a200b530bc73a6f2e4fcfaedadd11cbe86627b2d
[WebKit.git] / Source / JavaScriptCore / ChangeLog
2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext
        https://bugs.webkit.org/show_bug.cgi?id=141064

        Reviewed by Timothy Hatcher.

        * inspector/protocol/CSS.json:

2015-02-02  Daniel Bates  <dabates@apple.com>

        [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
        https://bugs.webkit.org/show_bug.cgi?id=141057
        <rdar://problem/19068790>

        Reviewed by Alexey Proskuryakov.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
        (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
        WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
        and CryptoKeyRSA::generatePair().

2015-02-02  Saam Barati  <saambarati1@gmail.com>

        Create tests for JSC's Control Flow Profiler
        https://bugs.webkit.org/show_bug.cgi?id=141123

        Reviewed by Filip Pizlo.

        This patch creates a control flow profiler testing API in jsc.cpp
        that accepts a function and a string as arguments. The string must
        be a substring of the text of the function argument. The API returns
        a boolean indicating whether or not the basic block that encloses the
        substring has executed.

        This patch uses this API to test that the control flow profiler
        behaves as expected on basic block boundaries. These tests do not
        provide full coverage for all JavaScript statements that can create
        basic block boundaries. Full coverage will come in a later patch.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionHasBasicBlockExecuted):
        * runtime/ControlFlowProfiler.cpp:
        (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
        * runtime/ControlFlowProfiler.h:
        * tests/controlFlowProfiler: Added.
        * tests/controlFlowProfiler.yaml: Added.
        * tests/controlFlowProfiler/driver: Added.
        * tests/controlFlowProfiler/driver/driver.js: Added.
        (assert):
        * tests/controlFlowProfiler/if-statement.js: Added.
        (testIf):
        (noMatches):
        * tests/controlFlowProfiler/loop-statements.js: Added.
        (forRegular):
        (forIn):
        (forOf):
        (whileLoop):
        * tests/controlFlowProfiler/switch-statements.js: Added.
        (testSwitch):
        * tests/controlFlowProfiler/test-jit.js: Added.
        (tierUpToBaseline):
        (tierUpToDFG):
        (baselineTest):
        (dfgTest):

2015-01-28  Filip Pizlo  <fpizlo@apple.com>

        Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
        https://bugs.webkit.org/show_bug.cgi?id=140660

        Reviewed by Geoffrey Garen.

        When we first implemented polymorphic call inlining, we did the profiling based on a call
        edge log. The idea was to store each call edge (a tuple of call site and callee) into a
        global log that was processed lazily. Processing the log would give precise counts of call
        edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
        This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
        nonetheless.

        Experience with this code shows three things. First, the call edge profiler is buggy and
        complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
        overhead for latency code that we care deeply about. Third, it's not at all clear that
        having call edge counts for every possible callee is any better than just having call edge
        counts for the limited number of callees that an inline cache would catch.

        So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
        cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
        out-of-line stub that cases on the previously known callees. If that misses again, then we
        rewrite that stub to include the new callee. We do this up to some number of callees. If we
        hit the limit then we switch to using a plain virtual call.

        Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
        caused. Might be a SunSpider speed-up (below 1%), depending on hardware.

        Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallEdge.h:
        (JSC::CallEdge::count):
        (JSC::CallEdge::CallEdge):
        * bytecode/CallEdgeProfile.cpp: Removed.
        * bytecode/CallEdgeProfile.h: Removed.
        * bytecode/CallEdgeProfileInlines.h: Removed.
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::makeClosureCall):
        (JSC::CallLinkStatus::dump):
        (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::variants):
        (JSC::CallLinkStatus::size):
        (JSC::CallLinkStatus::at):
        (JSC::CallLinkStatus::operator[]):
        (JSC::CallLinkStatus::canOptimize):
        (JSC::CallLinkStatus::edges): Deleted.
        (JSC::CallLinkStatus::canTrustCounts): Deleted.
        * bytecode/CallVariant.cpp:
        (JSC::variantListWithVariant):
        (JSC::despecifiedVariantList):
        * bytecode/CallVariant.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::linkIncomingPolymorphicCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * jit/BinarySwitch.h:
        * jit/ClosureCallStubRoutine.cpp: Removed.
        * jit/ClosureCallStubRoutine.h: Removed.
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkPolymorphicCallFor):
        (JSC::operationLinkClosureCallFor): Deleted.
        * jit/JITStubRoutine.h:
        * jit/JITWriteBarrier.h:
        * jit/PolymorphicCallStubRoutine.cpp: Added.
        (JSC::PolymorphicCallNode::~PolymorphicCallNode):
        (JSC::PolymorphicCallNode::unlink):
        (JSC::PolymorphicCallCase::dump):
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::variants):
        (JSC::PolymorphicCallStubRoutine::edges):
        (JSC::PolymorphicCallStubRoutine::visitWeak):
        (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
        * jit/PolymorphicCallStubRoutine.h: Added.
        (JSC::PolymorphicCallNode::PolymorphicCallNode):
        (JSC::PolymorphicCallCase::PolymorphicCallCase):
        (JSC::PolymorphicCallCase::variant):
        (JSC::PolymorphicCallCase::codeBlock):
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        (JSC::linkClosureCall): Deleted.
        * jit/Repatch.h:
        * jit/ThunkGenerators.cpp:
        (JSC::linkPolymorphicCallForThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
        (JSC::linkClosureCallForThunkGenerator): Deleted.
        (JSC::linkClosureCallThunkGenerator): Deleted.
        (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        (JSC::linkPolymorphicCallThunkGeneratorFor):
        (JSC::linkClosureCallThunkGeneratorFor): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode):
        (JSC::VM::ensureCallEdgeLog): Deleted.
        * runtime/VM.h:

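
        As an added illustration that is not part of this ChangeLog or of JavaScriptCore's code, the following JavaScript models the call-site state machine the entry above describes: a site links to its first callee, inflates to an out-of-line stub that cases on the callees seen so far, is rewritten on each further miss, and becomes a plain virtual call once the callee limit is hit. The `CallSite` class, the `runSequence` driver, the limit of 4 and the hit/miss counters are assumptions made for the model; JSC's actual limit and its stub dispatch are not reproduced.

```javascript
// Added model of a polymorphic call inline cache; not JavaScriptCore's code.
// States: 'unlinked' -> 'monomorphic' -> 'polymorphic' (stub listing known
// callees) -> 'virtual' (plain indirect call) once the callee limit is hit.
const DEFAULT_CALLEE_LIMIT = 4; // assumed limit for the model

class CallSite {
  constructor(limit = DEFAULT_CALLEE_LIMIT) {
    this.limit = limit;
    this.state = 'unlinked';
    this.callees = []; // callees the inline stub currently cases on
    this.stats = { fastHits: 0, stubHits: 0, misses: 0, virtualCalls: 0 };
  }

  // Dispatch `callee` through this site, updating the cache on a miss.
  call(callee, ...args) {
    if (this.state === 'virtual') {
      this.stats.virtualCalls++;          // nothing cached: always an indirect call
      return callee(...args);
    }
    if (this.state === 'monomorphic' && callee === this.callees[0]) {
      this.stats.fastHits++;              // direct-linked call, no stub needed
      return callee(...args);
    }
    if (this.state === 'polymorphic' && this.callees.includes(callee)) {
      this.stats.stubHits++;              // stub matched one of its cases
      return callee(...args);
    }
    return this.miss(callee, args);
  }

  // Slow path: either add the callee to the stub or give up and go virtual.
  miss(callee, args) {
    this.stats.misses++;
    if (this.callees.length >= this.limit) {
      this.state = 'virtual';             // limit hit: stop caching altogether
      this.callees = [];
    } else {
      this.callees.push(callee);          // "rewrite the stub" with the new callee
      this.state = this.callees.length === 1 ? 'monomorphic' : 'polymorphic';
    }
    return callee(...args);
  }
}

// Drive one call site through a constructed sequence of callees (argument is
// the call index) and return the final state plus the counters and results.
function runSequence(callees, limit = DEFAULT_CALLEE_LIMIT) {
  const site = new CallSite(limit);
  const results = callees.map((fn, i) => site.call(fn, i));
  return { state: site.state, callees: site.callees.length, stats: site.stats, results };
}

// Constructed callees for the demonstration.
const add1 = (x) => x + 1;
const dbl = (x) => x * 2;
const neg = (x) => -x;
const sq = (x) => x * x;
const id = (x) => x;

// Monomorphic: the same callee every time stays on the fast path.
const mono = runSequence([add1, add1, add1]);
// Polymorphic within the limit: two callees share one stub.
const poly = runSequence([add1, dbl, add1, dbl]);
// Megamorphic: a fifth distinct callee pushes the site past the limit.
const mega = runSequence([add1, dbl, neg, sq, id, add1]);

console.log(mono.state, mono.stats);
console.log(poly.state, poly.stats);
console.log(mega.state, mega.stats);
```

        The three runs show the trade-off the entry describes: the stub only ever has to case on a bounded set of callees, so profiling cost stays proportional to that bound rather than to every callee ever seen, and a site that degrades to a virtual call never pays for re-linking again.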
2015-01-30  Filip Pizlo  <fpizlo@apple.com>

        Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
        https://bugs.webkit.org/show_bug.cgi?id=141107

        Reviewed by Michael Saboff.

        See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
        that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
        OSR availability analysis to determine the right MovHint value to use for the Phantom.

        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::clearVariables):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertPhantomToPhantomLocal):
        (JSC::DFG::Node::convertFlushToPhantomLocal):
        (JSC::DFG::Node::convertToPhantomLocal): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
        (foo):
        (bar):
        (baz):

2015-01-31  Michael Saboff  <msaboff@apple.com>

        Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
        https://bugs.webkit.org/show_bug.cgi?id=141111

        Reviewed by Filip Pizlo.

        In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
        exited, we don't need to process the OSR availability or abstract interpreter.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate
        method since we need to call it at the top and near the bottom of compileNode().
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2015-01-31  Sam Weinig  <sam@webkit.org>

        Remove even more Mountain Lion support
        https://bugs.webkit.org/show_bug.cgi?id=141124

        Reviewed by Alexey Proskuryakov.

        * API/tests/DateTests.mm:
        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:
        * jit/ExecutableAllocatorFixedVMPool.cpp:

2015-01-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r179426.
        https://bugs.webkit.org/show_bug.cgi?id=141119

        "caused a memory use regression" (Requested by Guest45 on
        #webkit).

        Reverted changeset:

        "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
        pages"
        https://bugs.webkit.org/show_bug.cgi?id=140900
        http://trac.webkit.org/changeset/179426

2015-01-30  Daniel Bates  <dabates@apple.com>

        Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
        https://bugs.webkit.org/show_bug.cgi?id=141067

        Reviewed by Timothy Hatcher.

        Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
        do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
        and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
        header RemoteInspectorDebuggableConnection.h.

        * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
        * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
        * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.

2015-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement ES6 Symbol
        https://bugs.webkit.org/show_bug.cgi?id=140435

        Reviewed by Geoffrey Garen.

        This patch implements ES6 Symbol. In this patch, we don't support
        Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
        supported in the subsequent patches.

        Since ES6 Symbol is introduced as a new primitive value, we implement
        Symbol as a derived class from JSCell. And now JSValue accepts Symbol*
        as a new primitive value.

        Symbol has a *unique* flagged StringImpl* as a `uid`, whose pointer
        value represents the Symbol's identity. So don't use the Symbol's
        JSCell pointer value for comparison.
        This enables re-producing a Symbol primitive value from a StringImpl* uid
        by executing `Symbol::create(vm, uid)`. This is needed to produce
        Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.

        And Symbol.[[Description]] is folded into the string value of Symbol's uid.
        By doing so, we can represent ES6 Symbol without extending the current PropertyTable key, StringImpl*.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.order:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/BuiltinNames.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        * interpreter/Interpreter.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonIdentifiers.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::dumpInContextAssumingStructure):
        (JSC::JSValue::toStringSlowCase):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isSymbol):
        (JSC::JSValue::isPrimitive):
        (JSC::JSValue::toPropertyKey):

        It represents the ToPropertyKey abstract operation in the ES6 spec.
        It cleans up the old implementation's `isName` checks.
        And to prevent performance regressions in
            js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
            js/regress/fold-get-by-id-to-multi-get-by-offset.html
        we annotate this function as ALWAYS_INLINE.

        (JSC::JSValue::getPropertySlot):
        (JSC::JSValue::get):
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        (JSC::JSCell::toPrimitive):
        (JSC::JSCell::getPrimitiveNumber):
        (JSC::JSCell::toNumber):
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isSymbol):
        (JSC::JSCell::toBoolean):
        (JSC::JSCell::pureToBoolean):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::symbolPrototype):
        (JSC::JSGlobalObject::symbolObjectStructure):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isName): Deleted.
        * runtime/MapData.cpp:
        (JSC::MapData::find):
        (JSC::MapData::add):
        (JSC::MapData::remove):
        (JSC::MapData::replaceAndPackBackingStore):
        * runtime/MapData.h:
        (JSC::MapData::clear):
        * runtime/NameInstance.h: Removed.
        * runtime/NamePrototype.cpp: Removed.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        (JSC::PrivateName::operator==):
        (JSC::PrivateName::operator!=):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        * runtime/SmallStrings.h:
        * runtime/StringConstructor.cpp:
        (JSC::callStringConstructor):

        In ES6, the String constructor accepts a Symbol, to execute `String(symbol)`.

        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::prototypeForLookup):
        * runtime/Symbol.cpp: Added.
        (JSC::Symbol::Symbol):
        (JSC::SymbolObject::create):
        (JSC::Symbol::toPrimitive):
        (JSC::Symbol::toBoolean):
        (JSC::Symbol::getPrimitiveNumber):
        (JSC::Symbol::toObject):
        (JSC::Symbol::toNumber):
        (JSC::Symbol::destroy):
        (JSC::Symbol::descriptiveString):
        * runtime/Symbol.h: Added.
        (JSC::Symbol::createStructure):
        (JSC::Symbol::create):
        (JSC::Symbol::privateName):
        (JSC::Symbol::finishCreation):
        (JSC::asSymbol):
        * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
        (JSC::SymbolConstructor::SymbolConstructor):
        (JSC::SymbolConstructor::finishCreation):
        (JSC::callSymbol):
        (JSC::SymbolConstructor::getConstructData):
        (JSC::SymbolConstructor::getCallData):
        * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
        (JSC::SymbolConstructor::create):
        (JSC::SymbolConstructor::createStructure):
        * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
        (JSC::SymbolObject::SymbolObject):
        (JSC::SymbolObject::finishCreation):
        (JSC::SymbolObject::defaultValue):

        JSC doesn't support @@toPrimitive yet. So instead of it, we implement
        Symbol.prototype[@@toPrimitive] as ES5 Symbol.[[DefaultValue]].

        * runtime/SymbolObject.h: Added.
        (JSC::SymbolObject::create):
        (JSC::SymbolObject::internalValue):
        (JSC::SymbolObject::createStructure):
        * runtime/SymbolPrototype.cpp: Added.
        (JSC::SymbolPrototype::SymbolPrototype):
        (JSC::SymbolPrototype::finishCreation):
        (JSC::SymbolPrototype::getOwnPropertySlot):
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
        (JSC::SymbolPrototype::create):
        (JSC::SymbolPrototype::createStructure):

        The SymbolPrototype object is an ordinary JS object, not a wrapper object of Symbol.
        It is tested in js/symbol-prototype-is-ordinary-object.html.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2015-01-30  Geoffrey Garen  <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the HandleBlock piece of this patch.

        * heap/HandleBlock.h:
        * heap/HandleBlockInlines.h:
        (JSC::HandleBlock::create):
        (JSC::HandleBlock::destroy):
        (JSC::HandleBlock::HandleBlock):
        (JSC::HandleBlock::payloadEnd):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::~HandleSet):
        (JSC::HandleSet::grow):

2015-01-30  Geoffrey Garen  <ggaren@apple.com>

        GC marking threads should clear malloc caches
        https://bugs.webkit.org/show_bug.cgi?id=141097

        Reviewed by Sam Weinig.

        Follow-up based on Mark Hahnenberg's review: Release after the copy
        phase, rather than after any phase, since we'd rather not release
        between marking and copying.

        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase):
        (JSC::GCThread::gcThreadMain):

2015-01-30  Geoffrey Garen  <ggaren@apple.com>

        GC marking threads should clear malloc caches
        https://bugs.webkit.org/show_bug.cgi?id=141097

        Reviewed by Andreas Kling.

        This is an attempt to ameliorate a potential memory use regression
        caused by https://bugs.webkit.org/show_bug.cgi?id=140900
        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.

        FastMalloc may accumulate a per-thread cache on each of the 8-ish
        GC marking threads, which can be expensive.

        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
        going to sleep. There's probably not too much value to keeping our
        per-thread cache between GCs, and it has some memory footprint.

2015-01-30  Chris Dumez  <cdumez@apple.com>

        Rename shared() static member functions to singleton() for singleton classes.
        https://bugs.webkit.org/show_bug.cgi?id=141088

        Reviewed by Ryosuke Niwa and Benjamin Poulain.

        Rename shared() static member functions to singleton() for singleton
        classes as per the recent coding style change.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::singleton):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::shared): Deleted.
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
        (Inspector::RemoteInspectorDebuggable::init):
        (Inspector::RemoteInspectorDebuggable::update):
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
        (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):

2015-01-30  Geoffrey Garen  <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the CopyWorkListSegment piece of this patch.

        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/CopyWorkList.h:
        (JSC::CopyWorkListSegment::create):
        (JSC::CopyWorkListSegment::destroy):
        (JSC::CopyWorkListSegment::CopyWorkListSegment):
        (JSC::CopyWorkList::CopyWorkList):
        (JSC::CopyWorkList::~CopyWorkList):
        (JSC::CopyWorkList::append):

2015-01-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r179357 and r179358.
        https://bugs.webkit.org/show_bug.cgi?id=141062

        Suspect this caused WebGL tests to start flaking (Requested by
        kling on #webkit).

        Reverted changesets:

        "Polymorphic call inlining should be based on polymorphic call
        inline caching rather than logging"
        https://bugs.webkit.org/show_bug.cgi?id=140660
        http://trac.webkit.org/changeset/179357

        "Unreviewed, fix no-JIT build."
        http://trac.webkit.org/changeset/179358

2015-01-29  Geoffrey Garen  <ggaren@apple.com>

        Removed op_ret_object_or_this
        https://bugs.webkit.org/show_bug.cgi?id=141048

        Reviewed by Michael Saboff.

        op_ret_object_or_this was one opcode that would keep us out of the
        optimizing compilers.

        We don't need a special-purpose opcode; we can just use a branch.

        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::isTerminal): Removed.
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset): Removed.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Removed.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
        if we need to substitute 'this' for the return value. Our engine no longer
        benefits from fused opcodes that dispatch less in the interpreter.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_ret_object_or_this): Deleted.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm: Removed.

672 2015-01-29  Ryosuke Niwa  <rniwa@webkit.org>
673
674         Implement ES6 class syntax without inheritance support
675         https://bugs.webkit.org/show_bug.cgi?id=140918
676
677         Reviewed by Geoffrey Garen.
678
679         Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
680         class A {
681             constructor() { }
682             someMethod() { }
683         }
684
685         We'll add the support for "extends" keyword and automatically generating a constructor in follow up patches.
686         We also don't support block scoping of a class declaration.
687
688         We support both class declaration and class expression. A class expression is implemented by the newly added
689         ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
690         AssignResolveNode.
691
692         Tests: js/class-syntax-declaration.html
693                js/class-syntax-expression.html
694
695         * bytecompiler/NodesCodegen.cpp:
696         (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
697         Also fixed the 5-space indentation.
698         (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
699         (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
700         (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
701         emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.
702
703         * parser/ASTBuilder.h:
704         (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
705         (JSC::ASTBuilder::createClassDeclStatement): Added. Creates an AssignResolveNode and wraps it by a ClassDeclNode.
706
707         * parser/NodeConstructors.h:
708         (JSC::ClassDeclNode::ClassDeclNode): Added.
709         (JSC::ClassExprNode::ClassExprNode): Added.
710
711         * parser/Nodes.h:
712         (JSC::ClassExprNode): Added.
713         (JSC::ClassDeclNode): Added.
714
715         * parser/Parser.cpp:
716         (JSC::Parser<LexerType>::parseStatement): Added the support for class declaration.
717         (JSC::stringForFunctionMode): Return "method" for MethodMode.
718         (JSC::Parser<LexerType>::parseClassDeclaration): Added. Uses parseClass to create a class expression and wraps
719         it with ClassDeclNode as described above.
720         (JSC::Parser<LexerType>::parseClass): Parses a class expression.
721         (JSC::Parser<LexerType>::parseProperty):
722         (JSC::Parser<LexerType>::parseGetterSetter): Extracted from parseProperty to share the code between parseProperty
723         and parseClass.
724         (JSC::Parser<LexerType>::parsePrimaryExpression): Added the support for class expression.
725
726         * parser/Parser.h:
727         (FunctionParseMode): Added MethodMode.
728
729         * parser/SyntaxChecker.h:
730         (JSC::SyntaxChecker::createClassExpr): Added.
731         (JSC::SyntaxChecker::createClassDeclStatement): Added.
732
733 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
734
735         Try to fix the Windows build.
736
737         Not reviewed.
738
739         * heap/WeakBlock.h: Use the fully qualified name when declaring our friend.
740
741 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
742
743         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
744         https://bugs.webkit.org/show_bug.cgi?id=140900
745
746         Reviewed by Mark Hahnenberg.
747
748         Re-landing just the WeakBlock piece of this patch.
749
750         * heap/WeakBlock.cpp:
751         (JSC::WeakBlock::create):
752         (JSC::WeakBlock::destroy):
753         (JSC::WeakBlock::WeakBlock):
754         * heap/WeakBlock.h:
755         * heap/WeakSet.cpp:
756         (JSC::WeakSet::~WeakSet):
757         (JSC::WeakSet::addAllocator):
758         (JSC::WeakSet::removeAllocator):
759
760 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
761
762         Use Vector instead of GCSegmentedArray in CodeBlockSet
763         https://bugs.webkit.org/show_bug.cgi?id=141044
764
765         Reviewed by Ryosuke Niwa.
766
767         This is allowed now that we've gotten rid of fastMallocForbid.
768
769         4kB was a bit overkill for just storing a few pointers.
770
771         * heap/CodeBlockSet.cpp:
772         (JSC::CodeBlockSet::CodeBlockSet):
773         * heap/CodeBlockSet.h:
774         * heap/Heap.cpp:
775         (JSC::Heap::Heap):
776
777 2015-01-29  Filip Pizlo  <fpizlo@apple.com>
778
779         Unreviewed, fix no-JIT build.
780
781         * jit/PolymorphicCallStubRoutine.cpp:
782
783 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
784
785         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
786         https://bugs.webkit.org/show_bug.cgi?id=140660
787
788         Reviewed by Geoffrey Garen.
789         
790         When we first implemented polymorphic call inlining, we did the profiling based on a call
791         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
792         global log that was processed lazily. Processing the log would give precise counts of call
793         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
794         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
795         nonetheless.
796         
797         Experience with this code shows three things. First, the call edge profiler is buggy and
798         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
799         overhead for latency code that we care deeply about. Third, it's not at all clear that
800         having call edge counts for every possible callee is any better than just having call edge
801         counts for the limited number of callees that an inline cache would catch.
802         
803         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
804         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
805         out-of-line stub that cases on the previously known callees. If that misses again, then we
806         rewrite that stub to include the new callee. We do this up to some number of callees. If we
807         hit the limit then we switch to using a plain virtual call.
808         
809         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
810         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
811
812         * CMakeLists.txt:
813         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
814         * JavaScriptCore.xcodeproj/project.pbxproj:
815         * bytecode/CallEdge.h:
816         (JSC::CallEdge::count):
817         (JSC::CallEdge::CallEdge):
818         * bytecode/CallEdgeProfile.cpp: Removed.
819         * bytecode/CallEdgeProfile.h: Removed.
820         * bytecode/CallEdgeProfileInlines.h: Removed.
821         * bytecode/CallLinkInfo.cpp:
822         (JSC::CallLinkInfo::unlink):
823         (JSC::CallLinkInfo::visitWeak):
824         * bytecode/CallLinkInfo.h:
825         * bytecode/CallLinkStatus.cpp:
826         (JSC::CallLinkStatus::CallLinkStatus):
827         (JSC::CallLinkStatus::computeFor):
828         (JSC::CallLinkStatus::computeFromCallLinkInfo):
829         (JSC::CallLinkStatus::isClosureCall):
830         (JSC::CallLinkStatus::makeClosureCall):
831         (JSC::CallLinkStatus::dump):
832         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
833         * bytecode/CallLinkStatus.h:
834         (JSC::CallLinkStatus::CallLinkStatus):
835         (JSC::CallLinkStatus::isSet):
836         (JSC::CallLinkStatus::variants):
837         (JSC::CallLinkStatus::size):
838         (JSC::CallLinkStatus::at):
839         (JSC::CallLinkStatus::operator[]):
840         (JSC::CallLinkStatus::canOptimize):
841         (JSC::CallLinkStatus::edges): Deleted.
842         (JSC::CallLinkStatus::canTrustCounts): Deleted.
843         * bytecode/CallVariant.cpp:
844         (JSC::variantListWithVariant):
845         (JSC::despecifiedVariantList):
846         * bytecode/CallVariant.h:
847         * bytecode/CodeBlock.cpp:
848         (JSC::CodeBlock::~CodeBlock):
849         (JSC::CodeBlock::linkIncomingPolymorphicCall):
850         (JSC::CodeBlock::unlinkIncomingCalls):
851         (JSC::CodeBlock::noticeIncomingCall):
852         * bytecode/CodeBlock.h:
853         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
854         * dfg/DFGAbstractInterpreterInlines.h:
855         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
856         * dfg/DFGByteCodeParser.cpp:
857         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
858         (JSC::DFG::ByteCodeParser::handleCall):
859         (JSC::DFG::ByteCodeParser::handleInlining):
860         * dfg/DFGClobberize.h:
861         (JSC::DFG::clobberize):
862         * dfg/DFGConstantFoldingPhase.cpp:
863         (JSC::DFG::ConstantFoldingPhase::foldConstants):
864         * dfg/DFGDoesGC.cpp:
865         (JSC::DFG::doesGC):
866         * dfg/DFGDriver.cpp:
867         (JSC::DFG::compileImpl):
868         * dfg/DFGFixupPhase.cpp:
869         (JSC::DFG::FixupPhase::fixupNode):
870         * dfg/DFGNode.h:
871         (JSC::DFG::Node::hasHeapPrediction):
872         * dfg/DFGNodeType.h:
873         * dfg/DFGOperations.cpp:
874         * dfg/DFGPredictionPropagationPhase.cpp:
875         (JSC::DFG::PredictionPropagationPhase::propagate):
876         * dfg/DFGSafeToExecute.h:
877         (JSC::DFG::safeToExecute):
878         * dfg/DFGSpeculativeJIT32_64.cpp:
879         (JSC::DFG::SpeculativeJIT::emitCall):
880         (JSC::DFG::SpeculativeJIT::compile):
881         * dfg/DFGSpeculativeJIT64.cpp:
882         (JSC::DFG::SpeculativeJIT::emitCall):
883         (JSC::DFG::SpeculativeJIT::compile):
884         * dfg/DFGTierUpCheckInjectionPhase.cpp:
885         (JSC::DFG::TierUpCheckInjectionPhase::run):
886         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
887         * ftl/FTLCapabilities.cpp:
888         (JSC::FTL::canCompile):
889         * heap/Heap.cpp:
890         (JSC::Heap::collect):
891         * jit/BinarySwitch.h:
892         * jit/ClosureCallStubRoutine.cpp: Removed.
893         * jit/ClosureCallStubRoutine.h: Removed.
894         * jit/JITCall.cpp:
895         (JSC::JIT::compileOpCall):
896         * jit/JITCall32_64.cpp:
897         (JSC::JIT::compileOpCall):
898         * jit/JITOperations.cpp:
899         * jit/JITOperations.h:
900         (JSC::operationLinkPolymorphicCallFor):
901         (JSC::operationLinkClosureCallFor): Deleted.
902         * jit/JITStubRoutine.h:
903         * jit/JITWriteBarrier.h:
904         * jit/PolymorphicCallStubRoutine.cpp: Added.
905         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
906         (JSC::PolymorphicCallNode::unlink):
907         (JSC::PolymorphicCallCase::dump):
908         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
909         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
910         (JSC::PolymorphicCallStubRoutine::variants):
911         (JSC::PolymorphicCallStubRoutine::edges):
912         (JSC::PolymorphicCallStubRoutine::visitWeak):
913         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
914         * jit/PolymorphicCallStubRoutine.h: Added.
915         (JSC::PolymorphicCallNode::PolymorphicCallNode):
916         (JSC::PolymorphicCallCase::PolymorphicCallCase):
917         (JSC::PolymorphicCallCase::variant):
918         (JSC::PolymorphicCallCase::codeBlock):
919         * jit/Repatch.cpp:
920         (JSC::linkSlowFor):
921         (JSC::linkFor):
922         (JSC::revertCall):
923         (JSC::unlinkFor):
924         (JSC::linkVirtualFor):
925         (JSC::linkPolymorphicCall):
926         (JSC::linkClosureCall): Deleted.
927         * jit/Repatch.h:
928         * jit/ThunkGenerators.cpp:
929         (JSC::linkPolymorphicCallForThunkGenerator):
930         (JSC::linkPolymorphicCallThunkGenerator):
931         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
932         (JSC::linkClosureCallForThunkGenerator): Deleted.
933         (JSC::linkClosureCallThunkGenerator): Deleted.
934         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
935         * jit/ThunkGenerators.h:
936         (JSC::linkPolymorphicCallThunkGeneratorFor):
937         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
938         * llint/LLIntSlowPaths.cpp:
939         (JSC::LLInt::jitCompileAndSetHeuristics):
940         * runtime/Options.h:
941         * runtime/VM.cpp:
942         (JSC::VM::prepareToDiscardCode):
943         (JSC::VM::ensureCallEdgeLog): Deleted.
944         * runtime/VM.h:
945
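As an added illustration (not code from this patch or from JavaScriptCore), the following JavaScript models the call-site state machine the entry describes: a basic monomorphic cache that is inflated into a stub casing on the known callees, rewritten on each new callee up to a limit, and then replaced by a plain virtual call. The callee limit, the class and method names, and the path labels are assumptions made for the model.

```javascript
// Added example, not JavaScriptCore code: a model of the call-site inline
// cache described in the entry above. The callee limit is an assumed constant.
const MAX_POLYMORPHIC_CALLEES = 4; // assumption; JSC keeps its limit in an Option

class CallSite {
  constructor() {
    this.state = 'unlinked';   // unlinked -> monomorphic -> polymorphic -> virtual
    this.callees = [];         // callees the inline cache currently cases on
    this.relinks = 0;          // how often the cache or stub was (re)generated
  }

  // Dispatch one call through the cache. Returns the path taken plus the
  // callee's result; callees are ordinary JS functions in this model.
  call(callee, ...args) {
    let path;
    switch (this.state) {
      case 'unlinked':
        // First call: link the basic (monomorphic) cache to this callee.
        this.callees = [callee];
        this.state = 'monomorphic';
        this.relinks++;
        path = 'link';
        break;
      case 'monomorphic':
        if (this.callees[0] === callee) { path = 'fast'; break; }
        // Basic cache miss: inflate to an out-of-line stub casing on both callees.
        this.callees.push(callee);
        this.state = 'polymorphic';
        this.relinks++;
        path = 'inflate';
        break;
      case 'polymorphic':
        if (this.callees.includes(callee)) { path = 'stub'; break; }
        if (this.callees.length >= MAX_POLYMORPHIC_CALLEES) {
          // Limit hit: stop caching and use a plain virtual call from now on.
          this.callees = [];
          this.state = 'virtual';
          this.relinks++;
          path = 'virtualize';
          break;
        }
        // Stub miss below the limit: rewrite the stub to include the new callee.
        this.callees.push(callee);
        this.relinks++;
        path = 'rewrite';
        break;
      case 'virtual':
        path = 'virtual';
        break;
    }
    return { path, result: callee(...args) };
  }

  // What an optimizing tier would read from the cache (cf. CallLinkStatus):
  // the cached callees, or nothing once the site has gone virtual.
  variants() {
    return this.state === 'virtual' ? [] : this.callees.slice();
  }

  // Models unlinking (e.g. after a cached callee's code is discarded):
  // the cache is dropped and the site starts over.
  unlink() {
    this.state = 'unlinked';
    this.callees = [];
  }
}

// Runs a sequence of callees through one call site and reports the path
// taken for each call together with the final cache state.
function simulate(calleeSequence) {
  const site = new CallSite();
  const paths = calleeSequence.map((callee) => site.call(callee, 1).path);
  return { paths, state: site.state, variants: site.variants().length, relinks: site.relinks };
}

// Constructed sample: six distinct callees arriving at a single call site.
const f = Array.from({ length: 6 }, (_, i) => (x) => x + i);
const sample = [f[0], f[0], f[1], f[0], f[1], f[2], f[3], f[4], f[5]];

console.log(simulate(sample));
```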
946 2015-01-29  Joseph Pecoraro  <pecoraro@apple.com>
947
948         Web Inspector: ES6: Improved Console Format for Set and Map Objects (like Arrays)
949         https://bugs.webkit.org/show_bug.cgi?id=122867
950
951         Reviewed by Timothy Hatcher.
952
953         Add new Runtime.RemoteObject object subtypes for "map", "set", and "weakmap".
954
955         Upgrade Runtime.ObjectPreview to include type/subtype information. Now,
956         an ObjectPreview can be used for any value, in place of a RemoteObject,
957         and not capture / hold a reference to the value. The value will be in
958         the string description.
959
960         Adding this information to ObjectPreview can duplicate some information
961         in the protocol messages if a preview is provided, but simplifies
962         previews, so that all the information you need for any RemoteObject
963         preview is available. To slim messages further, make "overflow" and
964         "properties" only available on previews that may contain properties.
965         So, not primitives or null.
966
967         Finally, for "Map/Set/WeakMap" add an "entries" list to the preview
968         that will return previews with "key" and "value" properties depending
969         on the collection type. To get live, non-preview objects from a
970         collection, use Runtime.getCollectionEntries.
971
972         In order to keep the WeakMap's values Weak the frontend may provide
973         a unique object group name when getting collection entries. It may
974         then release that object group, e.g. when not showing the WeakMap's
975         values to the user, and thus remove the strong reference to the keys
976         so they may be garbage collected.
977
978         * runtime/WeakMapData.h:
979         (JSC::WeakMapData::begin):
980         (JSC::WeakMapData::end):
981         Expose iterators so the Inspector may access WeakMap keys/values.
982
983         * inspector/JSInjectedScriptHostPrototype.cpp:
984         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
985         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
986         * inspector/JSInjectedScriptHost.h:
987         * inspector/JSInjectedScriptHost.cpp:
988         (Inspector::JSInjectedScriptHost::subtype):
989         Discern "map", "set", and "weakmap" object subtypes.
990
991         (Inspector::JSInjectedScriptHost::weakMapEntries):
992         Return a list of WeakMap entries. These are strong references
993         that the Inspector code is responsible for releasing.
994
995         * inspector/protocol/Runtime.json:
996         Update types and expose the new getCollectionEntries command.
997
998         * inspector/agents/InspectorRuntimeAgent.h:
999         * inspector/agents/InspectorRuntimeAgent.cpp:
1000         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1001         * inspector/InjectedScript.h:
1002         * inspector/InjectedScript.cpp:
1003         (Inspector::InjectedScript::getInternalProperties):
1004         (Inspector::InjectedScript::getCollectionEntries):
1005         Pass through to the InjectedScript and call getCollectionEntries.
1006
1007         * inspector/scripts/codegen/generator.py:
1008         Add another type with runtime casting.
1009
1010         * inspector/InjectedScriptSource.js:
1011         - Implement getCollectionEntries to get a range of values from a
1012         collection. The non-Weak collections have an order to their keys (in
1013         order of added) so ranged gets are okay. WeakMap does not have an
1014         order, so only allow fetching a number of values.
1015         - Update preview generation to address the Runtime.ObjectPreview
1016         type changes.
1017
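As an added sketch (not JavaScriptCore's InjectedScriptSource.js), here is a JavaScript model of the protocol shapes the entry describes: every preview carries type, subtype and a string description; overflow/properties appear only on object previews; map and set previews carry an entries list; and getCollectionEntries takes a range for ordered collections but only a count for WeakMap, holding the returned live values under an object group that the frontend can release. The property and entry caps, the function names and the host hook used to enumerate a WeakMap are assumptions of this model.

```javascript
// Added example modelling the Runtime.ObjectPreview / getCollectionEntries
// behaviour described in the entry above; not JavaScriptCore code. Caps assumed.
const PREVIEW_PROPERTY_LIMIT = 5;  // assumed cap on previewed properties
const PREVIEW_ENTRY_LIMIT = 5;     // assumed cap on previewed collection entries

// Strong references handed to the frontend, keyed by object group name.
// Releasing a group drops them, so WeakMap keys can be collected again.
const objectGroups = new Map();

function subtypeOf(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  if (value instanceof Map) return 'map';
  if (value instanceof Set) return 'set';
  if (value instanceof WeakMap) return 'weakmap';
  return undefined;
}

// String description: the preview carries this instead of a reference.
function describe(value) {
  if (typeof value === 'string') return value;
  if (typeof value === 'function') return 'function';
  if (value instanceof Map || value instanceof Set) return `${value.constructor.name}[${value.size}]`;
  if (value instanceof WeakMap) return 'WeakMap';
  if (Array.isArray(value)) return `Array[${value.length}]`;
  if (typeof value === 'object' && value !== null) return 'Object';
  return String(value);
}

// Builds a preview for any value. Primitives and null get no overflow/properties
// fields; object previews are one level deep; map/set previews list entries.
function buildPreview(value, depth = 0) {
  const preview = { type: typeof value, description: describe(value) };
  const subtype = subtypeOf(value);
  if (subtype !== undefined) preview.subtype = subtype;
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return preview;
  if (depth > 0) return preview;            // nested previews stay shallow
  preview.overflow = false;
  preview.properties = [];
  for (const name of Object.keys(value)) {
    if (preview.properties.length >= PREVIEW_PROPERTY_LIMIT) { preview.overflow = true; break; }
    const prop = buildPreview(value[name], depth + 1);
    preview.properties.push({ name, type: prop.type, subtype: prop.subtype, value: prop.description });
  }
  if (subtype === 'map' || subtype === 'set') {
    preview.entries = [];
    for (const [key, entryValue] of value.entries()) {   // Set.entries() yields [v, v]
      if (preview.entries.length >= PREVIEW_ENTRY_LIMIT) { preview.overflow = true; break; }
      const entry = { value: buildPreview(entryValue, depth + 1) };
      if (subtype === 'map') entry.key = buildPreview(key, depth + 1);   // sets have no keys
      preview.entries.push(entry);
    }
  }
  return preview;
}

// Models Runtime.getCollectionEntries. Map/Set are ordered, so a start index
// and count are honoured; a WeakMap has no order, so only a count is allowed
// and its keys come from a host hook (assumed here; plain JS cannot enumerate
// a WeakMap). Returned entries are live values held under objectGroup.
function getCollectionEntries(collection, objectGroup, startIndex, numberToFetch, hostWeakMapEntries) {
  let pairs;
  if (collection instanceof WeakMap) {
    if (startIndex !== 0) throw new RangeError('WeakMap entries have no order; only a count may be requested');
    if (typeof hostWeakMapEntries !== 'function') throw new TypeError('WeakMap enumeration needs the host hook');
    pairs = hostWeakMapEntries(collection, numberToFetch);
  } else if (collection instanceof Map) {
    pairs = [...collection.entries()].slice(startIndex, startIndex + numberToFetch);
  } else if (collection instanceof Set) {
    pairs = [...collection].slice(startIndex, startIndex + numberToFetch).map((v) => [undefined, v]);
  } else {
    throw new TypeError('not a Map, Set or WeakMap');
  }
  const entries = pairs.map(([key, value]) => (collection instanceof Set ? { value } : { key, value }));
  const held = objectGroups.get(objectGroup) || [];
  held.push(...entries);                     // strong references until released
  objectGroups.set(objectGroup, held);
  return entries;
}

function releaseObjectGroup(objectGroup) { return objectGroups.delete(objectGroup); }
function heldEntryCount(objectGroup) { const h = objectGroups.get(objectGroup); return h ? h.length : 0; }

console.log(JSON.stringify(buildPreview(new Map([['a', 1], ['b', { x: 1 }]])), null, 2));
```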
1018 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
1019
1020         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1021         https://bugs.webkit.org/show_bug.cgi?id=140900
1022
1023         Reviewed by Mark Hahnenberg.
1024
1025         Re-landing just the GCArraySegment piece of this patch.
1026
1027         * heap/CodeBlockSet.cpp:
1028         (JSC::CodeBlockSet::CodeBlockSet):
1029         * heap/CodeBlockSet.h:
1030         * heap/GCSegmentedArray.h:
1031         (JSC::GCArraySegment::GCArraySegment):
1032         * heap/GCSegmentedArrayInlines.h:
1033         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
1034         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
1035         (JSC::GCSegmentedArray<T>::clear):
1036         (JSC::GCSegmentedArray<T>::expand):
1037         (JSC::GCSegmentedArray<T>::refill):
1038         (JSC::GCArraySegment<T>::create):
1039         (JSC::GCArraySegment<T>::destroy):
1040         * heap/GCThreadSharedData.cpp:
1041         (JSC::GCThreadSharedData::GCThreadSharedData):
1042         * heap/Heap.cpp:
1043         (JSC::Heap::Heap):
1044         * heap/MarkStack.cpp:
1045         (JSC::MarkStackArray::MarkStackArray):
1046         * heap/MarkStack.h:
1047         * heap/SlotVisitor.cpp:
1048         (JSC::SlotVisitor::SlotVisitor):
1049
1050 2015-01-29  Csaba Osztrogonác  <ossy@webkit.org>
1051
1052         Move HAVE_DTRACE definition back to Platform.h
1053         https://bugs.webkit.org/show_bug.cgi?id=141033
1054
1055         Reviewed by Dan Bernstein.
1056
1057         * Configurations/Base.xcconfig:
1058         * JavaScriptCore.xcodeproj/project.pbxproj:
1059
1060 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
1061
1062         Removed fastMallocForbid / fastMallocAllow
1063         https://bugs.webkit.org/show_bug.cgi?id=141012
1064
1065         Reviewed by Mark Hahnenberg.
1066
1067         Copy non-current thread stacks before scanning them instead of scanning
1068         them in-place.
1069
1070         This operation is uncommon (i.e., never in the web content process),
1071         and even in a stress test with 4 threads it only copies about 27kB,
1072         so I think the performance cost is OK.
1073
1074         Scanning in-place requires a complex dance where we constrain our GC
1075         data structures not to use malloc, free, or any other interesting functions
1076         that might acquire locks. We've gotten this wrong many times in the past,
1077         and I just got it wrong again yesterday. Since this code path is rarely
1078         tested, I want it to just make sense, and not depend on or constrain the
1079         details of the rest of the GC heap's design.
1080
1081         * heap/MachineStackMarker.cpp:
1082         (JSC::otherThreadStack): Factored out a helper function for dealing with
1083         unaligned and/or backwards pointers.
1084
1085         (JSC::MachineThreads::tryCopyOtherThreadStack): This is now the only
1086         constrained function, and it only calls memcpy and low-level thread APIs.
1087
1088         (JSC::MachineThreads::tryCopyOtherThreadStacks): The design here is that
1089         you do one pass over all the threads to compute their combined size,
1090         and then a second pass to do all the copying. In theory, the threads may
1091         grow in between passes, in which case you'll continue until the threads
1092         stop growing. In practice, you never continue.
1093
1094         (JSC::growBuffer): Helper function for growing.
1095
1096         (JSC::MachineThreads::gatherConservativeRoots):
1097         (JSC::MachineThreads::gatherFromOtherThread): Deleted.
1098         * heap/MachineStackMarker.h: Updated for interface changes.
1099
1100 2015-01-28  Brian J. Burg  <burg@cs.washington.edu>
1101
1102         Web Inspector: remove CSS.setPropertyText, CSS.toggleProperty and related dead code
1103         https://bugs.webkit.org/show_bug.cgi?id=140961
1104
1105         Reviewed by Timothy Hatcher.
1106
1107         * inspector/protocol/CSS.json: Remove unused protocol methods.
1108
1109 2015-01-28  Dana Burkart  <dburkart@apple.com>
1110
1111         Move ASan flag settings from DebugRelease.xcconfig to Base.xcconfig
1112         https://bugs.webkit.org/show_bug.cgi?id=136765
1113
1114         Reviewed by Alexey Proskuryakov.
1115
1116         * Configurations/Base.xcconfig:
1117         * Configurations/DebugRelease.xcconfig:
1118
1119 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
1120
1121         ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath, which is more precise
1122         https://bugs.webkit.org/show_bug.cgi?id=140980
1123
1124         Reviewed by Oliver Hunt.
1125
1126         * bytecode/CallLinkStatus.cpp:
1127         (JSC::CallLinkStatus::computeFor):
1128
1129 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
1130
1131         Move DFGBinarySwitch out of the DFG so that all of the JITs can use it
1132         https://bugs.webkit.org/show_bug.cgi?id=140959
1133
1134         Rubber stamped by Geoffrey Garen.
1135         
1136         I want to use this for polymorphic stubs for https://bugs.webkit.org/show_bug.cgi?id=140660.
1137         This code no longer has DFG dependencies so this is a very clean move.
1138
1139         * CMakeLists.txt:
1140         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1141         * JavaScriptCore.xcodeproj/project.pbxproj:
1142         * dfg/DFGBinarySwitch.cpp: Removed.
1143         * dfg/DFGBinarySwitch.h: Removed.
1144         * dfg/DFGSpeculativeJIT.cpp:
1145         * jit/BinarySwitch.cpp: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.cpp.
1146         * jit/BinarySwitch.h: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.h.
1147
1148 2015-01-27  Commit Queue  <commit-queue@webkit.org>
1149
1150         Unreviewed, rolling out r179192.
1151         https://bugs.webkit.org/show_bug.cgi?id=140953
1152
1153         Caused numerous layout test failures (Requested by mattbaker_
1154         on #webkit).
1155
1156         Reverted changeset:
1157
1158         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
1159         pages"
1160         https://bugs.webkit.org/show_bug.cgi?id=140900
1161         http://trac.webkit.org/changeset/179192
1162
1163 2015-01-27  Michael Saboff  <msaboff@apple.com>
1164
1165         REGRESSION(r178591): 20% regression in Octane box2d
1166         https://bugs.webkit.org/show_bug.cgi?id=140948
1167
1168         Reviewed by Geoffrey Garen.
1169
1170         Added a check that we have a lexical environment to the "arguments is captured" check.
1171         It doesn't make sense to resolve "arguments" when it really isn't captured.
1172
1173         * bytecompiler/BytecodeGenerator.cpp:
1174         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
1175
1176 2015-01-26  Geoffrey Garen  <ggaren@apple.com>
1177
1178         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1179         https://bugs.webkit.org/show_bug.cgi?id=140900
1180
1181         Reviewed by Mark Hahnenberg.
1182
1183         Removes some more custom allocation code.
1184
1185         Looks like a speedup. (See results attached to bugzilla.)
1186
1187         Will hopefully reduce memory use by improving sharing between the GC and
1188         malloc heaps.
1189
1190         * API/JSBase.cpp:
1191         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1192         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1193         * JavaScriptCore.xcodeproj/project.pbxproj: Feed the compiler.
1194
1195         * heap/BlockAllocator.cpp: Removed.
1196         * heap/BlockAllocator.h: Removed. No need for a custom allocator anymore.
1197
1198         * heap/CodeBlockSet.cpp:
1199         (JSC::CodeBlockSet::CodeBlockSet):
1200         * heap/CodeBlockSet.h: Feed the compiler.
1201
1202         * heap/CopiedBlock.h:
1203         (JSC::CopiedBlock::createNoZeroFill):
1204         (JSC::CopiedBlock::create):
1205         (JSC::CopiedBlock::CopiedBlock):
1206         (JSC::CopiedBlock::isOversize):
1207         (JSC::CopiedBlock::payloadEnd):
1208         (JSC::CopiedBlock::capacity):
1209         * heap/CopiedBlockInlines.h:
1210         (JSC::CopiedBlock::reportLiveBytes): Each copied block now tracks its
1211         own size, since we can't rely on Region to tell us our size anymore.
1212
1213         * heap/CopiedSpace.cpp:
1214         (JSC::CopiedSpace::~CopiedSpace):
1215         (JSC::CopiedSpace::tryAllocateOversize):
1216         (JSC::CopiedSpace::tryReallocateOversize):
1217         * heap/CopiedSpaceInlines.h:
1218         (JSC::CopiedSpace::recycleEvacuatedBlock):
1219         (JSC::CopiedSpace::recycleBorrowedBlock):
1220         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
1221         (JSC::CopiedSpace::allocateBlock):
1222         (JSC::CopiedSpace::startedCopying): Deallocate blocks directly, rather
1223         than pushing them onto the block allocator's free list; the block
1224         allocator doesn't exist anymore.
1225
1226         * heap/CopyWorkList.h:
1227         (JSC::CopyWorkListSegment::create):
1228         (JSC::CopyWorkListSegment::CopyWorkListSegment):
1229         (JSC::CopyWorkList::~CopyWorkList):
1230         (JSC::CopyWorkList::append):
1231         (JSC::CopyWorkList::CopyWorkList): Deleted.
1232         * heap/GCSegmentedArray.h:
1233         (JSC::GCArraySegment::GCArraySegment):
1234         * heap/GCSegmentedArrayInlines.h:
1235         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
1236         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
1237         (JSC::GCSegmentedArray<T>::clear):
1238         (JSC::GCSegmentedArray<T>::expand):
1239         (JSC::GCSegmentedArray<T>::refill):
1240         (JSC::GCArraySegment<T>::create):
1241         * heap/GCThreadSharedData.cpp:
1242         (JSC::GCThreadSharedData::GCThreadSharedData):
1243         * heap/GCThreadSharedData.h: Feed the compiler.
1244
1245         * heap/HandleBlock.h:
1246         * heap/HandleBlockInlines.h:
1247         (JSC::HandleBlock::create):
1248         (JSC::HandleBlock::HandleBlock):
1249         (JSC::HandleBlock::payloadEnd):
1250         * heap/HandleSet.cpp:
1251         (JSC::HandleSet::~HandleSet):
1252         (JSC::HandleSet::grow): Same as above.
1253
1254         * heap/Heap.cpp:
1255         (JSC::Heap::Heap):
1256         * heap/Heap.h: Removed the block allocator since it is unused now.
1257
1258         * heap/HeapBlock.h:
1259         (JSC::HeapBlock::destroy):
1260         (JSC::HeapBlock::HeapBlock):
1261         (JSC::HeapBlock::region): Deleted. Removed the Region pointer from each
1262         HeapBlock since a HeapBlock is just a normal allocation now.
1263
1264         * heap/HeapInlines.h:
1265         (JSC::Heap::blockAllocator): Deleted.
1266
1267         * heap/HeapTimer.cpp:
1268         * heap/MarkStack.cpp:
1269         (JSC::MarkStackArray::MarkStackArray):
1270         * heap/MarkStack.h: Feed the compiler.
1271
1272         * heap/MarkedAllocator.cpp:
1273         (JSC::MarkedAllocator::allocateBlock): No need to use a custom code path
1274         based on size, since we use a general purpose allocator now.
1275
1276         * heap/MarkedBlock.cpp:
1277         (JSC::MarkedBlock::create):
1278         (JSC::MarkedBlock::destroy):
1279         (JSC::MarkedBlock::MarkedBlock):
1280         * heap/MarkedBlock.h:
1281         (JSC::MarkedBlock::capacity): Track block size explicitly, like CopiedBlock.
1282
1283         * heap/MarkedSpace.cpp:
1284         (JSC::MarkedSpace::freeBlock):
1285         * heap/MarkedSpace.h:
1286
1287         * heap/Region.h: Removed.
1288
1289         * heap/SlotVisitor.cpp:
1290         (JSC::SlotVisitor::SlotVisitor): Removed reference to block allocator.
1291
1292         * heap/SuperRegion.cpp: Removed.
1293         * heap/SuperRegion.h: Removed.
1294
1295         * heap/WeakBlock.cpp:
1296         (JSC::WeakBlock::create):
1297         (JSC::WeakBlock::WeakBlock):
1298         * heap/WeakBlock.h:
1299         * heap/WeakSet.cpp:
1300         (JSC::WeakSet::~WeakSet):
1301         (JSC::WeakSet::addAllocator):
1302         (JSC::WeakSet::removeAllocator): Removed reference to block allocator.
1303
1304 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
1305
1306         [ARM] Typo fix after r176083
1307         https://bugs.webkit.org/show_bug.cgi?id=140937
1308
1309         Reviewed by Anders Carlsson.
1310
1311         * assembler/ARMv7Assembler.h:
1312         (JSC::ARMv7Assembler::ldrh):
1313
1314 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
1315
1316         [Win] Unreviewed gardening, skip failing tests.
1317
1318         * tests/exceptionFuzz.yaml: Skip exception fuzz tests due to bug140928.
1319         * tests/mozilla/mozilla-tests.yaml: Skip ecma/Date/15.9.5.28-1.js due to bug140927.
1320
1321 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
1322
1323         [Win] Enable JSC stress tests by default
1324         https://bugs.webkit.org/show_bug.cgi?id=128307
1325
1326         Unreviewed typo fix after r179165.
1327
1328         * tests/mozilla/mozilla-tests.yaml:
1329
1330 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
1331
1332         [Win] Enable JSC stress tests by default
1333         https://bugs.webkit.org/show_bug.cgi?id=128307
1334
1335         Reviewed by Brent Fulgham.
1336
1337         * tests/mozilla/mozilla-tests.yaml: Skipped on Windows.
1338         * tests/stress/ftl-arithcos.js: Skipped on Windows.
1339
1340 2015-01-26  Ryosuke Niwa  <rniwa@webkit.org>
1341
1342         Parse a function expression as a primary expression
1343         https://bugs.webkit.org/show_bug.cgi?id=140908
1344
1345         Reviewed by Mark Lam.
1346
1347         Moved the code to generate an AST node for a function expression from parseMemberExpression
1348         to parsePrimaryExpression to match the ES6 specification terminology:
1349         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-primary-expression
1350
1351         There should be no behavior change from this change since parsePrimaryExpression is only
1352         called in parseMemberExpression, other than the fact that failIfStackOverflow() is called.
1353
1354         * parser/Parser.cpp:
1355         (JSC::Parser<LexerType>::parsePrimaryExpression):
1356         (JSC::Parser<LexerType>::parseMemberExpression):
1357
1358 2015-01-26  Myles C. Maxfield  <mmaxfield@apple.com>
1359
1360         [iOS] [SVG -> OTF Converter] Flip the switch off on iOS
1361         https://bugs.webkit.org/show_bug.cgi?id=140860
1362
1363         Reviewed by Darin Adler.
1364
1365         The fonts it makes are grotesque. (See what I did there? Typographic
1366         humor is the best humor.)
1367
1368         * Configurations/FeatureDefines.xcconfig:
1369
1370 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
1371
1372         Web Inspector: Rename InjectedScriptHost::type to subtype
1373         https://bugs.webkit.org/show_bug.cgi?id=140841
1374
1375         Reviewed by Timothy Hatcher.
1376
1377         We were using this to set the subtype of an "object" type RemoteObject
1378         so we should clean up the name and call it subtype.
1379
1380         * inspector/InjectedScriptHost.h:
1381         * inspector/InjectedScriptSource.js:
1382         * inspector/JSInjectedScriptHost.cpp:
1383         (Inspector::JSInjectedScriptHost::subtype):
1384         (Inspector::JSInjectedScriptHost::type): Deleted.
1385         * inspector/JSInjectedScriptHost.h:
1386         * inspector/JSInjectedScriptHostPrototype.cpp:
1387         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1388         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
1389         (Inspector::jsInjectedScriptHostPrototypeFunctionType): Deleted.
1390
2015-01-23  Michael Saboff  <msaboff@apple.com>

        LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds
        https://bugs.webkit.org/show_bug.cgi?id=140843

        Reviewed by Oliver Hunt.

        When we are in vmEntryToJavaScript, we keep the stack pointer at an
        alignment suitable for pointing to a call frame header, which is the
        alignment post making a call.  We adjust the sp when calling to JS code,
        but don't adjust it before calling the out of stack handler.

        * llint/LowLevelInterpreter32_64.asm:
        Moved stack pointer down 8 bytes to get it aligned.

2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Object Previews in the Console
        https://bugs.webkit.org/show_bug.cgi?id=129204

        Reviewed by Timothy Hatcher.

        Update the very old, unused object preview code. Part of this comes from
        the earlier WebKit legacy implementation, and the Blink implementation.

        A RemoteObject may include a preview, if it is asked for, and if the
        RemoteObject is an object. Previews are a shallow (single level) list
        of a limited number of properties on the object. The previewed
        properties are always stringified (even if primitives). Previews are
        limited to just 5 properties or 100 indices. Previews are marked
        as lossless if they are a complete snapshot of the object.

        There is a path to make previews two levels deep, that is currently
        unused but should soon be used for tables (e.g. IndexedDB).

        * inspector/InjectedScriptSource.js:
        - Move some code off of InjectedScript to be generic functions
        usable by RemoteObject as well.
        - Update preview generation to use 

        * inspector/protocol/Runtime.json:
        - Add a new type, "accessor" for preview objects. This represents
        a getter / setter. We currently don't get the value.

2015-01-23  Michael Saboff  <msaboff@apple.com>

        Immediate crash when setting JS breakpoint
        https://bugs.webkit.org/show_bug.cgi?id=140811

        Reviewed by Mark Lam.

        When the DFG stack layout phase doesn't allocate a register for the scope register,
        it incorrectly sets the scope register in the code block to a bad value, one with
        an offset of 0.  Changed it so that we set the code block's scope register to the
        invalid VirtualRegister instead.

        No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
        We crash with that ASSERT in testapi and likely many other tests as well.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setScopeRegister):
        (JSC::CodeBlock::scopeRegister):
        Added ASSERTs to catch any future improper setting of the code block's scope register.

        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):

2015-01-22  Mark Hahnenberg  <mhahnenb@gmail.com>

        EdenCollections unnecessarily visit SmallStrings
        https://bugs.webkit.org/show_bug.cgi?id=140762

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::copyBackingStores): Also added a GCPhase for copying
        backing stores, which is a significant portion of garbage collection.
        (JSC::Heap::visitSmallStrings): Check to see if we need to visit
        SmallStrings based on the collection type.
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::visitStrongReferences): Set the fact that we have
        visited the SmallStrings since the last modification.
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::needsToBeVisited): If we're doing a
        FullCollection, we need to visit. Otherwise, it depends on whether
        we've been visited since the last modification/allocation.

2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>

        Add a build flag for ES6 class syntax
        https://bugs.webkit.org/show_bug.cgi?id=140760

        Reviewed by Michael Saboff.

        Added ES6_CLASS_SYNTAX build flag and used it in tokenizer to recognize
        "class", "extends", "static" and "super" keywords.

        * Configurations/FeatureDefines.xcconfig:
        * parser/Keywords.table:
        * parser/ParserTokens.h:

2015-01-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r178894.
        https://bugs.webkit.org/show_bug.cgi?id=140775

        Broke JSC and bindings tests (Requested by ap_ on #webkit).

        Reverted changeset:

        "put_by_val_direct need to check the property is index or not
        for using putDirect / putDirectIndex"
        https://bugs.webkit.org/show_bug.cgi?id=140426
        http://trac.webkit.org/changeset/178894

2015-01-22  Mark Lam  <mark.lam@apple.com>

        BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
        <https://webkit.org/b/140743>

        Reviewed by Oliver Hunt.

        BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
        op_put_to_scope to an inappropriate value (i.e. 0).  As a result, the execution
        of put_to_scope could store a wrong inferred value into the VariableWatchpointSet
        for whichever captured variable is at local index 0.  In practice, this turns
        out to be the local for the Arguments object.  In the reproduction case in the
        bug, the wrong inferred value written there is the boolean true.

        Subsequently, DFG compilation occurs and CreateArguments is emitted to first do
        a check of the local for the Arguments object.  But because that local has a
        wrong inferred value, the check always discovers a non-null value and we never
        actually create the Arguments object.  Immediately after this, an OSR exit
        occurs leaving the Arguments object local uninitialized.  Later on at arguments
        tear off, we run into a boolean true where we had expected to find an Arguments
        object, which in turn, leads to the crash.

        The fix is to:
        1. In the case where the resolveModeType is LocalClosureVar, change the
           5th operand of op_put_to_scope to be a boolean.  True means that the
           local var is watchable.  False means it is not watchable.  We no longer
           pass the local index (instead of true) and UINT_MAX (instead of false).

           This allows us to express more clearly in the code what that value means,
           as well as remove the redundant way of getting the local's identifier.
           The identifier is always the one passed in the 2nd operand.

        2. Previously, though intuitively, we know that the watchable variable
           identifier should be the same as the one that is passed in operand 2, this
           relationship was not clear in the code.  By code analysis, I confirmed that
           the callers of BytecodeGenerator::emitPutToScope() always use the same
           identifier for operand 2 and for filling out the ResolveScopeInfo from
           which we get the watchable variable identifier later.  I've changed the
           code to make this clear now by always using the identifier passed in
           operand 2.

        3. In the case where the resolveModeType is LocalClosureVar,
           initializeCapturedVariable() and emitPutToScope() will now query
           hasWatchableVariable() to determine if the local is watchable or not.
           Accordingly, we pass the boolean result of hasWatchableVariable() as
           operand 5 of op_put_to_scope.

        Also added some assertions.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::initializeCapturedVariable):
        (JSC::BytecodeGenerator::hasConstant):
        (JSC::BytecodeGenerator::emitPutToScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::hasWatchableVariable):
        (JSC::BytecodeGenerator::watchableVariableIdentifier):
        (JSC::BytecodeGenerator::watchableVariable): Deleted.

2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>

        PropertyListNode::emitNode duplicates the code to put a constant property
        https://bugs.webkit.org/show_bug.cgi?id=140761

        Reviewed by Geoffrey Garen.

        Extracted PropertyListNode::emitPutConstantProperty to share the code.

        Also made PropertyListNode::emitBytecode private since nobody is calling this function directly.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        (JSC::PropertyListNode::emitPutConstantProperty): Added.
        * parser/Nodes.h:

2015-01-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
        https://bugs.webkit.org/show_bug.cgi?id=140426

        Reviewed by Geoffrey Garen.

        In the put_by_val_direct operation, we use JSObject::putDirect.
        However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
        This patch changes Identifier::asIndex() to return Optional<uint32_t>.
        It forces callers to check explicitly whether the value is an index or not.
        Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStubAndGetOldStructure):
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::put):
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/PropertyName.h:
        (JSC::toUInt32FromCharacters):
        (JSC::toUInt32FromStringImpl):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):

2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>

        Consolidate out arguments of parseFunctionInfo into a struct
        https://bugs.webkit.org/show_bug.cgi?id=140754

        Reviewed by Oliver Hunt.

        Introduced ParserFunctionInfo for storing out arguments of parseFunctionInfo.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty): This one takes a property name in addition to
        ParserFunctionInfo since the property name and the function name could differ.
        (JSC::ASTBuilder::createFuncDeclStatement):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        * parser/ParserFunctionInfo.h: Added.
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionExpr):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createClassDeclStatement):
        (JSC::SyntaxChecker::createGetterOrSetterProperty):

2015-01-21  Mark Hahnenberg  <mhahnenb@gmail.com>

        Change Heap::m_compiledCode to use a Vector
        https://bugs.webkit.org/show_bug.cgi?id=140717

        Reviewed by Andreas Kling.

        Right now it's a DoublyLinkedList, which is iterated during each
        collection. This contributes to some of the longish Eden pause times.
        A Vector would be more appropriate and would also allow ExecutableBase
        to be 2 pointers smaller.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):
        (JSC::Heap::deleteAllUnlinkedFunctionCode):
        (JSC::Heap::clearUnmarkedExecutables):
        * heap/Heap.h:
        * runtime/Executable.h: No longer need to inherit from DoublyLinkedListNode.

2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>

        BytecodeGenerator shouldn't expose all of its member variables
        https://bugs.webkit.org/show_bug.cgi?id=140752

        Reviewed by Mark Lam.

        Added "private:" and removed unused data members as detected by clang.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::lastOpcodeID): Added. Used in BinaryOpNode::emitBytecode.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):

2015-01-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ASSERT expanding objects in console PrimitiveBindingTraits<T>::assertValueHasExpectedType
        https://bugs.webkit.org/show_bug.cgi?id=140746

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        Do not add impure properties to the descriptor object that will
        eventually be sent to the frontend.

2015-01-21  Matthew Mirman  <mmirman@apple.com>

        Updated split such that it does not include the empty end of input string match.
        https://bugs.webkit.org/show_bug.cgi?id=138129
        <rdar://problem/18807403>

        Reviewed by Filip Pizlo.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):
        * tests/stress/empty_eos_regex_split.js: Added.

2015-01-21  Michael Saboff  <msaboff@apple.com>

        Eliminate Scope slot from JavaScript CallFrame
        https://bugs.webkit.org/show_bug.cgi?id=136724

        Reviewed by Geoffrey Garen.

        This finishes the removal of the scope chain slot from the call frame header.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::emit):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        * interpreter/JSStack.h:
        * interpreter/VMInspector.cpp:
        (JSC::VMInspector::dumpFrame):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForThunkGenerator):
        (JSC::nativeForGenerator):
        Deleted ScopeChain slot from JSStack.  Removed all code where ScopeChain was being
        read or set.  In most cases this was where we make JS calls.

        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::setArgument):
        (JSC::CallFrameClosure::resetCallFrame): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/ProtoCallFrame.cpp:
        (JSC::ProtoCallFrame::init):
        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::scope): Deleted.
        (JSC::ProtoCallFrame::setScope): Deleted.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        Removed the related scopeChainValue member from ProtoCallFrame.  Reduced the number of
        registers that needed to be copied from the ProtoCallFrame to a callee's frame
        from 5 to 4.

        * llint/LowLevelInterpreter32_64.asm:
        In addition to the prior changes, also deleted the unused macro getDeBruijnScope.

2015-01-21  Michael Saboff  <msaboff@apple.com>

        Eliminate construct methods from NullGetterFunction and NullSetterFunction classes
        https://bugs.webkit.org/show_bug.cgi?id=140708

        Reviewed by Mark Lam.

        Eliminated construct methods and changed getConstructData() for both classes to return
        ConstructTypeNone as they can never be called.

        * runtime/NullGetterFunction.cpp:
        (JSC::NullGetterFunction::getConstructData):
        (JSC::constructReturnUndefined): Deleted.
        * runtime/NullSetterFunction.cpp:
        (JSC::NullSetterFunction::getConstructData):
        (JSC::constructReturnUndefined): Deleted.

2015-01-21  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ENABLE(INSPECTOR) ifdef guards
        https://bugs.webkit.org/show_bug.cgi?id=140668

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:
        * bindings/ScriptValue.cpp:
        (Deprecated::ScriptValue::toInspectorValue):
        * bindings/ScriptValue.h:
        * inspector/ConsoleMessage.cpp:
        * inspector/ConsoleMessage.h:
        * inspector/ContentSearchUtilities.cpp:
        * inspector/ContentSearchUtilities.h:
        * inspector/IdentifiersFactory.cpp:
        * inspector/IdentifiersFactory.h:
        * inspector/InjectedScript.cpp:
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptBase.cpp:
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptHost.cpp:
        * inspector/InjectedScriptHost.h:
        * inspector/InjectedScriptManager.cpp:
        * inspector/InjectedScriptManager.h:
        * inspector/InjectedScriptModule.cpp:
        * inspector/InjectedScriptModule.h:
        * inspector/InspectorAgentRegistry.cpp:
        * inspector/InspectorBackendDispatcher.cpp:
        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorProtocolTypes.h:
        * inspector/JSGlobalObjectConsoleClient.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/JSInjectedScriptHost.cpp:
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSInjectedScriptHostPrototype.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/JSJavaScriptCallFramePrototype.h:
        * inspector/JavaScriptCallFrame.cpp:
        * inspector/JavaScriptCallFrame.h:
        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::buildInspectorArray):
        * inspector/ScriptCallStack.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/InspectorAgent.cpp:
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/scripts/codegen/cpp_generator_templates.py:
        (CppGeneratorTemplates):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::StructureShape::inspectorRepresentation):

2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Clean up InjectedScriptSource.js
        https://bugs.webkit.org/show_bug.cgi?id=140709

        Reviewed by Timothy Hatcher.

        This patch includes some relevant Blink patches and small changes.

        Patch by <aandrey@chromium.org>
        DevTools: Remove console last result $_ on console clear.
        https://src.chromium.org/viewvc/blink?revision=179179&view=revision

        Patch by <eustas@chromium.org>
        [Inspect DOM properties] incorrect CSS Selector Syntax
        https://src.chromium.org/viewvc/blink?revision=156903&view=revision

        * inspector/InjectedScriptSource.js:

2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup RuntimeAgent a bit
        https://bugs.webkit.org/show_bug.cgi?id=140706

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScript.h:
        * inspector/InspectorBackendDispatcher.h:
        * inspector/ScriptCallFrame.cpp:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::run):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):

2015-01-20  Matthew Mirman  <mmirman@apple.com>

        Made Identity in the DFG allocate a new temp register and move
        the old data to it.
        https://bugs.webkit.org/show_bug.cgi?id=140700
        <rdar://problem/19339106>

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        Added scratch registers for Identity.
        * tests/mozilla/mozilla-tests.yaml: enabled previously failing test

2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Expanding event objects in console shows undefined for most values, it should have real values
        https://bugs.webkit.org/show_bug.cgi?id=137306

        Reviewed by Timothy Hatcher.

        Provide another optional parameter to getProperties, to gather a list
        of all own and getter properties.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getProperties):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptSource.js:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getProperties):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Should show dynamic specificity values
        https://bugs.webkit.org/show_bug.cgi?id=140647

        Reviewed by Benjamin Poulain.

        * inspector/protocol/CSS.json:
        Clarify CSSSelector optional values and add "dynamic" property indicating
        if the selector can be dynamic based on the element it is matched against.

2015-01-20  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r178751.
        https://bugs.webkit.org/show_bug.cgi?id=140694

        Caused 32-bit JSC test failures (Requested by JoePeck on
        #webkit).

        Reverted changeset:

        "put_by_val_direct need to check the property is index or not
        for using putDirect / putDirectIndex"
        https://bugs.webkit.org/show_bug.cgi?id=140426
        http://trac.webkit.org/changeset/178751

2015-01-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
        https://bugs.webkit.org/show_bug.cgi?id=140426

        Reviewed by Geoffrey Garen.

        In the put_by_val_direct operation, we use JSObject::putDirect.
        However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
        This patch changes Identifier::asIndex() to return Optional<uint32_t>.
        It forces callers to check explicitly whether the value is an index or not.
        Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStubAndGetOldStructure):
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::put):
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/PropertyName.h:
        (JSC::toUInt32FromCharacters):
        (JSC::toUInt32FromStringImpl):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
2075
2076 2015-01-20  Michael Saboff  <msaboff@apple.com>
2077
2078         REGRESSION(178696): Sporadic crashes while garbage collecting
2079         https://bugs.webkit.org/show_bug.cgi?id=140688
2080
2081         Reviewed by Geoffrey Garen.
2082
2083         Added missing visitor.append(&thisObject->m_nullSetterFunction).
2084
2085         * runtime/JSGlobalObject.cpp:
2086         (JSC::JSGlobalObject::visitChildren):
2087
2088 2015-01-19  Brian J. Burg  <burg@cs.washington.edu>
2089
2090         Web Replay: code generator should take supplemental specifications and allow cross-framework references
2091         https://bugs.webkit.org/show_bug.cgi?id=136312
2092
2093         Reviewed by Joseph Pecoraro.
2094
2095         Some types are shared between replay inputs from different frameworks.
2096         Previously, these type declarations were duplicated in every input
2097         specification file in which they were used. This caused some type encoding
2098         traits to be emitted twice if used from WebCore inputs and WebKit2 inputs.
2099
2100         This patch teaches the replay inputs code generator to accept multiple
2101         input specification files. Inputs can freely reference types from other
2102         frameworks without duplicating declarations.
2103
2104         On the code generation side, the model could contain types and inputs from
2105         frameworks that are not the target framework. Only generate code for the
2106         target framework.
2107
2108         To properly generate cross-framework type encoding traits, use
2109         Type.encoding_type_argument in more places, and add the export macro for WebCore
2110         and the Test framework.
2111
2112         Adjust some tests so that enum coverage is preserved by moving the enum types
2113         into "Test" (the target framework for tests).
2114
2115         * JavaScriptCore.vcxproj/copy-files.cmd:
2116         For Windows, copy over JSInputs.json as if it were a private header.
2117
2118         * JavaScriptCore.xcodeproj/project.pbxproj: Make JSInputs.json a private header.
2119         * replay/JSInputs.json:
2120         Put all primitive types and WTF types in this specification file.
2121
2122         * replay/scripts/CodeGeneratorReplayInputs.py:
2123         (Input.__init__):
2124         (InputsModel.__init__): Keep track of the input's framework.
2125         (InputsModel.parse_specification): Parse the framework here. Adjust to new format,
2126         and allow either types or inputs to be missing from a single file.
2127
2128         (InputsModel.parse_type_with_framework):
2129         (InputsModel.parse_input_with_framework):
2130         (Generator.should_generate_item): Added helper method.
2131         (Generator.generate_header): Filter inputs to generate.
2132         (Generator.generate_implementation): Filter inputs to generate.
2133         (Generator.generate_enum_trait_declaration): Filter enums to generate.
2134         Add WEBCORE_EXPORT macro to enum encoding traits.
2135
2136         (Generator.generate_for_each_macro): Filter inputs to generate.
2137         (Generator.generate_enum_trait_implementation): Filter enums to generate.
2138         (generate_from_specifications): Added.
2139         (generate_from_specifications.parse_json_from_file):
2140         (InputsModel.parse_toplevel): Deleted.
2141         (InputsModel.parse_type_with_framework_name): Deleted.
2142         (InputsModel.parse_input): Deleted.
2143         (generate_from_specification): Deleted.
2144         * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
2145         * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Removed.
2146         * replay/scripts/tests/expected/fail-on-no-types.json-error: Removed.
2147         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
2148         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
2149         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
2150         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
2151         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
2152         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
2153         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
2154         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
2155         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
2156         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2157         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
2158         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
2159         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json:
2160         * replay/scripts/tests/fail-on-duplicate-enum-type.json:
2161         * replay/scripts/tests/fail-on-duplicate-input-names.json:
2162         * replay/scripts/tests/fail-on-duplicate-type-names.json:
2163         * replay/scripts/tests/fail-on-enum-type-missing-values.json:
2164         * replay/scripts/tests/fail-on-missing-input-member-name.json:
2165         * replay/scripts/tests/fail-on-missing-input-name.json:
2166         * replay/scripts/tests/fail-on-missing-input-queue.json:
2167         * replay/scripts/tests/fail-on-missing-type-mode.json:
2168         * replay/scripts/tests/fail-on-missing-type-name.json:
2169         * replay/scripts/tests/fail-on-no-inputs.json:
2170         Removed, no longer required to be in a single file.
2171
2172         * replay/scripts/tests/fail-on-no-types.json:
2173         Removed, no longer required to be in a single file.
2174
2175         * replay/scripts/tests/fail-on-unknown-input-queue.json:
2176         * replay/scripts/tests/fail-on-unknown-member-type.json:
2177         * replay/scripts/tests/fail-on-unknown-type-mode.json:
2178         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json:
2179         * replay/scripts/tests/generate-enum-encoding-helpers.json:
2180         * replay/scripts/tests/generate-enum-with-guard.json:
2181         Include enums that are and are not generated.
2182
2183         * replay/scripts/tests/generate-enums-with-same-base-name.json:
2184         * replay/scripts/tests/generate-event-loop-shape-types.json:
2185         * replay/scripts/tests/generate-input-with-guard.json:
2186         * replay/scripts/tests/generate-input-with-vector-members.json:
2187         * replay/scripts/tests/generate-inputs-with-flags.json:
2188         * replay/scripts/tests/generate-memoized-type-modes.json:
2189
2190 2015-01-20  Tomas Popela  <tpopela@redhat.com>
2191
2192         [GTK] Cannot compile 2.7.3 on PowerPC machines
2193         https://bugs.webkit.org/show_bug.cgi?id=140616
2194
2195         Include climits for INT_MAX and wtf/DataLog.h for dataLogF
2196
2197         Reviewed by Csaba Osztrogonác.
2198
2199         * runtime/BasicBlockLocation.cpp:
2200
2201 2015-01-19  Michael Saboff  <msaboff@apple.com>
2202
2203         A "cached" null setter should throw a TypeException when called in strict mode and doesn't
2204         https://bugs.webkit.org/show_bug.cgi?id=139418
2205
2206         Reviewed by Filip Pizlo.
2207
2208         Made a new NullSetterFunction class similar to NullGetterFunction.  The difference is that 
2209         NullSetterFunction will throw a TypeError per the ECMA262 spec for a strict mode caller.
2210
2211         * CMakeLists.txt:
2212         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2213         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2214         * JavaScriptCore.xcodeproj/project.pbxproj:
2215         Added new files NullSetterFunction.cpp and NullSetterFunction.h.
2216
2217         * runtime/GetterSetter.h:
2218         (JSC::GetterSetter::GetterSetter):
2219         (JSC::GetterSetter::isSetterNull):
2220         (JSC::GetterSetter::setSetter):
2221         Change setter instances from using NullGetterFunction to using NullSetterFunction.
2222
2223         * runtime/JSGlobalObject.cpp:
2224         (JSC::JSGlobalObject::init):
2225         * runtime/JSGlobalObject.h:
2226         (JSC::JSGlobalObject::nullSetterFunction):
2227         Added m_nullSetterFunction and accessor.
2228
2229         * runtime/NullSetterFunction.cpp: Added.
2230         (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
2231         (JSC::GetCallerStrictnessFunctor::operator()):
2232         (JSC::GetCallerStrictnessFunctor::callerIsStrict):
2233         (JSC::callerIsStrict):
2234         Method to determine if the caller is in strict mode.
2235
2236         (JSC::callReturnUndefined):
2237         (JSC::constructReturnUndefined):
2238         (JSC::NullSetterFunction::getCallData):
2239         (JSC::NullSetterFunction::getConstructData):
2240         * runtime/NullSetterFunction.h: Added.
2241         (JSC::NullSetterFunction::create):
2242         (JSC::NullSetterFunction::createStructure):
2243         (JSC::NullSetterFunction::NullSetterFunction):
2244         Class with handlers for a null setter.
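
        The strict-mode behaviour this entry describes, as an added example that is not
        JSC's code: an accessor property with a getter but no setter has a "null setter",
        and ECMA-262 requires an assignment to it to be a silent no-op in sloppy mode but a
        TypeError in strict mode. The loops repeat the assignment so that later iterations,
        where an engine may serve the put from its inline cache (the "cached" setter), are
        checked as well as the first one. Names such as makeTarget and checkNullSetterBehaviour
        are this example's own.

```javascript
// Builds an object whose "ro" property has a getter and no setter (a null setter).
function makeTarget() {
  const obj = {};
  Object.defineProperty(obj, "ro", {
    get() { return 42; },
    // no `set` here: the setter slot is null
    enumerable: true,
    configurable: true,
  });
  return obj;
}

// Sloppy-mode writer. Built with the Function constructor so the body is
// non-strict code even if this file itself is loaded as a (strict) ES module.
// Every assignment must be silently ignored; `threw` counts exceptions.
const assignSloppy = new Function("obj", "iterations", `
  let threw = 0;
  for (let i = 0; i < iterations; i++) {
    try {
      obj.ro = i;   // getter-only accessor: ignored in non-strict code
    } catch (e) {
      threw++;
    }
  }
  return { threw, value: obj.ro };
`);

// Strict-mode writer. Every assignment must throw a TypeError, including the
// repeated ones that a JIT may serve from a cached put stub.
function assignStrict(obj, iterations) {
  "use strict";
  let typeErrors = 0;
  let other = 0;
  for (let i = 0; i < iterations; i++) {
    try {
      obj.ro = i;
    } catch (e) {
      if (e instanceof TypeError) typeErrors++;
      else other++;
    }
  }
  return { typeErrors, other, value: obj.ro };
}

// Runs both writers against fresh targets and reports whether each matches
// the specified behaviour. The getter must still return 42 afterwards in both
// cases, since no assignment may have actually stored anything.
function checkNullSetterBehaviour(iterations = 1000) {
  const sloppy = assignSloppy(makeTarget(), iterations);
  const strict = assignStrict(makeTarget(), iterations);
  return {
    sloppyOk: sloppy.threw === 0 && sloppy.value === 42,
    strictOk: strict.typeErrors === iterations && strict.other === 0 && strict.value === 42,
  };
}
```

        An engine that cached the sloppy-mode "do nothing" setter and reused it for a
        strict-mode caller would report strictOk as false here.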
2245
2246 2015-01-19  Saam Barati  <saambarati1@gmail.com>
2247
2248         Web Inspector: Provide a front end for JSC's Control Flow Profiler
2249         https://bugs.webkit.org/show_bug.cgi?id=138454
2250
2251         Reviewed by Timothy Hatcher.
2252
2253         This patch puts the final touches on what JSC needs to provide
2254         for the Web Inspector to show a UI for the control flow profiler.
2255
2256         * inspector/agents/InspectorRuntimeAgent.cpp:
2257         (Inspector::recompileAllJSFunctionsForTypeProfiling):
2258         * runtime/ControlFlowProfiler.cpp:
2259         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
2260         * runtime/FunctionHasExecutedCache.cpp:
2261         (JSC::FunctionHasExecutedCache::getFunctionRanges):
2262         (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges): Deleted.
2263         * runtime/FunctionHasExecutedCache.h:
2264
2265 2015-01-19  David Kilzer  <ddkilzer@apple.com>
2266
2267         [iOS] Only use LLVM static library arguments on 64-bit builds of libllvmForJSC.dylib
2268         <http://webkit.org/b/140658>
2269
2270         Reviewed by Filip Pizlo.
2271
2272         * Configurations/LLVMForJSC.xcconfig: Set OTHER_LDFLAGS_LLVM
2273         only when building for 64-bit architectures.
2274
2275 2015-01-19  Filip Pizlo  <fpizlo@apple.com>
2276
2277         ClosureCallStubRoutine no longer needs codeOrigin
2278         https://bugs.webkit.org/show_bug.cgi?id=140659
2279
2280         Reviewed by Michael Saboff.
2281         
2282         Once upon a time, we would look for the CodeOrigin associated with a return PC. This search
2283         would start with the CodeBlock according to the caller frame's call frame header. But if the
2284         call was a closure call, the return PC would be inside some closure call stub. So if the
2285         CodeBlock search failed, we would search *all* closure call stub routines to see which one
2286         encompasses the return PC. Then, we would use the CodeOrigin stored in the stub routine
2287         object. This was all a bunch of madness, and we actually got rid of it - we now determine
2288         the CodeOrigin for a call frame using the encoded code origin bits inside the tag of the
2289         argument count.
2290         
2291         This patch removes the final vestiges of the madness:
2292         
2293         - Remove the totally unused method declaration for the thing that did the closure call stub
2294           search.
2295         
2296         - Remove the CodeOrigin field from the ClosureCallStubRoutine. Except for that crazy search
2297           that we no longer do, everyone else who finds a ClosureCallStubRoutine will find it via
2298           the CallLinkInfo. The CallLinkInfo also has the CodeOrigin, so we don't need this field
2299           anymore.
2300
2301         * bytecode/CodeBlock.h:
2302         * jit/ClosureCallStubRoutine.cpp:
2303         (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
2304         * jit/ClosureCallStubRoutine.h:
2305         (JSC::ClosureCallStubRoutine::executable):
2306         (JSC::ClosureCallStubRoutine::codeOrigin): Deleted.
2307         * jit/Repatch.cpp:
2308         (JSC::linkClosureCall):
2309
2310 2015-01-19  Saam Barati  <saambarati1@gmail.com>
2311
2312         Basic block start offsets should never be larger than end offsets in the control flow profiler
2313         https://bugs.webkit.org/show_bug.cgi?id=140377
2314
2315         Reviewed by Filip Pizlo.
2316
2317         The bytecode generator will emit code more than once for some AST nodes. For instance, 
2318         the finally block of TryNode will emit two code paths for its finally block: one for 
2319         the normal path, and another for the path where an exception is thrown in the catch block. 
2320         
2321         This repeated code emission of the same AST node previously broke how the control 
2322         flow profiler computed text ranges of basic blocks because when the same AST node 
2323         is emitted multiple times, there is a good chance that there are ranges that span 
2324         from the end offset of one of these duplicated nodes back to the start offset of 
2325         the same duplicated node. This caused a basic block range to report a larger start 
2326         offset than end offset. This was incorrect. Now, when this situation is encountered 
2327         while linking a CodeBlock, the faulty range in question is ignored.
2328
2329         * bytecode/CodeBlock.cpp:
2330         (JSC::CodeBlock::CodeBlock):
2331         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2332         * bytecode/CodeBlock.h:
2333         * bytecompiler/NodesCodegen.cpp:
2334         (JSC::ForInNode::emitMultiLoopBytecode):
2335         (JSC::ForOfNode::emitBytecode):
2336         (JSC::TryNode::emitBytecode):
2337         * parser/Parser.cpp:
2338         (JSC::Parser<LexerType>::parseConditionalExpression):
2339         * runtime/ControlFlowProfiler.cpp:
2340         (JSC::ControlFlowProfiler::ControlFlowProfiler):
2341         * runtime/ControlFlowProfiler.h:
2342         (JSC::ControlFlowProfiler::dummyBasicBlock):
2343
2344 2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>
2345
2346         [SVG -> OTF Converter] Flip the switch on
2347         https://bugs.webkit.org/show_bug.cgi?id=140592
2348
2349         Reviewed by Antti Koivisto.
2350
2351         * Configurations/FeatureDefines.xcconfig:
2352
2353 2015-01-19  Brian J. Burg  <burg@cs.washington.edu>
2354
2355         Web Replay: convert to is<T> and downcast<T> for decoding replay inputs
2356         https://bugs.webkit.org/show_bug.cgi?id=140512
2357
2358         Reviewed by Chris Dumez.
2359
2360         Generate a SPECIALIZE_TYPE_TRAITS_* chunk of code for each input. This cannot
2361         be done using REPLAY_INPUT_NAMES_FOR_EACH macro since that doesn't fully qualify
2362         input types, and the type traits macro is defined in namespace WTF.
2363
2364         * replay/NondeterministicInput.h: Make overridden methods public.
2365         * replay/scripts/CodeGeneratorReplayInputs.py:
2366         (Generator.generate_header):
2367         (Generator.qualified_input_name): Allow forcing qualification. WTF is never a target framework.
2368         (Generator.generate_input_type_trait_declaration): Added.
2369         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Add a template.
2370         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
2371         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
2372         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
2373         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
2374         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
2375         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
2376         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
2377         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
2378
2379 2015-01-19  Commit Queue  <commit-queue@webkit.org>
2380
2381         Unreviewed, rolling out r178653.
2382         https://bugs.webkit.org/show_bug.cgi?id=140634
2383
2384         Broke multiple SVG tests on Mountain Lion (Requested by ap on
2385         #webkit).
2386
2387         Reverted changeset:
2388
2389         "[SVG -> OTF Converter] Flip the switch on"
2390         https://bugs.webkit.org/show_bug.cgi?id=140592
2391         http://trac.webkit.org/changeset/178653
2392
2393 2015-01-18  Dean Jackson  <dino@apple.com>
2394
2395         ES6: Support Array.of construction
2396         https://bugs.webkit.org/show_bug.cgi?id=140605
2397         <rdar://problem/19513655>
2398
2399         Reviewed by Geoffrey Garen.
2400
2401         Add an implementation of Array.of, described in 22.1.2.3 of the ES6
2402         specification (15 Jan 2015). The Array.of() method creates a new Array
2403         instance with a variable number of arguments, regardless of number or type
2404         of the arguments.
2405
2406         * runtime/ArrayConstructor.cpp:
2407         (JSC::arrayConstructorOf): Create a new empty Array, then iterate
2408         over the arguments, setting them to the appropriate index.
2409
2410 2015-01-19  Myles C. Maxfield  <mmaxfield@apple.com>
2411
2412         [SVG -> OTF Converter] Flip the switch on
2413         https://bugs.webkit.org/show_bug.cgi?id=140592
2414
2415         Reviewed by Antti Koivisto.
2416
2417         * Configurations/FeatureDefines.xcconfig:
2418
2419 2015-01-17  Brian J. Burg  <burg@cs.washington.edu>
2420
2421         Web Inspector: highlight data for overlay should use protocol type builders
2422         https://bugs.webkit.org/show_bug.cgi?id=129441
2423
2424         Reviewed by Timothy Hatcher.
2425
2426         Add a new domain for overlay types.
2427
2428         * CMakeLists.txt:
2429         * DerivedSources.make:
2430         * inspector/protocol/OverlayTypes.json: Added.
2431
2432 2015-01-17  Michael Saboff  <msaboff@apple.com>
2433
2434         Crash in JSScope::resolve() on tools.ups.com
2435         https://bugs.webkit.org/show_bug.cgi?id=140579
2436
2437         Reviewed by Geoffrey Garen.
2438
2439         For op_resolve_scope of a global property or variable that needs to check for the var
2440         injection check watchpoint, we need to keep the scope around with a Phantom.  The
2441         baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint
2442         fired.
2443
2444         * dfg/DFGByteCodeParser.cpp:
2445         (JSC::DFG::ByteCodeParser::parseBlock):
2446
2447 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2448
2449         Web Inspector: code generator should introduce typedefs for protocol types that are arrays
2450         https://bugs.webkit.org/show_bug.cgi?id=140557
2451
2452         Reviewed by Joseph Pecoraro.
2453
2454         Currently, there is no generated type name for "array" type declarations such as Console.CallStack.
2455         This makes it long-winded and confusing to use the type in C++ code.
2456
2457         This patch adds a typedef for array type declarations, so types such as Console::CallStack
2458         can be referred to directly, rather than using Inspector::Protocol::Array<Console::CallFrame>.
2459
2460         Some tests were updated to cover array type declarations used as parameters and type members.
2461
2462         * inspector/ScriptCallStack.cpp: Use the new typedef.
2463         (Inspector::ScriptCallStack::buildInspectorArray):
2464         * inspector/ScriptCallStack.h:
2465         * inspector/scripts/codegen/cpp_generator.py:
2466         (CppGenerator.cpp_protocol_type_for_type): If an ArrayType is nominal, use the typedef'd name instead.
2467         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2468         (_generate_typedefs_for_domain): Also generate typedefs for array type declarations.
2469         (_generate_typedefs_for_domain.Inspector):
2470         * inspector/scripts/codegen/models.py: Save the name of an ArrayType when it is a type declaration.
2471         (ArrayType.__init__):
2472         (Protocol.resolve_types):
2473         (Protocol.lookup_type_reference):
2474         * inspector/scripts/tests/commands-with-async-attribute.json:
2475         * inspector/scripts/tests/commands-with-optional-call-return-parameters.json:
2476         * inspector/scripts/tests/events-with-optional-parameters.json:
2477         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2478         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2479         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2480         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2481         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2482         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2483         * inspector/scripts/tests/type-declaration-object-type.json:
2484
2485 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2486
2487         Web Replay: purge remaining PassRefPtr uses and minor cleanup
2488         https://bugs.webkit.org/show_bug.cgi?id=140456
2489
2490         Reviewed by Andreas Kling.
2491
2492         Get rid of PassRefPtr. Introduce default initializers where it makes sense.
2493         Remove mistaken uses of AtomicString that were not removed as part of r174113.
2494
2495         * replay/EmptyInputCursor.h:
2496         * replay/InputCursor.h:
2497         (JSC::InputCursor::InputCursor):
2498
2499 2015-01-16  Brian J. Burg  <burg@cs.washington.edu>
2500
2501         Web Inspector: code generator should fail on duplicate parameter and member names
2502         https://bugs.webkit.org/show_bug.cgi?id=140555
2503
2504         Reviewed by Timothy Hatcher.
2505
2506         * inspector/scripts/codegen/models.py:
2507         (find_duplicates): Add a helper function to find duplicates in a list.
2508         (Protocol.parse_type_declaration):
2509         (Protocol.parse_command):
2510         (Protocol.parse_event):
2511         * inspector/scripts/tests/expected/fail-on-duplicate-command-call-parameter-names.json-error: Added.
2512         * inspector/scripts/tests/expected/fail-on-duplicate-command-return-parameter-names.json-error: Added.
2513         * inspector/scripts/tests/expected/fail-on-duplicate-event-parameter-names.json-error: Added.
2514         * inspector/scripts/tests/expected/fail-on-duplicate-type-member-names.json-error: Added.
2515         * inspector/scripts/tests/fail-on-duplicate-command-call-parameter-names.json: Added.
2516         * inspector/scripts/tests/fail-on-duplicate-command-return-parameter-names.json: Added.
2517         * inspector/scripts/tests/fail-on-duplicate-event-parameter-names.json: Added.
2518         * inspector/scripts/tests/fail-on-duplicate-type-member-names.json: Added.
2519
2520 2015-01-16  Michael Saboff  <msaboff@apple.com>
2521
2522         REGRESSION (r174226): Header on huffingtonpost.com is too large
2523         https://bugs.webkit.org/show_bug.cgi?id=140306
2524
2525         Reviewed by Filip Pizlo.
2526
2527         BytecodeGenerator::willResolveToArguments() is used to check to see if we can use the
2528         arguments register or whether we need to resolve "arguments".  If the arguments have
2529         been captured, then they are stored in the lexical environment and the arguments
2530         register is not used.
2531
2532         Changed BytecodeGenerator::willResolveToArguments() to also check to see if the arguments
2533         register is captured.  Renamed the function to willResolveToArgumentsRegister() to
2534         better indicate what we are checking.
2535
2536         Aligned 32 and 64 bit paths in ArgumentsRecoveryGenerator::generateFor() for creating
2537         an arguments object that was optimized out of an inlined callFrame.  The 32 bit path
2538         incorrectly calculated the location of the reified callee frame.  This alignment resulted
2539         in the removal of operationCreateInlinedArgumentsDuringOSRExit().
2540
2541         * bytecompiler/BytecodeGenerator.cpp:
2542         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
2543         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
2544         (JSC::BytecodeGenerator::emitCall):
2545         (JSC::BytecodeGenerator::emitConstruct):
2546         (JSC::BytecodeGenerator::emitEnumeration):
2547         (JSC::BytecodeGenerator::willResolveToArguments): Deleted.
2548         * bytecompiler/BytecodeGenerator.h:
2549         * bytecompiler/NodesCodegen.cpp:
2550         (JSC::BracketAccessorNode::emitBytecode):
2551         (JSC::DotAccessorNode::emitBytecode):
2552         (JSC::getArgumentByVal):
2553         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2554         (JSC::ArrayPatternNode::emitDirectBinding):
2555         * dfg/DFGOSRExitCompilerCommon.cpp:
2556         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
2557         * dfg/DFGOperations.cpp:
2558         (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
2559         * dfg/DFGOperations.h:
2560         (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
2561
2562 2015-01-15  Csaba Osztrogonác  <ossy@webkit.org>
2563
2564         Remove ENABLE(SQL_DATABASE) guards
2565         https://bugs.webkit.org/show_bug.cgi?id=140434
2566
2567         Reviewed by Darin Adler.
2568
2569         * CMakeLists.txt:
2570         * Configurations/FeatureDefines.xcconfig:
2571         * DerivedSources.make:
2572         * inspector/protocol/Database.json:
2573
2574 2015-01-14  Alexey Proskuryakov  <ap@apple.com>
2575
2576         Web Inspector and regular console use different source code locations for messages
2577         https://bugs.webkit.org/show_bug.cgi?id=140478
2578
2579         Reviewed by Brian Burg.
2580
2581         * inspector/ConsoleMessage.h: Expose computed source location.
2582
2583         * inspector/agents/InspectorConsoleAgent.cpp:
2584         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2585         (Inspector::InspectorConsoleAgent::stopTiming):
2586         (Inspector::InspectorConsoleAgent::count):
2587         * inspector/agents/InspectorConsoleAgent.h:
2588         addMessageToConsole() now takes a pre-made ConsoleMessage object.
2589
2590         * inspector/JSGlobalObjectConsoleClient.cpp:
2591         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
2592         (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
2593         * inspector/JSGlobalObjectInspectorController.cpp:
2594         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2595         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2596         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2597         Updated for the above changes.
2598
2599 2015-01-15  Mark Lam  <mark.lam@apple.com>
2600
2601         [Part 2] Argument object created by "Function dot arguments" should use a clone of argument values.
2602         <https://webkit.org/b/140093>
2603
2604         Reviewed by Geoffrey Garen.
2605
2606         * interpreter/StackVisitor.cpp:
2607         (JSC::StackVisitor::Frame::createArguments):
2608         - We should not be fetching the lexicalEnvironment here.  The reason we've
2609           introduced the ClonedArgumentsCreationMode is because the lexicalEnvironment
2610           may not be available to us at this point.  Instead, we'll just pass a nullptr.
2611
2612         * runtime/Arguments.cpp:
2613         (JSC::Arguments::tearOffForCloning):
2614         * runtime/Arguments.h:
2615         (JSC::Arguments::finishCreation):
2616         - Use the new tearOffForCloning() to tear off arguments right out of the values
2617           passed on the stack.  tearOff() is not appropriate for this purpose because
2618           it takes slowArgumentsData into account.
2619
2620 2015-01-14  Matthew Mirman  <mmirman@apple.com>
2621
2622         Removed accidental commit of "invalid_array.js" 
2623         http://trac.webkit.org/changeset/178439
2624
2625         * tests/stress/invalid_array.js: Removed.
2626
2627 2015-01-14  Matthew Mirman  <mmirman@apple.com>
2628
2629         Fixes operationPutByIdOptimizes such that they check that the put didn't
2630         change the structure of the object whose property access is being
2631         cached.  Also removes uses of the new base value from the cache generation code.
2632         https://bugs.webkit.org/show_bug.cgi?id=139500
2633
2634         Reviewed by Filip Pizlo.
2635
2636         * jit/JITOperations.cpp:
2637         (JSC::operationPutByIdStrictOptimize): saved the structure before the put.
2638         (JSC::operationPutByIdNonStrictOptimize): ditto.
2639         (JSC::operationPutByIdDirectStrictOptimize): ditto.
2640         (JSC::operationPutByIdDirectNonStrictOptimize): ditto.
2641         * jit/Repatch.cpp:
2642         (JSC::generateByIdStub):
2643         (JSC::tryCacheGetByID):
2644         (JSC::tryBuildGetByIDList):
2645         (JSC::emitPutReplaceStub):
2646         (JSC::emitPutTransitionStubAndGetOldStructure): Added.
2647         (JSC::tryCachePutByID):
2648         (JSC::repatchPutByID):
2649         (JSC::tryBuildPutByIdList):
2650         (JSC::tryRepatchIn):
2651         (JSC::emitPutTransitionStub): Deleted.
2652         * jit/Repatch.h:
2653         * llint/LLIntSlowPaths.cpp:
2654         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2655         * runtime/JSPropertyNameEnumerator.h:
2656         (JSC::genericPropertyNameEnumerator):
2657         * runtime/Operations.h:
2658         (JSC::normalizePrototypeChainForChainAccess): restructured to not use the base value.
2659         (JSC::normalizePrototypeChain): restructured to not use the base value.
2660         * tests/mozilla/mozilla-tests.yaml:
2661         * tests/stress/proto-setter.js: Added.
2662         * tests/stress/put-by-id-build-list-order-recurse.js: Added.
2663         Added test that fails without this patch.
2664
2665 2015-01-13  Joseph Pecoraro  <pecoraro@apple.com>
2666
2667         Web Inspector: Remove unused ResizeImage and DecodeImageData timeline events
2668         https://bugs.webkit.org/show_bug.cgi?id=140404
2669
2670         Reviewed by Timothy Hatcher.
2671
2672         * inspector/protocol/Timeline.json:
2673
2674 2015-01-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2675
2676         DFG can call PutByValDirect for generic arrays
2677         https://bugs.webkit.org/show_bug.cgi?id=140389
2678
2679         Reviewed by Geoffrey Garen.
2680
2681         Computed properties in object initializers (ES6) use the put_by_val_direct operation.
2682         However, the current DFG asserts that put_by_val_direct is not used for the generic array,
2683         so the assertion failure is raised.
2684         This patch allows the DFG to use put_by_val_direct on generic arrays.
2685
2686         It also fixes the DFG put_by_val_direct implementation for string properties.
2687         At first, put_by_val_direct was intended to be used for spread elements.
2688         So the property keys were limited to numbers (indexes).
2689         But now, it's also used for computed properties in object initializers.
2690
2691         * dfg/DFGOperations.cpp:
2692         (JSC::DFG::operationPutByValInternal):
2693         * dfg/DFGSpeculativeJIT64.cpp:
2694         (JSC::DFG::SpeculativeJIT::compile):
2695
2696 2015-01-13  Geoffrey Garen  <ggaren@apple.com>
2697
2698         Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
2699         https://bugs.webkit.org/show_bug.cgi?id=140397
2700
2701         Reviewed by Geoffrey Garen.
2702
2703         Patch by Alexey Proskuryakov.
2704
2705         Reviewed, performance tested, and ChangeLogged by Geoffrey Garen.
2706
2707         No performance change.
2708
2709         No test, since this is a small past-the-end read, which is very
2710         difficult to turn into a reproducible failing test -- and existing tests
2711         crash reliably using ASan.
2712
2713         * bytecompiler/NodesCodegen.cpp:
2714         (JSC::BracketAccessorNode::emitBytecode):
2715         (JSC::DotAccessorNode::emitBytecode):
2716         (JSC::FunctionCallBracketNode::emitBytecode):
2717         (JSC::PostfixNode::emitResolve):
2718         (JSC::DeleteBracketNode::emitBytecode):
2719         (JSC::DeleteDotNode::emitBytecode):
2720         (JSC::PrefixNode::emitResolve):
2721         (JSC::UnaryOpNode::emitBytecode):
2722         (JSC::BitwiseNotNode::emitBytecode):
2723         (JSC::BinaryOpNode::emitBytecode):
2724         (JSC::EqualNode::emitBytecode):
2725         (JSC::StrictEqualNode::emitBytecode):
2726         (JSC::ThrowableBinaryOpNode::emitBytecode):
2727         (JSC::AssignDotNode::emitBytecode):
2728         (JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any
2729         register used across a call to a function that might allocate a new
2730         temporary register must be held in a RefPtr.
2731
2732 2015-01-12  Michael Saboff  <msaboff@apple.com>
2733
2734         Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
2735         https://bugs.webkit.org/show_bug.cgi?id=140348
2736
2737         Reviewed by Mark Lam.
2738
2739         We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late
2740         because those registers may have been spilled on the stack and replaced with other values by
2741         the time we call down to gatherFromCurrentThread().
2742
2743         Now we get the register contents at the same place that we demarcate the current top of
2744         stack using the address of a local variable, in Heap::markRoots().  The register contents
2745         buffer is passed along with the demarcation pointer.  These need to be done at this level 
2746         in the call tree and no lower, as markRoots() calls various functions that visit object
2747         pointers that may be later proven dead.  Any of those pointers that are left on the
2748         stack or in registers could be incorrectly marked as live if we scan the stack contents
2749         from a called function or one of its callees.  The stack demarcation pointer and register
2750         saving need to be done in the same function so that we have a consistent stack, active
2751         and spilled registers.
2752
2753         Because we don't want to make unnecessary calls to get the register contents, we use
2754         a macro to allocate, and possibly align, the register structure and get the actual
2755         register contents.
2756
2757
2758         * heap/Heap.cpp:
2759         (JSC::Heap::markRoots):
2760         (JSC::Heap::gatherStackRoots):
2761         * heap/Heap.h:
2762         * heap/MachineStackMarker.cpp:
2763         (JSC::MachineThreads::gatherFromCurrentThread):
2764         (JSC::MachineThreads::gatherConservativeRoots):
2765         * heap/MachineStackMarker.h:
2766
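        The ordering rule this entry describes (take the register snapshot and the stack-top
        marker in the same frame, never in a callee), shown as an added example in C. This is
        not WebKit's code: the cell arena, the g_stack_base global, the function names and the
        noinline/no_sanitize_address attributes are assumptions made for the illustration, and
        setjmp stands in for JSC's register-capture macro.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy heap for the example: a fixed arena of cells, one mark bit per cell. */
#define CELL_COUNT 16
static uintptr_t g_cells[CELL_COUNT];
static int g_marked[CELL_COUNT];

/* Base of the stack region to scan, recorded by an outer frame the way a thread's
   stack origin would be (assumption of the example). */
static const void *g_stack_base;

/* Map a word to the arena cell it points into, or -1 if it is not an arena pointer. */
static int cell_index_for(uintptr_t word)
{
    uintptr_t lo = (uintptr_t)&g_cells[0];
    uintptr_t hi = (uintptr_t)&g_cells[CELL_COUNT];
    if (word < lo || word >= hi)
        return -1;
    return (int)((word - lo) / sizeof(uintptr_t));
}

/* Conservatively treat every aligned word in [lo, hi) as a possible pointer and mark
   the cells found. It reads other frames' stack memory on purpose, so ASan's stack
   redzones must not apply to it. Returns the number of cells newly marked. */
__attribute__((noinline, no_sanitize_address))
static size_t scan_range(const void *lo, const void *hi)
{
    size_t newly_marked = 0;
    uintptr_t first = (uintptr_t)lo & ~(uintptr_t)(sizeof(uintptr_t) - 1);
    for (uintptr_t at = first; at + sizeof(uintptr_t) <= (uintptr_t)hi; at += sizeof(uintptr_t)) {
        int i = cell_index_for(*(const uintptr_t *)at);
        if (i >= 0 && !g_marked[i]) {
            g_marked[i] = 1;
            ++newly_marked;
        }
    }
    return newly_marked;
}

/* The point of the entry: the register snapshot and the stack-top marker are taken in
   this one frame. If a callee took the snapshot instead, callee-saved registers could
   already have been spilled and reused by the time setjmp ran. */
__attribute__((noinline))
static size_t mark_roots(void)
{
    jmp_buf registers;                 /* setjmp writes the callee-saved registers here */
    volatile int stack_top_marker = 0; /* a local's address demarcates the stack top */

    if (setjmp(registers) != 0)
        return 0;                      /* nobody longjmps here; keeps the call well-formed */

    uintptr_t top = (uintptr_t)&stack_top_marker;
    uintptr_t base = (uintptr_t)g_stack_base;
    const void *lo = (const void *)(top < base ? top : base);
    const void *hi = (const void *)(top < base ? base : top);

    /* Registers first, then the stack between the marker and the recorded base. */
    size_t found = scan_range(&registers, (const char *)&registers + sizeof registers);
    found += scan_range(lo, hi);
    return found;
}

/* A frame holding a live cell pointer across the collection, like the JSArray* "keys"
   in objectConstructorKeys(). 'volatile' pins it to a stack slot so the demo is
   deterministic; a real root may live only in a callee-saved register, which is
   exactly what the register snapshot above is for. Returns 1 if the cell was marked. */
__attribute__((noinline))
static int hold_root_and_collect(int cell)
{
    uintptr_t *volatile root = &g_cells[cell];
    mark_roots();
    *root = 1;                         /* keep the root in use after the collection */
    return g_marked[cell];
}

/* Entry point: record the stack base in an outer frame so the holder's frame lies
   inside the scanned range, clear the marks, then collect. */
__attribute__((noinline))
static int gc_keeps_root_alive(int cell)
{
    int base_marker = 0;
    g_stack_base = &base_marker;
    memset(g_marked, 0, sizeof g_marked);
    return hold_root_and_collect(cell);
}

/* Sanity check: a cell no frame points at stays unmarked. */
static int gc_marks_unreferenced_cell(int referenced, int unreferenced)
{
    gc_keeps_root_alive(referenced);
    return g_marked[unreferenced];
}
```

        Because the scan is conservative, a stale pointer left on the stack by an earlier call
        can keep a cell marked; that is expected behaviour for this kind of collector, which is
        why the checks below look at the cell that was deliberately held rather than at the total.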
2767 2015-01-12  Benjamin Poulain  <benjamin@webkit.org>
2768
2769         Add basic pattern matching support to the url filters
2770         https://bugs.webkit.org/show_bug.cgi?id=140283
2771
2772         Reviewed by Andreas Kling.
2773
2774         * JavaScriptCore.xcodeproj/project.pbxproj:
2775         Make YarrParser.h private in order to use it from WebCore.
2776
2777 2015-01-12  Geoffrey Garen  <ggaren@apple.com>
2778
2779         Out of bounds read in IdentifierArena::makeIdentifier
2780         https://bugs.webkit.org/show_bug.cgi?id=140376
2781
2782         Patch by Alexey Proskuryakov.
2783
2784         Reviewed and ChangeLogged by Geoffrey Garen.
2785
2786         No test, since this is a small past-the-end read, which is very
2787         difficult to turn into a reproducible failing test -- and existing tests
2788         crash reliably using ASan.
2789
2790         * parser/ParserArena.h:
2791         (JSC::IdentifierArena::makeIdentifier):
2792         (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
2793         zero-length string input, like we do in the literal parser, since it is
2794         not valid to dereference characters in a zero-length string.
2795
2796         A zero-length string is allowed in JavaScript -- for example, "".
2797
2798 2015-01-11  Sam Weinig  <sam@webkit.org>
2799
2800         Remove support for SharedWorkers
2801         https://bugs.webkit.org/show_bug.cgi?id=140344
2802
2803         Reviewed by Anders Carlsson.
2804
2805         * Configurations/FeatureDefines.xcconfig:
2806
2807 2015-01-12  Myles C. Maxfield  <mmaxfield@apple.com>
2808
2809         Allow targeting the SVG->OTF font converter with ENABLE(SVG_OTF_CONVERTER)
2810         https://bugs.webkit.org/show_bug.cgi?id=136769
2811
2812         Reviewed by Antti Koivisto.
2813
2814         * Configurations/FeatureDefines.xcconfig:
2815
2816 2015-01-12  Commit Queue  <commit-queue@webkit.org>
2817
2818         Unreviewed, rolling out r178266.
2819         https://bugs.webkit.org/show_bug.cgi?id=140363
2820
2821         Broke a JSC test (Requested by ap on #webkit).
2822
2823         Reverted changeset:
2824
2825         "Local JSArray* "keys" in objectConstructorKeys() is not
2826         marked during garbage collection"
2827         https://bugs.webkit.org/show_bug.cgi?id=140348
2828         http://trac.webkit.org/changeset/178266
2829
2830 2015-01-12  Michael Saboff  <msaboff@apple.com>
2831
2832         Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
2833         https://bugs.webkit.org/show_bug.cgi?id=140348
2834
2835         Reviewed by Mark Lam.
2836
2837         Move the address of the local variable that is used to demarcate the top of the stack for 
2838         conservative roots down to MachineThreads::gatherFromCurrentThread() since it also gets
2839         the register values using setjmp().  That way we don't lose any callee save register
2840         contents between Heap::markRoots(), where it was set, and gatherFromCurrentThread().
2841         If we lose any JSObject* that are only in callee save registers, they will be GC'ed
2842         erroneously.
2843
2844         * heap/Heap.cpp:
2845         (JSC::Heap::markRoots):
2846         (JSC::Heap::gatherStackRoots):
2847         * heap/Heap.h:
2848         * heap/MachineStackMarker.cpp:
2849         (JSC::MachineThreads::gatherFromCurrentThread):
2850         (JSC::MachineThreads::gatherConservativeRoots):
2851         * heap/MachineStackMarker.h:
2852
2853 2015-01-11  Eric Carlson  <eric.carlson@apple.com>
2854
2855         Fix typo in testapi.c error messages
2856         https://bugs.webkit.org/show_bug.cgi?id=140305
2857
2858         Reviewed by Geoffrey Garen.
2859
2860         * API/tests/testapi.c:
2861         (main): "... script did not timed out ..." -> "... script did not time out ..."
2862
2863 2015-01-09  Michael Saboff  <msaboff@apple.com>
2864
2865         Breakpoint doesn't fire in this HTML5 game
2866         https://bugs.webkit.org/show_bug.cgi?id=140269
2867
2868         Reviewed by Mark Lam.
2869
2870         When parsing a single line cached function, use the lineStartOffset of the
2871         location where we found the cached function instead of the cached lineStartOffset.
2872         The cache location's lineStartOffset has not been adjusted for any possible
2873         containing functions.
2874
2875         This change is not needed for multi-line cached functions.  Consider the
2876         single line source:
2877
2878         function outer(){function inner1(){doStuff();}; (function inner2() {doMoreStuff()})()}
2879
2880         On the first parser pass, we parse and cache inner1() and inner2() with a lineStartOffset
2881         of 0.  Later, when we parse outer() and find inner1() in the cache, the SourceCode start
2882         character is at outer()'s outermost open brace.  That is what we should use for
2883         lineStartOffset for inner1().  When done parsing inner1() we set the parsing token
2884         to the saved location for inner1(), including the lineStartOffset of 0.  We need
2885         to use the value of lineStartOffset before we started parsing inner1().  That is
2886         what the fix does.  When we parse inner2() the lineStartOffset will be correct.
2887
2888         For a multi-line function, the close brace is guaranteed to be on a different line
2889         than the open brace.  Hence, its lineStartOffset will not change with the change of
2890         the SourceCode start character.
2891
2892         * parser/Parser.cpp:
2893         (JSC::Parser<LexerType>::parseFunctionInfo):
2894
2895 2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>
2896
2897         Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint
2898         https://bugs.webkit.org/show_bug.cgi?id=140279
2899         rdar://problem/19422299
2900
2901         Reviewed by Oliver Hunt.
2902
2903         * runtime/MapData.cpp:
2904         (JSC::MapData::replaceAndPackBackingStore):
2905         The cell table also needs to have its values fixed.
2906
2907 2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>
2908
2909         Web Inspector: Remove or use TimelineAgent Resource related event types
2910         https://bugs.webkit.org/show_bug.cgi?id=140155
2911
2912         Reviewed by Timothy Hatcher.
2913
2914         Remove unused / stale Timeline event types.
2915
2916         * inspector/protocol/Timeline.json:
2917
2918 2015-01-09  Csaba Osztrogonác  <ossy@webkit.org>
2919
2920         REGRESSION(r177925): It broke the !ENABLE(INSPECTOR) build
2921         https://bugs.webkit.org/show_bug.cgi?id=140098
2922
2923         Reviewed by Brian Burg.
2924
2925         * inspector/InspectorBackendDispatcher.h: Missing ENABLE(INSPECTOR) guard added.
2926
2927 2015-01-08  Mark Lam  <mark.lam@apple.com>
2928
2929         Argument object created by "Function dot arguments" should use a clone of the argument values.
2930         <https://webkit.org/b/140093>
2931
2932         Reviewed by Geoffrey Garen.
2933
2934         After the change in <https://webkit.org/b/139827>, the dfg-tear-off-arguments-not-activation.js
2935         test will crash.  The relevant code which manifests the issue is as follows:
2936
2937             function bar() {
2938                 return foo.arguments;
2939             }
2940
2941             function foo(p) {
2942                 var x = 42;
2943                 if (p)
2944                     return (function() { return x; });
2945                 else
2946                     return bar();
2947             }
2948
2949         In this case, foo() has no knowledge of bar() needing its LexicalEnvironment and
2950         has dead code eliminated the SetLocal that stores it into its designated local.
2951         In bar(), the factory for the Arguments object (for creating foo.arguments) tries
2952         to read foo's LexicalEnvironment from its designated lexicalEnvironment local,
2953         but instead, finds it to be uninitialized.  This results in a null pointer access
2954         which causes a crash.
2955
2956         This can be resolved by having bar() instantiate a clone of the Arguments object
2957         instead, and populate its elements with values fetched directly from foo's frame.
2958         There's no need to reference foo's LexicalEnvironment (whether present or not).
2959
2960         * interpreter/StackVisitor.cpp:
2961         (JSC::StackVisitor::Frame::createArguments):
2962         * runtime/Arguments.h:
2963         (JSC::Arguments::finishCreation):
2964
2965 2015-01-08  Mark Lam  <mark.lam@apple.com>
2966
2967         Make the LLINT and Baseline JIT's op_create_arguments and op_get_argument_by_val use their lexicalEnvironment operand.
2968         <https://webkit.org/b/140236>
2969
2970         Reviewed by Geoffrey Garen.
2971
2972         Will change the DFG to use the operand on a subsequent pass.  For now,
2973         the DFG uses a temporary thunk (operationCreateArgumentsForDFG()) to
2974         retain the old behavior of getting the lexicalEnvironment from the
2975         ExecState.
2976
2977         * bytecompiler/BytecodeGenerator.cpp:
2978         (JSC::BytecodeGenerator::BytecodeGenerator):
2979         (JSC::BytecodeGenerator::emitGetArgumentByVal):
2980         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2981         - When the lexicalEnvironment is not available, pass the invalid VirtualRegister
2982           instead of an empty JSValue as the lexicalEnvironment operand.
2983
2984         * dfg/DFGOperations.cpp:
2985         - Use the lexicalEnvironment from the ExecState for now.
2986
2987         * dfg/DFGSpeculativeJIT32_64.cpp:
2988         (JSC::DFG::SpeculativeJIT::compile):
2989         * dfg/DFGSpeculativeJIT64.cpp:
2990         (JSC::DFG::SpeculativeJIT::compile):
2991         - Use the operationCreateArgumentsForDFG() thunk for now.
2992
2993         * interpreter/CallFrame.cpp:
2994         (JSC::CallFrame::lexicalEnvironmentOrNullptr):
2995         * interpreter/CallFrame.h:
2996         - Added this convenience function to return either the
2997           lexicalEnvironment or a nullptr so that we don't need to do a
2998           conditional check on codeBlock->needsActivation() at multiple sites.
2999
3000         * interpreter/StackVisitor.cpp:
3001         (JSC::StackVisitor::Frame::createArguments):
3002         * jit/JIT.h:
3003         * jit/JITInlines.h:
3004         (JSC::JIT::callOperation):
3005         * jit/JITOpcodes.cpp:
3006         (JSC::JIT::emit_op_create_arguments):
3007         (JSC::JIT::emitSlow_op_get_argument_by_val):
3008         * jit/JITOpcodes32_64.cpp:
3009         (JSC::JIT::emit_op_create_arguments):
3010         (JSC::JIT::emitSlow_op_get_argument_by_val):
3011         * jit/JITOperations.cpp:
3012         * jit/JITOperations.h:
3013         * llint/LLIntSlowPaths.cpp:
3014         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3015         * runtime/Arguments.h:
3016         (JSC::Arguments::create):
3017         (JSC::Arguments::finishCreation):
3018         * runtime/CommonSlowPaths.cpp:
3019         (JSC::SLOW_PATH_DECL):
3020         * runtime/JSLexicalEnvironment.cpp:
3021         (JSC::JSLexicalEnvironment::argumentsGetter):
3022
3023 2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>
3024
3025         Web Inspector: Pause Reason Improvements (Breakpoint, Debugger Statement, Pause on Next Statement)
3026         https://bugs.webkit.org/show_bug.cgi?id=138991
3027
3028         Reviewed by Timothy Hatcher.
3029
3030         * debugger/Debugger.cpp:
3031         (JSC::Debugger::Debugger):
3032         (JSC::Debugger::pauseIfNeeded):
3033         (JSC::Debugger::didReachBreakpoint):
3034         When actually pausing, if we hit a breakpoint ensure the reason
3035         is PausedForBreakpoint, otherwise use the current reason.
3036
3037         * debugger/Debugger.h:
3038         Make pause reason and pausing breakpoint ID public.
3039
3040         * inspector/agents/InspectorDebuggerAgent.h:
3041         * inspector/agents/InspectorDebuggerAgent.cpp:
3042         (Inspector::buildAssertPauseReason):
3043         (Inspector::buildCSPViolationPauseReason):
3044         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
3045         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
3046         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
3047         (Inspector::buildObjectForBreakpointCookie):
3048         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3049         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
3050         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3051         (Inspector::InspectorDebuggerAgent::pause):
3052         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
3053         (Inspector::InspectorDebuggerAgent::currentCallFrames):
3054         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
3055         Clean up creation of pause reason objects and other cleanup
3056         of PassRefPtr use and InjectedScript use.
3057
3058         (Inspector::InspectorDebuggerAgent::didPause):
3059         Clean up so that we first check for an Exception, and then fall
3060         back to including a Pause Reason derived from the Debugger.
3061
3062         * inspector/protocol/Debugger.json:
3063         Add new DebuggerStatement, Breakpoint, and PauseOnNextStatement reasons.
3064
3065 2015-01-08  Joseph Pecoraro  <pecoraro@apple.com>
3066
3067         Web Inspector: Type check that NSArrays in ObjC Interfaces have the right object types
3068         https://bugs.webkit.org/show_bug.cgi?id=140209
3069
3070         Reviewed by Timothy Hatcher.
3071
3072         Check the types of objects in NSArrays for all interfaces (commands, events, types)
3073         when the user can set an array of objects. Previously we were only type checking
3074         that they were RWIJSONObjects; now we add an explicit check for the exact object type.
3075
3076         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3077         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3078         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3079         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3080         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3081         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
3082         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
3083         * inspector/scripts/codegen/objc_generator.py:
3084         (ObjCGenerator.objc_class_for_array_type):
3085         (ObjCGenerator):
3086
3087 2015-01-07  Mark Lam  <mark.lam@apple.com>
3088
3089         Add the lexicalEnvironment as an operand to op_get_argument_by_val.
3090         <https://webkit.org/b/140233>
3091
3092         Reviewed by Filip Pizlo.
3093
3094         This patch only adds the operand to the bytecode.  It is not in use yet.
3095
3096         * bytecode/BytecodeList.json:
3097         * bytecode/BytecodeUseDef.h:
3098         (JSC::computeUsesForBytecodeOffset):
3099         * bytecode/CodeBlock.cpp:
3100         (JSC::CodeBlock::dumpBytecode):
3101         * bytecompiler/BytecodeGenerator.cpp:
3102         (JSC::BytecodeGenerator::emitGetArgumentByVal):
3103         * llint/LowLevelInterpreter32_64.asm:
3104         * llint/LowLevelInterpreter64.asm:
3105
3106 2015-01-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3107
3108         Investigate the character type of repeated string instead of checking is8Bit flag
3109         https://bugs.webkit.org/show_bug.cgi?id=140139
3110
3111         Reviewed by Darin Adler.
3112
3113         Instead of checking the is8Bit flag of the repeated string, investigate
3114         the actual value of the repeated character, since the is8Bit flag gives a false negative case.
3115
3116         * runtime/StringPrototype.cpp:
3117         (JSC::repeatCharacter):
3118         (JSC::stringProtoFuncRepeat):
3119         (JSC::repeatSmallString): Deleted.
3120
3121 2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>
3122
3123         Web Inspector: ObjC Generate types from the GenericTypes domain
3124         https://bugs.webkit.org/show_bug.cgi?id=140229
3125
3126         Reviewed by Timothy Hatcher.
3127
3128         Generate types from the GenericTypes domain, as they are expected
3129         by other domains (like the Page domain). Also, don't include the @protocol
3130         forward declaration for a domain if it doesn't have any commands.
3131
3132         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
3133         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
3134         (ObjCBackendDispatcherHeaderGenerator): Deleted.
3135         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations_for_domains): Deleted.
3136         * inspector/scripts/codegen/objc_generator.py:
3137         (ObjCGenerator):
3138         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3139         * inspector/scripts/tests/expected/enum-values.json-result:
3140         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3141         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3142         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3143         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3144         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3145         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3146         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3147         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3148         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3149
3150 2015-01-07  Joseph Pecoraro  <pecoraro@apple.com>
3151
3152         Web Inspector: Remove unnecessary copyRef for paramsObject in generated dispatchers
3153         https://bugs.webkit.org/show_bug.cgi?id=140228
3154
3155         Reviewed by Timothy Hatcher.
3156
3157         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3158         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3159         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3160         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3161         * inspector/scripts/tests/expected/enum-values.json-result:
3162         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3163
3164 2015-01-07  Saam Barati  <saambarati1@gmail.com>
3165
3166         interpret op_profile_type in the LLInt instead of unconditionally calling into the slow path
3167         https://bugs.webkit.org/show_bug.cgi?id=140165
3168
3169         Reviewed by Michael Saboff.
3170
3171         Inlining the functionality of TypeProfilerLog::recordTypeInformationForLocation
3172         into the LLInt speeds up type profiling.
3173
3174         * llint/LLIntOffsetsExtractor.cpp:
3175         * llint/LowLevelInterpreter.asm:
3176         * llint/LowLevelInterpreter32_64.asm:
3177         * llint/LowLevelInterpreter64.asm:
3178         * runtime/CommonSlowPaths.cpp:
3179         (JSC::SLOW_PATH_DECL):
3180         * runtime/CommonSlowPaths.h:
3181         * runtime/TypeProfilerLog.h:
3182         (JSC::TypeProfilerLog::recordTypeInformationForLocation): Deleted.
3183
3184 2015-01-07  Brian J. Burg  <burg@cs.washington.edu>
3185
3186         Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
3187         https://bugs.webkit.org/show_bug.cgi?id=140053
3188
3189         Reviewed by Andreas Kling.
3190
3191         This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
3192         related to Web Inspector. It also converts many uses of RefPtr to Ref where
3193         references are always non-null. These two refactorings have been combined since
3194         they tend to require similar changes to the code.
3195
3196         Creation methods for subclasses of InspectorValue now return a Ref, and callsites
3197         have been updated to take a Ref instead of RefPtr.
3198
3199         Builders for typed protocol objects now return a Ref. Since there is no implicit
3200         call to operator&, callsites now must explicitly call .release() to convert a
3201         builder object into the corresponding protocol object once required fields are set.
3202         Update callsites and use auto to eliminate repetition of long-winded protocol types.
3203
3204         Tests for inspector protocol and replay inputs have been rebaselined.
3205
3206         * bindings/ScriptValue.cpp:
3207         (Deprecated::jsToInspectorValue):
3208         (Deprecated::ScriptValue::toInspectorValue):
3209         * bindings/ScriptValue.h:
3210         * inspector/ConsoleMessage.cpp:
3211         (Inspector::ConsoleMessage::addToFrontend):
3212         * inspector/ContentSearchUtilities.cpp:
3213         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
3214         (Inspector::ContentSearchUtilities::searchInTextByLines):
3215         * inspector/ContentSearchUtilities.h:
3216         * inspector/InjectedScript.cpp:
3217         (Inspector::InjectedScript::getFunctionDetails):
3218         (Inspector::InjectedScript::getProperties):
3219         (Inspector::InjectedScript::getInternalProperties):
3220         (Inspector::InjectedScript::wrapCallFrames):
3221         (Inspector::InjectedScript::wrapObject):
3222         (Inspector::InjectedScript::wrapTable):
3223         * inspector/InjectedScript.h:
3224         * inspector/InjectedScriptBase.cpp:
3225         (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits.
3226         * inspector/InspectorBackendDispatcher.cpp:
3227         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase):
3228         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive):
3229         (Inspector::InspectorBackendDispatcher::create):
3230         (Inspector::InspectorBackendDispatcher::dispatch):
3231         (Inspector::InspectorBackendDispatcher::sendResponse):
3232         (Inspector::InspectorBackendDispatcher::reportProtocolError):
3233         (Inspector::getPropertyValue): Add a comment to clarify what this clever code does.
3234         (Inspector::InspectorBackendDispatcher::getInteger):
3235         (Inspector::InspectorBackendDispatcher::getDouble):
3236         (Inspector::InspectorBackendDispatcher::getString):
3237         (Inspector::InspectorBackendDispatcher::getBoolean):
3238         (Inspector::InspectorBackendDispatcher::getObject):
3239         (Inspector::InspectorBackendDispatcher::getArray):
3240         (Inspector::InspectorBackendDispatcher::getValue):
3241         * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect
3242         protocol error strings.
3243         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
3244         Convert the supplemental dispatcher's reference to Ref since it is never null.
3245         * inspector/InspectorEnvironment.h:
3246         * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and
3247         StructItemTraits. Add more versions of addItem to handle pushing various types.
3248         (Inspector::Protocol::Array::openAccessors):
3249         (Inspector::Protocol::Array::addItem):
3250         (Inspector::Protocol::Array::create):
3251         (Inspector::Protocol::StructItemTraits::push):
3252         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument.
3253         (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted.
3254         (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted.
3255         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted.
3256         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted.
3257         (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted.
3258         (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted.
3259         (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted.
3260         (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted.
3261         (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted.
3262         * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have
3263         the same call signature as other getters. Use Ref where possible.
3264         (Inspector::InspectorObjectBase::getBoolean):
3265         (Inspector::InspectorObjectBase::getString):
3266         (Inspector::InspectorObjectBase::getObject):
3267         (Inspector::InspectorObjectBase::getArray):
3268         (Inspector::InspectorObjectBase::getValue):
3269         (Inspector::InspectorObjectBase::writeJSON):
3270         (Inspector::InspectorArrayBase::get):
3271         (Inspector::InspectorObject::create):
3272         (Inspector::InspectorArray::create):
3273         (Inspector::InspectorValue::null):
3274         (Inspector::InspectorString::create):
3275         (Inspector::InspectorBasicValue::create):
3276         (Inspector::InspectorObjectBase::get): Deleted.
3277         * inspector/InspectorValues.h:
3278         (Inspector::InspectorObjectBase::setValue):
3279         (Inspector::InspectorObjectBase::setObject):
3280         (Inspector::InspectorObjectBase::setArray):
3281         (Inspector::InspectorArrayBase::pushValue):
3282         (Inspector::InspectorArrayBase::pushObject):
3283         (Inspector::InspectorArrayBase::pushArray):
3284         * inspector/JSGlobalObjectConsoleClient.cpp:
3285         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3286         (Inspector::JSGlobalObjectConsoleClient::count):
3287         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
3288         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
3289         * inspector/JSGlobalObjectConsoleClient.h:
3290         * inspector/JSGlobalObjectInspectorController.cpp:
3291         (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
3292         * inspector/JSGlobalObjectInspectorController.h:
3293         * inspector/ScriptCallFrame.cpp:
3294         (Inspector::ScriptCallFrame::buildInspectorObject):
3295         * inspector/ScriptCallFrame.h:
3296         * inspector/ScriptCallStack.cpp:
3297         (Inspector::ScriptCallStack::create):
3298         (Inspector::ScriptCallStack::buildInspectorArray):
3299         * inspector/ScriptCallStack.h:
3300         * inspector/agents/InspectorAgent.cpp:
3301         (Inspector::InspectorAgent::enable):
3302         (Inspector::InspectorAgent::inspect):
3303         (Inspector::InspectorAgent::activateExtraDomain):
3304         * inspector/agents/InspectorAgent.h:
3305         * inspector/agents/InspectorDebuggerAgent.cpp:
3306         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
3307         (Inspector::buildObjectForBreakpointCookie):
3308         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3309         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3310         (Inspector::InspectorDebuggerAgent::continueToLocation):
3311         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3312         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3313         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
3314         (Inspector::InspectorDebuggerAgent::currentCallFrames):
3315         (Inspector::InspectorDebuggerAgent::didParseSource):
3316         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
3317         (Inspector::InspectorDebuggerAgent::breakProgram):
3318         * inspector/agents/InspectorDebuggerAgent.h:
3319         * inspector/agents/InspectorRuntimeAgent.cpp:
3320         (Inspector::buildErrorRangeObject):
3321         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3322         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3323         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3324         * inspector/agents/InspectorRuntimeAgent.h:
3325         * inspector/scripts/codegen/cpp_generator.py:
3326         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
3327         (CppGenerator.cpp_type_for_type_with_name):
3328         (CppGenerator.cpp_type_for_formal_async_parameter):
3329         (CppGenerator.should_use_references_for_type):
3330         (CppGenerator):
3331         * inspector/scripts/codegen/cpp_generator_templates.py:
3332         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3333         (CppBackendDispatcherHeaderGenerator.generate_output):
3334         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
3335         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3336         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
3337         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3338         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3339         (CppFrontendDispatcherHeaderGenerator.generate_output):
3340         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3341         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3342         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3343         (CppProtocolTypesHeaderGenerator.generate_output):
3344         (_generate_class_for_object_declaration):
3345         (_generate_unchecked_setter_for_member):
3346         (_generate_forward_declarations_for_binding_traits):
3347         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3348         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3349         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3350         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3351         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3352         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3353         (ObjCProtocolTypesImplementationGenerator.generate_output):
3354         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3355         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3356         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3357         * inspector/scripts/tests/expected/enum-values.json-result:
3358         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3359         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3360         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3361         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3362         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3363         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3364         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3365         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3366         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3367         * replay/EncodedValue.cpp:
3368         (JSC::EncodedValue::asObject):
3369         (JSC::EncodedValue::asArray):
3370         (JSC::EncodedValue::put<EncodedValue>):
3371         (JSC::EncodedValue::append<EncodedValue>):
3372         (JSC::EncodedValue::get<EncodedValue>):
3373         * replay/EncodedValue.h:
3374         * replay/scripts/CodeGeneratorReplayInputs.py:
3375         (Type.borrow_type):
3376         (Type.argument_type):
3377         (Generator.generate_member_move_expression):
3378         * runtime/ConsoleClient.cpp:
3379         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3380         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
3381         (JSC::ConsoleClient::logWithLevel):
3382         (JSC::ConsoleClient::clear):
3383         (JSC::ConsoleClient::dir):
3384         (JSC::ConsoleClient::dirXML):
3385         (JSC::ConsoleClient::table):
3386         (JSC::ConsoleClient::trace):
3387         (JSC::ConsoleClient::assertCondition):
3388         (JSC::ConsoleClient::group):
3389         (JSC::ConsoleClient::groupCollapsed):
3390         (JSC::ConsoleClient::groupEnd):
3391         * runtime/ConsoleClient.h:
3392         * runtime/TypeSet.cpp:
3393         (JSC::TypeSet::allStructureRepresentations):
3394         (JSC::TypeSet::inspectorTypeSet):
3395         (JSC::StructureShape::inspectorRepresentation):
3396         * runtime/TypeSet.h:
3397
3398 2015-01-07  Commit Queue  <commit-queue@webkit.org>
3399
3400         Unreviewed, rolling out r178039.
3401         https://bugs.webkit.org/show_bug.cgi?id=140187
3402
3403         Breaks ObjC Inspector Protocol (Requested by JoePeck on
3404         #webkit).
3405
3406         Reverted changeset:
3407
3408         "Web Inspector: purge PassRefPtr from Inspector code and use
3409         Ref for typed and untyped protocol objects"
3410         https://bugs.webkit.org/show_bug.cgi?id=140053
3411         http://trac.webkit.org/changeset/178039
3412
3413 2015-01-06  Brian J. Burg  <burg@cs.washington.edu>
3414
3415         Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
3416         https://bugs.webkit.org/show_bug.cgi?id=140053
3417
3418         Reviewed by Andreas Kling.
3419
3420         This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
3421         related to Web Inspector. It also converts many uses of RefPtr to Ref where
3422         references are always non-null. These two refactorings have been combined since
3423         they tend to require similar changes to the code.
3424
3425         Creation methods for subclasses of InspectorValue now return a Ref, and callsites
3426         have been updated to take a Ref instead of RefPtr.
3427
3428         Builders for typed protocol objects now return a Ref. Since there is no implicit
3429         call to operator&, callsites now must explicitly call .release() to convert a
3430         builder object into the corresponding protocol object once required fields are set.
3431         Update callsites and use auto to eliminate repetition of longwinded protocol types.
3432
3433         Tests for inspector protocol and replay inputs have been rebaselined.
3434
3435         * bindings/ScriptValue.cpp:
3436         (Deprecated::jsToInspectorValue):
3437         (Deprecated::ScriptValue::toInspectorValue):
3438         * bindings/ScriptValue.h:
3439         * inspector/ConsoleMessage.cpp:
3440         (Inspector::ConsoleMessage::addToFrontend):
3441         * inspector/ContentSearchUtilities.cpp:
3442         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
3443         (Inspector::ContentSearchUtilities::searchInTextByLines):
3444         * inspector/ContentSearchUtilities.h:
3445         * inspector/InjectedScript.cpp:
3446         (Inspector::InjectedScript::getFunctionDetails):
3447         (Inspector::InjectedScript::getProperties):
3448         (Inspector::InjectedScript::getInternalProperties):
3449         (Inspector::InjectedScript::wrapCallFrames):
3450         (Inspector::InjectedScript::wrapObject):
3451         (Inspector::InjectedScript::wrapTable):
3452         * inspector/InjectedScript.h:
3453         * inspector/InjectedScriptBase.cpp:
3454         (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits.
3455         * inspector/InspectorBackendDispatcher.cpp:
3456         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase):
3457         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive):
3458         (Inspector::InspectorBackendDispatcher::create):
3459         (Inspector::InspectorBackendDispatcher::dispatch):
3460         (Inspector::InspectorBackendDispatcher::sendResponse):
3461         (Inspector::InspectorBackendDispatcher::reportProtocolError):
3462         (Inspector::getPropertyValue): Add a comment to clarify what this clever code does.
3463         (Inspector::InspectorBackendDispatcher::getInteger):
3464         (Inspector::InspectorBackendDispatcher::getDouble):
3465         (Inspector::InspectorBackendDispatcher::getString):
3466         (Inspector::InspectorBackendDispatcher::getBoolean):
3467         (Inspector::InspectorBackendDispatcher::getObject):
3468         (Inspector::InspectorBackendDispatcher::getArray):
3469         (Inspector::InspectorBackendDispatcher::getValue):
3470         * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect
3471         protocol error strings.
3472         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
3473         Convert the supplemental dispatcher's reference to Ref since it is never null.
3474         * inspector/InspectorEnvironment.h:
3475         * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and
3476         StructItemTraits. Add more versions of addItem to handle pushing various types.
3477         (Inspector::Protocol::Array::openAccessors):
3478         (Inspector::Protocol::Array::addItem):
3479         (Inspector::Protocol::Array::create):
3480         (Inspector::Protocol::StructItemTraits::push):
3481         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument.
3482         (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted.
3483         (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted.
3484         (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted.
3485         (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted.
3486         (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted.
3487         (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted.
3488         (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted.
3489         (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted.
3490         (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted.
3491         * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have
3492         the same call signature as other getters. Use Ref where possible.
3493         (Inspector::InspectorObjectBase::getBoolean):
3494         (Inspector::InspectorObjectBase::getString):
3495         (Inspector::InspectorObjectBase::getObject):
3496         (Inspector::InspectorObjectBase::getArray):
3497         (Inspector::InspectorObjectBase::getValue):
3498         (Inspector::InspectorObjectBase::writeJSON):
3499         (Inspector::InspectorArrayBase::get):
3500         (Inspector::InspectorObject::create):
3501         (Inspector::InspectorArray::create):
3502         (Inspector::InspectorValue::null):
3503         (Inspector::InspectorString::create):
3504         (Inspector::InspectorBasicValue::create):
3505         (Inspector::InspectorObjectBase::get): Deleted.
3506         * inspector/InspectorValues.h:
3507         (Inspector::InspectorObjectBase::setValue):
3508         (Inspector::InspectorObjectBase::setObject):
3509         (Inspector::InspectorObjectBase::setArray):
3510         (Inspector::InspectorArrayBase::pushValue):
3511         (Inspector::InspectorArrayBase::pushObject):
3512         (Inspector::InspectorArrayBase::pushArray):
3513         * inspector/JSGlobalObjectConsoleClient.cpp:
3514         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3515         (Inspector::JSGlobalObjectConsoleClient::count):
3516         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
3517         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
3518         * inspector/JSGlobalObjectConsoleClient.h:
3519         * inspector/JSGlobalObjectInspectorController.cpp:
3520         (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
3521         * inspector/JSGlobalObjectInspectorController.h:
3522         * inspector/ScriptCallFrame.cpp:
3523         (Inspector::ScriptCallFrame::buildInspectorObject):
3524         * inspector/ScriptCallFrame.h:
3525         * inspector/ScriptCallStack.cpp:
3526         (Inspector::ScriptCallStack::create):
3527         (Inspector::ScriptCallStack::buildInspectorArray):
3528         * inspector/ScriptCallStack.h:
3529         * inspector/agents/InspectorAgent.cpp:
3530         (Inspector::InspectorAgent::enable):
3531         (Inspector::InspectorAgent::inspect):
3532         (Inspector::InspectorAgent::activateExtraDomain):
3533         * inspector/agents/InspectorAgent.h:
3534         * inspector/agents/InspectorDebuggerAgent.cpp:
3535         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
3536         (Inspector::buildObjectForBreakpointCookie):
3537         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3538         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3539         (Inspector::InspectorDebuggerAgent::continueToLocation):
3540         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3541         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3542         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
3543         (Inspector::InspectorDebuggerAgent::currentCallFrames):
3544         (Inspector::InspectorDebuggerAgent::didParseSource):
3545         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
3546         (Inspector::InspectorDebuggerAgent::breakProgram):
3547         * inspector/agents/InspectorDebuggerAgent.h:
3548         * inspector/agents/InspectorRuntimeAgent.cpp:
3549         (Inspector::buildErrorRangeObject):
3550         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3551         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3552         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3553         * inspector/agents/InspectorRuntimeAgent.h:
3554         * inspector/scripts/codegen/cpp_generator.py:
3555         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
3556         (CppGenerator.cpp_type_for_type_with_name):
3557         (CppGenerator.cpp_type_for_formal_async_parameter):
3558         (CppGenerator.should_use_references_for_type):
3559         (CppGenerator):
3560         * inspector/scripts/codegen/cpp_generator_templates.py:
3561         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3562         (CppBackendDispatcherHeaderGenerator.generate_output):
3563         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
3564         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3565         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
3566         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3567         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3568         (CppFrontendDispatcherHeaderGenerator.generate_output):
3569         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3570         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3571         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3572         (CppProtocolTypesHeaderGenerator.generate_output):
3573         (_generate_class_for_object_declaration):
3574         (_generate_unchecked_setter_for_member):
3575         (_generate_forward_declarations_for_binding_traits):
3576         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3577         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3578         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3579         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3580         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3581         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3582         (ObjCProtocolTypesImplementationGenerator.generate_output):
3583         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3584         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3585         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3586         * inspector/scripts/tests/expected/enum-values.json-result:
3587         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3588         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3589         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3590         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3591         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3592         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3593         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3594         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3595         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3596         * replay/EncodedValue.cpp:
3597         (JSC::EncodedValue::asObject):
3598         (JSC::EncodedValue::asArray):
3599         (JSC::EncodedValue::put<EncodedValue>):
3600         (JSC::EncodedValue::append<EncodedValue>):
3601         (JSC::EncodedValue::get<EncodedValue>):
3602         * replay/EncodedValue.h:
3603         * replay/scripts/CodeGeneratorReplayInputs.py:
3604         (Type.borrow_type):
3605         (Type.argument_type):
3606         (Generator.generate_member_move_expression):
3607         * runtime/ConsoleClient.cpp:
3608         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3609         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
3610         (JSC::ConsoleClient::logWithLevel):
3611         (JSC::ConsoleClient::clear):
3612         (JSC::ConsoleClient::dir):
3613         (JSC::ConsoleClient::dirXML):
3614         (JSC::ConsoleClient::table):
3615         (JSC::ConsoleClient::trace):
3616         (JSC::ConsoleClient::assertCondition):
3617         (JSC::ConsoleClient::group):
3618         (JSC::ConsoleClient::groupCollapsed):
3619         (JSC::ConsoleClient::groupEnd):
3620         * runtime/ConsoleClient.h:
3621         * runtime/TypeSet.cpp:
3622         (JSC::TypeSet::allStructureRepresentations):
3623         (JSC::TypeSet::inspectorTypeSet):
3624         (JSC::StructureShape::inspectorRepresentation):
3625         * runtime/TypeSet.h:
3626
3627 2015-01-06  Chris Dumez  <cdumez@apple.com>
3628
3629         Drop ResourceResponseBase::connectionID and connectionReused members
3630         https://bugs.webkit.org/show_bug.cgi?id=140158
3631
3632         Reviewed by Sam Weinig.
3633
3634         Drop ResourceResponseBase::connectionID and connectionReused members.
3635         Those were needed by the Chromium port but are no longer used.
3636
3637         * inspector/protocol/Network.json:
3638
3639 2015-01-06  Mark Lam  <mark.lam@apple.com>
3640
3641         Add the lexicalEnvironment as an operand to op_create_arguments.
3642         <https://webkit.org/b/140148>
3643
3644         Reviewed by Geoffrey Garen.
3645
3646         This patch only adds the operand to the bytecode.  It is not in use yet.
3647
3648         * bytecode/BytecodeList.json:
3649         * bytecode/BytecodeUseDef.h:
3650         (JSC::computeUsesForBytecodeOffset):
3651         * bytecode/CodeBlock.cpp:
3652         (JSC::CodeBlock::dumpBytecode):
3653         * bytecompiler/BytecodeGenerator.cpp:
3654         (JSC::BytecodeGenerator::BytecodeGenerator):
3655         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3656         - Adds the lexicalEnvironment register (if present) as an operand to
3657           op_create_arguments.  Else, adds a constant empty JSValue.
3658         * llint/LowLevelInterpreter32_64.asm:
3659         * llint/LowLevelInterpreter64.asm:
3660
3661 2015-01-06  Alexey Proskuryakov  <ap@apple.com>
3662
3663         ADDRESS_SANITIZER macro is overloaded
3664         https://bugs.webkit.org/show_bug.cgi?id=140130
3665
3666         Reviewed by Anders Carlsson.
3667
3668         * interpreter/JSStack.cpp: (JSC::JSStack::sanitizeStack): Use the new macro.
3669         This code is nearly unused (only compiled in when JIT is disabled at build time),
3670         however I've been told that it's best to keep it.
3671
3672 2015-01-06  Mark Lam  <mark.lam@apple.com>
3673
3674         Fix Use details for op_create_arguments.
3675         <https://webkit.org/b/140110>
3676
3677         Rubber stamped by Filip Pizlo.
3678
3679         The previous patch was wrong about op_create_arguments not using its 1st operand.
3680         It does read from it (hence, used) to check if the Arguments object has already
3681         been created or not.  This patch reverts the change for op_create_arguments.
3682
3683         * bytecode/BytecodeUseDef.h:
3684         (JSC::computeUsesForBytecodeOffset):
3685
3686 2015-01-06  Mark Lam  <mark.lam@apple.com>
3687
3688         Fix Use details for op_create_lexical_environment and op_create_arguments.
3689         <https://webkit.org/b/140110>
3690
3691         Reviewed by Filip Pizlo.
3692
3693         The current "Use" details for op_create_lexical_environment and
3694         op_create_arguments are wrong.  op_create_arguments uses nothing instead of the
3695         1st operand (the output local).  op_create_lexical_environment uses its 2nd
3696         operand (the scope chain) instead of the 1st (the output local).
3697         This patch fixes them to specify the proper uses.
3698
3699         * bytecode/BytecodeUseDef.h:
3700         (JSC::computeUsesForBytecodeOffset):
3701
3702 2015-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3703
3704         Implement ES6 String.prototype.repeat(count)
3705         https://bugs.webkit.org/show_bug.cgi?id=140047
3706
3707         Reviewed by Darin Adler.
3708
3709         Introducing ES6 String.prototype.repeat(count) function.
3710
3711         * runtime/JSString.h:
3712         * runtime/StringPrototype.cpp:
3713         (JSC::StringPrototype::finishCreation):
3714         (JSC::repeatSmallString):
3715         (JSC::stringProtoFuncRepeat):
3716
3717 2015-01-03  Michael Saboff  <msaboff@apple.com>
3718
3719         Crash in operationNewFunction when scrolling on Google+
3720         https://bugs.webkit.org/show_bug.cgi?id=140033
3721
3722         Reviewed by Oliver Hunt.
3723
3724         In DFG code, the scope register can be eliminated because all uses have been
3725         dead code eliminated.  In the case where one of the uses was creating a function
3726         that is never used, the baseline code will still create the function.  If we OSR
3727         exit to a path where that function gets created, check the scope register value
3728         and set the new, but dead, function to undefined instead of creating a new function.
3729
3730         * jit/JITOpcodes.cpp:
3731         (JSC::JIT::emit_op_new_func_exp):
3732
3733 2015-01-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3734
3735         String includes methods perform toString on searchString before toInt32 on an offset
3736         https://bugs.webkit.org/show_bug.cgi?id=140031
3737
3738         Reviewed by Darin Adler.
3739
3740         * runtime/StringPrototype.cpp:
3741         (JSC::stringProtoFuncStartsWith):
3742         (JSC::stringProtoFuncEndsWith):
3743         (JSC::stringProtoFuncIncludes):
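
The argument-coercion order that this fix puts in place, as an added example that is not WebKit code: it calls only the built-in String methods with constructed argument objects whose toString/valueOf record when they run, and checks that a RegExp searchString is rejected before the position is ever coerced.

```javascript
// Added example (not WebKit code): observe the order in which
// String.prototype.startsWith / endsWith / includes coerce their arguments.
// Per ES6, searchString is converted with ToString before the position
// argument is converted to an integer, and a RegExp searchString throws a
// TypeError before either conversion happens.

// Run one method on the constructed receiver 'abc' with a searchString whose
// toString() and a position whose valueOf() each log when they are invoked.
function coercionOrder(methodName) {
  const order = [];
  const searchString = {
    toString() { order.push('searchString.toString'); return 'b'; },
  };
  const position = {
    valueOf() { order.push('position.valueOf'); return 1; },
  };
  const result = String.prototype[methodName].call('abc', searchString, position);
  return { order, result };
}

// Collect the order and result for all three methods, keyed by method name.
// Expected: every method logs searchString.toString first, then position.valueOf;
// results are startsWith -> true, endsWith -> false, includes -> true.
function allCoercionOrders() {
  const out = {};
  for (const name of ['startsWith', 'endsWith', 'includes']) {
    out[name] = coercionOrder(name);
  }
  return out;
}

// A RegExp searchString must be rejected with a TypeError before any argument
// coercion, so the position's valueOf() must never run.
function regExpIsRejected(methodName) {
  let positionCoerced = false;
  const position = { valueOf() { positionCoerced = true; return 0; } };
  try {
    String.prototype[methodName].call('abc', /b/, position);
    return { threw: false, positionCoerced };
  } catch (e) {
    return { threw: e instanceof TypeError, positionCoerced };
  }
}

// Stand-alone run: print the observed orders and the RegExp rejection results.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(allCoercionOrders(), null, 2));
  for (const name of ['startsWith', 'endsWith', 'includes']) {
    console.log(name, JSON.stringify(regExpIsRejected(name)));
  }
}
```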
3744
3745 2015-01-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3746
3747         Change to return std::unique_ptr<> in fooCreate()
3748         https://bugs.webkit.org/show_bug.cgi?id=139983
3749
3750         Reviewed by Darin Adler.
3751
3752         To avoid unnecessary std::unique_ptr<> casting, fooCreate() returns std::unique_ptr<> directly.
3753
3754         * create_regex_tables:
3755         * yarr/YarrPattern.h:
3756         (JSC::Yarr::YarrPattern::reset):
3757         (JSC::Yarr::YarrPattern::newlineCharacterClass):
3758         (JSC::Yarr::YarrPattern::digitsCharacterClass):
3759         (JSC::Yarr::YarrPattern::spacesCharacterClass):
3760         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
3761         (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
3762         (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
3763         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
3764
3765 2015-01-01  Jeff Miller  <jeffm@apple.com>
3766
3767         Update user-visible copyright strings to include 2015
3768         https://bugs.webkit.org/show_bug.cgi?id=139880
3769
3770         Reviewed by Darin Adler.
3771
3772         * Info.plist:
3773
3774 2015-01-01  Darin Adler  <darin@apple.com>
3775
3776         We often misspell identifier as "identifer"
3777         https://bugs.webkit.org/show_bug.cgi?id=140025
3778
3779         Reviewed by Michael Saboff.
3780
3781         * runtime/ArrayConventions.h: Fix it.
3782
3783 2014-12-29  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3784
3785         Move JavaScriptCore/yarr to std::unique_ptr
3786         https://bugs.webkit.org/show_bug.cgi?id=139621
3787
3788         Reviewed by Anders Carlsson.
3789
3790         Final clean up OwnPtr|PassOwnPtr in JavaScriptCore/yarr.
3791
3792         * yarr/YarrInterpreter.cpp:
3793         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
3794         * yarr/YarrInterpreter.h:
3795         (JSC::Yarr::BytecodePattern::BytecodePattern):
3796         * yarr/YarrJIT.cpp:
3797         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
3798         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
3799         (JSC::Yarr::YarrGenerator::opCompileBody):
3800         * yarr/YarrPattern.cpp:
3801         (JSC::Yarr::CharacterClassConstructor::charClass):
3802         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
3803         (JSC::Yarr::YarrPatternConstructor::reset):
3804         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
3805         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
3806         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
3807         (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
3808         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
3809         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
3810         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
3811         * yarr/YarrPattern.h:
3812         (JSC::Yarr::PatternDisjunction::addNewAlternative):
3813         (JSC::Yarr::YarrPattern::newlineCharacterClass):
3814         (JSC::Yarr::YarrPattern::digitsCharacterClass):
3815         (JSC::Yarr::YarrPattern::spacesCharacterClass):
3816         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
3817         (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
3818         (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
3819         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
3820
3821 2014-12-26  Dan Bernstein  <mitz@apple.com>
3822
3823         <rdar://problem/19348208> REGRESSION (r177027): iOS builds use the wrong toolchain
3824         https://bugs.webkit.org/show_bug.cgi?id=139950
3825
3826         Reviewed by David Kilzer.
3827
3828         * Configurations/Base.xcconfig: Only define TOOLCHAINS when building for OS X, doing so
3829         in a manner that works with Xcode 5.1.1.
3830
3831 2014-12-22  Mark Lam  <mark.lam@apple.com>
3832
3833         Use ctiPatchCallByReturnAddress() in JITOperations.cpp.
3834         <https://webkit.org/b/139892>
3835
3836         Reviewed by Michael Saboff.
3837
3838         The code in JITOperations.cpp sometimes calls RepatchBuffer::relinkCallerToFunction()
3839         directly, and sometimes uses a helper function, ctiPatchCallByReturnAddress().
3840         This patch changes it to use the helper function consistently.
3841
3842         * jit/JITOperations.cpp:
3843
3844 2014-12-22  Mark Lam  <mark.lam@apple.com>
3845
3846         Fix some typos in a comment.
3847         <https://webkit.org/b/139882>
3848
3849         Reviewed by Michael Saboff.
3850
3851         * jit/JITPropertyAccess.cpp:
3852         (JSC::JIT::emit_op_get_by_val):
3853
3854 2014-12-22  Mark Lam  <mark.lam@apple.com>
3855
3856         Assert that Array elements not copied when changing shape to ArrayStorage type are indeed holes.
3857         <https://webkit.org/b/138118>
3858
3859         Reviewed by Michael Saboff.
3860
3861         * runtime/JSObject.cpp:
3862         (JSC::JSObject::convertInt32ToArrayStorage):
3863         (JSC::JSObject::convertDoubleToArrayStorage):
3864         (JSC::JSObject::convertContiguousToArrayStorage):
3865
3866 2014-12-20  Eric Carlson  <eric.carlson@apple.com>
3867
3868         [iOS] add optimized fullscreen API
3869         https://bugs.webkit.org/show_bug.cgi?id=139833
3870         <rdar://problem/18844486>
3871
3872         Reviewed by Simon Fraser.
3873
3874         * Configurations/FeatureDefines.xcconfig: Add ENABLE_VIDEO_PRESENTATION_MODE.
3875
3876 2014-12-20  David Kilzer  <ddkilzer@apple.com>
3877
3878         Switch from using PLATFORM_NAME to SDK selectors in WebCore, WebInspectorUI, WebKit, WebKit2
3879         <http://webkit.org/b/139463>
3880
3881         Reviewed by Mark Rowe.
3882
3883         * Configurations/JavaScriptCore.xcconfig:
3884         - Simplify SECTORDER_FLAGS.
3885
3886 2014-12-19  Andreas Kling  <akling@apple.com>
3887
3888         Plug leak below LLVMCopyStringRepOfTargetData().
3889         <https://webkit.org/b/139832>
3890
3891         Reviewed by Michael Saboff.
3892
3893         LLVMCopyStringRepOfTargetData() returns a strdup()'ed string, so make sure
3894         to free() it after we're done using it.
3895
3896         * ftl/FTLCompile.cpp:
3897         (JSC::FTL::mmAllocateDataSection):
3898
3899 2014-12-19  Joseph Pecoraro  <pecoraro@apple.com>
3900
3901         Web Inspector: CRASH inspector-protocol/debugger/breakpoint-action-detach.html
3902         https://bugs.webkit.org/show_bug.cgi?id=139797
3903
3904         Reviewed by Mark Lam.
3905
3906         * debugger/Debugger.h:
3907         * debugger/Debugger.cpp:
3908         (JSC::Debugger::isAttached):
3909         Check if we are the debugger for a particular global object.
3910         (JSC::Debugger::pauseIfNeeded):
3911         Pass the global object on when hitting a breakpoint.
3912
3913         * inspector/ScriptDebugServer.h:
3914         * inspector/ScriptDebugServer.cpp:
3915         (Inspector::ScriptDebugServer::handleBreakpointHit):
3916         Stop evaluating breakpoint actions if a previous action caused the
3917         debugger to detach from this global object.
3918         (Inspector::ScriptDebugServer::handlePause):
3919         Standardize on passing JSGlobalObject parameter first.
3920
3921 2014-12-19  Mark Lam  <mark.lam@apple.com>
3922
3923         [Win] Endless compiler warnings created by DFGEdge.h.
3924         <https://webkit.org/b/139801>
3925
3926         Reviewed by Brent Fulgham.
3927
3928         Add a cast to fix the type just the way the 64-bit version does.
3929
3930         * dfg/DFGEdge.h:
3931         (JSC::DFG::Edge::makeWord):
3932
3933 2014-12-19  Commit Queue  <commit-queue@webkit.org>
3934
3935         Unreviewed, rolling out r177574.
3936         https://bugs.webkit.org/show_bug.cgi?id=139821
3937
3938         "Broke Production builds by installing
3939         libWebCoreTestSupport.dylib in the wrong directory" (Requested
3940         by ddkilzer on #webkit).
3941
3942         Reverted changeset:
3943
3944         "Switch from using PLATFORM_NAME to SDK selectors in WebCore,
3945         WebInspectorUI, WebKit, WebKit2"
3946         https://bugs.webkit.org/show_bug.cgi?id=139463
3947         http://trac.webkit.org/changeset/177574
3948
3949 2014-12-19  Michael Saboff  <msaboff@apple.com>
3950
3951         REGRESSION(174226): Captured arguments in a using function compiled by the DFG have the initial value when the closure was invoked
3952         https://bugs.webkit.org/show_bug.cgi?id=139808
3953
3954         Reviewed by Oliver Hunt.
3955
3956         There are three changes here.
3957         1) Create a VariableWatchpointSet for captured arguments variables.
3958         2) Properly use the VariableWatchpointSet* found in op_put_to_scope in the 64 bit LLInt code.
3959         3) Add the same putLocalClosureVar path to the 32 bit LLInt code that exists in the 64 bit version.
3960
3961         * bytecompiler/BytecodeGenerator.cpp:
3962         (JSC::BytecodeGenerator::BytecodeGenerator):
3963         * llint/LowLevelInterpreter32_64.asm:
3964         * llint/LowLevelInterpreter64.asm:
3965
3966 2014-12-19  David Kilzer  <ddkilzer@apple.com>
3967
3968         Switch from using PLATFORM_NAME to SDK selectors in WebCore, WebInspectorUI, WebKit, WebKit2
3969         <http://webkit.org/b/139463>
3970
3971         Reviewed by Mark Rowe.
3972
3973         * Configurations/JavaScriptCore.xcconfig:
3974         - Simplify SECTORDER_FLAGS.
3975
3976 2014-12-18  Brent Fulgham  <bfulgham@apple.com>
3977
3978         Unreviewed build fix.
3979
3980         * jsc.cpp: Remove typo.
3981
3982 2014-12-17  Michael Saboff  <msaboff@apple.com>
3983
3984         Tests with infinite recursion frequently crash
3985         https://bugs.webkit.org/show_bug.cgi?id=139548
3986
3987         Reviewed by Geoffrey Garen.
3988
3989         While unwinding, if the call frame doesn't have a codeblock, then we
3990         are in native code, handle appropriately.
3991
3992         * interpreter/Interpreter.cpp:
3993         (JSC::unwindCallFrame):
3994         (JSC::UnwindFunctor::operator()):
3995         Added checks for null CodeBlock.
3996
3997         (JSC::Interpreter::unwind): Removed wrong ASSERT.
3998
3999 2014-12-17  Chris Dumez  <cdumez@apple.com>
4000
4001         [iOS] Make it possible to toggle FeatureCounter support at runtime
4002         https://bugs.webkit.org/show_bug.cgi?id=139688
4003         <rdar://problem/19266254>
4004
4005         Reviewed by Andreas Kling.
4006
4007         Stop linking against AppSupport framework as the functionality is no
4008         longer in WTF (it was moved to WebCore).
4009
4010         * Configurations/JavaScriptCore.xcconfig:
4011
4012 2014-12-17  Brent Fulgham  <bfulgham@apple.com>
4013
4014         [Win] Correct DebugSuffix builds under MSBuild
4015         https://bugs.webkit.org/show_bug.cgi?id=139733
4016         <rdar://problem/19276880&g