Timeline

Jul 26, 2014:

12:48 PM Changeset in webkit [171650] by Brian Burg

• 3 edits in trunk/Source/WebCore

Web Replay: log and enforce session/segment state machine transitions
​https://bugs.webkit.org/show_bug.cgi?id=135224

Reviewed by Timothy Hatcher.

For debugging purposes, log session and segment state transitions.
Assert that segment state transitions are valid.

No new tests. No behavior was changed.

• replay/ReplayController.cpp:

(WebCore::logDispatchedDOMEvent):
(WebCore::sessionStateToString):
(WebCore::segmentStateToString):
(WebCore::ReplayController::setSessionState):
(WebCore::ReplayController::setSegmentState):
(WebCore::ReplayController::createSegment):
(WebCore::ReplayController::completeSegment): Remove a wrong state transition.
(WebCore::ReplayController::loadSegmentAtIndex):
(WebCore::ReplayController::unloadSegment): Fix a now-erroneous assertion.
(WebCore::ReplayController::startPlayback):
(WebCore::ReplayController::pausePlayback):
(WebCore::ReplayController::willDispatchEvent):
(WebCore::ReplayController::cancelPlayback):

• replay/ReplayController.h:

12:43 PM Changeset in webkit [171649] by Brian Burg

• 2 edits in trunk/Source/WebInspectorUI

Web Inspector: ReplayManager uses undefined events and inconsistent event data
​https://bugs.webkit.org/show_bug.cgi?id=135222

Reviewed by Timothy Hatcher.

• UserInterface/Controllers/ReplayManager.js:

(WebInspector.ReplayManager.prototype.sessionCreated.this):
(WebInspector.ReplayManager.prototype.sessionCreated):
(WebInspector.ReplayManager.prototype.segmentLoaded):
(WebInspector.ReplayManager.prototype.segmentUnloaded):
(WebInspector.ReplayManager.prototype.stopCapturing):
(WebInspector.ReplayManager.prototype.replayToMarkIndex):
(WebInspector.ReplayManager.prototype.segmentCompleted.set catch):
(WebInspector.ReplayManager.prototype.segmentCompleted):
(WebInspector.ReplayManager.prototype.startCapturing):
(WebInspector.ReplayManager.prototype._changeSessionState):

12:06 PM Changeset in webkit [171648] by fpizlo@apple.com

• 89 edits
  3 adds
  53 deletes in trunk

Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
reland later.

Source/JavaScriptCore:

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::printPutByIdCacheStatus): Deleted.

• bytecode/CodeBlock.h:
• bytecode/GetByIdStatus.cpp:

(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::computeFor):

• bytecode/GetByIdStatus.h:
• bytecode/GetByIdVariant.cpp:

(JSC::GetByIdVariant::dumpInContext):

• bytecode/GetByIdVariant.h:

(JSC::GetByIdVariant::structureSet):

• bytecode/Instruction.h:
• bytecode/PutByIdStatus.cpp:

(JSC::PutByIdStatus::appendVariant):
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):

• bytecode/PutByIdStatus.h:
• bytecode/PutByIdVariant.cpp:

(JSC::PutByIdVariant::dumpInContext):
(JSC::PutByIdVariant::oldStructureForTransition): Deleted.
(JSC::PutByIdVariant::writesStructures): Deleted.
(JSC::PutByIdVariant::reallocatesStorage): Deleted.
(JSC::PutByIdVariant::attemptToMerge): Deleted.
(JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.

• bytecode/PutByIdVariant.h:

(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::replace):
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::structure):
(JSC::PutByIdVariant::oldStructure):
(JSC::PutByIdVariant::newStructure):
(JSC::PutByIdVariant::constantChecks):

• bytecode/StructureSet.cpp:

(JSC::StructureSet::filter): Deleted.
(JSC::StructureSet::filterArrayModes): Deleted.

• bytecode/StructureSet.h:

(JSC::StructureSet::onlyStructure):

• bytecode/ToThisStatus.cpp: Removed.
• bytecode/ToThisStatus.h: Removed.
• bytecode/TypeLocation.h: Removed.
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::emitPutById):
(JSC::BytecodeGenerator::emitPutByVal):
(JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.

• bytecompiler/BytecodeGenerator.h:

(JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.

• bytecompiler/NodesCodegen.cpp:

(JSC::PostfixNode::emitResolve):
(JSC::PrefixNode::emitResolve):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ConstDeclNode::emitCodeSingle):
(JSC::ForInNode::emitBytecode):

• debugger/DebuggerActivation.cpp: Added.

(JSC::DebuggerActivation::DebuggerActivation):
(JSC::DebuggerActivation::finishCreation):
(JSC::DebuggerActivation::visitChildren):
(JSC::DebuggerActivation::className):
(JSC::DebuggerActivation::getOwnPropertySlot):
(JSC::DebuggerActivation::put):
(JSC::DebuggerActivation::deleteProperty):
(JSC::DebuggerActivation::getOwnPropertyNames):
(JSC::DebuggerActivation::defineOwnProperty):

• debugger/DebuggerActivation.h: Added.

(JSC::DebuggerActivation::create):
(JSC::DebuggerActivation::createStructure):

• debugger/DebuggerScope.cpp: Removed.
• debugger/DebuggerScope.h: Removed.
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):

• dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::changeStructure): Deleted.
(JSC::DFG::AbstractValue::contains): Deleted.

• dfg/DFGAbstractValue.h:

(JSC::DFG::AbstractValue::couldBeType):
(JSC::DFG::AbstractValue::isType):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
(JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::visitChildren):
(JSC::DFG::Graph::freezeStrong):

• dfg/DFGGraph.h:
• dfg/DFGNode.cpp:

(JSC::DFG::MultiPutByOffsetData::writesStructures):
(JSC::DFG::MultiPutByOffsetData::reallocatesStorage):

• dfg/DFGNode.h:

(JSC::DFG::Node::convertToPutByOffset):
(JSC::DFG::Node::hasTransition):
(JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
(JSC::DFG::Node::convertToMultiPutByOffset): Deleted.

• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGStructureAbstractValue.cpp:

(JSC::DFG::StructureAbstractValue::observeTransition):
(JSC::DFG::StructureAbstractValue::observeTransitions):

• dfg/DFGStructureAbstractValue.h:

(JSC::DFG::StructureAbstractValue::onlyStructure):
(JSC::DFG::StructureAbstractValue::operator=): Deleted.
(JSC::DFG::StructureAbstractValue::set): Deleted.

• dfg/DFGValidate.cpp:

(JSC::DFG::Validate::validate):

• dfg/DFGWatchableStructureWatchingPhase.cpp:

(JSC::DFG::WatchableStructureWatchingPhase::run):

• ftl/FTLAbbreviations.h:

(JSC::FTL::getLinkage): Deleted.

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):

• heap/Heap.cpp:

(JSC::Heap::collect):

• inspector/agents/InspectorRuntimeAgent.cpp:

(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.

• inspector/agents/InspectorRuntimeAgent.h:
• inspector/protocol/Runtime.json:
• jsc.cpp:

(GlobalObject::finishCreation):
(functionDumpTypesForAllVariables): Deleted.

• llint/LLIntData.cpp:

(JSC::LLInt::Data::performAssertions):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::putToScopeCommon): Deleted.

• llint/LLIntSlowPaths.h:
• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/ArrayBufferNeuteringWatchpoint.cpp:

(JSC::ArrayBufferNeuteringWatchpoint::createStructure):

• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/Executable.h:

(JSC::ExecutableBase::createStructure):
(JSC::NativeExecutable::createStructure):

• runtime/HighFidelityLog.cpp: Removed.
• runtime/HighFidelityLog.h: Removed.
• runtime/HighFidelityTypeProfiler.cpp: Removed.
• runtime/HighFidelityTypeProfiler.h: Removed.
• runtime/JSObject.cpp:

(JSC::JSObject::putDirectCustomAccessor):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::reifyStaticFunctionsForDelete):

• runtime/JSPromiseDeferred.h:

(JSC::JSPromiseDeferred::createStructure):

• runtime/JSPromiseReaction.h:

(JSC::JSPromiseReaction::createStructure):

• runtime/JSPropertyNameIterator.h:

(JSC::JSPropertyNameIterator::createStructure):

• runtime/JSType.h:
• runtime/JSTypeInfo.h:

(JSC::TypeInfo::TypeInfo):

• runtime/MapData.h:

(JSC::MapData::createStructure):

• runtime/Options.h:
• runtime/PropertyMapHashTable.h:

(JSC::PropertyTable::createStructure):

• runtime/RegExp.h:

(JSC::RegExp::createStructure):

• runtime/SparseArrayValueMap.cpp:

(JSC::SparseArrayValueMap::createStructure):

• runtime/Structure.cpp:

(JSC::StructureTransitionTable::contains):
(JSC::StructureTransitionTable::get):
(JSC::StructureTransitionTable::add):
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::freezeTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::pin):
(JSC::Structure::allocateRareData):
(JSC::Structure::cloneRareDataFrom):
(JSC::Structure::getConcurrently):
(JSC::Structure::putSpecificValue):
(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::visitChildren):
(JSC::Structure::checkConsistency):
(JSC::Structure::toStructureShape): Deleted.

• runtime/Structure.h:

(JSC::Structure::isExtensible):
(JSC::Structure::didTransition):
(JSC::Structure::isDictionary):
(JSC::Structure::isUncacheableDictionary):
(JSC::Structure::hasBeenFlattenedBefore):
(JSC::Structure::propertyAccessesAreCacheable):
(JSC::Structure::previousID):
(JSC::Structure::hasGetterSetterProperties):
(JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
(JSC::Structure::setHasGetterSetterProperties):
(JSC::Structure::hasCustomGetterSetterProperties):
(JSC::Structure::setHasCustomGetterSetterProperties):
(JSC::Structure::setContainsReadOnlyProperties):
(JSC::Structure::hasNonEnumerableProperties):
(JSC::Structure::disableSpecificFunctionTracking):
(JSC::Structure::objectToStringValue):
(JSC::Structure::setObjectToStringValue):
(JSC::Structure::staticFunctionsReified):
(JSC::Structure::setStaticFunctionsReified):
(JSC::Structure::transitionWatchpointSet):
(JSC::Structure::setPreviousID):
(JSC::Structure::clearPreviousID):
(JSC::Structure::previous):
(JSC::Structure::rareData):
(JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
(JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.

• runtime/StructureChain.h:

(JSC::StructureChain::createStructure):

• runtime/StructureInlines.h:

(JSC::Structure::setEnumerationCache):
(JSC::Structure::enumerationCache):
(JSC::Structure::checkOffsetConsistency):

• runtime/StructureRareData.cpp:

(JSC::StructureRareData::createStructure):

• runtime/SymbolTable.cpp:

(JSC::SymbolTable::SymbolTable):
(JSC::SymbolTable::cloneCapturedNames):
(JSC::SymbolTable::uniqueIDForVariable): Deleted.
(JSC::SymbolTable::uniqueIDForRegister): Deleted.
(JSC::SymbolTable::globalTypeSetForRegister): Deleted.
(JSC::SymbolTable::globalTypeSetForVariable): Deleted.

• runtime/SymbolTable.h:

(JSC::SymbolTable::createStructure):
(JSC::SymbolTable::add):
(JSC::SymbolTable::set):

• runtime/TypeSet.cpp: Removed.
• runtime/TypeSet.h: Removed.
• runtime/VM.cpp:

(JSC::VM::VM):
(JSC::VM::getTypesForVariableInRange): Deleted.
(JSC::VM::updateHighFidelityTypeProfileState): Deleted.
(JSC::VM::dumpHighFidelityProfilingTypes): Deleted.

• runtime/VM.h:

(JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
(JSC::VM::highFidelityLog): Deleted.
(JSC::VM::highFidelityTypeProfiler): Deleted.
(JSC::VM::nextLocation): Deleted.
(JSC::VM::getNextUniqueVariableID): Deleted.

• runtime/WeakMapData.h:

(JSC::WeakMapData::createStructure):

• tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
• tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
• tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.

Source/WebCore:

• ForwardingHeaders/debugger/DebuggerActivation.h: Added.

Source/WebKit/mac:

• WebView/WebScriptDebugDelegate.mm:

Source/WTF:

• wtf/text/WTFString.h:

LayoutTests:

• js/regress/fold-get-by-id-to-multi-get-by-offset-expected.txt: Removed.
• js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int-expected.txt: Removed.
• js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html: Removed.
• js/regress/fold-get-by-id-to-multi-get-by-offset.html: Removed.
• js/regress/fold-multi-get-by-offset-to-get-by-offset-expected.txt: Removed.
• js/regress/fold-multi-get-by-offset-to-get-by-offset.html: Removed.
• js/regress/fold-multi-get-by-offset-to-poly-get-by-offset-expected.txt: Removed.
• js/regress/fold-multi-get-by-offset-to-poly-get-by-offset.html: Removed.
• js/regress/fold-multi-put-by-offset-to-poly-put-by-offset-expected.txt: Removed.
• js/regress/fold-multi-put-by-offset-to-poly-put-by-offset.html: Removed.
• js/regress/fold-multi-put-by-offset-to-put-by-offset-expected.txt: Removed.
• js/regress/fold-multi-put-by-offset-to-put-by-offset.html: Removed.
• js/regress/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset-expected.txt: Removed.
• js/regress/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset.html: Removed.
• js/regress/fold-put-by-id-to-multi-put-by-offset-expected.txt: Removed.
• js/regress/fold-put-by-id-to-multi-put-by-offset.html: Removed.
• js/regress/fold-put-structure-expected.txt: Removed.
• js/regress/fold-put-structure.html: Removed.
• js/regress/hoist-poly-check-structure-effectful-loop-expected.txt: Removed.
• js/regress/hoist-poly-check-structure-effectful-loop.html: Removed.
• js/regress/hoist-poly-check-structure-expected.txt: Removed.
• js/regress/hoist-poly-check-structure.html: Removed.
• js/regress/put-by-id-replace-and-transition-expected.txt: Removed.
• js/regress/put-by-id-replace-and-transition.html: Removed.
• js/regress/put-by-id-slightly-polymorphic-expected.txt: Removed.
• js/regress/put-by-id-slightly-polymorphic.html: Removed.
• js/regress/script-tests/fold-get-by-id-to-multi-get-by-offset-rare-int.js: Removed.
• js/regress/script-tests/fold-get-by-id-to-multi-get-by-offset.js: Removed.
• js/regress/script-tests/fold-multi-get-by-offset-to-get-by-offset.js: Removed.
• js/regress/script-tests/fold-multi-get-by-offset-to-poly-get-by-offset.js: Removed.
• js/regress/script-tests/fold-multi-put-by-offset-to-poly-put-by-offset.js: Removed.
• js/regress/script-tests/fold-multi-put-by-offset-to-put-by-offset.js: Removed.
• js/regress/script-tests/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset.js: Removed.
• js/regress/script-tests/fold-put-by-id-to-multi-put-by-offset.js: Removed.
• js/regress/script-tests/fold-put-structure.js: Removed.
• js/regress/script-tests/hoist-poly-check-structure-effectful-loop.js: Removed.
• js/regress/script-tests/hoist-poly-check-structure.js: Removed.
• js/regress/script-tests/put-by-id-replace-and-transition.js: Removed.
• js/regress/script-tests/put-by-id-slightly-polymorphic.js: Removed.

11:45 AM Changeset in webkit [171647] by timothy_horton@apple.com

• 7 edits in trunk/Source

Crash in Web Content Process under ~PDFDocument under clearTouchEventListeners at topDocument()
​https://bugs.webkit.org/show_bug.cgi?id=135319
<rdar://problem/17315168>

Reviewed by Darin Adler and Antti Koivisto.

• WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:

(WebKit::WebFrameLoaderClient::committedLoad):
Allow data through to WebCore for frames with custom content providers;
the only custom content provider currently implemented is main frame PDF
on iOS, which will end up creating a PDFDocument in WebCore, which drops all
data on the floor immediately, so this won't result in WebCore doing anything
with the data, but makes sure that more of the normal document lifecycle is maintained.

In the future, we might want to consider ensuring that all custom content providers
end up creating a SinkDocument or something similarly generic to ensure that
WebCore doesn't try to do anything with their data, but for now, the only client is covered.

• dom/Document.h:
• dom/Document.cpp:

(WebCore::Document::Document):
(WebCore::Document::prepareForDestruction):
Add a flag on Document, m_hasPreparedForDestruction, which ensures
that each Document only goes through prepareForDestruction() once.
prepareForDestruction() can be called a number of times during teardown,
but it's only necessary to actually execute it once.

This was previously achieved by virtue of all callers of prepareForDestruction()
first checking hasLivingRenderTree, and prepareForDestruction() tearing down
the render tree, but that meant that prepareForDestruction() was not called
for Documents who never had a render tree in the first place.

The only part of prepareForDestruction() that is now predicated on hasLivingRenderTree()
is the call to destroyRenderTree(); the rest of the function has the potential to be relevant
for non-rendered placeholder documents and can safely deal with them in other ways.

It is important to call prepareForDestruction() on non-rendered placeholder documents
because some of the cleanup (like disconnectFromFrame()) is critical to safe destruction.

• loader/FrameLoader.cpp:

(WebCore::FrameLoader::clear):
Call prepareForDestruction() even if we don't have a living render tree.
For the sake of minimizing change, removeFocusedNodeOfSubtree still
depends on having a living render tree before calling prepareForDestruction().

• page/Frame.cpp:

(WebCore::Frame::setView):
(WebCore::Frame::setDocument):
Call prepareForDestruction() even if we don't have a living render tree.

9:44 AM Changeset in webkit [171646] by commit-queue@webkit.org

• 2 edits in trunk/Source/WebInspectorUI

Remove accidental debugging console.log
​https://bugs.webkit.org/show_bug.cgi?id=135315

Patch by Joseph Pecoraro <Joseph Pecoraro> on 2014-07-26
Reviewed by Alexey Proskuryakov.

• UserInterface/Views/ApplicationCacheFrameContentView.js:

(WebInspector.ApplicationCacheFrameContentView.prototype._sortDataGrid):

9:42 AM Changeset in webkit [171645] by commit-queue@webkit.org

• 6 edits in trunk/Source/WebInspectorUI

Web Inspector: Timelines performance is very slow, has many forced layouts
​https://bugs.webkit.org/show_bug.cgi?id=135313

Patch by Joseph Pecoraro <Joseph Pecoraro> on 2014-07-26
Reviewed by Timothy Hatcher.

• UserInterface/Views/NavigationItem.js:

(WebInspector.NavigationItem):
(WebInspector.NavigationItem.prototype.get hidden):
(WebInspector.NavigationItem.prototype.set hidden):
Don't have the parent navigation bar update layout if the hidden state did not change.
This greatly reduces the number of forced layouts as timeline nodes are added.

• UserInterface/Views/NavigationSidebarPanel.js:

(WebInspector.NavigationSidebarPanel.prototype.showEmptyContentPlaceholder):
(WebInspector.NavigationSidebarPanel.prototype.hideEmptyContentPlaceholder):
Don't do any work if this is not changing the view.

(WebInspector.NavigationSidebarPanel.prototype._updateContentOverflowShadowVisibilitySoon):
(WebInspector.NavigationSidebarPanel.prototype._updateContentOverflowShadowVisibility):
(WebInspector.NavigationSidebarPanel.prototype._treeElementAddedOrChanged):
When first selecting a specific timeline (Layout / Scripts) we would have a very long hang
updating the content. Most of this was time spent updating the overflow shadow visibility
because every single tree element addition was causing a layout invalidation and forced layout.
Coalesce all of the tree element adds into a single update at the end.

• UserInterface/Views/TimelineOverview.js:

(WebInspector.TimelineOverview.prototype.updateLayout):
Calculating the visible duration checks offsetLeft. Calculate this once, outside
of a loop down below, to prevent or reduce possible forced layouts.

• UserInterface/Views/TreeOutline.js:

(TreeElement.prototype.revealed):
Prevent doing any work for timeline tree elements outside of the selected time range.
Previously they were considered revealed if a parent was expanded, even though that
parent was hidden. This greatly reduces the amount of work during a recording, since
previously we were potentially doing a forced layout for hidden nodes.

• UserInterface/Views/TimelineSidebarPanel.js:

(WebInspector.TimelineSidebarPanel.prototype.treeElementForRepresentedObject.looselyCompareRepresentedObjects):
Ignore ProfileNode, which may happen here in the Script timeline.

Jul 25, 2014:

10:59 PM Changeset in webkit [171644] by fpizlo@apple.com

• 2 edits in trunk/Source/WTF

Attempt to fix Windows.

• wtf/text/WTFString.h:

10:44 PM Changeset in webkit [171643] by fpizlo@apple.com

• 3 edits in trunk/Source/JavaScriptCore

Attempt to fix non-Xcode platforms.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

10:37 PM Changeset in webkit [171642] by fpizlo@apple.com

• 4 edits in trunk/Source/JavaScriptCore

Fix cloop.

• bytecode/CodeBlock.cpp:

(JSC::dumpChain):
(JSC::CodeBlock::printPutByIdCacheStatus):

• bytecode/StructureSet.cpp:
• bytecode/StructureSet.h:

10:18 PM Changeset in webkit [171641] by fpizlo@apple.com

• 86 edits
  53 adds
  3 deletes in trunk

Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.

Source/JavaScriptCore:

2014-06-27 Michael Saboff <​msaboff@apple.com>

Unreviewed build fix after r169795.

Fixed ASSERT for 32 bit build.

• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

2014-06-24 Saam Barati <​sbarati@apple.com>

Web Inspector: debugger should be able to show variable types
​https://bugs.webkit.org/show_bug.cgi?id=133395

Reviewed by Filip Pizlo.

Increase the amount of type information the VM gathers when directed
to do so. This initial commit is working towards the goal of
capturing, and then showing (via the Web Inspector) type information for all
assignment and load operations. This patch doesn't have the feature fully
implemented, but it ensures the VM has no performance regressions
unless the feature is specifically turned on.

• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): (JSC::computeDefsForBytecodeOffset):
• bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::finalizeUnconditionally):
• bytecode/CodeBlock.h:
• bytecode/Instruction.h:
• bytecode/TypeLocation.h: Added. (JSC::TypeLocation::TypeLocation):
• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitMove): (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): (JSC::BytecodeGenerator::emitPutToScope): (JSC::BytecodeGenerator::emitPutById): (JSC::BytecodeGenerator::emitPutByVal):
• bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
• bytecompiler/NodesCodegen.cpp: (JSC::PostfixNode::emitResolve): (JSC::PrefixNode::emitResolve): (JSC::ReadModifyResolveNode::emitBytecode): (JSC::AssignResolveNode::emitBytecode): (JSC::ConstDeclNode::emitCodeSingle): (JSC::ForInNode::emitBytecode):
• heap/Heap.cpp: (JSC::Heap::collect):
• inspector/agents/InspectorRuntimeAgent.cpp: (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
• inspector/agents/InspectorRuntimeAgent.h:
• inspector/protocol/Runtime.json:
• jsc.cpp: (GlobalObject::finishCreation): (functionDumpTypesForAllVariables):
• llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::putToScopeCommon):
• llint/LLIntSlowPaths.h:
• llint/LowLevelInterpreter.asm:
• runtime/HighFidelityLog.cpp: Added. (JSC::HighFidelityLog::initializeHighFidelityLog): (JSC::HighFidelityLog::~HighFidelityLog): (JSC::HighFidelityLog::recordTypeInformationForLocation): (JSC::HighFidelityLog::processHighFidelityLog): (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
• runtime/HighFidelityLog.h: Added. (JSC::HighFidelityLog::HighFidelityLog):
• runtime/HighFidelityTypeProfiler.cpp: Added. (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): (JSC::HighFidelityTypeProfiler::insertNewLocation): (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
• runtime/HighFidelityTypeProfiler.h: Added.
• runtime/Options.h:
• runtime/Structure.cpp: (JSC::Structure::toStructureShape):
• runtime/Structure.h:
• runtime/SymbolTable.cpp: (JSC::SymbolTable::SymbolTable): (JSC::SymbolTable::cloneCapturedNames): (JSC::SymbolTable::uniqueIDForVariable): (JSC::SymbolTable::uniqueIDForRegister): (JSC::SymbolTable::globalTypeSetForRegister): (JSC::SymbolTable::globalTypeSetForVariable):
• runtime/SymbolTable.h: (JSC::SymbolTable::add): (JSC::SymbolTable::set):
• runtime/TypeSet.cpp: Added. (JSC::TypeSet::TypeSet): (JSC::TypeSet::getRuntimeTypeForValue): (JSC::TypeSet::addTypeForValue): (JSC::TypeSet::removeDuplicatesInStructureHistory): (JSC::TypeSet::seenTypes): (JSC::TypeSet::dumpSeenTypes): (JSC::StructureShape::StructureShape): (JSC::StructureShape::markAsFinal): (JSC::StructureShape::addProperty): (JSC::StructureShape::propertyHash): (JSC::StructureShape::leastUpperBound): (JSC::StructureShape::stringRepresentation):
• runtime/TypeSet.h: Added. (JSC::StructureShape::create): (JSC::TypeSet::create):
• runtime/VM.cpp: (JSC::VM::VM): (JSC::VM::getTypesForVariableInRange): (JSC::VM::updateHighFidelityTypeProfileState): (JSC::VM::dumpHighFidelityProfilingTypes):
• runtime/VM.h: (JSC::VM::isProfilingTypesWithHighFidelity): (JSC::VM::highFidelityLog): (JSC::VM::highFidelityTypeProfiler): (JSC::VM::nextLocation): (JSC::VM::getNextUniqueVariableID):

2014-06-26 Mark Lam <​mark.lam@apple.com>

Remove unused instantiation of the WithScope structure.
<​https://webkit.org/b/134331>

Reviewed by Oliver Hunt.

The WithScope structure instance is the VM is unused, and is now removed.

• runtime/VM.cpp: (JSC::VM::VM):
• runtime/VM.h:

2014-06-25 Mark Hahnenberg <​mhahnenberg@apple.com>

Structure bit fields should have a consistent format
​https://bugs.webkit.org/show_bug.cgi?id=134307

Reviewed by Filip Pizlo.

Currently we use C-style bit fields for a number of member variables in Structure to save space.
This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
format to make it easy to load and test these variables in JIT code.

• runtime/JSObject.cpp: (JSC::JSObject::putDirectNonIndexAccessor): (JSC::JSObject::reifyStaticFunctionsForDelete):
• runtime/Structure.cpp: (JSC::StructureTransitionTable::contains): (JSC::StructureTransitionTable::get): (JSC::StructureTransitionTable::add): (JSC::Structure::Structure): (JSC::Structure::materializePropertyMap): (JSC::Structure::addPropertyTransition): (JSC::Structure::despecifyFunctionTransition): (JSC::Structure::toDictionaryTransition): (JSC::Structure::freezeTransition): (JSC::Structure::preventExtensionsTransition): (JSC::Structure::takePropertyTableOrCloneIfPinned): (JSC::Structure::nonPropertyTransition): (JSC::Structure::flattenDictionaryStructure): (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::pin): (JSC::Structure::allocateRareData): (JSC::Structure::cloneRareDataFrom): (JSC::Structure::getConcurrently): (JSC::Structure::putSpecificValue): (JSC::Structure::getPropertyNamesFromStructure): (JSC::Structure::visitChildren): (JSC::Structure::checkConsistency):
• runtime/Structure.h: (JSC::Structure::isExtensible): (JSC::Structure::isDictionary): (JSC::Structure::isUncacheableDictionary): (JSC::Structure::propertyAccessesAreCacheable): (JSC::Structure::previousID): (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): (JSC::Structure::setContainsReadOnlyProperties): (JSC::Structure::disableSpecificFunctionTracking): (JSC::Structure::objectToStringValue): (JSC::Structure::setObjectToStringValue): (JSC::Structure::setPreviousID): (JSC::Structure::clearPreviousID): (JSC::Structure::previous): (JSC::Structure::rareData): (JSC::Structure::didTransition): Deleted. (JSC::Structure::hasGetterSetterProperties): Deleted. (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted. (JSC::Structure::setHasGetterSetterProperties): Deleted. (JSC::Structure::hasNonEnumerableProperties): Deleted. (JSC::Structure::staticFunctionsReified): Deleted. (JSC::Structure::setStaticFunctionsReified): Deleted.
• runtime/StructureInlines.h: (JSC::Structure::setEnumerationCache): (JSC::Structure::enumerationCache): (JSC::Structure::checkOffsetConsistency):

2014-06-24 Mark Lam <​mark.lam@apple.com>

[ftlopt] Renamed DebuggerActivation to DebuggerScope.
<​https://webkit.org/b/134273>

Reviewed by Michael Saboff.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
• JavaScriptCore.xcodeproj/project.pbxproj:
• debugger/DebuggerActivation.cpp: Removed.
• debugger/DebuggerActivation.h: Removed.
• debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp. (JSC::DebuggerScope::DebuggerScope): (JSC::DebuggerScope::finishCreation): (JSC::DebuggerScope::visitChildren): (JSC::DebuggerScope::className): (JSC::DebuggerScope::getOwnPropertySlot): (JSC::DebuggerScope::put): (JSC::DebuggerScope::deleteProperty): (JSC::DebuggerScope::getOwnPropertyNames): (JSC::DebuggerScope::defineOwnProperty): (JSC::DebuggerActivation::DebuggerActivation): Deleted. (JSC::DebuggerActivation::finishCreation): Deleted. (JSC::DebuggerActivation::visitChildren): Deleted. (JSC::DebuggerActivation::className): Deleted. (JSC::DebuggerActivation::getOwnPropertySlot): Deleted. (JSC::DebuggerActivation::put): Deleted. (JSC::DebuggerActivation::deleteProperty): Deleted. (JSC::DebuggerActivation::getOwnPropertyNames): Deleted. (JSC::DebuggerActivation::defineOwnProperty): Deleted.
• debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h. (JSC::DebuggerScope::create): (JSC::DebuggerActivation::create): Deleted.
• runtime/VM.cpp: (JSC::VM::VM):
• runtime/VM.h:

2014-06-24 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
​https://bugs.webkit.org/show_bug.cgi?id=134265

Reviewed by Geoffrey Garen.

More assertion fallout from the PutById folding work.

• dfg/DFGNode.h: (JSC::DFG::Node::convertToPutByOffset):

2014-06-24 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] GC should notify us if it resets to_this
​https://bugs.webkit.org/show_bug.cgi?id=128231

Reviewed by Geoffrey Garen.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/BytecodeList.json:
• bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::finalizeUnconditionally):
• bytecode/Instruction.h:
• bytecode/ToThisStatus.cpp: Added. (JSC::merge): (WTF::printInternal):
• bytecode/ToThisStatus.h: Added.
• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock):
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL):

2014-06-24 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
​https://bugs.webkit.org/show_bug.cgi?id=134256

Reviewed by Michael Saboff.

This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
point is to be able to precisely model what goes on in the snippets of code between a
side-effect and an InvalidationPoint.

This patch also cleans up onlyStructure() by delegating more work to
StructureSet::onlyStructure().

• dfg/DFGStructureAbstractValue.h: (JSC::DFG::StructureAbstractValue::onlyStructure):

2014-06-24 Filip Pizlo <​fpizlo@apple.com>

[ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
​https://bugs.webkit.org/show_bug.cgi?id=134260

Reviewed by Geoffrey Garen.

This was causing loads of assertion failures in debug builds.

• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2014-06-21 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
​https://bugs.webkit.org/show_bug.cgi?id=134090

Reviewed by Oliver Hunt.

This pretty much finishes off the work to eliminate the special-casing of singleton
structure sets by making it possible to fold GetById and PutById to various polymorphic
forms of the ByOffset nodes.

• bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeForStubInfo): (JSC::GetByIdStatus::computeFor):
• bytecode/GetByIdStatus.h:
• bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFor):
• bytecode/PutByIdStatus.h:
• bytecode/PutByIdVariant.h: (JSC::PutByIdVariant::constantChecks):
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock):
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): (JSC::DFG::ConstantFoldingPhase::addChecks):
• dfg/DFGNode.h: (JSC::DFG::Node::convertToMultiGetByOffset): (JSC::DFG::Node::convertToMultiPutByOffset):
• dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging. (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): (JSC::DFG::SpeculativeJIT::emitCall): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict): (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGStructureAbstractValue.h: (JSC::DFG::StructureAbstractValue::set):

2014-06-19 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
​https://bugs.webkit.org/show_bug.cgi?id=134077

Reviewed by Sam Weinig.

This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
in the abstract interpreter.

• bytecode/StructureSet.h: (JSC::StructureSet::onlyStructure):

2014-06-18 Filip Pizlo <​fpizlo@apple.com>

DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
​https://bugs.webkit.org/show_bug.cgi?id=133918

Reviewed by Mark Hahnenberg.

This also adds pruning of PutStructure, since I basically had no choice but
to implement such logic within MultiPutByOffset.

Also adds a bunch of PutById cache status dumping to bytecode dumping.

• bytecode/GetByIdVariant.cpp: (JSC::GetByIdVariant::dumpInContext):
• bytecode/GetByIdVariant.h: (JSC::GetByIdVariant::structureSet):
• bytecode/PutByIdVariant.h: (JSC::PutByIdVariant::oldStructure):
• bytecode/StructureSet.cpp: (JSC::StructureSet::filter): (JSC::StructureSet::filterArrayModes):
• bytecode/StructureSet.h:
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::changeStructure): (JSC::DFG::AbstractValue::contains):
• dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::couldBeType): (JSC::DFG::AbstractValue::isType):
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::emitGetByOffset): (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::freezeStrong):
• dfg/DFGGraph.h:
• dfg/DFGStructureAbstractValue.h: (JSC::DFG::StructureAbstractValue::operator=):
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
• tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added. (foo): (fu): (bar): (baz): (.bar): (.baz):
• tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added. (foo): (fu): (bar): (baz): (.bar): (.baz):
• tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added. (foo): (fu): (bar): (baz): (.bar): (.baz):

2014-06-18 Mark Hahnenberg <​mhahnenberg@apple.com>

Remove CompoundType and LeafType
​https://bugs.webkit.org/show_bug.cgi?id=134037

Reviewed by Filip Pizlo.

We don't use them for anything. We'll replace them with a generic CellType type for all
the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
their JSType at runtime.

• llint/LLIntData.cpp: (JSC::LLInt::Data::performAssertions):
• runtime/ArrayBufferNeuteringWatchpoint.cpp: (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
• runtime/Executable.h: (JSC::ExecutableBase::createStructure): (JSC::NativeExecutable::createStructure):
• runtime/JSPromiseDeferred.h: (JSC::JSPromiseDeferred::createStructure):
• runtime/JSPromiseReaction.h: (JSC::JSPromiseReaction::createStructure):
• runtime/JSPropertyNameIterator.h: (JSC::JSPropertyNameIterator::createStructure):
• runtime/JSType.h:
• runtime/JSTypeInfo.h: (JSC::TypeInfo::TypeInfo):
• runtime/MapData.h: (JSC::MapData::createStructure):
• runtime/PropertyMapHashTable.h: (JSC::PropertyTable::createStructure):
• runtime/RegExp.h: (JSC::RegExp::createStructure):
• runtime/SparseArrayValueMap.cpp: (JSC::SparseArrayValueMap::createStructure):
• runtime/Structure.cpp: (JSC::Structure::Structure):
• runtime/StructureChain.h: (JSC::StructureChain::createStructure):
• runtime/StructureRareData.cpp: (JSC::StructureRareData::createStructure):
• runtime/SymbolTable.h: (JSC::SymbolTable::createStructure):
• runtime/WeakMapData.h: (JSC::WeakMapData::createStructure):

2014-06-17 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
​https://bugs.webkit.org/show_bug.cgi?id=134002

Reviewed by Mark Hahnenberg.

The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
of the structure if that structure was watchable.

Also kill PhantomPutStructure.

• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition): (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
• dfg/DFGClobberize.h: (JSC::DFG::clobberize):
• dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC):
• dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode):
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::visitChildren):
• dfg/DFGNode.h: (JSC::DFG::Node::hasTransition):
• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
• dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute):
• dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGStructureAbstractValue.cpp: (JSC::DFG::StructureAbstractValue::observeTransition): (JSC::DFG::StructureAbstractValue::observeTransitions):
• dfg/DFGValidate.cpp: (JSC::DFG::Validate::validate):
• dfg/DFGWatchableStructureWatchingPhase.cpp: (JSC::DFG::WatchableStructureWatchingPhase::run):
• ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile):
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.

2014-06-17 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
​https://bugs.webkit.org/show_bug.cgi?id=133964

Reviewed by Mark Hahnenberg.

• bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::appendVariant): (JSC::PutByIdStatus::computeForStubInfo):
• bytecode/PutByIdVariant.cpp: (JSC::PutByIdVariant::oldStructureForTransition): (JSC::PutByIdVariant::writesStructures): (JSC::PutByIdVariant::reallocatesStorage): (JSC::PutByIdVariant::attemptToMerge): (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): (JSC::PutByIdVariant::dumpInContext):
• bytecode/PutByIdVariant.h: (JSC::PutByIdVariant::PutByIdVariant): (JSC::PutByIdVariant::replace): (JSC::PutByIdVariant::transition): (JSC::PutByIdVariant::structure): (JSC::PutByIdVariant::oldStructure):
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handlePutById): (JSC::DFG::ByteCodeParser::parseBlock):
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::visitChildren):
• dfg/DFGNode.cpp: (JSC::DFG::MultiPutByOffsetData::writesStructures): (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
• ftl/FTLAbbreviations.h: (JSC::FTL::getLinkage):
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset): (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):

Source/WebCore:

2014-07-25 Mark Lam <​mark.lam@apple.com>

[ftlopt] Renamed DebuggerActivation to DebuggerScope.
<​https://webkit.org/b/134273>

Reviewed by Michael Saboff.

No new tests.

• ForwardingHeaders/debugger/DebuggerActivation.h: Removed.
• Removed because this is not used.

Source/WebKit/mac:

2014-07-25 Mark Lam <​mark.lam@apple.com>

[ftlopt] Renamed DebuggerActivation to DebuggerScope.
<​https://webkit.org/b/134273>

Reviewed by Michael Saboff.

• WebView/WebScriptDebugDelegate.mm:
• Removed unneeded #include.

LayoutTests:

2014-07-25 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
​https://bugs.webkit.org/show_bug.cgi?id=134090

Reviewed by Oliver Hunt.

• js/regress/fold-get-by-id-to-multi-get-by-offset-expected.txt: Added.
• js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int-expected.txt: Added.
• js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html: Added.
• js/regress/fold-get-by-id-to-multi-get-by-offset.html: Added.
• js/regress/fold-put-by-id-to-multi-put-by-offset-expected.txt: Added.
• js/regress/fold-put-by-id-to-multi-put-by-offset.html: Added.
• js/regress/script-tests/fold-get-by-id-to-multi-get-by-offset-rare-int.js: Added. (foo): (fu): (bar): (.bar): (Number):
• js/regress/script-tests/fold-get-by-id-to-multi-get-by-offset.js: Added. (foo): (fu): (bar): (.bar): (Number):
• js/regress/script-tests/fold-put-by-id-to-multi-put-by-offset.js: Added. (foo): (fu): (bar): (.bar):

2014-06-19 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] LICM should be able to hoist CheckStructure even if the loop clobbers structures so long as the structures being checked are watchable
​https://bugs.webkit.org/show_bug.cgi?id=134056

Unreviewed, just landing the test cases for this attempted optimization. The test cases
will still be valid once we find a smart way of doing this optimization.

• js/regress/hoist-poly-check-structure-effectful-loop-expected.txt: Added.
• js/regress/hoist-poly-check-structure-effectful-loop.html: Added.
• js/regress/hoist-poly-check-structure-expected.txt: Added.
• js/regress/hoist-poly-check-structure.html: Added.
• js/regress/script-tests/hoist-poly-check-structure-effectful-loop.js: Added. (foo): (test):
• js/regress/script-tests/hoist-poly-check-structure.js: Added. (foo): (test):

2014-06-18 Filip Pizlo <​fpizlo@apple.com>

DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
​https://bugs.webkit.org/show_bug.cgi?id=133918

Reviewed by Mark Hahnenberg.

• js/regress/fold-multi-get-by-offset-to-get-by-offset-expected.txt: Added.
• js/regress/fold-multi-get-by-offset-to-get-by-offset.html: Added.
• js/regress/fold-multi-get-by-offset-to-poly-get-by-offset-expected.txt: Added.
• js/regress/fold-multi-get-by-offset-to-poly-get-by-offset.html: Added.
• js/regress/fold-multi-put-by-offset-to-poly-put-by-offset-expected.txt: Added.
• js/regress/fold-multi-put-by-offset-to-poly-put-by-offset.html: Added.
• js/regress/fold-multi-put-by-offset-to-put-by-offset-expected.txt: Added.
• js/regress/fold-multi-put-by-offset-to-put-by-offset.html: Added.
• js/regress/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset-expected.txt: Added.
• js/regress/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset.html: Added.
• js/regress/fold-put-structure-expected.txt: Added.
• js/regress/fold-put-structure.html: Added.
• js/regress/script-tests/fold-multi-get-by-offset-to-get-by-offset.js: Added. (foo): (fu): (bar): (.bar):
• js/regress/script-tests/fold-multi-get-by-offset-to-poly-get-by-offset.js: Added. (foo): (fu): (bar): (.bar):
• js/regress/script-tests/fold-multi-put-by-offset-to-poly-put-by-offset.js: Added. (foo): (fu): (bar): (.bar):
• js/regress/script-tests/fold-multi-put-by-offset-to-put-by-offset.js: Added. (foo): (fu): (bar): (.bar):
• js/regress/script-tests/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset.js: Added. (foo): (fu): (bar): (.bar):
• js/regress/script-tests/fold-put-structure.js: Added. (foo): (fu): (bar): (.bar):

2014-06-17 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
​https://bugs.webkit.org/show_bug.cgi?id=133964

Reviewed by Mark Hahnenberg.

• js/regress/put-by-id-replace-and-transition-expected.txt: Added.
• js/regress/put-by-id-replace-and-transition.html: Added.
• js/regress/put-by-id-slightly-polymorphic-expected.txt: Added.
• js/regress/put-by-id-slightly-polymorphic.html: Added.
• js/regress/script-tests/put-by-id-replace-and-transition.js: Added.
• js/regress/script-tests/put-by-id-slightly-polymorphic.js: Added.

9:37 PM Changeset in webkit [171640] by Alan Bujtas

• 3 edits
  2 adds in trunk

Subpixel rendering: Rounded rect gets non-renderable at certain subpixel size.
​https://bugs.webkit.org/show_bug.cgi?id=135314
<rdar://problem/17812921>

Reviewed by Tim Horton.

While calculating the rounded rect for painting, the radius is adjusted to compensate
for the pixel snapped size. However while scaling the radius, certain values overflow
(float) mantissa and it produces a non-renderable rounded rect where the radius becomes bigger
than the rectangle dimensions. In such cases, we need to shrink the radius to make it
renderable again.

Source/WebCore:
Test: transitions/rounded-rect-becomes-non-renderable-while-transitioning.html

• platform/graphics/RoundedRect.cpp:

(WebCore::RoundedRect::pixelSnappedRoundedRectForPainting): shrink the radius by
one device pixel. It is as good as any other small value.

LayoutTests:

• transitions/rounded-rect-becomes-non-renderable-while-transitioning-expected.txt: Added.
• transitions/rounded-rect-becomes-non-renderable-while-transitioning.html: Added.

6:31 PM Changeset in webkit [171639] by fpizlo@apple.com

• 1 edit in trunk/Source/JavaScriptCore/ChangeLog

Unmessup the JavaScriptCore ChangeLog

6:08 PM Changeset in webkit [171638] by matthew_hanson@apple.com

• 18 edits
  2 copies in tags/Safari-600.1.3/Source/WebKit2

Rollout r171622. <rdar://problem/15917314>

5:50 PM Changeset in webkit [171637] by matthew_hanson@apple.com

• 18 edits
  2 deletes in branches/safari-600.1-branch/Source/WebKit2

Merge r171622. <rdar://problem/15917314>

5:46 PM Changeset in webkit [171636] by matthew_hanson@apple.com

• 18 edits
  2 deletes in tags/Safari-600.1.3/Source/WebKit2

Merge r171622. <rdar://problem/15917314>

5:43 PM Changeset in webkit [171635] by commit-queue@webkit.org

• 5 edits in trunk/Source

Parent fullscreen from window instead of view
​https://bugs.webkit.org/show_bug.cgi?id=135310

Patch by Jeremy Jones <​jeremyj@apple.com> on 2014-07-25
Reviewed by Jer Noble.

Parenting in the view causes an incorrect animation to fullscreen, and can cause
fullscreen to only expand to the size of the view instead of the whole window.

Source/WebKit/mac:

• WebView/WebView.mm:

(-[WebView _enterFullscreenForNode:]): Pass window instead of view.

Source/WebKit2:

• UIProcess/ios/WebVideoFullscreenManagerProxy.mm:

(WebKit::WebVideoFullscreenManagerProxy::setupFullscreenWithID): pass view's window.

• WebProcess/ios/WebVideoFullscreenManager.mm: screenRect instead of clientRect

(WebKit::screenRectForNode): was clientRectForNode
(WebKit::WebVideoFullscreenManager::enterFullscreenForNode): use screenRectForNode
(WebKit::WebVideoFullscreenManager::exitFullscreenForNode): ditto
(WebKit::clientRectForNode): Deleted.

4:55 PM Changeset in webkit [171634] by matthew_hanson@apple.com

• 2 edits in branches/safari-600.1-branch/Source/WebCore

Merge r171632. <rdar://problem/17817223>

4:53 PM Changeset in webkit [171633] by matthew_hanson@apple.com

• 2 edits in tags/Safari-600.1.3/Source/WebCore

Merge r171632. <rdar://problem/17817223>

4:37 PM Changeset in webkit [171632] by jer.noble@apple.com

• 2 edits in trunk/Source/WebCore

[EME][Mac] CDM error messages not piped through to MediaKeySession correctly; clients don't receive error events
​https://bugs.webkit.org/show_bug.cgi?id=135312
<rdar://problem/17817223>

Reviewed by Brent Fulgham.

Set (and clear) the client interface so that errors can be piped from the CDMSession up to the MediaKeySession.

• Modules/encryptedmedia/MediaKeySession.cpp:

(WebCore::MediaKeySession::MediaKeySession):
(WebCore::MediaKeySession::close):

4:36 PM Changeset in webkit [171631] by matthew_hanson@apple.com

• 2 edits in branches/safari-600.1-branch/Source/WebKit2

Merge r171629. <rdar://problem/17654369>

4:26 PM Changeset in webkit [171630] by matthew_hanson@apple.com

• 2 edits in tags/Safari-600.1.3/Source/WebKit2

Merge r171629. <rdar://problem/17654369>

4:17 PM Changeset in webkit [171629] by oliver@apple.com

• 2 edits in trunk/Source/WebKit2

Creating incorrect sandbox extension for hsts plist due to missing /
​https://bugs.webkit.org/show_bug.cgi?id=135309

Reviewed by Sam Weinig.

So it turns out that you do actually need /'s in paths...
Now we actually create the correct extension.

• UIProcess/mac/WebContextMac.mm:

(WebKit::WebContext::platformDefaultNetworkingHSTSDatabasePath):

4:02 PM Changeset in webkit [171628] by dino@apple.com

• 4 edits in branches/safari-600.1-branch/Source

Revert back to the Safari behavior from Mavericks and Mountain Lion
on this branch.
<rdar://problem/17800530>

Follow-up comment from Dan Bernstein.

WebKit:

• WebView/WebPreferences.mm: (+[WebPreferences initialize]): Make sure this only applies to Mavericks and Mountain Lion.

WebKit2:

• Shared/WebPreferencesDefinitions.h: Make sure this only applies to Mavericks and Mountain Lion.

3:57 PM Changeset in webkit [171627] by fpizlo@apple.com

• 3 edits in trunk/Source/JavaScriptCore

Add an option to disable native call inlining. Disable it for now to see how it
affects the bots.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleCall):

• runtime/Options.h:

3:52 PM Changeset in webkit [171626] by andersca@apple.com

• 9 edits
  1 copy in trunk

WKNavigation's properties are either always nil or don't behave as documented
​https://bugs.webkit.org/show_bug.cgi?id=135267
<rdar://problem/17730536>

Reviewed by Andreas Kling.

Source/WebKit2:
Remove the properties from WKNavigation and introduce -[WKNavigation _request] as SPI for now.

• Shared/API/Cocoa/WebKitPrivate.h:
• UIProcess/API/Cocoa/WKNavigation.h:
• UIProcess/API/Cocoa/WKNavigation.mm:

(-[WKNavigation _request]):
(-[WKNavigation initialRequest]): Deleted.
(-[WKNavigation request]): Deleted.
(-[WKNavigation setRequest:]): Deleted.
(-[WKNavigation response]): Deleted.
(-[WKNavigation error]): Deleted.

• UIProcess/API/Cocoa/WKNavigationInternal.h:
• UIProcess/API/Cocoa/WKNavigationPrivate.h: Copied from Source/WebKit2/UIProcess/API/Cocoa/WKNavigationInternal.h.
• UIProcess/Cocoa/NavigationState.mm:

(WebKit::NavigationState::createLoadRequestNavigation):

• WebKit2.xcodeproj/project.pbxproj:

Tools:

• TestWebKitAPI/Tests/WebKit2Cocoa/Navigation.mm:

(-[NavigationDelegate webView:didStartProvisionalNavigation:]):
(TEST):
(-[DidFailProvisionalNavigationDelegate webView:didStartProvisionalNavigation:]):
(-[DidFailProvisionalNavigationDelegate webView:didFailProvisionalNavigation:withError:]):

3:43 PM Changeset in webkit [171625] by fpizlo@apple.com

• 2 edits in trunk/Source/JavaScriptCore

Fix cloop.

• dfg/DFGMayExit.cpp:

3:39 PM Changeset in webkit [171624] by jer.noble@apple.com

• 8 edits
  2 adds in trunk

[MSE] Playback stalls & readyState drops to HAVE_CURRENT_DATA at end of stream with unbalanced buffered SourceBuffers
​https://bugs.webkit.org/show_bug.cgi?id=135291
<rdar://problem/17715503>

Reviewed by Sam Weinig.

Source/WebCore:
Test: media/media-source/media-source-end-of-stream-buffered.html

When determining the correct ReadyState for the MediaSource in monitorSourceBuffers(), use the same
definition of "buffered" as is used in the calculation of HTMLMediaElement.buffered and in the
Stream Ended algorithm. Namely, when the stream has ended, treat each SourceBuffer as if its last
buffered range extends to the duration of the stream. This allows playback to continue through to
the duration without stalling due to monitorSourceBuffers().

• Modules/mediasource/SourceBuffer.cpp:

(WebCore::SourceBuffer::bufferedAccountingForEndOfStream): Added; extends the last range in buffered

to MediaSource::duration() if the MediaSource is ended.

(WebCore::SourceBuffer::hasCurrentTime): Uses bufferedAccountingForEndOfStream().
(WebCore::SourceBuffer::hasFutureTime): Ditto.
(WebCore::SourceBuffer::canPlayThrough): Ditto.

• Modules/mediasource/SourceBuffer.h:

Add a convenience method for determining whether the MediaSource has ended:

• Modules/mediasource/MediaSource.cpp:

(WebCore::MediaSource::isEnded):

• Modules/mediasource/MediaSource.h:

Add start() and end() methods that don't take a (usually ignored) isValid inout parameter. Add duration()
and maximumBufferedTime() convenience methods:

• platform/graphics/PlatformTimeRanges.cpp:

(WebCore::PlatformTimeRanges::start):
(WebCore::PlatformTimeRanges::end):
(WebCore::PlatformTimeRanges::duration):
(WebCore::PlatformTimeRanges::maximumBufferedTime):

• platform/graphics/PlatformTimeRanges.h:

LayoutTests:

• media/media-source/media-source-end-of-stream-buffered-expected.txt: Added.
• media/media-source/media-source-end-of-stream-buffered.html: Added.

3:38 PM Changeset in webkit [171623] by commit-queue@webkit.org

• 2 edits in trunk/Tools

[GTK] install-dependencies needs to install perl-CGI on Fedora
​https://bugs.webkit.org/show_bug.cgi?id=135302

Patch by Michael Catanzaro <Michael Catanzaro> on 2014-07-25
Reviewed by Martin Robinson.

• gtk/install-dependencies:

Add perl-CGI to yum dependencies needed for tests

3:34 PM Changeset in webkit [171622] by beidson@apple.com

• 18 edits
  2 deletes in trunk/Source/WebKit2

Clean up WKOriginDataManager and get it messaging to the DatabaseProcess
​https://bugs.webkit.org/show_bug.cgi?id=135035

Reviewed by Sam Weinig.

• DatabaseProcess/DatabaseProcess.cpp:

(WebKit::DatabaseProcess::DatabaseProcess): Instantiate the WebOriginDataManager, installing its message handler.
(WebKit::DatabaseProcess::didReceiveMessage): Try the message receiver map, which will try the WebOriginDataManager.

• DatabaseProcess/DatabaseProcess.h:
• DatabaseProcess/DatabaseProcess.messages.in:

• UIProcess/API/C/WKOriginDataManager.cpp:

(WKOriginDataManagerDeleteEntriesForOrigin): Updated to also take a callback.
(WKOriginDataManagerDeleteEntriesModifiedBetweenDates): Added.
(WKOriginDataManagerDeleteAllEntries): Updated to also take a callback.
(WKOriginDataManagerStartObservingChanges): Deleted.
(WKOriginDataManagerStopObservingChanges): Deleted.
(WKOriginDataManagerSetChangeClient): Deleted.

• UIProcess/API/C/WKOriginDataManager.h:

• UIProcess/Databases/DatabaseProcessProxy.cpp:

(WebKit::DatabaseProcessProxy::didReceiveMessage): Send messages to the WebOriginDataManagerProxy supplement if appropriate.

• UIProcess/Databases/DatabaseProcessProxy.h:
• UIProcess/Databases/DatabaseProcessProxy.messages.in:

• UIProcess/WebContext.cpp:

(WebKit::WebContext::WebContext): Instantiate the WebOriginDataManagerProxy supplement.

• UIProcess/WebContext.h:

(WebKit::WebContext::sendToDatabaseProcessRelaunchingIfNecessary):

• UIProcess/WebOriginDataManagerProxy.cpp:

(WebKit::WebOriginDataManagerProxy::contextDestroyed):
(WebKit::WebOriginDataManagerProxy::processDidClose):
(WebKit::WebOriginDataManagerProxy::getOrigins):
(WebKit::WebOriginDataManagerProxy::deleteEntriesForOrigin): Setup a callback with the message.
(WebKit::WebOriginDataManagerProxy::deleteEntriesModifiedBetweenDates): Added
(WebKit::WebOriginDataManagerProxy::didDeleteEntries): Call the callback.
(WebKit::WebOriginDataManagerProxy::deleteAllEntries): Setup a callback with the message.
(WebKit::WebOriginDataManagerProxy::didDeleteAllEntries): Call the callback.
(WebKit::WebOriginDataManagerProxy::startObservingChanges): Deleted.
(WebKit::WebOriginDataManagerProxy::stopObservingChanges): Deleted.
(WebKit::WebOriginDataManagerProxy::setChangeClient): Deleted.
(WebKit::WebOriginDataManagerProxy::didChange): Deleted.

• UIProcess/WebOriginDataManagerProxy.h:
• UIProcess/WebOriginDataManagerProxy.messages.in:

• UIProcess/WebOriginDataManagerProxyChangeClient.cpp: Removed.
• UIProcess/WebOriginDataManagerProxyChangeClient.h: Removed.

• WebKit2.xcodeproj/project.pbxproj:

• WebProcess/OriginData/WebOriginDataManager.cpp:

(WebKit::WebOriginDataManager::deleteEntriesForOrigin): Send the callback reply.
(WebKit::WebOriginDataManager::deleteEntriesModifiedBetweenDates): Added.
(WebKit::WebOriginDataManager::deleteAllEntries): Send the callback reply.
(WebKit::WebOriginDataManager::startObservingChanges): Deleted.
(WebKit::WebOriginDataManager::stopObservingChanges): Deleted.

• WebProcess/OriginData/WebOriginDataManager.h:
• WebProcess/OriginData/WebOriginDataManager.messages.in:

3:08 PM Changeset in webkit [171621] by matthew_hanson@apple.com

• 2 edits in tags/Safari-600.1.3/Source/WebCore

Merge r171619. <rdar://problem/17811922>

3:05 PM Changeset in webkit [171620] by matthew_hanson@apple.com

• 2 edits in branches/safari-600.1-branch/Source/WebCore

Merge r171619. <rdar://problem/17811922>

2:53 PM Changeset in webkit [171619] by psolanki@apple.com

• 2 edits in trunk/Source/WebCore

[iOS] REGRESSION(r171526): Images fail to load sometimes
​https://bugs.webkit.org/show_bug.cgi?id=135304
<rdar://problem/17811922>

Reviewed by Alexey Proskuryakov.

SharedBuffer::createCFData() calls data() as a way to coalesce the data array elements and
segments into m_buffer. However, data() has an optimization where if we had a single element
in the data array, it would just return that and not do coalescing. So when we passed
m_buffer to WebCoreSharedData, we passed a buffer with no data in it.

Fix this by bringing the optimization to createCFData() and return the CFDataRef from the
data array if we just have a single element.

No new tests. Should be covered by existing tests.

• platform/mac/SharedBufferMac.mm:

(WebCore::SharedBuffer::createCFData):

2:49 PM Changeset in webkit [171618] by bshafiei@apple.com

• 5 edits in tags/Safari-600.1.2.2/Source

Versioning.

2:47 PM Changeset in webkit [171617] by bshafiei@apple.com

• 1 copy in tags/Safari-600.1.2.2

New tag.

2:35 PM Changeset in webkit [171616] by jer.noble@apple.com

• 4 edits in trunk/Source/WebCore

[MSE] High CPU usage in SampleMap::findSamplesWithinPresentationRange() with a large number of buffered samples.
​https://bugs.webkit.org/show_bug.cgi?id=135247

Reviewed by Geoffrey Garen.

Anchor our search for overlapping frames to the end of the search range when the overlap range is sufficiently
close to the end of the search range. The common case for this search is when a sample is about to be appended
to the end of the sample queue, so this should turn most searches into no-ops.

• Modules/mediasource/SampleMap.cpp:

(WebCore::PresentationOrderSampleMap::findSamplesWithinPresentationRangeFromEnd):

• Modules/mediasource/SampleMap.h:
• Modules/mediasource/SourceBuffer.cpp:

(WebCore::SourceBuffer::sourceBufferPrivateDidReceiveSample):

2:31 PM Changeset in webkit [171615] by barraclough@apple.com

• 14 edits in trunk/Source

Yosemite version number is 101000
​https://bugs.webkit.org/show_bug.cgi?id=135301

Reviewed by Sam Weinig.

Source/WebCore:

• WebCore.exp.in:
• platform/ContentFilter.h:
• platform/mac/ScrollViewMac.mm:

(WebCore::ScrollView::platformVisibleContentRect):

• platform/mac/ThemeMac.mm:

(WebCore::updateStates):
(WebCore::paintToggleButton):

• platform/network/cf/CookieJarCFNet.cpp:

(WebCore::copyCookiesForURLWithFirstPartyURL):

• platform/network/cf/ResourceRequest.h:

(WebCore::ResourceRequest::resourcePrioritiesEnabled):

• rendering/RenderThemeMac.mm:

(WebCore::RenderThemeMac::search):

Source/WebKit2:

• UIProcess/Launcher/mac/ProcessLauncherMac.mm:

(WebKit::connectToService):

• WebProcess/com.apple.WebProcess.sb.in:

Source/WTF:

• wtf/FeatureDefines.h:
• wtf/Platform.h:

2:26 PM Changeset in webkit [171614] by mhahnenberg@apple.com

• 35 edits
  2 deletes in branches/ftlopt/Source/JavaScriptCore

Remove JSPropertyNameIterator
​https://bugs.webkit.org/show_bug.cgi?id=135066

Reviewed by Geoffrey Garen.

It has been replaced by JSPropertyNameEnumerator.

• JavaScriptCore.order:
• bytecode/BytecodeBasicBlock.cpp:

(JSC::isBranch):

• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):

• bytecode/PreciseJumpTargets.cpp:

(JSC::getJumpTargetsForBytecodeOffset):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
(JSC::BytecodeGenerator::emitNextPropertyName): Deleted.

• bytecompiler/BytecodeGenerator.h:
• interpreter/Interpreter.cpp:
• interpreter/Register.h:
• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:
• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_get_pnames): Deleted.
(JSC::JIT::emit_op_next_pname): Deleted.

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_get_pnames): Deleted.
(JSC::JIT::emit_op_next_pname): Deleted.

• jit/JITOperations.cpp:
• jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_get_by_pname): Deleted.
(JSC::JIT::emitSlow_op_get_by_pname): Deleted.

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_get_by_pname): Deleted.
(JSC::JIT::emitSlow_op_get_by_pname): Deleted.

• llint/LLIntOffsetsExtractor.cpp:
• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.

• llint/LLIntSlowPaths.h:
• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonSlowPaths.cpp:
• runtime/JSPropertyNameIterator.cpp:

(JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
(JSC::JSPropertyNameIterator::create): Deleted.
(JSC::JSPropertyNameIterator::destroy): Deleted.
(JSC::JSPropertyNameIterator::get): Deleted.
(JSC::JSPropertyNameIterator::visitChildren): Deleted.

• runtime/JSPropertyNameIterator.h:

(JSC::JSPropertyNameIterator::createStructure): Deleted.
(JSC::JSPropertyNameIterator::size): Deleted.
(JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
(JSC::JSPropertyNameIterator::cachedStructure): Deleted.
(JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
(JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
(JSC::JSPropertyNameIterator::finishCreation): Deleted.
(JSC::Register::propertyNameIterator): Deleted.
(JSC::StructureRareData::enumerationCache): Deleted.
(JSC::StructureRareData::setEnumerationCache): Deleted.

• runtime/Structure.cpp:

(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):

• runtime/Structure.h:
• runtime/StructureInlines.h:

(JSC::Structure::setEnumerationCache): Deleted.
(JSC::Structure::enumerationCache): Deleted.

• runtime/StructureRareData.cpp:

(JSC::StructureRareData::visitChildren):

• runtime/StructureRareData.h:
• runtime/VM.cpp:

(JSC::VM::VM):

1:55 PM Changeset in webkit [171613] by fpizlo@apple.com

• 77 edits
  20 adds
  2 deletes in trunk

Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.

2014-06-17 Filip Pizlo <​fpizlo@apple.com>

Source/JavaScriptCore:

[ftlopt] Fold constant Phis
​https://bugs.webkit.org/show_bug.cgi?id=133967

Reviewed by Mark Hahnenberg.

It's surprising but we didn't really do this before. Or, rather, we only did it
incidentally when we would likely crash if it ever happened.

Making this work required cleaning up the validater a bit, so I did that too. I also added
mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
the Phi header of basic blocks). But this required beefing up mayExit() a bit.

• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGAdjacencyList.h: (JSC::DFG::AdjacencyList::isEmpty):
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::run): (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
• dfg/DFGInPlaceAbstractState.h:
• dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::run): (JSC::DFG::LICMPhase::attemptHoist):
• dfg/DFGMayExit.cpp: (JSC::DFG::mayExit):
• dfg/DFGValidate.cpp: (JSC::DFG::Validate::validate): (JSC::DFG::Validate::validateSSA):

2014-06-17 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
​https://bugs.webkit.org/show_bug.cgi?id=133985

Reviewed by Michael Saboff and Mark Hahnenberg.

Store elimination phase has never been very profitable, and now that LLVM can do dead
store elimination for us, this phase is just completely pointless.

This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
maintain.

This patch does introduce a new mayExit() calculator that is independent of the CFA and
should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
for assertions in the DFG backend, but we could use it if we ever brought back any of the
other optimizations that previously relied upon NodeDoesNotExit.

This is performance-neutral, except for SunSpider, where it's a speed-up.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGAbstractInterpreter.h: (JSC::DFG::AbstractInterpreter::filterEdgeByUse): (JSC::DFG::AbstractInterpreter::filterByType):
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting): (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::CSEPhase): (JSC::DFG::CSEPhase::invalidationPointElimination): (JSC::DFG::CSEPhase::setLocalStoreElimination): (JSC::DFG::CSEPhase::performNodeCSE): (JSC::DFG::CSEPhase::performBlockCSE): (JSC::DFG::performCSE): (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted. (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted. (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted. (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted. (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted. (JSC::DFG::performStoreElimination): Deleted.
• dfg/DFGCSEPhase.h:
• dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode):
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::resetExitStates): Deleted.
• dfg/DFGGraph.h:
• dfg/DFGMayExit.cpp: Added. (JSC::DFG::mayExit):
• dfg/DFGMayExit.h: Added.
• dfg/DFGNode.h: (JSC::DFG::Node::mergeFlags): (JSC::DFG::Node::filterFlags): (JSC::DFG::Node::setCanExit): Deleted. (JSC::DFG::Node::canExit): Deleted.
• dfg/DFGNodeFlags.cpp: (JSC::DFG::dumpNodeFlags):
• dfg/DFGNodeFlags.h:
• dfg/DFGNodeType.h:
• dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl):
• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution): (JSC::DFG::SpeculativeJIT::bail): (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
• dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):

2014-06-15 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
​https://bugs.webkit.org/show_bug.cgi?id=133931

Reviewed by Oliver Hunt.

• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
• dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.

2014-06-15 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
​https://bugs.webkit.org/show_bug.cgi?id=133935

Reviewed by Oliver Hunt.

• bytecode/Operands.h: (JSC::Operands::Operands): (JSC::Operands::ensureLocals):
• dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
• dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::makeFullTop): Completeness. (JSC::DFG::AbstractValue::bytecodeTop): Completeness. (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
• dfg/DFGBasicBlock.cpp: (JSC::DFG::BasicBlock::BasicBlock): (JSC::DFG::BasicBlock::ensureLocals):
• dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
• dfg/DFGCFAPhase.cpp: (JSC::DFG::CFAPhase::run): Compute the intersection.
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::dumpBlockHeader): Better dumping. (JSC::DFG::Graph::dump): Better dumping.
• dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.

2014-06-12 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
​https://bugs.webkit.org/show_bug.cgi?id=133821

Reviewed by Mark Hahnenberg.

This allows us to efficiently cache accesses that differ only in the prototypes on the path
from the base to the prototype that has the field.

It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
data structure.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/ConstantStructureCheck.cpp: Added. (JSC::ConstantStructureCheck::dumpInContext): (JSC::ConstantStructureCheck::dump): (JSC::structureFor): (JSC::areCompatible): (JSC::mergeInto):
• bytecode/ConstantStructureCheck.h: Added. (JSC::ConstantStructureCheck::ConstantStructureCheck): (JSC::ConstantStructureCheck::operator!): (JSC::ConstantStructureCheck::constant): (JSC::ConstantStructureCheck::structure):
• bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeForStubInfo):
• bytecode/GetByIdVariant.cpp: (JSC::GetByIdVariant::GetByIdVariant): (JSC::GetByIdVariant::operator=): (JSC::GetByIdVariant::attemptToMerge): (JSC::GetByIdVariant::dumpInContext):
• bytecode/GetByIdVariant.h: (JSC::GetByIdVariant::constantChecks): (JSC::GetByIdVariant::alternateBase): (JSC::GetByIdVariant::GetByIdVariant): Deleted. (JSC::GetByIdVariant::chain): Deleted.
• bytecode/PutByIdVariant.cpp: (JSC::PutByIdVariant::dumpInContext):
• bytecode/PutByIdVariant.h: (JSC::PutByIdVariant::transition): (JSC::PutByIdVariant::constantChecks): (JSC::PutByIdVariant::structureChain): Deleted.
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::emitChecks): (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::handlePutById): (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted. (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted. (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::emitGetByOffset): (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
• dfg/DFGDesiredStructureChains.cpp: Removed.
• dfg/DFGDesiredStructureChains.h: Removed.
• dfg/DFGGraph.h: (JSC::DFG::Graph::watchpoints): (JSC::DFG::Graph::chains): Deleted.
• dfg/DFGPlan.cpp: (JSC::DFG::Plan::isStillValid): (JSC::DFG::Plan::checkLivenessAndVisitChildren): (JSC::DFG::Plan::cancel):
• dfg/DFGPlan.h:
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
• runtime/IntendedStructureChain.cpp: (JSC::IntendedStructureChain::gatherChecks):
• runtime/IntendedStructureChain.h: (JSC::IntendedStructureChain::at): (JSC::IntendedStructureChain::operator[]):

2014-06-12 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] Constant folding and strength reduction should work in SSA
​https://bugs.webkit.org/show_bug.cgi?id=133839

Reviewed by Oliver Hunt.

• dfg/DFGAtTailAbstractState.cpp: (JSC::DFG::AtTailAbstractState::AtTailAbstractState): (JSC::DFG::AtTailAbstractState::forNode):
• dfg/DFGAtTailAbstractState.h:
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants):
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::convertToConstant):
• dfg/DFGIntegerCheckCombiningPhase.cpp: (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
• dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::LICMPhase):
• dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl):

2014-06-11 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
​https://bugs.webkit.org/show_bug.cgi?id=133751

Reviewed by Mark Hahnenberg.

• bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::appendVariant): (JSC::GetByIdStatus::computeForStubInfo):
• bytecode/GetByIdVariant.cpp: (JSC::GetByIdVariant::attemptToMerge):
• bytecode/GetByIdVariant.h:
• bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFor):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::emitPrototypeChecks): (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::handlePutById):
• runtime/IntendedStructureChain.cpp: (JSC::IntendedStructureChain::IntendedStructureChain): (JSC::IntendedStructureChain::isStillValid): (JSC::IntendedStructureChain::isNormalized): (JSC::IntendedStructureChain::terminalPrototype): (JSC::IntendedStructureChain::operator==): (JSC::IntendedStructureChain::visitChildren): (JSC::IntendedStructureChain::dumpInContext): (JSC::IntendedStructureChain::chain): Deleted.
• runtime/IntendedStructureChain.h: (JSC::IntendedStructureChain::prototype): (JSC::IntendedStructureChain::operator!=): (JSC::IntendedStructureChain::head): Deleted.

2014-06-11 Matthew Mirman <​mmirman@apple.com>

Readded native calling to the FTL and Split the DFG nodes
Call and Construct into NativeCall and NativeConstruct
to better represent their semantics.
​https://bugs.webkit.org/show_bug.cgi?id=133660

Reviewed by Filip Pizlo.

• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Added NativeCall and NativeConstruct case
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::addCall): added NativeCall case. (JSC::DFG::ByteCodeParser::handleCall): set to return NativeCall or NativeConstruct instead of Call or Construct in the presence of a native function.
• dfg/DFGClobberize.h: (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
• dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
• dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
• dfg/DFGNode.h: (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case. (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct. (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
• dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
• dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
• dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
• dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): ditto (JSC::DFG::SpeculativeJIT::compile): ditto
• dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): ditto (JSC::DFG::SpeculativeJIT::compile): ditto
• ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): ditto
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::lower): ditto (JSC::FTL::LowerDFGToLLVM::compileNode): ditto. (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added. (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality. (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
• runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.

2014-06-11 Matthew Mirman <​mmirman@apple.com>

Ensured Native Calls and Construct and associated checks
are only emitted during ftl mode.
​https://bugs.webkit.org/show_bug.cgi?id=133718

Reviewed by Filip Pizlo.

• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode before attaching the native function to Call or Construct.

2014-06-10 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
​https://bugs.webkit.org/show_bug.cgi?id=133426

Reviewed by Geoffrey Garen.

The impetus for this was to provide some sense and reason to race conditions arising from
cell constants having their structure changed on the main thread - this is harmess because
we defend against it, but when it goes wrong, it can be difficult to reproduce because it
requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.

But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
about constants. It no longer relies on the CodeBlock constant pool at all, which allows
for a more object-oriented approach: for example a Node that has a constant can tell you
what constant it has without needing a CodeBlock.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeExitSiteData):
• bytecode/ExitKind.cpp: (JSC::exitKindToString): (JSC::exitKindIsCountable):
• bytecode/ExitKind.h: (JSC::isWatchpoint): Deleted.
• bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::hasExitSite):
• bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::hasExitSite):
• dfg/DFGAbstractInterpreter.h: (JSC::DFG::AbstractInterpreter::filterByValue): (JSC::DFG::AbstractInterpreter::setBuiltInConstant): (JSC::DFG::AbstractInterpreter::setConstant):
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
• dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::setOSREntryValue): (JSC::DFG::AbstractValue::set): (JSC::DFG::AbstractValue::filterByValue): (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
• dfg/DFGAbstractValue.h:
• dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run):
• dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::isNotNegZero): (JSC::DFG::BackwardsPropagationPhase::isNotPosZero): (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant): (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::ByteCodeParser): (JSC::DFG::ByteCodeParser::getDirect): (JSC::DFG::ByteCodeParser::get): (JSC::DFG::ByteCodeParser::getLocal): (JSC::DFG::ByteCodeParser::setLocal): (JSC::DFG::ByteCodeParser::setArgument): (JSC::DFG::ByteCodeParser::jsConstant): (JSC::DFG::ByteCodeParser::weakJSConstant): (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand): (JSC::DFG::ByteCodeParser::handleCall): (JSC::DFG::ByteCodeParser::emitFunctionChecks): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::handleMinMax): (JSC::DFG::ByteCodeParser::handleIntrinsic): (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::prepareToParseBlock): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): (JSC::DFG::ByteCodeParser::parseCodeBlock): (JSC::DFG::ByteCodeParser::addConstant): Deleted. (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted. (JSC::DFG::ByteCodeParser::getJSConstant): Deleted. (JSC::DFG::ByteCodeParser::isJSConstant): Deleted. (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted. (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted. (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted. (JSC::DFG::ByteCodeParser::constantUndefined): Deleted. (JSC::DFG::ByteCodeParser::constantNull): Deleted. (JSC::DFG::ByteCodeParser::one): Deleted. (JSC::DFG::ByteCodeParser::constantNaN): Deleted. (JSC::DFG::ByteCodeParser::cellConstant): Deleted. (JSC::DFG::ByteCodeParser::inferredConstant): Deleted. (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
• dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::run):
• dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::constantCSE): (JSC::DFG::CSEPhase::checkFunctionElimination): (JSC::DFG::CSEPhase::performNodeCSE): (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
• dfg/DFGClobberize.h: (JSC::DFG::clobberize):
• dfg/DFGCommon.h:
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::emitGetByOffset): (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
• dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC):
• dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixupMakeRope): (JSC::DFG::FixupPhase::truncateConstantToInt32): (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength): (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
• dfg/DFGFrozenValue.cpp: Added. (JSC::DFG::FrozenValue::emptySingleton): (JSC::DFG::FrozenValue::dumpInContext): (JSC::DFG::FrozenValue::dump):
• dfg/DFGFrozenValue.h: Added. (JSC::DFG::FrozenValue::FrozenValue): (JSC::DFG::FrozenValue::operator!): (JSC::DFG::FrozenValue::value): (JSC::DFG::FrozenValue::structure): (JSC::DFG::FrozenValue::strengthenTo): (JSC::DFG::FrozenValue::strength): (JSC::DFG::FrozenValue::freeze):
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::Graph): (JSC::DFG::Graph::dump): (JSC::DFG::Graph::tryGetActivation): (JSC::DFG::Graph::tryGetFoldableView): (JSC::DFG::Graph::registerFrozenValues): (JSC::DFG::Graph::visitChildren): (JSC::DFG::Graph::freezeFragile): (JSC::DFG::Graph::freeze): (JSC::DFG::Graph::freezeStrong): (JSC::DFG::Graph::convertToConstant): (JSC::DFG::Graph::convertToStrongConstant): (JSC::DFG::Graph::assertIsWatched):
• dfg/DFGGraph.h: (JSC::DFG::Graph::addImmediateShouldSpeculateInt32): (JSC::DFG::Graph::convertToConstant): Deleted. (JSC::DFG::Graph::constantRegisterForConstant): Deleted. (JSC::DFG::Graph::getJSConstantSpeculation): Deleted. (JSC::DFG::Graph::isConstant): Deleted. (JSC::DFG::Graph::isJSConstant): Deleted. (JSC::DFG::Graph::isInt32Constant): Deleted. (JSC::DFG::Graph::isDoubleConstant): Deleted. (JSC::DFG::Graph::isNumberConstant): Deleted. (JSC::DFG::Graph::isBooleanConstant): Deleted. (JSC::DFG::Graph::isCellConstant): Deleted. (JSC::DFG::Graph::isFunctionConstant): Deleted. (JSC::DFG::Graph::isInternalFunctionConstant): Deleted. (JSC::DFG::Graph::valueOfJSConstant): Deleted. (JSC::DFG::Graph::valueOfInt32Constant): Deleted. (JSC::DFG::Graph::valueOfNumberConstant): Deleted. (JSC::DFG::Graph::valueOfBooleanConstant): Deleted. (JSC::DFG::Graph::valueOfFunctionConstant): Deleted. (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
• dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::initialize):
• dfg/DFGInsertionSet.h: (JSC::DFG::InsertionSet::insertConstant): (JSC::DFG::InsertionSet::insertConstantForUse):
• dfg/DFGIntegerCheckCombiningPhase.cpp: (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
• dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link):
• dfg/DFGLazyJSValue.cpp: (JSC::DFG::LazyJSValue::getValue): (JSC::DFG::LazyJSValue::strictEqual): (JSC::DFG::LazyJSValue::dumpInContext):
• dfg/DFGLazyJSValue.h: (JSC::DFG::LazyJSValue::LazyJSValue): (JSC::DFG::LazyJSValue::tryGetValue): (JSC::DFG::LazyJSValue::value): (JSC::DFG::LazyJSValue::switchLookupValue):
• dfg/DFGMinifiedNode.cpp: (JSC::DFG::MinifiedNode::fromNode):
• dfg/DFGMinifiedNode.h: (JSC::DFG::belongsInMinifiedGraph): (JSC::DFG::MinifiedNode::hasConstant): (JSC::DFG::MinifiedNode::constant): (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted. (JSC::DFG::MinifiedNode::constantNumber): Deleted. (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted. (JSC::DFG::MinifiedNode::weakConstant): Deleted.
• dfg/DFGNode.h: (JSC::DFG::Node::hasConstant): (JSC::DFG::Node::constant): (JSC::DFG::Node::convertToConstant): (JSC::DFG::Node::asJSValue): (JSC::DFG::Node::isInt32Constant): (JSC::DFG::Node::asInt32): (JSC::DFG::Node::asUInt32): (JSC::DFG::Node::isDoubleConstant): (JSC::DFG::Node::isNumberConstant): (JSC::DFG::Node::asNumber): (JSC::DFG::Node::isMachineIntConstant): (JSC::DFG::Node::asMachineInt): (JSC::DFG::Node::isBooleanConstant): (JSC::DFG::Node::asBoolean): (JSC::DFG::Node::isCellConstant): (JSC::DFG::Node::asCell): (JSC::DFG::Node::dynamicCastConstant): (JSC::DFG::Node::function): (JSC::DFG::Node::isWeakConstant): Deleted. (JSC::DFG::Node::constantNumber): Deleted. (JSC::DFG::Node::convertToWeakConstant): Deleted. (JSC::DFG::Node::weakConstant): Deleted. (JSC::DFG::Node::valueOfJSConstant): Deleted.
• dfg/DFGNodeType.h:
• dfg/DFGOSRExitCompiler.cpp:
• dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
• dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute):
• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR): (JSC::DFG::SpeculativeJIT::silentFill): (JSC::DFG::SpeculativeJIT::compileIn): (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch): (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch): (JSC::DFG::SpeculativeJIT::compileCurrentBlock): (JSC::DFG::SpeculativeJIT::compileDoubleRep): (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds): (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): (JSC::DFG::SpeculativeJIT::compileAdd): (JSC::DFG::SpeculativeJIT::compileArithSub): (JSC::DFG::SpeculativeJIT::compileArithMod):
• dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64): (JSC::DFG::SpeculativeJIT::initConstantInfo): (JSC::DFG::SpeculativeJIT::isConstant): Deleted. (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted. (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted. (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted. (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted. (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted. (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted. (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted. (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted. (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted. (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted. (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted. (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted. (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted. (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
• dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGStrengthReductionPhase.cpp: (JSC::DFG::StrengthReductionPhase::handleNode):
• dfg/DFGValidate.cpp: (JSC::DFG::Validate::validate):
• dfg/DFGValueStrength.cpp: Added. (WTF::printInternal):
• dfg/DFGValueStrength.h: Added. (JSC::DFG::merge):
• dfg/DFGVariableEventStream.cpp: (JSC::DFG::VariableEventStream::tryToSetConstantRecovery): (JSC::DFG::VariableEventStream::reconstruct):
• dfg/DFGVariableEventStream.h:
• dfg/DFGWatchableStructureWatchingPhase.cpp: (JSC::DFG::WatchableStructureWatchingPhase::run): (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
• dfg/DFGWatchpointCollectionPhase.cpp: (JSC::DFG::WatchpointCollectionPhase::handle):
• ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile):
• ftl/FTLLink.cpp: (JSC::FTL::link):
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant): (JSC::FTL::LowerDFGToLLVM::compileInt52Constant): (JSC::FTL::LowerDFGToLLVM::compileCheckStructure): (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant): (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant): (JSC::FTL::LowerDFGToLLVM::lowInt32): (JSC::FTL::LowerDFGToLLVM::lowCell): (JSC::FTL::LowerDFGToLLVM::lowBoolean): (JSC::FTL::LowerDFGToLLVM::lowJSValue): (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
• ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub):
• runtime/JSCJSValue.cpp: (JSC::JSValue::dumpInContext): (JSC::JSValue::dumpInContextAssumingStructure):
• runtime/JSCJSValue.h:

LayoutTests:

[ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
​https://bugs.webkit.org/show_bug.cgi?id=133821

Reviewed by Mark Hahnenberg.

• js/regress/poly-chain-access-different-prototypes-expected.txt: Added.
• js/regress/poly-chain-access-different-prototypes-simple-expected.txt: Added.
• js/regress/poly-chain-access-different-prototypes-simple.html: Added.
• js/regress/poly-chain-access-different-prototypes.html: Added.
• js/regress/script-tests/poly-chain-access-different-prototypes-simple.js: Added.
• js/regress/script-tests/poly-chain-access-different-prototypes.js: Added.

2014-06-11 Filip Pizlo <​fpizlo@apple.com>

[ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
​https://bugs.webkit.org/show_bug.cgi?id=133751

Reviewed by Mark Hahnenberg.

• js/regress/poly-chain-access-expected.txt: Added.
• js/regress/poly-chain-access-simpler-expected.txt: Added.
• js/regress/poly-chain-access-simpler.html: Added.
• js/regress/poly-chain-access.html: Added.
• js/regress/script-tests/poly-chain-access-simpler.js: Added.
• js/regress/script-tests/poly-chain-access.js: Added.

1:37 PM Changeset in webkit [171612] by dino@apple.com

• 4 edits in branches/safari-600.1-branch/Source

Revert back to the Safari behavior from Mavericks and Mountain Lion
on this branch.
<rdar://problem/17800530>

Reviewed by Ricky Mondello.

WebKit:

• WebView/WebPreferences.mm: (+[WebPreferences initialize]): Set WebGL preference default to off.

WebKit2:

• Shared/WebPreferencesDefinitions.h: Set WebGL preference default to off.

1:26 PM Changeset in webkit [171611] by mhahnenberg@apple.com

• 8 edits in branches/ftlopt/Source/JavaScriptCore

Fix 32-bit build breakage for type profiling
​https://bugs.webkit.org/process_bug.cgi

Patch by Saam Barati <​sbarati@apple.com> on 2014-07-25
Reviewed by Mark Hahnenberg.

32-bit builds currently break because global variable IDs for high
fidelity type profiling are int64_t. Change this to intptr_t so that
it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::scopeDependentProfile):

• bytecode/TypeLocation.h:
• runtime/SymbolTable.cpp:

(JSC::SymbolTable::uniqueIDForVariable):
(JSC::SymbolTable::uniqueIDForRegister):

• runtime/SymbolTable.h:
• runtime/TypeLocationCache.cpp:

(JSC::TypeLocationCache::getTypeLocation):

• runtime/TypeLocationCache.h:
• runtime/VM.h:

(JSC::VM::getNextUniqueVariableID):

1:07 PM Changeset in webkit [171610] by commit-queue@webkit.org

• 6 edits in trunk/Source/ThirdParty/ANGLE

[Win][ANGLE] Enable D3D11.
​https://bugs.webkit.org/show_bug.cgi?id=135296

Patch by ​peavo@outlook.com <​peavo@outlook.com> on 2014-07-25
Reviewed by Alex Christensen.

Direct3D 11 is not enabled on Windows.

• ANGLE.vcxproj/libGLESv2.vcxproj: Added files.
• ANGLE.vcxproj/libGLESv2.vcxproj.filters: Ditto.
• ANGLE.vcxproj/libGLESv2Common.props: Enable D3D11.
• src/libGLESv2/precompiled.h: Header file does not exist, avoid include.
• changes.diff: Updated diff.

12:39 PM Changeset in webkit [171609] by hyatt@apple.com

• 3 edits
  3 adds in trunk

[New Multicolumn] RenderViews paginated as RL or LR don't handle percentage widths correctly.
REGRESSION: Images don’t scale to fit in page in vertical text books

​https://bugs.webkit.org/show_bug.cgi?id=135204

Source/WebCore:
<rdar://problem/17043792>

Reviewed by Simon Fraser.

Added fast/multicol/pagination/RightToLeft-max-width.html

• rendering/RenderView.cpp:

(WebCore::RenderView::availableLogicalHeight):
Put back in the same code that used to exist for the old columns (but ported to the new
columns).

LayoutTests:
<rdar://problem/17043792>

Reviewed by Simon Fraser.

• fast/multicol/newmulticol/compare-with-old-impl/overflow-content-expected.html: Removed.
• fast/multicol/newmulticol/compare-with-old-impl/overflow-content.html: Removed.
• fast/multicol/pagination/RightToLeft-max-width.html: Added.
• platform/mac/fast/multicol/pagination/RightToLeft-max-width-expected.png: Added.
• platform/mac/fast/multicol/pagination/RightToLeft-max-width-expected.txt: Added.

12:08 PM Changeset in webkit [171608] by mitz@apple.com

• 2 edits in trunk/Source/WebCore

[Mac] Unneeded MobileMe workaround in ResourceHandle::receivedCredential
​https://bugs.webkit.org/show_bug.cgi?id=135297

Reviewed by Alexey Proskuryakov.

• platform/network/mac/ResourceHandleMac.mm:

(WebCore::ResourceHandle::receivedCredential): Removed the site-specific behavior for
gallery.me.com.

12:07 PM Changeset in webkit [171607] by commit-queue@webkit.org

• 4 edits
  8 deletes in trunk

Unreviewed, rolling out r171480.
​https://bugs.webkit.org/show_bug.cgi?id=135300

it broke replaced elements in pagination (Requested by dhyatt_
on #webkit).

Reverted changeset:

"Ensure we compute the min and max height of replaced elements
to 'none' or 0 when appropriate."
​https://bugs.webkit.org/show_bug.cgi?id=135181
​http://trac.webkit.org/changeset/171480

12:04 PM Changeset in webkit [171606] by mhahnenberg@apple.com

• 2 edits in branches/ftlopt/Source/JavaScriptCore

Reindent PropertyNameArray.h
​https://bugs.webkit.org/show_bug.cgi?id=135067

Reviewed by Geoffrey Garen.

• runtime/PropertyNameArray.h:

(JSC::RefCountedIdentifierSet::contains):
(JSC::RefCountedIdentifierSet::size):
(JSC::RefCountedIdentifierSet::add):
(JSC::PropertyNameArrayData::create):
(JSC::PropertyNameArrayData::propertyNameVector):
(JSC::PropertyNameArrayData::PropertyNameArrayData):
(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::vm):
(JSC::PropertyNameArray::add):
(JSC::PropertyNameArray::addKnownUnique):
(JSC::PropertyNameArray::operator[]):
(JSC::PropertyNameArray::setData):
(JSC::PropertyNameArray::data):
(JSC::PropertyNameArray::releaseData):
(JSC::PropertyNameArray::identifierSet):
(JSC::PropertyNameArray::canAddKnownUniqueForStructure):
(JSC::PropertyNameArray::size):
(JSC::PropertyNameArray::begin):
(JSC::PropertyNameArray::end):
(JSC::PropertyNameArray::numCacheableSlots):
(JSC::PropertyNameArray::setNumCacheableSlotsForObject):
(JSC::PropertyNameArray::setBaseObject):
(JSC::PropertyNameArray::setPreviouslyEnumeratedLength):

11:46 AM Changeset in webkit [171605] by mhahnenberg@apple.com

• 71 edits
  12 adds in branches/ftlopt/Source

Refactor our current implementation of for-in
​https://bugs.webkit.org/show_bug.cgi?id=134142

Reviewed by Filip Pizlo.

Source/JavaScriptCore:
This patch splits for-in loops into three distinct parts:

• Iterating over the indexed properties in the base object.
• Iterating over the Structure properties in the base object.
• Iterating over any other enumerable properties for that object and any objects in the prototype chain.

It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
support the various operations required for each loop.

• API/JSCallbackObjectFunctions.h:

(JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):

• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

• bytecode/CallLinkStatus.h:

(JSC::CallLinkStatus::CallLinkStatus):

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::emitComplexPopScopes):
(JSC::BytecodeGenerator::emitGetEnumerableLength):
(JSC::BytecodeGenerator::emitHasGenericProperty):
(JSC::BytecodeGenerator::emitHasIndexedProperty):
(JSC::BytecodeGenerator::emitHasStructureProperty):
(JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
(JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
(JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
(JSC::BytecodeGenerator::emitToIndexString):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::popIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):
(JSC::BytecodeGenerator::popStructureForInScope):
(JSC::BytecodeGenerator::invalidateForInContextForLocal):

• bytecompiler/BytecodeGenerator.h:

(JSC::ForInContext::ForInContext):
(JSC::ForInContext::~ForInContext):
(JSC::ForInContext::isValid):
(JSC::ForInContext::invalidate):
(JSC::ForInContext::local):
(JSC::StructureForInContext::StructureForInContext):
(JSC::StructureForInContext::type):
(JSC::StructureForInContext::index):
(JSC::StructureForInContext::property):
(JSC::StructureForInContext::enumerator):
(JSC::IndexedForInContext::IndexedForInContext):
(JSC::IndexedForInContext::type):
(JSC::IndexedForInContext::index):
(JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
(JSC::BytecodeGenerator::popOptimisedForIn): Deleted.

• bytecompiler/NodesCodegen.cpp:

(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ForInNode::tryGetBoundLocal):
(JSC::ForInNode::emitLoopHeader):
(JSC::ForInNode::emitMultiLoopBytecode):
(JSC::ForInNode::emitBytecode):

• debugger/DebuggerScope.h:
• dfg/DFGAbstractHeap.h:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGHeapLocation.cpp:

(WTF::printInternal):

• dfg/DFGHeapLocation.h:
• dfg/DFGNode.h:

(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasArrayMode):

• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:

(JSC::JIT::compileHasIndexedProperty):
(JSC::JIT::emitInt32Load):

• jit/JITInlines.h:

(JSC::JIT::emitDoubleGetByVal):
(JSC::JIT::emitLoadForArrayMode):
(JSC::JIT::emitContiguousGetByVal):
(JSC::JIT::emitArrayStorageGetByVal):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_get_enumerable_length):
(JSC::JIT::emit_op_has_structure_property):
(JSC::JIT::emitSlow_op_has_structure_property):
(JSC::JIT::emit_op_has_generic_property):
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emit_op_has_indexed_property):
(JSC::JIT::emitSlow_op_has_indexed_property):
(JSC::JIT::emit_op_get_direct_pname):
(JSC::JIT::emitSlow_op_get_direct_pname):
(JSC::JIT::emit_op_get_structure_property_enumerator):
(JSC::JIT::emit_op_get_generic_property_enumerator):
(JSC::JIT::emit_op_next_enumerator_pname):
(JSC::JIT::emit_op_to_index_string):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_get_enumerable_length):
(JSC::JIT::emit_op_has_structure_property):
(JSC::JIT::emitSlow_op_has_structure_property):
(JSC::JIT::emit_op_has_generic_property):
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emit_op_has_indexed_property):
(JSC::JIT::emitSlow_op_has_indexed_property):
(JSC::JIT::emit_op_get_direct_pname):
(JSC::JIT::emitSlow_op_get_direct_pname):
(JSC::JIT::emit_op_get_structure_property_enumerator):
(JSC::JIT::emit_op_get_generic_property_enumerator):
(JSC::JIT::emit_op_next_enumerator_pname):
(JSC::JIT::emit_op_to_index_string):

• jit/JITOperations.cpp:
• jit/JITOperations.h:
• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitDoubleGetByVal): Deleted.
(JSC::JIT::emitContiguousGetByVal): Deleted.
(JSC::JIT::emitArrayStorageGetByVal): Deleted.

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitContiguousGetByVal): Deleted.
(JSC::JIT::emitDoubleGetByVal): Deleted.
(JSC::JIT::emitArrayStorageGetByVal): Deleted.

• llint/LowLevelInterpreter.asm:
• parser/Nodes.h:
• runtime/Arguments.cpp:

(JSC::Arguments::getOwnPropertyNames):

• runtime/ClassInfo.h:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/CommonSlowPaths.h:
• runtime/EnumerationMode.h: Added.

(JSC::shouldIncludeDontEnumProperties):
(JSC::shouldExcludeDontEnumProperties):
(JSC::shouldIncludeJSObjectPropertyNames):
(JSC::modeThatSkipsJSObject):

• runtime/JSActivation.cpp:

(JSC::JSActivation::getOwnNonIndexPropertyNames):

• runtime/JSArray.cpp:

(JSC::JSArray::getOwnNonIndexPropertyNames):

• runtime/JSArrayBuffer.cpp:

(JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):

• runtime/JSArrayBufferView.cpp:

(JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):

• runtime/JSCell.cpp:

(JSC::JSCell::getEnumerableLength):
(JSC::JSCell::getStructurePropertyNames):
(JSC::JSCell::getGenericPropertyNames):

• runtime/JSCell.h:
• runtime/JSFunction.cpp:

(JSC::JSFunction::getOwnNonIndexPropertyNames):

• runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):

• runtime/JSObject.cpp:

(JSC::getClassPropertyNames):
(JSC::JSObject::hasOwnProperty):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::getOwnNonIndexPropertyNames):
(JSC::JSObject::getEnumerableLength):
(JSC::JSObject::getStructurePropertyNames):
(JSC::JSObject::getGenericPropertyNames):

• runtime/JSObject.h:
• runtime/JSPropertyNameEnumerator.cpp: Added.

(JSC::JSPropertyNameEnumerator::create):
(JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
(JSC::JSPropertyNameEnumerator::finishCreation):
(JSC::JSPropertyNameEnumerator::destroy):
(JSC::JSPropertyNameEnumerator::visitChildren):

• runtime/JSPropertyNameEnumerator.h: Added.

(JSC::JSPropertyNameEnumerator::createStructure):
(JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
(JSC::JSPropertyNameEnumerator::identifierSet):
(JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
(JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
(JSC::JSPropertyNameEnumerator::cachedStructure):
(JSC::JSPropertyNameEnumerator::cachedStructureID):
(JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
(JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
(JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
(JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
(JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
(JSC::structurePropertyNameEnumerator):
(JSC::genericPropertyNameEnumerator):

• runtime/JSProxy.cpp:

(JSC::JSProxy::getEnumerableLength):
(JSC::JSProxy::getStructurePropertyNames):
(JSC::JSProxy::getGenericPropertyNames):

• runtime/JSProxy.h:
• runtime/JSSymbolTableObject.cpp:

(JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):

• runtime/PropertyNameArray.cpp:

(JSC::PropertyNameArray::add):
(JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):

• runtime/PropertyNameArray.h:

(JSC::RefCountedIdentifierSet::contains):
(JSC::RefCountedIdentifierSet::size):
(JSC::RefCountedIdentifierSet::add):
(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::add):
(JSC::PropertyNameArray::addKnownUnique):
(JSC::PropertyNameArray::identifierSet):
(JSC::PropertyNameArray::canAddKnownUniqueForStructure):
(JSC::PropertyNameArray::setPreviouslyEnumeratedLength):

• runtime/RegExpObject.cpp:

(JSC::RegExpObject::getOwnNonIndexPropertyNames):
(JSC::RegExpObject::getPropertyNames):
(JSC::RegExpObject::getGenericPropertyNames):

• runtime/RegExpObject.h:
• runtime/StringObject.cpp:

(JSC::StringObject::getOwnPropertyNames):

• runtime/Structure.cpp:

(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::setCachedStructurePropertyNameEnumerator):
(JSC::Structure::cachedStructurePropertyNameEnumerator):
(JSC::Structure::setCachedGenericPropertyNameEnumerator):
(JSC::Structure::cachedGenericPropertyNameEnumerator):
(JSC::Structure::canCacheStructurePropertyNameEnumerator):
(JSC::Structure::canCacheGenericPropertyNameEnumerator):
(JSC::Structure::canAccessPropertiesQuickly):

• runtime/Structure.h:
• runtime/StructureRareData.cpp:

(JSC::StructureRareData::visitChildren):
(JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
(JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
(JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
(JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):

• runtime/StructureRareData.h:
• runtime/VM.cpp:

(JSC::VM::VM):

• runtime/VM.h:

Source/WebCore:
No new tests.

This patch splits for-in loops into three distinct parts:

• Iterating over the indexed properties in the base object.
• Iterating over the Structure properties in the base object.
• Iterating over any other enumerable properties for that object and any objects in the prototype chain.

It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
support the various operations required for each loop.

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::getEnumerableLength):
(WebCore::JSDOMWindow::getStructurePropertyNames):
(WebCore::JSDOMWindow::getGenericPropertyNames):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):

• bridge/runtime_array.cpp:

(JSC::RuntimeArray::getOwnPropertyNames):

Source/WebKit2:

• WebProcess/Plugins/Netscape/JSNPObject.cpp:

(WebKit::JSNPObject::invalidate): Fixed an invalid ASSERT that was crashing in debug builds.

10:53 AM Changeset in webkit [171604] by Lucas Forschler

• 2 edits in branches/safari-600.1-branch/Source/JavaScriptCore

Merged r171578. <rdar://problem/17811466>

10:52 AM Changeset in webkit [171603] by Lucas Forschler

• 2 edits in tags/Safari-600.1.3/Source/JavaScriptCore

Merged r171578. <rdar://problem/17811466>

10:50 AM Changeset in webkit [171602] by Lucas Forschler

• 2 edits in tags/Safari-600.1.2.1/Source/JavaScriptCore

Merged r171578. <rdar://problem/17805592>

10:39 AM Changeset in webkit [171601] by commit-queue@webkit.org

• 8 edits
  2 deletes in trunk

Unreviewed, rolling out r171587.
​https://bugs.webkit.org/show_bug.cgi?id=135294

Made fast/dom/HTMLObjectElement/beforeload-set-text-
crash.xhtml crash again (Requested by ap on #webkit).

Reverted changeset:

"REGRESSION (r169105): Crash in selection"
​https://bugs.webkit.org/show_bug.cgi?id=134303
​http://trac.webkit.org/changeset/171587

9:41 AM Changeset in webkit [171600] by mitz@apple.com

• 4 edits in trunk/Source/WebCore

ResourceErrorBase::compare doesn’t call the right platformCompare override
​https://bugs.webkit.org/show_bug.cgi?id=135240

Reviewed by Alexey Proskuryakov.

• platform/network/ResourceErrorBase.cpp:

(WebCore::ResourceErrorBase::compare): Changed to call ResourceError::platformCompare.

• platform/network/cf/ResourceError.h: Made platformCompare public.
• platform/network/soup/ResourceError.h: Ditto.

9:39 AM Changeset in webkit [171599] by mitz@apple.com

• 4 edits in trunk/Source/WebCore

[Cocoa] WebProtectionSpace::receivesCredentialSecurely incorrectly returns false in some cases
​https://bugs.webkit.org/show_bug.cgi?id=135241

Reviewed by Alexey Proskuryakov.

• WebCore.exp.in: Export ProtectionSpace::receivesCredentialSecurely.

• platform/network/cocoa/ProtectionSpaceCocoa.h: Declare override of receivesCredentialSecurely.
• platform/network/cocoa/ProtectionSpaceCocoa.mm:

(WebCore::ProtectionSpace::receivesCredentialSecurely): Use -[NSURLProtectionSpace receivesCredentialSecurely].

9:18 AM Changeset in webkit [171598] by commit-queue@webkit.org

• 3 edits in trunk

[GTK] CMake tries to install JavaScriptCore-3.0.gir outside of install prefix
​https://bugs.webkit.org/show_bug.cgi?id=135288

Patch by Michael Catanzaro <Michael Catanzaro> on 2014-07-25
Reviewed by Martin Robinson.

• Source/cmake/FindGObjectIntrospection.cmake: pass correct libdir and

datadir to pkgconfig

• Source/cmake/OptionsGTK.cmake: define install directories early

enough to be used in FindGObjectIntrospection.cmake

8:33 AM Changeset in webkit [171597] by Lucas Forschler

• 14 edits in tags/Safari-600.1.3

Merged r171593. <rdar://problem/16878037>

8:32 AM Changeset in webkit [171596] by Lucas Forschler

• 14 edits in branches/safari-600.1-branch

Merged r171593. <rdar://problem/16878037>

8:21 AM Changeset in webkit [171595] by Alan Bujtas

• 2 edits in trunk/LayoutTests

Unreviewed media test gardening after r171593.

• platform/mac/http/tests/media/hls/video-controls-live-stream-expected.txt:

8:08 AM Changeset in webkit [171594] by commit-queue@webkit.org

• 2 edits in trunk/Tools

Add --dry-run option to sort-export-file
​https://bugs.webkit.org/show_bug.cgi?id=135048

Patch by Renato Nagy <​nagy.renato@stud.u-szeged.hu> on 2014-07-25
Reviewed by Csaba Osztrogonác.

Added --dry-run option to sort-export-file. Running the script with --dry-run
option does not sort the export files but creates a list of the files that
need to be sorted.

• Scripts/sort-export-file:

(sawError):

7:47 AM Changeset in webkit [171593] by Alan Bujtas

• 14 edits in trunk

Subpixel rendering: iOS video playback controls look blurry.
​https://bugs.webkit.org/show_bug.cgi?id=135245
<rdar://problem/16878037>

Reviewed by Simon Fraser.

This patch introduces a compositing parent of the overlay control panel so that
the transformed overlay panel becomes sharp. This is a workaround for webkit.org/b/135246.

Can't find a way to test it yet.

Source/WebCore:

• Modules/mediacontrols/mediaControlsApple.css:

(video::-webkit-media-controls-panel-composited-parent):

• Modules/mediacontrols/mediaControlsApple.js:

(Controller.prototype.createControls):
(Controller.prototype.addControls):

• Modules/mediacontrols/mediaControlsiOS.css:

(video::-webkit-media-controls-panel-composited-parent):

• Modules/mediacontrols/mediaControlsiOS.js: This is a workaround for webkit.org/b/135248

It pushes the overlay panel down to close the gap with the video element. Since the
panel's size in css pixels is scale dependent, the gap needs to be scale dependent too.
(ControllerIOS.prototype.set pageScaleFactor):

LayoutTests:

• platform/mac/fast/hidpi/video-controls-in-hidpi-expected.txt:
• platform/mac/fast/layers/video-layer-expected.txt:
• platform/mac/media/audio-controls-rendering-expected.txt:
• platform/mac/media/controls-after-reload-expected.txt:
• platform/mac/media/controls-strict-expected.txt:
• platform/mac/media/controls-without-preload-expected.txt:
• platform/mac/media/media-controls-clone-expected.txt:
• platform/mac/media/video-no-audio-expected.txt:

4:01 AM Changeset in webkit [171592] by krit@webkit.org

• 2 edits in trunk/LayoutTests

Unreviewed rebaseline of test. Uploaded wrong result.

Patch by Dirk Schulze <​krit@webkit.org> on 2014-07-25

• svg/css/parse-length-expected.txt:

2:52 AM Changeset in webkit [171591] by krit@webkit.org

• 29 edits
  1 move
  3 adds
  1 delete in trunk

Turn x/y to presentation attributes
​https://bugs.webkit.org/show_bug.cgi?id=135215

Source/WebCore:
Patch by Dirk Schulze <​krit@webkit.org> on 2014-07-24
Reviewed by Dean Jackson.

This follows the patch for width and height presentation attributes and
turns x and y to presentation attributes as well:

​http://trac.webkit.org/changeset/171341

Tests: svg/css/parse-length.html

transitions/svg-layout-transition.html

Added copyright where I forgot it in previous patch.

• css/CSSComputedStyleDeclaration.cpp: Computed style of x and y.

(WebCore::ComputedStyleExtractor::propertyValue):

• css/CSSParser.cpp:

(WebCore::isSimpleLengthPropertyID): Add x and y to list.

• css/DeprecatedStyleBuilder.cpp:

(WebCore::DeprecatedStyleBuilder::DeprecatedStyleBuilder): Resolve x and y.

• css/SVGCSSParser.cpp:

(WebCore::CSSParser::parseSVGValue): Parse x and y property.

• css/SVGCSSPropertyNames.in: Add x and y to list of names.
• css/StyleResolver.h:
• page/animation/CSSPropertyAnimation.cpp: Animate x and y as Length.

(WebCore::CSSPropertyAnimationWrapperMap::CSSPropertyAnimationWrapperMap):

• rendering/style/RenderStyle.h: Add x and y setters and getters.
• rendering/style/SVGRenderStyle.cpp: Add x and y setters for StyleLayoutData.

(WebCore::SVGRenderStyle::SVGRenderStyle):
(WebCore::SVGRenderStyle::operator==):
(WebCore::SVGRenderStyle::copyNonInheritedFrom):
(WebCore::SVGRenderStyle::diff):

• rendering/style/SVGRenderStyle.h:

(WebCore::SVGRenderStyle::setX):
(WebCore::SVGRenderStyle::setY):
(WebCore::SVGRenderStyle::x):
(WebCore::SVGRenderStyle::y):

• rendering/style/SVGRenderStyleDefs.cpp: Add StyleLayoutData for style storing.

(WebCore::StyleLayoutData::StyleLayoutData):
(WebCore::StyleLayoutData::copy):
(WebCore::StyleLayoutData::operator==):

• rendering/style/SVGRenderStyleDefs.h:

(WebCore::StyleLayoutData::create):
(WebCore::StyleLayoutData::operator!=):

• rendering/svg/RenderSVGRect.cpp:

(WebCore::RenderSVGRect::updateShapeFromElement):

• rendering/svg/SVGPathData.cpp: Use RenderStyle values rather than attribute values.

(WebCore::updatePathFromRectElement):

• svg/SVGAnimationElement.cpp:

(WebCore::SVGAnimationElement::isTargetAttributeCSSProperty): Fix text detection.

• svg/SVGElement.cpp: Add x and y to the relevant property lists.

(WebCore::populateAttributeNameToCSSPropertyIDMap):
(WebCore::populateCSSPropertyWithSVGDOMNameToAnimatedPropertyTypeMap):

• svg/SVGFilterElement.cpp: Style update on change of x and y.

(WebCore::SVGFilterElement::svgAttributeChanged):

• svg/SVGMaskElement.cpp: Ditto.

(WebCore::SVGMaskElement::svgAttributeChanged):

• svg/SVGPatternElement.cpp: Ditto.

(WebCore::SVGPatternElement::svgAttributeChanged):

• svg/SVGRectElement.cpp: Ditto.

(WebCore::SVGRectElement::svgAttributeChanged):

• svg/SVGTextPositioningElement.cpp: Exclude x and y of text elements since they

are lists instead of individual values. Solution about to be discussed
in the WG. Keep current behavior for now.

(WebCore::SVGTextPositioningElement::collectStyleForPresentationAttribute):
(WebCore::SVGTextPositioningElement::isPresentationAttribute):

• svg/SVGTextPositioningElement.h:

LayoutTests:
Test parsing of x and y attributes. Rendering and SVG animation
covered by existing tests.
CSS Transition test, test transition from specified attribute value
to new property value.

Patch by Dirk Schulze <​krit@webkit.org> on 2014-07-24
Reviewed by Dean Jackson.

• svg/css/parse-length-expected.txt: Added.
• svg/css/parse-length.html: Renamed from LayoutTests/svg/css/parse-width.html.
• svg/css/parse-width-expected.txt: Removed.
• transitions/svg-layout-transition-expected.txt: Added.
• transitions/svg-layout-transition.html: Added.

12:17 AM Changeset in webkit [171590] by Lucas Forschler

• 5 edits in branches/safari-600.1-branch/Source

Versioning.

12:12 AM Changeset in webkit [171589] by Lucas Forschler

• 1 copy in tags/Safari-600.1.3

New Tag.