DFG::Plan shouldn't read from its VM once it's been cancelled

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-05-15  Filip Pizlo  <fpizlo@apple.com>

        DFG::Plan shouldn't read from its VM once it's been cancelled
        https://bugs.webkit.org/show_bug.cgi?id=157726

        Reviewed by Saam Barati.
        
        Plan::vm was a reference, not a pointer, and so wasn't nulled by Plan::cancel(). So, a
        cancelled plan may have a dangling pointer to a VM: we could delete the VM after cancelling
        the plan.
        
        Prior to http://trac.webkit.org/changeset/200705, this was probably fine because nobody
        would read Plan::vm if the plan was cancelled. But r200705 changed that. It was a hard
        regression to spot because usually a cancelled plan will still refer to a valid VM.
        
        This change fixes the regression and makes it a lot easier to spot the regression in the
        future. Plan::vm is now a pointer and we null it in Plan::cancel(). Now if you make this
        mistake, you will get a crash anytime the Plan is cancelled, not just anytime the plan is
        cancelled and the VM gets deleted. Also, it's now very clear what to do when you want to
        use Plan::vm on the cancel path: you can null-check vm; if it's null, assume the worst.
        
        Because we null the VM of a cancelled plan, we cannot have Safepoint::vm() return the
        plan's VM anymore. That's because when we cancel a plan that is at a safepoint, we use the
        safepoint's VM to determine whether this is one of our safepoints *after* the plan is
        already cancelled. So, Safepoint now has its own copy of m_vm, and that copy gets nulled
        when the Safepoint is cancelled. The Safepoint's m_vm will be nulled moments after Plan's
        vm gets nulled (see Worklist::removeDeadPlans(), which has a cancel path for Plans in one
        loop and a cancel path for Safepoints in the loop after it).

        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::computeCompileTimes):
        (JSC::DFG::Plan::reportCompileTimes):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::cancel):
        * dfg/DFGPlan.h:
        (JSC::DFG::Plan::canTierUpAndOSREnter):
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::cancel):
        (JSC::DFG::Safepoint::vm):
        * dfg/DFGSafepoint.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::rememberCodeBlocks):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):

2016-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        Modernize Intl constructors; using InternalFunction::createSubclassStructure
        https://bugs.webkit.org/show_bug.cgi?id=157082

        Reviewed by Darin Adler.

        Previously, Intl constructors retrieve "prototype" to inherit the "new.target".
        At that time, this mis-assumed that getDirect() always returns meaningful JS value.
        Actually, it returns an empty value if a property does not exist.

        Instead of fixing this assertion, we now use InternalFunction::createSubclassStructure
        in Intl constructors. It is modern and preferable way since it can cache the derived
        structures in InternalFunction.

        This patch also cleans up the workaround in Intl.NumberFormat and Intl.DateTimeFormat.
        Those code are largely duplicate. This is now extracted into
        constructIntlInstanceWithWorkaroundForLegacyIntlConstructor. This clean up does not
        have any behavior changes. They are already tested in LayoutTests/js/intl-datetimeformat
        and LayoutTests/js/intl-numberformat.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::create):
        * runtime/IntlCollator.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::create):
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        (JSC::callIntlDateTimeFormat):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::create):
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        (JSC::callIntlNumberFormat):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObjectInlines.h: Added.
        (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
        * tests/stress/intl-constructors-with-proxy.js: Added.
        (shouldBe):
        (throw.new.Error.Empty):
        (throw.new.Error):
        (shouldBe.Empty):

2016-05-14  Joseph Pecoraro  <pecoraro@apple.com>

        Remove LegacyProfiler
        https://bugs.webkit.org/show_bug.cgi?id=153565

        Reviewed by Mark Lam.

        JavaScriptCore now provides a sampling profiler and it is enabled
        by all ports. Web Inspector switched months ago to using the
        sampling profiler and displaying its data. Remove the legacy
        profiler, as it is no longer being used by anything other then
        console.profile and tests. We will update console.profile's
        behavior soon to have new behavior and use the sampling data.

        * API/JSProfilerPrivate.cpp: Removed.
        * API/JSProfilerPrivate.h: Removed.
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset): Deleted.
        (JSC::computeDefsForBytecodeOffset): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Deleted.
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::profileHookRegister): Deleted.
        (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::CallArguments::CallArguments): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Deleted.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
        * inspector/protocol/Timeline.json:
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::operator()): Deleted.
        (JSC::Interpreter::execute): Deleted.
        (JSC::Interpreter::executeCall): Deleted.
        (JSC::Interpreter::executeConstruct): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass): Deleted.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_will_call): Deleted.
        (JSC::JIT::emit_op_profile_did_call): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_will_call): Deleted.
        (JSC::JIT::emit_op_profile_did_call): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/ParserModes.h:
        * profiler/CallIdentifier.h: Removed.
        * profiler/LegacyProfiler.cpp: Removed.
        * profiler/LegacyProfiler.h: Removed.
        * profiler/Profile.cpp: Removed.
        * profiler/Profile.h: Removed.
        * profiler/ProfileGenerator.cpp: Removed.
        * profiler/ProfileGenerator.h: Removed.
        * profiler/ProfileNode.cpp: Removed.
        * profiler/ProfileNode.h: Removed.
        * profiler/ProfilerJettisonReason.cpp:
        (WTF::printInternal): Deleted.
        * profiler/ProfilerJettisonReason.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
        (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
        (JSC::VM::setEnabledProfiler): Deleted.
        * runtime/VM.h:
        (JSC::VM::enabledProfiler): Deleted.
        (JSC::VM::enabledProfilerAddress): Deleted.

2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>

        jsc: samplingProfilerStackTraces() without starting sampling should not cause jsc to crash
        https://bugs.webkit.org/show_bug.cgi?id=157704

        Reviewed by Saam Barati.

        * jsc.cpp:
        (functionStartSamplingProfiler):
        (functionSamplingProfilerStackTraces):
        Throw an exception instead of crashing if we haven't started sampling.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::startTracking):
        * runtime/VM.h:
        * runtime/VM.cpp:
        (JSC::VM::ensureSamplingProfiler):
        Switch ensure to returning a reference, like most other ensures.

2016-05-13  Saam barati  <sbarati@apple.com>

        DFG/FTL have a few bugs in their reasoning about the scope
        https://bugs.webkit.org/show_bug.cgi?id=157696

        Reviewed by Benjamin Poulain.

        1. When the debugger is enabled, it is easier for the DFG to reason
        about the scope register by simply claiming all nodes read the scope
        register. This prevents us from ever entering the runtime where we
        may take a stack trace but there isn't a scope on the stack.

        2. This patch fixes a bug where the FTL compilation wasn't properly
        setting the CodeBlock register. It was only doing this when there
        was inline data, but when the debugger is enabled, we never inline.
        So this code just needed to be removed from that loop. It was never
        right for it to be inside the loop.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2016-05-13  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] SetLocal without exit do not need phantoms
        https://bugs.webkit.org/show_bug.cgi?id=157653

        Reviewed by Filip Pizlo.

        I made a mistake in r200498.

        If a SetLocal cannot possibly exit, we were not clearing
        the source of the operand. As a result, we sometime kept
        a value alive up to the end of the block.

        That's uncommon because SetLocal typically appear
        toward the end of blocks. That's probably why there was
        no perf impact with that fix.

        * dfg/DFGPhantomInsertionPhase.cpp:

2016-05-13  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Move the CheckTierUp function calls out of the main path
        https://bugs.webkit.org/show_bug.cgi?id=157668

        Reviewed by Mark Lam.

        If you have a tiny tiny loop (for example, Sunspider's bits-in-byte),
        the size of CheckTierUp is a problem.

        On multi-issue CPUs, the node is so big that we do not
        get to run anything from the loop in the instruction fetch.

        On x86, having a bigger loop also pushes us out of the LSD.

        This is a 6% improvement on bits-in-byte. Other Sunspider tests
        only improves marginally.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentSpill):
        (JSC::DFG::SpeculativeJIT::silentFill):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-05-13  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Emit the loads of emitLoadWithStructureCheck() in the order they are used
        https://bugs.webkit.org/show_bug.cgi?id=157671

        Reviewed by Mark Lam.

        This improves the chances of having a value
        when issuing the TEST.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitLoadWithStructureCheck):

2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Inform augmenting client when inspector controller is destroyed
        https://bugs.webkit.org/show_bug.cgi?id=157688
        <rdar://problem/25832724>

        Reviewed by Timothy Hatcher.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::~JSGlobalObjectInspectorController):
        * inspector/augmentable/AugmentableInspectorControllerClient.h:
        There is a weak relationship between the InspectorController and the
        AugmentingClient. Let the augmenting client know when the controller
        is destroyed so it doesn't try to use us anymore.

2016-05-13  Geoffrey Garen  <ggaren@apple.com>

        Runaway malloc memory usage in this simple JSC program
        https://bugs.webkit.org/show_bug.cgi?id=157682

        Reviewed by Mark Lam.

        * heap/WeakSet.cpp:
        (JSC::WeakSet::sweep): Whenever we might add a block to
        m_logicallyEmptyWeakBlocks, be sure also to sweep a block in
        m_logicallyEmptyWeakBlocks. Otherwise, additions might outpace removals
        even when all memory is freed.

        We do this whenever we *might* add a block and not just whenever we *do*
        add a block because we'd like to sweep the entries in
        m_logicallyEmptyWeakBlocks promptly even when it's not growing, and this
        is a reasonably rate-limited opportunity to do so.

2016-05-13  Mark Lam  <mark.lam@apple.com>

        We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
        https://bugs.webkit.org/show_bug.cgi?id=157537
        <rdar://problem/24794845>

        Reviewed by Michael Saboff.

        The pre-existing code behaves this way:

        1. When JS code throws an exception, it saves callee save registers in
           the VM calleeSaveRegistersBuffer.  These values are meant to be restored
           to the callee save registers later either at the catch handler or at the
           uncaught exception handler.

        2. If the Inspector is enable, the VM will invoke inspector C++ code to inspect
           the exception.  That C++ code can change the values of the callee save
           registers.

           The inspector code in turn re-enters the VM to execute JS inspector code.

           The JS inspector code can run hot enough that we do an enterOptimizationCheck
           on it.  The enterOptimizationCheck first saves all callee save registers
           into the VM calleeSaveRegistersBuffer.

           This effectively overwrites the values in the VM calleeSaveRegistersBuffer
           from (1).

        3. Eventually, execution returns to the catch handler or the uncaught exception
           handler which restores the overwritten values in the VM
           calleeSaveRegistersBuffer to the callee save registers.

           When execution returns to the C++ code that entered the VM before (1), the
           values in the callee registers are not what that code expects, and badness
           and/or crashes ensues.

        This patch applies the following fix:
        
        1. Allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer.
           This ensures that each VM entry session has its own buffer to use, and will
           not corrupt the one from the previous VM entry session.

           Delete the VM calleeSaveRegistersBuffer.

        2. Change all locations that uses the VM calleeSaveRegistersBuffer to use the
           calleeSaveRegistersBuffer in the current VMEntryFrame.

        3. Renamed all uses of the term "VMCalleeSavesBuffer" to
           "VMEntryFrameCalleeSavesBuffer".

        This fix has been tested on the following configurations:
        1. JSC and layout tests on a debug ASan build for 64-bit x86_64.
        2. JSC tests on a release ASan build for 32-bit x86.
        3. JSC tests on a release normal (non-ASan) build for ARM64.
        4. JSC tests on a release normal (non-ASan) build for ARMv7 and ARMv7s.
        5. JSC tests on a release ASan CLOOP build for x86_64.

        These test runs did not produce any new crashes.  The ASan CLOOP has some
        pre-existing crashes which are not due to this patch.

        This bug can be tested by running the inspector/debugger/regress-133182.html test
        on an ASan build.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::operator()):
        (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        * interpreter/VMEntryRecord.h:
        (JSC::VMEntryRecord::calleeSaveRegistersBufferOffset):
        (JSC::VMEntryRecord::prevTopCallFrame):
        (JSC::VMEntryRecord::unsafePrevTopCallFrame):
        (JSC::VMEntryFrame::vmEntryRecordOffset):
        (JSC::VMEntryFrame::calleeSaveRegistersBufferOffset):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitRandomThunk):
        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
        (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::nativeForGenerator):
        * llint/LLIntThunks.cpp:
        (JSC::vmEntryRecord):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/VM.h:
        (JSC::VM::getCTIStub):
        (JSC::VM::calleeSaveRegistersBufferOffset): Deleted.
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::endFunction):

2016-05-13  Beth Dakin  <bdakin@apple.com>

        Add dyldSPI.h for linked on or after checks, and add one for link preview
        https://bugs.webkit.org/show_bug.cgi?id=157401
        -and corresponding-
        rdar://problem/26253396

        Reviewed by Darin Adler.

        Import #import <wtf/spi/darwin/dyldSPI.h> which now declares all of the 
        needed dyld code.
        * API/JSWrapperMap.mm:

2016-05-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        Assertion failure for direct eval in non-class method
        https://bugs.webkit.org/show_bug.cgi?id=157138

        Reviewed by Saam Barati.

        This assertion was incorrect. In method definitions in object literals,
        it can be sloppy mode, but its DerivedContextType may not be DerivedContextType::None.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::CacheKey::CacheKey):
        (JSC::EvalCodeCache::CacheKey::operator==):
        (JSC::EvalCodeCache::CacheKey::Hash::equal):
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::getSlow):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * tests/stress/direct-eval-in-object-literal-methods.js: Added.
        (shouldBe):
        (throw.new.Error):
        (shouldBe.Parent.prototype.l):
        (shouldBe.Parent):
        (shouldBe.Derived.prototype.m):
        (shouldBe.Derived):

2016-05-13  Skachkov Oleksandr  <gskachkov@gmail.com>

        Assertion failure for super() call in arrow function default parameters
        https://bugs.webkit.org/show_bug.cgi?id=157079

        Reviewed by Saam Barati.

        Root of the issue that in arrow function we load bounded variables this/super/new.target just after 
        input parameters were initialized, and did not covered case of default values for 
        function parameters. 
        Current patch tried to fix issue and allow to load bounded variables earlier, before the input 
        parameters are assigned by default values.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * tests/stress/arrowfunction-lexical-bind-this-2.js:

2016-05-12  Mark Lam  <mark.lam@apple.com>

        Baseline and DFG's JSC_report...CompileTimes needs CodeBlock hashes.
        https://bugs.webkit.org/show_bug.cgi?id=157643

        Reviewed by Keith Miller.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-05-12  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ENABLE(ES6_ARROWFUNCTION_SYNTAX) guards
        https://bugs.webkit.org/show_bug.cgi?id=157564

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:
        * parser/Parser.cpp:

2016-05-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH getting internal properties of function with no bound arguments causes
        https://bugs.webkit.org/show_bug.cgi?id=157613
        <rdar://problem/26238754>

        Reviewed by Timothy Hatcher.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        Gracefully handle a JSBoundFunction with no bound arguments.
        In this case boundArgs is JSValue() which we don't want to
        expose as the value of the internal property.

2016-05-11  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Make sure StringRange is passed to Vector by register
        https://bugs.webkit.org/show_bug.cgi?id=157603

        Reviewed by Darin Adler.

        This is bizarre, but on my SDK, Vector::append(StringRange)
        is passing the values on the stack.
        The two integers are written to the stack, the address given
        to append(), then append() reads it back and store it.

        This patch changes the code to use constructAndAppend(), ensuring
        the values are used directly.

        On my machine, this helps Sunspider and Octane.
        This might be something wrong with my SDK but the fix is so easy
        that we might as well do this.

        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):

2016-05-11  Zan Dobersek  <zdobersek@igalia.com>

        ARMv7Assembler: suppress a -Wnarrowing warning when compiling with GCC
        https://bugs.webkit.org/show_bug.cgi?id=157576

        Reviewed by Csaba Osztrogonác.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2): Explicitly cast the
        `OP_CMP_reg_T2 | left` value to uint16_t, avoiding a narrowing conversion
        warning that's being reported when compiling with GCC. The warning is sprung
        due to RegisterID (which is the type of `left`) being an enum based on int,
        even when the enum itself only declares 23 values.

2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: `this` in Scope Chain Sidebar does not have preview, looks poor
        https://bugs.webkit.org/show_bug.cgi?id=157602

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.CallFrameProxy):
        Include a preview when creating the RemoteObject for `this`.

2016-05-11  Keith Miller  <keith_miller@apple.com>

        Unreviewed, correct the title of the ChangeLog for r200667.

2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>

        JSC test stress/reflect-set.js failing after 200694
        https://bugs.webkit.org/show_bug.cgi?id=157586

        Unreviewed test rebaseline.

        * tests/stress/reflect-set.js:
        Update the expected error message. We are in strict mode, so the
        improved error message makes sense.

2016-05-11  Filip Pizlo  <fpizlo@apple.com>

        Beef up JSC profiler event log
        https://bugs.webkit.org/show_bug.cgi?id=157584

        Reviewed by Saam Barati.
        
        Also log more about compilation.

        * bytecode/ExecutionCounter.cpp: Changed the meaning of codeBlock to be the codeBlock that is doing the profiling. This will now get the baseline version if it needs it. This is needed for logging the threshold checking event.
        (JSC::applyMemoryUsageHeuristics):
        (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
        * dfg/DFGJITCode.cpp: Pass the right codeBlock.
        (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
        (JSC::DFG::JITCode::optimizeNextInvocation):
        (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
        (JSC::DFG::JITCode::optimizeSoon):
        (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
        * dfg/DFGPlan.cpp: Log things about compile times and whether the compiler succeeded or failed.
        (JSC::DFG::Plan::computeCompileTimes):
        (JSC::DFG::Plan::reportCompileTimes):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        * jit/ExecutableAllocatorFixedVMPool.cpp: Make it possible to look at memory usage, though separately from the log, for now.
        (JSC::ExecutableAllocator::allocate):
        * runtime/Options.h:

2016-05-11  Saam barati  <sbarati@apple.com>

        Air may decide to put the result register of an arithmetic snippet in the tag register
        https://bugs.webkit.org/show_bug.cgi?id=157548

        Reviewed by Filip Pizlo.

        This patch adds a new ValueRep to B3 called LateRegister. The semantics
        are similar to Register in that it can be used to pin an argument to
        a particular register. It differs from ValueRep::Register in that the semantics of
        LateRegister are that it is used after the result of the node its an argument to
        is computed. This means that a LateRegister argument will interfere with the result
        of a node. LateRegister is not a valid result ValueRep.

        This was needed because there was a bug where B3/Air would assign the
        result of a patchpoint to the TagTypeNumber register. This broke our
        code when we would box a double into a JSValue in a snippet when the
        result is the same as the TagTypeNumber register. To fix the issue,
        we pass TagMaskRegister and TagTypeNumberRegister as ValueRep::LateRegister
        arguments to various patchpoints.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::fillStackmap):
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::admitsStack):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/B3Validate.cpp:
        * b3/B3ValueRep.cpp:
        (JSC::B3::ValueRep::addUsedRegistersTo):
        (JSC::B3::ValueRep::dump):
        (JSC::B3::ValueRep::emitRestore):
        (JSC::B3::ValueRep::recoveryForJSValue):
        (WTF::printInternal):
        * b3/B3ValueRep.h:
        (JSC::B3::ValueRep::reg):
        (JSC::B3::ValueRep::lateReg):
        (JSC::B3::ValueRep::stack):
        (JSC::B3::ValueRep::operator==):
        (JSC::B3::ValueRep::isSomeRegister):
        (JSC::B3::ValueRep::isReg):
        * b3/testb3.cpp:
        (JSC::B3::testSpillUseLargerThanDef):
        (JSC::B3::testLateRegister):
        (JSC::B3::zero):
        (JSC::B3::run):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):

2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>

        Improve error messages for accessing arguments.callee and similar getters in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=157545

        Reviewed by Mark Lam.

        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        Provide better error GetterSetter in strict mode.

        * runtime/JSFunction.cpp:
        (JSC::getThrowTypeErrorGetterSetter):
        (JSC::JSFunction::defineOwnProperty):
        Provide better error GetterSetter in strict mode.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
        (JSC::JSGlobalObject::throwTypeErrorCalleeAndCallerGetterSetter):
        (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInStrictModeGetterSetter):
        (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInClassContextGetterSetter):
        (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerGetterSetter): Deleted.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncThrowTypeErrorCalleeAndCaller):
        (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInStrictMode):
        (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInClassContext):
        (JSC::globalFuncThrowTypeErrorArgumentsAndCaller): Deleted.
        * runtime/JSGlobalObjectFunctions.h:
        Rename and expose new handles for new error getter setter native functions.

2016-05-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r200481.
        https://bugs.webkit.org/show_bug.cgi?id=157573

        it's bad news for asm.js (Requested by pizlo on #webkit).

        Reverted changeset:

        "Reduce maximum JIT pool size on X86_64."
        http://trac.webkit.org/changeset/200481

2016-05-10  Keith Miller  <keith_miller@apple.com>

        TypedArray.prototype.slice should not use the byteLength of the passed array for memmove
        https://bugs.webkit.org/show_bug.cgi?id=157551
        <rdar://problem/26179914>

        Reviewed by Michael Saboff.

        The TypedArray.prototype.slice function would use the byteLength of the passed array
        to determine the amount of data to copy. It should have been using the passed length
        times the size of each element. This fixes a crash on JavaPoly.com

        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        * tests/stress/typedarray-slice.js:

2016-05-10  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r200447): Unable to build C_LOOP with clang version 800.0.12 or higher
        https://bugs.webkit.org/show_bug.cgi?id=157549

        Reviewed by Keith Miller.

        Disable debug annotations for C_LOOP builds.  They are inline assembly directives,
        unnecessary and they cause syntax errors.

        * offlineasm/asm.rb:

2016-05-10  Filip Pizlo  <fpizlo@apple.com>

        Internal JSC profiler should have a timestamped log of events for each code block
        https://bugs.webkit.org/show_bug.cgi?id=157538

        Reviewed by Benjamin Poulain.
        
        For example, in 3d-cube, I can query the events for MMulti and I get:

        1462917476.17083  MMulti#DTZ7qc                          installCode        
        1462917476.179663 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
        1462917476.179664 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline osrEntry           at bc#49
        1462917476.185651 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1011.214233/1717.000000, -707
        1462917476.187913 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      installCode        
        1462917476.187917 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      osrEntry           at bc#49
        1462917476.205365 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      jettison           due to OSRExit, counting = true, detail = (null)
        1462917476.205368 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#65: BadCache/FromDFG
        1462917476.205369 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
        1462917476.205482 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/3434.000000, -1000
        1462917476.211547 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/3434.000000, -1000
        1462917476.213721 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      installCode        
        1462917476.213726 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      osrEntry           at bc#49
        1462917476.223976 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      jettison           due to OSRExit, counting = true, detail = (null)
        1462917476.223981 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#77: BadCache/FromDFG
        1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#94: BadCache/FromDFG
        1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
        1462917476.224064 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/6868.000000, -1000
        1462917476.224151 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/6868.000000, -1000
        1462917476.224258 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 3013.000000/6868.000000, -1000
        1462917476.224337 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 4023.000000/6868.000000, -1000
        1462917476.224425 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 5023.000000/6868.000000, -1000
        1462917476.224785 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 6023.396484/6868.000000, -862
        1462917476.227669 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG      installCode        
        1462917476.227675 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG      osrEntry           at bc#0
        
        The output is ugly but useful. We can make it less ugly later.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        (JSC::ScriptExecutable::forEachCodeBlock):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::ExitProfile::add):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGOperations.cpp:
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::Compilation):
        (JSC::Profiler::Compilation::setJettisonReason):
        (JSC::Profiler::Compilation::dump):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        (JSC::Profiler::Compilation::uid):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::ensureBytecodesFor):
        (JSC::Profiler::Database::notifyDestruction):
        (JSC::Profiler::Database::addCompilation):
        (JSC::Profiler::Database::toJS):
        (JSC::Profiler::Database::registerToSaveAtExit):
        (JSC::Profiler::Database::logEvent):
        (JSC::Profiler::Database::addDatabaseToAtExit):
        * profiler/ProfilerDatabase.h:
        * profiler/ProfilerEvent.cpp: Added.
        (JSC::Profiler::Event::dump):
        (JSC::Profiler::Event::toJS):
        * profiler/ProfilerEvent.h: Added.
        (JSC::Profiler::Event::Event):
        (JSC::Profiler::Event::operator bool):
        (JSC::Profiler::Event::time):
        (JSC::Profiler::Event::bytecodes):
        (JSC::Profiler::Event::compilation):
        (JSC::Profiler::Event::summary):
        (JSC::Profiler::Event::detail):
        * profiler/ProfilerUID.cpp: Added.
        (JSC::Profiler::UID::create):
        (JSC::Profiler::UID::dump):
        (JSC::Profiler::UID::toJS):
        * profiler/ProfilerUID.h: Added.
        (JSC::Profiler::UID::UID):
        (JSC::Profiler::UID::fromInt):
        (JSC::Profiler::UID::toInt):
        (JSC::Profiler::UID::operator==):
        (JSC::Profiler::UID::operator!=):
        (JSC::Profiler::UID::operator bool):
        (JSC::Profiler::UID::isHashTableDeletedValue):
        (JSC::Profiler::UID::hash):
        (JSC::Profiler::UIDHash::hash):
        (JSC::Profiler::UIDHash::equal):
        * runtime/CommonIdentifiers.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/VM.h:
        (JSC::VM::bytecodeIntrinsicRegistry):
        (JSC::VM::shadowChicken):
        * runtime/VMInlines.h:
        (JSC::VM::shouldTriggerTermination):
        (JSC::VM::logEvent):

2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Backend should initiate timeline recordings on page navigations to ensure nothing is missed
        https://bugs.webkit.org/show_bug.cgi?id=157504
        <rdar://problem/26188642>

        Reviewed by Brian Burg.

        * inspector/protocol/Timeline.json:
        Add protocol commands to enable/disable auto capture and list the
        instruments that should be enabled when auto capture starts.
        Add protocol event for when the backend starts an auto capture.

2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>

        Make the different evaluateWithScopeExtension implementations more consistent
        https://bugs.webkit.org/show_bug.cgi?id=157536

        Reviewed by Timothy Hatcher.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
        Throw the exception consistent with JSJavaScriptCallFrame.

        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
        Better error message consistent with InjectedScriptHost.

        * runtime/Completion.h:
        * runtime/Completion.cpp:
        (JSC::evaluateWithScopeExtension):
        Give this an Exception out parameter like other evaluations
        so the caller can decide what to do with it.

2016-05-10  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] FTL can produce GetByVal nodes without proper bounds checking
        https://bugs.webkit.org/show_bug.cgi?id=157502
        rdar://problem/26027027

        Reviewed by Filip Pizlo.

        It was possible for FTL to generates GetByVal on arbitrary offsets
        without any bounds checking.

        The bug is caused by the order of optimization phases:
        -First, the Integer Range Optimization proves that a CheckInBounds
         test can never fail.
         This proof is based on control flow or preceeding instructions
         inside a loop.
        -The Loop Invariant Code Motion phase finds that the GetByVal does not
         depend on anything in the loop and hoist it out of the loop.
        -> As a result, the conditions that were necessary to eliminate
           the CheckInBounds are no longer met before the GetByVal.

        This patch just moves the Integer Range Optimization phase after
        Loop Invariant Code Motion to make sure no code is moved after
        its integer ranges bounds proofs have been used.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * tests/stress/bounds-check-not-eliminated-by-licm.js: Added.
        (testInLoopTests):

2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Eliminate the crazy code for evaluateOnCallFrame
        https://bugs.webkit.org/show_bug.cgi?id=157510
        <rdar://problem/26191332>

        Reviewed by Timothy Hatcher.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        Set and clear an optional scope extension object.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.evaluate):
        (InjectedScript.prototype._evaluateOn):
        (InjectedScript.prototype.evaluateOnCallFrame):
        Unify the code to use the passed in evaluate function and object.
        When evaluating on a call frame the evaluate function ends up being
        DebuggerCallFrame::evaluateWithScopeExtension. When evaluating globally
        this ends up being JSInjectedScriptHost::evaluateWithScopeExtension.
        In both cases "object" is the preferred this object to use.

        * debugger/DebuggerCallFrame.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
        (Inspector::JSJavaScriptCallFrame::evaluate): Deleted.
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
        (Inspector::JavaScriptCallFrame::evaluate): Deleted.
        Pass through to DebuggerCallFrame with the proper arguments.

        * debugger/Debugger.cpp:
        (JSC::Debugger::hasBreakpoint):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        Use the new evaluate on call frame method name and no scope extension object.

2016-05-10  Saam barati  <sbarati@apple.com>

        Make super-property-access.js test run for less time because it was timing out in debug builds.

        Rubber stamped by Filip Pizlo.

        * tests/stress/super-property-access.js:
        (test):
        (test.value):
        (test.foo):
        (test.B.prototype.bar):
        (test.B):

2016-05-10  Csaba Osztrogonác  <ossy@webkit.org>

        [JSC] Fix the !ENABLE(DFG_JIT) build
        https://bugs.webkit.org/show_bug.cgi?id=157512

        Reviewed by Mark Lam.

        * jit/Repatch.cpp:

2016-05-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH under JSC::DebuggerCallFrame::thisValue when hitting breakpoint
        https://bugs.webkit.org/show_bug.cgi?id=157442
        <rdar://problem/24172015>

        Reviewed by Saam Barati.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::thisValueForCallFrame):
        When the thisValue is JSValue() return undefined and avoid calling
        toThisValue which would lead to a crash. Having `this` be an empty
        JSValue could happen inside an ES6 class constructor, before
        calling super.

2016-05-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * bytecode/ValueProfile.cpp:
        (JSC::ResultProfile::emitDetectNumericness):
        (JSC::ResultProfile::emitSetNonNumber):
        * bytecode/ValueProfile.h:
        (JSC::ResultProfile::addressOfFlags):
        (JSC::ResultProfile::addressOfSpecialFastPathCount):
        (JSC::ResultProfile::detectNumericness):
        (JSC::ResultProfile::hasBits):

2016-05-09  Michael Saboff  <msaboff@apple.com>

        Crash beneath ObjCCallbackFunctionImpl::call
        https://bugs.webkit.org/show_bug.cgi?id=157491

        Reviewed by Saam Barati.

        Clear any exceptions after the micro task runs.

        Tried creating a test case, but I don't have source for the app.
        I can't seem to find the right combination of Promises and ObjC code.

        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):

2016-05-09  Filip Pizlo  <fpizlo@apple.com>

        Polymorphic operands in operators coerces downstream values to double.
        https://bugs.webkit.org/show_bug.cgi?id=151793

        Reviewed by Mark Lam.
        
        Previously if an object flowed into arithmetic, the prediction propagation phase would either
        assume that the output of the arithmetic had to be double or sometimes it would assume that it
        couldn't be double. We want it to only assume that the output is double if it actually had been.
        
        The first part of this patch is to roll out http://trac.webkit.org/changeset/200502. That removed
        some of the machinery that we had in place to detect whether the output of an operation is int or
        double. That changeset claimed that the machinery was "fundamentally broken". It actually wasn't.
        The reason why it didn't work was that ByteCodeParser was ignoring it if likelyToTakeSlowCase was
        false. I think this was a complete goof-up: the code in ByteCodeParser::makeSafe was structured
        in a way that made it non-obvious that the method is a no-op if !likelyToTakeSlowCase. So, this
        change rolls out r200502 and makes ResultProfile do its job by reshaping how makeSafe processes
        it.
        
        This also makes two other changes to shore up ResultProfile:
        - OSR exit can now refine a ResultProfile the same way that it refines ValueProfile.
        - Baseline JIT slow paths now set bits in ResultProfile.
        
        Based on this stuff, the DFG now predicts int/double/string in op_add/op_sub/op_mul based on
        ResultProfiles. To be conservative, we still only use the ResultProfiles if the incoming
        prediction is not number-or-boolean. This ensures that we exactly retain our old behavior in
        those cases for which it was tuned. But I hope to remove this soon. I believe that ResultProfile
        is already strictly better than what prediction propagation was doing before.
        
        This can be an enormous win. This patch adds some simple microbenchmarks that demonstrate the
        problem of assuming that arithmetic on objects returns double. The most extreme of these speeds
        up 8x with this change (object-int-add-array).
        
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::hasExitSite):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::FrequentExitSite::dump):
        (JSC::DFG::ExitProfile::ExitProfile):
        (JSC::DFG::ExitProfile::~ExitProfile):
        (JSC::DFG::ExitProfile::add):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::FrequentExitSite::isHashTableDeletedValue):
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
        (JSC::MethodOfGettingAValueProfile::emitReportValue):
        (JSC::MethodOfGettingAValueProfile::getSpecFailBucket): Deleted.
        * bytecode/MethodOfGettingAValueProfile.h:
        (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
        (JSC::MethodOfGettingAValueProfile::operator bool):
        (JSC::MethodOfGettingAValueProfile::operator!): Deleted.
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ValueProfile.cpp:
        (JSC::ResultProfile::emitDetectBitsLight):
        (JSC::ResultProfile::emitSetDouble):
        (JSC::ResultProfile::emitSetNonNumber):
        (WTF::printInternal):
        * bytecode/ValueProfile.h:
        (JSC::ResultProfile::ResultProfile):
        (JSC::ResultProfile::bytecodeOffset):
        (JSC::ResultProfile::specialFastPathCount):
        (JSC::ResultProfile::didObserveNonInt32):
        (JSC::ResultProfile::didObserveDouble):
        (JSC::ResultProfile::didObserveNonNegZeroDouble):
        (JSC::ResultProfile::didObserveNegZeroDouble):
        (JSC::ResultProfile::didObserveNonNumber):
        (JSC::ResultProfile::didObserveInt32Overflow):
        (JSC::ResultProfile::didObserveInt52Overflow):
        (JSC::ResultProfile::setObservedNonNegZeroDouble):
        (JSC::ResultProfile::setObservedNegZeroDouble):
        (JSC::ResultProfile::setObservedNonNumber):
        (JSC::ResultProfile::setObservedInt32Overflow):
        (JSC::ResultProfile::addressOfFlags):
        (JSC::ResultProfile::addressOfSpecialFastPathCount):
        (JSC::ResultProfile::detectBitsLight):
        (JSC::ResultProfile::hasBits):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::ensureNaturalLoops):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        (JSC::DFG::Graph::valueProfileFor): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasExitSite):
        (JSC::DFG::Graph::numBlocks):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::mayHaveNonIntResult):
        (JSC::DFG::Node::mayHaveDoubleResult):
        (JSC::DFG::Node::mayHaveNonNumberResult):
        (JSC::DFG::Node::hasConstantBuffer):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfEqual):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
        (JSC::AssemblyHelpers::branchIfBoolean):
        (JSC::AssemblyHelpers::branchIfEmpty):
        (JSC::AssemblyHelpers::branchStructure):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::CCallHelpers):
        (JSC::CCallHelpers::setupArguments):
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/IntrinsicEmitter.cpp:
        (JSC::AccessCase::emitIntrinsicGetter):
        * jit/JIT.h:
        * jit/JITAddGenerator.cpp:
        (JSC::JITAddGenerator::generateFastPath):
        * jit/JITAddGenerator.h:
        (JSC::JITAddGenerator::JITAddGenerator):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emit_op_div):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emit_op_sub):
        (JSC::JIT::emitSlow_op_sub):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::callOperationNoExceptionCheck):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITSubGenerator.cpp:
        (JSC::JITSubGenerator::generateFastPath):
        * jit/JITSubGenerator.h:
        (JSC::JITSubGenerator::JITSubGenerator):
        * jit/TagRegistersMode.cpp: Added.
        (WTF::printInternal):
        * jit/TagRegistersMode.h: Added.
        * runtime/CommonSlowPaths.cpp:
        (JSC::updateResultProfileForBinaryArithOp):

2016-05-09  Keith Miller  <keith_miller@apple.com>

        CallObjectConstructor should not call operationToThis in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=157492
        <rdar://problem/26149904>

        Reviewed by Mark Lam.

        At some point when I was working on intrinsifying the Object
        constructor, I realized that the Object constructor was different
        from the ToObject operation. I fixed the DFG but I guess I didn't
        fix the FTL.

        This patch fixes an issue with www.wunderground.com not loading
        the 10-day forecast and local map.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
        * tests/stress/call-object-constructor.js: Added.
        (test):
        (assert):

2016-05-09  Saam barati  <sbarati@apple.com>

        Getter and setter on super are called with wrong "this" object
        https://bugs.webkit.org/show_bug.cgi?id=147064
        <rdar://problem/21885916>

        Reviewed by Filip Pizlo.

        This patch implements calls to 'super' getters and setters.
        The problem before is we were passing the 'super' (i.e, the prototype
        object) as the this value to these getters/setters, which is wrong. 
        We should be passing the caller's this value.

        To implement this behavior, I've introduced four new opcodes and their corresponding DFG nodes:
        - op_get_by_id_with_this | GetByIdWithThis
        - op_put_by_id_with_this | PutByIdWithThis
        - op_get_by_val_with_this | GetByValWithThis
        - op_put_by_val_with_this | PutByValWithThis

        These are implemented with no optimizations. The future plan is 
        to unite them with the *by_id and *by_val opcodes and nodes:
        https://bugs.webkit.org/show_bug.cgi?id=157215

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::emitPutByVal):
        (JSC::BytecodeGenerator::emitDirectPutByVal):
        (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::ensureThis):
        (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::emitHomeObjectForCallee):
        (JSC::emitSuperBaseForCallee):
        (JSC::emitGetSuperFunctionForConstruct):
        (JSC::SuperNode::emitBytecode):
        (JSC::NewTargetNode::emitBytecode):
        (JSC::TaggedTemplateNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::AssignmentElementNode::bindValue):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::putWithThis):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::setupShadowChickenPacket):
        (JSC::CCallHelpers::setupFourStubArgsGPR):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        (JSC::CCallHelpers::setupThreeStubArgsGPR):
        (JSC::CCallHelpers::setupTwoStubArgsFPR):
        (JSC::CCallHelpers::setupStubArguments134):
        * jit/GPRInfo.h:
        (JSC::argumentRegisterFor): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_val_with_this):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_by_id_with_this):
        (JSC::JIT::emit_op_get_by_val_with_this):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_put_by_id_with_this):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_get_by_id_with_this):
        (JSC::JIT::emit_op_get_by_val_with_this):
        (JSC::JIT::emit_op_put_by_id_with_this):
        (JSC::JIT::emit_op_put_by_val_with_this):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * tests/stress/super-property-access-exceptions.js: Added.
        (assert):
        (test):
        (test.fooProp):
        (test.A.prototype.get foo):
        (test.A.prototype.get x):
        (test.A):
        (test.B):
        (test.B.prototype.bar):
        (test.B.prototype.baz):
        (test.foo):
        (test.func):
        (test.A.prototype.set foo):
        * tests/stress/super-property-access-tdz.js: Added.
        (assert):
        (test):
        (shouldThrowTDZ):
        (test.A.prototype.get foo):
        (test.A.prototype.set foo):
        (test.A):
        (test.fooProp):
        (test.B):
        (test.C):
        (test.D):
        (test.E):
        (test.F):
        * tests/stress/super-property-access.js: Added.
        (assert):
        (test):
        (func):
        (test.A):
        (test.A.prototype.set value):
        (test.A.prototype.get value):
        (test.B.prototype.set value):
        (test.B.prototype.get value):
        (test.B):
        (test.value):
        (test.A.prototype.get func):
        (test.B.prototype.inc):
        (test.B.prototype.dec):
        (test.B.prototype.preInc):
        (test.B.prototype.preDec):
        (test.B.prototype.plusEq):
        (test.B.prototype.minusEq):
        (test.B.prototype.timesEq):
        (test.B.prototype.divEq):
        (test.B.prototype.funcDot):
        (test.B.prototype.funcBracket):
        (test.foo):
        (test.B.prototype.baz):
        (test.B.prototype.jaz):
        (test.B.prototype.bar):
        (test.B.prototype.index):
        (test.):
        (test.prototype.bar):
        (test.A.prototype.set foo):
        (test.A.prototype.get array):
        (test.A.prototype.get foo):
        (test.obj):
        (test.A.prototype.get call):
        (test.A.prototype.get apply):
        (test.B.prototype.foo):
        (test.A.prototype.get i):

2016-05-08  Chris Dumez  <cdumez@apple.com>

        [COCOA] Disable HAVE_DTRACE at build time
        https://bugs.webkit.org/show_bug.cgi?id=157433
        <rdar://problem/26148841>

        Reviewed by Mark Lam.

        Drop DTRACE-related code from JSC since it is very old and seems
        unused.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * PlatformMac.cmake:
        * heap/Heap.cpp:
        (JSC::Heap::collectImpl): Deleted.
        (JSC::Heap::didFinishCollection): Deleted.
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::willExecute): Deleted.
        (JSC::ProfileGenerator::didExecute): Deleted.
        * runtime/Tracing.d: Removed.
        * runtime/Tracing.h: Removed.

2016-05-07  Mark Lam  <mark.lam@apple.com>

        Add JSC options bytecodeRangeToJITCompile and jitWhitelist.
        https://bugs.webkit.org/show_bug.cgi?id=157428

        Reviewed by Michael Saboff.

        1. Added Options::bytecodeRangeToJITCompile and Options::jitWhitelist options.

        2. Moved DFGFunctionWhitelist* to FunctionWhitelist* and made it generic so that
           it can be used for more than one whitelist instance.  In this case, we now have
           two: the dfgWhitelist and the jitWhitelist.

        3. Added "can compile" checks in LLInt::shouldJIT() to check
           Options::bytecodeRangeToJITCompile and Options::jitWhitelist.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::getNumCompilations):
        (JSC::DFG::ensureGlobalDFGWhitelist):
        (JSC::DFG::compileImpl):
        * dfg/DFGFunctionWhitelist.cpp: Removed.
        * dfg/DFGFunctionWhitelist.h: Removed.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::ensureGlobalJITWhitelist):
        (JSC::LLInt::shouldJIT):

        * runtime/Options.h:

        * tools/FunctionWhitelist.cpp: Copied from Source/JavaScriptCore/dfg/DFGFunctionWhitelist.cpp.
        (JSC::FunctionWhitelist::FunctionWhitelist):
        (JSC::FunctionWhitelist::contains):
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist): Deleted.
        (JSC::DFG::FunctionWhitelist::FunctionWhitelist): Deleted.
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile): Deleted.
        (JSC::DFG::FunctionWhitelist::contains): Deleted.
        * tools/FunctionWhitelist.h: Copied from Source/JavaScriptCore/dfg/DFGFunctionWhitelist.h.

2016-05-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC][32bit] stress/tagged-templates-template-object.js fails in debug
        https://bugs.webkit.org/show_bug.cgi?id=157436

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        The node OverridesHasInstance had a speculation after a jump.

2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Misc CommandLineAPI cleanup
        https://bugs.webkit.org/show_bug.cgi?id=157450

        Reviewed by Ryosuke Niwa.

        * inspector/InjectedScriptSource.js:
        (BasicCommandLineAPI):
        Fix mistake in r200533, and modernize related code.

2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve console.count()
        https://bugs.webkit.org/show_bug.cgi?id=157439
        <rdar://problem/26152654>

        Reviewed by Timothy Hatcher.

          - make console.count() increment an unnamed global counter.
          - make console.count(label) increment a counter with that label name.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::count):

2016-05-06  Simon Fraser  <simon.fraser@apple.com>

        Enable IOS_TEXT_AUTOSIZING on Mac and make it testable
        https://bugs.webkit.org/show_bug.cgi?id=157432
        rdar://problem/16406720

        Reviewed by Dean Jackson.

        Enable IOS_TEXT_AUTOSIZING on Mac so it can be tested.

        * Configurations/FeatureDefines.xcconfig:

2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Console: Variables defined with let/const aren't accessible outside of console's scope
        https://bugs.webkit.org/show_bug.cgi?id=150752
        <rdar://problem/23343385>

        Reviewed by Mark Lam.

        This approach allows Web Inspector to hang a "Scope Extension", a
        WithObjectScope, off the GlobalObject. When resolving identifiers
        in fails to resolve anything in the normal scope chain, consult
        the scope extension.

        This allows us to eliminate the `with (commandLineAPI) { ... }`
        block in global console evaluations, and instead makes it a full
        program evaluation, with the commandLineAPI available and safely
        shadowed by actual variables as expected.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._evaluateOn):
        Use the new evaluateWithScopeExtension and provide the CommandLineAPI
        object as the scope extension object.

        (BasicCommandLineAPI):
        (BasicCommandLineAPI.inScopeVariables): Deleted.
        Simplify now that we don't need to check for variable shadowing ourselves.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
        Provide a new InjectedScriptHost method to evaluate a program
        with a scope extension.

        * runtime/Completion.cpp:
        (JSC::evaluateWithScopeExtension):
        * runtime/Completion.h:
        General JSC::evaluate function to evaluate a program with a scope extension.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setGlobalScopeExtension):
        (JSC::JSGlobalObject::clearGlobalScopeExtension):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::globalScopeExtension):
        Hang a scope extension off the global object.

        * runtime/JSScope.cpp:
        (JSC::JSScope::resolve):
        Consult the scope extension when resolve fails to find anything normally.

2016-05-06  Mark Lam  <mark.lam@apple.com>

        Add JSC options reportBaselineCompileTimes and reportDFGCompileTimes.
        https://bugs.webkit.org/show_bug.cgi?id=157427

        Reviewed by Filip Pizlo and Keith Miller.

        The compile times reporting options are now:
            reportCompileTimes         -> report compile times in all tiers.
            reportBaselineCompileTimes -> report compile times in baseline JIT.
            reportDFGCompileTimes      -> report compile times in DFG and FTL.
            reportFTLCompileTimes      -> report compile times in FTL.

        Also updated reportTotalCompileTimes() to collect stats that include the baseline
        JIT.  compileTimeStats() is now moved into JIT.cpp (from DFGPlan.cpp). 

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::reportCompileTimes):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::compileTimeStats): Deleted.
        * dfg/DFGPlan.h:
        (JSC::DFG::Plan::compileTimeStats): Deleted.
        * jit/JIT.cpp:
        (JSC::ctiPatchCallByReturnAddress):
        (JSC::JIT::privateCompile):
        (JSC::JIT::stackPointerOffsetFor):
        (JSC::JIT::reportCompileTimes):
        (JSC::JIT::computeCompileTimes):
        (JSC::JIT::compileTimeStats):
        * jit/JIT.h:
        (JSC::JIT::shouldEmitProfiling):
        * jsc.cpp:
        (runJSC):
        * runtime/Options.h:

2016-05-05  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Get rid of NonNegZeroDouble, it is broken
        https://bugs.webkit.org/show_bug.cgi?id=157399
        rdar://problem/25339647

        Reviewed by Mark Lam.

        The profile "NonNegZeroDouble" is fundamentally broken.

        It is used by DFG to predict the result of ArithMul as being a Double
        or Int32.
        The problem is you are likely to mispredict, and when you do, you are
        guaranteed to end up in a recompile loop.

        The compile loops usually happen like this:
        -We speculate you have Int32 despite producing doubles.
        -We OSR exit on another node (ValueToInt32 for example) from the result of this ArithMul.
        -When we compile this block again, ArithMul will do the same misprediction
         because it unconditionally predicts Int32.

        The flag NonNegZeroDouble was very unlikely to be set correctly
        in the first place.

        In LLINT, the flag is only set on the slow path.
        Since double*double is on the fast path, those cases are ignored.

        In Baseline, the flag is set for any case that falls back on double
        multiplication. BUT, the DFG flag was only set for nodes that spend
        many iteration in slow path, which obviously does not apply to double*double.

        Given the perf drawbacks and the recompile loops, I removed
        the whole flag for now.

        * bytecode/ValueProfile.cpp:
        (WTF::printInternal):
        * bytecode/ValueProfile.h:
        (JSC::ResultProfile::didObserveNonInt32): Deleted.
        (JSC::ResultProfile::didObserveDouble): Deleted.
        (JSC::ResultProfile::didObserveNonNegZeroDouble): Deleted.
        (JSC::ResultProfile::setObservedNonNegZeroDouble): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::mayHaveNonIntResult): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags): Deleted.
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath): Deleted.
        * runtime/CommonSlowPaths.cpp:
        (JSC::updateResultProfileForBinaryArithOp): Deleted.

2016-05-05  Joseph Pecoraro  <pecoraro@apple.com>

        REGRESSION(r200422): Web Inspector: Make new Array Iterator objects play nice with Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=157361
        <rdar://problem/26099793>

        Reviewed by Timothy Hatcher.

        * builtins/ArrayPrototype.js:
        (createArrayIterator):
        (values):
        (keys):
        (entries):
        * builtins/TypedArrayPrototype.js:
        (values):
        (keys):
        (entries):
        * runtime/CommonIdentifiers.h:
        Set the kind on the iterator object, that can be shown
        to the inspector if the object is shown in the console.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._describe):
        Get a better name for the new Array Iterator which is just an Object.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        Detect and handle ArrayIterator object instances. Porting the code
        from the JSArrayIterator code path.

2016-05-05  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] In DFG, an OSR Exit on SetLocal can trash its child node
        https://bugs.webkit.org/show_bug.cgi?id=157358
        rdar://problem/25339647

        Reviewed by Filip Pizlo.

        When we OSR Exit on SetLocal, the child is never restored if its representation
        was changed since the MovHint.

        For example, say we have:
            @1 = SomethingProducingDouble()
            @2 = MovHint(@1)
            @3 = ValueRep(@1)
            @4 = SetLocal(@3, FlushedInt32)

        When we lower SetLocal(), we start by speculating that @3 is an Int32.
        Now this can fail if @1 was really a double.
        When that happens, we go over the VariableEventStream to find where values
        are, and @1 died at @3. Since the speculation failure happens before
        the SetLocal event, we don't do anything with @3.

        In this patch, I extend the PhantomInsertion phase to keep the MovHint
        alive past the SetLocal.

        * dfg/DFGPhantomInsertionPhase.cpp:
        * tests/stress/multiply-typed-double-and-object.js: Added.
        (otherObject.valueOf):
        (targetDFG.multiply):
        (targetFTL.multiply):

2016-05-05  Oliver Hunt  <oliver@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720

        Reviewed by Geoffrey Garen.

        We've fixed the xnu side of things, so we can reland this.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-05-05  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: Better CommandLineAPI in JSContext inspection
        https://bugs.webkit.org/show_bug.cgi?id=157387
        <rdar://problem/22630583>

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._evaluateOn):
        (BasicCommandLineAPI.inScopeVariables):
        (BasicCommandLineAPI):
        When creating a BasicCommandLineAPI, pass the call frame so
        that we don't shadow variables in the callstack.

        (BasicCommandLineAPI.methods):
        (clear):
        (table):
        (profile):
        (profileEnd):
        (keys):
        (values):
        Some just pass through to console, others are tiny methods.
        Implement them, and give them the expected toString string.

2016-05-05  Filip Pizlo  <fpizlo@apple.com>

        Reduce maximum JIT pool size on X86_64.

        Rubber stamped by Geoffrey Garen.
        
        This changes our maximum pool size to 100MB. The problem with letting a page allocate much
        more than this is that we will sometimes call deleteAllCode() or one of its friends. Deleting
        a huge amount of memory is expensive in our allocator.
        
        So long as we allow for such large-scale code death to happen, and so long as it's expensive,
        we should bound the amount of code we end up with in the first place.
        
        In the long run, we should fix our executable allocator so that it's not so expensive to kill
        all code.
        
        * jit/ExecutableAllocator.h:

2016-05-05  Filip Pizlo  <fpizlo@apple.com>

        Reduce thresholds that control the maximum IC stub size.

        Rubber stamped by Chris Dumez and Benjamin Poulain.
        
        This reduces the thresholds to before the megamorphic load optimizations to see if that
        recovers a PLT regression.

        * runtime/Options.h:

2016-05-05  Filip Pizlo  <fpizlo@apple.com>

        We shouldn't crash if DFG AI proved that something was unreachable on one run but then decided not to prove it on another run
        https://bugs.webkit.org/show_bug.cgi?id=157379

        Reviewed by Mark Lam.
        
        Any run of DFG AI is a fixpoint that loosens the proof until it can't find any more
        counterexamples to the proof.  It errs on the side of loosening proofs, i.e., on the side of
        proving fewer things.

        We run this fixpoint multiple times since there are multiple points in the DFG optimization
        pipeline when we run DFG AI.  Each of those runs completes a fixpoint and produces the
        tightest proof it can that did not result in counterexamples being found.

        It's possible that on run K of DFG AI, we prove some property, but on run K+1, we don't prove
        that property. The code could have changed between the two runs due to other phases. Other
        phases may modify the code in such a way that it's less amenable to AI's analysis. Our design
        allows this because DFG AI is not 100% precise. It defends itself from making unsound choices
        or running forever by sometimes punting on proving some property. It must be able to do this,
        and so therefore, it might sometimes prove fewer things on a later run.

        Currently in trunk if the property that AI proves on run K but fails to prove on run K+1 is
        the reachability of a piece of code, then run K+1 will crash on an assertion at the
        Unreachable node. It will complain that it reached an Unreachable. But it might be reaching
        that Unreachable because it failed to prove that something earlier was always exiting. That's
        OK, see above.

        So, we should remove the assertion that AI doesn't see Unreachable.
        
        No new tests because I don't know how to make this happen. I believe that this happens in the
        wild based on crash logs.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2016-05-05  Joseph Pecoraro  <pecoraro@apple.com>

        Crash if you type "debugger" in the console and continue
        https://bugs.webkit.org/show_bug.cgi?id=156924
        <rdar://problem/25884189>

        Reviewed by Mark Lam.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        Bail with an error when we are not paused.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):
        (Inspector::InspectorRuntimeAgent::saveResult):
        Update poor error message.

2016-05-05  Keith Miller  <keith_miller@apple.com>

        Add support for delete by value to the DFG
        https://bugs.webkit.org/show_bug.cgi?id=157372

        Reviewed by Filip Pizlo.

        This patch adds basic support for delete by value to the DFG. delete by value
        just calls out to a C++ operation on each execution. Additionally, this patch
        fixes an issue with delete by id where we would crash if the base was null
        or undefined.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDeleteById):
        (JSC::DFG::SpeculativeJIT::compileDeleteByVal):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_del_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_del_by_val):
        * tests/stress/delete-by-val.js: Added.
        (assert):
        (test):
        * tests/stress/delete-to-object-exception.js: Added.
        (assert):
        (test):

2016-05-05  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix after change set r200447.

        Made the detection of clang version XCode build specific.
        Now shouldEnableDebugAnnotations() should return false for all other build types.

        * offlineasm/config.rb:

2016-05-05  Joseph Pecoraro  <pecoraro@apple.com>

        Create console object lazily
        https://bugs.webkit.org/show_bug.cgi?id=157328

        Reviewed by Geoffrey Garen.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::createConsoleProperty):
        (JSC::JSGlobalObject::init): Deleted.

2016-05-04  Michael Saboff  <msaboff@apple.com>

        Enable Dwarf2 debug information in offline assembler for clang compiler
        https://bugs.webkit.org/show_bug.cgi?id=157364.

        Reviewed by Mark Lam.

        Added a new function shouldEnableDebugAnnotations() that determines if
        we are using clang and a new enough version to support the debug annotations.

        * offlineasm/config.rb:
        (shouldEnableDebugAnnotations): Added.

2016-05-04  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix test for new ArrayIteratorPrototype.next() error message.

        * tests/stress/array-iterators-next-with-call.js:

2016-05-04  Filip Pizlo  <fpizlo@apple.com>

        Speed up JSGlobalObject initialization by making some properties lazy
        https://bugs.webkit.org/show_bug.cgi?id=157045

        Reviewed by Keith Miller.
        
        This makes about half of JSGlobalObject's state lazy. There are three categories of
        state in JSGlobalObject:
        
        1) C++ fields in JSGlobalObject.
        2) JS object properties in JSGlobalObject's JSObject superclass.
        3) JS variables in JSGlobalObject's JSSegmentedVariableObject superclass.
        
        State held in JS variables cannot yet be made lazy. That's why this patch only goes
        half-way.
        
        State in JS object properties can be made lazy if we move it to the static property
        hashtable. JSGlobalObject already had one of those. This patch makes static property
        hashtables a lot more powerful, by adding three new kinds of static properties. These
        new kinds allow us to make almost all of JSGlobalObject's object properties lazy.
        
        State in C++ fields can now be made lazy thanks in part to WTF's support for stateless
        lambdas. You can of course make anything lazy by hand, but there are many C++ fields in
        JSGlobalObject and we are adding more all the time. We don't want to require that each
        of these has a getter with an initialization check and a corresponding out-of-line slow
        path that does the initialization. We want this kind of boilerplate to be handled by
        some abstractions.
        
        The primary abstraction introduced in this patch is LazyProperty<Type>. Currently, this
        only works where Type is a subclass of JSCell. Such a property holds a pointer to Type.
        You can use it like you would a WriteBarrier<Type>. It even has set() and get() methods,
        so it's almost a drop-in replacement.
        
        The key to LazyProperty<Type>'s power is that you can do this:
        
            class Bar {
                ...
                LazyProperty<Foo> m_foo;
            };
            ...
            m_foo.initLater(
                [] (const LazyProperty<Foo>::Initializer<Bar>& init) {
                    init.set(Foo::create(init.vm, init.owner));
                });
        
        This initLater() call requires that you pass a stateless lambda (see WTF changelog for
        the definition). Miraculously, this initLater() call is guaranteed to compile to a store
        of a pointer constant to m_foo, as in:
        
            movabsq 0xBLAH, %rax
            movq %rax, &m_foo
        
        This magical pointer constant points to a callback that was generated by the template
        instantiation of initLater(). That callback knows to call your stateless lambda, but
        also does some other bookkeeping: it makes sure that you indeed initialized the property
        inside the callback and it manages recursive initializations. It's totally legal to call
        m_foo.get() inside the initLater() callback. If you do that before you call init.set(),
        m_foo.get() will return null. This is an excellent escape hatch if we ever find
        ourselves in a dependency cycle. I added this feature because I already had to create a
        dependency cycle.
        
        Note that using LazyProperties from DFG threads is super awkward. It's going to be hard
        to get this right. The DFG thread cannot initialize those fields, so it has to make sure
        that it does conservative things. But for some nodes this could mean adding a lot of new
        logic, like NewTypedArray, which currently is written in such a way that it assumes that
        we always have the typed array structure. Currently we take a two-fold approach: for
        typed arrays we don't handle the NewTypedArray intrinsic if the structure isn't
        initialized, and for everything else we don't make the properties lazy if the DFG needs
        them. As we optimize this further we might need to teach the DFG to handle more lazy
        properties. I tried to do this for RegExp but found it to be very confusing. With typed
        arrays I got lucky.
        
        There is also a somewhat more powerful construct called LazyClassStructure. We often
        need to keep around the structure of some standard JS class, like Date. We also need to
        make sure that the constructor ends up in the global object's property table. And we
        often need to keep the original value of the constructor for ourselves. In this case, we
        want to make sure that the creation of the structure-prototype-constructor constellation
        is atomic. We don't want code to start looking at the structure if it points to a
        prototype that doesn't have its "constructor" property set yet, for example.
        LazyClassStructure solves this by abstracting that whole initialization. You provide the
        callback that allocates everything, since we are super inconsistent about the way we
        initialize things, but LazyClassStructure establishes the workflow and helps you not
        mess up.
        
        Finally, the new static hashtable attributes allow for all of this to work with the JS
        property table:
        
        PropertyCallback: if you use this attribute, the second column in the table should be
        the name of a function to call to initialize this property. This is useful for things
        like the Math property. The Math object turns out to be very expensive to allocate.
        Delaying its allocation is super easy with the PropertyCallback attribute.
        
        CellProperty: with this attribute the second column should be a C++ field name like
        JSGlobalObject::m_evalErrorConstructor. The static hashtable will grab the offset of
        this property, and when it needs to be initialized, Lookup will assume you have a
        LazyProperty<JSCell> and call its get() method. It will initialize the property to
        whatever get() returned. Note that it's legal to cast a LazyProperty<Anything> to
        LazyProperty<JSCell> for the purpose of calling get() because the get() method will just
        call whatever callback function pointer is encoded in the property and it does not need
        to know anything about what type that callback will instantiate.
        
        ClassStructure: with this attribute the second column should be a C++ field name. The
        static hashtable will initialize the property by treating the field as a
        LazyClassStructure and it will call get(). LazyClassStructure completely owns the whole
        initialization workflow, so Lookup assumes that when LazyClassStructure::get() returns,
        the property in question will already be set. By convention, we have LazyClassStructure
        initialize the property with a pointer to the constructor, since that's how all of our
        classes work: "globalObject.Date" points to the DateConstructor.
        
        This is a 2x speed-up in JSGlobalObject initialization time in a microbenchmark that
        calls our C API. This is a 1% speed-up on SunSpider and JSRegress.
        
        Rolling this back in after fixing the function pointer alignment issue. The last version
        relied on function pointers being aligned to a 4-byte boundary. We cannot rely on this,
        especially since ARMv7 uses the low bit of function pointers as a tag to indicate the
        instruction set. This version adds an extra indirection, so that
        LazyProperty<>::m_pointer points to a pointer that points to the function. A pointer to
        a pointer is guaranteed to be at least 4-byte aligned.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::create):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::create):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * create_hash_table:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::DebuggerScope):
        * debugger/DebuggerScope.h:
        (JSC::DebuggerScope::jsScope):
        (JSC::DebuggerScope::create): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::visitChildren):
        (JSC::InternalFunction::name):
        (JSC::InternalFunction::calculatedDisplayName):
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/InternalFunction.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundSlotBaseFunction.cpp:
        (JSC::JSBoundSlotBaseFunction::create):
        * runtime/JSFunction.cpp:
        (JSC::retrieveCallerFunction):
        (JSC::getThrowTypeErrorGetterSetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGlobalObject.cpp:
        (JSC::createProxyProperty):
        (JSC::createJSONProperty):
        (JSC::createMathProperty):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        (JSC::JSGlobalObject::resetPrototype):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::toThis):
        (JSC::JSGlobalObject::getOwnPropertySlot):
        (JSC::JSGlobalObject::createThrowTypeError): Deleted.
        (JSC::JSGlobalObject::createThrowTypeErrorArgumentsAndCaller): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectConstructor):
        (JSC::JSGlobalObject::promiseConstructor):
        (JSC::JSGlobalObject::internalPromiseConstructor):
        (JSC::JSGlobalObject::evalErrorConstructor):
        (JSC::JSGlobalObject::rangeErrorConstructor):
        (JSC::JSGlobalObject::referenceErrorConstructor):
        (JSC::JSGlobalObject::syntaxErrorConstructor):
        (JSC::JSGlobalObject::typeErrorConstructor):
        (JSC::JSGlobalObject::URIErrorConstructor):
        (JSC::JSGlobalObject::nullGetterFunction):
        (JSC::JSGlobalObject::nullSetterFunction):
        (JSC::JSGlobalObject::callFunction):
        (JSC::JSGlobalObject::applyFunction):
        (JSC::JSGlobalObject::definePropertyFunction):
        (JSC::JSGlobalObject::arrayProtoValuesFunction):
        (JSC::JSGlobalObject::initializePromiseFunction):
        (JSC::JSGlobalObject::newPromiseCapabilityFunction):
        (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
        (JSC::JSGlobalObject::regExpProtoExecFunction):
        (JSC::JSGlobalObject::regExpProtoSymbolReplaceFunction):
        (JSC::JSGlobalObject::regExpProtoGlobalGetter):
        (JSC::JSGlobalObject::regExpProtoUnicodeGetter):
        (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
        (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerGetterSetter):
        (JSC::JSGlobalObject::moduleLoader):
        (JSC::JSGlobalObject::objectPrototype):
        (JSC::JSGlobalObject::functionPrototype):
        (JSC::JSGlobalObject::arrayPrototype):
        (JSC::JSGlobalObject::booleanPrototype):
        (JSC::JSGlobalObject::stringPrototype):
        (JSC::JSGlobalObject::symbolPrototype):
        (JSC::JSGlobalObject::numberPrototype):
        (JSC::JSGlobalObject::datePrototype):
        (JSC::JSGlobalObject::regExpPrototype):
        (JSC::JSGlobalObject::errorPrototype):
        (JSC::JSGlobalObject::iteratorPrototype):
        (JSC::JSGlobalObject::generatorFunctionPrototype):
        (JSC::JSGlobalObject::generatorPrototype):
        (JSC::JSGlobalObject::debuggerScopeStructure):
        (JSC::JSGlobalObject::withScopeStructure):
        (JSC::JSGlobalObject::strictEvalActivationStructure):
        (JSC::JSGlobalObject::activationStructure):
        (JSC::JSGlobalObject::moduleEnvironmentStructure):
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::clonedArgumentsStructure):
        (JSC::JSGlobalObject::isOriginalArrayStructure):
        (JSC::JSGlobalObject::booleanObjectStructure):
        (JSC::JSGlobalObject::callbackConstructorStructure):
        (JSC::JSGlobalObject::callbackFunctionStructure):
        (JSC::JSGlobalObject::callbackObjectStructure):
        (JSC::JSGlobalObject::propertyNameIteratorStructure):
        (JSC::JSGlobalObject::objcCallbackFunctionStructure):
        (JSC::JSGlobalObject::objcWrapperObjectStructure):
        (JSC::JSGlobalObject::dateStructure):
        (JSC::JSGlobalObject::nullPrototypeObjectStructure):
        (JSC::JSGlobalObject::errorStructure):
        (JSC::JSGlobalObject::calleeStructure):
        (JSC::JSGlobalObject::functionStructure):
        (JSC::JSGlobalObject::boundFunctionStructure):
        (JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
        (JSC::JSGlobalObject::getterSetterStructure):
        (JSC::JSGlobalObject::nativeStdFunctionStructure):
        (JSC::JSGlobalObject::namedFunctionStructure):
        (JSC::JSGlobalObject::functionNameOffset):
        (JSC::JSGlobalObject::numberObjectStructure):
        (JSC::JSGlobalObject::privateNameStructure):
        (JSC::JSGlobalObject::mapStructure):
        (JSC::JSGlobalObject::regExpStructure):
        (JSC::JSGlobalObject::generatorFunctionStructure):
        (JSC::JSGlobalObject::setStructure):
        (JSC::JSGlobalObject::stringObjectStructure):
        (JSC::JSGlobalObject::symbolObjectStructure):
        (JSC::JSGlobalObject::iteratorResultObjectStructure):
        (JSC::JSGlobalObject::lazyTypedArrayStructure):
        (JSC::JSGlobalObject::typedArrayStructure):
        (JSC::JSGlobalObject::typedArrayStructureConcurrently):
        (JSC::JSGlobalObject::isOriginalTypedArrayStructure):
        (JSC::JSGlobalObject::typedArrayConstructor):
        (JSC::JSGlobalObject::actualPointerFor):
        (JSC::JSGlobalObject::internalFunctionStructure): Deleted.
        * runtime/JSNativeStdFunction.cpp:
        (JSC::JSNativeStdFunction::create):
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::create):
        (JSC::JSWithScope::visitChildren):
        (JSC::JSWithScope::createStructure):
        (JSC::JSWithScope::JSWithScope):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::object):
        (JSC::JSWithScope::create): Deleted.
        (JSC::JSWithScope::createStructure): Deleted.
        (JSC::JSWithScope::JSWithScope): Deleted.
        * runtime/LazyClassStructure.cpp: Added.
        (JSC::LazyClassStructure::Initializer::Initializer):
        (JSC::LazyClassStructure::Initializer::setPrototype):
        (JSC::LazyClassStructure::Initializer::setStructure):
        (JSC::LazyClassStructure::Initializer::setConstructor):
        (JSC::LazyClassStructure::visit):
        (JSC::LazyClassStructure::dump):
        * runtime/LazyClassStructure.h: Added.
        (JSC::LazyClassStructure::LazyClassStructure):
        (JSC::LazyClassStructure::get):
        (JSC::LazyClassStructure::prototype):
        (JSC::LazyClassStructure::constructor):
        (JSC::LazyClassStructure::getConcurrently):
        (JSC::LazyClassStructure::prototypeConcurrently):
        (JSC::LazyClassStructure::constructorConcurrently):
        * runtime/LazyClassStructureInlines.h: Added.
        (JSC::LazyClassStructure::initLater):
        * runtime/LazyProperty.h: Added.
        (JSC::LazyProperty::Initializer::Initializer):
        (JSC::LazyProperty::LazyProperty):
        (JSC::LazyProperty::get):
        (JSC::LazyProperty::getConcurrently):
        * runtime/LazyPropertyInlines.h: Added.
        (JSC::ElementType>::Initializer::set):
        (JSC::ElementType>::initLater):
        (JSC::ElementType>::setMayBeNull):
        (JSC::ElementType>::set):
        (JSC::ElementType>::visit):
        (JSC::ElementType>::dump):
        (JSC::ElementType>::callFunc):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::accessorGetter):
        (JSC::HashTableValue::accessorSetter):
        (JSC::HashTableValue::constantInteger):
        (JSC::HashTableValue::lexerValue):
        (JSC::HashTableValue::lazyCellPropertyOffset):
        (JSC::HashTableValue::lazyClassStructureOffset):
        (JSC::HashTableValue::lazyPropertyCallback):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::reifyStaticProperty):
        * runtime/PropertySlot.h:
        * runtime/TypedArrayType.h:

2016-05-04  Joseph Pecoraro  <pecoraro@apple.com>

        Improve the grammar of some error messages 'a argument list' => 'an argument list'
        https://bugs.webkit.org/show_bug.cgi?id=157350
        <rdar://problem/26082108>

        Reviewed by Mark Lam.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseImportDeclaration):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseArguments):
        Use the alternate error message formatter macro which outputs 'an'
        instead of 'a' preceding the last argument.

2016-05-04  Keith Miller  <keith_miller@apple.com>

        Corrections to r200422
        https://bugs.webkit.org/show_bug.cgi?id=157351

        Reviewed by Joseph Pecoraro.

        Fix some typos in various files. Also, make separate error messages
        for the this value being undefined vs null in the ArrayIteratorprototype
        next function and add test.

        * Scripts/builtins/builtins_model.py:
        * builtins/ArrayIteratorPrototype.js:
        (next):
        (arrayIteratorValueNext):
        (arrayIteratorKeyNext):
        (arrayIteratorKeyValueNext):
        * builtins/ArrayPrototype.js:
        (keys):
        (entries):
        * builtins/TypedArrayPrototype.js:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Deleted.
        * tests/stress/array-iterators-next-error-messages.js: Added.
        (assert):
        (catch):

2016-05-04  Keith Miller  <keith_miller@apple.com>

        Unreviewed, reland r200149 since the rollout had inconclusive PLT AB testing results.

2016-05-04  Mark Lam  <mark.lam@apple.com>

        ES6 Function.name inferred from property names of literal objects can break some websites.
        https://bugs.webkit.org/show_bug.cgi?id=157246

        Reviewed by Geoffrey Garen.

        Specifically, the library mathjs (see http://mathjs.org and https://github.com/josdejong/mathjs)
        uses an idiom where it created literal objects with property names that look like
        this: 'number | BigNumber | Unit'.  Later, this name is used in a string to create
        function source code that gets eval'ed.  Since 'number | BigNumber | Unit' is not
        a valid function name, we get a syntax error.

        Here are the details:

        1. mathjs uses object literals with the funky property names for its function members.
           For example, 

              // helper function to type check the middle value of the array
              var middle = typed({
                'number | BigNumber | Unit': function (value) {
                  return value;
                }
              });

        2. mathjs' getName() uses Function.name to get the name of functions (hence, picks
           up the property name as inferred value of Function.name as specified by ES6):

                /**
                 * Retrieve the function name from a set of functions, and check
                 * whether the name of all functions match (if given)
                 ...
                 */
                function getName (fns) {
                  var name = '';

                  for (var i = 0; i < fns.length; i++) {
                    var fn = fns[i];
                    ...
                        name = fn.name;
                    ...
                  return name;
                }

        3. mathjs uses that name to assembler new function source code that gets eval'ed:

                /**
                 * Compose a function from sub-functions each handling a single type signature.
                 ...
                 */
                function _typed(name, signatures) {
                  ...
                  // generate code for the typed function
                  var code = [];
                  var _name = name || '';
                  ...
                  code.push('function ' + _name + '(' + _args.join(', ') + ') {');
                  code.push('  "use strict";');
                  code.push('  var name = \'' + _name + '\';');
                  code.push(node.toCode(refs, '  '));
                  code.push('}');

                  // generate body for the factory function
                  var body = [
                    refs.toCode(),
                    'return ' + code.join('\n')
                  ].join('\n');

                  // evaluate the JavaScript code and attach function references
                  var factory = (new Function(refs.name, 'createError', body));  // <== Syntax Error here!
                  var fn = factory(refs, createError);
                  ...
                  return fn;
                }

        Until mathjs (and any other frameworks that does similar things) and sites that
        uses mathjs has been updated to work with ES6, we'll need a compatibility hack to
        work around it.

        Here's what we'll do:
        1. Introduce a needsSiteSpecificQuirks flag in JSGlobalObject.
        2. Have WebCore's JSDOMWindowBase set that flag if the browser's
           needsSiteSpecificQuirks is enabled in its settings.
        3. If needsSiteSpecificQuirks is enabled, have JSFunction::reifyName() check for
           ' ' or '|' in the name string it will use to reify the Function.name property.
           If those characters exists in the name, we'll replace the name string with a
           null string.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::reifyName):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::needsSiteSpecificQuirks):
        (JSC::JSGlobalObject::GlobalPropertyInfo::GlobalPropertyInfo):
        (JSC::JSGlobalObject::setNeedsSiteSpecificQuirks):

2016-05-04  Keith Miller  <keith_miller@apple.com>

        Speedup array iterators
        https://bugs.webkit.org/show_bug.cgi?id=157315

        Reviewed by Michael Saboff.

        This patch improves the performance of Array iterators in ES6. There are two main changes
        that make things faster. The first is that the value, keys and entries functions have been
        moved to JS. This enables us to inline the construction of the iterator. Thus, when we get
        to the FTL we are able to sink the allocation of the iterator object. This significantly
        improves the performance of any for-of loop since we are now able to have both the iteration
        counter and the iterated object in local variables rather than in the heap.

        Secondly, instead of using a number to store the iteratation kind we now use a virtual
        method on the iteration object to indicate which next function to use. This ends up being
        helpful because it means we can eliminate the branches in the old next function that decide
        what value to return. With those branches gone the various next functions are now small
        enough to inline. Once the next functions are inlined then the FTL is able to sink the
        allocation of next() result object. There is still room for optimization in the loop since
        we currently don't recognize that the array access in the next function is in bounds or that
        the increment to the loop counter cannot overflow.

        The overall performance changes appear to be a ~4-6x speedup in a simple microbenchmark that
        computes the sum of an array with some extra arithmetic. The variance depends on the exact
        body of the loop. Additionally, on a new regress test that changes all the loops in
        deltablue into for-of loops this patch is a 1.8x progression. Overall, it still looks like
        for-of loops are significantly slower than an indexed for loop. In the first test it's ~2-4x
        slower with the difference depending on the body of the loop. If the loop is just the sum
        then we see a much larger regression than if the loop does even simple arithmetic. It looks
        like the indexed for loop without extra arithmetic is small enough to fit into the x86
        replay buffer on my machine, which would explain why there is such a big difference between
        the for of loop in that case. On the deltablue benchmark it's 1.4x slower. It's clear from
        these numbers that there is still a lot of work we can do to make for of loops faster.

        This patch also makes some changes to the way that we decorate our builtin js
        functions. Instead of the old syntax (putting the decorated values in [] before the function
        declaration i.e. [intrinsic=foo]) this patch changes the syntax to be closer to the way that
        decorators are proposed in a future ECMAScript proposal (using @ followed by the entry on a
        new line before the function declaration i.e. @intrinsic=foo).

        Finally, in the builtin scripts regular expressions re.S has been changed to re.DOTALL since
        DOTALL is easier to understand without going to the reference page for python regular
        expressions.

        * Scripts/builtins/builtins_model.py:
        * builtins/ArrayIteratorPrototype.js:
        (next):
        (arrayIteratorValueNext):
        (arrayIteratorKeyNext):
        (arrayIteratorKeyValueNext):
        * builtins/ArrayPrototype.js:
        (createArrayIterator):
        (values):
        (keys):
        (entries):
        * builtins/RegExpPrototype.js:
        (intrinsic.RegExpTestIntrinsic.test):
        * builtins/StringPrototype.js:
        (intrinsic.StringPrototypeReplaceIntrinsic.replace):
        * builtins/TypedArrayPrototype.js:
        (values):
        (keys):
        (entries):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::cloneArrayIteratorObject):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * jit/ThunkGenerators.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncValues): Deleted.
        (JSC::arrayProtoFuncEntries): Deleted.
        (JSC::arrayProtoFuncKeys): Deleted.
        * runtime/CommonIdentifiers.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::clone): Deleted.
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncEntries): Deleted.
        (JSC::genericTypedArrayViewProtoFuncKeys): Deleted.
        (JSC::typedArrayViewProtoFuncValues): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        (JSC::typedArrayViewProtoFuncEntries): Deleted.
        (JSC::typedArrayViewProtoFuncKeys): Deleted.
        (JSC::typedArrayViewProtoFuncValues): Deleted.
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):

2016-05-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Object constructor need to be aware of new.target
        https://bugs.webkit.org/show_bug.cgi?id=157196

        Reviewed by Darin Adler.

        Object constructor should be aware of new.target.
        When the new.target is specified, we should store it.prototype to the newly created
        object's [[Prototype]].

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        Take the design that caches the structure used for empty object.
        This structure is also used in constructEmptyObject frequently.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectStructureForObjectConstructor):
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::constructWithObjectConstructor):
        (JSC::callObjectConstructor):
        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject):
        Construct the object by using the plain structure that is also used in the ObjectConstructor.

        * tests/stress/object-constructor-should-be-new-target-aware.js: Added.
        (shouldBe):
        (Hello):

2016-05-04  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r200383 and r200406.

        Seems to have caused crashes on iOS / ARMv7s

        Reverted changesets:

        "Speed up JSGlobalObject initialization by making some
        properties lazy"
        https://bugs.webkit.org/show_bug.cgi?id=157045
        http://trac.webkit.org/changeset/200383

        "REGRESSION(r200383): Setting lazily initialized properties
        across frame boundaries crashes"
        https://bugs.webkit.org/show_bug.cgi?id=157333
        http://trac.webkit.org/changeset/200406

2016-05-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Assertion failure for super() call in direct eval in method function
        https://bugs.webkit.org/show_bug.cgi?id=157091

        Reviewed by Darin Adler.

        While we ensure that direct super is under the correct context,
        we don't check it for the eval code. This patch moves the check from the end of parsing the function
        to the places where we found the direct super or the super bindings. This covers the direct eval that
        contains the direct super calls.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Scope::hasDirectSuper):
        (JSC::Scope::setHasDirectSuper):
        (JSC::Scope::needsSuperBinding):
        (JSC::Scope::setNeedsSuperBinding):
        (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
        * tests/stress/eval-and-super.js: Added.
        (shouldBe):
        (shouldThrow):
        (prototype.m):
        (prototype.n):
        * tests/stress/generator-and-super.js: Added.
        (testSyntaxError):
        (testSyntaxError.Base.prototype.hello):
        (testSyntaxError.Base.prototype.ok):
        (testSyntaxError.Base):
        (Hello.prototype.gen):
        (Hello):
        (testSyntaxError.hello):

2016-05-03  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes
        https://bugs.webkit.org/show_bug.cgi?id=157333

        Reviewed by Benjamin Poulain.
        
        I forgot to add logic for lazy properties in putEntry(). It turns out that it's easy to
        add.

        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PropertySlot.h:

2016-05-03  Filip Pizlo  <fpizlo@apple.com>

        References from code to Structures should be stronger than weak
        https://bugs.webkit.org/show_bug.cgi?id=157324

        Reviewed by Mark Lam.
        
        If code refers to a Structure and the Structure dies, then previously we'd kill the code. 
        This makes sense because the Structure could be the only thing left referring to some global
        object or prototype.

        But this also causes unnecessary churn. Sometimes there will be a structure that we just
        haven't really done anything with recently and so it appears dead. The approach we use
        elsewhere in our type inference is that the type that the code uses is general enough to
        handle every past execution. Having the GC clear code when some Structure it uses dies means
        that we forget that the code used that Structure. We'll either assume that the code is more
        monomorphic than it really is (because after GC we patch in some other structure but not the
        deleted one, so it looks like we only ever saw the new structure), or we'll assume that it's
        crazier than it really is (because we'll remember that there had been some structure that
        caused deletion, so we'll assume that deletions might happen in the future, so we'll use a
        fully dynamic IC).

        This change introduces a more nuanced policy: if it's cheap to mark a dead Structure then we
        should mark it just so that all of the code that refers to it remembers that there had been
        this exact Structure in the past. If the code often goes through different Structures then
        we already have great mechanisms to realize that the code is nutty (namely, the
        PolymorphicAccess size limit). But if the code just does this a handful of times then
        remembering this old Structure is probably net good:

        - It obeys the "handle all past executions" law.
        - It preserves the history of the property access, allowing a precise measure of its past
          polymorphism.
        - It makes the code ready to run fast if the user decides to use that Structure again.
          Marking the Structure means it will stay in whatever property transition tables it was in,
          so if the program does the same thing it did in the past, it will get this old Structure.

        It looks like this is a progression in gbemu and it makes gbemu perform more
        deterministically. Also, it seems that this makes JetStream run faster.
        
        Over five in-browser runs of JetStream, here's what we see before and after:
        
        Geometric Mean:
            Before              After
            229.23 +- 8.2523    230.70 +- 12.888
            232.91 +- 15.638    239.04 +- 13.766
            234.79 +- 12.760    236.32 +- 15.562
            236.20 +- 23.125    242.02 +- 3.3865
            237.22 +- 2.1929    237.23 +- 17.664
        
        Just gbemu:
            Before              After
            541.0 +- 135.8      481.7 +- 143.4
            518.9 +- 15.65      508.1 +- 136.3
            362.5 +- 0.8884     489.7 +- 101.4
            470.7 +- 313.3      530.7 +- 11.49
            418.7 +- 180.6      537.2 +- 6.514
        
        Notice that there is plenty of noise before and after, but the noise is now far less severe.
        After this change I did not see any runs like "470.7 +- 313.3" where the size of the 
        confidence interval (313.3 * 2) is greater than the score (470.7). Also, notice that the
        least noisy run before the change also got a lower score than we ever observed after the
        change (36.5 +- 0.8884). The noise, and these occasional very low scores, are due to a
        pathology where the GC would reset some stubs at an unfortunate time during profiling,
        causing the optimizing compiler to make many poor decisions. That pathology doesn't exist
        anymore.
        
        On the other hand, prior to this change it was possible for gbemu to sometimes run sooooper
        fast because the GC would cause the profiler to forget gbemu's behavior on the first tick
        and focus only on its behavior in subsequent ticks. So, in steady state, we'd optimize gbemu
        for its later behavior rather than a combination of its early behavior and later behavior.
        We rarely got lucky this way, so it's not fair to view this quirk as a feature.
        
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::propagateTransitions):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::visitWeak):
        (JSC::AccessCase::propagateTransitions):
        (JSC::AccessCase::generateWithGuard):
        (JSC::PolymorphicAccess::visitWeak):
        (JSC::PolymorphicAccess::propagateTransitions):
        (JSC::PolymorphicAccess::dump):
        * bytecode/PolymorphicAccess.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::visitWeakReferences):
        (JSC::StructureStubInfo::propagateTransitions):
        (JSC::StructureStubInfo::containsPC):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):
        (JSC::Structure::isCheapDuringGC):
        (JSC::Structure::markIfCheap):
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        * runtime/Structure.h:

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Simplify console.clear
        https://bugs.webkit.org/show_bug.cgi?id=157316

        Reviewed by Timothy Hatcher.

        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::createEmpty):
        (Inspector::ScriptArguments::ScriptArguments):
        * inspector/ScriptArguments.h:
        Provide a way to create an empty list.

        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::clear):
        * runtime/ConsoleClient.h:
        Drop unnecessary parameter.

        * runtime/ConsoleObject.cpp:
        (JSC::consoleProtoFuncClear):
        No need to parse arguments.

2016-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Improve Symbol() to string coercion error message
        https://bugs.webkit.org/show_bug.cgi?id=157317

        Reviewed by Geoffrey Garen.

        Improve error messages related to Symbols.

        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toStringSlowCase):
        * runtime/Symbol.cpp:
        (JSC::Symbol::toNumber):
        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * tests/stress/dfg-to-primitive-pass-symbol.js:
        * tests/stress/floating-point-div-to-mul.js:
        (i.catch):
        * tests/stress/string-from-code-point.js:
        (shouldThrow):
        (string_appeared_here.shouldThrow):
        * tests/stress/symbol-error-messages.js: Added.
        (shouldThrow):
        * tests/stress/symbol-registry.js:

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Give console.time/timeEnd a default label and warnings
        https://bugs.webkit.org/show_bug.cgi?id=157325
        <rdar://problem/26073290>

        Reviewed by Timothy Hatcher.

        Provide more user friendly console.time/timeEnd. The timer name
        is now optional, and is "default" if not provided. Also provide
        warnings when attempting to start an already started timer,
        or stop a timer that does not exist.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::startTiming):
        (Inspector::InspectorConsoleAgent::stopTiming):
        Warnings for bad cases.

        * runtime/ConsoleObject.cpp:
        (JSC::defaultLabelString):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        Optional label becomes "default".

2016-05-03  Xan Lopez  <xlopez@igalia.com>

        Fix the ENABLE(WEBASSEMBLY) build
        https://bugs.webkit.org/show_bug.cgi?id=157312

        Reviewed by Darin Adler.

        * runtime/Executable.cpp:
        (JSC::WebAssemblyExecutable::WebAssemblyExecutable):
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::convertValueToDouble):

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused parameter of ScriptArguments::getFirstArgumentAsString
        https://bugs.webkit.org/show_bug.cgi?id=157301

        Reviewed by Timothy Hatcher.

        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getFirstArgumentAsString):
        * inspector/ScriptArguments.h:
        Remove unused argument and related code.

        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        Drive by remove unnecessary cast.

2016-05-03  Michael Saboff  <msaboff@apple.com>

        Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated
        https://bugs.webkit.org/show_bug.cgi?id=157322

        Reviewed by Filip Pizlo.

        Check to see if the source array has changed length before calling fastSlice().
        If it has, take the slow path.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        * tests/stress/regress-157322.js: New test.

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Eliminate PassRefPtr conversion from ConsoleObject
        https://bugs.webkit.org/show_bug.cgi?id=157300

        Reviewed by Timothy Hatcher.

        * runtime/ConsoleObject.cpp:
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        No need to release to a PassRefPtr, we can just move into the RefPtr<>&&.

2016-05-01  Filip Pizlo  <fpizlo@apple.com>

        Speed up JSGlobalObject initialization by making some properties lazy
        https://bugs.webkit.org/show_bug.cgi?id=157045

        Reviewed by Keith Miller.
        
        This makes about half of JSGlobalObject's state lazy. There are three categories of
        state in JSGlobalObject:
        
        1) C++ fields in JSGlobalObject.
        2) JS object properties in JSGlobalObject's JSObject superclass.
        3) JS variables in JSGlobalObject's JSSegmentedVariableObject superclass.
        
        State held in JS variables cannot yet be made lazy. That's why this patch only goes
        half-way.
        
        State in JS object properties can be made lazy if we move it to the static property
        hashtable. JSGlobalObject already had one of those. This patch makes static property
        hashtables a lot more powerful, by adding three new kinds of static properties. These
        new kinds allow us to make almost all of JSGlobalObject's object properties lazy.
        
        State in C++ fields can now be made lazy thanks in part to WTF's support for stateless
        lambdas. You can of course make anything lazy by hand, but there are many C++ fields in
        JSGlobalObject and we are adding more all the time. We don't want to require that each
        of these has a getter with an initialization check and a corresponding out-of-line slow
        path that does the initialization. We want this kind of boilerplate to be handled by
        some abstractions.
        
        The primary abstraction introduced in this patch is LazyProperty<Type>. Currently, this
        only works where Type is a subclass of JSCell. Such a property holds a pointer to Type.
        You can use it like you would a WriteBarrier<Type>. It even has set() and get() methods,
        so it's almost a drop-in replacement.
        
        The key to LazyProperty<Type>'s power is that you can do this:
        
            class Bar {
                ...
                LazyProperty<Foo> m_foo;
            };
            ...
            m_foo.initLater(
                [] (const LazyProperty<Foo>::Initializer<Bar>& init) {
                    init.set(Foo::create(init.vm, init.owner));
                });
        
        This initLater() call requires that you pass a stateless lambda (see WTF changelog for
        the definition). Miraculously, this initLater() call is guaranteed to compile to a store
        of a pointer constant to m_foo, as in:
        
            movabsq 0xBLAH, %rax
            movq %rax, &m_foo
        
        This magical pointer constant points to a callback that was generated by the template
        instantiation of initLater(). That callback knows to call your stateless lambda, but
        also does some other bookkeeping: it makes sure that you indeed initialized the property
        inside the callback and it manages recursive initializations. It's totally legal to call
        m_foo.get() inside the initLater() callback. If you do that before you call init.set(),
        m_foo.get() will return null. This is an excellent escape hatch if we ever find
        ourselves in a dependency cycle. I added this feature because I already had to create a
        dependency cycle.
        
        Note that using LazyProperties from DFG threads is super awkward. It's going to be hard
        to get this right. The DFG thread cannot initialize those fields, so it has to make sure
        that it does conservative things. But for some nodes this could mean adding a lot of new
        logic, like NewTypedArray, which currently is written in such a way that it assumes that
        we always have the typed array structure. Currently we take a two-fold approach: for
        typed arrays we don't handle the NewTypedArray intrinsic if the structure isn't
        initialized, and for everything else we don't make the properties lazy if the DFG needs
        them. As we optimize this further we might need to teach the DFG to handle more lazy
        properties. I tried to do this for RegExp but found it to be very confusing. With typed
        arrays I got lucky.
        
        There is also a somewhat more powerful construct called LazyClassStructure. We often
        need to keep around the structure of some standard JS class, like Date. We also need to
        make sure that the constructor ends up in the global object's property table. And we
        often need to keep the original value of the constructor for ourselves. In this case, we
        want to make sure that the creation of the structure-prototype-constructor constellation
        is atomic. We don't want code to start looking at the structure if it points to a
        prototype that doesn't have its "constructor" property set yet, for example.
        LazyClassStructure solves this by abstracting that whole initialization. You provide the
        callback that allocates everything, since we are super inconsistent about the way we
        initialize things, but LazyClassStructure establishes the workflow and helps you not
        mess up.
        
        Finally, the new static hashtable attributes allow for all of this to work with the JS
        property table:
        
        PropertyCallback: if you use this attribute, the second column in the table should be
        the name of a function to call to initialize this property. This is useful for things
        like the Math property. The Math object turns out to be very expensive to allocate.
        Delaying its allocation is super easy with the PropertyCallback attribute.
        
        CellProperty: with this attribute the second column should be a C++ field name like
        JSGlobalObject::m_evalErrorConstructor. The static hashtable will grab the offset of
        this property, and when it needs to be initialized, Lookup will assume you have a
        LazyProperty<JSCell> and call its get() method. It will initialize the property to
        whatever get() returned. Note that it's legal to cast a LazyProperty<Anything> to
        LazyProperty<JSCell> for the purpose of calling get() because the get() method will just
        call whatever callback function pointer is encoded in the property and it does not need
        to know anything about what type that callback will instantiate.
        
        ClassStructure: with this attribute the second column should be a C++ field name. The
        static hashtable will initialize the property by treating the field as a
        LazyClassStructure and it will call get(). LazyClassStructure completely owns the whole
        initialization workflow, so Lookup assumes that when LazyClassStructure::get() returns,
        the property in question will already be set. By convention, we have LazyClassStructure
        initialize the property with a pointer to the constructor, since that's how all of our
        classes work: "globalObject.Date" points to the DateConstructor.
        
        This is a 2x speed-up in JSGlobalObject initialization time in a microbenchmark that
        calls our C API. This is a 1% speed-up on SunSpider and JSRegress.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::create):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::create):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * create_hash_table:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::visitChildren):
        (JSC::InternalFunction::name):
        (JSC::InternalFunction::calculatedDisplayName):
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/InternalFunction.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGlobalObject.cpp:
        (JSC::createProxyProperty):
        (JSC::createJSONProperty):
        (JSC::createMathProperty):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        (JSC::JSGlobalObject::resetPrototype):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::toThis):
        (JSC::JSGlobalObject::getOwnPropertySlot):
        (JSC::JSGlobalObject::createThrowTypeError): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectConstructor):
        (JSC::JSGlobalObject::promiseConstructor):
        (JSC::JSGlobalObject::internalPromiseConstructor):
        (JSC::JSGlobalObject::evalErrorConstructor):
        (JSC::JSGlobalObject::rangeErrorConstructor):
        (JSC::JSGlobalObject::referenceErrorConstructor):
        (JSC::JSGlobalObject::syntaxErrorConstructor):
        (JSC::JSGlobalObject::typeErrorConstructor):
        (JSC::JSGlobalObject::URIErrorConstructor):
        (JSC::JSGlobalObject::nullGetterFunction):
        (JSC::JSGlobalObject::nullSetterFunction):
        (JSC::JSGlobalObject::callFunction):
        (JSC::JSGlobalObject::applyFunction):
        (JSC::JSGlobalObject::definePropertyFunction):
        (JSC::JSGlobalObject::arrayProtoValuesFunction):
        (JSC::JSGlobalObject::initializePromiseFunction):
        (JSC::JSGlobalObject::newPromiseCapabilityFunction):
        (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
        (JSC::JSGlobalObject::regExpProtoExecFunction):
        (JSC::JSGlobalObject::regExpProtoSymbolReplaceFunction):
        (JSC::JSGlobalObject::regExpProtoGlobalGetter):
        (JSC::JSGlobalObject::regExpProtoUnicodeGetter):
        (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
        (JSC::JSGlobalObject::moduleLoader):
        (JSC::JSGlobalObject::objectPrototype):
        (JSC::JSGlobalObject::functionPrototype):
        (JSC::JSGlobalObject::arrayPrototype):
        (JSC::JSGlobalObject::booleanPrototype):
        (JSC::JSGlobalObject::stringPrototype):
        (JSC::JSGlobalObject::symbolPrototype):
        (JSC::JSGlobalObject::numberPrototype):
        (JSC::JSGlobalObject::datePrototype):
        (JSC::JSGlobalObject::regExpPrototype):
        (JSC::JSGlobalObject::errorPrototype):
        (JSC::JSGlobalObject::iteratorPrototype):
        (JSC::JSGlobalObject::generatorFunctionPrototype):
        (JSC::JSGlobalObject::generatorPrototype):
        (JSC::JSGlobalObject::debuggerScopeStructure):
        (JSC::JSGlobalObject::withScopeStructure):
        (JSC::JSGlobalObject::strictEvalActivationStructure):
        (JSC::JSGlobalObject::activationStructure):
        (JSC::JSGlobalObject::moduleEnvironmentStructure):
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::clonedArgumentsStructure):
        (JSC::JSGlobalObject::isOriginalArrayStructure):
        (JSC::JSGlobalObject::booleanObjectStructure):
        (JSC::JSGlobalObject::callbackConstructorStructure):
        (JSC::JSGlobalObject::callbackFunctionStructure):
        (JSC::JSGlobalObject::callbackObjectStructure):
        (JSC::JSGlobalObject::propertyNameIteratorStructure):
        (JSC::JSGlobalObject::objcCallbackFunctionStructure):
        (JSC::JSGlobalObject::objcWrapperObjectStructure):
        (JSC::JSGlobalObject::dateStructure):
        (JSC::JSGlobalObject::nullPrototypeObjectStructure):
        (JSC::JSGlobalObject::errorStructure):
        (JSC::JSGlobalObject::calleeStructure):
        (JSC::JSGlobalObject::functionStructure):
        (JSC::JSGlobalObject::boundFunctionStructure):
        (JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
        (JSC::JSGlobalObject::getterSetterStructure):
        (JSC::JSGlobalObject::nativeStdFunctionStructure):
        (JSC::JSGlobalObject::namedFunctionStructure):
        (JSC::JSGlobalObject::functionNameOffset):
        (JSC::JSGlobalObject::numberObjectStructure):
        (JSC::JSGlobalObject::privateNameStructure):
        (JSC::JSGlobalObject::mapStructure):
        (JSC::JSGlobalObject::regExpStructure):
        (JSC::JSGlobalObject::generatorFunctionStructure):
        (JSC::JSGlobalObject::setStructure):
        (JSC::JSGlobalObject::stringObjectStructure):
        (JSC::JSGlobalObject::symbolObjectStructure):
        (JSC::JSGlobalObject::iteratorResultObjectStructure):
        (JSC::JSGlobalObject::lazyTypedArrayStructure):
        (JSC::JSGlobalObject::typedArrayStructure):
        (JSC::JSGlobalObject::typedArrayStructureConcurrently):
        (JSC::JSGlobalObject::isOriginalTypedArrayStructure):
        (JSC::JSGlobalObject::typedArrayConstructor):
        (JSC::JSGlobalObject::actualPointerFor):
        (JSC::JSGlobalObject::internalFunctionStructure): Deleted.
        * runtime/JSNativeStdFunction.cpp:
        (JSC::JSNativeStdFunction::create):
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::create):
        (JSC::JSWithScope::visitChildren):
        (JSC::JSWithScope::createStructure):
        (JSC::JSWithScope::JSWithScope):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::object):
        (JSC::JSWithScope::create): Deleted.
        (JSC::JSWithScope::createStructure): Deleted.
        (JSC::JSWithScope::JSWithScope): Deleted.
        * runtime/LazyClassStructure.cpp: Added.
        (JSC::LazyClassStructure::Initializer::Initializer):
        (JSC::LazyClassStructure::Initializer::setPrototype):
        (JSC::LazyClassStructure::Initializer::setStructure):
        (JSC::LazyClassStructure::Initializer::setConstructor):
        (JSC::LazyClassStructure::visit):
        (JSC::LazyClassStructure::dump):
        * runtime/LazyClassStructure.h: Added.
        (JSC::LazyClassStructure::LazyClassStructure):
        (JSC::LazyClassStructure::get):
        (JSC::LazyClassStructure::prototype):
        (JSC::LazyClassStructure::constructor):
        (JSC::LazyClassStructure::getConcurrently):
        (JSC::LazyClassStructure::prototypeConcurrently):
        (JSC::LazyClassStructure::constructorConcurrently):
        * runtime/LazyClassStructureInlines.h: Added.
        (JSC::LazyClassStructure::initLater):
        * runtime/LazyProperty.h: Added.
        (JSC::LazyProperty::Initializer::Initializer):
        (JSC::LazyProperty::LazyProperty):
        (JSC::LazyProperty::get):
        (JSC::LazyProperty::getConcurrently):
        * runtime/LazyPropertyInlines.h: Added.
        (JSC::LazyProperty<ElementType>::Initializer<OwnerType>::set):
        (JSC::LazyProperty<ElementType>::initLater):
        (JSC::LazyProperty<ElementType>::setMayBeNull):
        (JSC::LazyProperty<ElementType>::set):
        (JSC::LazyProperty<ElementType>::visit):
        (JSC::LazyProperty<ElementType>::dump):
        (JSC::LazyProperty<ElementType>::callFunc):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::accessorGetter):
        (JSC::HashTableValue::accessorSetter):
        (JSC::HashTableValue::constantInteger):
        (JSC::HashTableValue::lexerValue):
        (JSC::HashTableValue::lazyCellPropertyOffset):
        (JSC::HashTableValue::lazyClassStructureOffset):
        (JSC::HashTableValue::lazyPropertyCallback):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        (JSC::reifyStaticProperty):
        * runtime/PropertySlot.h:
        * runtime/TypedArrayType.h:

2016-05-03  Per Arne Vollan  <peavo@outlook.com>

        [Win] Remove Windows XP Compatibility Requirements
        https://bugs.webkit.org/show_bug.cgi?id=152899

        Reviewed by Brent Fulgham.

        Windows XP is not supported anymore, we can remove workarounds.

        * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp:
        (enableTerminationOnHeapCorruption):

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.assert should do far less work when the assertion is true
        https://bugs.webkit.org/show_bug.cgi?id=157297
        <rdar://problem/26056556>

        Reviewed by Timothy Hatcher.

        * runtime/ConsoleClient.h:
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::assertion):
        (JSC::ConsoleClient::assertCondition): Deleted.
        Rename, now that this will only get called when the assertion failed.

        * runtime/ConsoleObject.cpp:
        (JSC::consoleProtoFuncAssert):
        Avoid doing any work if the assertion succeeded.

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed follow-up testapi fix after r200355.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        Revert back to non-enumerable. This matches our older behavior,
        we can decide to make this Enumerable later if needed.

2016-05-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Reflect.toString() should be [object Object] not [object Reflect]
        https://bugs.webkit.org/show_bug.cgi?id=157288

        Reviewed by Darin Adler.

        * runtime/ReflectObject.cpp:
        * tests/stress/reflect.js: Added.

2016-05-02  Jon Davis  <jond@apple.com>

        Add Resource Timing entry to the Feature Status page.
        https://bugs.webkit.org/show_bug.cgi?id=157285

        Reviewed by Timothy Hatcher.

        * features.json:

2016-05-02  Joseph Pecoraro  <pecoraro@apple.com>

        Make console a namespace object (like Math/JSON), allowing functions to be called unbound
        https://bugs.webkit.org/show_bug.cgi?id=157286
        <rdar://problem/26052830>

        Reviewed by Timothy Hatcher.

        This changes `console` to be a global namespace object, like `Math` and `JSON`.
        It just holds a bunch of functions, that can be used on their own, unbound.
        For example, `[1,2,3].forEach(console.log)` and `var log = console.log; log(1)`
        used to throw exceptions and now do not.

        Previously console was an Object/Prototype pair, so functions were on
        ConsolePrototype (console.__proto__.log) and they needed to be called
        Console objects as the `this` value. Now, `console` is just a standard
        object with a bunch of functions. Since there is no console prototype the
        functions can be passed around and called as expected and they will
        just do the right thing.

        For compatability with other browsers, `console` was made enumerable
        on the global object.