0022ebf77761007262338e0242bc30861bcfbcbc
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-08-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        JavascriptCore Crash in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool)
        https://bugs.webkit.org/show_bug.cgi?id=147538

        Reviewed by Geoffrey Garen.

        Due to the order of the ARROWFUNCTION token in the JSTokenType enum, it is categorized as one of the keywords.
        As a result, when lexing a property name that can take keywords, the ARROWFUNCTION token is accidentally accepted.
        This patch changes the order of the ARROWFUNCTION token in JSTokenType to make it an operator token.

        * parser/ParserTokens.h:
        * tests/stress/arrow-function-token-is-not-keyword.js: Added.
        (testSyntaxError):

2015-08-03  Keith Miller  <keith_miller@apple.com>

        Clean up the naming for AST expression generation.
        https://bugs.webkit.org/show_bug.cgi?id=147581

        Reviewed by Yusuke Suzuki.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createThisExpr):
        (JSC::ASTBuilder::createSuperExpr):
        (JSC::ASTBuilder::createNewTargetExpr):
        (JSC::ASTBuilder::thisExpr): Deleted.
        (JSC::ASTBuilder::superExpr): Deleted.
        (JSC::ASTBuilder::newTargetExpr): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createThisExpr):
        (JSC::SyntaxChecker::createSuperExpr):
        (JSC::SyntaxChecker::createNewTargetExpr):
        (JSC::SyntaxChecker::thisExpr): Deleted.
        (JSC::SyntaxChecker::superExpr): Deleted.
        (JSC::SyntaxChecker::newTargetExpr): Deleted.

2015-08-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Don't set up the callsite to operationGetByValDefault when the optimization is already done
        https://bugs.webkit.org/show_bug.cgi?id=147577

        Reviewed by Filip Pizlo.

        operationGetByValDefault should be called only when the IC is not set.
        operationGetByValString breaks this invariant and `ASSERT(!byValInfo.stubRoutine)` in
        operationGetByValDefault raises the assertion failure.
        In this patch, we change the callsite set-up code in operationGetByValString when
        the IC is already set. And to make the operation's meaning explicit, we changed the
        name operationGetByValDefault to operationGetByValOptimize, which is aligned with the
        GetById case.

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        * tests/stress/operation-get-by-val-default-should-not-called-for-already-optimized-site.js: Added.
        (hello):

2015-08-03  Csaba Osztrogonác  <ossy@webkit.org>

        [FTL] Remove unused scripts related to native call inlining
        https://bugs.webkit.org/show_bug.cgi?id=147448

        Reviewed by Filip Pizlo.

        * build-symbol-table-index.py: Removed.
        * copy-llvm-ir-to-derived-sources.sh: Removed.
        * create-llvm-ir-from-source-file.py: Removed.
        * create-symbol-table-index.py: Removed.

2015-08-02  Benjamin Poulain  <bpoulain@apple.com>

        Investigate HashTable::HashTable(const HashTable&) and HashTable::operator=(const HashTable&) performance for hash-based static analyses
        https://bugs.webkit.org/show_bug.cgi?id=118455

        Reviewed by Filip Pizlo.

        LivenessAnalysisPhase lights up like a Christmas tree in profiles.

        This patch cuts its cost by 4.
        About half of the gains come from removing many rehash() when copying
        the HashSet.
        The last quarter is achieved by having a special add() function for initializing
        a HashSet.

        This makes benchmarks progress by 1-2% here and there. Nothing massive.

        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::process):
        The m_live HashSet is only useful per block. When we are done with it,
        we can transfer it to liveAtHead to avoid a copy.

2015-08-01  Saam barati  <saambarati1@gmail.com>

        Unreviewed. Remove unintentional "print" statement in test case.
        https://bugs.webkit.org/show_bug.cgi?id=142567

        * tests/stress/class-syntax-definition-semantics.js:
        (shouldBeSyntaxError):

2015-07-31  Alex Christensen  <achristensen@webkit.org>

        Prepare for VS2015
        https://bugs.webkit.org/show_bug.cgi?id=146579

        Reviewed by Jon Honeycutt.

        * heap/Heap.h:
        Fix compiler error by explicitly casting zombifiedBits to the size of a pointer.

2015-07-31  Saam barati  <saambarati1@gmail.com>

        ES6 class syntax should use block scoping
        https://bugs.webkit.org/show_bug.cgi?id=142567

        Reviewed by Geoffrey Garen.

        We treat class declarations like we do "let" declarations.
        The class name is under TDZ until the class declaration
        statement is evaluated. Class declarations also follow
        the same rules as "let": No duplicate definitions inside
        a lexical environment.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createClassDeclStatement):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClassDeclaration):
        * tests/stress/class-syntax-block-scoping.js: Added.
        (assert):
        (truth):
        (.):
        * tests/stress/class-syntax-definition-semantics.js: Added.
        (shouldBeSyntaxError):
        (shouldNotBeSyntaxError):
        (truth):
        * tests/stress/class-syntax-tdz.js:
        (assert):
        (shouldThrowTDZ):
        (truth):
        (.):

2015-07-31  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement WebAssembly module parser
        https://bugs.webkit.org/show_bug.cgi?id=147293

        Reviewed by Mark Lam.

        Re-landing after fix for the "..\..\jsc.cpp(46): fatal error C1083: Cannot open
        include file: 'JSWASMModule.h'" issue on Windows.

        Implement WebAssembly module parser for WebAssembly files produced by pack-asmjs
        <https://github.com/WebAssembly/polyfill-prototype-1>. This patch only checks
        the magic number at the beginning of the files. Parsing of the rest will be
        implemented in a subsequent patch.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionLoadWebAssembly):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::data):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::wasmModuleStructure):
        * wasm/WASMMagicNumber.h: Added.
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASMModuleParser::WASMModuleParser):
        (JSC::WASMModuleParser::parse):
        (JSC::WASMModuleParser::parseModule):
        (JSC::parseWebAssembly):
        * wasm/WASMModuleParser.h: Added.
        * wasm/WASMReader.cpp: Added.
        (JSC::WASMReader::readUnsignedInt32):
        (JSC::WASMReader::readFloat):
        (JSC::WASMReader::readDouble):
        * wasm/WASMReader.h: Added.
        (JSC::WASMReader::WASMReader):

2015-07-30  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Add the "wasm" directory to the Additional Include Directories for jsc.exe
        https://bugs.webkit.org/show_bug.cgi?id=147443

        Reviewed by Mark Lam.

        This patch should fix the "..\..\jsc.cpp(46): fatal error C1083:
        Cannot open include file: 'JSWASMModule.h'" error in the Windows build.

        * JavaScriptCore.vcxproj/jsc/jscCommon.props:

2015-07-30  Chris Dumez  <cdumez@apple.com>

        Mark more classes as fast allocated
        https://bugs.webkit.org/show_bug.cgi?id=147440

        Reviewed by Sam Weinig.

        Mark more classes as fast allocated for performance. We heap-allocate
        objects of those types throughout the code base.

        * API/JSCallbackObject.h:
        * API/ObjCCallbackFunction.mm:
        * bytecode/BytecodeKills.h:
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/CallLinkStatus.h:
        * bytecode/FullBytecodeLiveness.h:
        * bytecode/SamplingTool.h:
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockMap.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGThreadData.h:
        * heap/HeapVerifier.h:
        * heap/SlotVisitor.h:
        * parser/Lexer.h:
        * runtime/ControlFlowProfiler.h:
        * runtime/TypeProfiler.h:
        * runtime/TypeProfilerLog.h:
        * runtime/Watchdog.h:

2015-07-29  Filip Pizlo  <fpizlo@apple.com>

        DFG::ArgumentsEliminationPhase should emit a PutStack for all of the GetStacks that the ByteCodeParser emitted
        https://bugs.webkit.org/show_bug.cgi?id=147433
        rdar://problem/21668986

        Reviewed by Mark Lam.

        Ideally, the ByteCodeParser would only emit SetArgument nodes for named arguments.  But
        currently that's not what it does - it emits a SetArgument for every argument that a varargs
        call may pass.  Each SetArgument gets turned into a GetStack.  This means that if
        ArgumentsEliminationPhase optimizes away PutStacks for those varargs arguments that didn't
        get passed or used, we get degenerate IR where we have a GetStack of something that didn't
        have a PutStack.

        This fixes the bug by removing the code to optimize away PutStacks in
        ArgumentsEliminationPhase.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * tests/stress/varargs-inlining-underflow.js: Added.
        (baz):
        (bar):
        (foo):

2015-07-29  Andy VanWagoner  <thetalecrafter@gmail.com>

        Implement basic types for ECMAScript Internationalization API
        https://bugs.webkit.org/show_bug.cgi?id=146926

        Reviewed by Benjamin Poulain.

        Adds basic types for ECMA-402 2nd edition, but does not implement the full locale-aware features yet.
        http://www.ecma-international.org/ecma-402/2.0/ECMA-402.pdf

        * CMakeLists.txt: Added new Intl files.
        * Configurations/FeatureDefines.xcconfig: Enable INTL.
        * DerivedSources.make: Added Intl files.
        * JavaScriptCore.xcodeproj/project.pbxproj: Added Intl files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added Intl files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added Intl files.
        * runtime/CommonIdentifiers.h: Added Collator, NumberFormat, and DateTimeFormat.
        * runtime/DateConstructor.cpp: Made Date.now public.
        * runtime/DateConstructor.h: Made Date.now public.
        * runtime/IntlCollator.cpp: Added.
        (JSC::IntlCollator::create):
        (JSC::IntlCollator::createStructure):
        (JSC::IntlCollator::IntlCollator):
        (JSC::IntlCollator::finishCreation):
        (JSC::IntlCollator::destroy):
        (JSC::IntlCollator::visitChildren):
        (JSC::IntlCollator::setBoundCompare):
        (JSC::IntlCollatorFuncCompare): Added placeholder implementation using codePointCompare.
        * runtime/IntlCollator.h: Added.
        (JSC::IntlCollator::constructor):
        (JSC::IntlCollator::boundCompare):
        * runtime/IntlCollatorConstructor.cpp: Added.
        (JSC::IntlCollatorConstructor::create):
        (JSC::IntlCollatorConstructor::createStructure):
        (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
        (JSC::IntlCollatorConstructor::finishCreation):
        (JSC::constructIntlCollator): Added Collator constructor (10.1.2).
        (JSC::callIntlCollator): Added Collator constructor (10.1.2).
        (JSC::IntlCollatorConstructor::getConstructData):
        (JSC::IntlCollatorConstructor::getCallData):
        (JSC::IntlCollatorConstructor::getOwnPropertySlot):
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
        (JSC::IntlCollatorConstructor::visitChildren):
        * runtime/IntlCollatorConstructor.h: Added.
        (JSC::IntlCollatorConstructor::collatorStructure):
        * runtime/IntlCollatorPrototype.cpp: Added.
        (JSC::IntlCollatorPrototype::create):
        (JSC::IntlCollatorPrototype::createStructure):
        (JSC::IntlCollatorPrototype::IntlCollatorPrototype):
        (JSC::IntlCollatorPrototype::finishCreation):
        (JSC::IntlCollatorPrototype::getOwnPropertySlot):
        (JSC::IntlCollatorPrototypeGetterCompare): Added compare getter (10.3.3).
        (JSC::IntlCollatorPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
        * runtime/IntlCollatorPrototype.h: Added.
        * runtime/IntlDateTimeFormat.cpp: Added.
        (JSC::IntlDateTimeFormat::create):
        (JSC::IntlDateTimeFormat::createStructure):
        (JSC::IntlDateTimeFormat::IntlDateTimeFormat):
        (JSC::IntlDateTimeFormat::finishCreation):
        (JSC::IntlDateTimeFormat::destroy):
        (JSC::IntlDateTimeFormat::visitChildren):
        (JSC::IntlDateTimeFormat::setBoundFormat):
        (JSC::IntlDateTimeFormatFuncFormatDateTime): Added placeholder implementation returning new Date(value).toString().
        * runtime/IntlDateTimeFormat.h: Added.
        (JSC::IntlDateTimeFormat::constructor):
        (JSC::IntlDateTimeFormat::boundFormat):
        * runtime/IntlDateTimeFormatConstructor.cpp: Added.
        (JSC::IntlDateTimeFormatConstructor::create):
        (JSC::IntlDateTimeFormatConstructor::createStructure):
        (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        (JSC::constructIntlDateTimeFormat): Added DateTimeFormat constructor (12.1.2).
        (JSC::callIntlDateTimeFormat): Added DateTimeFormat constructor (12.1.2).
        (JSC::IntlDateTimeFormatConstructor::getConstructData):
        (JSC::IntlDateTimeFormatConstructor::getCallData):
        (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot):
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
        (JSC::IntlDateTimeFormatConstructor::visitChildren):
        * runtime/IntlDateTimeFormatConstructor.h: Added.
        (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure):
        * runtime/IntlDateTimeFormatPrototype.cpp: Added.
        (JSC::IntlDateTimeFormatPrototype::create):
        (JSC::IntlDateTimeFormatPrototype::createStructure):
        (JSC::IntlDateTimeFormatPrototype::IntlDateTimeFormatPrototype):
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot):
        (JSC::IntlDateTimeFormatPrototypeGetterFormat): Added format getter (12.3.3).
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
        * runtime/IntlDateTimeFormatPrototype.h: Added.
        * runtime/IntlNumberFormat.cpp: Added.
        (JSC::IntlNumberFormat::create):
        (JSC::IntlNumberFormat::createStructure):
        (JSC::IntlNumberFormat::IntlNumberFormat):
        (JSC::IntlNumberFormat::finishCreation):
        (JSC::IntlNumberFormat::destroy):
        (JSC::IntlNumberFormat::visitChildren):
        (JSC::IntlNumberFormat::setBoundFormat):
        (JSC::IntlNumberFormatFuncFormatNumber): Added placeholder implementation returning Number(value).toString().
        * runtime/IntlNumberFormat.h: Added.
        (JSC::IntlNumberFormat::constructor):
        (JSC::IntlNumberFormat::boundFormat):
        * runtime/IntlNumberFormatConstructor.cpp: Added.
        (JSC::IntlNumberFormatConstructor::create):
        (JSC::IntlNumberFormatConstructor::createStructure):
        (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
        (JSC::IntlNumberFormatConstructor::finishCreation):
        (JSC::constructIntlNumberFormat): Added NumberFormat constructor (11.1.2).
        (JSC::callIntlNumberFormat): Added NumberFormat constructor (11.1.2).
        (JSC::IntlNumberFormatConstructor::getConstructData):
        (JSC::IntlNumberFormatConstructor::getCallData):
        (JSC::IntlNumberFormatConstructor::getOwnPropertySlot):
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
        (JSC::IntlNumberFormatConstructor::visitChildren):
        * runtime/IntlNumberFormatConstructor.h: Added.
        (JSC::IntlNumberFormatConstructor::numberFormatStructure):
        * runtime/IntlNumberFormatPrototype.cpp: Added.
        (JSC::IntlNumberFormatPrototype::create):
        (JSC::IntlNumberFormatPrototype::createStructure):
        (JSC::IntlNumberFormatPrototype::IntlNumberFormatPrototype):
        (JSC::IntlNumberFormatPrototype::finishCreation):
        (JSC::IntlNumberFormatPrototype::getOwnPropertySlot):
        (JSC::IntlNumberFormatPrototypeGetterFormat): Added format getter (11.3.3).
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
        * runtime/IntlNumberFormatPrototype.h: Added.
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::create):
        (JSC::IntlObject::finishCreation): Added Collator, NumberFormat, and DateTimeFormat properties (8.1).
        (JSC::IntlObject::visitChildren):
        * runtime/IntlObject.h:
        (JSC::IntlObject::collatorConstructor):
        (JSC::IntlObject::collatorPrototype):
        (JSC::IntlObject::collatorStructure):
        (JSC::IntlObject::numberFormatConstructor):
        (JSC::IntlObject::numberFormatPrototype):
        (JSC::IntlObject::numberFormatStructure):
        (JSC::IntlObject::dateTimeFormatConstructor):
        (JSC::IntlObject::dateTimeFormatPrototype):
        (JSC::IntlObject::dateTimeFormatStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2015-07-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r187550.
        https://bugs.webkit.org/show_bug.cgi?id=147420

        Broke Windows build (again) (Requested by smfr on #webkit).

        Reverted changeset:

        "Implement WebAssembly module parser"
        https://bugs.webkit.org/show_bug.cgi?id=147293
        http://trac.webkit.org/changeset/187550

2015-07-29  Basile Clement  <basile_clement@apple.com>

        Remove native call inlining
        https://bugs.webkit.org/show_bug.cgi?id=147417

        Rubber Stamped by Filip Pizlo.

        * CMakeLists.txt:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Deleted.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction): Deleted.
        (JSC::DFG::Node::hasCellOperand): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNativeCallOrConstruct): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::didOverflowStack): Deleted.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State): Deleted.
        * ftl/FTLState.h:
        * runtime/BundlePath.cpp: Removed.
        (JSC::bundlePath): Deleted.
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        * runtime/Options.h:

2015-07-29  Basile Clement  <basile_clement@apple.com>

        Unreviewed, skipping a test that is too complex for its own good
        https://bugs.webkit.org/show_bug.cgi?id=147167

        * tests/stress/math-pow-coherency.js:

2015-07-29  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement WebAssembly module parser
        https://bugs.webkit.org/show_bug.cgi?id=147293

        Reviewed by Mark Lam.

        Reupload the patch, since r187539 should fix the "Cannot open include file:
        'JSWASMModule.h'" issue in the Windows build.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionLoadWebAssembly):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::data):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::wasmModuleStructure):
        * wasm/WASMMagicNumber.h: Added.
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASMModuleParser::WASMModuleParser):
        (JSC::WASMModuleParser::parse):
        (JSC::WASMModuleParser::parseModule):
        (JSC::parseWebAssembly):
        * wasm/WASMModuleParser.h: Added.
        * wasm/WASMReader.cpp: Added.
        (JSC::WASMReader::readUnsignedInt32):
        (JSC::WASMReader::readFloat):
        (JSC::WASMReader::readDouble):
        * wasm/WASMReader.h: Added.
        (JSC::WASMReader::WASMReader):

2015-07-29  Basile Clement  <basile_clement@apple.com>

        Unreviewed, lower the number of test iterations to prevent timing out on Debug builds
        https://bugs.webkit.org/show_bug.cgi?id=147167

        * tests/stress/math-pow-coherency.js:

2015-07-28  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Add the "wasm" directory to Visual Studio project files
        https://bugs.webkit.org/show_bug.cgi?id=147400

        Reviewed by Simon Fraser.

        This patch should fix the "Cannot open include file: 'JSWASMModule.h'" issue
        in the Windows build.

        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/copy-files.cmd:

2015-07-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r187531.
        https://bugs.webkit.org/show_bug.cgi?id=147397

        Broke Windows build (Requested by smfr on #webkit).

        Reverted changeset:

        "Implement WebAssembly module parser"
        https://bugs.webkit.org/show_bug.cgi?id=147293
        http://trac.webkit.org/changeset/187531

2015-07-28  Benjamin Poulain  <bpoulain@apple.com>

        Speed up the Stringifier::toJSON() fast case
        https://bugs.webkit.org/show_bug.cgi?id=147383

        Reviewed by Andreas Kling.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::toJSONImpl):

2015-07-28  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement WebAssembly module parser
        https://bugs.webkit.org/show_bug.cgi?id=147293

        Reviewed by Geoffrey Garen.

        Implement WebAssembly module parser for WebAssembly files produced by pack-asmjs
        <https://github.com/WebAssembly/polyfill-prototype-1>. This patch only checks
        the magic number at the beginning of the files. Parsing of the rest will be
        implemented in a subsequent patch.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionLoadWebAssembly):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::data):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::wasmModuleStructure):
        * wasm/WASMMagicNumber.h: Added.
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASMModuleParser::WASMModuleParser):
        (JSC::WASMModuleParser::parse):
        (JSC::WASMModuleParser::parseModule):
        (JSC::parseWebAssembly):
        * wasm/WASMModuleParser.h: Added.
        * wasm/WASMReader.cpp: Added.
        (JSC::WASMReader::readUnsignedInt32):
        (JSC::WASMReader::readFloat):
        (JSC::WASMReader::readDouble):
        * wasm/WASMReader.h: Added.
        (JSC::WASMReader::WASMReader):

2015-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Add ENABLE_ES6_MODULES compile time flag with the default value "false"
        https://bugs.webkit.org/show_bug.cgi?id=147350

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2015-07-28  Saam barati  <saambarati1@gmail.com>

        Make the type profiler work with lexical scoping and add tests
        https://bugs.webkit.org/show_bug.cgi?id=145438

        Reviewed by Geoffrey Garen.

        op_profile_type now knows how to resolve variables allocated within
        the local scope stack. This means it knows how to resolve "let"
        and "const" variables. Also, some refactoring was done inside
        the BytecodeGenerator to make writing code to support the type
        profiler much simpler and clearer.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::symbolTable): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addExceptionHandler):
        (JSC::UnlinkedCodeBlock::exceptionHandler):
        (JSC::UnlinkedCodeBlock::vm):
        (JSC::UnlinkedCodeBlock::addArrayProfile):
        (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex): Deleted.
        (JSC::UnlinkedCodeBlock::symbolTableConstantIndex): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
        (JSC::BytecodeGenerator::emitProfileType):
        (JSC::BytecodeGenerator::emitProfileControlFlow):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::EmptyLetExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * tests/typeProfiler/es6-block-scoping.js: Added.
        (noop):
        (arr):
        (wrapper.changeFoo):
        (wrapper.scoping):
        (wrapper.scoping2):
        (wrapper):
        * tests/typeProfiler/es6-classes.js: Added.
        (noop):
        (wrapper.Animal):
        (wrapper.Animal.prototype.methodA):
        (wrapper.Dog):
        (wrapper.Dog.prototype.methodB):
        (wrapper):

692 2015-07-28  Saam barati  <saambarati1@gmail.com>
693
694         Implement catch scope using lexical scoping constructs introduced with "let" scoping patch
695         https://bugs.webkit.org/show_bug.cgi?id=146979
696
697         Reviewed by Geoffrey Garen.
698
699         Now that BytecodeGenerator has a notion of local scope depth,
700         we can easily implement a catch scope that doesn't claim that
701         all variables are dynamically scoped. This means that functions
702         that use try/catch can have local variable resolution. This also
703         means that all functions that use try/catch don't have all
704         their variables marked as being captured.
705
706         Catch scopes now behave like a "let" scope (sans the TDZ logic) with a 
707         single variable. Catch scopes are now just JSLexicalEnvironments and the 
708         symbol table backing the catch scope knows that it corresponds to a catch scope.
709
710         * CMakeLists.txt:
711         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
712         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
713         * JavaScriptCore.xcodeproj/project.pbxproj:
714         * bytecode/CodeBlock.cpp:
715         (JSC::CodeBlock::dumpBytecode):
716         * bytecode/EvalCodeCache.h:
717         (JSC::EvalCodeCache::isCacheable):
718         * bytecompiler/BytecodeGenerator.cpp:
719         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
720         (JSC::BytecodeGenerator::emitLoadGlobalObject):
721         (JSC::BytecodeGenerator::pushLexicalScope):
722         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
723         (JSC::BytecodeGenerator::popLexicalScope):
724         (JSC::BytecodeGenerator::popLexicalScopeInternal):
725         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
726         (JSC::BytecodeGenerator::variable):
727         (JSC::BytecodeGenerator::resolveType):
728         (JSC::BytecodeGenerator::emitResolveScope):
729         (JSC::BytecodeGenerator::emitPopScope):
730         (JSC::BytecodeGenerator::emitPopWithScope):
731         (JSC::BytecodeGenerator::emitDebugHook):
732         (JSC::BytecodeGenerator::popScopedControlFlowContext):
733         (JSC::BytecodeGenerator::emitPushCatchScope):
734         (JSC::BytecodeGenerator::emitPopCatchScope):
735         (JSC::BytecodeGenerator::beginSwitch):
736         (JSC::BytecodeGenerator::emitPopWithOrCatchScope): Deleted.
737         * bytecompiler/BytecodeGenerator.h:
738         (JSC::BytecodeGenerator::lastOpcodeID):
739         * bytecompiler/NodesCodegen.cpp:
740         (JSC::AssignResolveNode::emitBytecode):
741         (JSC::WithNode::emitBytecode):
742         (JSC::TryNode::emitBytecode):
743         * debugger/DebuggerScope.cpp:
744         (JSC::DebuggerScope::isCatchScope):
745         (JSC::DebuggerScope::isFunctionNameScope):
746         (JSC::DebuggerScope::isFunctionOrEvalScope):
747         (JSC::DebuggerScope::caughtValue):
748         * debugger/DebuggerScope.h:
749         * inspector/ScriptDebugServer.cpp:
750         (Inspector::ScriptDebugServer::exceptionOrCaughtValue):
751         * interpreter/Interpreter.cpp:
752         (JSC::Interpreter::execute):
753         * jit/JITOpcodes.cpp:
754         (JSC::JIT::emit_op_push_name_scope):
755         * jit/JITOpcodes32_64.cpp:
756         (JSC::JIT::emit_op_push_name_scope):
757         * jit/JITOperations.cpp:
758         * jit/JITOperations.h:
759         * parser/ASTBuilder.h:
760         (JSC::ASTBuilder::createContinueStatement):
761         (JSC::ASTBuilder::createTryStatement):
762         * parser/NodeConstructors.h:
763         (JSC::ThrowNode::ThrowNode):
764         (JSC::TryNode::TryNode):
765         (JSC::FunctionParameters::FunctionParameters):
766         * parser/Nodes.h:
767         * parser/Parser.cpp:
768         (JSC::Parser<LexerType>::parseTryStatement):
769         * parser/SyntaxChecker.h:
770         (JSC::SyntaxChecker::createBreakStatement):
771         (JSC::SyntaxChecker::createContinueStatement):
772         (JSC::SyntaxChecker::createTryStatement):
773         (JSC::SyntaxChecker::createSwitchStatement):
774         (JSC::SyntaxChecker::createWhileStatement):
775         (JSC::SyntaxChecker::createWithStatement):
776         * runtime/JSCatchScope.cpp:
777         * runtime/JSCatchScope.h:
778         (JSC::JSCatchScope::JSCatchScope): Deleted.
779         (JSC::JSCatchScope::create): Deleted.
780         (JSC::JSCatchScope::createStructure): Deleted.
781         * runtime/JSFunctionNameScope.h:
782         (JSC::JSFunctionNameScope::JSFunctionNameScope):
783         * runtime/JSGlobalObject.cpp:
784         (JSC::JSGlobalObject::init):
785         (JSC::JSGlobalObject::visitChildren):
786         * runtime/JSGlobalObject.h:
787         (JSC::JSGlobalObject::withScopeStructure):
788         (JSC::JSGlobalObject::strictEvalActivationStructure):
789         (JSC::JSGlobalObject::activationStructure):
790         (JSC::JSGlobalObject::functionNameScopeStructure):
791         (JSC::JSGlobalObject::directArgumentsStructure):
792         (JSC::JSGlobalObject::scopedArgumentsStructure):
793         (JSC::JSGlobalObject::catchScopeStructure): Deleted.
794         * runtime/JSNameScope.cpp:
795         (JSC::JSNameScope::create):
796         (JSC::JSNameScope::toThis):
797         * runtime/JSNameScope.h:
798         * runtime/JSObject.cpp:
799         (JSC::JSObject::toThis):
800         (JSC::JSObject::isFunctionNameScopeObject):
801         (JSC::JSObject::isCatchScopeObject): Deleted.
802         * runtime/JSObject.h:
803         * runtime/JSScope.cpp:
804         (JSC::JSScope::collectVariablesUnderTDZ):
805         (JSC::JSScope::isLexicalScope):
806         (JSC::JSScope::isCatchScope):
807         (JSC::resolveModeName):
808         * runtime/JSScope.h:
809         * runtime/SymbolTable.cpp:
810         (JSC::SymbolTable::SymbolTable):
811         (JSC::SymbolTable::cloneScopePart):
812         * runtime/SymbolTable.h:
813         * tests/stress/const-semantics.js:
814         (.):
815
816 2015-07-28  Filip Pizlo  <fpizlo@apple.com>
817
818         DFG::ArgumentsEliminationPhase has a redundant check for inserting CheckInBounds when converting GetByVal to GetStack in the inline non-varargs case
819         https://bugs.webkit.org/show_bug.cgi?id=147373
820
821         Reviewed by Mark Lam.
822
823         The code was doing a check for "index >= inlineCallFrame->arguments.size() - 1" in code where
824         safeToGetStack is true and we aren't in varargs context, but in a non-varargs context,
825         safeToGetStack can only be true if "index < inlineCallFrame->arguments.size() - 1".
826
827         When converting a GetByVal to GetStack, there are three possibilities:
828
829         1) Impossible to convert. This can happen if the GetByVal is out-of-bounds of the things we
830            know to have stored to the stack. For example, if we inline a function that does
831            "arguments[42]" at a call that passes no arguments.
832
833         2) Possible to convert, but we cannot prove statically that the GetByVal was in bounds. This
834            can happen for "arguments[42]" with no inline call frame (since we don't know statically
835            how many arguments we will be passed) or in a varargs call frame.
836
837         3) Possible to convert, and we know statically that the GetByVal is in bounds. This can
838            happen for "arguments[42]" if we have an inline call frame, and it's not a varargs call
839            frame, and we know that the caller passed 42 or more arguments.
840
841         The way the phase handles this is it first determines that we're not in case (1). This is
842         called safeToGetStack. safeToGetStack is true if we have case (2) or (3). For inline call
843         frames that have no varargs, this means that safeToGetStack is true exactly when the GetByVal
844         is in-bounds (i.e. case (3)).
845
846         But the phase was again doing a check for whether the index is in-bounds for non-varargs
847         inline call frames even when safeToGetStack was true. That check is redundant and should be
848         eliminated, since it makes the code confusing.
849
850         * dfg/DFGArgumentsEliminationPhase.cpp:
851
852 2015-07-28  Filip Pizlo  <fpizlo@apple.com>
853
854         DFG::PutStackSinkingPhase should be more aggressive about its "no GetStack until put" rule
855         https://bugs.webkit.org/show_bug.cgi?id=147371
856
857         Reviewed by Mark Lam.
858
859         Two fixes:
860
861         - Make ConflictingFlush really mean that you can't load from the stack slot. This means not
862           using ConflictingFlush for arguments.
863
864         - Assert that a GetStack never sees ConflictingFlush.
865
866         * dfg/DFGPutStackSinkingPhase.cpp:
867
868 2015-07-28  Basile Clement  <basile_clement@apple.com>
869
870         Misleading error message: "At least one digit must occur after a decimal point"
871         https://bugs.webkit.org/show_bug.cgi?id=146238
872
873         Reviewed by Geoffrey Garen.
874
875         Interestingly, we had a comment explaining what this error message was
876         about that is much clearer than the error message itself. This patch
877         simply replaces the error message with the explanation from the
878         comment.
879
880         * parser/Lexer.cpp:
881         (JSC::Lexer<T>::lex):
882
883 2015-07-28  Basile Clement  <basile_clement@apple.com>
884
885         Simplify call linking
886         https://bugs.webkit.org/show_bug.cgi?id=147363
887
888         Reviewed by Filip Pizlo.
889
890         Previously, we were passing both the CallLinkInfo and a
891         (CodeSpecializationKind, RegisterPreservationMode) pair to the
892         different call linking slow paths. However, the CallLinkInfo already
893         has all of that information, and we don't gain anything by having them
894         in additional static parameters - except possibly a very small
895         performance gain in presence of inlining. However since those are
896         already slow paths, this performance loss (if it exists) will not be
897         visible in practice.
898
899         This patch replaces the various specialized thunks and JIT operations
900         for regular and polymorphic call linking with a single thunk and
901         operation for each case. Moreover, it replaces the four specialized
902         virtual call thunks and operations with one virtual call thunk for each
903         call link info, allowing for better branch prediction by the CPU and
904         fixing a pre-existing FIXME.
905
906         * bytecode/CallLinkInfo.cpp:
907         (JSC::CallLinkInfo::unlink):
908         (JSC::CallLinkInfo::dummy): Deleted.
909         * bytecode/CallLinkInfo.h:
910         (JSC::CallLinkInfo::CallLinkInfo):
911         (JSC::CallLinkInfo::registerPreservationMode):
912         (JSC::CallLinkInfo::setUpCallFromFTL):
913         (JSC::CallLinkInfo::setSlowStub):
914         (JSC::CallLinkInfo::clearSlowStub):
915         (JSC::CallLinkInfo::slowStub):
916         * dfg/DFGDriver.cpp:
917         (JSC::DFG::compileImpl):
918         * dfg/DFGJITCompiler.cpp:
919         (JSC::DFG::JITCompiler::link):
920         * ftl/FTLJSCallBase.cpp:
921         (JSC::FTL::JSCallBase::link):
922         * jit/JITCall.cpp:
923         (JSC::JIT::compileCallEvalSlowCase):
924         (JSC::JIT::compileOpCall):
925         (JSC::JIT::compileOpCallSlowCase):
926         * jit/JITCall32_64.cpp:
927         (JSC::JIT::compileCallEvalSlowCase):
928         (JSC::JIT::compileOpCall):
929         (JSC::JIT::compileOpCallSlowCase):
930         * jit/JITOperations.cpp:
931         * jit/JITOperations.h:
932         (JSC::operationLinkFor): Deleted.
933         (JSC::operationVirtualFor): Deleted.
934         (JSC::operationLinkPolymorphicCallFor): Deleted.
935         * jit/Repatch.cpp:
936         (JSC::generateByIdStub):
937         (JSC::linkSlowFor):
938         (JSC::linkFor):
939         (JSC::revertCall):
940         (JSC::unlinkFor):
941         (JSC::linkVirtualFor):
942         (JSC::linkPolymorphicCall):
943         * jit/Repatch.h:
944         * jit/ThunkGenerators.cpp:
945         (JSC::linkCallThunkGenerator):
946         (JSC::linkPolymorphicCallThunkGenerator):
947         (JSC::virtualThunkFor):
948         (JSC::linkForThunkGenerator): Deleted.
949         (JSC::linkConstructThunkGenerator): Deleted.
950         (JSC::linkCallThatPreservesRegsThunkGenerator): Deleted.
951         (JSC::linkConstructThatPreservesRegsThunkGenerator): Deleted.
952         (JSC::linkPolymorphicCallForThunkGenerator): Deleted.
953         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator): Deleted.
954         (JSC::virtualForThunkGenerator): Deleted.
955         (JSC::virtualCallThunkGenerator): Deleted.
956         (JSC::virtualConstructThunkGenerator): Deleted.
957         (JSC::virtualCallThatPreservesRegsThunkGenerator): Deleted.
958         (JSC::virtualConstructThatPreservesRegsThunkGenerator): Deleted.
959         * jit/ThunkGenerators.h:
960         (JSC::linkThunkGeneratorFor): Deleted.
961         (JSC::linkPolymorphicCallThunkGeneratorFor): Deleted.
962         (JSC::virtualThunkGeneratorFor): Deleted.
963
964 2015-07-28  Basile Clement  <basile_clement@apple.com>
965
966         stress/math-pow-with-constants.js fails in cloop
967         https://bugs.webkit.org/show_bug.cgi?id=147167
968
969         Reviewed by Geoffrey Garen.
970
971         Baseline JIT, DFG and FTL are using a fast exponentiation fast path
972         when computing Math.pow() with an integer exponent that is not taken in
973         the LLInt (or the DFG abstract interpreter). This leads to the result
974         of pow changing depending on the compilation tier or the fact that
975         constant propagation kicks in, which is undesirable.
976
977         This patch adds the fast path to the slow operationMathPow in order to
978         maintain an illusion of consistency.
979
980         * runtime/MathCommon.cpp:
981         (JSC::operationMathPow):
982         * tests/stress/math-pow-coherency.js: Added.
983         (pow42):
984         (build42AsDouble.opaqueAdd):
985         (build42AsDouble):
986         (powDouble42):
987         (clobber):
988         (pow42NoConstantFolding):
989         (powDouble42NoConstantFolding):
990
991 2015-07-28  Joseph Pecoraro  <pecoraro@apple.com>
992
993         Web Inspector: Show Pseudo Elements in DOM Tree
994         https://bugs.webkit.org/show_bug.cgi?id=139612
995
996         Reviewed by Timothy Hatcher.
997
998         * inspector/protocol/DOM.json:
999         Add new properties to DOMNode if it is a pseudo element or if it has
1000         pseudo element children. Add new events for if a pseudo element is
1001         added or removed dynamically to an existing DOMNode.
1002
1003 2015-07-27  Filip Pizlo  <fpizlo@apple.com>
1004
1005         Add logging when executable code gets deallocated
1006         https://bugs.webkit.org/show_bug.cgi?id=147355
1007
1008         Reviewed by Mark Lam.
1009
1010         * ftl/FTLJITCode.cpp:
1011         (JSC::FTL::JITCode::~JITCode): Print something when this is freed.
1012         * jit/JITCode.cpp:
1013         (JSC::JITCodeWithCodeRef::~JITCodeWithCodeRef): Print something when this is freed.
1014
1015 2015-07-27  Filip Pizlo  <fpizlo@apple.com>
1016
1017         DFG::safeToExecute() cases for GetByOffset/PutByOffset don't handle clobbered structure abstract values correctly
1018         https://bugs.webkit.org/show_bug.cgi?id=147354
1019
1020         Reviewed by Michael Saboff.
1021
1022         If m_structure.isClobbered(), it means that we had a side effect that clobbered
1023         the abstract value but it may recover back to its original value at the next
1024         invalidation point. Since the invalidation point hasn't been reached yet, we need
1025         to conservatively treat the clobbered state as if it was top. At the invalidation
1026         point, the clobbered set will return back to being unclobbered.
1027
1028         In addition to fixing the bug, this introduces isInfinite(), which should be used
1029         in places where it's tempting to just use isTop().
1030
1031         * dfg/DFGSafeToExecute.h:
1032         (JSC::DFG::safeToExecute): Fix the bug.
1033         * dfg/DFGStructureAbstractValue.cpp:
1034         (JSC::DFG::StructureAbstractValue::contains): Switch to using isInfinite().
1035         (JSC::DFG::StructureAbstractValue::isSubsetOf): Switch to using isInfinite().
1036         (JSC::DFG::StructureAbstractValue::isSupersetOf): Switch to using isInfinite().
1037         (JSC::DFG::StructureAbstractValue::overlaps): Switch to using isInfinite().
1038         * dfg/DFGStructureAbstractValue.h:
1039         (JSC::DFG::StructureAbstractValue::isFinite): New convenience method.
1040         (JSC::DFG::StructureAbstractValue::isInfinite): New convenience method.
1041         (JSC::DFG::StructureAbstractValue::onlyStructure): Switch to using isInfinite().
1042
1043 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1044
1045         [ES6] Implement Reflect.enumerate
1046         https://bugs.webkit.org/show_bug.cgi?id=147347
1047
1048         Reviewed by Sam Weinig.
1049
1050         This patch implements Reflect.enumerate.
1051         It returns the iterator that iterates the enumerable keys of the given object.
1052         It follows the for-in's enumeration order.
1053
1054         To implement it, we write the same logic as the for-in enumeration code in C++.
1055
1056         * CMakeLists.txt:
1057         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1058         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1059         * JavaScriptCore.xcodeproj/project.pbxproj:
1060         * runtime/JSGlobalObject.cpp:
1061         (JSC::JSGlobalObject::init):
1062         (JSC::JSGlobalObject::visitChildren):
1063         * runtime/JSGlobalObject.h:
1064         (JSC::JSGlobalObject::propertyNameIteratorStructure):
1065         * runtime/JSPropertyNameIterator.cpp: Added.
1066         (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
1067         (JSC::JSPropertyNameIterator::clone):
1068         (JSC::JSPropertyNameIterator::create):
1069         (JSC::JSPropertyNameIterator::finishCreation):
1070         (JSC::JSPropertyNameIterator::visitChildren):
1071         (JSC::JSPropertyNameIterator::next):
1072         (JSC::propertyNameIteratorFuncNext):
1073         * runtime/JSPropertyNameIterator.h: Added.
1074         (JSC::JSPropertyNameIterator::createStructure):
1075         * runtime/ReflectObject.cpp:
1076         (JSC::reflectObjectEnumerate):
1077         * tests/stress/reflect-enumerate.js: Added.
1078         (shouldBe):
1079         (shouldThrow):
1080
1081 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1082
1083         [ES6] Implement Reflect.preventExtensions
1084         https://bugs.webkit.org/show_bug.cgi?id=147331
1085
1086         Reviewed by Sam Weinig.
1087
1088         Implement Reflect.preventExtensions.
1089         This is different from Object.preventExtensions.
1090
1091         1. When preventExtensions is called on a non-object, it raises a TypeError.
1092         2. Reflect.preventExtensions does not raise a TypeError when the preventExtensions operation fails.
1093
1094         For the (2) case, since there is no Proxy implementation currently, Reflect.preventExtensions always succeeds.
1095
1096         * runtime/ReflectObject.cpp:
1097         (JSC::reflectObjectPreventExtensions):
1098         * tests/stress/reflect-prevent-extensions.js: Added.
1099         (shouldBe):
1100         (shouldThrow):
1101
1102 2015-07-27  Alex Christensen  <achristensen@webkit.org>
1103
1104         Use Ninja on Windows.
1105         https://bugs.webkit.org/show_bug.cgi?id=147228
1106
1107         Reviewed by Martin Robinson.
1108
1109         * CMakeLists.txt:
1110         Set the working directory when generating LowLevelInterpreterWin.asm to put LowLevelInterpreterWin.asm.sym in the right place.
1111
1112 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1113
1114         SparseValueMap check is skipped when the butterfly's vectorLength is larger than the access-requested index
1115         https://bugs.webkit.org/show_bug.cgi?id=147265
1116
1117         Reviewed by Geoffrey Garen.
1118
1119         JSObject's vector holds the indexed values and we leverage it to represent stored values and holes.
1120         By checking that the given index is in-bound of the vector's length, we can look up the property fast.
1121         And for sparse arrays, we also have a separate SparseValueMap to hold the pairs.
1122         And we need to take care that the length of the vector should not overlap the indices stored in the SparseValueMap.
1123
1124         The vector only holds pure JS values to avoid additional checking for accessors when looking up the value
1125         from the vector. To achieve this, we also store the accessors (and attributed properties) in the SparseValueMap
1126         even when the index is less than MIN_SPARSE_ARRAY_INDEX.
1127
1128         As a result, if the length of the vector overlaps the indices of the accessors stored in the SparseValueMap,
1129         we accidentally skip the lookup in the SparseValueMap. Instead, we just load from the vector and,
1130         if the loaded value is an array hole, we decide that the given object does not have a value for the given index.
1131
1132         This patch fixes the problem.
1133         When defining an attributed value whose index is smaller than the length of the vector, we throw away the vector
1134         and change the object to DictionaryIndexingMode. Since we can assume that indexed accessors rarely exist in
1135         practice, we expect this does not hurt the performance while keeping the fast property access system without
1136         checking the sparse map.
1137
1138         * runtime/JSObject.cpp:
1139         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1140         * tests/stress/sparse-map-non-overlapping.js: Added.
1141         (shouldBe):
1142         (testing):
1143         (object.get 1000):
1144         * tests/stress/sparse-map-non-skip-getter-overriding.js: Added.
1145         (shouldBe):
1146         (obj.get 1):
1147         (testing):
1148         * tests/stress/sparse-map-non-skip.js: Added.
1149         (shouldBe):
1150         (testing):
1151         (testing2):
1152         (.get for):
1153
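The indexed-accessor situations the entry above describes, written as an added JavaScript example (not one of the JavaScriptCore test files it lists): each function returns the values the ECMAScript specification requires, which is what the fixed lookup path must produce. The arrays, the object and the index 1000 are constructed sample values.

```javascript
// Added example, not JavaScriptCore code: indexed accessors whose index lies
// inside the range covered by the object's dense (vector) storage. A correct
// engine consults the accessor; the bug described in the entry would instead
// have read a hole from the vector and answered undefined.

// Case 1: a dense array whose backing vector already covers index 1. Redefining
// index 1 as an accessor must route both reads and writes through the accessor,
// even though the vector still has a slot at that index.
function accessorInsideDenseRange() {
  const arr = [10, 20, 30, 40];
  const writes = [];
  Object.defineProperty(arr, 1, {
    get() { return "getter"; },
    set(v) { writes.push(v); },
    configurable: true,
  });
  arr[1] = 99; // must reach the setter, not the vector slot
  return { read: arr[1], writes, hasIndex: 1 in arr, length: arr.length };
}

// Case 2: an accessor defined while its index is still beyond the dense storage,
// after which plain data is stored on both sides of it so the storage grows past
// the accessor's index. The accessor must still be found. Index 1000 is only a
// constructed sample value; nothing about it is special.
function accessorThenDenseGrowth() {
  const obj = {};
  Object.defineProperty(obj, 1000, {
    get() { return "sparse getter"; },
    configurable: true,
  });
  for (let i = 0; i < 2000; i++) {
    if (i !== 1000) obj[i] = i; // data properties around the accessor
  }
  return { read: obj[1000], below: obj[999], above: obj[1001], hasIndex: 1000 in obj };
}

// Case 3: an enumerable accessor overriding a data element must be listed exactly
// once, in index order, next to the data-backed indices, and array methods that
// read by index (here slice) must observe the getter's value.
function accessorIsEnumeratedOnce() {
  const arr = [0, 1, 2];
  Object.defineProperty(arr, 1, {
    get() { return "g"; },
    enumerable: true,
    configurable: true,
  });
  return { keys: Object.keys(arr), values: arr.slice() };
}
```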
1154 2015-07-27  Saam barati  <saambarati1@gmail.com>
1155
1156         Reduce execution time for "let" and "const" tests
1157         https://bugs.webkit.org/show_bug.cgi?id=147291
1158
1159         Reviewed by Geoffrey Garen.
1160
1161         We don't need to loop so many times for things that will not make it 
1162         into the DFG.  Also, we can loop a lot less for almost all the tests 
1163         because they're mostly testing the bytecode generator.
1164
1165         * tests/stress/const-and-with-statement.js:
1166         * tests/stress/const-exception-handling.js:
1167         * tests/stress/const-loop-semantics.js:
1168         * tests/stress/const-not-strict-mode.js:
1169         * tests/stress/const-semantics.js:
1170         * tests/stress/const-tdz.js:
1171         * tests/stress/lexical-let-and-with-statement.js:
1172         * tests/stress/lexical-let-exception-handling.js:
1173         (assert):
1174         * tests/stress/lexical-let-loop-semantics.js:
1175         (assert):
1176         (shouldThrowTDZ):
1177         (.):
1178         * tests/stress/lexical-let-not-strict-mode.js:
1179         * tests/stress/lexical-let-semantics.js:
1180         (.):
1181         * tests/stress/lexical-let-tdz.js:
1182         (shouldThrowTDZ):
1183         (.):
1184
1185 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1186
1187         Rename PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols
1188         https://bugs.webkit.org/show_bug.cgi?id=147311
1189
1190         Reviewed by Sam Weinig.
1191
1192         To make the meaning clear in the user side (PropertyNameArray array(exec, PropertyNameMode::StringsAndSymbols)),
1193         this patch renames PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols.
1194
1195         * bytecode/ObjectAllocationProfile.h:
1196         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1197         * runtime/EnumerationMode.h:
1198         * runtime/ObjectConstructor.cpp:
1199         (JSC::ownEnumerablePropertyKeys):
1200         (JSC::defineProperties):
1201         (JSC::objectConstructorSeal):
1202         (JSC::objectConstructorFreeze):
1203         (JSC::objectConstructorIsSealed):
1204         (JSC::objectConstructorIsFrozen):
1205         (JSC::ownPropertyKeys):
1206         * runtime/ReflectObject.cpp:
1207         (JSC::reflectObjectOwnKeys):
1208
1209 2015-07-27  Saam barati  <saambarati1@gmail.com>
1210
1211         Added a comment explaining that all "addVar()"s should happen before
1212         emitting bytecode for a function's default parameter expressions
1213
1214         Rubber Stamped by Mark Lam.
1215
1216         * bytecompiler/BytecodeGenerator.cpp:
1217         (JSC::BytecodeGenerator::BytecodeGenerator):
1218
1219 2015-07-26  Sam Weinig  <sam@webkit.org>
1220
1221         Add missing builtin files to the JavaScriptCore Xcode project
1222         https://bugs.webkit.org/show_bug.cgi?id=147312
1223
1224         Reviewed by Darin Adler.
1225
1226         * JavaScriptCore.xcodeproj/project.pbxproj:
1227         Add missing files.
1228
1229 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1230
1231         [ES6] Implement Reflect.isExtensible
1232         https://bugs.webkit.org/show_bug.cgi?id=147308
1233
1234         Reviewed by Sam Weinig.
1235
1236         This patch implements Reflect.isExtensible.
1237         It is similar to Object.isExtensible.
1238         The difference is that it raises an error if the first argument is not an object.
1239
1240         * runtime/ReflectObject.cpp:
1241         (JSC::reflectObjectIsExtensible):
1242         * tests/stress/reflect-is-extensible.js: Added.
1243         (shouldBe):
1244         (shouldThrow):
1245
1246 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1247
1248         Unreviewed, fix the debug build due to touching the non-declared variable in ASSERT
1249         https://bugs.webkit.org/show_bug.cgi?id=147307
1250
1251         * runtime/ObjectConstructor.cpp:
1252         (JSC::ownPropertyKeys):
1253
1254 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1255
1256         [ES6] Implement Reflect.ownKeys
1257         https://bugs.webkit.org/show_bug.cgi?id=147307
1258
1259         Reviewed by Sam Weinig.
1260
1261         This patch implements Reflect.ownKeys.
1262         In this patch, we refactor the existing code that lists the own keys of an object.
1263         Such code is used by Object.getOwnPropertyNames, Object.getOwnPropertyKeys, Object.keys and @ownEnumerableKeys.
1264         We factor out the listing of own keys as the ownPropertyKeys function and also use it in Reflect.ownKeys.
1265
1266         * runtime/ObjectConstructor.cpp:
1267         (JSC::objectConstructorGetOwnPropertyNames):
1268         (JSC::objectConstructorGetOwnPropertySymbols):
1269         (JSC::objectConstructorKeys):
1270         (JSC::ownEnumerablePropertyKeys):
1271         (JSC::ownPropertyKeys):
1272         * runtime/ObjectConstructor.h:
1273         * runtime/ReflectObject.cpp:
1274         (JSC::reflectObjectOwnKeys):
1275         * tests/stress/reflect-own-keys.js: Added.
1276         (shouldBe):
1277         (shouldThrow):
1278         (shouldBeArray):
1279
1280 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1281
1282         [ES6] Implement Reflect.apply
1283         https://bugs.webkit.org/show_bug.cgi?id=147306
1284
1285         Reviewed by Sam Weinig.
1286
1287         Implement Reflect.apply.
1288         The large part of this can be implemented by the @apply builtin annotation.
1289         The only thing which is different from Function.prototype.apply is the third parameter,
1290         "argumentsList", which needs to be an object.
1291
1292         * builtins/ReflectObject.js:
1293         (apply):
1294         (deleteProperty):
1295         * runtime/ReflectObject.cpp:
1296         * tests/stress/reflect-apply.js: Added.
1297         (shouldBe):
1298         (shouldThrow):
1299         (get shouldThrow):
1300         (.get shouldThrow):
1301         (get var.array.get length):
1302         (get var.array.get 0):
1303         (.get var):
1304         * tests/stress/reflect-delete-property.js:
1305
1306 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1307
1308         [ES6] Add Reflect namespace and add Reflect.deleteProperty
1309         https://bugs.webkit.org/show_bug.cgi?id=147287
1310
1311         Reviewed by Sam Weinig.
1312
1313         This patch just creates the namespace for ES6 Reflect APIs
1314         and adds template files to implement the actual code.
1315
1316         So as not to leave the JS generated properties C array empty,
1317         we added one small method, Reflect.deleteProperty, in this patch.
1318
1319         * CMakeLists.txt:
1320         * DerivedSources.make:
1321         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1322         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1323         * JavaScriptCore.xcodeproj/project.pbxproj:
1324         * builtins/ReflectObject.js: Added.
1325         (deleteProperty):
1326         * runtime/CommonIdentifiers.h:
1327         * runtime/JSGlobalObject.cpp:
1328         (JSC::JSGlobalObject::init):
1329         * runtime/ReflectObject.cpp: Added.
1330         (JSC::ReflectObject::ReflectObject):
1331         (JSC::ReflectObject::finishCreation):
1332         (JSC::ReflectObject::getOwnPropertySlot):
1333         * runtime/ReflectObject.h: Added.
1334         (JSC::ReflectObject::create):
1335         (JSC::ReflectObject::createStructure):
1336         * tests/stress/reflect-delete-property.js: Added.
1337         (shouldBe):
1338         (shouldThrow):
1339
1340 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1341
1342         Avoid 2 times name iteration in Object.assign
1343         https://bugs.webkit.org/show_bug.cgi?id=147268
1344
1345         Reviewed by Geoffrey Garen.
1346
1347         Object.assign calls Object.getOwnPropertyNames & Object.getOwnPropertySymbols to collect all the names.
1348         But exposing a private API that collects both at the same time makes the API efficient when the given Object has many non-indexed properties.
1349         Since Object.assign is such a generic API (some form of utility API), the form of the given Object cannot be anticipated.
1350         So the given object may have many non-indexed properties.
1351
1352         In this patch, we introduce the `ownEnumerablePropertyKeys` private function.
1353         It is a slightly modified version of `[[OwnPropertyKeys]]` in the ES6 spec;
1354         it only includes enumerable properties.
1355
1356         By filtering out the non-enumerable properties in the exposed private function,
1357         we avoid calling @objectGetOwnPropertyDescriptor for each property at the same time.
1358
1359         * builtins/ObjectConstructor.js:
1360         (assign):
1361         * runtime/CommonIdentifiers.h:
1362         * runtime/EnumerationMode.h:
1363         * runtime/JSGlobalObject.cpp:
1364         (JSC::JSGlobalObject::init):
1365         * runtime/ObjectConstructor.cpp:
1366         (JSC::ownEnumerablePropertyKeys):
1367         * runtime/ObjectConstructor.h:
1368         * tests/stress/object-assign-enumerable.js: Added.
1369         (shouldBe):
1370         * tests/stress/object-assign-order.js: Added.
1371         (shouldBe):
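
Added example (editor's illustration, not code from this entry, its test files or JavaScriptCore): a user-land Object.assign built the way the entry describes, collecting own keys once and keeping only the enumerable ones, rather than gathering names and symbols separately and then querying a descriptor for each. Script code cannot reach the engine's private `@ownEnumerablePropertyKeys`, so `ownEnumerablePropertyKeys` here is a plain function with that contract; the sample object is constructed for the demonstration.

```javascript
// Own enumerable keys in [[OwnPropertyKeys]] order: integer indices ascending,
// then other strings in creation order, then symbols in creation order.
// Reflect.ownKeys walks both string and symbol keys in a single pass, and the
// enumerability test is the only per-key check left.
function ownEnumerablePropertyKeys(source) {
  const keys = [];
  for (const key of Reflect.ownKeys(source)) {
    if (Object.prototype.propertyIsEnumerable.call(source, key))
      keys.push(key);
  }
  return keys;
}

// Object.assign semantics: ToObject on the target, skip null/undefined sources,
// then [[Get]] from the source and [[Set]] on the target for each enumerable own key.
function assignOnePass(target, ...sources) {
  if (target === null || target === undefined)
    throw new TypeError("Cannot convert undefined or null to object");
  const to = Object(target);
  for (const source of sources) {
    if (source === null || source === undefined) continue;
    const from = Object(source);
    for (const key of ownEnumerablePropertyKeys(from))
      to[key] = from[key];
  }
  return to;
}

// Constructed sample: integer-like, string and symbol keys plus one
// non-enumerable property that must not be copied.
const sym = Symbol("s");
const sample = { b: 1, 2: "two", [sym]: 3, a: 4, 1: "one" };
Object.defineProperty(sample, "hidden", { value: 5, enumerable: false });

function sampleKeys() {
  return ownEnumerablePropertyKeys(sample);   // ["1", "2", "b", "a", sym]
}
```

The ordering returned by `sampleKeys()` is the order `Object.assign` must copy in, which is what the entry's `object-assign-order.js` test pins down; the non-enumerable `hidden` property never reaches the target.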
1372
1373 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1374
1375         Remove runtime flags for symbols
1376         https://bugs.webkit.org/show_bug.cgi?id=147246
1377
1378         Reviewed by Alex Christensen.
1379
1380         * runtime/ArrayPrototype.cpp:
1381         (JSC::ArrayPrototype::finishCreation):
1382         * runtime/JSGlobalObject.cpp:
1383         (JSC::JSGlobalObject::init): Deleted.
1384         * runtime/JSGlobalObject.h:
1385         * runtime/ObjectConstructor.cpp:
1386         (JSC::ObjectConstructor::finishCreation):
1387         * runtime/RuntimeFlags.h:
1388
1389 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1390
1391         Object.getOwnPropertySymbols on large list takes very long
1392         https://bugs.webkit.org/show_bug.cgi?id=146137
1393
1394         Reviewed by Mark Lam.
1395
1396         Before this patch, Object.getOwnPropertySymbols collects all the names including strings.
1397         And after it's done, it filters the names to only retrieve the symbols.
1398         But it's so time consuming if the given object is a large non-holed array since it has
1399         many indexed properties and all the indexes have to be converted to uniqued_strings and
1400         added to the collection of property names (though they may not be of the requested type
1401         and will be filtered out later).
1402
1403         This patch introduces PropertyNameMode.
1404         We leverage this mode in 2 places.
1405
1406         1. PropertyNameArray side
1407         It is set in PropertyNameArray and it filters the incoming added identifiers based on the mode.
1408         It ensures that PropertyNameArray doesn't become so large in the pathological case.
1409         And it ensures that non-expected typed keys by the filter (Symbols or Strings) are never added
1410         to the property name array collections.
1411         However it does not solve the whole problem because the huge array still incurs the many
1412         "indexed property to uniqued string" conversion and the large iteration before adding the keys
1413         to the property name array.
1414
1415         2. getOwnPropertyNames side
1416         So we can use the PropertyNameMode in the caller side (getOwnPropertyNames) as a **hint**.
1417         When the large iteration may occur, the caller side can use the PropertyNameMode as a hint to
1418         avoid the iteration.
1419         But we cannot exclusively rely on these caller side checks because it would require that we
1420         exhaustively add the checks to all custom implementations of getOwnPropertyNames as well.
1421         This process requires manual inspection of many pieces of code, and is error prone. Instead,
1422         we only apply the caller side check in a few strategic places where it is known to yield
1423         performance benefits; and we rely on the filter in PropertyNameArray::add() to reject the wrong
1424         types of properties for all other calls to PropertyNameArray::add().
1425
1426         In this patch, there's a concept in use that is not clear just from reading the code, and hence
1427         should be documented here. When selecting the PropertyNameMode for the PropertyNameArray to be
1428         instantiated, we apply the following logic:
1429
1430         1. Only JavaScriptCore code is aware of ES6 Symbols.
1431         We can assume that pre-existing external code that interfaces with JSC is only looking for string named properties. This includes:
1432             a. WebCore bindings
1433             b. Serializer bindings
1434             c. NPAPI bindings
1435             d. Objective C bindings
1436         2. In JSC, code that computes object storage space needs to iterate both Symbol and String named properties. Hence, use PropertyNameMode::Both.
1437         3. In JSC, ES6 APIs that work with Symbols should use PropertyNameMode::Symbols.
1438         4. In JSC, ES6 APIs that work with String named properties should use PropertyNameMode::Strings.
1439
1440         * API/JSObjectRef.cpp:
1441         (JSObjectCopyPropertyNames):
1442         * bindings/ScriptValue.cpp:
1443         (Deprecated::jsToInspectorValue):
1444         * bytecode/ObjectAllocationProfile.h:
1445         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1446         * runtime/EnumerationMode.h:
1447         (JSC::EnumerationMode::EnumerationMode):
1448         (JSC::EnumerationMode::includeSymbolProperties): Deleted.
1449         * runtime/GenericArgumentsInlines.h:
1450         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1451         * runtime/JSGenericTypedArrayViewInlines.h:
1452         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
1453         * runtime/JSLexicalEnvironment.cpp:
1454         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1455         * runtime/JSONObject.cpp:
1456         (JSC::Stringifier::Stringifier):
1457         (JSC::Stringifier::Holder::appendNextProperty):
1458         (JSC::Walker::walk):
1459         * runtime/JSObject.cpp:
1460         (JSC::JSObject::getOwnPropertyNames):
1461         * runtime/JSPropertyNameEnumerator.cpp:
1462         (JSC::JSPropertyNameEnumerator::create):
1463         * runtime/JSPropertyNameEnumerator.h:
1464         (JSC::propertyNameEnumerator):
1465         * runtime/JSSymbolTableObject.cpp:
1466         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1467         * runtime/ObjectConstructor.cpp:
1468         (JSC::objectConstructorGetOwnPropertyNames):
1469         (JSC::objectConstructorGetOwnPropertySymbols):
1470         (JSC::objectConstructorKeys):
1471         (JSC::defineProperties):
1472         (JSC::objectConstructorSeal):
1473         (JSC::objectConstructorFreeze):
1474         (JSC::objectConstructorIsSealed):
1475         (JSC::objectConstructorIsFrozen):
1476         * runtime/PropertyNameArray.h:
1477         (JSC::PropertyNameArray::PropertyNameArray):
1478         (JSC::PropertyNameArray::mode):
1479         (JSC::PropertyNameArray::addKnownUnique):
1480         (JSC::PropertyNameArray::add):
1481         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
1482         (JSC::PropertyNameArray::includeSymbolProperties):
1483         (JSC::PropertyNameArray::includeStringProperties):
1484         * runtime/StringObject.cpp:
1485         (JSC::StringObject::getOwnPropertyNames):
1486         * runtime/Structure.cpp:
1487         (JSC::Structure::getPropertyNamesFromStructure):
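
Added example (editor's model, not JavaScriptCore code): the two-layer design the entry describes, written as plain JavaScript. `PropertyNameMode` and the method names on `PropertyNameArray` follow the entry; the `getOwnPropertyNames` function, the `stats` counters and the constructed `bigArray` are assumptions made for the illustration. The point it shows is that the caller-side check is only a performance hint, while `add()` rejects wrong-typed keys regardless of who calls it.

```javascript
const PropertyNameMode = Object.freeze({ Symbols: "Symbols", Strings: "Strings", Both: "Both" });

class PropertyNameArray {
  constructor(mode) { this.mode = mode; this.keys = []; }
  includeSymbolProperties() { return this.mode !== PropertyNameMode.Strings; }
  includeStringProperties() { return this.mode !== PropertyNameMode.Symbols; }
  // Keys are either symbols or strings; the mode decides which kind is accepted.
  isUidMatchedToTypeMode(key) {
    return typeof key === "symbol" ? this.includeSymbolProperties()
                                   : this.includeStringProperties();
  }
  // The safety net: every producer goes through here, so a key of the wrong
  // type is dropped even when the producer did not consult the mode.
  add(key) {
    if (!this.isUidMatchedToTypeMode(key)) return false;
    this.keys.push(key);
    return true;
  }
}

// Array-index test for canonical numeric strings below 2^32 - 1.
function isArrayIndex(key) {
  return /^(0|[1-9]\d*)$/.test(key) && Number(key) < 2 ** 32 - 1;
}

// Producer side. The mode is read only to skip the expensive walk that turns
// every array index into a string; correctness does not depend on this branch.
function getOwnPropertyNames(object, array, stats) {
  if (Array.isArray(object) && array.includeStringProperties()) {
    for (let i = 0; i < object.length; i++) {
      if (i in object) { stats.indexConversions++; array.add(String(i)); }
    }
  }
  // Non-indexed keys are always offered; add() filters them by type.
  for (const key of Reflect.ownKeys(object)) {
    if (Array.isArray(object) && typeof key === "string" && isArrayIndex(key)) continue;
    stats.offered++;
    array.add(key);
  }
  return array.keys;
}

function collect(object, mode) {
  const stats = { indexConversions: 0, offered: 0 };
  const keys = getOwnPropertyNames(object, new PropertyNameArray(mode), stats);
  return { keys, stats };
}

// Constructed sample: a large non-holed array with one symbol-keyed property,
// the pathological input from the bug title.
const tag = Symbol("tag");
const bigArray = new Array(1000).fill(0);
bigArray[tag] = "symbol-keyed";
```

With `PropertyNameMode.Symbols` the walk over the 1000 indices is skipped entirely and only `tag` survives; with `Strings` the indices plus `length` are kept and `tag` is rejected by `add()`; with `Both` everything is kept.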
1488
1489 2015-07-24  Saam barati  <saambarati1@gmail.com>
1490
1491         [ES6] Add support for default parameters
1492         https://bugs.webkit.org/show_bug.cgi?id=38409
1493
1494         Reviewed by Filip Pizlo.
1495
1496         This patch implements ES6 default parameters according to the ES6
1497         specification. This patch builds off the components introduced with 
1498         "let" scoping and parsing function parameters in the same parser
1499         arena as the function itself. "let" scoping allows functions with default 
1500         parameter values to place their parameters under the TDZ. Parsing function
1501         parameters in the same parser arena allows the FunctionParameters AST node to
1502         refer to ExpressionNodes.
1503
1504         The most subtle part of this patch is how we allocate lexical environments
1505         when functions have default parameter values. If a function has default
1506         parameter values then there must be a separate lexical environment for
1507         its parameters. Then, the function's "var" lexical environment must have
1508         the parameter lexical environment as its parent. The BytecodeGenerator
1509         takes great care to not allocate the "var" lexical environment before it's
1510         really needed.
1511
1512         The "arguments" object for a function with default parameters will never be 
1513         a mapped arguments object. It will always be a cloned arguments object.
1514
1515         * bytecompiler/BytecodeGenerator.cpp:
1516         (JSC::BytecodeGenerator::generate):
1517         (JSC::BytecodeGenerator::BytecodeGenerator):
1518         (JSC::BytecodeGenerator::~BytecodeGenerator):
1519         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1520         (JSC::BytecodeGenerator::initializeNextParameter):
1521         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
1522         (JSC::BytecodeGenerator::visibleNameForParameter):
1523         (JSC::BytecodeGenerator::emitLoadGlobalObject):
1524         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1525         (JSC::BytecodeGenerator::pushLexicalScope):
1526         (JSC::BytecodeGenerator::popLexicalScope):
1527         * bytecompiler/BytecodeGenerator.h:
1528         (JSC::BytecodeGenerator::lastOpcodeID):
1529         * bytecompiler/NodesCodegen.cpp:
1530         (JSC::FunctionNode::emitBytecode):
1531         * jit/JITOperations.cpp:
1532         * parser/ASTBuilder.h:
1533         (JSC::ASTBuilder::createElementList):
1534         (JSC::ASTBuilder::createFormalParameterList):
1535         (JSC::ASTBuilder::appendParameter):
1536         (JSC::ASTBuilder::createClause):
1537         (JSC::ASTBuilder::createClauseList):
1538         * parser/Nodes.h:
1539         (JSC::FunctionParameters::size):
1540         (JSC::FunctionParameters::at):
1541         (JSC::FunctionParameters::hasDefaultParameterValues):
1542         (JSC::FunctionParameters::append):
1543         * parser/Parser.cpp:
1544         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1545         (JSC::Parser<LexerType>::createBindingPattern):
1546         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
1547         (JSC::Parser<LexerType>::parseDestructuringPattern):
1548         (JSC::Parser<LexerType>::parseFormalParameters):
1549         (JSC::Parser<LexerType>::parseFunctionParameters):
1550         * parser/Parser.h:
1551         (JSC::Scope::declareParameter):
1552         * parser/SyntaxChecker.h:
1553         (JSC::SyntaxChecker::createElementList):
1554         (JSC::SyntaxChecker::createFormalParameterList):
1555         (JSC::SyntaxChecker::appendParameter):
1556         (JSC::SyntaxChecker::createClause):
1557         (JSC::SyntaxChecker::createClauseList):
1558         * tests/stress/es6-default-parameters.js: Added.
1559         (assert):
1560         (shouldThrow):
1561         (shouldThrowSyntaxError):
1562         (shouldThrowTDZ):
1563         (basic):
1564         (basicFunctionCaptureInDefault.basicFunctionCaptureInDefault.basicCaptured):
1565         (basicCaptured.basicCaptured.tricky):
1566         (strict):
1567         (playground):
1568         (scoping):
1569         (augmentsArguments1):
1570         (augmentsArguments2):
1571         (augmentsArguments3):
1572         (augmentsArguments4):
1573         (augmentsArguments5):
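
Added example (editor's illustration, not from tests/stress/es6-default-parameters.js or any JavaScriptCore source): plain ES6 that makes the two facts stated in the entry observable from script, the TDZ on parameters with default values and the unmapped arguments object. The function names are constructed for the demonstration.

```javascript
// (1) Parameters with default values live in their own lexical environment and
// are initialized left to right. Until its own initializer has run, a parameter
// is in the TDZ, so a default that reads a later parameter throws a ReferenceError.
function readsLaterParameter(a = b, b = 1) {
  return a + b;
}

// Returns true when calling readsLaterParameter() with no arguments hits the TDZ.
function tdzIsObservable() {
  try {
    readsLaterParameter();
    return false;
  } catch (e) {
    return e instanceof ReferenceError;
  }
}

// Reading an earlier parameter is fine: it has already been initialized.
function readsEarlierParameter(a = 1, b = a + 1) {
  return [a, b];
}

// (2) A function with default parameter values never has a mapped arguments
// object. Writes to a parameter are not visible through arguments[i], and
// writes to arguments[i] do not change the parameter, in sloppy and strict
// mode alike.
function argumentsAreUnmapped(x, y = 0) {
  x = 42;                                  // write the parameter
  const argAfterParamWrite = arguments[0]; // still the original value
  arguments[0] = 7;                        // write the arguments object
  return { argAfterParamWrite, paramAfterArgWrite: x, y };
}
```

`argumentsAreUnmapped(1)` returns `{ argAfterParamWrite: 1, paramAfterArgWrite: 42, y: 0 }`; a sloppy-mode function without defaults would instead report 42 and 7, because its arguments object aliases the parameters.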
1574
1575 2015-07-24  Xabier Rodriguez Calvar  <calvaris@igalia.com>
1576
1577         Remove JS Promise constructor unused piece of code
1578         https://bugs.webkit.org/show_bug.cgi?id=147262
1579
1580         Reviewed by Geoffrey Garen.
1581
1582         * runtime/JSPromiseConstructor.cpp:
1583         (JSC::constructPromise): Deleted.
1584         * runtime/JSPromiseConstructor.h: Removed JSC::constructPromise.
1585
1586 2015-07-24  Mark Lam  <mark.lam@apple.com>
1587
1588         Add WASM files to vcxproj files.
1589         https://bugs.webkit.org/show_bug.cgi?id=147264
1590
1591         Reviewed by Geoffrey Garen.
1592
1593         This is a follow up to http://trac.webkit.org/changeset/187254 where WASM files
1594         were introduced but were not able to be added to the vcxproj files yet.
1595
1596         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1597         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1598
1599 2015-07-23  Filip Pizlo  <fpizlo@apple.com>
1600
1601         DFG::safeToExecute() is wrong for MultiGetByOffset, doesn't consider the structures of the prototypes that get loaded from
1602         https://bugs.webkit.org/show_bug.cgi?id=147250
1603
1604         Reviewed by Geoffrey Garen.
1605         
1606         This fixes a nasty - but currently benign - bug in DFG::safeToExecute(). That function
1607         will tell you if hoisting a node to some point is safe in the sense that the node will
1608         not crash the VM if it executes at that point. A node may be unsafe to execute if we
1609         cannot prove that at that point, the memory it is loading is not garbage. This is a
1610         necessarily loose notion - for example it's OK to hoist a load if we haven't proved
1611         that the load makes semantic sense at that point, since anyway the place where the node
1612         did get used will still be guarded by any such semantic checks. But because we may also
1613         hoist uses of the load, we need to make sure that it doesn't produce a garbage value.
1614         Also, we need to ensure that the load won't trap. Hence safeToExecute() returns true
1615         anytime we can be sure that a node will not produce a garbage result (i.e. a malformed
1616         JSValue or object pointer) and will not trap when executed at the point in question.
1617         
1618         The bug is that this verification isn't performed for the loads from prototypes inside
1619         MultiGetByOffset. DFG::ByteCodeParser will guard MultiGetByOffset with CheckStructure's
1620         on the prototypes. So, hypothetically, you might end up hoisting a MultiGetByOffset
1621         above those structure checks, which would mean that we might load a value from a memory
1622         location without knowing that the location is valid. It might then return the value
1623         loaded.
1624         
1625         This never happens in practice. Those structure checks are more hoistable than the
1626         MultiGetByOffset, since they read a strict subset of the MultiGetByOffset's abstract
1627         heap reads. Also, we hoist in program order. So, those CheckStructure's will always be
1628         hoisted before the MultiGetByOffset gets hoisted.
1629         
1630         But we should fix this anyway. DFG::safeToExecute() has a clear definition of what a
1631         "true" return means for IR transformations, and it fails in satisfying that definition
1632         for MultiGetByOffset.
1633         
1634         There are various approaches we can use for making this safe. I considered two:
1635         
1636         1) Have MultiGetByOffset refer to the prototypes it is loading from in IR, so that we
1637            can check if it's safe to load from them.
1638         
1639         2) Turn off MultiGetByOffset hoisting when it will emit loads from prototypes, and the
1640            prototype structure isn't being watched.
1641         
1642         I ended up using (2), because it will be the most natural solution once I finish
1643         https://bugs.webkit.org/show_bug.cgi?id=146929. Already now, it's somewhat more natural
1644         than (1) since that requires more extensive IR changes. Also, (2) will give us what we
1645         want in *most* cases: we will usually watch the prototype structure, and we will
1646         usually constant-fold loads from prototypes. Both of these usually-true things would
1647         have to become false for MultiGetByOffset hoisting to be disabled by this change.
1648         
1649         This change also adds my attempt at a test, though it's not really a test of this bug.
1650         This bug is currently benign. But, the test does at least trigger the logic to run,
1651         which is better than nothing.
1652
1653         * dfg/DFGSafeToExecute.h:
1654         (JSC::DFG::safeToExecute):
1655         * tests/stress/multi-get-by-offset-hoist-around-structure-check.js: Added.
1656         (foo):
1657
1658 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1659
1660         Implement WebAssembly modules
1661         https://bugs.webkit.org/show_bug.cgi?id=147222
1662
1663         Reviewed by Filip Pizlo.
1664
1665         Make JSWASMModule inherit from JSDestructibleObject so that the destructor is called.
1666
1667         * wasm/JSWASMModule.h:
1668
1669 2015-07-23  Alex Christensen  <achristensen@webkit.org>
1670
1671         Remove compile and runtime flags for promises.
1672         https://bugs.webkit.org/show_bug.cgi?id=147244
1673
1674         Reviewed by Yusuke Suzuki.
1675
1676         * API/JSCallbackObjectFunctions.h:
1677         (JSC::JSCallbackObject<Parent>::JSCallbackObject):
1678         * API/JSContextRef.cpp:
1679         (JSGlobalContextCreateInGroup):
1680         * Configurations/FeatureDefines.xcconfig:
1681         * inspector/JSInjectedScriptHost.cpp:
1682         (Inspector::JSInjectedScriptHost::getInternalProperties):
1683         * runtime/JSGlobalObject.cpp:
1684         (JSC::JSGlobalObject::init):
1685         (JSC::JSGlobalObject::visitChildren):
1686         * runtime/JSGlobalObject.h:
1687         (JSC::JSGlobalObject::create):
1688         (JSC::JSGlobalObject::syntaxErrorConstructor):
1689         (JSC::JSGlobalObject::typeErrorConstructor):
1690         (JSC::JSGlobalObject::URIErrorConstructor):
1691         (JSC::JSGlobalObject::promiseConstructor):
1692         (JSC::JSGlobalObject::nullGetterFunction):
1693         (JSC::JSGlobalObject::nullSetterFunction):
1694         (JSC::JSGlobalObject::applyFunction):
1695         (JSC::JSGlobalObject::definePropertyFunction):
1696         (JSC::JSGlobalObject::arrayProtoValuesFunction):
1697         (JSC::JSGlobalObject::initializePromiseFunction):
1698         (JSC::JSGlobalObject::newPromiseDeferredFunction):
1699         (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
1700         (JSC::JSGlobalObject::regExpPrototype):
1701         (JSC::JSGlobalObject::errorPrototype):
1702         (JSC::JSGlobalObject::iteratorPrototype):
1703         (JSC::JSGlobalObject::promisePrototype):
1704         (JSC::JSGlobalObject::debuggerScopeStructure):
1705         (JSC::JSGlobalObject::withScopeStructure):
1706         (JSC::JSGlobalObject::iteratorResultStructure):
1707         (JSC::JSGlobalObject::iteratorResultStructureOffset):
1708         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
1709         (JSC::JSGlobalObject::promiseStructure):
1710         * runtime/JSPromise.cpp:
1711         (JSC::JSPromise::result):
1712         * runtime/JSPromise.h:
1713         * runtime/JSPromiseConstructor.cpp:
1714         (JSC::constructPromise):
1715         * runtime/JSPromiseConstructor.h:
1716         * runtime/JSPromiseDeferred.cpp:
1717         (JSC::JSPromiseDeferred::visitChildren):
1718         * runtime/JSPromiseDeferred.h:
1719         * runtime/JSPromisePrototype.cpp:
1720         (JSC::JSPromisePrototype::getOwnPropertySlot):
1721         * runtime/JSPromisePrototype.h:
1722         * runtime/RuntimeFlags.h:
1723         * runtime/VM.cpp:
1724         (JSC::VM::VM):
1725         * runtime/VM.h:
1726
1727 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1728
1729         Implement WebAssembly modules
1730         https://bugs.webkit.org/show_bug.cgi?id=147222
1731
1732         Reviewed by Mark Lam.
1733
1734         Introducing the boilerplate data structure for the WebAssembly module.
1735         WebAssembly functionality will be added in a subsequent patch.
1736
1737         * CMakeLists.txt:
1738         * JavaScriptCore.xcodeproj/project.pbxproj:
1739         * wasm/JSWASMModule.cpp: Added.
1740         (JSC::JSWASMModule::visitChildren):
1741         * wasm/JSWASMModule.h: Added.
1742         (JSC::JSWASMModule::create):
1743         (JSC::JSWASMModule::createStructure):
1744         (JSC::JSWASMModule::JSWASMModule):
1745
1746 2015-07-23  Devin Rousso  <drousso@apple.com>
1747
1748         Web Inspector: Add a function to CSSCompletions to get a list of supported system fonts
1749         https://bugs.webkit.org/show_bug.cgi?id=147009
1750
1751         Reviewed by Joseph Pecoraro.
1752
1753         * inspector/protocol/CSS.json: Added getSupportedSystemFontFamilyNames function.
1754
1755 2015-07-22  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1756
1757         Add ENABLE_WEBASSEMBLY feature flag for WebAssembly
1758         https://bugs.webkit.org/show_bug.cgi?id=147212
1759
1760         Reviewed by Filip Pizlo.
1761
1762         * Configurations/FeatureDefines.xcconfig:
1763
1764 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
1765
1766         Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time
1767         https://bugs.webkit.org/show_bug.cgi?id=147218
1768
1769         Reviewed by Sam Weinig.
1770         
1771         I want to be able to take a UniquedStringImpl* and turn it into an identifierNumber at
1772         various points in my work on https://bugs.webkit.org/show_bug.cgi?id=146929. Currently,
1773         most Nodes that deal with identifiers use identifierNumbers and you can only create an
1774         identifierNumber in BytecodeGenerator. DFG::ByteCodeParser does sort of have the
1775         ability to create new identifierNumbers when inlining - it takes the inlined code's
1776         identifiers and either gives them new numbers or reuses numbers from the enclosing
1777         code.
1778         
1779         This patch takes that basic functionality and puts it in
1780         DFG::DesiredIdentifiers::ensure(). Anyone can call this at any time to turn a
1781         UniquedStringImpl* into an identifierNumber. This data structure is already used by
1782         Plan to properly install any newly created identifier table entries into the CodeBlock.
1783
1784         * dfg/DFGByteCodeParser.cpp:
1785         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1786         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
1787         (JSC::DFG::ByteCodeParser::linkBlocks):
1788         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1789         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): Deleted.
1790         * dfg/DFGDesiredIdentifiers.cpp:
1791         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
1792         (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
1793         (JSC::DFG::DesiredIdentifiers::ensure):
1794         (JSC::DFG::DesiredIdentifiers::at):
1795         (JSC::DFG::DesiredIdentifiers::addLazily): Deleted.
1796         * dfg/DFGDesiredIdentifiers.h:
1797
1798 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
1799
1800         Simplify things like CompareEq(@x,@x)
1801         https://bugs.webkit.org/show_bug.cgi?id=145850
1802
1803         Reviewed by Sam Weinig.
1804         
1805         This simplifies x==x to true, except in cases where x might be a double (in which case this
1806         might still be false if x is NaN).
1807
1808         * dfg/DFGAbstractInterpreterInlines.h:
1809         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1810         * tests/stress/nan-equal-untyped.js: Added.
1811         (foo):
1812         (test):
1813         * tests/stress/nan-equal.js: Added.
1814         (foo):
1815
1816 2015-07-22  Joseph Pecoraro  <pecoraro@apple.com>
1817
1818         Web Inspector: Timeline should immediately start moving play head when starting a new recording
1819         https://bugs.webkit.org/show_bug.cgi?id=147210
1820
1821         Reviewed by Timothy Hatcher.
1822
1823         * inspector/protocol/Timeline.json:
1824         Add timestamps to recordingStarted and recordingStopped events.
1825
1826 2015-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1827
1828         Introducing construct ability into JS executables
1829         https://bugs.webkit.org/show_bug.cgi?id=147183
1830
1831         Reviewed by Geoffrey Garen.
1832
1833         Decouple the construct ability from the builtin functions.
1834         Currently, all builtin functions are not constructors after r182995.
1835         In that patch, when the given function is a builtin JS function, we recognize it as a non-constructor function.
1836
1837         But, we need to relax it to implement some constructors in builtin JS.
1838         By decoupling the construct ability from whether the function is builtin or not, we can provide
1839
1840         1. constructors written in builtin JS
1841         2. non-constructors in normal JS functions
1842
1843         (1) is needed for Promise constructor.
1844         And (2) is needed for method functions and arrow functions.
1845
1846         This patch introduces ConstructAbility into the unlinked function executables.
1847         It holds whether the given JS function has the construct ability or not.
1848         By leveraging this, this patch disables the construct ability of the method definitions, setters, getters and arrow functions.
1849
1850         And at the same time, this patch introduces the annotation for constructor in builtin JS.
1851         We can define the function as follows,
1852
1853             constructor Promise(executor)
1854             {
1855                 ...
1856             }
1857
1858         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1859         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1860         * JavaScriptCore.xcodeproj/project.pbxproj:
1861         * builtins/BuiltinExecutables.cpp:
1862         (JSC::BuiltinExecutables::createDefaultConstructor):
1863         (JSC::BuiltinExecutables::createExecutableInternal):
1864         * builtins/BuiltinExecutables.h:
1865         * builtins/Iterator.prototype.js:
1866         (symbolIterator):
1867         (SymbolIterator): Deleted.
1868         * bytecode/UnlinkedCodeBlock.cpp:
1869         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1870         * bytecode/UnlinkedCodeBlock.h:
1871         * bytecompiler/BytecodeGenerator.h:
1872         (JSC::BytecodeGenerator::makeFunction):
1873         * generate-js-builtins:
1874         (getCopyright):
1875         (Function):
1876         (Function.__init__):
1877         (Function.mangleName):
1878         (getFunctions):
1879         (mangleName): Deleted.
1880         * jit/JITOperations.cpp:
1881         * llint/LLIntSlowPaths.cpp:
1882         (JSC::LLInt::setUpCall):
1883         * parser/Parser.cpp:
1884         (JSC::Parser<LexerType>::parseClass):
1885         * runtime/CodeCache.cpp:
1886         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1887         * runtime/CommonIdentifiers.h:
1888         * runtime/ConstructAbility.h: Copied from Source/JavaScriptCore/builtins/Iterator.prototype.js.
1889         * runtime/Executable.h:
1890         * runtime/JSFunction.cpp:
1891         (JSC::JSFunction::getConstructData):
1892         * runtime/JSGlobalObject.cpp:
1893         (JSC::JSGlobalObject::init):
1894         * tests/stress/non-constructors.js: Added.
1895         (shouldThrow):
1896         (.prototype.method):
1897         (.prototype.get getter):
1898         (.prototype.set setter):
1899         (.method):
1900         (.get shouldThrow):
1901         (.set shouldThrow):
1902         (set var.test.get getter):
1903         (set var.test.set setter):
1904         (set var.test.normal):
1905         (.set var):
1906         (.set new):
1907
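
Added example (editor's illustration, not from tests/stress/non-constructors.js or any JavaScriptCore source): a side-effect-free probe for the construct ability the entry introduces, applied to each kind of function it mentions. `Reflect.construct` checks `IsConstructor` on its `newTarget` argument before running anything, so passing the candidate there reports constructability without calling it. The `isConstructor` and `classify` names and the `samples` table are constructed for the demonstration.

```javascript
// True when f passes IsConstructor, false otherwise. Reflect.construct throws a
// TypeError for a non-constructor newTarget before any code in f can run.
function isConstructor(f) {
  try {
    Reflect.construct(String, [], f);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Constructed sample: one representative of each function kind.
const samples = {
  declaration: function f() {},
  classCtor: class C {},
  builtinCtor: Promise,
  boundFn: (function b() {}).bind(null),
  arrow: () => {},
  method: ({ m() {} }).m,
  getter: Object.getOwnPropertyDescriptor({ get g() { return 1; } }, "g").get,
  setter: Object.getOwnPropertyDescriptor({ set s(v) {} }, "s").set,
  generator: function* gen() {},
  asyncFn: async function af() {},
  builtinNonCtor: Math.max,
};

// Map each sample name to its construct ability.
function classify() {
  const out = {};
  for (const [name, fn] of Object.entries(samples)) out[name] = isConstructor(fn);
  return out;
}
```

Method definitions, getters, setters and arrow functions come out as non-constructors, matching the kinds the entry disables; ordinary function declarations, classes, bound functions of constructors and builtin constructors such as `Promise` come out as constructors. `new` on a non-constructor throws a TypeError, which is what the entry's `shouldThrow` cases check.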
1908 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
1909
1910         [JSC] Enable exception fuzzing for GCC too
1911         https://bugs.webkit.org/show_bug.cgi?id=146831
1912
1913         Reviewed by Darin Adler.
1914
1915         * jit/JITOperations.cpp:
1916
1917 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
1918
1919         Fixed pool allocation should always be aligned
1920         https://bugs.webkit.org/show_bug.cgi?id=147201
1921
1922         Reviewed by Simon Fraser.
1923         
1924         Passing an unaligned size to the allocator can cause asserts or even worse things. The
1925         Options reservation value isn't going to be aligned.
1926
1927         * jit/ExecutableAllocatorFixedVMPool.cpp:
1928         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1929
1930 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
1931
1932         Enable STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE for GCC
1933         https://bugs.webkit.org/show_bug.cgi?id=146829
1934
1935         Reviewed by Brent Fulgham.
1936
1937         * heap/GCAssertions.h:
1938
1939 2015-07-22  Alex Christensen  <achristensen@webkit.org>
1940
1941         Fix quirks in CMake build on Mac and Windows
1942         https://bugs.webkit.org/show_bug.cgi?id=147174
1943
1944         Reviewed by Gyuyoung Kim.
1945
1946         * PlatformMac.cmake:
1947         Add JSRemoteInspector.cpp and remove semicolon from command to make it actually run.
1948
1949 2015-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1950
1951         Add newTarget accessor to JS constructor written in C++
1952         https://bugs.webkit.org/show_bug.cgi?id=147160
1953
1954         Reviewed by Geoffrey Garen.
1955
1956         This patch adds `ExecState#newTarget()` which returns `new.target` defined in ECMA262 6th.
1957         It enables some C++ constructors (like Intl.XXX constructors) to leverage this to complete
1958         their implementation.
1959
1960         When the constructor is called, |this| in the arguments is used for storing new.target instead.
1961         So by adding the accessor for |this|, a JS constructor written in C++ can access new.target.
1962
1963         And at the same time, this patch extends the existing `construct` to accept new.target value.
1964         It corresponds to the spec's Construct abstract operation.
1965
1966         * interpreter/CallFrame.h:
1967         (JSC::ExecState::newTarget):
1968         * interpreter/Interpreter.cpp:
1969         (JSC::Interpreter::executeConstruct):
1970         * interpreter/Interpreter.h:
1971         * runtime/ConstructData.cpp:
1972         (JSC::construct):
1973         * runtime/ConstructData.h:
1974         (JSC::construct):
1975
1976 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
1977
1978         Unreviewed, fix a lot of tests. Need to initialize WTF threading sooner.
1979
1980         * jsc.cpp:
1981         (main):
1982
1983 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
1984
1985         Fixed VM pool allocation should have a reserve for allocations that cannot fail
1986         https://bugs.webkit.org/show_bug.cgi?id=147154
1987         rdar://problem/21847618
1988
1989         Reviewed by Geoffrey Garen.
1990         
1991         This adds the notion of a JIT pool reserve fraction. Some fraction, currently 1/4, of
1992         the JIT pool is reserved for allocations that cannot fail. It makes sense to make this
1993         a fraction rather than a constant because each allocation that can fail may cause some
1994         number of allocations that cannot fail (for example, the OSR exit thunks that we
1995         compile when we exit from some CodeBlock cannot fail).
1996         
1997         I've tested this by adding a test mode where we artificially limit the JIT pool size.
1998         Prior to the fix, we had >20 failures. Now we have none.
1999
2000         * heap/GCLogging.cpp:
2001         (WTF::printInternal): I needed a dump method on Options members when debugging this.
2002         * heap/GCLogging.h:
2003         * jit/ExecutableAllocator.h: Raise the ARM64 limit to 32MB because 16MB is cutting it too close.
2004         * jit/ExecutableAllocatorFixedVMPool.cpp:
2005         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Add the ability to artificially limit JIT pool size for testing.
2006         (JSC::ExecutableAllocator::memoryPressureMultiplier): Implement the reserve when computing memory pressure for JIT tier-up heuristics.
2007         (JSC::ExecutableAllocator::allocate): Implement the reserve when allocating can-fail things.
2008         * jsc.cpp: Rewire some options parsing so that CommandLine happens before we create the JIT pool.
2009         (main):
2010         (CommandLine::parseArguments):
2011         (jscmain):
2012         * runtime/Options.cpp: 
2013         (JSC::OptionRange::dump): I needed a dump method on Options members when debugging this.
2014         (JSC::Options::initialize): This can now be called more than once.
2015         * runtime/Options.h:
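
The reserve described in the entry above, modelled as an added example in JavaScript. This is not JavaScriptCore's allocator (that is the C++ in jit/ExecutableAllocatorFixedVMPool.cpp); the class name, the method names and the pressure formula are illustrative assumptions. It shows the invariant the entry relies on: allocations that may fail are refused once they would eat into the reserved fraction, so the allocations that cannot fail (the OSR exit thunks) still find room instead of crashing the process when the pool is nearly full.

```javascript
// Added example, not JavaScriptCore's code: a model of a fixed-size JIT pool
// with a reserve fraction for allocations that must not fail. Names and the
// pressure formula are illustrative assumptions.
"use strict";

class ReservedPool {
  constructor(capacityBytes, reserveFraction = 1 / 4) {
    this.capacity = capacityBytes;
    this.reserveBytes = Math.floor(capacityBytes * reserveFraction);
    this.used = 0;
  }

  // Bytes a can-fail allocation may still take before touching the reserve.
  get softLimit() {
    return this.capacity - this.reserveBytes;
  }

  // Can-fail allocation (e.g. an optimizing compile). Returns the offset of
  // the block, or null when granting it would eat into the reserve.
  allocateCanFail(bytes) {
    if (this.used + bytes > this.softLimit) return null;
    const offset = this.used;
    this.used += bytes;
    return offset;
  }

  // Must-succeed allocation (e.g. an OSR exit thunk emitted while leaving a
  // CodeBlock). It may consume the reserve; exhausting even that is fatal.
  allocateMustSucceed(bytes) {
    if (this.used + bytes > this.capacity) {
      throw new Error("JIT pool exhausted including reserve");
    }
    const offset = this.used;
    this.used += bytes;
    return offset;
  }

  // Pressure in [0, 1] for tier-up heuristics, measured against the share
  // that can-fail allocations are allowed to use, not the whole pool.
  memoryPressure() {
    return Math.min(1, this.used / this.softLimit);
  }
}

// Walks a pool through the scenario from the entry: a big can-fail
// allocation, a refused one, then must-succeed thunks landing in the reserve.
function runScenario() {
  const pool = new ReservedPool(1000);           // soft limit 750, reserve 250
  const first = pool.allocateCanFail(700);       // 700 <= 750: granted at 0
  const second = pool.allocateCanFail(100);      // 800 > 750: refused
  const thunk = pool.allocateMustSucceed(200);   // uses the reserve: used = 900
  let fatal = false;
  try {
    pool.allocateMustSucceed(150);               // 1050 > 1000: nothing left
  } catch (e) {
    fatal = true;
  }
  return { first, second, thunk, fatal, used: pool.used, pressure: pool.memoryPressure() };
}
```

The point of making the reserve a fraction rather than a constant is visible in runScenario: the refused can-fail allocation is what keeps the 200-byte thunk from being the one that fails.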

2015-07-21  Saam barati  <saambarati1@gmail.com>

        ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier"
        https://bugs.webkit.org/show_bug.cgi?id=147156

        Reviewed by Andreas Kling.

        * parser/Nodes.h:

2015-07-21  Basile Clement  <basile_clement@apple.com>

        Object allocation sinking phase is performing needless HashMap copies
        https://bugs.webkit.org/show_bug.cgi?id=147159

        Reviewed by Geoffrey Garen.

        The points-to analyzer in the object allocation sinking phase is
        currently performing copies of its allocation and pointers tables in
        several places. While this is not a huge problem since those tables are
        usually small and we are in the FTL path anyway, we still shouldn't be
        doing such useless copying.

        This patch also removes the DFGInsertOSRHintsForUpdate files that are
        no longer needed with the new object sinking phase and should have been
        removed in r186795.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGInsertOSRHintsForUpdate.cpp: Removed.
        (JSC::DFG::insertOSRHintsForUpdate): Deleted.
        * dfg/DFGInsertOSRHintsForUpdate.h: Removed.
        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2015-07-21  Saam barati  <saambarati1@gmail.com>

        DestructuringPatternNode and DestructuringAssignmentNode should be ParserArenaFreeable
        https://bugs.webkit.org/show_bug.cgi?id=147140

        Reviewed by Geoffrey Garen.

        The descendants of DestructuringPatternNode that need destruction also
        inherit from ParserArenaDeletable.

        * parser/Nodes.h:
        (JSC::DestructuringPatternNode::~DestructuringPatternNode):
        (JSC::ObjectPatternNode::appendEntry):
        (JSC::DestructuringAssignmentNode::bindings):

2015-07-21  Keith Miller  <keith_miller@apple.com>

        Add support for the new.target syntax.
        https://bugs.webkit.org/show_bug.cgi?id=147051

        Reviewed by Yusuke Suzuki.

        Add support for new.target. Essentially the implementation is, before constructor calls,
        the target of a "new" is placed where "this" normally goes in the calling convention.
        Then in the constructor before object is initialized we move the target of the "new"
        into a local variable.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::NewTargetNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::newTargetExpr):
        * parser/NodeConstructors.h:
        (JSC::NewTargetNode::NewTargetNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::newTargetExpr):
        * runtime/CommonIdentifiers.h:
        * tests/stress/new-target.js: Added.
        (test):
        (call):
        (Constructor.subCall):
        (Constructor.SubConstructor):
        (Constructor):
        (noAssign):
        (doWeirdThings):
        (SuperClass):
        (SubClass):
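
Added example in JavaScript, not JavaScriptCore's code and not the new-target.js test the entry lists: the observable semantics of new.target that the entry above implements, together with Reflect.construct passing an explicit new target, which is the Construct abstract operation that the `construct` change at the top of this section accepts a new.target value for. The names Base, Sub, Other, Outer and lastTarget are illustrative.

```javascript
// Added example, not JavaScriptCore's code: what new.target evaluates to on
// each way into a constructor. Names are illustrative.
"use strict";

let lastTarget = "unset"; // what Base most recently observed as new.target

function Base() {
  lastTarget = new.target;
}

class Sub extends Base {} // implicit constructor forwards new.target via super()

function Other() {}

function Outer() {
  // Arrow functions have no new.target of their own; they read Outer's.
  lastTarget = (() => new.target)();
}

// Exercises each entry path and records the new.target seen inside.
function observeNewTarget() {
  const seen = {};

  Base();                                   // plain call: no target
  seen.plainCall = lastTarget;

  new Base();                               // direct construction
  seen.newBase = lastTarget;

  new Sub();                                // derived construction
  seen.newSub = lastTarget;

  // The spec's Construct operation with an explicit newTarget: Base's body
  // runs, but the fresh object is created from Other.prototype, not from
  // Base.prototype. This is the value worth auditing when a constructor is
  // reachable through Reflect.construct with attacker-chosen arguments.
  const viaReflect = Reflect.construct(Base, [], Other);
  seen.reflectOther = lastTarget;
  seen.reflectProto = Object.getPrototypeOf(viaReflect) === Other.prototype;

  new Outer();
  seen.arrowInsideNew = lastTarget;

  return seen;
}
```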

2015-07-20  Saam barati  <saambarati1@gmail.com>

        "let" scoping introduced incoherent story about symbol table cloning
        https://bugs.webkit.org/show_bug.cgi?id=147046

        Reviewed by Filip Pizlo.

        This patch now establishes a clear set of rules for how SymbolTables
        are owned by CodeBlock. Every SymbolTable that is used by a bytecode
        instruction must live in CodeBlock's constant register pool. When CodeBlock
        is being linked, it ensures that every SymbolTable in the constant pool is cloned.
        This leaves no room for an un-cloned symbol table to be used by a bytecode instruction.
        Some instructions may refer to SymbolTables indirectly through a JSLexicalEnvironment.
        This is fine, all JSLexicalEnvironments are allocated with references to cloned symbol tables.

        Another goal of this patch is to remove the notion that a SymbolTable is 1 to 1
        with a CodeBlock. With lexical scoping, this view of the world is no longer
        correct. This patch begins to remove this assumption by making CodeBlock's
        symbolTable() getter method private. There is still one place where we need
        to purge our codebase of this assumption and that is the type profiler. It
        has not been updated for lexical scoping. After it is updated in
        https://bugs.webkit.org/show_bug.cgi?id=145438
        we will be able to remove CodeBlock's symbolTable() getter entirely.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::nameForRegister):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addStringSwitchJumpTable):
        (JSC::CodeBlock::stringSwitchJumpTable):
        (JSC::CodeBlock::evalCodeCache):
        (JSC::CodeBlock::symbolTable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addExceptionHandler):
        (JSC::UnlinkedCodeBlock::exceptionHandler):
        (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
        (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
        (JSC::UnlinkedCodeBlock::symbolTable): Deleted.
        (JSC::UnlinkedCodeBlock::setSymbolTable): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::pushLexicalScope):
        (JSC::BytecodeGenerator::variableForLocalEntry):
        (JSC::BytecodeGenerator::createVariable):
        (JSC::BytecodeGenerator::resolveType):
        (JSC::BytecodeGenerator::emitResolveScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::thisRegister):
        (JSC::BytecodeGenerator::instructions):
        (JSC::BytecodeGenerator::symbolTable): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::baselineCodeBlockFor):
        (JSC::DFG::Graph::isStrictModeFor):
        (JSC::DFG::Graph::symbolTableFor): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::baselineCodeBlock):
        (JSC::AssemblyHelpers::argumentsStart):
        (JSC::AssemblyHelpers::symbolTableFor): Deleted.
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::visitChildren):
        (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
        (JSC::FunctionExecutable::symbolTable): Deleted.
        * runtime/Executable.h:

2015-07-18  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(186691): OSR entry is broken on loop headers that have no live variables
        https://bugs.webkit.org/show_bug.cgi?id=147074
        rdar://problem/21869970

        Reviewed by Michael Saboff.

        The OSR entry must-handle block/value widening introduced in r186691 would cause the
        CFA to reexecute if it caused any live local variables to change value. But this fails
        if the must-handle block has no live local variables, and the entry block otherwise
        appears to be unreachable.

        This fixes the bug by having the change detection include whether the block hadn't been
        visited in addition to whether any local variable values got widened.

        This is a ~4% speed-up on SunSpider in browser.

        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):

2015-07-20  Mark Lam  <mark.lam@apple.com>

        Rollout r187020 and r187021: breaks JSC API tests on debug builds.
        https://bugs.webkit.org/show_bug.cgi?id=147110

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::willDestroyVM):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::vm):
        (JSC::JSLock::hasExclusiveThread):
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.h:
        (JSC::VM::hasExclusiveThread):
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):

2015-07-20  Per Arne Vollan  <peavo@outlook.com>

        Unreviewed debug build fix after r187020.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        VM::exclusiveThread() has changed return type to ThreadIdentifier.

2015-07-20  Per Arne Vollan  <peavo@outlook.com>

        JavaScriptCore performance is very bad on Windows
        https://bugs.webkit.org/show_bug.cgi?id=146448

        Reviewed by Mark Lam.

        Profiling shows that std::this_thread::get_id() is slow on Windows.
        Use WTF::currentThread() instead, which calls GetCurrentThreadId().
        This is faster on Windows. The issue has been reported to Microsoft,
        https://connect.microsoft.com/VisualStudio/feedback/details/1558211.

        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::willDestroyVM):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/JSLock.h:
        (JSC::JSLock::vm):
        (JSC::JSLock::hasExclusiveThread):
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.h:
        (JSC::VM::hasExclusiveThread):
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):

2015-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        In strict mode, `Object.keys(arguments)` includes "length"
        https://bugs.webkit.org/show_bug.cgi?id=147071

        Reviewed by Darin Adler.

        ClonedArguments didn't set the "length" with DontEnum.

        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        * tests/stress/arguments-length-always-dont-enum.js: Added.
        (shouldBe):
        (argsSloppy):
        (argsStrict):
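
Added example in JavaScript, not JavaScriptCore's code and not the arguments-length-always-dont-enum.js test the entry lists: two probes that report what Object.keys(arguments) returns and whether "length" is enumerable in a sloppy and in a strict function. They also show the parameter aliasing that distinguishes the mapped sloppy-mode arguments object from the cloned strict-mode one, which is why strict mode takes the ClonedArguments path the entry fixes. Function names are illustrative.

```javascript
// Added example, not JavaScriptCore's code. No file-level "use strict" here on
// purpose: argsSloppy must run as sloppy code to get a mapped arguments object.

function argsSloppy(a) {
  a = 42; // in a sloppy script this write is visible through arguments[0]
  return {
    keys: Object.keys(arguments),
    lengthEnumerable: Object.getOwnPropertyDescriptor(arguments, "length").enumerable,
    aliased: arguments[0] === 42,
  };
}

function argsStrict(a) {
  "use strict";
  a = 42; // unmapped (cloned) arguments object: parameters are not aliased
  return {
    keys: Object.keys(arguments),
    lengthEnumerable: Object.getOwnPropertyDescriptor(arguments, "length").enumerable,
    aliased: arguments[0] === 42,
  };
}

// Runs both probes with a single argument. On an engine with the fix, both
// report keys ["0"] and a non-enumerable length; before it, the strict probe
// would also list "length".
function compareArguments() {
  return { sloppy: argsSloppy(1), strict: argsStrict(1) };
}
```

The enumerability check is the one to keep in a regression suite: code that serialises or copies arguments with a for-in or Object.keys loop silently picks up "length" as data when the attribute is wrong.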

2015-07-19  Jordan Harband  <ljharb@gmail.com>

        new Date(NaN).toJSON() must return null instead of throwing a TypeError
        https://bugs.webkit.org/show_bug.cgi?id=141115

        Reviewed by Yusuke Suzuki.

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON):

2015-07-19  Saam barati  <saambarati1@gmail.com>

        Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions
        https://bugs.webkit.org/show_bug.cgi?id=147090

        Reviewed by Yusuke Suzuki.

        ArrowFunctions have their ParserFunctionInfo "name" field set to
        a non-null pointer. This is obviously allowed and valid, except we
        had a RELEASE_ASSERT that claimed otherwise. This is a mistake.

        Note: ArrowFunctions will never actually have a function name;
        their ParserFunctionInfo "name" field will be the empty string.
        This is not to be mistaken for the name field being a null pointer.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):

2015-07-18  Saam barati  <saambarati1@gmail.com>

        [ES6] Add support for block scope const
        https://bugs.webkit.org/show_bug.cgi?id=31813

        Reviewed by Filip Pizlo.

        'const' is now implemented in an ES6 spec compliant manner.
        'const' variables are always block scoped and always live
        either on the stack or in a JSLexicalEnvironment. 'const'
        variables never live on the global object.

        Inside the BytecodeGenerator, when assigning to a stack
        'const' variable or a LocalClosureVar 'const' variable,
        we will emit code that just throws a type error.
        When assigning to a ClosureVar const variable, CodeBlock linking
        will ensure that we perform a dynamic lookup of that variable so
        that put_to_scope's slow path throws a type error.

        The old 'const' implementation has been removed in this patch.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::pushLexicalScope):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::variableForLocalEntry):
        (JSC::BytecodeGenerator::createVariable):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitInstanceOf):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::isArgumentNumber):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::variablePerSymbolTable): Deleted.
        (JSC::BytecodeGenerator::emitInitGlobalConst): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Variable::Variable):
        (JSC::Variable::isReadOnly):
        (JSC::Variable::isSpecial):
        (JSC::Variable::isConst):
        (JSC::BytecodeGenerator::thisRegister):
        (JSC::BytecodeGenerator::emitTypeOf):
        (JSC::BytecodeGenerator::emitIn):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::CommaNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        (JSC::ConstDeclNode::emitCodeSingle): Deleted.
        (JSC::ConstDeclNode::emitBytecode): Deleted.
        (JSC::ConstStatementNode::emitBytecode): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const): Deleted.
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createDeclarationStatement):
        (JSC::ASTBuilder::createEmptyVarExpression):
        (JSC::ASTBuilder::createDebugger):
        (JSC::ASTBuilder::appendStatement):
        (JSC::ASTBuilder::createVarStatement): Deleted.
        (JSC::ASTBuilder::createLetStatement): Deleted.
        (JSC::ASTBuilder::createConstStatement): Deleted.
        (JSC::ASTBuilder::appendConstDecl): Deleted.
        * parser/NodeConstructors.h:
        (JSC::CommaNode::CommaNode):
        (JSC::SourceElements::SourceElements):
        (JSC::SwitchNode::SwitchNode):
        (JSC::BlockNode::BlockNode):
        (JSC::ConstStatementNode::ConstStatementNode): Deleted.
        (JSC::ConstDeclNode::ConstDeclNode): Deleted.
        * parser/Nodes.h:
        (JSC::ConstDeclNode::hasInitializer): Deleted.
        (JSC::ConstDeclNode::ident): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseTryStatement):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseConstDeclaration): Deleted.
        (JSC::Parser<LexerType>::parseConstDeclarationList): Deleted.
        * parser/Parser.h:
        (JSC::isEvalNode):
        (JSC::isEvalNode<EvalNode>):
        (JSC::isArguments):
        (JSC::isEval):
        (JSC::isEvalOrArgumentsIdentifier):
        (JSC::Scope::Scope):
        (JSC::Scope::declareCallee):
        (JSC::Scope::declareVariable):
        (JSC::Scope::declareLexicalVariable):
        (JSC::Scope::hasDeclaredVariable):
        (JSC::Scope::allowsVarDeclarations):
        (JSC::Scope::allowsLexicalDeclarations):
        (JSC::Scope::declareParameter):
        (JSC::Scope::declareBoundParameter):
        (JSC::Parser::destructuringKindFromDeclarationType):
        (JSC::Parser::assignmentContextFromDeclarationType):
        (JSC::Parser::isEvalOrArguments):
        (JSC::Parser::currentScope):
        (JSC::Parser::popScope):
        (JSC::Parser::declareVariable):
        (JSC::Parser::hasDeclaredVariable):
        (JSC::Parser::setStrictMode):
        (JSC::Parser::strictMode):
        (JSC::Parser::isValidStrictMode):
        (JSC::Parser::declareParameter):
        (JSC::Parser::declareBoundParameter):
        (JSC::Parser::breakIsValid):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::createForOfLoop):
        (JSC::SyntaxChecker::createEmptyStatement):
        (JSC::SyntaxChecker::createDeclarationStatement):
        (JSC::SyntaxChecker::createReturnStatement):
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createVarStatement): Deleted.
        (JSC::SyntaxChecker::createLetStatement): Deleted.
        * parser/VariableEnvironment.h:
        (JSC::VariableEnvironmentEntry::isCaptured):
        (JSC::VariableEnvironmentEntry::isConst):
        (JSC::VariableEnvironmentEntry::isVar):
        (JSC::VariableEnvironmentEntry::isLet):
        (JSC::VariableEnvironmentEntry::setIsCaptured):
        (JSC::VariableEnvironmentEntry::setIsConst):
        (JSC::VariableEnvironmentEntry::setIsVar):
        (JSC::VariableEnvironmentEntry::setIsLet):
        (JSC::VariableEnvironmentEntry::isConstant): Deleted.
        (JSC::VariableEnvironmentEntry::setIsConstant): Deleted.
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineOwnProperty):
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        (JSC::lastInPrototypeChain):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::addVar):
        (JSC::JSGlobalObject::addConst): Deleted.
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::symbolTablePut):
        * tests/stress/const-and-with-statement.js: Added.
        (truth):
        (assert):
        (shouldThrowInvalidConstAssignment):
        (.):
        * tests/stress/const-exception-handling.js: Added.
        (truth):
        (assert):
        (.):
        * tests/stress/const-loop-semantics.js: Added.
        (truth):
        (assert):
        (shouldThrowInvalidConstAssignment):
        (.):
        * tests/stress/const-not-strict-mode.js: Added.
        (truth):
        (assert):
        (shouldThrowTDZ):
        (.):
        * tests/stress/const-semantics.js: Added.
        (truth):
        (assert):
        (shouldThrowInvalidConstAssignment):
        (.):
        * tests/stress/const-tdz.js: Added.
        (truth):
        (assert):
        (shouldThrowTDZ):
        (.):

2015-07-18  Saam barati  <saambarati1@gmail.com>

        lexical scoping is broken with respect to "break" and "continue"
        https://bugs.webkit.org/show_bug.cgi?id=147063

        Reviewed by Filip Pizlo.

        Bug #142944 which introduced "let" and lexical scoping
        didn't properly hook into the bytecode generator's machinery
        for calculating scope depth deltas for "break" and "continue". This
        resulted in the bytecode generator popping an incorrect number
        of scopes when lexical scopes were involved.

        This patch fixes this problem and generalizes this machinery a bit.
        This patch also renames old functions in a sensible way that is more
        coherent in a world with lexical scoping.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::emitProfileType):
        (JSC::BytecodeGenerator::pushLexicalScope):
        (JSC::BytecodeGenerator::popLexicalScope):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::resolveType):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::emitPushWithScope):
        (JSC::BytecodeGenerator::emitGetParentScope):
        (JSC::BytecodeGenerator::emitPopScope):
        (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
        (JSC::BytecodeGenerator::emitPopScopes):
        (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
        (JSC::BytecodeGenerator::localScopeDepth):
        (JSC::BytecodeGenerator::labelScopeDepth):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::pushScopedControlFlowContext):
        (JSC::BytecodeGenerator::popScopedControlFlowContext):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::hasFinaliser):
        (JSC::BytecodeGenerator::scopeDepth): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::BreakNode::trivialTarget):
        (JSC::ReturnNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        * tests/stress/lexical-scoping-break-continue.js: Added.
        (assert):
        (.):

2015-07-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r186996.
        https://bugs.webkit.org/show_bug.cgi?id=147070

        Broke JSC tests (Requested by smfr on #webkit).

        Reverted changeset:

        "lexical scoping is broken with respect to "break" and
        "continue""
        https://bugs.webkit.org/show_bug.cgi?id=147063
        http://trac.webkit.org/changeset/186996

2015-07-18  Saam barati  <saambarati1@gmail.com>

        lexical scoping is broken with respect to "break" and "continue"
        https://bugs.webkit.org/show_bug.cgi?id=147063

        Reviewed by Filip Pizlo.

        Bug #142944 which introduced "let" and lexical scoping
        didn't properly hook into the bytecode generator's machinery
        for calculating scope depth deltas for "break" and "continue". This
        resulted in the bytecode generator popping an incorrect number
        of scopes when lexical scopes were involved.

        This patch fixes this problem and generalizes this machinery a bit.
        This patch also renames old functions in a sensible way that is more
        coherent in a world with lexical scoping.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::emitProfileType):
        (JSC::BytecodeGenerator::pushLexicalScope):
        (JSC::BytecodeGenerator::popLexicalScope):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::resolveType):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::emitPushWithScope):
        (JSC::BytecodeGenerator::emitGetParentScope):
        (JSC::BytecodeGenerator::emitPopScope):
        (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
        (JSC::BytecodeGenerator::emitPopScopes):
        (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
        (JSC::BytecodeGenerator::localScopeDepth):
        (JSC::BytecodeGenerator::labelScopeDepth):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::pushScopedControlFlowContext):
        (JSC::BytecodeGenerator::popScopedControlFlowContext):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::hasFinaliser):
        (JSC::BytecodeGenerator::scopeDepth): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::BreakNode::trivialTarget):
        (JSC::ReturnNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        * tests/stress/lexical-scoping-break-continue.js: Added.
        (assert):
        (.):
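
Added example in JavaScript, not JavaScriptCore's code and not any of the tests/stress files listed above. It covers the observable behaviour of the block-scope const entry (block scoping, the temporal dead zone, the TypeError on assignment, no property on the global object, per-iteration loop bindings) and of the break/continue entries (a labeled continue that leaves nested lexical scopes whose variables are captured by a closure, which is what forces a real scope object to be pushed and popped). The indirect-eval trick for reaching the global object and all function names are illustrative.

```javascript
// Added example, not JavaScriptCore's code: observable const and lexical
// scoping semantics. Helper names are illustrative.
"use strict";

// Assignment to a const is a runtime TypeError; the inner const shadows the
// outer one and never touches it.
function constAssignment() {
  const x = 1;
  let error = false;
  {
    const x = 2;
    try {
      x = 3;
    } catch (e) {
      error = e instanceof TypeError;
    }
  }
  return { x, error };
}

// Reading a const before its declaration runs is a ReferenceError (TDZ),
// not undefined as it would be for var.
function constTdz() {
  let result;
  try {
    result = y;
  } catch (e) {
    result = e instanceof ReferenceError ? "TDZ" : "other";
  }
  const y = 1;
  return result;
}

// A global-scope var becomes a property of the global object; a global-scope
// const does not. Indirect eval runs the snippet in global scope, and
// Function("return this") yields the global object even from strict code.
function constNotOnGlobalObject() {
  const globalObject = Function("return this")();
  (0, eval)("var viaVar = 1; const viaConst = 2;");
  return { viaVar: globalObject.viaVar, viaConst: globalObject.viaConst };
}

// for-of creates a fresh binding per iteration, so each closure sees its own
// value; a C-style loop that increments a const throws on the update.
function perIterationBindings() {
  const fns = [];
  for (const v of [10, 20, 30]) fns.push(() => v);
  let loopError = false;
  try {
    for (const i = 0; i < 2; i++) {}
  } catch (e) {
    loopError = e instanceof TypeError;
  }
  return { captured: fns.map((f) => f()), loopError };
}

// continue to an outer label from inside two nested lexical scopes and an
// inner loop. The captured variables make the scopes real environments,
// so the generator must pop exactly the right number of them.
function breakContinueThroughLexicalScopes() {
  const out = [];
  outer: for (let i = 0; i < 3; i++) {
    let a = i * 10;
    {
      let b = a + 1;
      const sum = () => a + b;
      for (let j = 0; j < 3; j++) {
        if (j === 1) continue outer;
        out.push(sum() + j);
      }
    }
  }
  return out;
}
```

A miscounted scope pop in breakContinueThroughLexicalScopes would make sum() read the wrong environment on the next iteration, which is why a closure over the inner bindings is the interesting case rather than plain locals.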
2628
2629 2015-07-17  Filip Pizlo  <fpizlo@apple.com>
2630
2631         DFG should have some obvious mitigations against watching structures that are unprofitable to watch
2632         https://bugs.webkit.org/show_bug.cgi?id=147034
2633
2634         Reviewed by Mark Lam and Michael Saboff.
2635         
2636         This implements two guards against the DFG watching structures that are likely to fire
2637         their watchpoints:
2638         
2639         - Don't watch dictionaries or any structure that had a dictionary in its past. Dictionaries
2640           can be flattened, and then they can transform back to dictionaries.
2641         
2642         - Don't watch structures whose past structures were transitioned-away from while their
2643           transition watchpoints were being watched. This property gives us monotonicity: if we
2644           recompile because we watched structure S1 of object O, then we won't make the same mistake
2645           again when object O has structure S2, S3, and so on.
2646         
2647         This is a 1.5% speed-up on Kraken. It does penalize some Octane tests, but it also seems to
2648         help some of them, so on Octane it's basically neutral.
2649
2650         * bytecode/Watchpoint.h:
2651         (JSC::WatchpointSet::invalidate):
2652         (JSC::WatchpointSet::isBeingWatched):
2653         (JSC::WatchpointSet::addressOfState):
2654         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
2655         (JSC::InlineWatchpointSet::touch):
2656         (JSC::InlineWatchpointSet::isBeingWatched):
2657         * runtime/JSGlobalObject.h:
2658         (JSC::JSGlobalObject::createStructure):
2659         (JSC::JSGlobalObject::registerWeakMap):
2660         * runtime/Structure.cpp:
2661         (JSC::Structure::Structure):
2662         (JSC::Structure::toDictionaryTransition):
2663         (JSC::Structure::didTransitionFromThisStructure):
2664         * runtime/Structure.h:
2665
2666 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
2667
2668         Remove DFG::DesiredWriteBarriers because it's just a very difficult way of saying "please barrier the machine code block owner"
2669         https://bugs.webkit.org/show_bug.cgi?id=147030
2670
2671         Reviewed by Andreas Kling.
2672         
2673         All of the users of DesiredWriteBarriers were just using it to request that Plan
2674         finalization executes a barrier on codeBlock->ownerExecutable. Indeed, that's the only
2675         owning cell in the heap that compilation affects. So, we might as well just have Plan
2676         unconditionally execute that barrier and then we don't need DesiredWriteBarriers at
2677         all.
2678
2679         * CMakeLists.txt:
2680         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2681         * JavaScriptCore.xcodeproj/project.pbxproj:
2682         * dfg/DFGByteCodeParser.cpp:
2683         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2684         * dfg/DFGDesiredWriteBarriers.cpp: Removed.
2685         * dfg/DFGDesiredWriteBarriers.h: Removed.
2686         * dfg/DFGGraph.cpp:
2687         (JSC::DFG::Graph::registerFrozenValues):
2688         * dfg/DFGPlan.cpp:
2689         (JSC::DFG::Plan::reallyAdd):
2690         (JSC::DFG::Plan::notifyCompiling):
2691         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2692         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2693         (JSC::DFG::Plan::cancel):
2694         * dfg/DFGPlan.h:
2695
2696 2015-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2697
2698         Integrate automatic microtask draining into JSC framework and re-enable Promise
2699         https://bugs.webkit.org/show_bug.cgi?id=146828
2700
2701         Reviewed by Sam Weinig.
2702
2703         Add automatic microtask draining system into JSC framework.
        Just before the depth of the VM lock becomes 0, we drain the queued microtasks.
2705         Enqueuing behavior can be injected by the JSGlobalObject's method table.
2706         It is utilized in WebCore to post the microtask to WebCore's event loop.
2707
        In the case of the JSC interactive shell, the VM lock depth is always greater than 0,
        so we manually drain the queued microtasks after evaluating each line.
2710
        Now that the JSC framework has a microtask queue, we can drain the queued microtasks,
        so Promise is re-enabled in the JSC framework context.
2713
2714         * API/JSContextRef.cpp:
2715         (javaScriptRuntimeFlags): Deleted.
2716         * API/tests/testapi.c:
2717         (main):
2718         * API/tests/testapi.mm:
2719         (testObjectiveCAPIMain):
2720         * jsc.cpp:
2721         (runInteractive):
2722         * runtime/JSGlobalObject.cpp:
2723         (JSC::JSGlobalObject::queueMicrotask):
2724         * runtime/JSLock.cpp:
2725         (JSC::JSLock::willReleaseLock):
2726         * runtime/VM.cpp:
2727         (JSC::VM::queueMicrotask):
2728         (JSC::VM::drainMicrotasks):
2729         (JSC::QueuedTask::run):
2730         * runtime/VM.h:
2731         (JSC::QueuedTask::QueuedTask):
2732
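The draining policy the entry describes, as an added model that is not JSC code: `VMModel`, `lock`, `unlock`, `queueMicrotask`, `drainMicrotasks` and `withLock` are names assumed here for illustration. The model shows three behaviours the entry mentions: microtasks run only when the outermost lock is released, tasks enqueued while draining still run in the same drain, and an interactive shell that never releases the lock has to drain by hand after each line.

```javascript
// Added example (not JSC code): a model of automatic microtask draining tied to
// VM lock depth. VMModel and its methods are assumed names for illustration.

class VMModel {
  constructor() {
    this.lockDepth = 0;
    this.microtasks = [];
    this.log = [];   // observable order of script statements and microtasks
  }

  // The entry says the enqueue behaviour is supplied by the global object's
  // method table (WebCore posts to its event loop); here it is a plain queue.
  queueMicrotask(name, fn) {
    this.microtasks.push({ name, fn });
  }

  lock() {
    this.lockDepth += 1;
  }

  // Drain just before the depth would drop to 0, never on an inner release.
  unlock() {
    if (this.lockDepth === 1) this.drainMicrotasks();
    this.lockDepth -= 1;
  }

  // Runs until the queue is empty, including tasks queued by running tasks.
  drainMicrotasks() {
    while (this.microtasks.length > 0) {
      const task = this.microtasks.shift();
      this.log.push(`run:${task.name}`);
      task.fn(this);
    }
  }

  // Run a script while holding the lock, as an embedder API call would.
  withLock(fn) {
    this.lock();
    try {
      return fn(this);
    } finally {
      this.unlock();
    }
  }
}

// A script that chains microtasks, like Promise.resolve().then(a).then(b):
// both callbacks run after the script finishes, in order, in one drain.
function runChainedScript(vm) {
  vm.withLock((v) => {
    v.log.push('script:start');
    v.queueMicrotask('a', (inner) => {
      inner.queueMicrotask('b', () => {});
    });
    v.log.push('script:end');
  });
  return vm.log.slice();
}

// A callback that re-enters the VM (nested lock) must not trigger a drain;
// only the outermost release does.
function runNestedLockScript(vm) {
  vm.withLock((outer) => {
    outer.queueMicrotask('m', () => {});
    outer.withLock((inner) => {
      inner.log.push('nested:done');
    });
    outer.log.push('outer:after-nested');
  });
  return vm.log.slice();
}

// Interactive shell: the lock is held for the whole session, so depth never
// reaches 0 and the shell drains explicitly after evaluating each line.
function runShellSession(vm, lines) {
  vm.lock();
  for (const line of lines) {
    vm.log.push(`eval:${line}`);
    vm.queueMicrotask(`after:${line}`, () => {});
    vm.drainMicrotasks();
  }
  return vm.log.slice();   // lock intentionally left held, as in the shell
}
```

Note the ordering in `runChainedScript`: `script:end` is logged before `run:a`, which is exactly the Promise guarantee that callbacks never run synchronously inside the script that registered them.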
2733 2015-07-17  Saam barati  <saambarati1@gmail.com>
2734
2735         Function parameters should be parsed in the same parser arena as the function body
2736         https://bugs.webkit.org/show_bug.cgi?id=145995
2737
2738         Reviewed by Yusuke Suzuki.
2739
2740         This patch changes how functions are parsed in JSC. A function's
2741         parameters are now parsed in the same arena as the function itself.
2742         This allows us to arena allocate all destructuring AST nodes and
2743         the FunctionParameters node. This will help make implementing ES6
2744         default parameter values sane.
2745
        The SourceCode that represents a function now includes the text of the function's 
2747         parameters. The starting offset is at the opening parenthesis of the parameter
2748         list or at the starting character of the identifier for arrow functions that
2749         have single arguments and don't start with parenthesis.
2750
2751         For example:
2752
2753         "function (param1, param2) { ... }"
2754                                    ^
2755                                    | This offset used to be the starting offset of a function's SourceCode
2756                   ^
2757                   | This is the new starting offset for a function's SourceCode.
2758
2759         This requires us to change how some offsets are calculated
2760         and also requires us to report some different line numbers for internal
2761         metrics that use a SourceCode's starting line and column numbers.
2762
2763         This patch also does a bit of cleanup with regards to how
2764         functions are parsed in general (especially arrow functions).
2765         It removes some unnecessary #ifdefs and the likes for arrow
2766         to make things clearer and more deliberate.
2767
2768         * API/JSScriptRef.cpp:
2769         (parseScript):
2770         * builtins/BuiltinExecutables.cpp:
2771         (JSC::BuiltinExecutables::createExecutableInternal):
2772         * bytecode/UnlinkedCodeBlock.cpp:
2773         (JSC::generateFunctionCodeBlock):
2774         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2775         (JSC::UnlinkedFunctionExecutable::visitChildren):
2776         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
2777         * bytecode/UnlinkedCodeBlock.h:
2778         * bytecompiler/NodesCodegen.cpp:
2779         (JSC::DestructuringAssignmentNode::emitBytecode):
2780         (JSC::assignDefaultValueIfUndefined):
2781         (JSC::ArrayPatternNode::collectBoundIdentifiers):
2782         (JSC::DestructuringPatternNode::~DestructuringPatternNode): Deleted.
2783         * parser/ASTBuilder.h:
2784         (JSC::ASTBuilder::createClassExpr):
2785         (JSC::ASTBuilder::createFunctionExpr):
2786         (JSC::ASTBuilder::createFunctionBody):
2787         (JSC::ASTBuilder::createArrowFunctionExpr):
2788         (JSC::ASTBuilder::createGetterOrSetterProperty):
2789         (JSC::ASTBuilder::createElementList):
2790         (JSC::ASTBuilder::createFormalParameterList):
2791         (JSC::ASTBuilder::appendParameter):
2792         (JSC::ASTBuilder::createClause):
2793         (JSC::ASTBuilder::createClauseList):
2794         (JSC::ASTBuilder::createFuncDeclStatement):
2795         (JSC::ASTBuilder::createForInLoop):
2796         (JSC::ASTBuilder::createForOfLoop):
2797         (JSC::ASTBuilder::isResolve):
2798         (JSC::ASTBuilder::createDestructuringAssignment):
2799         (JSC::ASTBuilder::createArrayPattern):
2800         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
2801         (JSC::ASTBuilder::appendArrayPatternEntry):
2802         (JSC::ASTBuilder::appendArrayPatternRestEntry):
2803         (JSC::ASTBuilder::finishArrayPattern):
2804         (JSC::ASTBuilder::createObjectPattern):
2805         (JSC::ASTBuilder::appendObjectPatternEntry):
2806         (JSC::ASTBuilder::createBindingLocation):
2807         (JSC::ASTBuilder::setEndOffset):
2808         * parser/Lexer.cpp:
2809         (JSC::Lexer<T>::Lexer):
2810         (JSC::Lexer<T>::nextTokenIsColon):
2811         (JSC::Lexer<T>::setTokenPosition):
2812         (JSC::Lexer<T>::lex):
2813         (JSC::Lexer<T>::clear):
2814         * parser/Lexer.h:
2815         (JSC::Lexer::setIsReparsingFunction):
2816         (JSC::Lexer::isReparsingFunction):
2817         (JSC::Lexer::lineNumber):
2818         (JSC::Lexer::setIsReparsing): Deleted.
2819         (JSC::Lexer::isReparsing): Deleted.
2820         * parser/NodeConstructors.h:
2821         (JSC::TryNode::TryNode):
2822         (JSC::FunctionParameters::FunctionParameters):
2823         (JSC::FuncExprNode::FuncExprNode):
2824         (JSC::FuncDeclNode::FuncDeclNode):
2825         (JSC::ArrayPatternNode::ArrayPatternNode):
2826         (JSC::ObjectPatternNode::ObjectPatternNode):
2827         (JSC::BindingNode::BindingNode):
2828         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
2829         (JSC::ParameterNode::ParameterNode): Deleted.
2830         (JSC::ArrayPatternNode::create): Deleted.
2831         (JSC::ObjectPatternNode::create): Deleted.
2832         (JSC::BindingNode::create): Deleted.
2833         * parser/Nodes.cpp:
2834         (JSC::ProgramNode::ProgramNode):
2835         (JSC::EvalNode::EvalNode):
2836         (JSC::FunctionBodyNode::FunctionBodyNode):
2837         (JSC::FunctionBodyNode::finishParsing):
2838         (JSC::FunctionNode::FunctionNode):
2839         (JSC::FunctionNode::finishParsing):
2840         (JSC::FunctionParameters::create): Deleted.
2841         (JSC::FunctionParameters::FunctionParameters): Deleted.
2842         (JSC::FunctionParameters::~FunctionParameters): Deleted.
2843         * parser/Nodes.h:
2844         (JSC::ProgramNode::startColumn):
2845         (JSC::ProgramNode::endColumn):
2846         (JSC::EvalNode::startColumn):
2847         (JSC::EvalNode::endColumn):
2848         (JSC::FunctionParameters::size):
2849         (JSC::FunctionParameters::at):
2850         (JSC::FunctionParameters::append):
2851         (JSC::FuncExprNode::body):
2852         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
2853         (JSC::DestructuringPatternNode::isBindingNode):
2854         (JSC::DestructuringPatternNode::emitDirectBinding):
2855         (JSC::ArrayPatternNode::appendIndex):
2856         (JSC::ObjectPatternNode::appendEntry):
2857         (JSC::BindingNode::boundProperty):
2858         (JSC::BindingNode::divotStart):
2859         (JSC::BindingNode::divotEnd):
2860         (JSC::DestructuringAssignmentNode::bindings):
2861         (JSC::FuncDeclNode::body):
2862         (JSC::ParameterNode::pattern): Deleted.
2863         (JSC::ParameterNode::nextParam): Deleted.
2864         (JSC::FunctionParameters::patterns): Deleted.
2865         * parser/Parser.cpp:
2866         (JSC::Parser<LexerType>::Parser):
2867         (JSC::Parser<LexerType>::~Parser):
2868         (JSC::Parser<LexerType>::parseInner):
2869         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
2870         (JSC::Parser<LexerType>::parseSourceElements):
2871         (JSC::Parser<LexerType>::createBindingPattern):
2872         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2873         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
2874         (JSC::Parser<LexerType>::parseSwitchClauses):
2875         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
2876         (JSC::Parser<LexerType>::parseBlockStatement):
2877         (JSC::Parser<LexerType>::parseStatement):
2878         (JSC::Parser<LexerType>::parseFormalParameters):
2879         (JSC::Parser<LexerType>::parseFunctionBody):
2880         (JSC::stringForFunctionMode):
2881         (JSC::Parser<LexerType>::parseFunctionParameters):
2882         (JSC::Parser<LexerType>::parseFunctionInfo):
2883         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2884         (JSC::Parser<LexerType>::parseClass):
2885         (JSC::Parser<LexerType>::parsePrimaryExpression):
2886         (JSC::Parser<LexerType>::parseMemberExpression):
2887         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
2888         (JSC::operatorString):
2889         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody): Deleted.
2890         * parser/Parser.h:
2891         (JSC::Parser::positionBeforeLastNewline):
2892         (JSC::Parser::locationBeforeLastToken):
2893         (JSC::Parser::findCachedFunctionInfo):
2894         (JSC::Parser::isofToken):
2895         (JSC::Parser::isEndOfArrowFunction):
2896         (JSC::Parser::isArrowFunctionParamters):
2897         (JSC::Parser::tokenStart):
2898         (JSC::Parser::isLETMaskedAsIDENT):
2899         (JSC::Parser::autoSemiColon):
2900         (JSC::Parser::setEndOfStatement):
2901         (JSC::Parser::canRecurse):
2902         (JSC::Parser<LexerType>::parse):
2903         (JSC::parse):
2904         * parser/ParserFunctionInfo.h:
2905         * parser/ParserModes.h:
2906         (JSC::functionNameIsInScope):
2907         * parser/SourceCode.h:
2908         (JSC::makeSource):
2909         (JSC::SourceCode::subExpression):
2910         (JSC::SourceCode::subArrowExpression): Deleted.
2911         * parser/SourceProviderCache.h:
2912         (JSC::SourceProviderCache::get):
2913         * parser/SourceProviderCacheItem.h:
2914         (JSC::SourceProviderCacheItem::endFunctionToken):
2915         (JSC::SourceProviderCacheItem::usedVariables):
2916         (JSC::SourceProviderCacheItem::writtenVariables):
2917         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
2918         * parser/SyntaxChecker.h:
2919         (JSC::SyntaxChecker::SyntaxChecker):
2920         (JSC::SyntaxChecker::createClassExpr):
2921         (JSC::SyntaxChecker::createFunctionExpr):
2922         (JSC::SyntaxChecker::createFunctionBody):
2923         (JSC::SyntaxChecker::createArrowFunctionExpr):
2924         (JSC::SyntaxChecker::setFunctionNameStart):
2925         (JSC::SyntaxChecker::createArguments):
2926         (JSC::SyntaxChecker::createPropertyList):
2927         (JSC::SyntaxChecker::createElementList):
2928         (JSC::SyntaxChecker::createFormalParameterList):
2929         (JSC::SyntaxChecker::appendParameter):
2930         (JSC::SyntaxChecker::createClause):
2931         (JSC::SyntaxChecker::createClauseList):
2932         * runtime/CodeCache.cpp:
2933         (JSC::CodeCache::getGlobalCodeBlock):
2934         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2935         * runtime/Completion.cpp:
2936         (JSC::checkSyntax):
2937         * runtime/Executable.cpp:
2938         (JSC::ProgramExecutable::checkSyntax):
2939         * tests/controlFlowProfiler/conditional-expression.js:
2940         (testConditionalFunctionCall):
2941
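The new starting-offset rule from the entry above (the opening parenthesis of the parameter list, or the first character of the identifier for a parenthesis-less single-parameter arrow function), as an added example that is not JSC code: `parameterSourceStart`, `bodySourceStart` and `parameterAndBodyText` are names assumed here for illustration, and the scanner deliberately handles only the cases the entry spells out.

```javascript
// Added example (not JSC code): locate the old and new SourceCode start offsets
// for a function's text. The function names are assumptions for illustration.

const IDENT_START = /[A-Za-z_$]/;

// New starting offset: where the parameter list begins.
function parameterSourceStart(source, kind) {
  if (kind === 'arrow') {
    let i = 0;
    while (i < source.length && /\s/.test(source[i])) i += 1;
    // `(a, b) => ...` starts at the paren; `a => ...` starts at the identifier.
    if (source[i] === '(') return i;
    if (i < source.length && IDENT_START.test(source[i])) return i;
    throw new SyntaxError('arrow function must begin with "(" or an identifier');
  }
  // `function name(...)` or `function (...)`: the first "(" opens the
  // parameter list, since neither the keyword nor the name can contain one.
  const paren = source.indexOf('(');
  if (paren === -1) throw new SyntaxError('missing parameter list');
  return paren;
}

// Old starting offset: the body's opening brace.
function bodySourceStart(source) {
  const brace = source.indexOf('{');
  if (brace === -1) throw new SyntaxError('missing function body');
  return brace;
}

// The text the function's SourceCode now covers, from the parameters onward.
function parameterAndBodyText(source, kind) {
  return source.slice(parameterSourceStart(source, kind));
}
```

For the entry's own example string, `parameterSourceStart` returns 9 (the `(`) where `bodySourceStart` returns 26 (the `{`), matching the two carets in the diagram above.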
2942 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
2943
2944         Unreviewed, fix build for newer LLVMs.
2945
2946         * llvm/LLVMHeaders.h:
2947         * llvm/library/LLVMExports.cpp:
2948
2949 2015-07-16  Mark Lam  <mark.lam@apple.com>
2950
2951         RegExp::match() should set m_state to ByteCode if compilation fails.
2952         https://bugs.webkit.org/show_bug.cgi?id=147023
2953
2954         Reviewed by Michael Saboff.
2955
2956         A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
2957         If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
2958         Subsequently, if RegExp tries to compile another one of these but fails, m_state
2959         will be left untouched i.e. it still says JITCode.  As a result, when
        RegExp::match() later tries to execute the non-existent compiled code, it will
2961         crash.
2962
2963         The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
2964         This failure should be rare.  We'll do the minimal work here to fix the issue and
2965         keep an eye on the perf bots.  If perf regresses, we can do some optimization work then.
2966
2967         This issue is difficult to test for since it either requires a low memory condition
2968         to trigger a failed RegExp compilation at the right moment, or for the RegExp to
2969         succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
2970         Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
2971         10 compilation attempts.
2972
2973         * runtime/RegExp.cpp:
2974         (JSC::RegExp::compile):
2975         (JSC::RegExp::compileMatchOnly):
2976
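The failure mode and the fix from the entry above, as an added model that is not JSC code: `RegExpModel`, `compileFor` and `matchWith` are names assumed here for illustration, the host `RegExp` stands in for both the compiled matcher and the bytecode interpreter, and the injected "fail every Nth compile" follows the entry's own manual test strategy. The model keeps one code reference per (mode, width) pair, so a later compile can fail after an earlier one succeeded.

```javascript
// Added example (not JSC code): RegExp state handling before and after the fix.
// RegExpModel, compileFor and matchWith are assumed names for illustration.

const State = { NotCompiled: 'NotCompiled', ByteCode: 'ByteCode', JITCode: 'JITCode' };

class RegExpModel {
  // downgradeOnFailure = false reproduces the bug; true applies the fix.
  // failEveryNth > 0 makes every Nth compile attempt fail, as the entry's
  // instrumented RegExp::compile() did.
  constructor(pattern, { downgradeOnFailure, failEveryNth = 0 }) {
    this.pattern = pattern;
    this.state = State.NotCompiled;
    this.codeRefs = {};   // `${mode}/${width}` -> compiled matcher, if any
    this.downgradeOnFailure = downgradeOnFailure;
    this.failEveryNth = failEveryNth;
    this.compileAttempts = 0;
  }

  compileFor(mode, width) {
    this.compileAttempts += 1;
    const failed = this.failEveryNth > 0 && this.compileAttempts % this.failEveryNth === 0;
    if (failed) {
      // Fix: fall back to bytecode for everything. Bug: leave state untouched,
      // so a previous success still says JITCode for a pair that has no code.
      if (this.downgradeOnFailure) this.state = State.ByteCode;
      return;
    }
    const re = new RegExp(this.pattern);
    this.codeRefs[`${mode}/${width}`] = (s) => re.exec(s);
    this.state = State.JITCode;
  }

  // Dispatches on state the way match() does; throws where real code would crash.
  matchWith(mode, width, subject) {
    if (this.state === State.JITCode) {
      const code = this.codeRefs[`${mode}/${width}`];
      if (!code) throw new Error('crash: executing non-existent compiled code');
      return code(subject);
    }
    // Bytecode path (host RegExp stands in for the interpreter here).
    return new RegExp(this.pattern).exec(subject);
  }
}

// Same sequence for both variants: first compile succeeds, second one fails,
// then match with the mode whose compile failed.
function runScenario(downgradeOnFailure) {
  const re = new RegExpModel('a(b+)c', { downgradeOnFailure, failEveryNth: 2 });
  re.compileFor('MatchOnly', '8bit');            // attempt 1: succeeds, state -> JITCode
  re.compileFor('IncludeSubpatterns', '8bit');   // attempt 2: fails
  try {
    const m = re.matchWith('IncludeSubpatterns', '8bit', 'xabbbcx');
    return { state: re.state, matched: m !== null && m[1] === 'bbb', crashed: false };
  } catch (e) {
    return { state: re.state, matched: false, crashed: true };
  }
}
```

`runScenario(false)` ends in state `JITCode` with a simulated crash; `runScenario(true)` ends in `ByteCode` and still matches, which is the only behaviour the fix needs to guarantee.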
2977 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
2978
2979         [Win] Fix armv7 build.
2980
2981         * jit/CCallHelpers.h:
2982         (JSC::CCallHelpers::setupArgumentsWithExecState): The 64-bit argument
2983         version of poke is not available on armv7 builds.
2984
2985 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
2986
2987         [Win] 64-bit Build Failure
2988         https://bugs.webkit.org/show_bug.cgi?id=146989
2989
2990         Reviewed by Mark Lam.
2991
2992         * jit/CCallHelpers.h:
2993         (JSC::CCallHelpers::setupArgumentsWithExecState): Add missing
2994         declaration for 64-bit type on 4-argument register machines (like
2995         Windows).
2996
2997 2015-07-15  Saam barati  <saambarati1@gmail.com>
2998
2999         [ES6] implement block scoping to enable 'let'
3000         https://bugs.webkit.org/show_bug.cgi?id=142944
3001
3002         Reviewed by Filip Pizlo.
3003
3004         * CMakeLists.txt:
3005         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3006         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3007         * JavaScriptCore.xcodeproj/project.pbxproj:
3008         * builtins/BuiltinExecutables.cpp:
3009         (JSC::BuiltinExecutables::createExecutableInternal):
3010         * bytecode/BytecodeList.json:
3011         This patch adds a new opcode and removes op_pop_scope:
3012         1) op_get_parent_scope returns the parent scope but doesn't 
3013         implicitly write that scope into the scope register. op_pop_scope
3014         is now reduced to op_get_parent_scope followed by op_mov.
3015
3016         * bytecode/BytecodeUseDef.h:
3017         (JSC::computeUsesForBytecodeOffset):
3018         (JSC::computeDefsForBytecodeOffset):
3019         * bytecode/CodeBlock.cpp:
3020         (JSC::CodeBlock::dumpBytecode):
3021         (JSC::CodeBlock::CodeBlock):
3022         (JSC::CodeBlock::stronglyVisitStrongReferences):
3023         * bytecode/CodeBlock.h:
3024         (JSC::CodeBlock::addStringSwitchJumpTable):
3025         (JSC::CodeBlock::stringSwitchJumpTable):
3026         (JSC::CodeBlock::symbolTable):
3027         (JSC::CodeBlock::evalCodeCache):
3028         (JSC::CodeBlock::setConstantRegisters):
3029         (JSC::CodeBlock::replaceConstant):
3030         op_put_to_scope for LocalClosureVar now takes as an argument
3031         the constant index for the Symbol Table it will be putting into.
3032         This argument is only used to communicate from the BytecodeGenerator
3033         to CodeBlock linking time and it is not present in the linked bytecode.
3034
3035         op_put_to_scope for non LocalClosureVar takes, at the same index, an
3036         argument that represents the local scope depth which it uses for
3037         JSScope::abstractResolve to know how many scopes it needs to skip.
3038         Again, this is not in the linked code.
3039         op_get_from_scope and op_resolve_scope also take as an argument
3040         the local scope depth to use in JSScope::abstractResolve. Again,
3041         this is not used in the linked code.
3042
3043         * bytecode/EvalCodeCache.h:
3044         (JSC::EvalCodeCache::tryGet):
3045         (JSC::EvalCodeCache::getSlow):
3046         (JSC::EvalCodeCache::clear):
3047         (JSC::EvalCodeCache::isCacheable):
3048         When direct eval is called and passed a scope that 
3049         corresponds to a lexical scope, we can't safely cache 
3050         that code because we won't be able to guarantee
3051         that the cached code is always executed in the same scope.
3052         Consider this example:
3053         function foo() {
3054             let x = 20;
3055             eval("x;");
3056             if (b) {
3057                 let x = 30;
3058                 if (b) {
3059                     let y = 40;
3060                     eval("x;")
3061                 }
3062             }
3063         }
3064
3065         We can't reuse resolution depth when linking get_from_scope in evals.
3066
3067         * bytecode/UnlinkedCodeBlock.cpp:
3068         (JSC::generateFunctionCodeBlock):
3069         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3070         (JSC::UnlinkedFunctionExecutable::parameterCount):
3071         * bytecode/UnlinkedCodeBlock.h:
3072         Unlinked functions now know the variables that were under TDZ in their parent
3073         scope.
3074
3075         (JSC::UnlinkedCodeBlock::symbolTable):
3076         (JSC::UnlinkedCodeBlock::setSymbolTable):
3077         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
3078         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
3079         (JSC::UnlinkedCodeBlock::vm):
3080         * bytecompiler/BytecodeGenerator.cpp:
3081         (JSC::BytecodeGenerator::generate):
3082         (JSC::BytecodeGenerator::BytecodeGenerator):
3083         (JSC::BytecodeGenerator::~BytecodeGenerator):
3084         (JSC::BytecodeGenerator::newRegister):
3085         (JSC::BytecodeGenerator::reclaimFreeRegisters):
3086         (JSC::BytecodeGenerator::newBlockScopeVariable):
3087         (JSC::BytecodeGenerator::newTemporary):
3088         (JSC::BytecodeGenerator::emitProfileType):
3089         (JSC::BytecodeGenerator::emitLoadGlobalObject):
3090         (JSC::BytecodeGenerator::pushLexicalScope):
3091         (JSC::BytecodeGenerator::popLexicalScope):
3092         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3093         (JSC::BytecodeGenerator::variable):
3094         (JSC::BytecodeGenerator::variablePerSymbolTable):
3095         (JSC::BytecodeGenerator::variableForLocalEntry):
3096         (JSC::BytecodeGenerator::createVariable):
3097         (JSC::BytecodeGenerator::emitResolveScope):
3098         (JSC::BytecodeGenerator::emitGetFromScope):
3099         (JSC::BytecodeGenerator::emitPutToScope):
3100         (JSC::BytecodeGenerator::initializeVariable):
3101         (JSC::BytecodeGenerator::emitTDZCheck):
3102         (JSC::BytecodeGenerator::needsTDZCheck):
3103         (JSC::BytecodeGenerator::emitTDZCheckIfNecessary):
3104         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
3105         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
3106         (JSC::BytecodeGenerator::emitNewObject):
3107         (JSC::BytecodeGenerator::emitPushWithScope):
3108         (JSC::BytecodeGenerator::emitGetParentScope):
3109         (JSC::BytecodeGenerator::emitPopScope):
3110         (JSC::BytecodeGenerator::emitDebugHook):
3111         (JSC::BytecodeGenerator::pushFinallyContext):
3112         (JSC::BytecodeGenerator::pushIteratorCloseContext):
3113         (JSC::BytecodeGenerator::emitComplexPopScopes):
3114         (JSC::BytecodeGenerator::emitPopScopes):
3115         (JSC::BytecodeGenerator::popTryAndEmitCatch):
3116         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
3117         (JSC::BytecodeGenerator::currentScopeDepth):
3118         (JSC::BytecodeGenerator::emitThrowReferenceError):
3119         (JSC::BytecodeGenerator::emitPushCatchScope):
3120         (JSC::BytecodeGenerator::beginSwitch):
3121         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3122         (JSC::BytecodeGenerator::emitEnumeration):
3123         * bytecompiler/BytecodeGenerator.h:
3124         (JSC::Variable::Variable):
3125         (JSC::Variable::isResolved):
3126         (JSC::Variable::symbolTableConstantIndex):
3127         (JSC::Variable::ident):
3128         (JSC::BytecodeGenerator::ignoredResult):
3129         (JSC::BytecodeGenerator::tempDestination):
3130         (JSC::BytecodeGenerator::lastOpcodeID):
3131         (JSC::BytecodeGenerator::makeFunction):
3132         (JSC::BytecodeGenerator::symbolTable):
3133         (JSC::BytecodeGenerator::shouldOptimizeLocals): Deleted.
3134         (JSC::BytecodeGenerator::canOptimizeNonLocals): Deleted.
3135         The heart of the changes in this patch are in the bytecode generator.
3136         The bytecode generator now keeps a stack of tuples of 
3137         {symbol table, scope register, flag indicating catch or with scope, symbol table index in constant pool}
3138         that models the runtime scope stack. This symbol table stack is used
3139         in resolving local variables.
3140
        Also, the bytecode generator handles pushing and popping of lexical scopes. 
        This is relatively straightforward:
3143         Captured 'let' variables end up in the JSLexicalEnvironment scope and non-captured
3144         variables end up on the stack. Some trickiness is involved in generating
3145         code for 'for' loops that have captured variables (I'm talking about variables in the loop
3146         header, not the loop body). Each iteration of the for loop ends up with 
3147         its own JSLexicalEnvironment. Static code must be generated in such a way 
3148         to create this runtime behavior. This is done by emitting instructions to 
3149         push and pop a lexical scope at the end of each loop and copying values
3150         from the previous loop's scope into the new scope. This code must also
3151         ensure that each loop iteration's scope refers to the same underlying 
3152         SymbolTable so that no scope is accidentally mistaken as being a singleton scope.
3153
3154         When the debugger is enabled, all lexically defined variables will end up in the
3155         JSLexicalEnvironment.
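
The runtime behaviour the per-iteration scope handling above has to produce, as an added example that is not part of this ChangeLog entry: `closuresOverLet`, `closuresOverVar`, `mutationStaysInIteration` and `uncapturedLet` are names assumed here for illustration. A captured `let` loop variable gets a fresh copy per iteration, a `var` does not, and a `let` nothing captures needs no environment at all.

```javascript
// Added example (not JSC code): observable per-iteration binding semantics for
// captured `let` loop variables. All function names are assumptions.

// Each iteration's closure sees its own copy of i.
function closuresOverLet() {
  const fns = [];
  for (let i = 0; i < 3; i += 1) {
    fns.push(() => i);
  }
  return fns.map((f) => f());
}

// A var is a single function-scoped binding shared by every closure.
function closuresOverVar() {
  const fns = [];
  for (var i = 0; i < 3; i += 1) {
    fns.push(() => i);
  }
  return fns.map((f) => f());
}

// The copy into the next iteration's scope happens at the end of the iteration,
// so a closure mutating its own iteration's i cannot disturb the loop counter.
function mutationStaysInIteration() {
  const fns = [];
  const counterSeen = [];
  for (let i = 0; i < 3; i += 1) {
    fns.push(() => { i += 10; return i; });
    counterSeen.push(i);
  }
  const afterMutation = fns.map((f) => f());
  return { counterSeen, afterMutation };
}

// Nothing captures `square`, so it can live on the stack rather than in a
// JSLexicalEnvironment; the result is the same either way.
function uncapturedLet() {
  let total = 0;
  for (let i = 0; i < 3; i += 1) {
    let square = i * i;
    total += square;
  }
  return total;
}
```

`closuresOverLet` yields `[0, 1, 2]` where `closuresOverVar` yields `[3, 3, 3]`; `mutationStaysInIteration` shows the counter still visiting 0, 1, 2 even though each closure later bumps its own copy to 10, 11, 12.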
3156
3157         * bytecompiler/NodesCodegen.cpp:
3158         (JSC::ResolveNode::emitBytecode):
3159         (JSC::FunctionCallResolveNode::emitBytecode):
3160         (JSC::PostfixNode::emitResolve):
3161         (JSC::DeleteResolveNode::emitBytecode):
3162         (JSC::TypeOfResolveNode::emitBytecode):
3163         (JSC::PrefixNode::emitResolve):
3164         (JSC::ReadModifyResolveNode::emitBytecode):
3165         (JSC::AssignResolveNode::emitBytecode):
3166         (JSC::BlockNode::emitBytecode):
3167         (JSC::ExprStatementNode::emitBytecode):
3168         (JSC::DeclarationStatement::emitBytecode):
3169         (JSC::EmptyVarExpression::emitBytecode):
3170         (JSC::EmptyLetExpression::emitBytecode):
3171         (JSC::ForNode::emitBytecode):
3172         (JSC::ForInNode::emitMultiLoopBytecode):
3173         (JSC::ForOfNode::emitBytecode):
3174         (JSC::SwitchNode::emitBytecode):
3175         (JSC::BindingNode::bindValue):
3176         (JSC::VarStatementNode::emitBytecode): Deleted.
3177         * debugger/DebuggerCallFrame.cpp:
3178         (JSC::DebuggerCallFrame::evaluate):
3179         * debugger/DebuggerScope.cpp:
3180         (JSC::DebuggerScope::getOwnPropertySlot):
3181         (JSC::DebuggerScope::put):
3182         * dfg/DFGByteCodeParser.cpp:
3183         (JSC::DFG::ByteCodeParser::parseBlock):
3184         * dfg/DFGCapabilities.cpp:
3185         (JSC::DFG::capabilityLevel):
3186         * dfg/DFGNode.h:
3187         (JSC::DFG::Node::castConstant):
3188         (JSC::DFG::Node::initializationValueForActivation):
3189         (JSC::DFG::Node::containsMovHint):
3190         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3191         CreateActivation nodes now have a second OpInfo that tracks the 
3192         initial value that needs to be placed in the activation. This initial value 
3193         is also used in allocation sinking to create proper bottom values for all 
3194         scope variables.
3195
3196         * dfg/DFGOperations.cpp:
3197         * dfg/DFGOperations.h:
3198         * dfg/DFGSpeculativeJIT.cpp:
3199         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
3200         * dfg/DFGSpeculativeJIT.h:
3201         (JSC::DFG::SpeculativeJIT::callOperation):
3202         * ftl/FTLIntrinsicRepository.h:
3203         * ftl/FTLLowerDFGToLLVM.cpp:
3204         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
3205         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
3206         * ftl/FTLOperations.cpp:
3207         (JSC::FTL::operationMaterializeObjectInOSR):
3208         * interpreter/Interpreter.cpp:
3209         (JSC::Interpreter::execute):
3210         * jit/CCallHelpers.h:
3211         (JSC::CCallHelpers::setupArgumentsWithExecState):
3212         * jit/JIT.cpp:
3213         (JSC::JIT::privateCompileMainPass):
3214         * jit/JIT.h:
3215         * jit/JITInlines.h:
3216         (JSC::JIT::callOperation):
3217         * jit/JITOpcodes.cpp:
3218         (JSC::JIT::emit_op_push_with_scope):
3219         (JSC::JIT::compileOpStrictEq):
3220         (JSC::JIT::emit_op_catch):
3221         (JSC::JIT::emit_op_create_lexical_environment):
3222         (JSC::JIT::emit_op_get_parent_scope):
3223         (JSC::JIT::emit_op_switch_imm):
3224         (JSC::JIT::emit_op_enter):
3225         (JSC::JIT::emit_op_get_scope):
3226         (JSC::JIT::emit_op_pop_scope): Deleted.
3227         * jit/JITOpcodes32_64.cpp:
3228         (JSC::JIT::emit_op_push_with_scope):
3229         (JSC::JIT::emit_op_to_number):
3230         (JSC::JIT::emit_op_catch):
3231         (JSC::JIT::emit_op_create_lexical_environment):
3232         (JSC::JIT::emit_op_get_parent_scope):
3233         (JSC::JIT::emit_op_switch_imm):
3234         (JSC::JIT::emit_op_enter):
3235         (JSC::JIT::emit_op_get_scope):
3236         (JSC::JIT::emit_op_pop_scope): Deleted.
3237         * jit/JITOperations.cpp:
3238         (JSC::canAccessArgumentIndexQuickly):
3239         * jit/JITOperations.h:
3240         * llint/LLIntSlowPaths.cpp:
3241         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3242         * llint/LLIntSlowPaths.h:
3243         * llint/LowLevelInterpreter.asm:
3244         * llint/LowLevelInterpreter32_64.asm:
3245         * llint/LowLevelInterpreter64.asm:
3246         * parser/ASTBuilder.h:
3247         (JSC::ASTBuilder::createSourceElements):
3248         (JSC::ASTBuilder::funcDeclarations):
3249         (JSC::ASTBuilder::features):
3250         (JSC::ASTBuilder::numConstants):
3251         (JSC::ASTBuilder::createConditionalExpr):
3252         (JSC::ASTBuilder::createAssignResolve):
3253         (JSC::ASTBuilder::createClassDeclStatement):
3254         (JSC::ASTBuilder::createBlockStatement):
3255         (JSC::ASTBuilder::createIfStatement):
3256         (JSC::ASTBuilder::createForLoop):
3257         (JSC::ASTBuilder::createForInLoop):
3258         (JSC::ASTBuilder::createForOfLoop):
3259         (JSC::ASTBuilder::isBindingNode):
3260         (JSC::ASTBuilder::createEmptyStatement):
3261         (JSC::ASTBuilder::createDeclarationStatement):
3262         (JSC::ASTBuilder::createVarStatement):
3263         (JSC::ASTBuilder::createLetStatement):
3264         (JSC::ASTBuilder::createEmptyVarExpression):
3265         (JSC::ASTBuilder::createEmptyLetExpression):
3266         (JSC::ASTBuilder::createReturnStatement):
3267         (JSC::ASTBuilder::createTryStatement):
3268         (JSC::ASTBuilder::createSwitchStatement):
3269         (JSC::ASTBuilder::appendStatement):
3270         (JSC::ASTBuilder::createCommaExpr):
3271         (JSC::ASTBuilder::appendObjectPatternEntry):
3272         (JSC::ASTBuilder::createBindingLocation):
3273         (JSC::ASTBuilder::setEndOffset):
3274         (JSC::ASTBuilder::Scope::Scope):
3275         (JSC::ASTBuilder::makeAssignNode):
3276         (JSC::ASTBuilder::varDeclarations): Deleted.
3277         (JSC::ASTBuilder::addVar): Deleted.
3278         * parser/Keywords.table:
3279         * parser/NodeConstructors.h:
3280         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
3281         (JSC::AssignResolveNode::AssignResolveNode):
3282         (JSC::ExprStatementNode::ExprStatementNode):
3283         (JSC::DeclarationStatement::DeclarationStatement):
3284         (JSC::EmptyVarExpression::EmptyVarExpression):
3285         (JSC::EmptyLetExpression::EmptyLetExpression):
3286         (JSC::IfElseNode::IfElseNode):
3287         (JSC::WhileNode::WhileNode):
3288         (JSC::ForNode::ForNode):
3289         (JSC::CaseBlockNode::CaseBlockNode):
3290         (JSC::SwitchNode::SwitchNode):
3291         (JSC::ConstDeclNode::ConstDeclNode):
3292         (JSC::BlockNode::BlockNode):
3293         (JSC::EnumerationNode::EnumerationNode):
3294         (JSC::ForInNode::ForInNode):
3295         (JSC::ForOfNode::ForOfNode):
3296         (JSC::ObjectPatternNode::create):
3297         (JSC::BindingNode::create):
3298         (JSC::BindingNode::BindingNode):
3299         (JSC::VarStatementNode::VarStatementNode): Deleted.
3300         * parser/Nodes.cpp:
3301         (JSC::ScopeNode::ScopeNode):
3302         (JSC::ScopeNode::singleStatement):
3303         (JSC::ProgramNode::ProgramNode):
3304         (JSC::EvalNode::EvalNode):
3305         (JSC::FunctionNode::FunctionNode):
3306         (JSC::FunctionNode::finishParsing):
3307         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
3308         * parser/Nodes.h:
3309         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
3310         (JSC::VariableEnvironmentNode::lexicalVariables):
3311         (JSC::ScopeNode::usesThis):
3312         (JSC::ScopeNode::needsActivationForMoreThanVariables):
3313         (JSC::ScopeNode::needsActivation):
3314         (JSC::ScopeNode::hasCapturedVariables):
3315         (JSC::ScopeNode::captures):
3316         (JSC::ScopeNode::varDeclarations):
3317         (JSC::ScopeNode::functionStack):
3318         (JSC::ScopeNode::neededConstants):
3319         (JSC::ProgramNode::startColumn):
3320         (JSC::ProgramNode::endColumn):
3321         (JSC::EvalNode::startColumn):
3322         (JSC::EvalNode::endColumn):
3323         (JSC::BindingNode::boundProperty):
3324         (JSC::BindingNode::divotStart):
3325         (JSC::BindingNode::divotEnd):
3326         (JSC::ScopeNode::capturedVariableCount): Deleted.
3327         (JSC::ScopeNode::capturedVariables): Deleted.
3328         (JSC::ScopeNode::varStack): Deleted.
3329         There is a new class called 'VariableEnvironmentNode' that has the
3330         necessary fields to model a lexical scope. Multiple AST nodes now 
3331         also inherit from VariableEnvironmentNode.
3332
3333         * parser/Parser.cpp:
3334         (JSC::Parser<LexerType>::parseInner):
3335         (JSC::Parser<LexerType>::didFinishParsing):
3336         (JSC::Parser<LexerType>::parseStatementListItem):
3337         (JSC::Parser<LexerType>::parseVariableDeclaration):
3338         (JSC::Parser<LexerType>::parseWhileStatement):
3339         (JSC::Parser<LexerType>::parseVariableDeclarationList):
3340         (JSC::Parser<LexerType>::createBindingPattern):
3341         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
3342         (JSC::Parser<LexerType>::parseDestructuringPattern):
3343         (JSC::Parser<LexerType>::parseConstDeclarationList):
3344         (JSC::Parser<LexerType>::parseForStatement):
3345         (JSC::Parser<LexerType>::parseBreakStatement):
3346         (JSC::Parser<LexerType>::parseContinueStatement):
3347         (JSC::Parser<LexerType>::parseSwitchStatement):
3348         (JSC::Parser<LexerType>::parseTryStatement):
3349         (JSC::Parser<LexerType>::parseBlockStatement):
3350         (JSC::Parser<LexerType>::parseStatement):
3351         (JSC::Parser<LexerType>::parseFunctionInfo):
3352         (JSC::Parser<LexerType>::parseClassDeclaration):
3353         (JSC::Parser<LexerType>::parseClass):
3354         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
3355         (JSC::Parser<LexerType>::parseAssignmentExpression):
3356         (JSC::Parser<LexerType>::parseGetterSetter):
3357         (JSC::Parser<LexerType>::parsePrimaryExpression):
3358         (JSC::Parser<LexerType>::parseVarDeclaration): Deleted.
3359         (JSC::Parser<LexerType>::parseVarDeclarationList): Deleted.
3360         * parser/Parser.h:
3361         (JSC::Scope::Scope):
3362         (JSC::Scope::setIsFunction):
3363         (JSC::Scope::isFunction):
3364         (JSC::Scope::isFunctionBoundary):
3365         (JSC::Scope::setIsLexicalScope):
3366         (JSC::Scope::isLexicalScope):
3367         (JSC::Scope::declaredVariables):
3368         (JSC::Scope::finalizeLexicalEnvironment):
3369         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
3370         (JSC::Scope::declareCallee):
3371         (JSC::Scope::declareVariable):
3372         (JSC::Scope::declareLexicalVariable):
3373         (JSC::Scope::hasDeclaredVariable):
3374         (JSC::Scope::hasLexicallyDeclaredVariable):
3375         (JSC::Scope::hasDeclaredParameter):
3376         (JSC::Scope::declareWrite):
3377         (JSC::Scope::preventAllVariableDeclarations):
3378         (JSC::Scope::preventVarDeclarations):
3379         (JSC::Scope::allowsVarDeclarations):
3380         (JSC::Scope::allowsLexicalDeclarations):
3381         (JSC::Scope::declareParameter):
3382         (JSC::Scope::declareBoundParameter):
3383         (JSC::Scope::useVariable):
3384         (JSC::Scope::setNeedsFullActivation):
3385         (JSC::Scope::needsFullActivation):
3386         (JSC::Scope::hasDirectSuper):
3387         (JSC::Scope::setNeedsSuperBinding):
3388         (JSC::Scope::collectFreeVariables):
3389         (JSC::Scope::getCapturedVars):
3390         (JSC::Scope::copyCapturedVariablesToVector):
3391         (JSC::Parser::AutoCleanupLexicalScope::AutoCleanupLexicalScope):
3392         (JSC::Parser::AutoCleanupLexicalScope::~AutoCleanupLexicalScope):
3393         (JSC::Parser::AutoCleanupLexicalScope::setIsValid):
3394         (JSC::Parser::AutoCleanupLexicalScope::isValid):
3395         (JSC::Parser::AutoCleanupLexicalScope::setPopped):
3396         (JSC::Parser::AutoCleanupLexicalScope::scope):
3397         (JSC::Parser::currentScope):
3398         (JSC::Parser::pushScope):
3399         (JSC::Parser::popScopeInternal):
3400         (JSC::Parser::popScope):
3401         (JSC::Parser::declareVariable):
3402         (JSC::Parser::hasDeclaredVariable):
3403         (JSC::Parser::hasDeclaredParameter):
3404         (JSC::Parser::declareWrite):
3405         (JSC::Parser::findCachedFunctionInfo):
3406         (JSC::Parser::isFunctionBodyNode):
3407         (JSC::Parser::continueIsValid):
3408         (JSC::Parser::pushLabel):
3409         (JSC::Parser::popLabel):
3410         (JSC::Parser::getLabel):
3411         (JSC::Parser::isLETMaskedAsIDENT):
3412         (JSC::Parser<LexerType>::parse):
3413         (JSC::Scope::preventNewDecls): Deleted.
3414         (JSC::Scope::allowsNewDecls): Deleted.
3415         (JSC::Scope::getCapturedVariables): Deleted.
3416         There are basic parser changes that now allow for the 'let'
3417         keyword. The trickiest change is how we will still treat 'let' 
3418         as an identifier for sloppy-mode code sometimes. For example,
3419         "var let = ..." is allowed but "let let" or "const let" is not.
3420
3421         The most significant change to the parser made for this patch
3422         is appropriating the Scope struct to also model a lexical
3423         scope. Changes were made in how we track captured variables to
3424         account for this. In general, I think some of this code could
3425         benefit from a slight refactoring to make things cleaner.
3426
3427         * parser/ParserTokens.h:
3428         * parser/SyntaxChecker.h:
3429         (JSC::SyntaxChecker::createNewExpr):
3430         (JSC::SyntaxChecker::createConditionalExpr):
3431         (JSC::SyntaxChecker::createAssignResolve):
3432         (JSC::SyntaxChecker::createEmptyVarExpression):
3433         (JSC::SyntaxChecker::createEmptyLetExpression):
3434         (JSC::SyntaxChecker::createClassExpr):
3435         (JSC::SyntaxChecker::createClassDeclStatement):
3436         (JSC::SyntaxChecker::createBlockStatement):
3437         (JSC::SyntaxChecker::createExprStatement):
3438         (JSC::SyntaxChecker::createIfStatement):
3439         (JSC::SyntaxChecker::createForLoop):
3440         (JSC::SyntaxChecker::createForInLoop):
3441         (JSC::SyntaxChecker::createForOfLoop):
3442         (JSC::SyntaxChecker::createEmptyStatement):
3443         (JSC::SyntaxChecker::createVarStatement):
3444         (JSC::SyntaxChecker::createLetStatement):
3445         (JSC::SyntaxChecker::createReturnStatement):
3446         (JSC::SyntaxChecker::createBreakStatement):
3447         (JSC::SyntaxChecker::createContinueStatement):
3448         (JSC::SyntaxChecker::createTryStatement):
3449         (JSC::SyntaxChecker::createSwitchStatement):
3450         (JSC::SyntaxChecker::createWhileStatement):
3451         (JSC::SyntaxChecker::createWithStatement):
3452         (JSC::SyntaxChecker::createDoWhileStatement):
3453         (JSC::SyntaxChecker::createGetterOrSetterProperty):
3454         (JSC::SyntaxChecker::appendStatement):
3455         (JSC::SyntaxChecker::combineCommaNodes):
3456         (JSC::SyntaxChecker::evalCount):
3457         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
3458         (JSC::SyntaxChecker::operatorStackPop):
3459         (JSC::SyntaxChecker::addVar): Deleted.
3460         * parser/VariableEnvironment.cpp: Added.
3461         (JSC::VariableEnvironment::markVariableAsCapturedIfDefined):
3462         (JSC::VariableEnvironment::markVariableAsCaptured):
3463         (JSC::VariableEnvironment::markAllVariablesAsCaptured):
3464         (JSC::VariableEnvironment::hasCapturedVariables):
3465         (JSC::VariableEnvironment::captures):
3466         (JSC::VariableEnvironment::swap):
3467         * parser/VariableEnvironment.h: Added.
3468         (JSC::VariableEnvironmentEntry::isCaptured):
3469         (JSC::VariableEnvironmentEntry::isConstant):
3470         (JSC::VariableEnvironmentEntry::isVar):
3471         (JSC::VariableEnvironmentEntry::isLet):
3472         (JSC::VariableEnvironmentEntry::setIsCaptured):
3473         (JSC::VariableEnvironmentEntry::setIsConstant):
3474         (JSC::VariableEnvironmentEntry::setIsVar):
3475         (JSC::VariableEnvironmentEntry::setIsLet):
3476         (JSC::VariableEnvironmentEntry::clearIsVar):
3477         (JSC::VariableEnvironment::begin):
3478         (JSC::VariableEnvironment::end):
3479         (JSC::VariableEnvironment::add):
3480         (JSC::VariableEnvironment::size):
3481         (JSC::VariableEnvironment::contains):
3482         (JSC::VariableEnvironment::remove):
3483         VariableEnvironment is a new class that keeps track
3484         of the static environment in the parser and the bytecode generator.
3485         VariableEnvironment behaves like SymbolTable but for the bytecode generator.
3486         It keeps track of variable types, i.e., if a variable is a "var", "let", "const"
3487         and whether or not it's captured.
3488
3489         * runtime/CodeCache.cpp:
3490         (JSC::CodeCache::getGlobalCodeBlock):
3491         (JSC::CodeCache::getProgramCodeBlock):
3492         (JSC::CodeCache::getEvalCodeBlock):
3493         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3494         * runtime/CodeCache.h:
3495         (JSC::CodeCache::clear):
3496         * runtime/CommonSlowPaths.cpp:
3497         (JSC::SLOW_PATH_DECL):
3498         * runtime/CommonSlowPaths.h:
3499         * runtime/ExceptionHelpers.cpp:
3500         (JSC::createErrorForInvalidGlobalAssignment):
3501         (JSC::createTDZError):
3502         (JSC::throwOutOfMemoryError):
3503         * runtime/ExceptionHelpers.h:
3504         * runtime/Executable.cpp:
3505         (JSC::EvalExecutable::create):
3506         (JSC::ProgramExecutable::initializeGlobalProperties):
3507         * runtime/Executable.h:
3508         * runtime/JSCJSValue.h:
3509         (JSC::jsUndefined):
3510         (JSC::jsTDZValue):
3511         (JSC::jsBoolean):
3512         * runtime/JSEnvironmentRecord.h:
3513         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
3514         (JSC::JSEnvironmentRecord::finishCreation):
3515         * runtime/JSGlobalObject.cpp:
3516         (JSC::JSGlobalObject::createProgramCodeBlock):
3517         (JSC::JSGlobalObject::createEvalCodeBlock):
3518         * runtime/JSGlobalObject.h:
3519         (JSC::JSGlobalObject::weakRandomInteger):
3520         * runtime/JSGlobalObjectFunctions.cpp:
3521         (JSC::globalFuncEval):
3522         * runtime/JSLexicalEnvironment.cpp:
3523         (JSC::JSLexicalEnvironment::symbolTableGet):
3524         * runtime/JSLexicalEnvironment.h:
3525         (JSC::JSLexicalEnvironment::create):
3526         * runtime/JSScope.cpp:
3527         (JSC::JSScope::resolve):
3528         (JSC::JSScope::abstractResolve):
3529         (JSC::JSScope::collectVariablesUnderTDZ):
3530         (JSC::JSScope::isLexicalScope):
3531         (JSC::resolveModeName):
3532         * runtime/JSScope.h:
3533         * runtime/PropertySlot.h:
3534         (JSC::PropertySlot::setValue):
3535         * runtime/SymbolTable.cpp:
3536         (JSC::SymbolTable::SymbolTable):
3537         (JSC::SymbolTable::cloneScopePart):
3538         * runtime/SymbolTable.h:
3539         SymbolTable now uses an extra bit to know if it corresponds
3540         to a "let"-like environment or not.
3541
3542         * runtime/WriteBarrier.h:
3543         (JSC::WriteBarrierBase<Unknown>::get):
3544         (JSC::WriteBarrierBase<Unknown>::clear):
3545         (JSC::WriteBarrierBase<Unknown>::setUndefined):
3546         (JSC::WriteBarrierBase<Unknown>::setStartingValue):
3547         (JSC::WriteBarrierBase<Unknown>::isNumber):
3548         (JSC::WriteBarrierBase<Unknown>::isObject):
3549         (JSC::WriteBarrierBase<Unknown>::isNull):
3550         * tests/stress/activation-sink-default-value-tdz-error.js: Added.
3551         (shouldThrowTDZ):
3552         (bar):
3553         (foo.cap):
3554         * tests/stress/activation-sink-osrexit-default-value-tdz-error.js: Added.
3555         (shouldThrowTDZ):
3556         (bar):
3557         * tests/stress/lexical-let-and-with-statement.js: Added.
3558         (truth):
3559         (assert):
3560         (.):
3561         * tests/stress/lexical-let-exception-handling.js: Added.
3562         (truth):
3563         (assert):
3564         (.):
3565         * tests/stress/lexical-let-global-not-captured-variables.js: Added.
3566         (truth):
3567         (assert):
3568         (foo):
3569         (.let.capY):
3570         * tests/stress/lexical-let-loop-semantics.js: Added.
3571         (truth):
3572         (assert):
3573         (shouldThrowTDZ):
3574         (.):
3575         * tests/stress/lexical-let-not-strict-mode.js: Added.
3576         (truth):
3577         (assert):
3578         (shouldThrowTDZ):
3579         (.):
3580         * tests/stress/lexical-let-semantics.js: Added.
3581         (truth):
3582         (assert):
3583         (let.globalFunction):
3584         (let.retGlobalNumberCaptured):
3585         (let.setGlobalNumberCaptured):
3586         (.):
3587         * tests/stress/lexical-let-tdz.js: Added.
3588         (truth):
3589         (assert):
3590         (shouldThrowTDZ):
3591         (.):
3592
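As an added illustration (not part of this ChangeLog or of the JavaScriptCore sources), the following JavaScript checks the 'let' rules the entry above describes: "var let" parses in sloppy mode while "let let" and "const let" do not, a 'let' binding read before its declaration raises the TDZ ReferenceError, and each loop iteration gets its own binding. The helper names (parsesInSloppyMode, throwsTDZ and the rest) are ours; only the shape of shouldThrowTDZ from the test list above is borrowed.

```javascript
// Added example (not from the WebKit ChangeLog or the JSC sources): it exercises, in
// plain JavaScript, the 'let' rules the parser entry above describes and the TDZ
// behaviour its stress tests check. Every helper name here is ours, not JSC's.

// Compile a sloppy-mode function body via the Function constructor and report whether
// the engine's parser accepted it. Function bodies are never strict unless they say so,
// so this probes the sloppy-mode rules independently of how this file itself is run.
// The source strings are constants in this file; nothing external is ever compiled.
function parsesInSloppyMode(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in this example, not a parse result
  }
}

// "var let = ..." is legal in sloppy mode: 'let' is still usable as an identifier.
function varLetIsAccepted() {
  return parsesInSloppyMode("var let = 1; return let;");
}

// "let let" and "const let" are rejected: 'let' may not be a lexically bound name.
function letLetIsRejected() {
  return !parsesInSloppyMode("let let = 1;") && !parsesInSloppyMode("const let = 1;");
}

// In strict mode 'let' is a reserved word, so even "var let" fails to parse.
function varLetIsRejectedInStrictMode() {
  return !parsesInSloppyMode("'use strict'; var let = 1;");
}

// Run fn and report whether it threw the ReferenceError that a temporal-dead-zone
// access produces (the same shape as the shouldThrowTDZ helper named in the test list).
function throwsTDZ(fn) {
  try {
    fn();
  } catch (e) {
    return e instanceof ReferenceError;
  }
  return false;
}

// Reading a 'let' binding before its declaration has run is a TDZ error, even when the
// read happens through a closure that captured the binding while it was uninitialised.
function readBeforeInitThrows() {
  return throwsTDZ(() => {
    const peek = () => x; // captures x, which is hoisted but not yet initialised
    peek();
    let x = 1;
    return x;
  });
}

// Once the declaration has executed, the same read through a closure is fine.
function readAfterInitIsFine() {
  return !throwsTDZ(() => {
    let x = 1;
    const peek = () => x;
    return peek();
  });
}

// Each loop iteration gets its own 'let' binding; a 'var' loop variable is shared.
function loopBindingsArePerIteration() {
  const viaLet = [];
  for (let i = 0; i < 3; i++) viaLet.push(() => i);
  const viaVar = [];
  for (var j = 0; j < 3; j++) viaVar.push(() => j);
  return {
    perIteration: viaLet.map((f) => f()), // [0, 1, 2]
    shared: viaVar.map((f) => f()),       // [3, 3, 3]
  };
}
```
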
3593 2015-07-15  Anders Carlsson  <andersca@apple.com>
3594
3595         Make JavaScriptCore SPI headers used by WebCore SPI headers self-contained
3596         https://bugs.webkit.org/show_bug.cgi?id=146978
3597
3598         Reviewed by Dan Bernstein.
3599
3600         * debugger/DebuggerPrimitives.h:
3601         * disassembler/Disassembler.h:
3602         * heap/Weak.h:
3603         * inspector/InspectorValues.h:
3604         * runtime/JSCJSValue.h:
3605
3606 2015-07-14  Anders Carlsson  <andersca@apple.com>
3607
3608         Assertions.h should include ExportMacros.h
3609         https://bugs.webkit.org/show_bug.cgi?id=146948
3610
3611         Reviewed by Tim Horton.
3612
3613         Remove now unneeded WTF_EXPORT_PRIVATE define.
3614
3615         * API/JSBase.h:
3616
3617 2015-07-14  Matthew Mirman  <mmirman@apple.com>
3618
3619         Repatch. Makes compileArithSub in the DFG ensure that the constant is an int32.
3620         https://bugs.webkit.org/show_bug.cgi?id=146910
3621         rdar://problem/21729083
3622
3623         Reviewed by Filip Pizlo.
3624         
3625         Also fixes the debug build problem where all edges are assumed to 
3626         have UntypedUse before the fixup phase.
3627
3628         * dfg/DFGSpeculativeJIT.cpp:
3629         (JSC::DFG::SpeculativeJIT::compileArithSub):
3630         * dfg/DFGValidate.cpp:
3631         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
3632         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
3633         (arithAdd42WrittenAsInteger):
3634         (testArithAdd42WrittenAsInteger):
3635         (arithSub42WrittenAsDouble):
3636         (testArithSub42WrittenAsDouble):
3637         (doubleConstant):
3638         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
3639         (arithAdd42WrittenAsDouble): Deleted.
3640         (testArithAdd42WrittenAsDouble): Deleted.
3641
3642 2015-07-14  Matthew Mirman  <mmirman@apple.com>
3643
3644         Unreviewed, rolling out r186805.
3645
3646         Made raytracer on octane 80% slower
3647
3648         Reverted changeset:
3649
3650         "Makes compileArithSub in the DFG ensure that the constant is
3651         an int32."
3652         https://bugs.webkit.org/show_bug.cgi?id=146910
3653         http://trac.webkit.org/changeset/186805
3654
3655 2015-07-13  Matthew Mirman  <mmirman@apple.com>
3656
3657         Makes compileArithSub in the DFG ensure that the constant is an int32.
3658         https://bugs.webkit.org/show_bug.cgi?id=146910
3659         rdar://problem/21729083
3660
3661         Reviewed by Filip Pizlo.
3662         
3663         Also fixes the debug build problem where all edges are assumed to 
3664         have UntypedUse before the fixup phase.
3665
3666         * dfg/DFGSpeculativeJIT.cpp:
3667         (JSC::DFG::SpeculativeJIT::compileArithSub):
3668         * dfg/DFGValidate.cpp:
3669         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
3670         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
3671         (arithAdd42WrittenAsInteger):
3672         (testArithAdd42WrittenAsInteger):
3673         (arithSub42WrittenAsDouble):
3674         (testArithSub42WrittenAsDouble):
3675         (doubleConstant):
3676         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
3677         (arithAdd42WrittenAsDouble): Deleted.
3678         (testArithAdd42WrittenAsDouble): Deleted.
3679
3680 2015-07-13  Basile Clement  <basile_clement@apple.com>
3681
3682         Object cycles should not prevent allocation elimination/sinking
3683         https://bugs.webkit.org/show_bug.cgi?id=143073
3684
3685         Reviewed by Filip Pizlo.
3686
3687         This patch introduces a new allocation sinking phase that is able to
3688         sink cycles, in DFGAllocationCycleSinkingPhase.cpp. This phase
3689         supersedes the old allocation sinking phase in
3690         DFGObjectAllocationSinkingPhase.cpp, as that previous phase was never
3691         able to sink allocation cycles while the new phase sometimes can; see
3692         DFGAllocationCycleSinkingPhase.cpp for details.
3693
3694         For now, the new sinking phase is kept behind a
3695         JSC_enableAllocationCycleSinking flag that reverts to the old sinking
3696         phase when false (i.e., by default). This also removes the old
3697         JSC_enableObjectAllocationSinking flag. run-javascriptcore-tests
3698         defaults to using the new sinking phase.
3699
3700         * dfg/DFGGraph.h:
3701         (JSC::DFG::Graph::addStructureSet): Allow empty structure sets
3702         * dfg/DFGLazyNode.cpp:
3703         (JSC::DFG::LazyNode::dump): Prettier dump
3704         * dfg/DFGNode.h:
3705         (JSC::DFG::Node::cellOperand): Move to opInfo for MaterializeCreateActivation
3706         (JSC::DFG::Node::hasStructureSet): Add MaterializeNewObject
3707         (JSC::DFG::Node::objectMaterializationData): Move to opInfo2
3708         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Remove unused header
3709         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3710         (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase): Deleted.
3711         (JSC::DFG::ObjectAllocationSinkingPhase::run): Deleted.
3712         (JSC::DFG::ObjectAllocationSinkingPhase::performSinking): Deleted.
3713         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): Deleted.
3714         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): Deleted.
3715         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): Deleted.
3716         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): Deleted.
3717         (JSC::DFG::ObjectAllocationSinkingPhase::resolve): Deleted.
3718         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): Deleted.
3719         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): Deleted.
3720         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): Deleted.
3721         * dfg/DFGObjectAllocationSinkingPhase.h:
3722         * dfg/DFGPromotedHeapLocation.h: Add a hash and a helper function to PromotedLocationDescriptor
3723         (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
3724         (JSC::DFG::PromotedLocationDescriptor::operator bool):
3725         (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization):
3726         (JSC::DFG::PromotedLocationDescriptorHash::hash):
3727         (JSC::DFG::PromotedLocationDescriptorHash::equal):
3728         * dfg/DFGValidate.cpp:
3729         (JSC::DFG::Validate::validateSSA): Assert that most nodes never see a phantom allocation
3730         * ftl/FTLLowerDFGToLLVM.cpp:
3731         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeNewObject): Use the new structureSet() operand
3732         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation): Node has a new child
3733         * ftl/FTLOSRExitCompiler.cpp: Handle materialization cycles
3734         (JSC::FTL::compileStub):
3735         * ftl/FTLOperations.cpp: Handle materialization cycles
3736         (JSC::FTL::operationPopulateObjectInOSR):
3737         (JSC::FTL::operationMaterializeObjectInOSR):
3738         * ftl/FTLOperations.h: Handle materialization cycles
3739         * tests/stress/correctly-sink-object-even-though-it-dies.js: Added.
3740         (clobber):
3741         (foo):
3742         * tests/stress/eliminate-object-read-over-call.js: Added.
3743         (clobber):
3744         (foo):
3745         * tests/stress/materialize-object-on-edge.js: Added.
3746         (call):
3747         (foo):
3748         * tests/stress/object-sinking-stress.js: Added.
3749         (foo):
3750         * tests/stress/sink-object-cycle.js: Added.
3751         (clobber):
3752         (foo):
3753         * tests/stress/sink-object-past-put.js: Added.
3754         (clobber):
3755         (foo):
3756         * tests/stress/sinkable-new-object-in-loop.js: Added.
3757         (foo):
3758
3759 2015-07-13  Daniel Bates  <dabates@apple.com>
3760
3761         Cleanup: Avoid extraneous increment and decrement of reference count of ScriptArguments in ConsoleClient
3762         https://bugs.webkit.org/show_bug.cgi?id=146920
3763
3764         Reviewed by Brian Burg.
3765
3766         Remove local variable RefPtr<ScriptArguments> and copy constructor call with an argument that
3767         was initialized with an rvalue reference. The argument itself is an lvalue reference.
3768
3769         * runtime/ConsoleClient.cpp:
3770         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3771         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
3772
3773 2015-07-13  Anders Carlsson  <andersca@apple.com>
3774
3775         Apps linked with a deployment target of iOS 7.x or earlier crash when using modern WebKit API
3776         https://bugs.webkit.org/show_bug.cgi?id=146913
3777         rdar://problem/21789252
3778
3779         Reviewed by Dan Bernstein.
3780
3781         Make a top-level symlink from /System/Library/PrivateFrameworks/JavaScriptCore.framework to
3782         /System/Library/Frameworks/JavaScriptCore.framework.
3783     
3784         * JavaScriptCore.xcodeproj/project.pbxproj:
3785
3786 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
3787
3788         If Watchpoint::fire() looks at the state of the world, it should definitely see its set invalidated, and maybe it should see the object of interest in the transitioned-to state
3789         https://bugs.webkit.org/show_bug.cgi?id=146897
3790
3791         Reviewed by Mark Lam.
3792         
3793         The idea is to eventually support adaptive watchpoints. An adaptive watchpoint will be
3794         able to watch for a condition that is more fine-grained than any one watchpoint set. For
3795         example, we might watch a singleton object to see if it ever acquires a property called
3796         "foo". So long as it doesn't have such a property, we don't want to invalidate any code.
3797         But if it gets that property, then we should deoptimize. Current watchpoints will
3798         invalidate code as soon as any property is added (or deleted), because they will use the
3799         transition watchpoint set of the singleton object's structure, and that fires anytime
3800         there is any transition.
3801         
3802         An adaptive watchpoint would remember the singleton object, and when it got fired, it
3803         would check if the object's new structure has the property "foo". If not, it would check
3804         if the object's new structure is watchable (i.e. has a valid transition watchpoint set).
3805         If the property is missing and the structure is watchable, it would add itself to the
3806         watchpoint set of the new structure. Otherwise, it would deoptimize.
3807         
3808         There are two problems with this idea, and this patch fixes these problems. First, we
3809         usually fire the transition watchpoint before we do the structure transition. This means
3810         that if the fire() method looked at the singleton object's structure, it would see the old
3811         structure, not the new one. It would have no way of knowing what the new structure is.
3812         Second, inside the fire() method, the watchpoint set being invalidated still appears
3813         valid, since we change the state after we fire all watchpoints.
3814         
3815         This patch addresses both issues. Now, in the most important case (addPropertyTransition),
3816         we fire the watchpoint set after we have modified the object. This is accomplished using
3817         a deferral scope called DeferredStructureTransitionWatchpointFire. In cases where there is
3818         no deferral, the adaptive watchpoint will conservatively resort to deoptimization because
3819         it would find that the singleton object's structure is no longer watchable. This is
3820         because in the absence of deferral, the singleton object would still have the original
3821         structure, but that structure's watchpoint set would now report itself as having been
3822         invalidated.
3823
3824         * bytecode/Watchpoint.cpp:
3825         (JSC::WatchpointSet::fireAllSlow): Change the state of the set before firing all watchpoints.
3826         (JSC::WatchpointSet::fireAllWatchpoints):
3827         * runtime/JSObject.h:
3828         (JSC::JSObject::putDirectInternal): Use the deferral scope.
3829         * runtime/Structure.cpp:
3830         (JSC::Structure::Structure): Pass the deferral scope to didTransitionFromThisStructure.
3831         (JSC::Structure::addPropertyTransition): Pass the deferral scope to create().
3832         (JSC::StructureFireDetail::dump): This is no longer anonymous.
3833         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire): Start with a null structure.
3834         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire): Fire the watchpoint if there is a structure.
3835         (JSC::DeferredStructureTransitionWatchpointFire::add): Add a structure. Logically this is a list of deferred things, but we assert that there only will be one (happens to be true now).
3836         (JSC::Structure::didTransitionFromThisStructure): Defer the watchpoint firing if there is a deferral scope.
3837         * runtime/Structure.h:
3838         (JSC::StructureFireDetail::StructureFireDetail): Move this to the header.
3839         * runtime/StructureInlines.h:
3840         (JSC::Structure::create): Pass the deferral scope to the constructor.
3841
3842 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
3843
3844         Watchpoints should be removed from their owning WatchpointSet before they are fired
3845         https://bugs.webkit.org/show_bug.cgi?id=146895
3846
3847         Reviewed by Sam Weinig.
3848         
3849         This simplifies the WatchpointSet API by making it so that when Watchpoint::fire() is
3850         called, the Watchpoint is no longer in the set. This means that you don't have to remember
3851         to remove it from the set's list (currently we do that implicitly as part of whatever
3852         any particular Watchpoint::fireInternal() does), and you can now write adaptive
3853         watchpoints that re-add themselves to a different set if they determine that the thing
3854         they are actually watching is still intact but now needs to be watched in a different way
3855         (like watching for whether some singleton object has a property of some name).
3856
3857         * bytecode/Watchpoint.cpp:
3858         (JSC::Watchpoint::~Watchpoint): Add a comment about why this is necessary.
3859         (JSC::Watchpoint::fire): Make this out-of-line, private, and make it assert that we're no longer on the list.
3860         (JSC::WatchpointSet::fireAllWatchpoints): Make this remove the watchpoint from the list before firing it.
3861         * bytecode/Watchpoint.h:
3862         (JSC::Watchpoint::fire): Deleted. I moved this to Watchpoint.cpp.
3863
3864 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
3865
3866         DFG::DesiredWatchpoints should accept WatchpointSetType's that aren't necessarily pointers
3867         https://bugs.webkit.org/show_bug.cgi?id=146875
3868
3869         Reviewed by Dan Bernstein.
3870         
3871         In the future we'll want to add a desired watchpoint set that's something like "please
3872         watch property 'Foo' for 'deletion' on structure 'S1'", so that the "set type" is struct
3873         like "struct MySet { StringImpl* property; Mode mode; Structure* structure };".
3874         
3875         This is a very mechanical change for now - all of the current users happen to use sets
3876         that are pointer typed, so it's just a matter of moving some "*"'s around.
3877
3878         * dfg/DFGDesiredWatchpoints.h:
3879         (JSC::DFG::GenericSetAdaptor::add):
3880         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
3881         (JSC::DFG::GenericDesiredWatchpoints::GenericDesiredWatchpoints):
3882         (JSC::DFG::GenericDesiredWatchpoints::addLazily):
3883         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
3884         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
3885         (JSC::DFG::GenericDesiredWatchpoints::isWatched):
3886         (JSC::DFG::DesiredWatchpoints::isWatched):
3887
3888 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
3889
3890         Watchpoints should be allocated with FastMalloc
3891         https://bugs.webkit.org/show_bug.cgi?id=146874
3892
3893         Reviewed by Dan Bernstein.