[ES6] Allow undefined/null for Symbol.search and Symbol.match
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Allow undefined/null for Symbol.search and Symbol.match
        https://bugs.webkit.org/show_bug.cgi?id=155785

        Reviewed by Saam Barati.

        Undefined and null for Symbol.search and Symbol.match properties of the given RegExp (like) object are allowed.
        When they are specified, we go to the fallback path; creating the RegExp with the given object and matching.

        * builtins/StringPrototype.js:
        (match):
        (search):
        * tests/stress/string-symbol-customization.js: Added.
        (shouldBe):
        (shouldThrow):

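The dispatch rule this entry implements, as an added example that is not part of the ChangeLog or of WebKit's own code: a callable `Symbol.match`/`Symbol.search` is used as-is, `undefined` or `null` falls back to `RegExp(obj)` built from `ToString(obj)`, and any other non-callable value is a TypeError. The helper names (`regExpLike`, `matchWith`, `searchWith`, `describeMatchDispatch`) and the constructed pattern `"na"` are this example's own.

```javascript
// Added example (not WebKit code): how String.prototype.match and
// String.prototype.search dispatch on Symbol.match / Symbol.search, including
// the fallback path for undefined/null described in the ChangeLog entry.
// Helper names below are this example's own.

// A "RegExp-like" object: its string form is used as the pattern whenever no
// custom Symbol.match / Symbol.search method is present (constructed input).
function regExpLike(symbolValues) {
  return {
    ...symbolValues,
    toString() { return "na"; }, // RegExp(obj) uses ToString(obj) as the pattern
  };
}

// Run String.prototype.match against a probe whose Symbol.match is the given
// value and report either the result or the class of the error thrown.
function matchWith(symbolMatchValue) {
  const probe = regExpLike({ [Symbol.match]: symbolMatchValue });
  try {
    return { value: "banana".match(probe) };
  } catch (e) {
    return { error: e.constructor.name };
  }
}

// Same for String.prototype.search / Symbol.search.
function searchWith(symbolSearchValue) {
  const probe = regExpLike({ [Symbol.search]: symbolSearchValue });
  try {
    return { value: "banana".search(probe) };
  } catch (e) {
    return { error: e.constructor.name };
  }
}

function describeMatchDispatch() {
  return {
    // Callable: String.prototype.match delegates to it and returns its result.
    custom: matchWith(function (s) { return `custom:${s}`; }).value,
    // undefined / null: GetMethod yields undefined, so the engine builds
    // RegExp(probe) from ToString(probe) ("na") and matches with that.
    undef: matchWith(undefined).value,
    nul: matchWith(null).value,
    // Any other non-callable value makes GetMethod throw a TypeError.
    number: matchWith(42).error,
    // The same three cases for search.
    searchNull: searchWith(null).value,
    searchCustom: searchWith(function () { return -7; }).value,
    searchNumber: searchWith("nope").error,
  };
}
```

`describeMatchDispatch()` returns `{ custom: "custom:banana", undef: ["na"] at index 2, nul: ["na"], number: "TypeError", searchNull: 2, searchCustom: -7, searchNumber: "TypeError" }`; the `undefined`/`null` rows are the fallback path the entry adds.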
2016-03-22  Caitlin Potter  <caitp@igalia.com>

        [JSC] correctly handle indexed properties in Object.getOwnPropertyDescriptors
        https://bugs.webkit.org/show_bug.cgi?id=155563

        Reviewed by Saam Barati.

        * runtime/JSObject.h:
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptors):

2016-03-22  Saam Barati  <sbarati@apple.com>

        We should FTL compile code when the debugger is enabled
        https://bugs.webkit.org/show_bug.cgi?id=155740

        Reviewed by Oliver Hunt.

        There was no fundamental reason why we didn't support debugging
        with the FTL. It looks like this was just an oversight. We had
        a Breakpoint node in the DFG that amounted to a nop. By removing
        this node, we now support debugging in the FTL. Anytime a breakpoint
        is set, we will jettison any DFG/FTL CodeBlocks that contain the breakpoint
        that was set.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-03-22  Keith Miller  <keith_miller@apple.com>

        REGRESSION(r197543): Use-after-free on storage/indexeddb/transaction-abort-private.html
        https://bugs.webkit.org/show_bug.cgi?id=155067

        Reviewed by Filip Pizlo.

        GCIncomingRefCountedSets need to be finalized before we start
        destructing members of the Heap object. Previously, we would
        clear all our ArrayBuffer objects when the GCIncomingRefCountedSet
        holding them was destroyed. However, ArrayBuffers have a weak
        reference to their wrappers. When we would attempt to destroy the
        ArrayBuffer object we would end up accessing the WeakImpl for
        the weak reference, which had already been freed as we destroyed
        our weak block. The solution to this is to move the old
        GCIncomingRefCountedSet destructor functionality to a new
        function lastChanceToFinalize. This function is called when
        we finalize our other objects on Heap destruction.

        * heap/GCIncomingRefCountedSet.h:
        * heap/GCIncomingRefCountedSetInlines.h:
        (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
        (JSC::GCIncomingRefCountedSet<T>::~GCIncomingRefCountedSet): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):

2016-03-22  Per Arne Vollan  <peavo@outlook.com>

        [Win] [64-bit] Remove MSVC 2013 FMA3 Bug Workaround
        https://bugs.webkit.org/show_bug.cgi?id=141499

        Reviewed by Brent Fulgham.

        As we have moved on to VS2015, this workaround is no longer needed.

        * API/tests/testapi.c:
        (main):
        * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp:
        (wWinMain):
        * jsc.cpp:
        (main):
        * testRegExp.cpp:
        (main):

2016-03-22  Michael Saboff  <msaboff@apple.com>

        [ES6] Implement RegExp.prototype[@@match]
        https://bugs.webkit.org/show_bug.cgi?id=155711

        Reviewed by Filip Pizlo.

        Implemented ES6 spec for String.prototype.match and RegExp.prototype[@@match].
        Implemented both as builtins, with String.prototype.match calling
        RegExp.prototype[@@match].

        For performance reasons, RegExp.prototype[@@match] has a C++ fast path when
        RegExp.prototype.exec has not been overridden.  This fast path,
        RegExpObject::matchGlobal, was taken from the prior StringPrototype::match.
        It only handles global matches.

        Added new test, stress/regexp-match.js.

        Updated various tests for changed exception strings and now-passing ES6 behavior.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Added builtins/RegExpPrototype.js and eliminated RegExpPrototype.lut.h.

        * builtins/RegExpPrototype.js: Added.
        (match.advanceStringIndexUnicode): Helper.
        (match): Implements RegExp.prototype[@@match].
        * builtins/StringPrototype.js:
        (match): Implements String.prototype.match.

        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * runtime/CommonIdentifiers.h:
        Added Symbol.match and builtins @match and @exec.

        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::matchGlobal): Added.
        (JSC::RegExpObject::advanceStringUnicode): Added helper.

        * runtime/RegExpPrototype.cpp:
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::RegExpPrototype):
        (JSC::RegExpPrototype::finishCreation):
        (JSC::RegExpPrototype::visitChildren):
        (JSC::regExpProtoFuncMatchPrivate):
        (JSC::RegExpPrototype::getOwnPropertySlot): Deleted.
        (JSC::RegExpPrototype::create):
        Restructured to create properties explicitly due to having two names for native regExpProtoFuncExec.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        Made match a builtin.
        Removed unused declaration of stringProtoFuncSearch() since it was made a builtin.

        * tests/es6.yaml:
        * tests/stress/regexp-match.js: Added.
        (shouldBe):
        (shouldThrow):
        (errorKey.toString):
        (primitive.of.primitives.shouldThrow):
        (testRegExpMatch):
        (testMatch):
        (testBoth):
        (alwaysUnmatch):

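The observable contract of the ES6 `String.prototype.match` → `RegExp.prototype[@@match]` → `exec` chain that this entry implements, as an added example (not code from the ChangeLog or from WebKit). It shows the non-global and global paths, that an overridden `exec` is honoured (which is why the C++ fast path must be guarded on `exec` being unmodified), and the unicode-aware `advanceStringIndex` step on empty matches. The function names are this example's own.

```javascript
// Added example (not WebKit code): observable behaviour of the ES6
// String.prototype.match -> RegExp.prototype[Symbol.match] -> exec chain.
// Helper names are this example's own; inputs are constructed.

// 1. Non-global: @@match returns the single exec result (with index/input).
function nonGlobalMatch() {
  const m = "banana".match(/an/);
  return { first: m[0], index: m.index, count: m.length };
}

// 2. Global: @@match resets lastIndex to 0, loops over exec until it yields
//    null, and collects only the matched substrings.
function globalMatch() {
  const rx = /a/g;
  rx.lastIndex = 4; // ignored: @@match sets lastIndex to 0 before the loop
  const all = "banana".match(rx);
  return { all, lastIndexAfter: rx.lastIndex }; // exec failure resets lastIndex to 0
}

// 3. exec is looked up as an ordinary property, so an instance override is
//    observed by match. An engine fast path that skips exec is only valid
//    while exec is the unmodified builtin.
function execOverrideIsObserved() {
  const rx = /a/g;
  let calls = 0;
  rx.exec = function (s) {
    calls += 1;
    return RegExp.prototype.exec.call(this, s);
  };
  const all = "banana".match(rx);
  return { all, calls }; // 3 matches + the final null result = 4 calls
}

// 4. On an empty match, @@match advances lastIndex by one code point with /u
//    and by one code unit without it (AdvanceStringIndex), so a surrogate
//    pair is one position or two.
function emptyMatchAdvance() {
  const s = "\u{1F600}"; // one astral code point, two UTF-16 code units
  return {
    unicode: s.match(/(?:)/gu).length,    // positions 0 and 2
    nonUnicode: s.match(/(?:)/g).length,  // positions 0, 1 and 2
  };
}
```

Expected: `nonGlobalMatch()` gives `"an"` at index 1; `globalMatch().all` is `["a", "a", "a"]` with `lastIndexAfter` 0; `execOverrideIsObserved().calls` is 4; `emptyMatchAdvance()` is `{ unicode: 2, nonUnicode: 3 }`.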
2016-03-22  Caitlin Potter  <caitp@igalia.com>

        [JSC] allow duplicate property names returned from Proxy ownKeys() trap
        https://bugs.webkit.org/show_bug.cgi?id=155560

        Reviewed by Darin Adler.

        Specification allows duplicate property names to be reported by the
        Proxy ownKeys() trap --- and this is observable in any API which
        operates on the returned list, such as Object.keys(),
        Object.getOwnPropertyNames(), Object.getOwnPropertySymbols(), or
        Object.getOwnPropertyDescriptors().

        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::addUnchecked):
        (JSC::PropertyNameArray::add):
        (JSC::PropertyNameArray::addKnownUnique): Deleted.
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):

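The ES2015 text this entry implements let the `ownKeys` trap report a key twice and passed the duplicates through to the APIs listed above. The specification was later changed (ES2018) so that a Proxy's [[OwnPropertyKeys]] throws a TypeError when the trap result contains duplicate entries, which is what current engines do. The added example below (not part of the ChangeLog or of WebKit) runs the same three APIs through a Proxy and records that check; the helper names are this example's own.

```javascript
// Added example (not WebKit code): what Object.keys, Object.getOwnPropertyNames
// and Object.getOwnPropertyDescriptors observe when a Proxy ownKeys trap
// returns a list with a repeated key. Helper names are this example's own.

function enumerateThroughProxy(keysFromTrap) {
  const target = { a: 1 }; // constructed target; "a" is configurable
  const proxy = new Proxy(target, {
    ownKeys() { return keysFromTrap; },
  });
  // Every one of these APIs funnels through proxy.[[OwnPropertyKeys]].
  const apis = [
    ["keys", Object.keys],
    ["getOwnPropertyNames", Object.getOwnPropertyNames],
    ["getOwnPropertyDescriptors", (o) => Object.keys(Object.getOwnPropertyDescriptors(o))],
  ];
  const results = {};
  for (const [name, fn] of apis) {
    try {
      results[name] = fn(proxy);
    } catch (e) {
      results[name] = e.constructor.name;
    }
  }
  return results;
}

// A duplicate entry in the trap result is rejected at the [[OwnPropertyKeys]]
// level (ES2018+), so all three APIs report a TypeError.
function duplicatesAreRejected() {
  return enumerateThroughProxy(["a", "a"]);
}

// Unique keys pass through; each API then applies its own filtering:
// keys/getOwnPropertyDescriptors drop "b" (no descriptor on the target),
// getOwnPropertyNames keeps every string key the trap reported.
function uniqueKeysPassThrough() {
  return enumerateThroughProxy(["a", "b"]);
}
```

`duplicatesAreRejected()` yields `"TypeError"` for all three APIs; `uniqueKeysPassThrough()` yields `keys: ["a"]`, `getOwnPropertyNames: ["a", "b"]`, `getOwnPropertyDescriptors: ["a"]`.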
2016-03-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clean up Math.floor thunk and use SSE round instruction
        https://bugs.webkit.org/show_bug.cgi?id=155705

        Reviewed by Geoffrey Garen.

        SSE now allows us to use the round instruction to implement Math.floor.
        MacroAssembler's floorDouble is now only used in ARM64, but it can be allowed in x86 SSE.

        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):

2016-03-21  Konstantin Tokarev  <annulen@yandex.ru>

        Fixed compilation with GCC 4.8.
        https://bugs.webkit.org/show_bug.cgi?id=155698

        Reviewed by Alexey Proskuryakov.

        GCC 4.8 does not allow aggregate initialization for type with deleted
        constructor, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=52707.

        * dfg/DFGCSEPhase.cpp: Added ctor for ImpureDataSlot.

2016-03-21  Joonghun Park  <jh718.park@samsung.com>

        [JSC] Add ArrayBuffer::tryCreate and change the callsites where it is needed
        https://bugs.webkit.org/show_bug.cgi?id=155328

        Reviewed by Darin Adler.

        * API/JSTypedArray.cpp:
        (JSObjectMakeTypedArray):
        (JSObjectMakeArrayBufferWithBytesNoCopy):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::create):
        (JSC::ArrayBuffer::tryCreate):
        (JSC::ArrayBuffer::createUninitialized):
        (JSC::ArrayBuffer::tryCreateUninitialized):
        (JSC::ArrayBuffer::createInternal):
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::GenericTypedArrayView<Adaptor>::create):
        (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):

2016-03-20  Dan Bernstein  <mitz@apple.com>

        [Mac] Determine TARGET_MAC_OS_X_VERSION_MAJOR from MACOSX_DEPLOYMENT_TARGET rather than from MAC_OS_X_VERSION_MAJOR
        https://bugs.webkit.org/show_bug.cgi?id=155707
        <rdar://problem/24980691>

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig: Set TARGET_MAC_OS_X_VERSION_MAJOR based on the last
          component of MACOSX_DEPLOYMENT_TARGET.
        * Configurations/DebugRelease.xcconfig: For engineering builds, preserve the behavior of
          TARGET_MAC_OS_X_VERSION_MAJOR being the host’s OS version.

2016-03-20  Michael Saboff  <msaboff@apple.com>

        Crash in stress/regexp-matches-array-slow-put.js due to stomping on memory when having bad time
        https://bugs.webkit.org/show_bug.cgi?id=155679

        Reviewed by Saam Barati.

        Allocate out of line storage based on what the structure says it needs
        in JSArray::tryCreateUninitialized.

        * runtime/JSArray.h:
        (JSC::JSArray::tryCreateUninitialized):

2016-03-20  Joseph Pecoraro  <pecoraro@apple.com>

        Crash on DFG::WorkList thread in JSC::Heap::isCollecting for destroyed Web Worker
        https://bugs.webkit.org/show_bug.cgi?id=155678
        <rdar://problem/25251439>

        Reviewed by Filip Pizlo.

        This fixes a crash that we saw with GuardMalloc. If the Plan was
        Cancelled it may not be safe to access the VM. If the Plan was
        cancelled we are just going to bail anyways, so keep the ASSERT but
        short-circuit if the plan was Cancelled.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::runThread):

2016-03-20  Dan Bernstein  <mitz@apple.com>

        Update build settings

        Rubber-stamped by Andy Estes.

        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:

2016-03-19  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Update syntax error text 'super is only valid inside functions' to more suitable
        https://bugs.webkit.org/show_bug.cgi?id=155491

        Reviewed by Saam Barati.

        The current message 'super is only valid inside of functions' is not correct
        after the patch for https://bugs.webkit.org/show_bug.cgi?id=153864 because
        it is allowed to use 'super' in eval. The current patch replaces the old message with
        'Super is only valid inside functions or 'eval' inside a function' and
        fixes tests that rely on this message.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):
        * tests/stress/generator-with-super.js:
        (shouldThrow):
        * tests/stress/modules-syntax-error.js:
        * tests/stress/super-in-lexical-scope.js:
        * tests/stress/tagged-templates-syntax.js:

2016-03-19  Mark Lam  <mark.lam@apple.com>

        ES6 spec requires that ErrorPrototype not be an Error object.
        https://bugs.webkit.org/show_bug.cgi?id=155680

        Reviewed by Michael Saboff.

        The ES6 spec states that Error.prototype should not be an instance of Error:
        https://tc39.github.io/ecma262/#sec-properties-of-the-error-prototype-object

        "The Error prototype object is an ordinary object. It is not an Error instance
        and does not have an [[ErrorData]] internal slot."

        This patch changes ErrorPrototype to conform to the above specification.

        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        (JSC::ErrorPrototype::finishCreation):
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):

        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create):
        - updated to no longer need a JSGlobalObject argument.

        * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
        - updated to match the kangax version of this test.

2016-03-18  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Limit DFG's Validate symbols to its compilation unit
        https://bugs.webkit.org/show_bug.cgi?id=155670

        Reviewed by Filip Pizlo.

        * dfg/DFGValidate.cpp:

2016-03-18  Mark Lam  <mark.lam@apple.com>

        ES6 spec requires that RegExpPrototype not be a RegExp object.
        https://bugs.webkit.org/show_bug.cgi?id=155654

        Reviewed by Filip Pizlo.

        The ES6 spec states that RegExp.prototype should not be an instance of RegExp:
        https://tc39.github.io/ecma262/#sec-properties-of-the-regexp-prototype-object

        "The RegExp prototype object is an ordinary object. It is not a RegExp instance
        and does not have a [[RegExpMatcher]] internal slot or any of the other internal
        slots of RegExp instance objects."

        This patch changes RegExpPrototype to conform to the above specifications.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpConstructor::finishCreation):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        (JSC::RegExpPrototype::finishCreation):
        (JSC::RegExpPrototype::getOwnPropertySlot):
        (JSC::RegExpPrototype::visitChildren):
        (JSC::regExpProtoFuncTest):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::create):
        (JSC::RegExpPrototype::createStructure):
        (JSC::RegExpPrototype::emptyRegExp):

        * tests/es6.yaml:
        - This patch makes the es6/miscellaneous_built-in_prototypes_are_not_instances.js
          test now pass.  However, the kangax version of this test still fails because
          it also checks Error objects (which will be fixed in a subsequent patch).

        * tests/mozilla/ecma_2/shell.js:
        (stringify):
        (test):
        (getFailedCases):
        (err):
        * tests/stress/static-getter-in-names.js:
        (shouldBe):

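The "built-in prototypes are not instances" behaviour that this entry (RegExp.prototype) and the 2016-03-19 Error.prototype entry above bring JSC in line with, as one added example serving both; it is not code from the ChangeLog or from WebKit. It checks the observable consequences of the prototypes being ordinary objects: `instanceof` is false, `Object.prototype.toString` reports `[object Object]`, and the RegExp accessors and `exec` treat the prototype specially (the spec returns `"(?:)"` for `source`, `undefined` for the flag getters, and `exec` throws because there is no [[RegExpMatcher]]). The helper names are this example's own.

```javascript
// Added example (not WebKit code): checks that Error.prototype and
// RegExp.prototype are ordinary objects rather than Error / RegExp instances,
// as ES6 requires. Helper names are this example's own.

function classOf(value) {
  // Object.prototype.toString reports "[object Error]" / "[object RegExp]"
  // only for objects that carry the corresponding internal slot.
  return Object.prototype.toString.call(value);
}

function errorPrototypeShape() {
  const p = Error.prototype;
  return {
    isInstance: p instanceof Error,          // false: no [[ErrorData]]
    tag: classOf(p),                         // "[object Object]"
    // The ordinary object still carries the spec'd name/message data
    // properties, so Error.prototype.toString() works normally.
    toStringResult: p.toString(),            // "Error"
    realErrorTag: classOf(new Error("x")),   // "[object Error]"
  };
}

function regExpPrototypeShape() {
  const p = RegExp.prototype;
  let execError = null;
  try {
    // exec needs a [[RegExpMatcher]] slot; the prototype has none.
    p.exec("abc");
  } catch (e) {
    execError = e.constructor.name;
  }
  return {
    isInstance: p instanceof RegExp,   // false
    tag: classOf(p),                   // "[object Object]"
    // The accessors special-case the prototype object itself instead of
    // reading internal slots that do not exist.
    source: p.source,                  // "(?:)"
    globalFlag: p.global,              // undefined, not false
    execError,                         // "TypeError"
    realRegExpTag: classOf(/x/),       // "[object RegExp]"
  };
}
```

Both shape functions return false for `isInstance` and `"[object Object]"` for `tag`, while real instances keep their `[object Error]` / `[object RegExp]` tags.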
2016-03-18  Keith Miller  <keith_miller@apple.com>

        DataView should use an accessor for its length and buffer properties
        https://bugs.webkit.org/show_bug.cgi?id=155625

        Reviewed by Michael Saboff.

        The DataView object should use an accessor on DataView.prototype for its
        byteLength, byteOffset, and buffer properties. This patch also moves the
        buffer property off the TypedArray object itself and onto the prototype
        along with the other accessors. Since the .buffer property is no longer on
        the object, JSArrayBufferView no longer needs to intercept accesses to
        properties. Finally, this patch also fixes the length property on all the
        existing DataView.prototype functions.

        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnPropertySlot): Deleted.
        (JSC::JSArrayBufferView::put): Deleted.
        (JSC::JSArrayBufferView::defineOwnProperty): Deleted.
        (JSC::JSArrayBufferView::deleteProperty): Deleted.
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames): Deleted.
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::jsBuffer):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::dataViewProtoGetterBuffer):
        (JSC::dataViewProtoGetterByteLength):
        (JSC::dataViewProtoGetterByteOffset):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoGetterFuncBuffer):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewProtoGetterFuncBuffer):
        (JSC::JSTypedArrayViewPrototype::finishCreation):

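The property layout this entry describes, as an added example that is not code from the ChangeLog or from WebKit: `buffer`, `byteLength` and `byteOffset` are getter-only accessors on `DataView.prototype` (and `buffer` on `%TypedArray%.prototype`), the view instances have no own properties for them, the getters brand-check their receiver, and the `length` of `getXxx`/`setXxx` is 1 and 2 respectively. The helper names are this example's own.

```javascript
// Added example (not WebKit code): where the byteLength/byteOffset/buffer
// properties of DataView and typed-array views live, and what that implies.
// Helper names are this example's own; the buffers are constructed.

// True when `name` is a getter-only accessor defined directly on `proto`.
function accessorOn(proto, name) {
  const d = Object.getOwnPropertyDescriptor(proto, name);
  return d !== undefined && typeof d.get === "function" && d.set === undefined;
}

function dataViewShape() {
  const view = new DataView(new ArrayBuffer(8), 2, 4);
  const typedArrayProto = Object.getPrototypeOf(Uint8Array.prototype); // %TypedArray%.prototype
  let wrongReceiver = null;
  try {
    // The getter checks that its receiver really is a DataView; a plain
    // object (or any other object that merely inherits from the prototype)
    // is rejected rather than read as if it had the internal slots.
    Object.getOwnPropertyDescriptor(DataView.prototype, "byteLength").get.call({});
  } catch (e) {
    wrongReceiver = e.constructor.name;
  }
  return {
    // The instance has no own properties at all ...
    ownKeys: Object.getOwnPropertyNames(view),
    // ... the three values come from accessors on DataView.prototype.
    protoAccessors: ["buffer", "byteLength", "byteOffset"]
      .every((n) => accessorOn(DataView.prototype, n)),
    byteLength: view.byteLength,                    // 4
    byteOffset: view.byteOffset,                    // 2
    bufferIsOriginal: view.buffer.byteLength === 8,
    wrongReceiver,                                  // "TypeError"
    // Typed arrays follow the same layout: buffer sits on
    // %TypedArray%.prototype, not on the view object.
    typedArrayOwnsBuffer: Object.prototype.hasOwnProperty.call(new Uint8Array(4), "buffer"),
    typedArrayProtoHasBuffer: accessorOn(typedArrayProto, "buffer"),
    // Function lengths: getXxx(byteOffset[, littleEndian]) is 1,
    // setXxx(byteOffset, value[, littleEndian]) is 2.
    getLength: DataView.prototype.getInt16.length,
    setLength: DataView.prototype.setInt16.length,
  };
}
```

Because the accessors live on the prototype and brand-check the receiver, a value read through `view.byteLength` can only come from the engine's own bookkeeping, never from a shadowing own property or from an object that merely inherits from `DataView.prototype`.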
2016-03-18  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed speculative cloop buildfix after r198364.

        * bytecode/SuperSampler.cpp:

2016-03-17  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Make CSE's ImpureData faster when dealing with large blocks
        https://bugs.webkit.org/show_bug.cgi?id=155594

        Reviewed by Filip Pizlo.

        In some tests with large blocks, the time spent in DFG's LocalCSE
        can be over 10% of the total compile time.
        In those cases, LocalCSE is completely dominated by handling large
        blocks.

        This patch addresses the most obvious hot spots in ImpureData's handling.

        Initially, most of the time was going into HashTable::rehash().
        The reason is that the buckets, <HeapLocation, LazyNode> pairs, are gigantic.
        The hash table would easily get into several kilobytes and the CPU
        was spending more time dealing with memory than anything.

        To solve that, I moved the pairs lazily to the heap. The table itself
        just contains the unique_ptr to those values. This makes the table
        reasonably small and the alloc/dealloc are paid for by the fast rehash().

        Once addImpure() was better, the next big bottleneck was clobber().
        For each clobber(), we need to go over the entire map and test each value.
        That loop was where most of the time was going.

        Most calls to clobber() come from two kinds: SideState and Stack.

        SideState is easy: it is never def'ed so we can always skip it.

        Stack is disjoint from Heap too so we can also put it separately.

        Splitting the map into 2 helped reduce the overhead. The maps are:
        -Stack
        -Heap

        Having Stack alone was not enough for many blocks. In some cases,
        you have a ton of SetLocal/GetLocal and having Stack separately
        makes no difference.

        To solve that, I split Stack in two: a map addressed by AbstractHeap
        + unique HeapLocation and a fallback map for everything else.
        Since most Stack are not TOP and are unique per AbstractHeap,
        I get O(1) clobber in most cases.

        I could achieve the same result with a custom hash structure.
        I don't think it is worth the effort, in most cases, m_fallbackStackMap
        has a size of zero or one.

        This patch introduces a lot of coupling between CSE and AbstractHeap.
        To reduce the risk of bugs, the old map is still maintained in debug
        and each step checks that the results are the same as the new implementation.

        A new validation step also verifies the strong assumptions made by CSE:
        -SideState and World are never def().
        -We never write HEAP TOP, we only write specific heap location.

        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGHeapLocation.h:
        * dfg/DFGLazyNode.h:
        (JSC::DFG::LazyNode::hash):

2016-03-17  Saam Barati  <sbarati@apple.com>

        Implement SmallPtrSet and integrate it into the Parser
        https://bugs.webkit.org/show_bug.cgi?id=155552

        Reviewed by Filip Pizlo.

        Using SmallPtrSet instead of HashSet really helps speed
        up the parser. What saves us most is not needing to always
        malloc/free memory in the HashSet.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::startSwitch):
        (JSC::Scope::endSwitch):
        (JSC::Scope::startLoop):
        (JSC::Scope::hasDeclaredParameter):
        (JSC::Scope::declareWrite):
        (JSC::Scope::declareParameter):
        (JSC::Scope::usedVariablesContains):
        (JSC::Scope::useVariable):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::getCapturedVars):
        (JSC::Scope::isValidStrictMode):
        (JSC::Scope::shadowsArguments):
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::Scope::setIsModule):
        (JSC::Parser::pushScope):
        (JSC::Scope::getUsedVariables): Deleted.

2016-03-17  Brian Burg  <bburg@apple.com>

        Web Inspector: protocol generator shouldn't generate enums for parameters with non-anonymous enum types
        https://bugs.webkit.org/show_bug.cgi?id=155610
        <rdar://problem/25229878>

        Reviewed by Joseph Pecoraro.

        If a command parameter has an anonymous enum type, the backend dispatcher generator
        makes a C++ enum for the parameter. However, if the parameter references a named enum
        type specified in a domain's 'type' section, then there's no need to generate an enum.

        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
        Add a missing check for the is_anonymous flag. Type references to named enums are resolved
        to the underlying aliased EnumType instead of an AliasedType, so we have to check the flag.

        Rebaseline tests.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:

2016-03-17  Filip Pizlo  <fpizlo@apple.com>

        Replace all of the various non-working and non-compiling sampling profiler hacks with a single super hack
        https://bugs.webkit.org/show_bug.cgi?id=155561

        Reviewed by Saam Barati.

        A VM needs some internal profiling hacks in addition to the profiler(s) that the user sees, because
        you can squeeze out more fidelity if you're willing to make some kind of deal with the devil. Prior
        to this change JSC had a bunch of these:

        - CodeBlock sampling profiler
        - Bytecode sampling profiler
        - Sampling flags
        - Sampling regions
        - Some other stuff

        I tried using these recently. They didn't even build. Initially I fixed that, but then I found that
        these profilers had some serious bugs that made them report bogus results - like underreporting the
        time spent in regions of code by more than 2x.

        Part of the problem here is that a profiler loses fidelity as it gains power. The more general it
        tries to be, the more code gets executed on the hot path for the profiler, which increasingly
        perturbs the results. I believe that's the reason for the underreporting - code ran sufficiently
        slower, and in a sufficiently different way when profiling, that the results were just wrong.

        This change attacks this problem directly by replacing all of the diverse profiling hacks with just
        one, which I call the SuperSampler. It consists of exactly one counter. When enabled, the sampler
        will periodically print (via dataLog()) the percentage of samples that saw a non-zero count. Because
        it's so simple, it gives better accuracy. This comes about in two ways:

        - It runs at a lower rate. That's fine since it's only checking one flag. You don't need a high rate
          for just one flag.

        - The fact that there is only *one* flag means that the user must choose a hypothesis about what is
          slow. This turns the problem of profiling into a hypothesis testing problem, which is an inherently
          less flaky kind of experiment to run.

        The SuperSampler is enabled with a runtime flag rather than a compile-time flag, so it's much less
        likely to break. That also means that you can enable it without rebuilding the universe. The old
        samplers all had ENABLE flags in Platform.h, which was rather unfortunate for compile times.

        SuperSampler supports both JIT and C++ users. C++ users should use SuperSamplerScope. The default
        idiom is to create one and pass "true" to it. You can disable a scope by passing "false" instead.
        This patch puts a bunch of scopes in places I care about. I think it's probably OK if people check in
        these deactivated scopes. That makes it convenient to retest things we've tested previously.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SamplingTool.cpp: Removed.
        * bytecode/SamplingTool.h: Removed.
        * bytecode/SuperSampler.cpp: Added.
        (JSC::initializeSuperSampler):
        (JSC::printSuperSamplerState):
        * bytecode/SuperSampler.h: Added.
        (JSC::SuperSamplerScope::SuperSamplerScope):
        (JSC::SuperSamplerScope::~SuperSamplerScope):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * bytecompiler/NodesCodegen.cpp:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        (JSC::DFG::performArgumentsElimination):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::performBackwardsPropagation):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::performCFA):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::performCFGSimplification):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
        (JSC::DFG::performCPSRethreading):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::performLocalCSE):
        (JSC::DFG::performGlobalCSE):
        * dfg/DFGCleanUpPhase.cpp:
        (JSC::DFG::performCleanUp):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::performConstantFolding):
        * dfg/DFGConstantHoistingPhase.cpp:
        (JSC::DFG::performConstantHoisting):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::performCriticalEdgeBreaking):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::performDCE):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::performFixup):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dethread):
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::performIntegerCheckCombining):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        (JSC::DFG::performIntegerRangeOptimization):
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        (JSC::DFG::performInvalidationPointInjection):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::performLICM):
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::performLiveCatchVariablePreservationPhase):
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::performLivenessAnalysis):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::performLoopPreHeaderCreation):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::performMaximalFlushInsertion):
        * dfg/DFGMovHintRemovalPhase.cpp:
        (JSC::DFG::performMovHintRemoval):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::performOSRAvailabilityAnalysis):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::performOSREntrypointCreation):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::performObjectAllocationSinking):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhantomInsertionPhase.cpp:
        (JSC::DFG::performPhantomInsertion):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::performPredictionInjection):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::performPredictionPropagation):
        * dfg/DFGPutStackSinkingPhase.cpp:
        (JSC::DFG::performPutStackSinking):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::performSSAConversion):
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::performSSALowering):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::performStackLayout):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
        (JSC::DFG::performStaticExecutionCountEstimation):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        (JSC::DFG::performFastStoreBarrierInsertion):
        (JSC::DFG::performGlobalStoreBarrierInsertion):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::performStrengthReduction):
        * dfg/DFGStructureAbstractValue.cpp:
        (JSC::DFG::StructureAbstractValue::assertIsRegistered):
        (JSC::DFG::StructureAbstractValue::clobber):
        (JSC::DFG::StructureAbstractValue::observeTransition):
        (JSC::DFG::StructureAbstractValue::observeTransitions):
        (JSC::DFG::StructureAbstractValue::add):
        (JSC::DFG::StructureAbstractValue::merge):
        (JSC::DFG::StructureAbstractValue::mergeSlow):
        (JSC::DFG::StructureAbstractValue::mergeNotTop):
        (JSC::DFG::StructureAbstractValue::filter):
        (JSC::DFG::StructureAbstractValue::filterSlow):
        (JSC::DFG::StructureAbstractValue::contains):
        (JSC::DFG::StructureAbstractValue::isSubsetOf):
        (JSC::DFG::StructureAbstractValue::isSupersetOf):
731         (JSC::DFG::StructureAbstractValue::overlaps):
732         (JSC::DFG::StructureAbstractValue::equalsSlow):
733         * dfg/DFGStructureRegistrationPhase.cpp:
734         (JSC::DFG::performStructureRegistration):
735         * dfg/DFGTierUpCheckInjectionPhase.cpp:
736         (JSC::DFG::performTierUpCheckInjection):
737         * dfg/DFGTypeCheckHoistingPhase.cpp:
738         (JSC::DFG::performTypeCheckHoisting):
739         * dfg/DFGUnificationPhase.cpp:
740         (JSC::DFG::performUnification):
741         * dfg/DFGVarargsForwardingPhase.cpp:
742         (JSC::DFG::performVarargsForwarding):
743         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
744         (JSC::DFG::performVirtualRegisterAllocation):
745         * dfg/DFGWatchpointCollectionPhase.cpp:
746         (JSC::DFG::performWatchpointCollection):
747         * dynbench.cpp:
748         * ftl/FTLLowerDFGToB3.cpp:
749         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
750         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
751         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
752         (JSC::FTL::DFG::LowerDFGToB3::compileGetRegExpObjectLastIndex):
753         * ftl/FTLOSRExitCompiler.cpp:
754         (JSC::FTL::compileFTLOSRExit):
755         * ftl/FTLOutput.cpp:
756         (JSC::FTL::Output::store):
757         (JSC::FTL::Output::absolute):
758         (JSC::FTL::Output::incrementSuperSamplerCount):
759         (JSC::FTL::Output::decrementSuperSamplerCount):
760         * ftl/FTLOutput.h:
761         (JSC::FTL::Output::baseIndex):
762         (JSC::FTL::Output::load8SignExt32):
763         (JSC::FTL::Output::load8ZeroExt32):
764         (JSC::FTL::Output::anchor):
765         (JSC::FTL::Output::absolute): Deleted.
766         * heap/Heap.cpp:
767         (JSC::Heap::markRoots):
768         (JSC::Heap::collectAndSweep):
769         (JSC::Heap::collectImpl):
770         (JSC::Heap::zombifyDeadObjects):
771         * heap/MarkedBlock.cpp:
772         (JSC::MarkedBlock::specializedSweep):
773         * interpreter/Interpreter.cpp:
774         (JSC::setupVarargsFrameAndSetThis):
775         (JSC::Interpreter::Interpreter):
776         (JSC::Interpreter::initialize):
777         (JSC::checkedReturn):
778         (JSC::Interpreter::execute):
779         (JSC::Interpreter::executeCall):
780         (JSC::Interpreter::executeConstruct):
781         (JSC::Interpreter::debug):
782         (JSC::SamplingScope::SamplingScope): Deleted.
783         (JSC::SamplingScope::~SamplingScope): Deleted.
784         (JSC::Interpreter::enableSampler): Deleted.
785         (JSC::Interpreter::dumpSampleData): Deleted.
786         (JSC::Interpreter::startSampling): Deleted.
787         (JSC::Interpreter::stopSampling): Deleted.
788         * interpreter/Interpreter.h:
789         (JSC::Interpreter::isCallBytecode):
790         (JSC::Interpreter::sampler): Deleted.
791         * jit/AssemblyHelpers.cpp:
792         (JSC::AssemblyHelpers::branchIfNotFastTypedArray):
793         (JSC::AssemblyHelpers::incrementSuperSamplerCount):
794         (JSC::AssemblyHelpers::decrementSuperSamplerCount):
795         (JSC::AssemblyHelpers::purifyNaN):
796         * jit/AssemblyHelpers.h:
797         * jit/JIT.cpp:
798         * jit/JIT.h:
799         * jit/JITArithmetic.cpp:
800         * jit/JITArithmetic32_64.cpp:
801         * jit/JITCall.cpp:
802         * jit/JITCall32_64.cpp:
803         * jit/JITOperations.cpp:
804         * jit/JITPropertyAccess.cpp:
805         * jit/JITPropertyAccess32_64.cpp:
806         * jsc.cpp:
807         (runWithScripts):
808         (jscmain):
809         * parser/Nodes.cpp:
810         * parser/Parser.h:
811         (JSC::parse):
812         * runtime/Executable.h:
813         * runtime/InitializeThreading.cpp:
814         (JSC::initializeThreading):
815         * runtime/Options.h:
816         * runtime/RegExpCachedResult.h:
817         * runtime/RegExpMatchesArray.h:
818         (JSC::createRegExpMatchesArray):
819         * runtime/StringPrototype.cpp:
820         (JSC::removeUsingRegExpSearch):
821         (JSC::stringProtoFuncSubstring):
822         * runtime/VM.cpp:
823         (JSC::VM::resetDateCache):
824         (JSC::VM::whenIdle):
825         (JSC::VM::deleteAllCode):
826         (JSC::VM::addSourceProviderCache):
827         (JSC::VM::startSampling): Deleted.
828         (JSC::VM::stopSampling): Deleted.
829         (JSC::VM::dumpSampleData): Deleted.
830         * runtime/VM.h:
831         (JSC::VM::regExpCache):
832         * testRegExp.cpp:
833         (runFromFiles):
834         * yarr/YarrInterpreter.cpp:
835         (JSC::Yarr::interpret):
836
837 2016-03-17  Saam Barati  <sbarati@apple.com>
838
839         [ES6] Make GetProperty(.) inside ArrayPrototype.cpp spec compatible.
840         https://bugs.webkit.org/show_bug.cgi?id=155575
841
842         Reviewed by Filip Pizlo and Mark Lam.
843
844         This patch makes various Array.prototype.(shift | unshift | splice)
845         spec compliant. Before, they were performing Get and HasProperty as one 
846         operation. Instead, they need to be performed as two distinct operations
847         when it would be observable.
848
849         * runtime/ArrayPrototype.cpp:
850         (JSC::getProperty):
851         * runtime/PropertySlot.h:
852         (JSC::PropertySlot::PropertySlot):
853         (JSC::PropertySlot::isCacheableValue):
854         (JSC::PropertySlot::isCacheableGetter):
855         (JSC::PropertySlot::isCacheableCustom):
856         (JSC::PropertySlot::setIsTaintedByProxy):
857         (JSC::PropertySlot::isTaintedByProxy):
858         (JSC::PropertySlot::internalMethodType):
859         (JSC::PropertySlot::getValue):
860         * runtime/ProxyObject.cpp:
861         (JSC::ProxyObject::getOwnPropertySlotCommon):
862         * tests/es6.yaml:
863         * tests/stress/proxy-array-prototype-methods.js: Added.
864         (assert):
865         (test):
866         (shallowEq):
867
868 2016-03-17  Mark Lam  <mark.lam@apple.com>
869
870         Make FunctionMode an enum class.
871         https://bugs.webkit.org/show_bug.cgi?id=155587
872
873         Reviewed by Saam Barati.
874
875         * bytecode/UnlinkedFunctionExecutable.cpp:
876         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
877         * parser/NodeConstructors.h:
878         (JSC::BaseFuncExprNode::BaseFuncExprNode):
879         (JSC::FuncExprNode::FuncExprNode):
880         (JSC::FuncDeclNode::FuncDeclNode):
881         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
882         (JSC::MethodDefinitionNode::MethodDefinitionNode):
883         * parser/ParserModes.h:
884         (JSC::functionNameIsInScope):
885
886 2016-03-17  Michael Saboff  <msaboff@apple.com>
887
888         [ES6] Getters and Setters should be prefixed appropriately
889         https://bugs.webkit.org/show_bug.cgi?id=155593
890
891         Reviewed by Mark Lam.
892
893         Changed the putDirectNativeIntrinsicGetter() to prepend "get " to the function name.
894
895         Updated places that had their own macro or hand constructed a getter function to use
896         the JSC_NATIVE_GETTER macro which will properly append "get ".
897
898         Prepended "get " and "set " to the __proto__ accessor created on the Object prototype.
899
900         When we create the Symbol.species getter, added an explicit function name of "get [Symbol.species]".
901
902         * inspector/JSInjectedScriptHostPrototype.cpp:
903         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
904         (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
905         * inspector/JSJavaScriptCallFramePrototype.cpp:
906         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
907         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
908         * runtime/JSGlobalObject.cpp:
909         (JSC::JSGlobalObject::init):
910         * runtime/JSObject.cpp:
911         (JSC::JSObject::putDirectNativeIntrinsicGetter):
912         * runtime/MapPrototype.cpp:
913         (JSC::MapPrototype::finishCreation):
914         (JSC::MapPrototype::getOwnPropertySlot):
915         * runtime/SetPrototype.cpp:
916         (JSC::SetPrototype::finishCreation):
917         (JSC::SetPrototype::getOwnPropertySlot):
918         * tests/stress/accessors-get-set-prefix.js: Added.
919         (tryGetOwnPropertyDescriptorGetName):
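The prefixes described above can only be observed by reading the accessor function back out of a property descriptor. The following is an added example, not code from the WebKit patch; accessorName() is a helper written for this illustration and the expected names follow the ES6 SetFunctionName rules for getters and setters.

```javascript
// Added example, not part of the WebKit patch: reads the `name` of accessor
// functions back through property descriptors, which is the only way to
// observe the "get " / "set " prefixes from script.

// Returns the name of the getter ("get") or setter ("set") stored for `key`
// on `obj`, or null when no such accessor exists. Helper written for this
// example only.
function accessorName(obj, key, kind) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  if (!desc || typeof desc[kind] !== "function") {
    return null;
  }
  return desc[kind].name;
}

// User-defined accessors in an object literal get the same prefixes.
function literalAccessorNames() {
  const o = {
    get size() { return 1; },
    set size(v) {}
  };
  return [accessorName(o, "size", "get"), accessorName(o, "size", "set")];
  // ["get size", "set size"]
}

// Built-in accessors mentioned in the entry: Object.prototype.__proto__,
// the Symbol.species getter on constructors, and the Map/Set size getters.
function builtinAccessorNames() {
  return {
    protoGet: accessorName(Object.prototype, "__proto__", "get"), // "get __proto__"
    protoSet: accessorName(Object.prototype, "__proto__", "set"), // "set __proto__"
    species: accessorName(Array, Symbol.species, "get"),          // "get [Symbol.species]"
    mapSize: accessorName(Map.prototype, "size", "get"),          // "get size"
    setSize: accessorName(Set.prototype, "size", "get"),          // "get size"
    dataOnly: accessorName({ plain: 1 }, "plain", "get")          // null: not an accessor
  };
}
```

A data property yields null from the helper rather than a misleading name, which is the case a test like tryGetOwnPropertyDescriptorGetName() also has to handle.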
920
921 2016-03-16  Mark Lam  <mark.lam@apple.com>
922
923         Method names should not appear in the lexical scope of the method's body.
924         https://bugs.webkit.org/show_bug.cgi?id=155568
925
926         Reviewed by Saam Barati.
927
928         Consider this scenario:
929
930             var f = "foo";
931             var result = ({
932                 f() {
933                     return f; // f should be the string "foo", not this method f.
934                 }
935             }).f();
936             result === "foo"; // Should be true.
937
938         The reason this is not currently working is because the parser does not yet
939         distinguish between FunctionExpressions and MethodDefinitions.  The ES6 spec
940         explicitly distinguishes between the 2, and we should do the same.
941         
942         This patch changes all methods (and getters and setters which are also methods)
943         to have a FunctionMode of MethodDefinition (instead of FunctionExpression).
944         functionNameIsInScope() is responsible for determining whether a function's name
945         should be in its scope or not.  It already returns false for any function
946         whose FunctionMode is not FunctionExpression.  Giving methods the MethodDefinition
947         FunctionMode gets us the correct behavior ES6 expects.
948
949         * bytecode/UnlinkedFunctionExecutable.cpp:
950         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
951         * bytecode/UnlinkedFunctionExecutable.h:
952         * bytecompiler/BytecodeGenerator.cpp:
953         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
954         (JSC::BytecodeGenerator::emitNewMethodDefinition):
955         * bytecompiler/BytecodeGenerator.h:
956         * bytecompiler/NodesCodegen.cpp:
957         (JSC::ArrowFuncExprNode::emitBytecode):
958         (JSC::MethodDefinitionNode::emitBytecode):
959         (JSC::YieldExprNode::emitBytecode):
960         * parser/ASTBuilder.h:
961         (JSC::ASTBuilder::createFunctionExpr):
962         (JSC::ASTBuilder::createMethodDefinition):
963         (JSC::ASTBuilder::createFunctionMetadata):
964         (JSC::ASTBuilder::createGetterOrSetterProperty):
965         (JSC::ASTBuilder::createArguments):
966         * parser/NodeConstructors.h:
967         (JSC::FunctionParameters::FunctionParameters):
968         (JSC::BaseFuncExprNode::BaseFuncExprNode):
969         (JSC::FuncExprNode::FuncExprNode):
970         (JSC::FuncDeclNode::FuncDeclNode):
971         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
972         (JSC::MethodDefinitionNode::MethodDefinitionNode):
973         (JSC::YieldExprNode::YieldExprNode):
974         * parser/Nodes.h:
975         (JSC::BaseFuncExprNode::metadata):
976         * parser/Parser.cpp:
977         (JSC::Parser<LexerType>::parseClass):
978         (JSC::Parser<LexerType>::parsePropertyMethod):
979         * parser/ParserModes.h:
980         * parser/SyntaxChecker.h:
981         (JSC::SyntaxChecker::createFunctionExpr):
982         (JSC::SyntaxChecker::createFunctionMetadata):
983         (JSC::SyntaxChecker::createArrowFunctionExpr):
984         (JSC::SyntaxChecker::createMethodDefinition):
985         (JSC::SyntaxChecker::setFunctionNameStart):
986         (JSC::SyntaxChecker::createArguments):
987         * tests/es6.yaml:
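The scoping rule this entry describes, as an added example that is not part of the WebKit patch: a method definition (including getters, setters and class methods) does not bind its own name inside its body, while a named function expression does. The function names below are chosen for this illustration only.

```javascript
// Added example, not part of the WebKit patch: which binding a method body
// sees when the method's own name shadows an outer variable.

// A method definition does not bind its own name inside its body, so `f`
// resolves to the outer variable.
function methodNameNotInScope() {
  var f = "foo";
  var result = ({
    f() {
      return f;
    }
  }).f();
  return result; // "foo"
}

// A named function expression, by contrast, does bind its name inside its
// body, so `g` is the function object itself.
function namedFunctionExpressionNameInScope() {
  var g = "bar";
  var result = ({
    g: function g() {
      return typeof g;
    }
  }).g();
  return result; // "function"
}

// Getters, setters and class methods are all method definitions and behave
// like the first case.
function accessorAndClassMethodNamesNotInScope() {
  var v = "outer";
  var o = {
    get v() { return v; }
  };
  var m = "outer-m";
  var s = "outer-s";
  class C {
    m() { return m; }
    static s() { return s; }
  }
  return [o.v, new C().m(), C.s()]; // ["outer", "outer-m", "outer-s"]
}
```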
988
989 2016-03-17  Yusuke Suzuki  <utatane.tea@gmail.com>
990
991         REGRESSION(r197380): Build fails with new GCC and Clang
992         https://bugs.webkit.org/show_bug.cgi?id=155044
993
994         Reviewed by Michael Catanzaro.
995
996         In C++, std math functions ceil and floor are overloaded for double and float.
997         Without explicit cast or function pointer assignment, compilers cannot
998         determine which function address is used in the given context.
999
1000         * b3/B3LowerMacrosAfterOptimizations.cpp:
1001
1002 2016-03-17  Skachkov Oleksandr  <gskachkov@gmail.com>
1003
1004         Invoking super()/super inside of the eval should not lead to SyntaxError
1005         https://bugs.webkit.org/show_bug.cgi?id=153864
1006
1007         Reviewed by Saam Barati.
1008
1009         Added support for invoking super/super() inside of eval within a class.
1010         Also supported are the cases where eval is invoked in a constructor or class method directly
1011         or via an arrow function. Access to new.target in eval is not part of this patch
1012         and will be implemented in https://bugs.webkit.org/show_bug.cgi?id=155545
1013
1014         * bytecompiler/BytecodeGenerator.cpp:
1015         (JSC::BytecodeGenerator::BytecodeGenerator):
1016         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1017         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
1018         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
1019         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
1020         (JSC::BytecodeGenerator::isSuperCallUsedInInnerArrowFunction):
1021         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1022         * interpreter/Interpreter.cpp:
1023         (JSC::eval):
1024         * parser/Parser.cpp:
1025         (JSC::Parser<LexerType>::Parser):
1026         (JSC::Parser<LexerType>::parseFunctionInfo):
1027         (JSC::Parser<LexerType>::parseMemberExpression):
1028         * parser/Parser.h:
1029         (JSC::Scope::Scope):
1030         (JSC::Scope::isEvalContext):
1031         (JSC::Scope::setIsEvalContext):
1032         (JSC::parse):
1033         * runtime/CodeCache.cpp:
1034         (JSC::CodeCache::getGlobalCodeBlock):
1035         * tests/stress/arrowfunction-lexical-bind-supercall-4.js:
1036         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1037         * tests/stress/class-syntax-super-in-eval.js: Added.
1038         * tests/stress/generator-with-super.js:
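The cases this entry enumerates, as an added example that is not part of the WebKit patch: super() and super.method() reached through a direct eval in a derived constructor, in a method, and through an arrow function inside a method, plus the case that must remain a SyntaxError. The class and function names are chosen for this illustration only.

```javascript
// Added example, not part of the WebKit patch: super() and super.method()
// reached through a direct eval inside a class, directly in the constructor
// or a method and through an arrow function.

class Base {
  constructor(tag) {
    this.tag = tag;
  }
  describe() {
    return "Base(" + this.tag + ")";
  }
}

class Derived extends Base {
  constructor() {
    // super() through direct eval in the derived constructor
    eval("super('from-eval')");
  }
  viaMethod() {
    // super property access through direct eval in a method
    return eval("super.describe()");
  }
  viaArrow() {
    // The arrow function inherits the method's `super` binding, and the
    // direct eval inside it sees that same binding.
    const f = () => eval("super.describe()");
    return f();
  }
}

function superInEvalResults() {
  const d = new Derived();
  return [d.tag, d.viaMethod(), d.viaArrow()];
  // ["from-eval", "Base(from-eval)", "Base(from-eval)"]
}

// Outside a class body, `super` in eval code is still an early SyntaxError;
// the relaxation only applies when the eval runs inside a method or
// constructor scope.
function superOutsideClassIsSyntaxError() {
  try {
    eval("super.describe()");
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```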
1039
1040 2016-03-15  Filip Pizlo  <fpizlo@apple.com>
1041
1042         ASSERTION FAILED: !edge->isPhantomAllocation() in regress/script-tests/sink-huge-activation.js.ftl-eager in debug mode
1043         https://bugs.webkit.org/show_bug.cgi?id=153805
1044
1045         Reviewed by Mark Lam.
1046
1047         The object allocation sinking phase uses InferredValue::isStillValid() in the opposite
1048         way from most clients: it will do an *extra* optimization if it returns false. The
1049         phase will first compute sink candidates and then it will compute materialization
1050         points. If something is a sink candidate then it is not a materialization point. A
1051         NewFunction node may appear as not being a sink candidate during the first pass, so it's
1052         not added to the set of things that will turn into PhantomNewFunction. But on the second
1053         pass where we add materializations, we check isStillValid() again. Now this may become
1054         false, so that second pass thinks that NewFunction is a sink candidate (even though it's
1055         not in the sink candidates set) and so is not a materialization point.
1056
1057         This manifests as the NewFunction referring to a PhantomCreateActivation or whatever.
1058
1059         The solution is to have the phase cache results of calls to isStillValid(). It's OK if
1060         we just remember the result of the first call and assume that it's not a sink candidate.
1061         That's the worst that can happen.
1062
1063         No new tests since this is a super hard race and sink-huge-activation seemed to already
1064         be catching it.
1065
1066         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1067
1068 2016-03-16  Saam Barati  <sbarati@apple.com>
1069
1070         [ES6] Make Array.prototype.reverse spec compatible.
1071         https://bugs.webkit.org/show_bug.cgi?id=155528
1072
1073         Reviewed by Michael Saboff.
1074
1075         This patch makes Array.prototype.reverse spec compatible.
1076         Before, we weren't performing a HasProperty of each index
1077         before performing a Get on that index.  We now do that on
1078         the slow path.
1079
1080         * runtime/ArrayPrototype.cpp:
1081         (JSC::arrayProtoFuncReverse):
1082         * tests/stress/array-reverse-proxy.js: Added.
1083         (assert):
1084         (test):
1085         (shallowCopy):
1086         (shallowEqual):
1087         (let.handler.get getSet):
1088         (test.let.handler.get getSet):
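Both this entry and the earlier one on Array.prototype.shift/unshift/splice are about the same observable ordering: HasProperty on an index must be a separate operation from the Get that follows it. A logging Proxy used as `this` makes those internal-method calls visible. This is an added example, not code from the WebKit patch or its tests; traceArrayMethod() and hasPrecedesGet() are helpers written for this illustration, and the sample array contents are constructed.

```javascript
// Added example, not part of the WebKit patch: a logging Proxy makes the
// internal-method calls of Array.prototype methods observable, so one can
// check that HasProperty (the `has` trap) and Get (the `get` trap) happen
// as two separate steps per index.

// Runs Array.prototype[method] with a traced proxy over a fresh copy of
// `initial` as `this`; returns the trap log, the return value and the final
// contents of the underlying array. Helper written for this example.
function traceArrayMethod(method, initial, ...args) {
  const trace = [];
  const target = initial.slice();
  const proxy = new Proxy(target, {
    has(t, key) {
      trace.push("has:" + String(key));
      return Reflect.has(t, key);
    },
    get(t, key, receiver) {
      trace.push("get:" + String(key));
      return Reflect.get(t, key, receiver);
    },
    set(t, key, value, receiver) {
      trace.push("set:" + String(key));
      return Reflect.set(t, key, value, receiver);
    },
    deleteProperty(t, key) {
      trace.push("delete:" + String(key));
      return Reflect.deleteProperty(t, key);
    }
  });
  const value = Array.prototype[method].apply(proxy, args);
  return { trace, value, result: target.slice() };
}

// True when the first HasProperty of `index` in the trace comes before the
// first Get of the same index, i.e. the two were performed as distinct steps
// in spec order.
function hasPrecedesGet(trace, index) {
  const hasAt = trace.indexOf("has:" + index);
  const getAt = trace.indexOf("get:" + index);
  return hasAt !== -1 && getAt !== -1 && hasAt < getAt;
}

// Constructed sample run: reverse over [1, 2, 3] reads length first, then
// for each pair does has/get on the lower index, has/get on the upper
// index, and two sets.
function reverseTrace() {
  return traceArrayMethod("reverse", [1, 2, 3]);
}
```

Note that shift's Get of index 0 is not preceded by a HasProperty (the spec reads the first element unconditionally), so the ordering check only applies to the indices that are moved.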
1089
1090 2016-03-16  Chris Dumez  <cdumez@apple.com>
1091
1092         Unreviewed, rolling out r198235, r198240, r198241, and
1093         r198252.
1094
1095         Causing crashes on ARM
1096
1097         Reverted changesets:
1098
1099         "Remove compile time define for SEPARATED_HEAP"
1100         https://bugs.webkit.org/show_bug.cgi?id=155508
1101         http://trac.webkit.org/changeset/198235
1102
1103         "Gardening: build fix after r198235."
1104         http://trac.webkit.org/changeset/198240
1105
1106         "Build fix."
1107         http://trac.webkit.org/changeset/198241
1108
1109         "Rename performJITMemcpy to something more inline with our
1110         normal webkit function names"
1111         https://bugs.webkit.org/show_bug.cgi?id=155525
1112         http://trac.webkit.org/changeset/198252
1113
1114 2016-03-16  Brian Burg <bburg@apple.com>
1115
1116         Unreviewed, rolling out r198257.
1117         https://bugs.webkit.org/show_bug.cgi?id=155553
1118
1119         This change is unnecessary, clients can instead compile the
1120         file with ARC enabled (Requested by brrian on #webkit).
1121
1122         Reverted changeset:
1123
1124         "REGRESSION(r198077): generated Objective-C protocol object
1125         getters leak their wrappers"
1126         https://bugs.webkit.org/show_bug.cgi?id=155523
1127         http://trac.webkit.org/changeset/198257
1128
1129 2016-03-16  Mark Lam  <mark.lam@apple.com>
1130
1131         Add support for setting Function.name from computed properties.
1132         https://bugs.webkit.org/show_bug.cgi?id=155437
1133
1134         Reviewed by Filip Pizlo.
1135
1136         In JS code, we can have initialization of computed properties with function and
1137         class objects e.g.
1138
1139             var o = {
1140                 [x]: function() {},
1141                 [y]: class {}
1142             }
1143
1144         The ES6 spec states that the function and class in the example above (being
1145         anonymous) should take on the value of x and y respectively as their names:
1146
1147             o[x].name; // should be the "stringified" value of x.
1148             o[y].name; // should be the "stringified" value of y.
1149
1150         To achieve this, we will now inject an op_set_function_name bytecode at property
1151         initialization sites if:
1152
1153         1. the property assigned value is a function or class, and
1154         2. the function and class is anonymous, and
1155         3. if property assigned value is a class, it doesn't have a static method
1156            that is statically named "name".
1157
1158         The op_set_function_name will result in JSFunction::setFunctionName() being
1159         called on the target function / class before it is assigned to the property.
1160         JSFunction::setFunctionName() will take care of:
1161
1162         1. computing the name to use from the value of the computed property name
1163            e.g. x and y in the example above.
1164
1165            If the computed property name is not a symbol, then the function / class name
1166            should be the toString() value of that computed property name.
1167
1168            If the computed property name is a symbol, then ...
1169            a. if the Symbol has a defined description (e.g. Symbol("foo")), then the
1170               function / class name should be "[<symbol description>]" e.g. "[foo]".
1171            b. if the Symbol has an undefined description (e.g. Symbol()), then the
1172               function / class name should be "".
1173
1174            Note: Symbol("") is not the same as Symbol().  The former has a defined
1175            description "", and hence, yields a function / class name of "[]".  The latter
1176            yields a function / class name of "".
1177
1178         2. reifying the lazy name property with this function / class name.
1179
1180         op_set_function_name is named after the SetFunctionName internal function
1181         in the ES6 spec that performs the above operation.
1182
1183         It is behaviorally correct to use op_set_function_name at every property
1184         initialization site with computed property names.  However, we choose to not
1185         emit the op_set_function_name bytecode when we already know that it will do
1186         nothing i.e. when the target function / class is proven to already have a name or
1187         name property.  This is done as an optimization to avoid unnecessary calls to
1188         JSFunction::setFunctionName().
1189
1190         Note: we could further check if the class has a static method with a computed
1191         name that is a constant string "name" and elide op_set_function_name there too.
1192         However, we don't bother because this should be rare.  JSFunction::setFunctionName()
1193         will still do the right thing.
1194
1195         * bytecode/BytecodeList.json:
1196         * bytecode/BytecodeUseDef.h:
1197         (JSC::computeUsesForBytecodeOffset):
1198         (JSC::computeDefsForBytecodeOffset):
1199         * bytecode/CodeBlock.cpp:
1200         (JSC::CodeBlock::dumpBytecode):
1201         * bytecompiler/BytecodeGenerator.cpp:
1202         (JSC::BytecodeGenerator::emitNewFunction):
1203         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
1204         (JSC::BytecodeGenerator::emitCall):
1205         * bytecompiler/BytecodeGenerator.h:
1206         * bytecompiler/NodesCodegen.cpp:
1207         (JSC::PropertyListNode::emitBytecode):
1208         (JSC::PropertyListNode::emitPutConstantProperty):
1209         * dfg/DFGAbstractInterpreterInlines.h:
1210         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1211         * dfg/DFGByteCodeParser.cpp:
1212         (JSC::DFG::ByteCodeParser::parseBlock):
1213         * dfg/DFGCapabilities.cpp:
1214         (JSC::DFG::capabilityLevel):
1215         * dfg/DFGClobberize.h:
1216         (JSC::DFG::clobberize):
1217         * dfg/DFGDoesGC.cpp:
1218         (JSC::DFG::doesGC):
1219         * dfg/DFGFixupPhase.cpp:
1220         (JSC::DFG::FixupPhase::fixupNode):
1221         * dfg/DFGNodeType.h:
1222         * dfg/DFGPredictionPropagationPhase.cpp:
1223         (JSC::DFG::PredictionPropagationPhase::propagate):
1224         * dfg/DFGSafeToExecute.h:
1225         (JSC::DFG::safeToExecute):
1226         * dfg/DFGSpeculativeJIT.cpp:
1227         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1228         (JSC::DFG::SpeculativeJIT::compileSetFunctionName):
1229         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
1230         * dfg/DFGSpeculativeJIT.h:
1231         (JSC::DFG::SpeculativeJIT::callOperation):
1232         * dfg/DFGSpeculativeJIT32_64.cpp:
1233         (JSC::DFG::SpeculativeJIT::compile):
1234         * dfg/DFGSpeculativeJIT64.cpp:
1235         (JSC::DFG::SpeculativeJIT::compile):
1236         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1237         * ftl/FTLCapabilities.cpp:
1238         (JSC::FTL::canCompile):
1239         * ftl/FTLLowerDFGToB3.cpp:
1240         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1241         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1242         (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName):
1243         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
1244         * jit/JIT.cpp:
1245         (JSC::JIT::privateCompileMainPass):
1246         * jit/JIT.h:
1247         * jit/JITInlines.h:
1248         (JSC::JIT::callOperation):
1249         * jit/JITOpcodes.cpp:
1250         (JSC::JIT::emit_op_to_primitive):
1251         (JSC::JIT::emit_op_set_function_name):
1252         (JSC::JIT::emit_op_strcat):
1253         * jit/JITOpcodes32_64.cpp:
1254         (JSC::JIT::emitSlow_op_to_primitive):
1255         (JSC::JIT::emit_op_set_function_name):
1256         (JSC::JIT::emit_op_strcat):
1257         * jit/JITOperations.cpp:
1258         * jit/JITOperations.h:
1259         * llint/LLIntSlowPaths.cpp:
1260         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1261         (JSC::LLInt::handleHostCall):
1262         * llint/LLIntSlowPaths.h:
1263         * llint/LowLevelInterpreter.asm:
1264         * parser/Nodes.cpp:
1265         (JSC::FunctionNode::finishParsing):
1266         (JSC::PropertyListNode::hasStaticallyNamedProperty):
1267         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1268         * parser/Nodes.h:
1269         * runtime/JSFunction.cpp:
1270         (JSC::getCalculatedDisplayName):
1271         (JSC::JSFunction::setFunctionName):
1272         (JSC::JSFunction::reifyLength):
1273         (JSC::JSFunction::reifyName):
1274         * runtime/JSFunction.h:
1275         * tests/es6.yaml:
1276         * tests/stress/computed-function-names.js: Added.
1277         (toKeyString):
1278         (toFuncName):
1279         (shouldBe):
1280         (return.propKey):
1281
1282 2016-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1283
1284         [ES6] Reflect.set with receiver
1285         https://bugs.webkit.org/show_bug.cgi?id=155294
1286
1287         Reviewed by Saam Barati.
1288
1289         This patch introduces the receiver parameter support for Reflect.set.
1290         Reflect.set can alter the receiver with arbitrary values.
1291         Each property descriptor uses the receiver in [[Set]].
1292
1293         1) In the accessor descriptor case, the receiver is used as |this| value for setter calls.
1294         2) In the data descriptor case, the actual property will be set onto the receiver objects.
1295
1296         The current put operation does not support the receiver that is different from the base object.
1297         In particular, (2) case is not supported.
1298         The naive implementation adds one more [[GetOwnProperty]] for the receiver per [[Set]] (9.1.9.1-4-c [1]), and it is unacceptable.
1299         To keep the fast path efficient, we fall back to the slow but generic implementation (ordinarySetSlow)
1300         only when the receiver is altered.
1301
1302         We need not change any JIT part, because the JS code cannot alter the receiver without Reflect.set.
1303         The property accesses generated by the JIT code always have a receiver that is the same as the base object.
1304         ProxyObject can alter the receiver, but this situation has no problem because ProxyObject disables Inline Caching.
1305         NOTE: Generating Inline Caching for JSProxy (that is used for the Window proxy) is already disabled before this change.
1306
1307         [1]: https://tc39.github.io/ecma262/#sec-ordinaryset
1308
1309         * jsc.cpp:
1310         (functionCreateProxy):
1311         * runtime/GenericArgumentsInlines.h:
1312         (JSC::GenericArguments<Type>::put):
1313         * runtime/JSArray.cpp:
1314         (JSC::JSArray::put):
1315         * runtime/JSArrayBuffer.cpp:
1316         (JSC::JSArrayBuffer::put):
1317         * runtime/JSArrayBufferView.cpp:
1318         (JSC::JSArrayBufferView::put):
1319         * runtime/JSCJSValue.h:
1320         * runtime/JSCJSValueInlines.h:
1321         (JSC::isThisValueAltered):
1322         * runtime/JSDataView.cpp:
1323         (JSC::JSDataView::put):
1324         * runtime/JSFunction.cpp:
1325         (JSC::JSFunction::put):
1326         * runtime/JSGenericTypedArrayViewInlines.h:
1327         (JSC::JSGenericTypedArrayView<Adaptor>::put):
1328         * runtime/JSGlobalObject.cpp:
1329         (JSC::JSGlobalObject::put):
1330         * runtime/JSObject.cpp:
1331         (JSC::ordinarySetSlow):
1332         (JSC::JSObject::putInlineSlow):
1333         * runtime/JSObject.h:
1334         * runtime/JSObjectInlines.h:
1335         (JSC::JSObject::putInline):
1336         * runtime/JSProxy.h:
1337         (JSC::JSProxy::createStructure):
1338         * runtime/Lookup.h:
1339         (JSC::putEntry):
1340         * runtime/PropertySlot.h:
1341         * runtime/ProxyObject.cpp:
1342         (JSC::ProxyObject::put):
1343         * runtime/PutPropertySlot.h:
1344         (JSC::PutPropertySlot::PutPropertySlot):
1345         (JSC::PutPropertySlot::isCacheablePut):
1346         (JSC::PutPropertySlot::isCacheableSetter):
1347         (JSC::PutPropertySlot::isCacheableCustom):
1348         (JSC::PutPropertySlot::isCustomAccessor):
1349         (JSC::PutPropertySlot::disableCaching):
1350         (JSC::PutPropertySlot::isCacheable):
1351         * runtime/ReflectObject.cpp:
1352         (JSC::reflectObjectSet):
1353         * runtime/RegExpObject.cpp:
1354         (JSC::RegExpObject::put):
1355         (JSC::reject): Deleted.
1356         * runtime/StringObject.cpp:
1357         (JSC::StringObject::put):
1358         * tests/es6.yaml:
1359         * tests/stress/ordinary-set-exceptions.js: Added.
1360         (shouldBe):
1361         (shouldThrow):
1362         (shouldThrow.set get var):
1363         * tests/stress/proxy-set.js:
1364         * tests/stress/reflect-set-proxy-set.js: Copied from Source/JavaScriptCore/tests/stress/proxy-set.js.
1365         (shouldBe):
1366         (unreachable):
1367         (assert):
1368         (throw.new.Error.let.handler.set 45):
1369         (throw.new.Error):
1370         (let.target.set x):
1371         (let.target.get x):
1372         (set let):
1373         * tests/stress/reflect-set-receiver-proxy-set.js: Added.
1374         (shouldBe):
1375         (unreachable):
1376         (assert):
1377         (let.handler.set 45):
1378         (catch):
1379         (let.target.set x):
1380         (let.target.get x):
1381         (set let):
1382         * tests/stress/reflect-set-with-global-proxy.js: Added.
1383         (shouldBe):
1384         (unreachable):
1385         (get shouldBe):
1386         (set shouldBe):
1387         (set test1):
1388         (set test2):
1389         (set test3):
1390         * tests/stress/reflect-set.js:
1391         (shouldThrow):
1392         (unreachable):
1393         (get shouldBe):
1394         (set shouldBe):
1395         (receiverTestIndexed):
1396         (set get Uint8Array):
1397         (receiverCase): Deleted.
1398         (proxyCase): Deleted.
1399         (stringObjectCase.set get shouldBe): Deleted.
1400         (regExpLastIndex): Deleted.
1401
1402 2016-03-15  Benjamin Poulain  <bpoulain@apple.com>
1403
1404         [JSC] Remove hint from SlowCaseEntry
1405         https://bugs.webkit.org/show_bug.cgi?id=155530
1406
1407         Reviewed by Alex Christensen.
1408
1409         * jit/JIT.h:
1410         (JSC::SlowCaseEntry::SlowCaseEntry):
1411
1412 2016-03-15  Brian Burg  <bburg@apple.com>
1413
1414         REGRESSION(r198077): generated Objective-C protocol object getters leak their wrappers
1415         https://bugs.webkit.org/show_bug.cgi?id=155523
1416         <rdar://problem/25181764>
1417
1418         Reviewed by Joseph Pecoraro.
1419
1420         Since the code may not be compiled with ARC, autorelease the returned wrapper.
1421
1422         * inspector/scripts/codegen/objc_generator.py:
1423         (ObjCGenerator.protocol_to_objc_expression_for_member):
1424         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1425         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1426
1427 2016-03-15  Benjamin Poulain  <bpoulain@apple.com>
1428
1429         [JSC] Help clang generate better code on arrayProtoFuncToString()
1430         https://bugs.webkit.org/show_bug.cgi?id=155512
1431
1432         Reviewed by Mark Lam.
1433
1434         3d-raytrace hits Array.toString() hard with small arrays.
1435         Half of the time is going into overhead around the StringJoiner.
1436         This patch makes the function shorter and the layout better.
1437
1438         * runtime/ArrayPrototype.cpp:
1439         (JSC::arrayProtoFuncToString):
1440         Add "UNLIKELY" on rare cases. Clang pushes that code to the tail.
1441
1442         Factor the code of jsMakeNontrivialString() so that the operation
1443         is not duplicated in the function.
1444
1445         * runtime/JSStringBuilder.h:
1446         (JSC::jsMakeNontrivialString):
1447         jsNontrivialString() supports r-value references.
1448         Move the result string into jsNontrivialString(); this removes
1449         the deref+destructor from the function.
1450
1451         * runtime/JSStringJoiner.cpp:
1452         (JSC::JSStringJoiner::~JSStringJoiner):
1453         The destructor is pretty large. No point in inlining it.
1454
1455         (JSC::joinStrings):
1456         * runtime/JSStringJoiner.h:
1457         (JSC::JSStringJoiner::JSStringJoiner):
1458         (JSC::JSStringJoiner::append):
1459         The calls were duplicated. That's unnecessary.
1460
1461         * runtime/NumericStrings.h:
1462         (JSC::NumericStrings::add):
1463         Return a reference in all cases.
1464         This removes a deref+destructor.
1465
1466 2016-03-15  Joseph Pecoraro  <pecoraro@apple.com>
1467
1468         Remove stale ArrayPrototype declarations
1469         https://bugs.webkit.org/show_bug.cgi?id=155520
1470
1471         Reviewed by Mark Lam.
1472
1473         * runtime/ArrayPrototype.cpp:
1474         The implementations went away when the methods were moved to builtins
1475         but the declarations were left behind.
1476
1477 2016-03-15  Oliver Hunt  <oliver@apple.com>
1478
1479         Rename performJITMemcpy to something more in line with our normal webkit function names
1480         https://bugs.webkit.org/show_bug.cgi?id=155525
1481
1482         Reviewed by Saam Barati.
1483
1484         Simple bulk search/replace with a better name.
1485
1486         * assembler/ARM64Assembler.h:
1487         (JSC::ARM64Assembler::fillNops):
1488         (JSC::ARM64Assembler::replaceWithJump):
1489         (JSC::ARM64Assembler::replaceWithLoad):
1490         (JSC::ARM64Assembler::replaceWithAddressComputation):
1491         (JSC::ARM64Assembler::setPointer):
1492         (JSC::ARM64Assembler::repatchInt32):
1493         (JSC::ARM64Assembler::repatchCompact):
1494         (JSC::ARM64Assembler::linkJumpOrCall):
1495         (JSC::ARM64Assembler::linkCompareAndBranch):
1496         (JSC::ARM64Assembler::linkConditionalBranch):
1497         (JSC::ARM64Assembler::linkTestAndBranch):
1498         * assembler/LinkBuffer.cpp:
1499         (JSC::LinkBuffer::copyCompactAndLinkCode):
1500         * jit/ExecutableAllocator.h:
1501         (JSC::writeToExecutableRegion):
1502         (JSC::performJITMemcpy): Deleted.
1503
1504 2016-03-15  Oliver Hunt  <oliver@apple.com>
1505
1506         Build fix.
1507
1508         * jit/ExecutableAllocatorFixedVMPool.cpp:
1509
1510 2016-03-15  Mark Lam  <mark.lam@apple.com>
1511
1512         Gardening: build fix after r198235.
1513
1514         Not Reviewed.
1515
1516         * jit/ExecutableAllocatorFixedVMPool.cpp:
1517         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1518
1519 2016-03-15  Oliver Hunt  <oliver@apple.com>
1520
1521         Remove compile time define for SEPARATED_HEAP
1522         https://bugs.webkit.org/show_bug.cgi?id=155508
1523
1524         Reviewed by Mark Lam.
1525
1526         This removes the compile time define for the SEPARATED_HEAP
1527         feature, and moves to a default-off runtime preference.
1528
1529         This happily also removes the need for world rebuilds while
1530         bringing it up on different platforms.
1531
1532         * Configurations/FeatureDefines.xcconfig:
1533         * assembler/LinkBuffer.cpp:
1534         (JSC::LinkBuffer::copyCompactAndLinkCode):
1535         * jit/ExecutableAllocator.h:
1536         (JSC::performJITMemcpy):
1537         * jit/ExecutableAllocatorFixedVMPool.cpp:
1538         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1539         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1540         (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
1541         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted.
1542         * runtime/Options.cpp:
1543         (JSC::recomputeDependentOptions):
1544         * runtime/Options.h:
1545
1546 2016-03-15  Commit Queue  <commit-queue@webkit.org>
1547
1548         Unreviewed, rolling out r198148.
1549         https://bugs.webkit.org/show_bug.cgi?id=155518
1550
1551         "Lets do this patch at a later time" (Requested by saamyjoon
1552         on #webkit).
1553
1554         Reverted changeset:
1555
1556         "[ES6] Disallow var assignments in for-in loops"
1557         https://bugs.webkit.org/show_bug.cgi?id=155451
1558         http://trac.webkit.org/changeset/198148
1559
1560 2016-03-15  Joseph Pecoraro  <pecoraro@apple.com>
1561
1562         REGRESSION: ASSERTION FAILED: !m_lastActiveBlock on js/function-apply.html
1563         https://bugs.webkit.org/show_bug.cgi?id=155411
1564         <rdar://problem/25134537>
1565
1566         Reviewed by Mark Lam.
1567
1568         * heap/Heap.cpp:
1569         (JSC::Heap::collectImpl):
1570         (JSC::Heap::didFinishCollection):
1571         During collection, allocators are stopped/reset. The HeapProfiler tasks
1572         were using HeapIterationScope (to satisfy MarkedSpace forEachCell API
1573         contracts) which was doing its own stop/resume of allocators. Doing a
1574         stop/resume in between the normal stop/reset of collection is unexpected.
1575
1576         Move this to didFinishCollection, alongside other heap iterations
1577         like zombies and immortal objects. Putting this after those tasks
1578         also means the heap snapshots will respect the zombies/immortal options
1579         when deciding if the cell is alive or not.
1580
1581 2016-03-15  Saam Barati  <sbarati@apple.com>
1582
1583         We should have different JSTypes for JSGlobalLexicalEnvironment and JSLexicalEnvironment and JSModuleEnvironment
1584         https://bugs.webkit.org/show_bug.cgi?id=152406
1585
1586         Reviewed by Mark Lam.
1587
1588         This makes testing for a JSGlobalLexicalEnvironment faster
1589         because we can just check the Cell's type instead of using
1590         jsDynamicCast. I also changed code that did jsDynamicCast<JSGlobalObject*>
1591         to use isGlobalObject() instead.
1592
1593         * interpreter/Interpreter.cpp:
1594         (JSC::Interpreter::execute):
1595         * jit/JITOperations.cpp:
1596         * llint/LLIntSlowPaths.cpp:
1597         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1598         * runtime/CommonSlowPaths.cpp:
1599         (JSC::SLOW_PATH_DECL):
1600         * runtime/CommonSlowPaths.h:
1601         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
1602         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
1603         * runtime/JSGlobalLexicalEnvironment.h:
1604         (JSC::JSGlobalLexicalEnvironment::createStructure):
1605         * runtime/JSLexicalEnvironment.h:
1606         (JSC::JSLexicalEnvironment::createStructure):
1607         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
1608         * runtime/JSModuleEnvironment.h:
1609         (JSC::JSModuleEnvironment::createStructure):
1610         (JSC::JSModuleEnvironment::offsetOfModuleRecord):
1611         * runtime/JSObject.h:
1612         (JSC::JSObject::isGlobalObject):
1613         (JSC::JSObject::isJSLexicalEnvironment):
1614         (JSC::JSObject::isGlobalLexicalEnvironment):
1615         (JSC::JSObject::isErrorInstance):
1616         * runtime/JSScope.cpp:
1617         (JSC::abstractAccess):
1618         (JSC::isUnscopable):
1619         (JSC::JSScope::resolve):
1620         (JSC::JSScope::collectVariablesUnderTDZ):
1621         (JSC::JSScope::isVarScope):
1622         (JSC::JSScope::isLexicalScope):
1623         (JSC::JSScope::isModuleScope):
1624         (JSC::JSScope::isCatchScope):
1625         (JSC::JSScope::isFunctionNameScopeObject):
1626         (JSC::JSScope::isNestedLexicalScope):
1627         (JSC::JSScope::constantScopeForCodeBlock):
1628         (JSC::isScopeType): Deleted.
1629         (JSC::JSScope::isGlobalLexicalEnvironment): Deleted.
1630         * runtime/JSScope.h:
1631         * runtime/JSType.h:
1632
1633 2016-03-15  Filip Pizlo  <fpizlo@apple.com>
1634
1635         Remove the Baker barrier from JSC
1636         https://bugs.webkit.org/show_bug.cgi?id=155479
1637
1638         Reviewed by Saam Barati.
1639
1640         It's been a while since I added a Baker barrier, but I never followed it up with an actual
1641         concurrent GC. While thinking about the GC, I became convinced that the right path forward
1642         is to do a non-copying concurrent GC. That is, remove the copied space and just use the
1643         marked space. The downside of using marked space cannot be more than the overhead of the
1644         Baker barrier, so concurrent non-copying GC is definitely better than copying
1645         non-concurrent GC. I also suspect that just plain non-copying non-concurrent GC is going to
1646         be fine also, so the path forward will probably be to first just remove CopiedSpace.
1647
1648         Anyway, for now this patch just removes the Baker barrier. It was a cute implementation but
1649         it just cost performance and I don't think we'll ever use it.
1650
1651         * CMakeLists.txt:
1652         * JavaScriptCore.xcodeproj/project.pbxproj:
1653         * bytecode/PolymorphicAccess.cpp:
1654         (JSC::AccessCase::generate):
1655         * dfg/DFGAbstractInterpreterInlines.h:
1656         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1657         * dfg/DFGArgumentsEliminationPhase.cpp:
1658         * dfg/DFGClobberize.h:
1659         (JSC::DFG::clobberize):
1660         * dfg/DFGCopyBarrierOptimizationPhase.cpp: Removed.
1661         * dfg/DFGCopyBarrierOptimizationPhase.h: Removed.
1662         * dfg/DFGDoesGC.cpp:
1663         (JSC::DFG::doesGC):
1664         * dfg/DFGFixupPhase.cpp:
1665         (JSC::DFG::FixupPhase::fixupNode):
1666         * dfg/DFGHeapLocation.cpp:
1667         (WTF::printInternal):
1668         * dfg/DFGHeapLocation.h:
1669         * dfg/DFGNodeType.h:
1670         * dfg/DFGOperations.cpp:
1671         * dfg/DFGOperations.h:
1672         * dfg/DFGPlan.cpp:
1673         (JSC::DFG::Plan::compileInThreadImpl):
1674         * dfg/DFGPredictionPropagationPhase.cpp:
1675         (JSC::DFG::PredictionPropagationPhase::propagate):
1676         * dfg/DFGSafeToExecute.h:
1677         (JSC::DFG::safeToExecute):
1678         * dfg/DFGSpeculativeJIT.cpp:
1679         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1680         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1681         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1682         * dfg/DFGSpeculativeJIT32_64.cpp:
1683         (JSC::DFG::SpeculativeJIT::compile):
1684         * dfg/DFGSpeculativeJIT64.cpp:
1685         (JSC::DFG::SpeculativeJIT::compile):
1686         * dfg/DFGTypeCheckHoistingPhase.cpp:
1687         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1688         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1689         * ftl/FTLCapabilities.cpp:
1690         (JSC::FTL::canCompile):
1691         * ftl/FTLLowerDFGToB3.cpp:
1692         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1693         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1694         (JSC::FTL::DFG::LowerDFGToB3::compileConstantStoragePointer):
1695         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1696         (JSC::FTL::DFG::LowerDFGToB3::compileCheckArray):
1697         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1698         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
1699         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
1700         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1701         (JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
1702         (JSC::FTL::DFG::LowerDFGToB3::getById):
1703         (JSC::FTL::DFG::LowerDFGToB3::isFastTypedArray):
1704         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterflyReadOnly): Deleted.
1705         (JSC::FTL::DFG::LowerDFGToB3::loadButterflyWithBarrier): Deleted.
1706         (JSC::FTL::DFG::LowerDFGToB3::loadVectorWithBarrier): Deleted.
1707         (JSC::FTL::DFG::LowerDFGToB3::copyBarrier): Deleted.
1708         (JSC::FTL::DFG::LowerDFGToB3::isInToSpace): Deleted.
1709         (JSC::FTL::DFG::LowerDFGToB3::loadButterflyReadOnly): Deleted.
1710         (JSC::FTL::DFG::LowerDFGToB3::loadVectorReadOnly): Deleted.
1711         (JSC::FTL::DFG::LowerDFGToB3::removeSpaceBits): Deleted.
1712         * heap/CopyBarrier.h:
1713         (JSC::CopyBarrierBase::CopyBarrierBase):
1714         (JSC::CopyBarrierBase::operator bool):
1715         (JSC::CopyBarrierBase::get):
1716         (JSC::CopyBarrierBase::clear):
1717         (JSC::CopyBarrierBase::setWithoutBarrier):
1718         (JSC::CopyBarrier::CopyBarrier):
1719         (JSC::CopyBarrier::get):
1720         (JSC::CopyBarrier::set):
1721         (JSC::CopyBarrier::setWithoutBarrier):
1722         (JSC::CopyBarrierBase::operator!): Deleted.
1723         (JSC::CopyBarrierBase::getWithoutBarrier): Deleted.
1724         (JSC::CopyBarrierBase::getPredicated): Deleted.
1725         (JSC::CopyBarrierBase::copyState): Deleted.
1726         (JSC::CopyBarrierBase::setCopyState): Deleted.
1727         (JSC::CopyBarrierBase::weakCASWithoutBarrier): Deleted.
1728         (JSC::CopyBarrier::getWithoutBarrier): Deleted.
1729         (JSC::CopyBarrier::getPredicated): Deleted.
1730         (JSC::CopyBarrier::weakCASWithoutBarrier): Deleted.
1731         * heap/Heap.cpp:
1732         (JSC::Heap::addToRememberedSet):
1733         (JSC::Heap::collectAndSweep):
1734         (JSC::Heap::copyBarrier): Deleted.
1735         * heap/Heap.h:
1736         (JSC::Heap::writeBarrierBuffer):
1737         * jit/AssemblyHelpers.cpp:
1738         (JSC::AssemblyHelpers::branchIfNotFastTypedArray):
1739         (JSC::AssemblyHelpers::purifyNaN):
1740         (JSC::AssemblyHelpers::loadTypedArrayVector): Deleted.
1741         * jit/AssemblyHelpers.h:
1742         (JSC::AssemblyHelpers::branchStructure):
1743         (JSC::AssemblyHelpers::addressForByteOffset):
1744         (JSC::AssemblyHelpers::branchIfToSpace): Deleted.
1745         (JSC::AssemblyHelpers::branchIfNotToSpace): Deleted.
1746         (JSC::AssemblyHelpers::removeSpaceBits): Deleted.
1747         * jit/JIT.cpp:
1748         (JSC::JIT::privateCompileMainPass):
1749         (JSC::JIT::privateCompile):
1750         * jit/JITOpcodes.cpp:
1751         (JSC::JIT::emitSlow_op_has_indexed_property):
1752         (JSC::JIT::emit_op_get_direct_pname):
1753         (JSC::JIT::emitSlow_op_get_direct_pname):
1754         * jit/JITOpcodes32_64.cpp:
1755         (JSC::JIT::emit_op_get_direct_pname):
1756         (JSC::JIT::emitSlow_op_get_direct_pname):
1757         * jit/JITPropertyAccess.cpp:
1758         (JSC::JIT::emitDoubleLoad):
1759         (JSC::JIT::emitContiguousLoad):
1760         (JSC::JIT::emitArrayStorageLoad):
1761         (JSC::JIT::emitSlow_op_get_by_val):
1762         (JSC::JIT::emitGenericContiguousPutByVal):
1763         (JSC::JIT::emitArrayStoragePutByVal):
1764         (JSC::JIT::emitSlow_op_put_by_val):
1765         (JSC::JIT::emit_op_get_from_scope):
1766         (JSC::JIT::emitSlow_op_get_from_scope):
1767         (JSC::JIT::emit_op_put_to_scope):
1768         (JSC::JIT::emitSlow_op_put_to_scope):
1769         (JSC::JIT::emitIntTypedArrayGetByVal):
1770         (JSC::JIT::emitFloatTypedArrayGetByVal):
1771         (JSC::JIT::emitIntTypedArrayPutByVal):
1772         (JSC::JIT::emitFloatTypedArrayPutByVal):
1773         * llint/LowLevelInterpreter.asm:
1774         * llint/LowLevelInterpreter64.asm:
1775         * runtime/DirectArguments.cpp:
1776         (JSC::DirectArguments::visitChildren):
1777         (JSC::DirectArguments::copyBackingStore):
1778         (JSC::DirectArguments::overrideArgument):
1779         (JSC::DirectArguments::copyToArguments):
1780         * runtime/DirectArguments.h:
1781         (JSC::DirectArguments::canAccessIndexQuickly):
1782         (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG):
1783         * runtime/JSArray.cpp:
1784         (JSC::JSArray::setLength):
1785         (JSC::JSArray::pop):
1786         (JSC::JSArray::push):
1787         (JSC::JSArray::fastSlice):
1788         (JSC::JSArray::fastConcatWith):
1789         (JSC::JSArray::shiftCountWithArrayStorage):
1790         (JSC::JSArray::shiftCountWithAnyIndexingType):
1791         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1792         (JSC::JSArray::fillArgList):
1793         (JSC::JSArray::copyToArguments):
1794         * runtime/JSArrayBufferView.cpp:
1795         (JSC::JSArrayBufferView::finalize):
1796         * runtime/JSArrayBufferView.h:
1797         (JSC::JSArrayBufferView::isNeutered):
1798         (JSC::JSArrayBufferView::vector):
1799         (JSC::JSArrayBufferView::length):
1800         * runtime/JSGenericTypedArrayViewInlines.h:
1801         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1802         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore):
1803         * runtime/JSObject.cpp:
1804         (JSC::JSObject::visitChildren):
1805         (JSC::JSObject::copyBackingStore):
1806         (JSC::JSObject::heapSnapshot):
1807         (JSC::JSObject::getOwnPropertySlotByIndex):
1808         (JSC::JSObject::putByIndex):
1809         (JSC::JSObject::enterDictionaryIndexingMode):
1810         (JSC::JSObject::createInitialIndexedStorage):
1811         (JSC::JSObject::createArrayStorage):
1812         (JSC::JSObject::convertUndecidedToInt32):
1813         (JSC::JSObject::convertUndecidedToDouble):
1814         (JSC::JSObject::convertUndecidedToContiguous):
1815         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1816         (JSC::JSObject::convertUndecidedToArrayStorage):
1817         (JSC::JSObject::convertInt32ToDouble):
1818         (JSC::JSObject::convertInt32ToContiguous):
1819         (JSC::JSObject::convertInt32ToArrayStorage):
1820         (JSC::JSObject::convertDoubleToContiguous):
1821         (JSC::JSObject::convertDoubleToArrayStorage):
1822         (JSC::JSObject::convertContiguousToArrayStorage):
1823         (JSC::JSObject::setIndexQuicklyToUndecided):
1824         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1825         (JSC::JSObject::deletePropertyByIndex):
1826         (JSC::JSObject::getOwnPropertyNames):
1827         (JSC::JSObject::putIndexedDescriptor):
1828         (JSC::JSObject::defineOwnIndexedProperty):
1829         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1830         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1831         (JSC::JSObject::getNewVectorLength):
1832         (JSC::JSObject::ensureLengthSlow):
1833         (JSC::JSObject::reallocateAndShrinkButterfly):
1834         (JSC::JSObject::growOutOfLineStorage):
1835         (JSC::getBoundSlotBaseFunctionForGetterSetter):
1836         (JSC::JSObject::getEnumerableLength):
1837         * runtime/JSObject.h:
1838         (JSC::JSObject::getArrayLength):
1839         (JSC::JSObject::getVectorLength):
1840         (JSC::JSObject::canGetIndexQuickly):
1841         (JSC::JSObject::getIndexQuickly):
1842         (JSC::JSObject::tryGetIndexQuickly):
1843         (JSC::JSObject::canSetIndexQuickly):
1844         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
1845         (JSC::JSObject::setIndexQuickly):
1846         (JSC::JSObject::initializeIndex):
1847         (JSC::JSObject::hasSparseMap):
1848         (JSC::JSObject::inSparseIndexingMode):
1849         (JSC::JSObject::inlineStorage):
1850         (JSC::JSObject::butterfly):
1851         (JSC::JSObject::outOfLineStorage):
1852         (JSC::JSObject::locationForOffset):
1853         (JSC::JSObject::ensureInt32):
1854         (JSC::JSObject::ensureDouble):
1855         (JSC::JSObject::ensureContiguous):
1856         (JSC::JSObject::ensureArrayStorage):
1857         (JSC::JSObject::arrayStorage):
1858         (JSC::JSObject::arrayStorageOrNull):
1859         (JSC::JSObject::ensureLength):
1860         (JSC::JSObject::putDirectWithoutTransition):
1861         * runtime/MapData.h:
1862         (JSC::JSIterator>::IteratorData::next):
1863         (JSC::JSIterator>::IteratorData::refreshCursor):
1864         * runtime/MapDataInlines.h:
1865         (JSC::JSIterator>::find):
1866         (JSC::JSIterator>::add):
1867         (JSC::JSIterator>::remove):
1868         (JSC::JSIterator>::replaceAndPackBackingStore):
1869         (JSC::JSIterator>::replaceBackingStore):
1870         (JSC::JSIterator>::ensureSpaceForAppend):
1871         (JSC::JSIterator>::visitChildren):
1872         (JSC::JSIterator>::copyBackingStore):
1873         * runtime/Options.h:
1874
1875 2016-03-15  Saam Barati  <sbarati@apple.com>
1876
1877         Destructuring parameters are evaluated in the wrong scope
1878         https://bugs.webkit.org/show_bug.cgi?id=155454
1879
1880         Reviewed by Geoffrey Garen.
1881
1882         This patch makes our engine compatible with how parameter
1883         lists are evaluated in ES6. A parameter list that contains
1884         a rest parameter, any destructuring patterns, or default parameter values
1885         is classified as being non-simple. Non-simple parameter lists
1886         must get their own scope to live in, and the variables in the
1887         scope are under TDZ. This means that functions evaluated in the
1888         parameter list don't have access to variables inside the function
1889         body. Also, non-simple parameter lists get the strict-mode arguments object.
1890
1891         * bytecompiler/BytecodeGenerator.cpp:
1892         (JSC::BytecodeGenerator::BytecodeGenerator):
1893         (JSC::BytecodeGenerator::~BytecodeGenerator):
1894         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1895         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1896         * bytecompiler/BytecodeGenerator.h:
1897         * parser/Nodes.h:
1898         (JSC::FunctionParameters::size):
1899         (JSC::FunctionParameters::at):
1900         (JSC::FunctionParameters::append):
1901         (JSC::FunctionParameters::hasDefaultParameterValues): Deleted.
1902         * tests/es6.yaml:
1903         * tests/stress/parameter-scoping.js: Added.
1904         (assert):
1905         (test):
1906         (test.foo):
1907         (test.):
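
An added example, in plain JavaScript rather than JSC internals, showing the observable behaviour this entry describes: a default-value closure resolves names in the parameter scope (so the body's variables are invisible to it), parameters of a non-simple list are under TDZ until initialized, and such functions get the unmapped (strict-mode style) arguments object. This is not code from this ChangeLog or from WebKit; the function names are constructed for illustration.

```javascript
// Added example (not WebKit code): observable ES6 semantics of non-simple parameter lists.
// Function names here are constructed for illustration.

const outer = "outer";

// A default-value expression is evaluated in the parameter scope. The arrow function
// created there closes over that scope, so the body's `var outer` is invisible to it.
function closureSeesParameterScope(getValue = () => outer) {
    var outer = "body";   // lives in the body's separate var scope
    return getValue();    // "outer", not "body"
}

// Parameters of a non-simple list are initialized left to right and are in TDZ
// before that, so reading `b` while computing `a`'s default throws.
function tdzOrder(a = b, b = 1) {
    return [a, b];
}

function callTdzOrder(supplyA) {
    try {
        return supplyA ? tdzOrder(7) : tdzOrder();
    } catch (e) {
        return e instanceof ReferenceError ? "ReferenceError" : e.name;
    }
}

// A simple parameter list in sloppy code gets a mapped arguments object: writing
// the parameter is visible through arguments[0]. A non-simple list gets the
// strict-mode (unmapped) object, so arguments[0] keeps the value passed in.
function mappedArguments(a) {
    a = 2;
    return arguments[0];   // 2 in sloppy mode
}

function unmappedArguments(a = 0) {
    a = 2;
    return arguments[0];   // 1 when called as unmappedArguments(1)
}
```

The mapped/unmapped contrast only shows up when `mappedArguments` is itself sloppy-mode code; inside a module or a "use strict" file both functions return the value passed in.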
1908
1909 2016-03-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1910
1911         [JSC] Don't reference the properties of @Reflect directly
1912         https://bugs.webkit.org/show_bug.cgi?id=155436
1913
1914         Reviewed by Geoffrey Garen.
1915
1916         Reflect.ownKeys and Reflect.getOwnPropertyDescriptor can be altered with user-crafted values.
1917         Instead of referencing them directly, let's reference them through private names.
1918
1919         * builtins/ObjectConstructor.js:
1920         (assign):
1921         * runtime/CommonIdentifiers.h:
1922         * runtime/ObjectConstructor.cpp:
1923         (JSC::ObjectConstructor::finishCreation): Deleted.
1924         * runtime/ReflectObject.cpp:
1925         (JSC::ReflectObject::finishCreation):
1926         * tests/stress/object-assign-correctness.js:
1927         (runTests.):
1928         (runTests.get let):
1929         (Reflect.ownKeys):
1930         (Reflect.getOwnPropertyDescriptor):
1931         (test.let.handler.switch.case.string_appeared_here.return.get enumerable): Deleted.
1932         (test.let.handler.getOwnPropertyDescriptor): Deleted.
1933         (test.let.handler.ownKeys): Deleted.
1934         (test.let.handler.get getProps): Deleted.
1935         (test.let.handler): Deleted.
1936         (test): Deleted.
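
An added example, written in plain JavaScript rather than JSC's builtins, of the hazard this entry fixes: a self-hosted builtin that reads Reflect.ownKeys and Reflect.getOwnPropertyDescriptor through the public global picks up whatever script has installed there, whereas one that captured the intrinsics at definition time (the user-land analogue of JSC's private names) does not. This is not code from this ChangeLog or from WebKit; the function and variable names are constructed for illustration.

```javascript
// Added example (not WebKit code): why a self-hosted builtin must not reach
// Reflect.ownKeys / Reflect.getOwnPropertyDescriptor through the public global.
// Names are constructed for illustration.

// Capture the intrinsics once, when the "builtin" is defined. This plays the role
// of JSC's private names: later edits to the global Reflect object cannot reach them.
const intrinsicOwnKeys = Reflect.ownKeys;
const intrinsicGetOwnPropertyDescriptor = Reflect.getOwnPropertyDescriptor;

// Object.assign-style copy of own enumerable properties, parameterised on the two
// reflection functions it uses.
function copyOwnEnumerable(target, source, keysOf, descriptorOf) {
    for (const key of keysOf(source)) {
        const desc = descriptorOf(source, key);
        if (desc !== undefined && desc.enumerable)
            target[key] = source[key];
    }
    return target;
}

// Fragile: re-reads Reflect.ownKeys and Reflect.getOwnPropertyDescriptor on every call.
function fragileAssign(target, source) {
    return copyOwnEnumerable(target, source, Reflect.ownKeys, Reflect.getOwnPropertyDescriptor);
}

// Hardened: uses the captured intrinsics, so script-level changes to Reflect are irrelevant.
function hardenedAssign(target, source) {
    return copyOwnEnumerable(target, source, intrinsicOwnKeys, intrinsicGetOwnPropertyDescriptor);
}

// Run both variants while Reflect.ownKeys has been replaced in this realm, then restore it.
function compareUnderPatchedReflect() {
    const source = { a: 1, b: 2 };   // constructed sample input
    const saved = Reflect.ownKeys;
    Reflect.ownKeys = () => [];      // reports no keys at all
    try {
        return {
            fragile: Object.keys(fragileAssign({}, source)),    // []
            hardened: Object.keys(hardenedAssign({}, source)),  // ["a", "b"]
        };
    } finally {
        Reflect.ownKeys = saved;
    }
}
```

The same reasoning applies to any builtin implemented in the language it serves: everything it depends on must be bound before user script runs, or the builtin's behaviour becomes a function of the page's global state.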
1937
1938 2016-03-14  Daniel Bates  <dabates@apple.com>
1939
1940         Web Inspector: Display Content Security Policy hash in details sidebar for script and style elements
1941         https://bugs.webkit.org/show_bug.cgi?id=155466
1942         <rdar://problem/25152480>
1943
1944         Reviewed by Joseph Pecoraro and Timothy Hatcher.
1945
1946         Add property contentSecurityPolicyHash to store the CSP hash for an HTML style element or an
1947         applicable HTML script element.
1948
1949         * inspector/protocol/DOM.json:
1950
1951 2016-03-14  Joonghun Park  <jh718.park@samsung.com>
1952
1953         Purge PassRefPtr from ArrayBuffer, ArchiveResource, Pasteboard, LegacyWebArchive and DataObjectGtk
1954         https://bugs.webkit.org/show_bug.cgi?id=150497
1955
1956         Reviewed by Darin Adler.
1957
1958         * runtime/ArrayBuffer.h:
1959         (JSC::ArrayBuffer::create):
1960         (JSC::ArrayBuffer::createAdopted):
1961         (JSC::ArrayBuffer::createFromBytes):
1962         (JSC::ArrayBuffer::createUninitialized):
1963         (JSC::ArrayBuffer::slice):
1964         (JSC::ArrayBuffer::sliceImpl):
1965
1966 2016-03-14  Benjamin Poulain  <bpoulain@apple.com>
1967
1968         Andy VanWagoner no longer has time to own Intl
1969
1970         * features.json:
1971         Andy is busy with other things.
1972
1973         Andy, thanks for your amazing work on Intl and your dedication
1974         to making things right.
1975
1976 2016-03-14  Julien Brianceau  <jbriance@cisco.com>
1977
1978         [mips] Fix unaligned access in LLINT.
1979         https://bugs.webkit.org/show_bug.cgi?id=153228
1980
1981         Address loads used with btbxx opcodes were wrongly converted to lw
1982         instruction instead of lbu, leading to unaligned access on mips
1983         platforms. This is not a bug as it's silently fixed up by the kernel,
1984         but it's more efficient to avoid unaligned accesses for mips.
1985
1986         Reviewed by Geoffrey Garen.
1987
1988         * offlineasm/mips.rb:
1989
1990 2016-03-14  Filip Pizlo  <fpizlo@apple.com>
1991
1992         REGRESSION(r194394): >2x slow-down on CDjs
1993         https://bugs.webkit.org/show_bug.cgi?id=155471
1994
1995         Unreviewed (rollout).
1996
1997         This revision changes localeCompare() so that it's *much* slower than before. It's
1998         understandable that sometimes things will get a tiny bit slower when implementing new
1999         language features, but more than 2x regression on a major benchmark is not OK.
2000
2001         This rolls out that change. We can reland it once we think about how to do it in a
2002         performant way.
2003
2004         * builtins/StringPrototype.js:
2005         (search):
2006         (localeCompare): Deleted.
2007         * runtime/StringPrototype.cpp:
2008         (JSC::StringPrototype::finishCreation):
2009
2010 2016-03-14  Mark Lam  <mark.lam@apple.com>
2011
2012         Need to distinguish between Symbol() and Symbol("").
2013         https://bugs.webkit.org/show_bug.cgi?id=155438
2014
2015         Reviewed by Saam Barati.
2016
2017         * runtime/PrivateName.h:
2018         (JSC::PrivateName::PrivateName):
2019
2020 2016-03-14  Oliver Hunt  <oliver@apple.com>
2021
2022         Temporarily disable the separated heap.
2023         https://bugs.webkit.org/show_bug.cgi?id=155472
2024
2025         Reviewed by Geoffrey Garen.
2026
2027         Temporarily disable this.
2028
2029         * Configurations/FeatureDefines.xcconfig:
2030
2031 2016-03-14  Joseph Pecoraro  <pecoraro@apple.com>
2032
2033         Reduce generated JSON HeapSnapshot size
2034         https://bugs.webkit.org/show_bug.cgi?id=155460
2035
2036         Reviewed by Geoffrey Garen.
2037
2038         Adjust the HeapSnapshot JSON to better reduce its size.
2039         Changes include:
2040
2041           - avoid inner array groups and instead just have a large array for
2042             nodes/edges. This removes lots of small array allocations.
2043           - eliminate duplicate edges
2044           - avoid duplicating edge names by including them in their own table
2045           - now both the nodes and edges lists hold only integers
2046
2047         * heap/HeapSnapshotBuilder.cpp:
2048         (JSC::HeapSnapshotBuilder::json):
2049         Add some more documentation for the slightly modified format.
2050         While generating, clear data structures as early as possible.
2051
2052         * heap/HeapSnapshotBuilder.h:
2053         (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
2054         During JSON building, the edge's cell pointers are converted to the
2055         identifier they point to. This avoids having to re-lookup the identifier.
2056
2057         * tests/heapProfiler/driver/driver.js:
2058         (CheapHeapSnapshotEdge):
2059         (CheapHeapSnapshot):
2060         (CheapHeapSnapshot.prototype.edgeNameFromTableIndex):
2061         (HeapSnapshot):
2062         Update test driver for slightly different snapshot format.
2063
2064 2016-03-14  Keith Miller  <keith_miller@apple.com>
2065
2066         We should be able to eliminate cloned arguments objects that use the length property
2067         https://bugs.webkit.org/show_bug.cgi?id=155391
2068
2069         Reviewed by Geoffrey Garen.
2070
2071         Previously if a programmer tried to use arguments.length in a strict function we would not eliminate the
2072         arguments object. We were unable to eliminate the arguments object because the user would get a cloned arguments
2073         object, which does not special-case the length property. Thus, in order to get arguments elimination for cloned
2074         arguments we need to add a special case. There are two things that need to happen for the elimination to succeed.
2075
2076         First, we need to eliminate the CheckStructure blocking the GetByOffset for the length property. In order to
2077         eliminate the check structure we need to prove to the Abstract Interpreter that this structure check is
2078         unnecessary. This didn't occur before for two reasons: 1) CreateClonedArguments did not set the structure it
2079         produced. 2) Even if CreateClonedArguments provided the global object's cloned arguments structure we would
2080         transition the new arguments object when we added the length property during construction. To fix the second
2081         problem we now pre-assign a slot on clonedArgumentsStructure for the length property. Additionally, in order to
2082         prevent future transitions of the structure we need to choose an indexing type for the structure. Since not
2083         eliminating the arguments object is so expensive, we choose to have all cloned arguments start with the contiguous
2084         indexing type; this avoids transitioning when otherwise we would not have to. In the future we should be smarter
2085         about choosing the indexing type, but since it's relatively rare to have an arguments object escape we don't worry
2086         about this for now.
2087
2088         Additionally, this patch renames all former references of outOfBandArguments to clonedArguments and adds
2089         extra instrumentation to DFGArgumentsEliminationPhase.
2090
2091         * bytecode/BytecodeList.json:
2092         * bytecode/BytecodeUseDef.h:
2093         (JSC::computeUsesForBytecodeOffset):
2094         (JSC::computeDefsForBytecodeOffset):
2095         * bytecode/CodeBlock.cpp:
2096         (JSC::CodeBlock::dumpBytecode):
2097         * bytecode/ValueRecovery.h:
2098         (JSC::ValueRecovery::clonedArgumentsThatWereNotCreated):
2099         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated): Deleted.
2100         * bytecompiler/BytecodeGenerator.cpp:
2101         (JSC::BytecodeGenerator::BytecodeGenerator):
2102         * dfg/DFGAbstractInterpreterInlines.h:
2103         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2104         * dfg/DFGArgumentsEliminationPhase.cpp:
2105         * dfg/DFGByteCodeParser.cpp:
2106         (JSC::DFG::ByteCodeParser::parseBlock):
2107         * dfg/DFGCapabilities.cpp:
2108         (JSC::DFG::capabilityLevel):
2109         * dfg/DFGOperations.cpp:
2110         * dfg/DFGSpeculativeJIT.cpp:
2111         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
2112         * dfg/DFGStructureRegistrationPhase.cpp:
2113         (JSC::DFG::StructureRegistrationPhase::run):
2114         * dfg/DFGVariableEventStream.cpp:
2115         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2116         * ftl/FTLLowerDFGToB3.cpp:
2117         (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
2118         * ftl/FTLOperations.cpp:
2119         (JSC::FTL::operationMaterializeObjectInOSR):
2120         * jit/JIT.cpp:
2121         (JSC::JIT::privateCompileMainPass):
2122         * jit/JIT.h:
2123         * jit/JITOpcodes.cpp:
2124         (JSC::JIT::emit_op_create_cloned_arguments):
2125         (JSC::JIT::emit_op_create_out_of_band_arguments): Deleted.
2126         * llint/LowLevelInterpreter.asm:
2127         * runtime/ClonedArguments.cpp:
2128         (JSC::ClonedArguments::ClonedArguments):
2129         (JSC::ClonedArguments::createEmpty):
2130         (JSC::ClonedArguments::createWithInlineFrame):
2131         (JSC::ClonedArguments::createByCopyingFrom):
2132         (JSC::ClonedArguments::createStructure):
2133         * runtime/ClonedArguments.h:
2134         * runtime/JSGlobalObject.cpp:
2135         (JSC::JSGlobalObject::init):
2136         (JSC::JSGlobalObject::visitChildren):
2137         * runtime/JSGlobalObject.h:
2138         (JSC::JSGlobalObject::clonedArgumentsStructure):
2139         (JSC::JSGlobalObject::outOfBandArgumentsStructure): Deleted.
2140
2141 2016-03-14  Saam barati  <sbarati@apple.com>
2142
2143         [ES6] Make JSON.stringify ES6 compatible
2144         https://bugs.webkit.org/show_bug.cgi?id=155448
2145
2146         Reviewed by Sam Weinig and Mark Lam.
2147
2148         We weren't following the spec with respect to the "toJSON" property
2149         of the thing being stringified. We were performing hasProperty(.)
2150         on "toJSON" instead of get(.). This patch changes our
2151         implementation to perform get(value, "toJSON").
2152
2153         * runtime/JSCJSValue.h:
2154         * runtime/JSCJSValueInlines.h:
2155         (JSC::JSValue::isFunction):
2156         (JSC::JSValue::isCallable):
2157         * runtime/JSONObject.cpp:
2158         (JSC::Stringifier::toJSON):
2159         (JSC::Stringifier::toJSONImpl):
2160         (JSC::Stringifier::appendStringifiedValue):
2161         * tests/es6.yaml:
2162         * tests/stress/proxy-json.js:
2163         (test):
2164         (test.let.handler.get assert):
2165         (test.let.handler):
2166
2167 2016-03-14  Saam barati  <sbarati@apple.com>
2168
2169         [ES6] Disallow var assignments in for-in loops
2170         https://bugs.webkit.org/show_bug.cgi?id=155451
2171
2172         Reviewed by Mark Lam.
2173
2174         We're doing this in its own patch instead of the patch for https://bugs.webkit.org/show_bug.cgi?id=155384
2175         because last time we made this change it broke some websites. Let's try making
2176         it again because it's what ES6 mandates. If it still breaks things we will
2177         roll it out.
2178
2179         * parser/Parser.cpp:
2180         (JSC::Parser<LexerType>::parseForStatement):
2181
2182 2016-03-14  Saam barati  <sbarati@apple.com>
2183
2184         assignments in for-in/for-of header not allowed
2185         https://bugs.webkit.org/show_bug.cgi?id=155384
2186
2187         Reviewed by Darin Adler.
2188
2189         This patch prevents assignments to the loop variable
2190         in for in/of loops in all but one situation. The following
2191         syntax is still allowed even though the spec prevents it:
2192         ```
2193         for (var i = X in blah) ;
2194         ```
2195         If the loop contains let/const, destructuring, or is a for-of
2196         loop, we always throw a syntax error if there is an assignment.
2197         We can do this with full backwards compatibility.
2198         We only allow the above type of for-in loops because Oliver told
2199         me that when he tried to make such programs illegal he ran
2200         into real websites breaking.
2201
2202         This patch also removed the !::CreatesAST compile-time branch when checking
2203         assignments to new.target. This was a dangerous thing for me
2204         to introduce into our parser. There are times where ::CreatesAST
2205         is true but we also want to check for syntax errors. For example,
2206         when parsing the top-level AST of a program. Though this check
2207         was technically correct, it's dangerous to have. It was correct
2208         because we would always be reparsing the new.target assignment
2209         because new.target is only allowed inside a function. That made it
2210         so that (!::CreatesAST <=> we care about new.target assignment syntax errors).
2211         But, (!::CreatesAST <=> we care about syntax error X) is not true in general.
2212         I think it's safer to remove such code.
2213
2214         * parser/ASTBuilder.h:
2215         (JSC::ASTBuilder::createNewTargetExpr):
2216         (JSC::ASTBuilder::isNewTarget):
2217         (JSC::ASTBuilder::createResolve):
2218         * parser/Nodes.h:
2219         (JSC::ExpressionNode::isBoolean):
2220         (JSC::ExpressionNode::isSpreadExpression):
2221         (JSC::ExpressionNode::isSuperNode):
2222         (JSC::ExpressionNode::isNewTarget):
2223         (JSC::ExpressionNode::isBytecodeIntrinsicNode):
2224         * parser/Parser.cpp:
2225         (JSC::Parser<LexerType>::parseForStatement):
2226         (JSC::Parser<LexerType>::parseAssignmentExpression):
2227         (JSC::Parser<LexerType>::parseUnaryExpression):
2228
2229 2016-03-13  Joseph Pecoraro  <pecoraro@apple.com>
2230
2231         Remove ENABLE(ES6_TEMPLATE_LITERAL_SYNTAX) guards
2232         https://bugs.webkit.org/show_bug.cgi?id=155417
2233
2234         Reviewed by Yusuke Suzuki.
2235
2236         * Configurations/FeatureDefines.xcconfig:
2237         * parser/Parser.cpp:
2238         (JSC::Parser<LexerType>::parsePrimaryExpression): Deleted.
2239         (JSC::Parser<LexerType>::parseMemberExpression): Deleted.
2240
2241 2016-03-13  Konstantin Tokarev  <annulen@yandex.ru>
2242
2243         Added new port JSCOnly.
2244         https://bugs.webkit.org/show_bug.cgi?id=154512
2245
2246         Reviewed by Michael Catanzaro.
2247
2248         This port allows building the JavaScriptCore engine with minimal
2249         dependencies.
2250
2251         * PlatformJSCOnly.cmake: Added.
2252
2253 2016-03-12  Mark Lam  <mark.lam@apple.com>
2254
2255         http://kangax.github.io/compat-table/esnext/ crashes reliably.
2256         https://bugs.webkit.org/show_bug.cgi?id=155404
2257
2258         Reviewed by Yusuke Suzuki.
2259
2260         constructObjectFromPropertyDescriptor() was incorrectly assuming that either
2261         both getter and setter will be set or unset.  It did not consider that only one
2262         of the getter or setter may be set.  This patch fixes that.
2263
2264         * runtime/ObjectConstructor.h:
2265         (JSC::constructObjectFromPropertyDescriptor):
2266         * tests/stress/proxy-with-unbalanced-getter-setter.js: Added.
2267         (assert):
2268         (let.handler.defineProperty):
2269         (i.):
2270         (i.assert):
2271         (i.get assert):
2272         (set assert):
2273
2274 2016-03-12  Brian Burg  <bburg@apple.com>
2275
2276         When generating Objective-C protocol types, getters for objects need to synthesize a new object instance
2277         https://bugs.webkit.org/show_bug.cgi?id=155389
2278         <rdar://problem/25125821>
2279
2280         Reviewed by Timothy Hatcher.
2281
2282         Currently, in object property getters for Objective-C protocol types, we use
2283         a C-style cast of the member's RWIProtocolJSONObject * to the type of the property.
2284         However, at runtime the class of `self` is going to be RWIProtocolJSONObject *,
2285         not MemberType *, so any subsequent calls to MemberType properties on the return value
2286         will fail as the selectors will not be recognized.
2287
2288         Instead of doing a C-style pointer cast, we need to create a new MemberType object
2289         that's backed by the InspectorObject retrieved from the parent object by key.
2290         This requires a new initWithJSONObject initializer for each object protocol type.
2291
2292         * inspector/scripts/codegen/generate_objc_header.py:
2293         (ObjCHeaderGenerator._generate_type_interface): Add new declaration.
2294
2295         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2296         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
2297         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Added.
2298         Forward through to the superclass initializer, which assigns the underlying InspectorObject.
2299
2300         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
2301         Drive-by cleanup to use the more compact [super init] form.
2302
2303         * inspector/scripts/codegen/objc_generator.py:
2304         (ObjCGenerator.protocol_to_objc_expression_for_member):
2305         For property getters of objects, use initWithJSONObject: rather than a C-style cast.
2306
2307         Rebaseline relevant test results.
2308
2309         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2310         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2311         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2312         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2313         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2314         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2315         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2316
2317 2016-03-12  Konstantin Tokarev  <annulen@yandex.ru>
2318
2319         Removed variable names from default constructor declarations.
2320         https://bugs.webkit.org/show_bug.cgi?id=155397
2321
2322         Reviewed by Mark Lam.
2323
2324         They carry no information and generate unused variable warnings with GCC
2325         4.8 in a lot of source files.
2326
2327         * parser/VariableEnvironment.h:
2328
2329 2016-03-12  Myles C. Maxfield  <mmaxfield@apple.com>
2330
2331         Delete dead SVG Font code
2332         https://bugs.webkit.org/show_bug.cgi?id=154718
2333
2334         Reviewed by Antti Koivisto.
2335
2336         * Configurations/FeatureDefines.xcconfig:
2337
2338 2016-03-11  Benjamin Poulain  <bpoulain@apple.com>
2339
2340         [JSC] Remove a few jumps from DFG
2341         https://bugs.webkit.org/show_bug.cgi?id=155347
2342
2343         Reviewed by Mark Lam.
2344
2345         Usually, ValueTrue or ValueFalse is set
2346         by Compare+Or. There are 3 places in DFG with branches instead.
2347
2348         This patch changes them to the usual pattern.
2349
2350         * dfg/DFGSpeculativeJIT64.cpp:
2351         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2352         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2353
2354 2016-03-11  Saam barati  <sbarati@apple.com>
2355
2356         [ES6] Make Object.assign spec compliant
2357         https://bugs.webkit.org/show_bug.cgi?id=155375
2358
2359         Reviewed by Michael Saboff.
2360
2361         This is a straight forward implementation of Object.assign
2362         in the spec.
2363         https://tc39.github.io/ecma262/#sec-object.assign
2364         Before, we weren't performing all of the specified operations.
2365         Now, we are.
2366
2367         * builtins/ObjectConstructor.js:
2368         (assign):
2369         * runtime/CommonIdentifiers.h:
2370         * runtime/JSGlobalObject.cpp:
2371         (JSC::JSGlobalObject::init):
2372         * tests/es6.yaml:
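
As an added illustration (not JSC's builtins/ObjectConstructor.js), here is Object.assign spelled out step by step after the spec section linked above, with constructed inputs that exercise each rule; `toObject`, `specAssign`, `assignDemo` and `frozenTargetThrows` are names chosen here.

```javascript
// Added illustration, not JSC's builtins/ObjectConstructor.js: Object.assign
// written step by step after https://tc39.github.io/ecma262/#sec-object.assign.
// The sample objects below are constructed for this example.

function toObject(value) {
  // Step 1: ToObject(target) rejects null/undefined and boxes primitives.
  if (value === null || value === undefined) {
    throw new TypeError('Object.assign called on null or undefined');
  }
  return Object(value);
}

function specAssign(target, ...sources) {
  const to = toObject(target);
  for (const nextSource of sources) {
    // Step 4.a: null and undefined sources are skipped, not an error.
    if (nextSource === null || nextSource === undefined) continue;
    // ToObject(nextSource): a string source contributes its index properties.
    const from = Object(nextSource);
    // [[OwnPropertyKeys]]: integer keys ascending, then other strings in
    // insertion order, then symbols. Reflect.ownKeys gives exactly that.
    for (const key of Reflect.ownKeys(from)) {
      // [[GetOwnProperty]] first; only enumerable own properties are copied.
      const desc = Reflect.getOwnPropertyDescriptor(from, key);
      if (desc === undefined || !desc.enumerable) continue;
      // Get(from, key): source getters run here, one per key, in key order.
      const value = from[key];
      // Set(to, key, value, Throw=true): a rejected [[Set]] is a TypeError,
      // not a silent no-op as it would be for sloppy-mode assignment.
      if (!Reflect.set(to, key, value)) {
        throw new TypeError(`Cannot assign to read only property '${String(key)}'`);
      }
    }
  }
  return to;
}

// Runs specAssign on inputs that exercise each rule above and reports what
// happened, so the result can be compared with the built-in Object.assign.
function assignDemo() {
  const order = [];
  const src = {
    get b() { order.push('get b'); return 2; },   // insertion order: b before a
    get a() { order.push('get a'); return 1; },
    [Symbol.for('tag')]: 'sym',                   // symbol keys are copied too
  };
  src[5] = 'idx';                                 // integer key, enumerated first
  Object.defineProperty(src, 'hidden', { value: 'no', enumerable: false });

  const result = specAssign({}, null, src, undefined, 'xy');
  const seen = order.join(',');                   // getters ran once each, b then a
  const native = Object.assign({}, null, src, undefined, 'xy');
  return {
    result,
    order: seen,
    sameAsNative: JSON.stringify(result) === JSON.stringify(native),
  };
}

// A frozen target: the built-in throws a TypeError, and so must the spec version.
function frozenTargetThrows() {
  try {
    specAssign(Object.freeze({ a: 0 }), { a: 1 });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```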
2373
2374 2016-03-11  Mark Lam  <mark.lam@apple.com>
2375
2376         Implement Function.name and Function#toString for ES6 class.
2377         https://bugs.webkit.org/show_bug.cgi?id=155336
2378
2379         Reviewed by Geoffrey Garen.
2380
2381         The only thing that the ES6 spec says about toString with regards to class
2382         objects is:
2383
2384         "The string representation must have the syntax of a FunctionDeclaration,
2385         FunctionExpression, GeneratorDeclaration, GeneratorExpression, ClassDeclaration,
2386         ClassExpression, ArrowFunction, MethodDefinition, or GeneratorMethod depending
2387         upon the actual characteristics of the object."
2388
2389         Previously, invoking toString() on a class object would return the function
2390         source string of the class' constructor function.  This does not conform to the
2391         spec in that the toString string for a class does not have the syntax of a
2392         ClassDeclaration or ClassExpression.
2393
2394         This is now fixed by doing the following:
2395
2396         1. Added "m_classSource" to FunctionExecutable (and correspondingly to
2397            UnlinkedFunctionExecutable, FunctionMetadataNode, and ClassExprNode).
2398            m_classSource is the SourceCode for the code range "class ... { ... }".
2399
2400            Since the class constructor function is the in-memory representation of the
2401            class object, only class constructor functions will have their m_classSource
2402            set.  m_classSource will be "null" (by default) for all other functions.
2403            This is how we know if a FunctionExecutable is for a class.
2404
2405            Note: FunctionExecutable does not have its own m_classSource.  It always gets
2406            it from its UnlinkedFunctionExecutable.  This is ok to do because our CodeCache
2407            currently does not cache UnlinkedFunctionExecutables for class constructors.
2408
2409         2. The ClassExprNode now tracks the SourceCode range for the class expression.
2410            This is used to set m_classSource in the UnlinkedFunctionExecutable at
2411            bytecode generation time, and the FunctionExecutable later at bytecode
2412            linking time.
2413
2414         3. Function.prototype.toString() now checks if the function is for a class.
2415            If so, it returns the string for the class source instead of just the
2416            function source for the class constructor.
2417
2418            Note: the class source is static from the time the class was parsed.  This
2419            can introduce some weirdness at runtime.  Consider the following:
2420
2421                var v1 = class {}
2422                v1.toString(); // yields "class {}".
2423
2424                class c2 extends v1 {}
2425
2426                c2.__proto__ === v1; // yields true i.e. c2 extends v1.
2427                c2.toString(); // yields "class c2 extends v1 {}" which is fine.
2428
2429                v1 = {}; // point v1 to something else now.
2430
2431                c2.__proto__ === v1; // now yields false i.e. c2 no longer extends v1.
2432                                     // c2 actually extends the class that v1 used to
2433                                     // point to, but ...
2434                c2.toString(); // still yields "class c2 extends v1 {}" which is no longer true.
2435
2436            It is unclear how we can best implement toString() to avoid this issue.
2437            The above behavior is how Chrome (Version 51.0.2671.0 canary (64-bit))
2438            currently implements toString() of a class, and we do the same in this patch.
2439            In Firefox (45.0), toString() of a class will yield the function source of its
2440            constructor function, which is not better.
2441
2442         In this patch, we also added ES6 compliance for Function.name on class objects:
2443
2444         4. The ClassExprNode now has a m_ecmaName string for tracking the inferred
2445            name of a class according to the ES6 spec.  The ASTBuilder now mirrors its
2446            handling of FuncExprNodes to ClassExprNodes in setting the nodes' m_ecmaName
2447            where relevant.
2448
2449            The m_ecmaName is later used to set the m_ecmaName of the FunctionExecutable
2450            of the class constructor, which in turn is used to populate the initial value
2451            of the Function.name property.
2452
2453         5. Also renamed some variable names (/m_metadata/metadata/) to be consistent with
2454            webkit naming convention.
2455
2456         * bytecode/UnlinkedFunctionExecutable.cpp:
2457         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2458         * bytecode/UnlinkedFunctionExecutable.h:
2459         * bytecompiler/BytecodeGenerator.cpp:
2460         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
2461         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
2462         * bytecompiler/BytecodeGenerator.h:
2463         * bytecompiler/NodesCodegen.cpp:
2464         (JSC::ClassExprNode::emitBytecode):
2465         * parser/ASTBuilder.h:
2466         (JSC::ASTBuilder::createAssignResolve):
2467         (JSC::ASTBuilder::createYield):
2468         (JSC::ASTBuilder::createClassExpr):
2469         (JSC::ASTBuilder::createFunctionExpr):
2470         (JSC::ASTBuilder::createProperty):
2471         (JSC::ASTBuilder::makeAssignNode):
2472         * parser/NodeConstructors.h:
2473         (JSC::FunctionParameters::FunctionParameters):
2474         (JSC::BaseFuncExprNode::BaseFuncExprNode):
2475         (JSC::FuncExprNode::FuncExprNode):
2476         (JSC::FuncDeclNode::FuncDeclNode):
2477         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
2478         (JSC::ClassDeclNode::ClassDeclNode):
2479         (JSC::ClassExprNode::ClassExprNode):
2480         * parser/Nodes.h:
2481         (JSC::ExpressionNode::isDestructuringNode):
2482         (JSC::ExpressionNode::isFuncExprNode):
2483         (JSC::ExpressionNode::isArrowFuncExprNode):
2484         (JSC::ExpressionNode::isClassExprNode):
2485         (JSC::ExpressionNode::isCommaNode):
2486         (JSC::ExpressionNode::isSimpleArray):
2487         (JSC::ExpressionNode::isAdd):
2488         * parser/Parser.cpp:
2489         (JSC::stringForFunctionMode):
2490         (JSC::Parser<LexerType>::parseFunctionInfo):
2491         (JSC::Parser<LexerType>::parseClass):
2492         * parser/ParserFunctionInfo.h:
2493         * parser/SyntaxChecker.h:
2494         (JSC::SyntaxChecker::createEmptyLetExpression):
2495         (JSC::SyntaxChecker::createYield):
2496         (JSC::SyntaxChecker::createClassExpr):
2497         (JSC::SyntaxChecker::createFunctionExpr):
2498         (JSC::SyntaxChecker::createFunctionMetadata):
2499         (JSC::SyntaxChecker::createArrowFunctionExpr):
2500         * runtime/Executable.cpp:
2501         (JSC::FunctionExecutable::FunctionExecutable):
2502         (JSC::FunctionExecutable::finishCreation):
2503         * runtime/Executable.h:
2504         * runtime/FunctionPrototype.cpp:
2505         (JSC::functionProtoFuncToString):
2506         * tests/es6.yaml:
2507
2508 2016-03-11  Commit Queue  <commit-queue@webkit.org>
2509
2510         Unreviewed, rolling out r197994.
2511         https://bugs.webkit.org/show_bug.cgi?id=155368
2512
2513         Broke several ARM tests (Requested by msaboff on #webkit).
2514
2515         Reverted changeset:
2516
2517         "[JSC] Add register reuse for ArithAdd of an Int32 and
2518         constant in DFG"
2519         https://bugs.webkit.org/show_bug.cgi?id=155164
2520         http://trac.webkit.org/changeset/197994
2521
2522 2016-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2523
2524         [ES6] Implement Reflect.set without receiver support
2525         https://bugs.webkit.org/show_bug.cgi?id=155024
2526
2527         Reviewed by Geoffrey Garen.
2528
2529         This patch implements Reflect.set.
2530         The challenge in this patch is that Reflect.set requires the boolean result of [[Set]],
2531         which was not propagated in the previous JSC put implementation.
2532
2533         This patch changes the put and putByIndex signature from `void put(...)` and `void putByIndex(...)` to `bool put(...)` and `bool putByIndex(...)`,
2534         a style more consistent with the ECMA262 spec's [[Set]].
2535
2536         This patch modifies many parts of WebKit, but almost all of the changes are mechanical.
2537
2538         Currently, this patch does not support receiver modification.
2539         This will be supported in the subsequent patch[1].
2540
2541         [1]: https://bugs.webkit.org/show_bug.cgi?id=155294
2542
2543         * API/JSCallbackObject.h:
2544         * API/JSCallbackObjectFunctions.h:
2545         (JSC::JSCallbackObject<Parent>::put):
2546         (JSC::JSCallbackObject<Parent>::putByIndex):
2547         * debugger/DebuggerScope.cpp:
2548         (JSC::DebuggerScope::put):
2549         * debugger/DebuggerScope.h:
2550         * jsc.cpp:
2551         (WTF::RuntimeArray::put):
2552         * runtime/ClassInfo.h:
2553         * runtime/ClonedArguments.cpp:
2554         (JSC::ClonedArguments::put):
2555         * runtime/ClonedArguments.h:
2556         * runtime/CustomGetterSetter.cpp:
2557         (JSC::callCustomSetter):
2558         * runtime/CustomGetterSetter.h:
2559         * runtime/GenericArguments.h:
2560         * runtime/GenericArgumentsInlines.h:
2561         (JSC::GenericArguments<Type>::put):
2562         (JSC::GenericArguments<Type>::putByIndex):
2563         * runtime/GetterSetter.cpp:
2564         (JSC::callSetter):
2565         * runtime/GetterSetter.h:
2566         * runtime/JSArray.cpp:
2567         (JSC::JSArray::defineOwnProperty):
2568         (JSC::JSArray::put):
2569         (JSC::JSArray::push):
2570         * runtime/JSArray.h:
2571         * runtime/JSArrayBuffer.cpp:
2572         (JSC::JSArrayBuffer::put):
2573         * runtime/JSArrayBuffer.h:
2574         * runtime/JSArrayBufferView.cpp:
2575         (JSC::JSArrayBufferView::put):
2576         * runtime/JSArrayBufferView.h:
2577         * runtime/JSCJSValue.cpp:
2578         (JSC::JSValue::putToPrimitive):
2579         (JSC::JSValue::putToPrimitiveByIndex):
2580         * runtime/JSCJSValue.h:
2581         * runtime/JSCJSValueInlines.h:
2582         (JSC::JSValue::put):
2583         (JSC::JSValue::putInline):
2584         (JSC::JSValue::putByIndex):
2585         * runtime/JSCell.cpp:
2586         (JSC::JSCell::put):
2587         (JSC::JSCell::putByIndex):
2588         * runtime/JSCell.h:
2589         * runtime/JSDataView.cpp:
2590         (JSC::JSDataView::put):
2591         * runtime/JSDataView.h:
2592         * runtime/JSFunction.cpp:
2593         (JSC::JSFunction::put):
2594         (JSC::JSFunction::defineOwnProperty):
2595         * runtime/JSFunction.h:
2596         * runtime/JSGenericTypedArrayView.h:
2597         * runtime/JSGenericTypedArrayViewInlines.h:
2598         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2599         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
2600         * runtime/JSGlobalLexicalEnvironment.cpp:
2601         (JSC::JSGlobalLexicalEnvironment::put):
2602         * runtime/JSGlobalLexicalEnvironment.h:
2603         * runtime/JSGlobalObject.cpp:
2604         (JSC::JSGlobalObject::put):
2605         * runtime/JSGlobalObject.h:
2606         * runtime/JSLexicalEnvironment.cpp:
2607         (JSC::JSLexicalEnvironment::put):
2608         * runtime/JSLexicalEnvironment.h:
2609         * runtime/JSModuleEnvironment.cpp:
2610         (JSC::JSModuleEnvironment::put):
2611         * runtime/JSModuleEnvironment.h:
2612         * runtime/JSModuleNamespaceObject.cpp:
2613         (JSC::JSModuleNamespaceObject::put):
2614         (JSC::JSModuleNamespaceObject::putByIndex):
2615         * runtime/JSModuleNamespaceObject.h:
2616         * runtime/JSModuleRecord.cpp:
2617         (JSC::JSModuleRecord::instantiateDeclarations):
2618         * runtime/JSObject.cpp:
2619         (JSC::JSObject::put):
2620         (JSC::JSObject::putInlineSlow):
2621         (JSC::JSObject::putByIndex):
2622         (JSC::JSObject::putGetter):
2623         (JSC::JSObject::putSetter):
2624         (JSC::JSObject::putDirectAccessor):
2625         (JSC::JSObject::putDirectCustomAccessor):
2626         (JSC::JSObject::putDirectNonIndexAccessor):
2627         (JSC::JSObject::putIndexedDescriptor):
2628         (JSC::JSObject::defineOwnIndexedProperty):
2629         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
2630         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
2631         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2632         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2633         (JSC::JSObject::putByIndexBeyondVectorLength):
2634         (JSC::JSObject::putDirectNativeIntrinsicGetter):
2635         (JSC::JSObject::putDirectNativeFunction):
2636         (JSC::JSObject::putDirectMayBeIndex):
2637         (JSC::validateAndApplyPropertyDescriptor):
2638         * runtime/JSObject.h:
2639         (JSC::JSObject::putByIndexInline):
2640         (JSC::JSObject::putDirect):
2641         * runtime/JSObjectInlines.h:
2642         (JSC::JSObject::putInline):
2643         * runtime/JSProxy.cpp:
2644         (JSC::JSProxy::put):
2645         (JSC::JSProxy::putByIndex):
2646         * runtime/JSProxy.h:
2647         * runtime/JSSymbolTableObject.h:
2648         (JSC::symbolTablePut):
2649         (JSC::symbolTablePutTouchWatchpointSet):
2650         (JSC::symbolTablePutInvalidateWatchpointSet):
2651         (JSC::symbolTablePutWithAttributesTouchWatchpointSet):
2652         * runtime/Lookup.h:
2653         (JSC::putEntry):
2654         (JSC::lookupPut):
2655         * runtime/ProxyObject.cpp:
2656         (JSC::ProxyObject::performPut):
2657         (JSC::ProxyObject::put):
2658         (JSC::ProxyObject::putByIndexCommon):
2659         (JSC::ProxyObject::putByIndex):
2660         * runtime/ProxyObject.h:
2661         * runtime/PutPropertySlot.h:
2662         * runtime/ReflectObject.cpp:
2663         (JSC::reflectObjectSet):
2664         * runtime/RegExpConstructor.cpp:
2665         (JSC::setRegExpConstructorInput):
2666         (JSC::setRegExpConstructorMultiline):
2667         * runtime/RegExpObject.cpp:
2668         (JSC::RegExpObject::defineOwnProperty):
2669         (JSC::regExpObjectSetLastIndexStrict):
2670         (JSC::regExpObjectSetLastIndexNonStrict):
2671         (JSC::RegExpObject::put):
2672         * runtime/RegExpObject.h:
2673         * runtime/SparseArrayValueMap.cpp:
2674         (JSC::SparseArrayValueMap::putEntry):
2675         (JSC::SparseArrayEntry::put):
2676         * runtime/SparseArrayValueMap.h:
2677         * runtime/StringObject.cpp:
2678         (JSC::StringObject::put):
2679         (JSC::StringObject::putByIndex):
2680         * runtime/StringObject.h:
2681         * tests/es6.yaml:
2682         * tests/modules/namespace.js:
2683         * tests/stress/reflect-set.js: Added.
2684         (shouldBe):
2685         (shouldThrow):
2686         (receiverCase.object2.set Cocoa):
2687         (receiverCase):
2688         (proxyCase):
2689         (objectCase.set get shouldBe):
2690         (objectCase.get shouldBe):
2691         (arrayCase.set get shouldBe):
2692         (arrayCase.get shouldBe):
2693         (arrayBufferCase.set get shouldBe):
2694         (arrayBufferCase.get shouldBe):
2695         (set get shouldBe):
2696         (get shouldBe):
2697         (argumentCase.test1):
2698         (argumentCase.test2):
2699         (argumentCase.test3):
2700         (argumentCase.test4.set get shouldBe):
2701         (argumentCase.test5.get shouldBe):
2702         (argumentStrictCase.test1):
2703         (argumentStrictCase.test2):
2704         (argumentStrictCase.test3):
2705         (argumentStrictCase.test4.set get shouldBe):
2706         (argumentStrictCase.test5.get shouldBe):
2707         (stringObjectCase.set get shouldBe):
2708         (stringObjectCase.get shouldBe):
2709         (customSetter.test1):
2710         (customSetter.test2):
2711         (customSetter.test3):
2712         (customSetter):
2713         (regExpLastIndex):
2714         (functionCase.func):
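
As an added example (not code from the Reflect.set patch), the block below shows the boolean [[Set]] result that Reflect.set exposes for the cases where an ordinary assignment would fail silently or throw; `setOutcomes` and `assignmentOutcome` are names chosen here and the objects are constructed for the example.

```javascript
// Added example, not from the Reflect.set patch: each call below is one
// [[Set]] whose boolean outcome Reflect.set returns. Objects are constructed
// for this example.

function setOutcomes() {
  const frozen = Object.freeze({ x: 1 });
  const child = Object.create(frozen);                        // inherits non-writable x
  const getterOnly = { get g() { return 1; } };
  const vetoed = new Proxy({}, { set() { return false; } });  // trap refuses every put
  const withSetter = { set y(v) { this.doubled = v * 2; } };
  const plain = {};

  return {
    frozen: Reflect.set(frozen, 'x', 2),          // false: non-writable data property
    frozenStill: frozen.x,                        // 1: value untouched
    inherited: Reflect.set(child, 'x', 2),        // false: OrdinarySet walks to the
                                                  // prototype and finds x read-only
    getterOnly: Reflect.set(getterOnly, 'g', 2),  // false: accessor without a setter
    vetoed: Reflect.set(vetoed, 'k', 1),          // false: proxy set trap returned false
    plain: Reflect.set(plain, 'k', 1),            // true: data property created
    setter: Reflect.set(withSetter, 'y', 21),     // true: setter ran
    setterResult: withSetter.doubled,             // 42
  };
}

// The same failed put seen through assignment: silent in sloppy mode,
// TypeError in strict mode. Reflect.set reports it as a value instead.
function assignmentOutcome(strict) {
  const frozen = Object.freeze({ x: 1 });
  const assign = strict
    ? new Function('o', '"use strict"; o.x = 2; return o.x;')
    : new Function('o', 'o.x = 2; return o.x;');
  try {
    return { threw: false, value: assign(frozen) };
  } catch (e) {
    return { threw: e instanceof TypeError, value: frozen.x };
  }
}
```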
2715
2716 2016-03-10  Brian Burg  <bburg@apple.com>
2717
2718         Web Inspector: generated initWithPayload: protocol object initializers should recursively decode array and object members
2719         https://bugs.webkit.org/show_bug.cgi?id=155337
2720         <rdar://problem/25098357>
2721
2722         Reviewed by Timothy Hatcher.
2723
2724         In cases where an object member is itself an object or array, we were
2725         not calling initWithPayload: on the object member itself. So, this caused
2726         a runtime error when constructing the outer object because the generated
2727         code cast the NSDictionary/NSArray into the member's protocol object type.
2728
2729         * inspector/scripts/codegen/objc_generator.py:
2730         (ObjCGenerator.payload_to_objc_expression_for_member):
2731         Do a straightforward call to initWithPayload: for objects. For arrays,
2732         call a templated helper function which does the same thing. The helper
2733         is used to make this array decoding fit into a single generated expression.
2734
2735         Rebaseline relevant test results.
2736
2737         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2738         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2739         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2740
2741 2016-03-10  Keith Miller  <keith_miller@apple.com>
2742
2743         Unreviewed, fix Changelog. git merged poorly.
2744
2745 2016-03-10  Keith Miller  <keith_miller@apple.com>
2746
2747         Unreviewed, fix testapi.
2748
2749         * API/tests/TypedArrayCTest.cpp:
2750         (testAccess):
2751         (testConstructors):
2752         (forEachTypedArrayType):
2753         (testTypedArrayCAPI):
2754
2755 2016-03-10  Saam barati  <sbarati@apple.com>
2756
2757         [ES6] Make RegExp.prototype.toString spec compliant
2758         https://bugs.webkit.org/show_bug.cgi?id=155341
2759
2760         Reviewed by Filip Pizlo.
2761
2762         Before, we were directly calling into the flagsString
2763         function. Instead, we must get the "flags" property
2764         of the thisObject. This will usually call into the flags
2765         getter, but not always. Specifically, you can use a Proxy
2766         to observe this behavior.
2767
2768         * runtime/RegExpPrototype.cpp:
2769         (JSC::regExpProtoFuncToString):
2770         (JSC::regExpProtoGetterGlobal):
2771         * tests/es6.yaml:
2772         * tests/es6/Proxy_internal_get_calls_RegExp.prototype.toString.js: Added.
2773         (test.get var):
2774         (test.):
2775         * tests/stress/regexp-prototype-tostring.js: Added.
2776         (assert):
2777         (test):
2778         (test.get var):
2779         (test.):
2780         (let.handler.get switch):
2781         (let.handler):
2782         (get test):
2783         (test.get RegExp):
2784
2785 2016-03-10  Benjamin Poulain  <bpoulain@apple.com>
2786
2787         [JSC] Add register reuse for ArithAdd of an Int32 and constant in DFG
2788         https://bugs.webkit.org/show_bug.cgi?id=155164
2789
2790         Reviewed by Geoffrey Garen.
2791
2792         Every "inc" in a loop looked like this:
2793             move rX, rY
2794             inc rY
2795             jo 0x230f4a200580
2796
2797         This patch adds register reuse to that case to remove
2798         the extra "move".
2799
2800         * dfg/DFGOSRExit.h:
2801         (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
2802         (JSC::DFG::SpeculationRecovery::immediate):
2803         * dfg/DFGOSRExitCompiler32_64.cpp:
2804         (JSC::DFG::OSRExitCompiler::compileExit):
2805         * dfg/DFGOSRExitCompiler64.cpp:
2806         (JSC::DFG::OSRExitCompiler::compileExit):
2807         * dfg/DFGSpeculativeJIT.cpp:
2808         (JSC::DFG::SpeculativeJIT::compileArithAdd):
2809         * tests/stress/arith-add-with-constant-overflow.js: Added.
2810         (opaqueAdd):
2811
2812 2016-03-10  Keith Miller  <keith_miller@apple.com>
2813
2814         Unreviewed, build fix for r197983, hopefully.
2815
2816         * API/WebKitAvailability.h:
2817
2818 2016-03-10  Keith Miller  <keith_miller@apple.com>
2819
2820         Typed Arrays have no public facing API
2821         https://bugs.webkit.org/show_bug.cgi?id=120112
2822
2823         Reviewed by Geoffrey Garen.
2824
2825         This patch adds a new C-API (an Obj-C API will follow in the future) for Typed Arrays. The API has two sets of
2826         functions. One for Typed Arrays and another for Array Buffers. This API is intended to reflect the use of Typed
2827         Array objects in JS code. There is a method for each of the core TypedArray and Array Buffer methods.
2828         Originally, we were planning on using a separate non-JS object as the backing store instead of a JS Array Buffer
2829         but we decided to defer that idea since there was no good CF/NS API that met all the constraints we needed
2830         (Discussed further below). We also wanted to wait until Shared Array Buffers had reached a more finished state
2831         to see what impact they might have on an API.
2832
2833         The API has the following Typed Array construction methods:
2834         1) Create with length (the backing buffer is zero initialized). -- JSObjectMakeTypedArray
2835         2) Create with an existing pointer and a destructor. -- JSObjectMakeTypedArrayFromBytesNoCopy
2836         3) Create with an Array Buffer object. -- JSObjectMakeTypedArrayFromArrayBuffer
2837         4) Create with an Array Buffer object with a given offset and length. -- JSObjectMakeTypedArrayFromArrayBufferWithOffset
2838
2839         The API has the following functions on Typed Array JSObjectRefs:
2840         5) Get access to a temporary void* of the backing store's data. -- JSObjectGetTypedArrayBytesPtr
2841         6) Get the length of a Typed Array object (returns 0 if it is not a Typed Array object). -- JSObjectGetTypedArrayLength
2842         7) Get the byte length of a Typed Array object (returns 0 if it is not a Typed Array object). -- JSObjectGetTypedArrayByteLength
2843         8) Get the byte offset of a Typed Array object (returns 0 if it is not a Typed Array object). -- JSObjectGetTypedArrayByteOffset
2844         9) Get a Typed Array object's Array Buffer backing store. -- JSObjectGetTypedArrayBuffer
2845
2846         The API has the following Array Buffer construction method:
2847         10) Create with an existing pointer and a destructor. -- JSObjectMakeArrayBufferWithBytesNoCopy
2848
2849         The API has the following functions on Array Buffer JSObjectRefs:
2850         11) Get access to a temporary void* of the backing store's data. -- JSObjectGetArrayBufferBytesPtr
2851         12) Get the byte length of an Array Buffer object (returns 0 if it is not an Array Buffer object). -- JSObjectGetArrayBufferByteLength
2852
2853         The API adds the following new typedefs and enumerations:
2854         13) A typedef representing the function pointer type used to deallocate byte pointers provided to constructors. -- JSTypedArrayBytesDeallocator
2855         14) An enumeration indicating the Typed Array API type of a JSValueRef. -- JSTypedArrayType
2856
2857         Finally, the API has the following function to get Typed Array Types:
2858         15) Get the Typed Array type of a JS value. -- JSValueGetTypedArrayType
2859
2860         There are a couple of things to note about these functions. Calling JSObjectGetTypedArrayBytesPtr (5) or
2861         JSObjectGetArrayBufferBytesPtr (12) will pin and lock the ArrayBuffer's data for the remaining lifetime of that
2862         ArrayBuffer. This is because, currently, we do not have finalizers for our Array Buffers or Typed Arrays with a
2863         backing ArrayBuffer and adding one would likely incur a non-trivial cost to GC. Also, we do not have a direct
2864         way to make a Typed Array from a pointer with an offset as we do not expect using offsets to be a common use
2865         case of the API.
2866
2867         While it would have been nice to integrate our backing store with CFData or one of its subclasses, it is not
2868         possible to force a CFData/CFMutableData to be both writable and have a fixed size/backing store pointer.
2869         NSData is not writable and CFMutableData can have a fixed pointer if it is allocated with a non-zero capacity
2870         but there is no way for us to force an existing CFMutableData into this state.
2871
2872         * API/APIUtils.h: Copied from Source/JavaScriptCore/runtime/ArrayBuffer.cpp.
2873         (handleExceptionIfNeeded):
2874         (setException):
2875         * API/JSBase.h:
2876         * API/JSObjectRef.cpp:
2877         (handleExceptionIfNeeded): Deleted.
2878         * API/JSTypedArray.cpp: Added.
2879         (toJSTypedArrayType):
2880         (toTypedArrayType):
2881         (createTypedArray):
2882         (JSValueGetTypedArrayType):
2883         (JSObjectMakeTypedArray):
2884         (JSObjectMakeTypedArrayWithBytesNoCopy):
2885         (JSObjectMakeTypedArrayWithArrayBuffer):
2886         (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
2887         (JSObjectGetTypedArrayBytesPtr):
2888         (JSObjectGetTypedArrayLength):
2889         (JSObjectGetTypedArrayByteLength):
2890         (JSObjectGetTypedArrayByteOffset):
2891         (JSObjectGetTypedArrayBuffer):
2892         (JSObjectMakeArrayBufferWithBytesNoCopy):
2893         (JSObjectGetArrayBufferBytesPtr):
2894         (JSObjectGetArrayBufferByteLength):
2895         * API/JSTypedArray.h: Added.
2896         * API/JSValueRef.cpp:
2897         (handleExceptionIfNeeded): Deleted.
2898         * API/JSValueRef.h:
2899         * API/JavaScript.h:
2900         * API/WebKitAvailability.h:
2901         * API/tests/TypedArrayCTest.cpp: Added.
2902         (id):
2903         (freePtr):
2904         (assertEqualsAsNumber):
2905         (testAccess):
2906         (testConstructors):
2907         (forEachTypedArrayType):
2908         (testTypedArrayCAPI):
2909         * API/tests/TypedArrayCTest.h: Added.
2910         * API/tests/testapi.c:
2911         (main):
2912         * CMakeLists.txt:
2913         * ForwardingHeaders/JavaScriptCore/JSTypedArray.h: Added.
2914         * JavaScriptCore.xcodeproj/project.pbxproj:
2915         * PlatformEfl.cmake:
2916         * PlatformGTK.cmake:
2917         * runtime/ArrayBuffer.cpp:
2918         (JSC::ArrayBuffer::transfer):
2919         * runtime/ArrayBuffer.h:
2920         (JSC::arrayBufferDestructorNull):
2921         (JSC::arrayBufferDestructorDefault):
2922         (JSC::ArrayBufferContents::ArrayBufferContents):
2923         (JSC::ArrayBufferContents::transfer):
2924         (JSC::ArrayBuffer::createAdopted):
2925         (JSC::ArrayBuffer::createFromBytes):
2926         (JSC::ArrayBuffer::ArrayBuffer):
2927         (JSC::ArrayBuffer::pinAndLock):
2928         (JSC::ArrayBufferContents::tryAllocate):
2929         (JSC::ArrayBufferContents::~ArrayBufferContents):
2930         * shell/PlatformWin.cmake:
2931
2932 2016-03-10  Saam barati  <sbarati@apple.com>
2933
2934         [ES6] Instanceof isn't spec compliant when the RHS is a Proxy with a target that is a function
2935         https://bugs.webkit.org/show_bug.cgi?id=155329
2936
2937         Reviewed by Mark Lam.
2938
2939         We use type info flags on the structure to dictate whether or not 
2940         the RHS of an instanceof is a valid RHS (i.e., a function). The solution
2941         to make Proxy a valid RHS when the Proxy's target is callable is to have
2942         two different structures for ProxyObject: one for a non-callable target 
2943         and one for a callable target.
2944
2945         * runtime/JSGlobalObject.cpp:
2946         (JSC::JSGlobalObject::init):
2947         (JSC::JSGlobalObject::visitChildren):
2948         * runtime/JSGlobalObject.h:
2949         (JSC::JSGlobalObject::moduleRecordStructure):
2950         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
2951         (JSC::JSGlobalObject::proxyObjectStructure):
2952         (JSC::JSGlobalObject::callableProxyObjectStructure):
2953         (JSC::JSGlobalObject::proxyRevokeStructure):
2954         (JSC::JSGlobalObject::wasmModuleStructure):
2955         * runtime/ProxyConstructor.cpp:
2956         (JSC::makeRevocableProxy):
2957         (JSC::constructProxyObject):
2958         (JSC::ProxyConstructor::getConstructData):
2959         * runtime/ProxyObject.cpp:
2960         (JSC::ProxyObject::ProxyObject):
2961         (JSC::ProxyObject::structureForTarget):
2962         (JSC::ProxyObject::finishCreation):
2963         * runtime/ProxyObject.h:
2964         (JSC::ProxyObject::create):
2965         (JSC::ProxyObject::createStructure):
2966         * tests/es6.yaml:
2967         * tests/stress/proxy-instanceof.js: Added.
2968         (assert):
2969         (test):
2970         (C):
2971         (test.let.handler.get if):
2972         (test.let.handler):
2973
2974 2016-03-10  Michael Saboff  <msaboff@apple.com>
2975
2976         [ES6] RegExp sticky flag should be ignored in String.match when global flag is given
2977         https://bugs.webkit.org/show_bug.cgi?id=155332
2978
2979         Reviewed by Saam Barati.
2980
2981         Removed logic from stringProtoFuncMatch that handles the case where both global and sticky flags are set.
2982
2983         * runtime/StringPrototype.cpp:
2984         (JSC::stringProtoFuncMatch):
2985
2986 2016-03-10  Michael Saboff  <msaboff@apple.com>
2987
2988         [ES6] Allow RegExp constructor to take pattern from an existing RegExp with new flags
2989         https://bugs.webkit.org/show_bug.cgi?id=155315
2990
2991         Reviewed by Saam Barati.
2992
2993         Changed to comply with section 21.2.3.1, step 5.  Eliminated syntax error.
2994
2995         In the process, changed to get the VM at the top of the function.
2996
2997         Updated tests accordingly.
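
The constructor paths of section 21.2.3.1, as an added example (not JSC code): a RegExp passed as the pattern keeps its own pattern and flags, gets new flags when they are supplied, or is returned unchanged when called without `new`; the `shadowed` own property and the `duck` object are constructed for illustration.

```javascript
// Added example, not JSC code: the paths the RegExp constructor takes
// (ES6 21.2.3.1) when the pattern argument is already a RegExp, or an
// object that claims to be one via Symbol.match.
function regExpFromRegExpCases() {
  const re = /a+/g;
  // Shadow the `source` accessor with an own data property so we can tell
  // whether the constructor reads the property or the [[OriginalSource]] slot.
  Object.defineProperty(re, "source", { value: "shadowed" });

  const copied = new RegExp(re);         // step 5: flags undefined, keep originals
  const reflagged = new RegExp(re, "i"); // step 5: same pattern, new flags, no SyntaxError

  // An ordinary object with Symbol.match set passes IsRegExp (step 6):
  // its "source" and "flags" properties are read with [[Get]].
  const duck = { [Symbol.match]: true, source: "b+", flags: "m" };
  const fromDuck = new RegExp(duck);

  return {
    // RegExp(re) without `new`, no flags, re.constructor === RegExp:
    // step 4 returns the very same object.
    sameObject: RegExp(re) === re,
    copiedSource: copied.source,       // "a+" (internal slot, not the shadow)
    copiedFlags: copied.flags,         // "g"
    reflaggedSource: reflagged.source, // "a+"
    reflaggedFlags: reflagged.flags,   // "i"
    reflaggedIsNew: reflagged !== re,
    originalFlags: re.flags,           // "g": the original is untouched
    // toString, by contrast, reads "source" with [[Get]] and sees the shadow.
    shadowVisible: RegExp.prototype.toString.call(re), // "/shadowed/g"
    duckSource: fromDuck.source,       // "b+"
    duckFlags: fromDuck.flags,         // "m"
  };
}
```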
2998
2999         * runtime/RegExpConstructor.cpp:
3000         (JSC::constructRegExp):
3001         * tests/es6.yaml: Changed miscellaneous_RegExp_constructor_can_alter_flags.js to normal.
3002         * tests/mozilla/mozilla-tests.yaml: Disabled ecma_3/RegExp/15.10.4.1-5-n.js as it checks
3003         for the old behavior of throwing a syntax error.
3004
3005 2016-03-10  Saam barati  <sbarati@apple.com>
3006
3007         [ES6] Make ToPropertyDescriptor spec compliant
3008         https://bugs.webkit.org/show_bug.cgi?id=155313
3009
3010         Reviewed by Mark Lam.
3011
3012         We were performing HasProperty(.) and Get(.) in the same operation.
3013         This isn't valid according to the spec and it's user observable
3014         behavior with Proxy. This patch fixes ToPropertyDescriptor to use
3015         two distinct operations for HasProperty(.) and Get(.).
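
A recording Proxy makes the operations these two entries describe visible from script. This added example (not JSC code) covers the RegExp.prototype.toString entry above, which performs two [[Get]]s, and this ToPropertyDescriptor entry, which performs a HasProperty and then a separate Get per descriptor field; the `recordingProxy` helper and the sample objects are constructed for the example.

```javascript
// Added example, not JSC code: a recording Proxy exposes the internal
// operations a spec-compliant engine performs and their order.

// Wrap `target` so every `has` and `get` trap appends "trap:key" to `log`.
// Reads are forwarded with the target as receiver, because RegExp accessors
// such as `source` throw when their receiver is the Proxy itself.
function recordingProxy(target, log) {
  return new Proxy(target, {
    has(t, key) {
      log.push(`has:${String(key)}`);
      return Reflect.has(t, key);
    },
    get(t, key) {
      log.push(`get:${String(key)}`);
      return Reflect.get(t, key);
    },
  });
}

// toString must obtain "source" and "flags" through [[Get]] on the receiver,
// not by reading internal slots, so the Proxy sees both reads.
function observeRegExpToString() {
  const log = [];
  const proxy = recordingProxy(/a+/gi, log);
  return { result: RegExp.prototype.toString.call(proxy), log };
}
// -> { result: "/a+/gi", log: ["get:source", "get:flags"] }

// The same rule makes toString generic: any object with string-valued
// "source" and "flags" works.
function genericRegExpToString() {
  return RegExp.prototype.toString.call({ source: "x", flags: "y" });
}
// -> "/x/y"

// Object.defineProperty runs ToPropertyDescriptor on its third argument.
// With HasProperty and Get as distinct steps, an absent field produces a
// lone "has:" entry and a present field a "has:" followed by a "get:",
// in spec order: enumerable, configurable, value, writable, get, set.
function observeToPropertyDescriptor() {
  const log = [];
  const descriptor = recordingProxy({ value: 1, writable: true }, log);
  const target = {};
  Object.defineProperty(target, "x", descriptor);
  return { value: target.x, log };
}
// -> log: ["has:enumerable", "has:configurable", "has:value", "get:value",
//          "has:writable", "get:writable", "has:get", "has:set"]
```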
3016
3017         * runtime/ObjectConstructor.cpp:
3018         (JSC::ownEnumerablePropertyKeys):
3019         (JSC::toPropertyDescriptor):
3020         * tests/es6.yaml:
3021         * tests/stress/to-property-key-correctness.js: Added.
3022         (assert):
3023         (test):
3024         (test.let.handler.has):
3025         (arrayEq):
3026         (let.handler.has):
3027         (let.target):
3028         (set get let):
3029
3030 2016-03-10  Brian Burg  <bburg@apple.com>
3031
3032         Web Inspector: report the underlying parser error message when JSON parsing fails
3033         https://bugs.webkit.org/show_bug.cgi?id=155303
3034         <rdar://problem/25088939>
3035
3036         Reviewed by Timothy Hatcher.
3037
3038         * inspector/scripts/generate-inspector-protocol-bindings.py:
3039         (generate_from_specification.load_specification):
3040         Stringize the underlying error so we can see what it says.
3041
3042 2016-03-09  Joseph Pecoraro  <pecoraro@apple.com>
3043
3044         Web Inspector: JavaScript Heap Allocations Timeline
3045         https://bugs.webkit.org/show_bug.cgi?id=155287
3046         <rdar://problem/25078088>
3047
3048         Reviewed by Timothy Hatcher.
3049
3050         * inspector/InjectedScriptSource.js:
3051         (InjectedScript.prototype._describe):
3052         (InjectedScript.prototype._nodeDescription):
3053         Provide the nicer node preview more often.
3054
3055 2016-03-10  Saam barati  <sbarati@apple.com>
3056
3057         Assignment to new.target should be an early error
3058         https://bugs.webkit.org/show_bug.cgi?id=151148
3059
3060         Reviewed by Mark Lam.
3061
3062         This patch makes it so that any form of assignment to new.target
3063         is an early syntax error.
3064
3065         * parser/ASTBuilder.h:
3066         (JSC::ASTBuilder::createNewTargetExpr):
3067         (JSC::ASTBuilder::isNewTarget):
3068         (JSC::ASTBuilder::createResolve):
3069         * parser/Parser.cpp:
3070         (JSC::Parser<LexerType>::parseAssignmentExpression):
3071         (JSC::Parser<LexerType>::parseUnaryExpression):
3072         * parser/SyntaxChecker.h:
3073         (JSC::SyntaxChecker::createThisExpr):
3074         (JSC::SyntaxChecker::createSuperExpr):
3075         (JSC::SyntaxChecker::createNewTargetExpr):
3076         (JSC::SyntaxChecker::isNewTarget):
3077         (JSC::SyntaxChecker::createResolve):
3078         (JSC::SyntaxChecker::createObjectLiteral):
3079         * tests/es6.yaml:
3080         * tests/stress/new-target-syntax-errors.js: Added.
3081         (shouldBeSyntaxError):
3082         (shouldNotBeSyntaxError):
3083         * tests/stress/new-target.js:
3084         (Constructor):
3085         (doWeirdThings):
3086         (noAssign): Deleted.
3087         (catch): Deleted.
3088
3089 2016-03-08  Skachkov Oleksandr  <gskachkov@gmail.com>
3090
3091         How we load new.target in arrow functions is broken
3092         https://bugs.webkit.org/show_bug.cgi?id=155153
3093
3094         Reviewed by Saam Barati.
3095
3096         Fixed the incorrect approach to caching new.target. This patch adds a code-feature
3097         flag indicating that the current function uses new.target; when generating bytecode for an arrow
3098         function, we load the new.target value into its register from the arrow function's lexical environment.
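
The two new.target rules from this entry and the early-error entry above, as an added example (not JSC code): every assignment form is rejected at parse time, while an arrow function reads the new.target of the enclosing non-arrow function even when called later. The `Outer` constructor and the source-string lists are constructed for the example.

```javascript
// Added example, not JSC code: assignment to new.target is an early error,
// and arrow functions capture the enclosing function's new.target.

// Compile `body` as a function body without running it; returns true when
// the parser rejects it (an early error). The Function constructor is used
// so the result does not depend on this file's own strictness.
function isEarlyError(body) {
  try {
    new Function(body);
    return false;
  } catch (e) {
    return true;
  }
}

// Every form that would write to new.target.
const assignmentForms = [
  "new.target = 1",
  "new.target += 1",
  "new.target++",
  "--new.target",
  "[new.target] = [1]",
  "({ a: new.target } = { a: 1 })",
  "for (new.target in {}) {}",
];

// Reads of new.target stay legal.
const readForms = [
  "return new.target",
  "var t = new.target; return t === undefined",
  "return typeof new.target",
];

function allAssignmentsRejected() {
  return assignmentForms.every(isEarlyError);
}

function allReadsAccepted() {
  return readForms.every((body) => !isEarlyError(body));
}

// Arrow functions have no new.target of their own: they read the value
// belonging to the nearest enclosing non-arrow function.
function Outer() {
  const arrow = () => new.target;
  this.viaArrow = arrow(); // same value as new.target right here
  this.deferred = arrow;   // still bound to Outer's new.target when called later
}

function arrowNewTargetCases() {
  const constructed = new Outer();
  const plainCall = {};
  Outer.call(plainCall); // not a construct call: new.target is undefined
  return {
    constructedArrow: constructed.viaArrow === Outer,
    constructedDeferred: constructed.deferred() === Outer,
    plainCallArrow: plainCall.viaArrow === undefined,
  };
}
```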
3099
3100         * bytecompiler/BytecodeGenerator.cpp:
3101         (JSC::BytecodeGenerator::BytecodeGenerator):
3102         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
3103         * bytecompiler/BytecodeGenerator.h:
3104         (JSC::BytecodeGenerator::newTarget):
3105         * parser/ASTBuilder.h:
3106         (JSC::ASTBuilder::createNewTargetExpr):
3107         (JSC::ASTBuilder::usesNewTarget):
3108         * parser/Nodes.h:
3109         (JSC::ScopeNode::usesNewTarget):
3110         * parser/ParserModes.h:
3111         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
3112
3113 2016-03-09  Joseph Pecoraro  <pecoraro@apple.com>
3114
3115         Web Inspector: Get a RemoteObject or ObjectPreview from HeapSnapshot Object Identifier
3116         https://bugs.webkit.org/show_bug.cgi?id=155264
3117         <rdar://problem/25070716>
3118
3119         Reviewed by Timothy Hatcher.
3120
3121         * inspector/InjectedScript.h:
3122         * inspector/InjectedScript.cpp:
3123         (Inspector::InjectedScript::functionDetails):
3124         (Inspector::InjectedScript::previewValue):
3125         New InjectedScript methods for building Debugger.FunctionDetails
3126         or Runtime.ObjectPreview protocol objects from a JSValue.
3127
3128         * inspector/InjectedScriptSource.js:
3129         (InjectedScript.prototype.previewValue):
3130         (InjectedScript.prototype.functionDetails):
3131         (InjectedScript.prototype.getFunctionDetails):
3132         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
3133         (InjectedScript.RemoteObject.prototype._createObjectPreviewForValue): Deleted.
3134         (InjectedScript.RemoteObject.prototype._appendEntryPreviews): Deleted.
3135         Share code around creating function details or object preview objects.
3136
3137         * inspector/agents/InspectorHeapAgent.cpp:
3138         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
3139         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
3140         (Inspector::InspectorHeapAgent::getPreview):
3141         (Inspector::InspectorHeapAgent::getRemoteObject):
3142         * inspector/agents/InspectorHeapAgent.h:
3143         * inspector/protocol/Heap.json:
3144         New protocol methods that go from heap object identifier to a
3145         remote object or some kind of preview.
3146
3147         * inspector/scripts/codegen/generator.py:
3148         Allow runtime casts for ObjectPreview.
3149
3150 2016-03-09  Andy VanWagoner  <thetalecrafter@gmail.com>
3151
3152         [INTL] Intl Constructors not web compatible with Object.create usage
3153         https://bugs.webkit.org/show_bug.cgi?id=153679
3154
3155         Reviewed by Darin Adler.
3156
3157         Add workaround for initializing NumberFormat and DateTimeFormat objects
3158         using Object.create followed by constructor.call. This is necessary for
3159         backwards compatibility with libraries relying on v1 behavior of Intl
3160         constructors.
3161
3162         Collator does not get the workaround, since polyfills do not include it,
3163         and there are not any known instances of v2 incompatible libraries.
3164
3165         The workaround involves checking for an object that inherits from the
3166         *Format constructor, but was not actually initialized with that type. A
3167         substitute instance is created and attached to the object using a private
3168         name. The prototype functions then check for the private property to use
3169         in place of the original object.
3170
3171         Since this behavior is not part of the v2 spec, it should be removed as
3172         soon as the incompatible behavior is no longer in common use.
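
The workaround described above, modelled in plain JavaScript as an added example (not JSC code): `Formatter` stands in for Intl.NumberFormat, a WeakSet tracks properly initialized instances, and a Symbol stands in for the engine's private name (an assumption: the real private name is not reachable from script at all).

```javascript
// Added example, not JSC code: a model of the Object.create + constructor.call
// compatibility path. Uninitialized receivers get a substitute instance
// attached under a private key, and prototype methods unwrap to it.
const substituteKey = Symbol("substitute instance"); // stands in for a private name
const realInstances = new WeakSet();                 // fully initialized instances

function Formatter(prefix) {
  if (new.target === undefined) {
    // Legacy pattern: `Object.create(Formatter.prototype)` followed by
    // `Formatter.call(obj, ...)`. `obj` inherits from the prototype but was
    // never initialized, so attach a real instance under the private key.
    if (this instanceof Formatter && !realInstances.has(this)
        && !Object.prototype.hasOwnProperty.call(this, substituteKey)) {
      Object.defineProperty(this, substituteKey, { value: new Formatter(prefix) });
      return this;
    }
    return new Formatter(prefix);
  }
  this.prefix = prefix;
  realInstances.add(this);
}

// Prototype functions operate on the substitute when one is attached and
// reject receivers that are neither real instances nor wrappers.
function unwrap(receiver) {
  if (realInstances.has(receiver)) return receiver;
  if (receiver !== null && typeof receiver === "object"
      && Object.prototype.hasOwnProperty.call(receiver, substituteKey)) {
    return receiver[substituteKey];
  }
  throw new TypeError("format called on an incompatible receiver");
}

Formatter.prototype.format = function format(n) {
  return unwrap(this).prefix + String(n);
};

function legacyConstructionCase() {
  const obj = Object.create(Formatter.prototype);
  const returned = Formatter.call(obj, "$");
  let plainObjectError = null;
  try {
    Formatter.prototype.format.call({}, 1);
  } catch (e) {
    plainObjectError = e.name;
  }
  return {
    returnedSameObject: returned === obj,
    formatted: obj.format(5),              // "$5": served by the substitute
    direct: new Formatter("#").format(5),  // "#5": the normal path
    ownPrefixOnWrapper: Object.prototype.hasOwnProperty.call(obj, "prefix"), // false
    plainObjectError,                      // "TypeError"
  };
}
```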
3173
3174         * runtime/CommonIdentifiers.h:
3175         * runtime/IntlDateTimeFormatConstructor.cpp:
3176         (JSC::callIntlDateTimeFormat):
3177         * runtime/IntlDateTimeFormatPrototype.cpp:
3178         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
3179         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
3180         * runtime/IntlNumberFormatConstructor.cpp:
3181         (JSC::callIntlNumberFormat):
3182         * runtime/IntlNumberFormatPrototype.cpp:
3183         (JSC::IntlNumberFormatPrototypeGetterFormat):
3184         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
3185
3186 2016-03-09  Saam barati  <sbarati@apple.com>
3187
3188         Add proper JSON.stringify support for Proxy when the target is an array
3189         https://bugs.webkit.org/show_bug.cgi?id=155180
3190
3191         Reviewed by Darin Adler.
3192
3193         This patch makes the following type of program true:
3194         `JSON.stringify(new Proxy([25], {})) === "[25]"`
3195
3196         We need to change the JSON stringifier to use the IsArray test
3197         in section 7.2.2 of ES6 spec instead of the JSC inherits(JSArray::info())
3198         test.
3199
3200         This patch also adds tests for general JSON.stringify support
3201         of Proxy.
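
How the spec's type tests see through a Proxy, as an added example (not JSC code) covering this JSON.stringify entry and the instanceof entry above: IsArray and IsCallable are decided by the Proxy's target, and a revoked Proxy makes IsArray throw. `Base` and the sample targets are constructed for the example.

```javascript
// Added example, not JSC code: IsCallable (instanceof), IsArray
// (JSON.stringify, Array.isArray) and typeof all look at a Proxy's target.
function Base() {}

// Run `value instanceof rhs`, reporting the boolean or the error name
// thrown when the right-hand side is not callable.
function instanceofResult(value, rhs) {
  try {
    return String(value instanceof rhs);
  } catch (e) {
    return e.name;
  }
}

function stringifyResult(value) {
  try {
    return JSON.stringify(value);
  } catch (e) {
    return e.name;
  }
}

function isArrayResult(value) {
  try {
    return String(Array.isArray(value));
  } catch (e) {
    return e.name;
  }
}

function proxyTypeTestCases() {
  const instance = new Base();
  const callableProxy = new Proxy(Base, {});
  const objectProxy = new Proxy({}, {});
  // A revoked proxy has no target any more, so IsArray cannot decide.
  const { proxy: revoked, revoke } = Proxy.revocable([1, 2], {});
  revoke();

  return {
    typeofCallable: typeof callableProxy,                         // "function"
    typeofObject: typeof objectProxy,                             // "object"
    directRhs: instanceofResult(instance, Base),                  // "true"
    callableProxyRhs: instanceofResult(instance, callableProxy),  // "true"
    objectProxyRhs: instanceofResult(instance, objectProxy),      // "TypeError"
    proxiedArray: stringifyResult(new Proxy([25], {})),           // "[25]"
    proxiedObject: stringifyResult(new Proxy({ n: 25 }, {})),     // '{"n":25}'
    isArrayProxy: isArrayResult(new Proxy([], {})),               // "true"
    isArrayRevoked: isArrayResult(revoked),                       // "TypeError"
    stringifyRevoked: stringifyResult(revoked),                   // "TypeError"
  };
}
```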
3202
3203         * runtime/ArrayConstructor.cpp:
3204         (JSC::arrayConstructorIsArray):
3205         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
3206         * runtime/ArrayConstructor.h:
3207         (JSC::isArray):
3208         * runtime/JSONObject.cpp:
3209         (JSC::Stringifier::Holder::object):
3210         (JSC::Stringifier::appendStringifiedValue):
3211         (JSC::Stringifier::startNewLine):
3212         (JSC::Stringifier::Holder::Holder):
3213         * tests/es6.yaml:
3214         * tests/stress/proxy-json.js: Added.
3215         (assert):
3216         (test):
3217
3218 2016-03-09  Saam Barati  <sbarati@apple.com>
3219
3220         ES6: Implement lexical scoping for function definitions in strict mode
3221         https://bugs.webkit.org/show_bug.cgi?id=152844
3222
3223         Reviewed by Geoffrey Garen.
3224
3225         This patch implements block scoping for function definitions
3226         in strict mode. The implementation works as follows:
3227         
3228         - If we're in sloppy mode, function declarations work exactly
3229           as they did before this patch. I.e., function declarations are hoisted
3230           and declared like "var" variables.
3231         
3232         - If you're in strict mode and at the top of a function scope or program
3233           scope, function declarations still work like they used to. They are defined
3234           like "var" variables. This is necessary for backwards compatibility
3235           because ES5 strict mode allowed duplicate function declarations at the
3236           top-most scope of a program/function.
3237         
3238         - If you're in strict mode and inside a block statement or a switch statement,
3239           function declarations are now block scoped. All function declarations within
3240           a block are hoisted to the beginning of the block. They are not hoisted out of the 
3241           block like they are in sloppy mode. This allows for the following types of
3242           programs:
3243           ```
3244           function foo() {
3245               function bar() { return 20; }
3246               {
3247                   function bar() { return 30; }
3248                   bar(); // 30
3249               }
3250               bar(); // 20
3251           }
3252           ```
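
The sloppy/strict difference described above, checked at run time as an added example (not JSC code): the entry's `foo`/`bar` program is compiled twice with the Function constructor so the body's own directive decides the mode, and the duplicate-declaration rules for the top level and for blocks are checked the same way.

```javascript
// Added example, not JSC code: block-scoped function declarations in strict
// mode versus var-like hoisting in sloppy mode.

// Body of the `foo` example from the entry, extended to call `bar` before
// its declaration inside the block and to report what is visible afterwards.
const body = `
  function bar() { return 20; }
  const seen = [];
  {
    seen.push(bar());      // hoisted to the start of the block: 30
    function bar() { return 30; }
    seen.push(bar());      // 30
  }
  seen.push(bar());        // sloppy: 30 (Annex B hoists it out), strict: 20
  return seen;
`;

function sloppyResult() {
  return new Function(body)();
}

function strictResult() {
  return new Function("'use strict';" + body)();
}

// Returns true when `source` parses, false on an early SyntaxError.
function compiles(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Duplicate function declarations: allowed at the top level of a function
// even in strict mode (ES5 compatibility), rejected inside a strict block.
const duplicateTopLevel =
  "function dup() { return 1; } function dup() { return 2; } return dup();";
const duplicateInBlock =
  "{ function dup() { return 1; } function dup() { return 2; } } return dup();";

function duplicateCases() {
  return {
    strictTopLevel: compiles("'use strict';" + duplicateTopLevel), // true
    strictInBlock: compiles("'use strict';" + duplicateInBlock),   // false
    sloppyInBlock: compiles(duplicateInBlock),                     // true (Annex B)
  };
}
```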
3253
3254         * bytecompiler/BytecodeGenerator.cpp:
3255         (JSC::BytecodeGenerator::BytecodeGenerator):
3256         (JSC::BytecodeGenerator::instantiateLexicalVariables):
3257         (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
3258         (JSC::BytecodeGenerator::pushLexicalScope):
3259         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
3260         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
3261         (JSC::BytecodeGenerator::popLexicalScope):
3262         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
3263         (JSC::BytecodeGenerator::pushTDZVariables):
3264         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
3265         (JSC::BytecodeGenerator::emitNewRegExp):
3266         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
3267         (JSC::BytecodeGenerator::emitNewFunctionExpression):
3268         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
3269         * bytecompiler/BytecodeGenerator.h:
3270         * parser/ASTBuilder.h:
3271         (JSC::ASTBuilder::createSourceElements):
3272         (JSC::ASTBuilder::features):
3273         (JSC::ASTBuilder::numConstants):
3274         (JSC::ASTBuilder::createFuncDeclStatement):
3275         (JSC::ASTBuilder::createClassDeclStatement):
3276         (JSC::ASTBuilder::createBlockStatement):
3277         (JSC::ASTBuilder::createTryStatement):
3278         (JSC::ASTBuilder::createSwitchStatement):
3279         (JSC::ASTBuilder::Scope::Scope):
3280         (JSC::ASTBuilder::funcDeclarations): Deleted.
3281         * parser/NodeConstructors.h:
3282         (JSC::CaseBlockNode::CaseBlockNode):
3283         (JSC::SwitchNode::SwitchNode):
3284         (JSC::BlockNode::BlockNode):
3285         * parser/Nodes.cpp:
3286         (JSC::ScopeNode::ScopeNode):
3287         (JSC::ScopeNode::singleStatement):
3288         (JSC::ProgramNode::ProgramNode):
3289         (JSC::ModuleProgramNode::ModuleProgramNode):
3290         (JSC::EvalNode::EvalNode):
3291         (JSC::FunctionNode::FunctionNode):
3292         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
3293         * parser/Nodes.h:
3294         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
3295         (JSC::VariableEnvironmentNode::lexicalVariables):
3296         (JSC::VariableEnvironmentNode::functionStack):
3297         (JSC::ScopeNode::captures):
3298         (JSC::ScopeNode::varDeclarations):
3299         (JSC::ScopeNode::neededConstants):
3300         (JSC::ProgramNode::startColumn):
3301         (JSC::ProgramNode::endColumn):
3302         (JSC::EvalNode::startColumn):
3303         (JSC::EvalNode::endColumn):
3304         (JSC::ModuleProgramNode::startColumn):
3305         (JSC::ModuleProgramNode::endColumn):
3306         (JSC::ScopeNode::functionStack): Deleted.
3307         * parser/Parser.cpp:
3308         (JSC::Parser<LexerType>::parseInner):
3309         (JSC::Parser<LexerType>::didFinishParsing):
3310         (JSC::Parser<LexerType>::parseStatementListItem):
3311         (JSC::Parser<LexerType>::parseSwitchStatement):
3312         (JSC::Parser<LexerType>::parseBlockStatement):
3313         (JSC::Parser<LexerType>::parseStatement):
3314         (JSC::Parser<LexerType>::parseFunctionInfo):
3315         (JSC::getMetadata):
3316         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3317         (JSC::Parser<LexerType>::parseExportDeclaration):
3318         * parser/Parser.h:
3319         (JSC::Scope::declareVariable):
3320         (JSC::Scope::declareFunction):
3321         (JSC::Scope::appendFunction):
3322         (JSC::Scope::takeFunctionDeclarations):
3323         (JSC::Scope::declareLexicalVariable):
3324         (JSC::Parser::currentVariableScope):
3325         (JSC::Parser::currentLexicalDeclarationScope):
3326         (JSC::Parser::currentFunctionScope):
3327         (JSC::Parser::pushScope):
3328         (JSC::Parser::popScopeInternal):
3329         (JSC::Parser::declareVariable):
3330         (JSC::Parser::declareFunction):
3331         (JSC::Parser::hasDeclaredVariable):
3332         (JSC::Parser::isFunctionMetadataNode):
3333         (JSC::Parser<LexerType>::parse):
3334         * parser/SyntaxChecker.h:
3335         (JSC::SyntaxChecker::createFuncDeclStatement):
3336         (JSC::SyntaxChecker::createClassDeclStatement):
3337         (JSC::SyntaxChecker::createBlockStatement):
3338         (JSC::SyntaxChecker::createExprStatement):
3339         (JSC::SyntaxChecker::createIfStatement):
3340         (JSC::SyntaxChecker::createContinueStatement):
3341         (JSC::SyntaxChecker::createTryStatement):
3342         (JSC::SyntaxChecker::createSwitchStatement):
3343         (JSC::SyntaxChecker::createWhileStatement):
3344         (JSC::SyntaxChecker::createWithStatement):
3345         (JSC::SyntaxChecker::createDoWhileStatement):
3346         * parser/VariableEnvironment.h:
3347         (JSC::VariableEnvironmentEntry::isExported):
3348         (JSC::VariableEnvironmentEntry::isImported):
3349         (JSC::VariableEnvironmentEntry::isImportedNamespace):
3350         (JSC::VariableEnvironmentEntry::isFunction):
3351         (JSC::VariableEnvironmentEntry::setIsCaptured):
3352         (JSC::VariableEnvironmentEntry::setIsConst):
3353         (JSC::VariableEnvironmentEntry::setIsExported):
3354         (JSC::VariableEnvironmentEntry::setIsImported):
3355         (JSC::VariableEnvironmentEntry::setIsImportedNamespace):
3356         (JSC::VariableEnvironmentEntry::setIsFunction):
3357         (JSC::VariableEnvironmentEntry::clearIsVar):
3358         (JSC::VariableEnvironment::VariableEnvironment):
3359         (JSC::VariableEnvironment::begin):
3360         (JSC::VariableEnvironment::end):
3361         * tests/es6.yaml:
3362         * tests/stress/block-scoped-function-declarations.js: Added.
3363         (assert):
3364         (test):
3365         (f.foo.bar):