[GTK] Fix HPPA build
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-06  Alberto Garcia  <berto@igalia.com>

        [GTK] Fix HPPA build
        https://bugs.webkit.org/show_bug.cgi?id=143453

        Reviewed by Darin Adler.

        Add HPPA to the list of supported CPUs.

        * CMakeLists.txt:

2015-04-06  Mark Lam  <mark.lam@apple.com>

        In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
        <https://webkit.org/b/143396>

        Reviewed by Filip Pizlo.

        The DFG was neglecting to set the result boolean.  The FTL was setting it with
        an inverted value.  Both of these are now resolved.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
        * tests/stress/for-in-array-mode.js: Added.
        (.):
        (test):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
        https://bugs.webkit.org/show_bug.cgi?id=143424

        Reviewed by Geoffrey Garen.

        In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).

        ToString(symbol) throws a type error.
        However, String(symbol) produces SymbolDescriptiveString(symbol).

        So, in the DFG and FTL phases, they should not inline StringConstructor to ToString.

        Now, in the template literals patch, the ToString DFG operation is planned to be used.
        And the current ToString behavior is aligned to the spec (and JSValue::toString), and it's better.
        So instead of changing ToString behavior, this patch adds a CallStringConstructor operation into DFG and FTL.
        In CallStringConstructor, all behavior in DFG analysis is the same.
        The only difference from ToString is that, when calling DFG operation functions, it calls
        operationCallStringConstructorOnCell and operationCallStringConstructor instead of
        operationToStringOnCell and operationToString.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        (JSC::DFG::FixupPhase::fixupToString): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
        (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
        * runtime/StringConstructor.cpp:
        (JSC::stringConstructor):
        (JSC::callStringConstructor):
        * runtime/StringConstructor.h:
        * tests/stress/symbol-and-string-constructor.js: Added.
        (performString):

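The String(symbol) versus ToString(symbol) distinction this entry relies on, shown from the JavaScript side as an added example (not the ChangeLog's own test file; the sample symbol and the helper names are constructed here):

```javascript
// Added example (not part of the WebKit ChangeLog or its tests): ES6
// String(value) versus the ToString abstract operation, which is what
// implicit conversions use and what the DFG/FTL must not substitute for it.

// The String constructor called as a function: for a symbol this returns
// SymbolDescriptiveString(symbol) instead of throwing.
function stringConstructorOf(value) {
  return String(value);
}

// The String constructor used with `new` still goes through ToString,
// so a symbol argument throws a TypeError here.
function newStringOf(value) {
  return new String(value).valueOf();
}

// Three user-visible paths that perform ToString on their operand: string
// concatenation, template literals and String.prototype.concat.
function implicitToStringOf(value, path) {
  switch (path) {
    case 'concat':   return '' + value;
    case 'template': return `${value}`;
    case 'method':   return ''.concat(value);
    default: throw new RangeError(`unknown path ${path}`);
  }
}

// Runs fn and reports either its string result or the thrown error class,
// so the two conversion behaviors can be compared side by side.
function outcome(fn, ...args) {
  try {
    return fn(...args);
  } catch (e) {
    return `throws:${e.constructor.name}`;
  }
}

// Compares String(value) against every implicit ToString path for one value.
function compareBehaviors(value) {
  return {
    stringConstructor: outcome(stringConstructorOf, value),
    newString: outcome(newStringOf, value),
    concat: outcome(implicitToStringOf, value, 'concat'),
    template: outcome(implicitToStringOf, value, 'template'),
    method: outcome(implicitToStringOf, value, 'method'),
  };
}

// Constructed sample input: a symbol with a description, and a plain number
// for which all conversion paths agree.
const SAMPLE_SYMBOL = Symbol('secret');
const SAMPLE_NUMBER = 42;
```

An engine that inlined String(x) as ToString(x) would make the first column of compareBehaviors(SAMPLE_SYMBOL) throw like the others; that is the divergence the CallStringConstructor node preserves.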
2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Return Optional<uint32_t> from PropertyName::asIndex
        https://bugs.webkit.org/show_bug.cgi?id=143422

        Reviewed by Darin Adler.

        PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
        But it's not obvious to callers.

        This patch changes
        1. PropertyName::asIndex() to return Optional<uint32_t> and
        2. the function name `asIndex()` to `parseIndex()`.
        It forces callers to check explicitly whether the value is an index or not.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStubAndGetOldStructure):
        * jsc.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/Identifier.h:
        (JSC::parseIndex):
        (JSC::Identifier::isSymbol):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/PropertyName.h:
        (JSC::parseIndex):
        (JSC::toUInt32FromCharacters): Deleted.
        (JSC::toUInt32FromStringImpl): Deleted.
        (JSC::PropertyName::asIndex): Deleted.
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):

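The index test behind asIndex()/parseIndex(), and why an in-band UINT_MAX sentinel is easy to misuse, as an added JavaScript example (not WebKit code; MAX_ARRAY_INDEX, NOT_AN_INDEX and the helper names are this example's own, and the sample entries are constructed):

```javascript
// Added example (not WebKit code): the array-index test that
// PropertyName::parseIndex performs, written in JavaScript. A property key is
// an array index when it is the canonical decimal form of an integer in
// [0, 2^32 - 2]; 2^32 - 1 (UINT_MAX) is never an index, which is why the old
// uint32_t API could use it as the NotAnIndex sentinel.
const MAX_ARRAY_INDEX = 0xFFFFFFFE; // 2^32 - 2
const NOT_AN_INDEX = 0xFFFFFFFF;    // the old sentinel (UINT_MAX)

// New-style API: returns the index as a number, or undefined when the key is
// not an index (the analogue of an empty Optional<uint32_t>). Callers must
// compare against undefined explicitly.
function parseIndex(key) {
  if (typeof key === 'symbol') return undefined;
  const s = String(key);
  // "4294967294" has 10 digits; anything longer cannot be an index.
  if (s.length === 0 || s.length > 10) return undefined;
  if (s === '0') return 0;
  if (s.charCodeAt(0) === 0x30) return undefined; // leading zero is not canonical
  let value = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x30 || c > 0x39) return undefined; // only ASCII digits allowed
    value = value * 10 + (c - 0x30);
  }
  return value <= MAX_ARRAY_INDEX ? value : undefined;
}

// Old-style API for comparison: the same test, but "not an index" is encoded
// in-band as UINT_MAX. A caller that forgets the sentinel check silently
// treats a named property as element 4294967295.
function asIndexLegacy(key) {
  const index = parseIndex(key);
  return index === undefined ? NOT_AN_INDEX : index;
}

// Observable consequence of the index test: ordinary own property keys are
// enumerated with array indices first in ascending numeric order, then the
// remaining string keys in insertion order. Builds an object from `entries`
// (constructed sample input) and returns the predicted and actual key orders.
function keyOrder(entries) {
  const obj = {};
  for (const [key, value] of entries) obj[key] = value;
  const keys = entries.map(([k]) => k);
  const indexKeys = keys.filter(k => parseIndex(k) !== undefined)
    .sort((a, b) => parseIndex(a) - parseIndex(b));
  const namedKeys = keys.filter(k => parseIndex(k) === undefined);
  return { predicted: indexKeys.concat(namedKeys), actual: Object.keys(obj) };
}
```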
2015-04-05  Andreas Kling  <akling@apple.com>

        URI encoding/escaping should use efficient string building instead of calling snprintf().
        <https://webkit.org/b/143426>

        Reviewed by Gavin Barraclough.

        I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
        which seemed pretty silly. This change gets that down to nothing in favor of using our
        existing JSStringBuilder and HexNumber.h facilities.

        These APIs are well-exercised by our existing test suite.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::globalFuncEscape):

2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>

        documentation for ES Promises points to the wrong one
        https://bugs.webkit.org/show_bug.cgi?id=143263

        Reviewed by Darin Adler.

        * features.json:

2015-04-05  Simon Fraser  <simon.fraser@apple.com>

        Remove "go ahead and" from comments
        https://bugs.webkit.org/show_bug.cgi?id=143421

        Reviewed by Darin Adler, Benjamin Poulain.

        Remove the phrase "go ahead and" from comments where it doesn't add
        anything (which is almost all of them).

        * interpreter/JSStack.cpp:
        (JSC::JSStack::growSlowCase):

2015-04-04  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done.)

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement ES6 Object.getOwnPropertySymbols
        https://bugs.webkit.org/show_bug.cgi?id=141106

        Reviewed by Geoffrey Garen.

        This patch implements `Object.getOwnPropertySymbols`.
        One technical issue is that, since we use private symbols (such as `@Object`) in the
        privileged JS code in `builtins/`, they should not be exposed.
        To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
        before adding it into PropertyNameArray.

        To check whether the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`
        since all private symbols are held in this map.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::isPrivateName):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::isPrivateName):
        * runtime/CommonIdentifiers.h:
        * runtime/EnumerationMode.h:
        (JSC::EnumerationMode::EnumerationMode):
        (JSC::EnumerationMode::includeSymbolProperties):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        (JSC::objectConstructorGetOwnPropertySymbols):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-get-own-property-symbols.js: Added.
        (forIn):
        * tests/stress/symbol-define-property.js: Added.
        (testSymbol):
        * tests/stress/symbol-seal-and-freeze.js: Added.
        * tests/stress/symbol-with-json.js: Added.

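The user-visible behaviors the new stress tests cover (ToObject on the argument, defineProperty with a symbol key, seal/freeze, JSON), as an added example that is not one of those test files; the symbols, the sample record and the helper names are constructed here:

```javascript
// Added example (not from WebKit or its stress tests): what
// Object.getOwnPropertySymbols exposes and what it does not. Engine-private
// names such as the `@Object` used by builtins are filtered by isPrivateName
// and never reach user code, so only ordinary symbols can appear here.
const token = Symbol('token');
const hiddenFlag = Symbol('hiddenFlag');

// Constructed sample object: one string key, one enumerable symbol key and
// one non-enumerable symbol key added through defineProperty.
function makeRecord() {
  const record = { name: 'alice', [token]: 'abc123' };
  Object.defineProperty(record, hiddenFlag, {
    value: true, enumerable: false, writable: true, configurable: true,
  });
  return record;
}

// Which views of an object include its symbol keys? Object.keys, for-in and
// JSON.stringify all skip them; getOwnPropertySymbols lists them regardless
// of enumerability, in insertion order.
function keyViews(obj) {
  const forIn = [];
  for (const k in obj) forIn.push(k);
  const symbols = Object.getOwnPropertySymbols(obj);
  return {
    keys: Object.keys(obj),
    forIn,
    json: JSON.stringify(obj),
    symbolDescriptions: symbols.map(s => s.description),
    hiddenIsOwn: symbols.includes(hiddenFlag),
  };
}

// getOwnPropertySymbols performs ToObject on its argument: primitives are
// boxed (and have no own symbol keys), while null and undefined throw.
// Returns the symbol count, or the name of the thrown error class.
function symbolsOf(value) {
  try {
    return Object.getOwnPropertySymbols(value).length;
  } catch (e) {
    return e.constructor.name;
  }
}

// Freezing an object covers its symbol-keyed properties too: a strict-mode
// write to a frozen symbol key throws and the value is unchanged.
function freezeAndProbe(obj) {
  Object.freeze(obj);
  let writeError = null;
  try {
    (function () { 'use strict'; obj[token] = 'changed'; }());
  } catch (e) {
    writeError = e.constructor.name;
  }
  return { isFrozen: Object.isFrozen(obj), writeError, value: obj[token] };
}
```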
2015-04-03  Mark Lam  <mark.lam@apple.com>

        Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
        <https://webkit.org/b/143385>

        Reviewed by Geoffrey Garen.

        For debugging purposes, sometimes, we want to be able to make compilation happen
        sooner to see if we can accelerate the manifestation of certain events / bugs.
        Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
        which make up the compilation policy.  Let's add a single knob that can tune all
        the thresholds up / down in one go proportionately so that we can easily tweak
        how soon compilation occurs.

        * runtime/Options.cpp:
        (JSC::scaleJITPolicy):
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        is* API methods should be @properties
        https://bugs.webkit.org/show_bug.cgi?id=143388

        Reviewed by Mark Lam.

        This appears to be the preferred idiom in WebKit, CA, AppKit, and
        Foundation.

        * API/JSValue.h: Be @properties.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Use the @properties.

2015-04-03  Mark Lam  <mark.lam@apple.com>

        Some JSC Options refactoring and enhancements.
        <https://webkit.org/b/143384>

        Rubber stamped by Benjamin Poulain.

        Create a better encapsulated Option class to make working with options easier.  This
        is a building block towards a JIT policy scaling debugging option I will introduce later.

        This work entails:
        1. Convert Options::Option into a public class Option (which works closely with Options).
        2. Convert Options::EntryType into an enum class Options::Type and make it public.
        3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
        4. Add misc methods to class Option to make it more usable.

        * runtime/Options.cpp:
        (JSC::Options::dumpOption):
        (JSC::Option::dump):
        (JSC::Option::operator==):
        (JSC::Options::Option::dump): Deleted.
        (JSC::Options::Option::operator==): Deleted.
        * runtime/Options.h:
        (JSC::Option::Option):
        (JSC::Option::operator!=):
        (JSC::Option::name):
        (JSC::Option::description):
        (JSC::Option::type):
        (JSC::Option::isOverridden):
        (JSC::Option::defaultOption):
        (JSC::Option::boolVal):
        (JSC::Option::unsignedVal):
        (JSC::Option::doubleVal):
        (JSC::Option::int32Val):
        (JSC::Option::optionRangeVal):
        (JSC::Option::optionStringVal):
        (JSC::Option::gcLogLevelVal):
        (JSC::Options::Option::Option): Deleted.
        (JSC::Options::Option::operator!=): Deleted.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
        is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
        is equal to 101100.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
        Added a comment explaining why.

2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>

        FTL JIT tests should fail if LLVM library isn't available
        https://bugs.webkit.org/show_bug.cgi?id=143374

        Reviewed by Mark Lam.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * runtime/Options.h:

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Fix the EFL and GTK build after r182243
        https://bugs.webkit.org/show_bug.cgi?id=143361

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt: InspectorBackendCommands.js is generated in the
        DerivedSources/JavaScriptCore/inspector/ directory.

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed, fixing Clang builds of the GTK port on Linux.

        * runtime/Options.cpp:
        Include the <math.h> header for isnan().

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Enhance ability to dump JSC Options.
        <https://webkit.org/b/143357>

        Reviewed by Benjamin Poulain.

        Some enhancements to how the JSC options work:

        1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
           2 = All, 3 = Verbose.

           The default is 0 (None).  This dumps nothing.
           With the Overridden setting, at VM initialization time, we will dump all
           option values that have been changed from their default.
           With the All setting, at VM initialization time, we will dump all option values.
           With the Verbose setting, at VM initialization time, we will dump all option
           values along with their descriptions (if available).

        2. We now store a copy of the default option values.

           We later use this for comparison to tell if an option has been overridden, and
           print the default value for reference.  As a result, we no longer need the
           didOverride flag since we can compute whether the option is overridden at any time.

        3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).

           This will come in handy later when we want to rename some of the options to more sane
           names that are easier to remember.  For example, we can change
           Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
           Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
           of the description, we can afford to use shorter and less descriptive option names,
           but they will be easier to remember and use for day to day debugging work.

           In this patch, I did not change the names of any of the options yet.  I only added
           description strings for options that I know about, and where I think the option name
           isn't already descriptive enough.

        4. Also deleted some unused code.

        * jsc.cpp:
        (CommandLine::parseArguments):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        (JSC::Options::setOption):
        (JSC::Options::dumpAllOptions):
        (JSC::Options::dumpOption):
        (JSC::Options::Option::dump):
        (JSC::Options::Option::operator==):
        * runtime/Options.h:
        (JSC::OptionRange::rangeString):
        (JSC::Options::Option::Option):
        (JSC::Options::Option::operator!=):

2015-04-02  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.

        * API/JSValue.h:
        * API/JSValue.mm:
        (-[JSValue isArray]):
        (-[JSValue isDate]): Added an ObjC API.

        * API/JSValueRef.cpp:
        (JSValueIsArray):
        (JSValueIsDate):
        * API/JSValueRef.h: Added a C API.

        * API/WebKitAvailability.h: Brought our availability macros up to date
        and fixed a harmless bug where "10_10" translated to "10.0".

        * API/tests/testapi.c:
        (main): Added a test and corrected a pre-existing leak.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Added a test.

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Add Options::dumpSourceAtDFGTime().
        <https://webkit.org/b/143349>

        Reviewed by Oliver Hunt, and Michael Saboff.

        Sometimes, we will want to see the JS source code that we're compiling, and it
        would be nice to be able to do this without having to jump through a lot of hoops.
        So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
        Options::dumpBytecodeAtDFGTime() option.

        Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
        that explicitly take no arguments (instead of relying on the version that takes
        the default argument).  These versions are friendlier to use when we want to call
        them from an interactive debugging session.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpSource):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * runtime/Options.h:

2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up EnumerationMode to easily extend
        https://bugs.webkit.org/show_bug.cgi?id=143276

        Reviewed by Geoffrey Garen.

        To make the following easy,
        1. adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch, and
        2. making ExcludeSymbols implicitly the default for the existing flags,
        we encapsulate the EnumerationMode flags into an EnumerationMode class.

        And this class manages 2 flags. Later it will be extended to 3.
        1. DontEnumPropertiesMode (default is Exclude)
        2. JSObjectPropertiesMode (default is Include)
        3. SymbolPropertiesMode (default is Exclude)
            SymbolPropertiesMode will be added in the Object.getOwnPropertySymbols patch.

        This patch replaces places using ExcludeDontEnumProperties
        with the EnumerationMode() value, which represents the default mode.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/EnumerationMode.h:
        (JSC::EnumerationMode::EnumerationMode):
        (JSC::EnumerationMode::includeDontEnumProperties):
        (JSC::EnumerationMode::includeJSObjectProperties):
        (JSC::shouldIncludeDontEnumProperties): Deleted.
        (JSC::shouldExcludeDontEnumProperties): Deleted.
        (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
        (JSC::modeThatSkipsJSObject): Deleted.
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::getGenericPropertyNames):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnNonIndexPropertyNames):
        (JSC::RegExpObject::getPropertyNames):
        (JSC::RegExpObject::getGenericPropertyNames):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertyNames):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):

2015-04-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Windows and Mac.
        https://bugs.webkit.org/show_bug.cgi?id=143293

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Enabled using assembly on Windows.
        Replaced unix commands with CMake commands.
        * PlatformMac.cmake:
        Tell open source builders where to find unicode headers.

653 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
654
655         IteratorClose should be called when jumping over the target for-of loop
656         https://bugs.webkit.org/show_bug.cgi?id=143140
657
658         Reviewed by Geoffrey Garen.
659
660         This patch fixes labeled break/continue behaviors with for-of and iterators.
661
662         1. Support IteratorClose beyond multiple loop contexts
663         Previously, IteratorClose is only executed in for-of's breakTarget().
664         However, this misses IteratorClose execution when statement roll-ups multiple control flow contexts.
665         For example,
666         outer: for (var e1 of outer) {
667             inner: for (var e2 of inner) {
668                 break outer;
669             }
670         }
671         In this case, return method of inner should be called.
672         We leverage the existing system for `finally` to execute inner.return method correctly.
673         Leveraging `finally` system fixes `break`, `continue` and `return` cases.
674         `throw` case is already supported by emitting try-catch handlers in for-of.
675
676         2. Incorrect LabelScope creation is done in ForOfNode
677         ForOfNode creates duplicated LabelScope.
678         It causes infinite loop when executing the following program that contains
679         explicitly labeled for-of loop.
680         For example,
681         inner: for (var elm of array) {
682             continue inner;
683         }
684
685         * bytecompiler/BytecodeGenerator.cpp:
686         (JSC::BytecodeGenerator::pushFinallyContext):
687         (JSC::BytecodeGenerator::pushIteratorCloseContext):
688         (JSC::BytecodeGenerator::popFinallyContext):
689         (JSC::BytecodeGenerator::popIteratorCloseContext):
690         (JSC::BytecodeGenerator::emitComplexPopScopes):
691         (JSC::BytecodeGenerator::emitEnumeration):
692         (JSC::BytecodeGenerator::emitIteratorClose):
693         * bytecompiler/BytecodeGenerator.h:
694         * bytecompiler/NodesCodegen.cpp:
695         (JSC::ForOfNode::emitBytecode):
696         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
697         (createIterator.iterator.return):
698         (createIterator):
699         * tests/stress/raise-error-in-iterator-close.js: Added.
700         (createIterator.iterator.return):
701         (createIterator):
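
The two programs quoted in this entry, exercised in an added JavaScript example (not one of WebKit's stress tests; the `makeIterable` helper and the event strings it logs are this example's own choices) so that the calls to each iterator's `return` method become observable: `break outer` from the inner loop must close both iterators, the explicitly labeled `continue inner` must terminate, and a `return` from nested loops closes the inner iterator before the outer one.

```javascript
// Added example, not WebKit code: observe when an iterator's return() method
// runs as control leaves nested for-of loops via break, continue and return.

// Build an iterable over `values` whose iterator records return() calls in
// `log` (an array of strings; both the helper and the log format are this
// example's inventions).
function makeIterable(name, values, log) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          if (i < values.length) return { value: values[i++], done: false };
          return { value: undefined, done: true };
        },
        return() {
          log.push(`${name}.return`);
          return { value: undefined, done: true };
        },
      };
    },
  };
}

// Case 1 from the ChangeLog: `break outer` inside the inner loop. IteratorClose
// must run for the inner iterator and then for the outer one.
function breakOuter() {
  const log = [];
  outer: for (const e1 of makeIterable("outer", [1, 2], log)) {
    inner: for (const e2 of makeIterable("inner", [10, 20], log)) {
      log.push(`visit ${e1},${e2}`);
      break outer;
    }
  }
  return log;
}

// Case 2 from the ChangeLog: a labeled for-of with `continue inner`. The loop
// must advance and finish; an exhausted iterator is not closed via return().
function continueInner() {
  const log = [];
  let visits = 0;
  inner: for (const elm of makeIterable("only", [1, 2, 3], log)) {
    visits++;
    if (visits > 10) throw new Error("runaway loop");  // guards against the old bug
    continue inner;
  }
  log.push(`visits ${visits}`);
  return log;
}

// `return` from inside nested loops also goes through IteratorClose, innermost first.
function returnFromNested() {
  const log = [];
  function f() {
    for (const a of makeIterable("a", [1], log)) {
      for (const b of makeIterable("b", [2], log)) {
        return a + b;
      }
    }
    return undefined;
  }
  log.push(`result ${f()}`);
  return log;
}
```

The `visits > 10` guard is only there to turn the infinite loop the entry describes into a thrown error on an unfixed engine; a conforming engine never reaches it.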
702
703 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
704
705         [ES6] Implement Symbol.unscopables
706         https://bugs.webkit.org/show_bug.cgi?id=142829
707
708         Reviewed by Geoffrey Garen.
709
710         This patch introduces Symbol.unscopables functionality.
711         In ES6, some generic names (like keys, values) are introduced
712         as Array method names. This breaks the web since some web sites
713         use code like the following.
714
715         var values = ...;
716         with (array) {
717             values;  // This values is trapped by array's method "values".
718         }
719
720         To fix this, Symbol.unscopables introduces a blacklist
721         for with-scope trapping. When resolving a scope,
722         if the name is found in the target scope and the target scope is a with scope,
723         we check the Symbol.unscopables object to filter generic names.
724
725         This functionality is only active for with scopes.
726         Global scope does not have unscopables functionality.
727
728         And since
729         1) op_resolve_scope for a with scope always returns the Dynamic resolve type,
730         2) in that case, JSScope::resolve is always used in the JIT and LLInt,
731         3) code which contains an op_resolve_scope that returns Dynamic cannot be compiled with the DFG and FTL,
732         to implement this functionality we just change JSScope::resolve and there is no need to change JIT code.
733         So the performance regression is only visible in the Dynamic resolving case, which is already much slower.
734
735         * runtime/ArrayPrototype.cpp:
736         (JSC::ArrayPrototype::finishCreation):
737         * runtime/CommonIdentifiers.h:
738         * runtime/JSGlobalObject.h:
739         (JSC::JSGlobalObject::runtimeFlags):
740         * runtime/JSScope.cpp:
741         (JSC::isUnscopable):
742         (JSC::JSScope::resolve):
743         * runtime/JSScope.h:
744         (JSC::ScopeChainIterator::scope):
745         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
746         (test):
747         * tests/stress/unscopables.js: Added.
748         (test):
749         (.):
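
The `with (array) { values; }` situation described above, as an added JavaScript example (not from the WebKit change or its tests). Because `with` is a syntax error in strict code, each probe body is compiled with the Function constructor, whose body is always sloppy-mode; the `resolveInsideWith` helper and the `"outer"`/`"trapped"` marker values are this example's own.

```javascript
// Added example, not WebKit code: how Symbol.unscopables stops generic Array
// method names from shadowing outer variables inside a `with` block.

// Returns what the identifier `values` resolves to inside `with (obj) { ... }`
// when an outer variable of the same name holds `outerValue`. The body is
// built with the Function constructor only to get a non-strict function in
// which `with` is legal; nothing here evaluates untrusted input.
function resolveInsideWith(obj, outerValue) {
  const probe = new Function(
    "obj", "outerValue",
    "var values = outerValue; with (obj) { return values; }"
  );
  return probe(obj, outerValue);
}

// Array.prototype[Symbol.unscopables].values is true in ES6, so the with
// scope skips the inherited Array method and the outer variable wins.
function arrayDoesNotTrapValues() {
  return resolveInsideWith([1, 2, 3], "outer");
}

// An ordinary object carries no unscopables list, so its own property wins.
function plainObjectStillTraps() {
  return resolveInsideWith({ values: "trapped" }, "outer");
}

// Any object can opt names out with its own Symbol.unscopables object.
function customUnscopables() {
  const obj = { values: "trapped", [Symbol.unscopables]: { values: true } };
  return resolveInsideWith(obj, "outer");
}

// Only the names listed (with a truthy value) are filtered; others still trap.
function unscopablesOnlyAffectsListedNames() {
  const obj = { keys: "trapped", [Symbol.unscopables]: { values: true } };
  const probe = new Function("obj", "var keys = 'outer'; with (obj) { return keys; }");
  return probe(obj);
}

// The generic names the entry mentions are on Array's blacklist.
function arrayListsGenericNames() {
  const list = Array.prototype[Symbol.unscopables];
  return list.keys === true && list.values === true;
}
```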
750
751 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
752
753         ES6 class syntax should allow static setters and getters
754         https://bugs.webkit.org/show_bug.cgi?id=143180
755
756         Reviewed by Filip Pizlo
757
758         Apparently I misread the spec when I initially implemented parseClass.
759         ES6 class syntax allows static getters and setters so just allow that.
760
761         * parser/Parser.cpp:
762         (JSC::Parser<LexerType>::parseClass):
763
764 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
765
766         PutClosureVar CSE def() rule has a wrong base
767         https://bugs.webkit.org/show_bug.cgi?id=143280
768
769         Reviewed by Michael Saboff.
770         
771         I think that this code was incorrect in a benign way, since the base of a
772         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
773
774         * dfg/DFGClobberize.h:
775         (JSC::DFG::clobberize):
776
777 2015-03-31  Commit Queue  <commit-queue@webkit.org>
778
779         Unreviewed, rolling out r182200.
780         https://bugs.webkit.org/show_bug.cgi?id=143279
781
782         Probably causing assertion extravaganza on bots. (Requested by
783         kling on #webkit).
784
785         Reverted changeset:
786
787         "Logically empty WeakBlocks should not pin down their
788         MarkedBlocks indefinitely."
789         https://bugs.webkit.org/show_bug.cgi?id=143210
790         http://trac.webkit.org/changeset/182200
791
792 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
793
794         Clean up Identifier factories to clarify the meaning of StringImpl*
795         https://bugs.webkit.org/show_bug.cgi?id=143146
796
797         Reviewed by Filip Pizlo.
798
799         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
800         However, it's ambiguous because `StringImpl*` has 2 different meanings:
801         1) a normal string, which is replaceable with `WTFString`, and
802         2) a `uid`, which holds `isSymbol` information to represent Symbols.
803         So we dropped the Identifier constructors for strings and instead introduced 2 factory functions.
804         + `Identifier::fromString(VM*/ExecState*, const String&)`.
805         Just constructs an Identifier from a string. The symbol-ness of StringImpl* is not kept.
806         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
807         This function is used for 2), `uid`. So the symbol-ness of `StringImpl*` is kept.
808
809         And to clean up `StringImpl` which is used as a uid,
810         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
811         1. StringNormal (non-atomic, non-symbol)
812         2. StringAtomic (atomic, non-symbol)
813         3. StringSymbol (non-atomic, symbol)
814         They are mutually exclusive. And the (atomic, symbol) case should not exist.
815
816         * API/JSCallbackObjectFunctions.h:
817         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
818         * API/JSObjectRef.cpp:
819         (JSObjectMakeFunction):
820         * API/OpaqueJSString.cpp:
821         (OpaqueJSString::identifier):
822         * bindings/ScriptFunctionCall.cpp:
823         (Deprecated::ScriptFunctionCall::call):
824         * builtins/BuiltinExecutables.cpp:
825         (JSC::BuiltinExecutables::createExecutableInternal):
826         * builtins/BuiltinNames.h:
827         (JSC::BuiltinNames::BuiltinNames):
828         * bytecompiler/BytecodeGenerator.cpp:
829         (JSC::BytecodeGenerator::BytecodeGenerator):
830         (JSC::BytecodeGenerator::emitThrowReferenceError):
831         (JSC::BytecodeGenerator::emitThrowTypeError):
832         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
833         (JSC::BytecodeGenerator::emitEnumeration):
834         * dfg/DFGDesiredIdentifiers.cpp:
835         (JSC::DFG::DesiredIdentifiers::reallyAdd):
836         * inspector/JSInjectedScriptHost.cpp:
837         (Inspector::JSInjectedScriptHost::functionDetails):
838         (Inspector::constructInternalProperty):
839         (Inspector::JSInjectedScriptHost::weakMapEntries):
840         (Inspector::JSInjectedScriptHost::iteratorEntries):
841         * inspector/JSInjectedScriptHostPrototype.cpp:
842         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
843         * inspector/JSJavaScriptCallFramePrototype.cpp:
844         * inspector/ScriptCallStackFactory.cpp:
845         (Inspector::extractSourceInformationFromException):
846         * jit/JITOperations.cpp:
847         * jsc.cpp:
848         (GlobalObject::finishCreation):
849         (GlobalObject::addFunction):
850         (GlobalObject::addConstructableFunction):
851         (functionRun):
852         (runWithScripts):
853         * llint/LLIntData.cpp:
854         (JSC::LLInt::Data::performAssertions):
855         * llint/LowLevelInterpreter.asm:
856         * parser/ASTBuilder.h:
857         (JSC::ASTBuilder::addVar):
858         * parser/Parser.cpp:
859         (JSC::Parser<LexerType>::parseInner):
860         (JSC::Parser<LexerType>::createBindingPattern):
861         * parser/ParserArena.h:
862         (JSC::IdentifierArena::makeIdentifier):
863         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
864         (JSC::IdentifierArena::makeNumericIdentifier):
865         * runtime/ArgumentsIteratorPrototype.cpp:
866         (JSC::ArgumentsIteratorPrototype::finishCreation):
867         * runtime/ArrayIteratorPrototype.cpp:
868         (JSC::ArrayIteratorPrototype::finishCreation):
869         * runtime/ArrayPrototype.cpp:
870         (JSC::ArrayPrototype::finishCreation):
871         (JSC::arrayProtoFuncPush):
872         * runtime/ClonedArguments.cpp:
873         (JSC::ClonedArguments::getOwnPropertySlot):
874         * runtime/CommonIdentifiers.cpp:
875         (JSC::CommonIdentifiers::CommonIdentifiers):
876         * runtime/CommonIdentifiers.h:
877         * runtime/Error.cpp:
878         (JSC::addErrorInfo):
879         (JSC::hasErrorInfo):
880         * runtime/ExceptionHelpers.cpp:
881         (JSC::createUndefinedVariableError):
882         * runtime/GenericArgumentsInlines.h:
883         (JSC::GenericArguments<Type>::getOwnPropertySlot):
884         * runtime/Identifier.h:
885         (JSC::Identifier::isSymbol):
886         (JSC::Identifier::Identifier):
887         (JSC::Identifier::from): Deleted.
888         * runtime/IdentifierInlines.h:
889         (JSC::Identifier::Identifier):
890         (JSC::Identifier::fromUid):
891         (JSC::Identifier::fromString):
892         * runtime/JSCJSValue.cpp:
893         (JSC::JSValue::dumpInContextAssumingStructure):
894         * runtime/JSCJSValueInlines.h:
895         (JSC::JSValue::toPropertyKey):
896         * runtime/JSGlobalObject.cpp:
897         (JSC::JSGlobalObject::init):
898         * runtime/JSLexicalEnvironment.cpp:
899         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
900         * runtime/JSObject.cpp:
901         (JSC::getClassPropertyNames):
902         (JSC::JSObject::reifyStaticFunctionsForDelete):
903         * runtime/JSObject.h:
904         (JSC::makeIdentifier):
905         * runtime/JSPromiseConstructor.cpp:
906         (JSC::JSPromiseConstructorFuncRace):
907         (JSC::JSPromiseConstructorFuncAll):
908         * runtime/JSString.h:
909         (JSC::JSString::toIdentifier):
910         * runtime/JSSymbolTableObject.cpp:
911         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
912         * runtime/LiteralParser.cpp:
913         (JSC::LiteralParser<CharType>::tryJSONPParse):
914         (JSC::LiteralParser<CharType>::makeIdentifier):
915         * runtime/Lookup.h:
916         (JSC::reifyStaticProperties):
917         * runtime/MapConstructor.cpp:
918         (JSC::constructMap):
919         * runtime/MapIteratorPrototype.cpp:
920         (JSC::MapIteratorPrototype::finishCreation):
921         * runtime/MapPrototype.cpp:
922         (JSC::MapPrototype::finishCreation):
923         * runtime/MathObject.cpp:
924         (JSC::MathObject::finishCreation):
925         * runtime/NumberConstructor.cpp:
926         (JSC::NumberConstructor::finishCreation):
927         * runtime/ObjectConstructor.cpp:
928         (JSC::ObjectConstructor::finishCreation):
929         * runtime/PrivateName.h:
930         (JSC::PrivateName::PrivateName):
931         * runtime/PropertyMapHashTable.h:
932         (JSC::PropertyTable::find):
933         (JSC::PropertyTable::get):
934         * runtime/PropertyName.h:
935         (JSC::PropertyName::PropertyName):
936         (JSC::PropertyName::publicName):
937         (JSC::PropertyName::asIndex):
938         * runtime/PropertyNameArray.cpp:
939         (JSC::PropertyNameArray::add):
940         * runtime/PropertyNameArray.h:
941         (JSC::PropertyNameArray::addKnownUnique):
942         * runtime/RegExpConstructor.cpp:
943         (JSC::RegExpConstructor::finishCreation):
944         * runtime/SetConstructor.cpp:
945         (JSC::constructSet):
946         * runtime/SetIteratorPrototype.cpp:
947         (JSC::SetIteratorPrototype::finishCreation):
948         * runtime/SetPrototype.cpp:
949         (JSC::SetPrototype::finishCreation):
950         * runtime/StringIteratorPrototype.cpp:
951         (JSC::StringIteratorPrototype::finishCreation):
952         * runtime/StringPrototype.cpp:
953         (JSC::StringPrototype::finishCreation):
954         * runtime/Structure.cpp:
955         (JSC::Structure::getPropertyNamesFromStructure):
956         * runtime/SymbolConstructor.cpp:
957         * runtime/VM.cpp:
958         (JSC::VM::throwException):
959         * runtime/WeakMapConstructor.cpp:
960         (JSC::constructWeakMap):
961
962 2015-03-31  Andreas Kling  <akling@apple.com>
963
964         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
965         <https://webkit.org/b/143210>
966
967         Reviewed by Geoffrey Garen.
968
969         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
970         we had a little problem where WeakBlocks with only null pointers would still keep their
971         MarkedBlock alive.
972
973         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
974         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
975         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
976         destroying them once they're fully dead.
977
978         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
979         a mysterious issue where doing two full garbage collections back-to-back would free additional
980         memory in the second collection.
981
982         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
983         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
984         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
985
986         * heap/Heap.h:
987         * heap/Heap.cpp:
988         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
989         owned by Heap, after everything else has been swept.
990
991         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
992         after a full garbage collection ends. Note that we don't do this after Eden collections, since
993         they are unlikely to cause entire WeakBlocks to go empty.
994
995         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
996         to the Heap when it's detached from a WeakSet.
997
998         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
999         of the logically empty WeakBlocks owned by Heap.
1000
1001         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1002         and updates the next-logically-empty-weak-block-to-sweep index.
1003
1004         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
1005         won't be another chance after this.
1006
1007         * heap/IncrementalSweeper.h:
1008         (JSC::IncrementalSweeper::hasWork): Deleted.
1009
1010         * heap/IncrementalSweeper.cpp:
1011         (JSC::IncrementalSweeper::fullSweep):
1012         (JSC::IncrementalSweeper::doSweep):
1013         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1014         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1015         changed to return a bool (true if there's more work to be done.)
1016
1017         * heap/WeakBlock.cpp:
1018         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
1019         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1020
1021         * heap/WeakBlock.h:
1022         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1023         if the WeakBlock could be detached from the MarkedBlock.
1024
1025         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1026         when declaring them.
1027
1028 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
1029
1030         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
1031         https://bugs.webkit.org/show_bug.cgi?id=142883
1032
1033         Reviewed by Filip Pizlo.
1034
1035         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
1036
1037         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
1038         in eval inside a derived class' constructor.
1039
1040         * bytecode/EvalCodeCache.h:
1041         (JSC::EvalCodeCache::getSlow):
1042         * bytecompiler/NodesCodegen.cpp:
1043         (JSC::ThisNode::emitBytecode):
1044         * debugger/DebuggerCallFrame.cpp:
1045         (JSC::DebuggerCallFrame::evaluate):
1046         * interpreter/Interpreter.cpp:
1047         (JSC::eval):
1048         * parser/ASTBuilder.h:
1049         (JSC::ASTBuilder::thisExpr):
1050         * parser/NodeConstructors.h:
1051         (JSC::ThisNode::ThisNode):
1052         * parser/Nodes.h:
1053         * parser/Parser.cpp:
1054         (JSC::Parser<LexerType>::Parser):
1055         (JSC::Parser<LexerType>::parsePrimaryExpression):
1056         * parser/Parser.h:
1057         (JSC::parse):
1058         * parser/ParserModes.h:
1059         * parser/SyntaxChecker.h:
1060         (JSC::SyntaxChecker::thisExpr):
1061         * runtime/CodeCache.cpp:
1062         (JSC::CodeCache::getGlobalCodeBlock):
1063         (JSC::CodeCache::getProgramCodeBlock):
1064         (JSC::CodeCache::getEvalCodeBlock):
1065         * runtime/CodeCache.h:
1066         (JSC::SourceCodeKey::SourceCodeKey):
1067         * runtime/Executable.cpp:
1068         (JSC::EvalExecutable::create):
1069         * runtime/Executable.h:
1070         * runtime/JSGlobalObject.cpp:
1071         (JSC::JSGlobalObject::createEvalCodeBlock):
1072         * runtime/JSGlobalObject.h:
1073         * runtime/JSGlobalObjectFunctions.cpp:
1074         (JSC::globalFuncEval):
1075         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
1076         * tests/stress/class-syntax-tdz-in-eval.js: Added.
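
The behaviour the two new tests above cover, as an added JavaScript example (not WebKit's test files): accessing `this` in a derived-class constructor before `super()` must throw a ReferenceError whether the access is written directly or goes through a direct eval, it must succeed after `super()`, and a base-class constructor has no such dead zone. The class and property names are this example's own.

```javascript
// Added example, not WebKit code: the TDZ for `this` in derived constructors,
// reached directly and through direct eval. An engine that skipped the TDZ
// check for the eval form (the crash fixed above) must instead throw here.

function accessThisBeforeSuper(viaEval) {
  class Base {}
  class Derived extends Base {
    constructor() {
      // `this` is uninitialized until super() returns.
      if (viaEval) {
        eval("this.foo");  // direct eval resolves `this` in this constructor's scope
      } else {
        this.foo;
      }
      super();
    }
  }
  try {
    new Derived();
    return "no error";
  } catch (e) {
    return e.constructor.name;  // expected: "ReferenceError"
  }
}

function accessThisAfterSuper() {
  class Base { constructor() { this.foo = 42; } }
  class Derived extends Base {
    constructor() {
      super();
      this.viaEval = eval("this.foo");  // allowed: super() has run
    }
  }
  return new Derived().viaEval;
}

// A base-class constructor binds `this` on entry, so eval("this") is fine anywhere in it.
function baseClassHasNoTdz() {
  class Base {
    constructor() { this.self = eval("this"); }
  }
  const b = new Base();
  return b.self === b;
}
```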
1077
1078 2015-03-31  Commit Queue  <commit-queue@webkit.org>
1079
1080         Unreviewed, rolling out r182186.
1081         https://bugs.webkit.org/show_bug.cgi?id=143270
1082
1083         it crashes all the WebGL tests on the Debug bots (Requested by
1084         dino on #webkit).
1085
1086         Reverted changeset:
1087
1088         "Web Inspector: add 2D/WebGL canvas instrumentation
1089         infrastructure"
1090         https://bugs.webkit.org/show_bug.cgi?id=137278
1091         http://trac.webkit.org/changeset/182186
1092
1093 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1094
1095         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
1096         https://bugs.webkit.org/show_bug.cgi?id=142937
1097
1098         Reviewed by Darin Adler.
1099
1100         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
1101         In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
1102         But now, several functions perform ToObject on a non-object parameter.
1103         And others behave as if the parameter were a non-extensible ordinary object with no own properties.
1104         It is described in ES6 Annex E.
1105         The functions that differ from ES5 are the following.
1106 
1107         1. An attempt is made to coerce the argument using ToObject.
1108             Object.getOwnPropertyDescriptor
1109             Object.getOwnPropertyNames
1110             Object.getPrototypeOf
1111             Object.keys
1112
1113         2. Treated as if it was a non-extensible ordinary object with no own properties.
1114             Object.freeze
1115             Object.isExtensible
1116             Object.isFrozen
1117             Object.isSealed
1118             Object.preventExtensions
1119             Object.seal
1120
1121         * runtime/ObjectConstructor.cpp:
1122         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1123         (JSC::objectConstructorGetPrototypeOf):
1124         (JSC::objectConstructorGetOwnPropertyDescriptor):
1125         (JSC::objectConstructorGetOwnPropertyNames):
1126         (JSC::objectConstructorKeys):
1127         (JSC::objectConstructorSeal):
1128         (JSC::objectConstructorFreeze):
1129         (JSC::objectConstructorPreventExtensions):
1130         (JSC::objectConstructorIsSealed):
1131         (JSC::objectConstructorIsFrozen):
1132         (JSC::objectConstructorIsExtensible):
1133         * tests/stress/object-freeze-accept-non-object.js: Added.
1134         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
1135         (canary):
1136         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
1137         (compare):
1138         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
1139         * tests/stress/object-is-extensible-accept-non-object.js: Added.
1140         * tests/stress/object-is-frozen-accept-non-object.js: Added.
1141         * tests/stress/object-is-sealed-accept-non-object.js: Added.
1142         * tests/stress/object-keys-perform-to-object.js: Added.
1143         (compare):
1144         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
1145         * tests/stress/object-seal-accept-non-object.js: Added.
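
The two groups listed in this entry, as an added JavaScript example (not WebKit's stress tests): group 1 wraps primitives via ToObject and therefore still rejects null and undefined with a TypeError, while group 2 treats any non-object, null included, as a non-extensible object with no own properties. The function names and the sample values are this example's own.

```javascript
// Added example, not WebKit code: ES6 behaviour of Object.* functions on
// non-object arguments, split into the two groups from the ChangeLog.

// Group 1: the argument is coerced with ToObject, so a string becomes a
// String wrapper with indexed properties and a length.
function coerced() {
  return {
    keysOfString: Object.keys("ab"),                     // own enumerable keys: "0", "1"
    namesOfString: Object.getOwnPropertyNames("ab"),     // adds the non-enumerable "length"
    protoOfNumber: Object.getPrototypeOf(1) === Number.prototype,
    lengthOfString: Object.getOwnPropertyDescriptor("ab", "length").value,
  };
}

// ToObject(null) and ToObject(undefined) throw, so group 1 still raises
// TypeError for them; only other primitives are accepted now.
function coercionRejectsNull() {
  const results = [];
  const fns = [
    Object.keys,
    Object.getOwnPropertyNames,
    Object.getPrototypeOf,
    (v) => Object.getOwnPropertyDescriptor(v, "x"),
  ];
  for (const fn of fns) {
    try { fn(null); results.push("no error"); } catch (e) { results.push(e.constructor.name); }
  }
  return results;
}

// Group 2: the value is treated as a non-extensible ordinary object with no
// own properties. freeze/seal/preventExtensions return it unchanged and the
// predicates answer as they would for such an object.
function treatedAsNonExtensible(value) {
  return {
    freezeReturnsSame: Object.freeze(value) === value,
    sealReturnsSame: Object.seal(value) === value,
    preventReturnsSame: Object.preventExtensions(value) === value,
    isExtensible: Object.isExtensible(value),   // false
    isFrozen: Object.isFrozen(value),           // true
    isSealed: Object.isSealed(value),           // true
  };
}
```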
1146
1147 2015-03-31  Matt Baker  <mattbaker@apple.com>
1148
1149         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
1150         https://bugs.webkit.org/show_bug.cgi?id=137278
1151
1152         Reviewed by Timothy Hatcher.
1153
1154         Added Canvas protocol which defines types used by InspectorCanvasAgent.
1155
1156         * CMakeLists.txt:
1157         * DerivedSources.make:
1158         * inspector/protocol/Canvas.json: Added.
1159
1160         * inspector/scripts/codegen/generator.py:
1161         (Generator.stylized_name_for_enum_value):
1162         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
1163
1164 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
1165
1166         Extending null should set __proto__ to null
1167         https://bugs.webkit.org/show_bug.cgi?id=142882
1168
1169         Reviewed by Geoffrey Garen and Benjamin Poulain.
1170
1171         Set Derived.prototype.__proto__ to null when extending null.
1172
1173         * bytecompiler/NodesCodegen.cpp:
1174         (JSC::ClassExprNode::emitBytecode):
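
What "extending null" leaves behind, as an added JavaScript example (not from the WebKit change): the internal [[Prototype]] of Derived.prototype is null, which also means the `__proto__` accessor inherited from Object.prototype is no longer reachable, so reading `Derived.prototype.__proto__` yields undefined rather than null. The class name is this example's own.

```javascript
// Added example, not WebKit code: the shape produced by `class D extends null`.
function extendsNullShape() {
  class Derived extends null {}
  return {
    // [[Prototype]] of Derived.prototype is null (what the entry sets).
    prototypeChainEndsAtNull: Object.getPrototypeOf(Derived.prototype) === null,
    // The __proto__ accessor lives on Object.prototype, which is not on the
    // chain any more, so the plain property read returns undefined.
    dunderProtoIsUndefined: Derived.prototype.__proto__ === undefined,
    // Nothing from Object.prototype is inherited, not even toString.
    inheritsNoToString: !("toString" in Derived.prototype),
    // The constructor function itself still inherits from Function.prototype.
    constructorChainIntact: Object.getPrototypeOf(Derived) === Function.prototype,
  };
}
```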
1175
1176 2015-03-30  Mark Lam  <mark.lam@apple.com>
1177
1178         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
1179         <https://webkit.org/b/143105>
1180
1181         Reviewed by Filip Pizlo.
1182
1183         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
1184         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
1185         JIT frames that may have their scope register not set.  The Debugger's current implementation
1186         which relies on the scope register is not happy about this.  For example, this results in a
1187         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
1188
1189         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
1190         ensure that the scope register value is flushed to the register in the stack frame.
1191
1192         * dfg/DFGByteCodeParser.cpp:
1193         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1194         (JSC::DFG::ByteCodeParser::setLocal):
1195         (JSC::DFG::ByteCodeParser::flush):
1196         - Add code to flush the scope register.
1197         (JSC::DFG::ByteCodeParser::inliningCost):
1198         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
1199           disabling inlining whenever the debugger is in use.
1200         * dfg/DFGGraph.cpp:
1201         (JSC::DFG::Graph::Graph):
1202         * dfg/DFGGraph.h:
1203         (JSC::DFG::Graph::hasDebuggerEnabled):
1204         * dfg/DFGStackLayoutPhase.cpp:
1205         (JSC::DFG::StackLayoutPhase::run):
1206         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
1207         * ftl/FTLCompile.cpp:
1208         (JSC::FTL::mmAllocateDataSection):
1209         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
1210
1211 2015-03-30  Michael Saboff  <msaboff@apple.com>
1212
1213         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
1214         https://bugs.webkit.org/show_bug.cgi?id=138391
1215
1216         Reviewed by Mark Lam.
1217
1218         Re-enabling these tests as I can't get them to fail on local iOS test devices.
1219         There have been many changes since these tests were disabled.
1220         I'll watch automated test results for failures.  If there are failures running automated
1221         testing, it might be due to the device's relative CPU performance.
1222         
1223         * tests/stress/float32-repeat-out-of-bounds.js:
1224         * tests/stress/int8-repeat-out-of-bounds.js:
1225
1226 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
1227
1228         Web Inspector: Regression: Preview for [[null]] shouldn't be []
1229         https://bugs.webkit.org/show_bug.cgi?id=143208
1230
1231         Reviewed by Mark Lam.
1232
1233         * inspector/InjectedScriptSource.js:
1234         Handle null when generating simple object previews.
1235
1236 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
1237
1238         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
1239         https://bugs.webkit.org/show_bug.cgi?id=143134
1240
1241         Reviewed by Geoffrey Garen.
1242
1243         * jit/JSInterfaceJIT.h:
1244         * jit/Repatch.cpp:
1245         (JSC::tryCacheGetByID):
1246
1247 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
1248
1249         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
1250         https://bugs.webkit.org/show_bug.cgi?id=143104
1251
1252         Reviewed by Geoffrey Garen.
1253         
1254         Created a test that is a 100% repro of the flaky failure. This test is called
1255         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
1256         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
1257         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
1258         
1259         Also created three more tests for three similar, but not identical, failures.
1260         
1261         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
1262         only reading those parts of the stack that are relevant to the current semantic code origin.
1263         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
1264         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
1265         read parts of the stack associated with the inline call frame for the phantom arguments. This
1266         may not be subsumed by the current semantic origin's stack area in cases that the arguments
1267         were allowed to "locally" escape.
1268         
1269         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
1270         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
1271         the stack due to function.arguments, but there are a bunch of other ways that we could also
1272         read the stack and those operations may read any stack slot. I believe that this change makes
1273         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
1274         on node type. In the future, if we add a read(Stack) to Clobberize, we'll have to make sure that
1275         readTop() in PreciseLocalClobberize does the right thing.
1276
1277         * dfg/DFGClobberize.h:
1278         (JSC::DFG::clobberize):
1279         * dfg/DFGPreciseLocalClobberize.h:
1280         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1281         * dfg/DFGPutStackSinkingPhase.cpp:
1282         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
1283         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
1284         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
1285         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
1286         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
1287
1288 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
1289
1290         Start the features.json files
1291         https://bugs.webkit.org/show_bug.cgi?id=143207
1292
1293         Reviewed by Darin Adler.
1294
1295         Start the features.json files to have something to experiment
1296         with for the UI.
1297
1298         * features.json: Added.
1299
1300 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1301
1302         [Win] Addressing post-review comment after r182122
1303         https://bugs.webkit.org/show_bug.cgi?id=143189
1304
1305         Unreviewed.
1306
1307 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1308
1309         [Win] Allow building JavaScriptCore without Cygwin
1310         https://bugs.webkit.org/show_bug.cgi?id=143189
1311
1312         Reviewed by Brent Fulgham.
1313
1314         Paths like /usr/bin/ don't exist on Windows.
1315         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
1316         Prefixing commands with environment variables doesn't work on Windows.
1317         Windows doesn't have 'cmp'.
1318         Windows uses 'del' instead of 'rm'.
1319         Windows uses 'type NUL' instead of 'touch'.
1320
1321         * DerivedSources.make:
1322         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1323         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1324         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
1325         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1326         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
1327         * JavaScriptCore.vcxproj/build-generated-files.pl:
1328         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
1329
1330 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
1331
1332         Clean up JavaScriptCore/builtins
1333         https://bugs.webkit.org/show_bug.cgi?id=143177
1334
1335         Reviewed by Ryosuke Niwa.
1336
1337         * builtins/ArrayConstructor.js:
1338         (from):
1339         - We can compare to undefined instead of using a typeof undefined check.
1340         - Converge on double quoted strings everywhere.
1341
1342         * builtins/ArrayIterator.prototype.js:
1343         (next):
1344         * builtins/StringIterator.prototype.js:
1345         (next):
1346         - Use shorthand object construction to avoid duplication.
1347         - Improve grammar in error messages.
1348
1349         * tests/stress/array-iterators-next-with-call.js:
1350         * tests/stress/string-iterators.js:
1351         - Update for new error message strings.
1352
1353 2015-03-28  Saam Barati  <saambarati1@gmail.com>
1354
1355         Web Inspector: ES6: Better support for Symbol types in Type Profiler
1356         https://bugs.webkit.org/show_bug.cgi?id=141257
1357
1358         Reviewed by Joseph Pecoraro.
1359
1360         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
1361         type profiler support this new primitive type.
1362
1363         * dfg/DFGFixupPhase.cpp:
1364         (JSC::DFG::FixupPhase::fixupNode):
1365         * inspector/protocol/Runtime.json:
1366         * runtime/RuntimeType.cpp:
1367         (JSC::runtimeTypeForValue):
1368         * runtime/RuntimeType.h:
1369         (JSC::runtimeTypeIsPrimitive):
1370         * runtime/TypeSet.cpp:
1371         (JSC::TypeSet::addTypeInformation):
1372         (JSC::TypeSet::dumpTypes):
1373         (JSC::TypeSet::doesTypeConformTo):
1374         (JSC::TypeSet::displayName):
1375         (JSC::TypeSet::inspectorTypeSet):
1376         (JSC::TypeSet::toJSONString):
1377         * runtime/TypeSet.h:
1378         (JSC::TypeSet::seenTypes):
1379         * tests/typeProfiler/driver/driver.js:
1380         * tests/typeProfiler/symbol.js: Added.
1381         (wrapper.foo):
1382         (wrapper.bar):
1383         (wrapper.bar.bar.baz):
1384         (wrapper):
1385
1386 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1387
1388         Deconstruction parameters are bound too late
1389         https://bugs.webkit.org/show_bug.cgi?id=143148
1390
1391         Reviewed by Filip Pizlo.
1392
1393         Currently, a deconstruction pattern named with the same
1394         name as a function will shadow the function. This is
1395         wrong. It should be the other way around.
1396
1397         * bytecompiler/BytecodeGenerator.cpp:
1398         (JSC::BytecodeGenerator::generate):
1399
1400 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1401
1402         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
1403         https://bugs.webkit.org/show_bug.cgi?id=143170
1404
1405         Reviewed by Benjamin Poulain.
1406
1407         Assert that we never use the 16-bit version of the parser to parse a default constructor
1408         since both base and derived default constructors should be using an 8-bit string.
1409
1410         * parser/Parser.h:
1411         (JSC::parse):
1412
1413 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1414
1415         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
1416         https://bugs.webkit.org/show_bug.cgi?id=142862
1417
1418         Reviewed by Benjamin Poulain.
1419
1420         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
1421
1422         * tests/stress/class-syntax-derived-default-constructor.js: Added.
1423
1424 2015-03-27  Michael Saboff  <msaboff@apple.com>
1425
1426         load8Signed() and load16Signed() should be renamed to avoid confusion
1427         https://bugs.webkit.org/show_bug.cgi?id=143168
1428
1429         Reviewed by Benjamin Poulain.
1430
1431         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
1432
1433         * assembler/MacroAssemblerARM.h:
1434         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
1435         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
1436         (JSC::MacroAssemblerARM::load8Signed): Deleted.
1437         (JSC::MacroAssemblerARM::load16Signed): Deleted.
1438         * assembler/MacroAssemblerARM64.h:
1439         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
1440         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
1441         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
1442         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
1443         * assembler/MacroAssemblerARMv7.h:
1444         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
1445         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
1446         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
1447         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
1448         * assembler/MacroAssemblerMIPS.h:
1449         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1450         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1451         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
1452         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
1453         * assembler/MacroAssemblerSH4.h:
1454         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
1455         (JSC::MacroAssemblerSH4::load8):
1456         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
1457         (JSC::MacroAssemblerSH4::load16):
1458         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
1459         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
1460         * assembler/MacroAssemblerX86Common.h:
1461         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
1462         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
1463         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
1464         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
1465         * dfg/DFGSpeculativeJIT.cpp:
1466         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1467         * jit/JITPropertyAccess.cpp:
1468         (JSC::JIT::emitIntTypedArrayGetByVal):
1469
1470 2015-03-27  Michael Saboff  <msaboff@apple.com>
1471
1472         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
1473         https://bugs.webkit.org/show_bug.cgi?id=138390
1474
1475         Reviewed by Mark Lam.
1476
1477         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
1478         instead of 64 bits.  This is what X86-64 does.
1479
1480         * assembler/MacroAssemblerARM64.h:
1481         (JSC::MacroAssemblerARM64::load16Signed):
1482         (JSC::MacroAssemblerARM64::load8Signed):
1483
1484 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1485
1486         Add back previously broken assert from bug 141869
1487         https://bugs.webkit.org/show_bug.cgi?id=143005
1488
1489         Reviewed by Michael Saboff.
1490
1491         * runtime/ExceptionHelpers.cpp:
1492         (JSC::invalidParameterInSourceAppender):
1493
1494 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1495
1496         Make some more objects use FastMalloc
1497         https://bugs.webkit.org/show_bug.cgi?id=143122
1498
1499         Reviewed by Csaba Osztrogonác.
1500
1501         * API/JSCallbackObject.h:
1502         * heap/IncrementalSweeper.h:
1503         * jit/JITThunks.h:
1504         * runtime/JSGlobalObjectDebuggable.h:
1505         * runtime/RegExpCache.h:
1506
1507 2015-03-27  Michael Saboff  <msaboff@apple.com>
1508
1509         Objects with numeric properties intermittently get a phantom 'length' property
1510         https://bugs.webkit.org/show_bug.cgi?id=142792
1511
1512         Reviewed by Csaba Osztrogonác.
1513
1514         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
1515         test and branch instructions.  This function is used for linking tbz/tbnz branches between
1516         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
1517         the failure case checks in the GetById array length stub created for "obj.length" access.
1518         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
1519         being set when we should have been looking for bit 0.
1520
1521         * assembler/ARM64Assembler.h:
1522         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
1523
1524 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1525
1526         Insert exception check around toPropertyKey call
1527         https://bugs.webkit.org/show_bug.cgi?id=142922
1528
1529         Reviewed by Geoffrey Garen.
1530
1531         In some places, an exception check is missing after/before toPropertyKey.
1532         However, since it calls toString, it's observable to users.
1533
1534         Missing exception checks in Object.prototype methods can be
1535         observed since it would be overridden with toObject(null/undefined) errors.
1536         We inserted exception checks after toPropertyKey.
1537
1538         Missing exception checks in GetById related code can be
1539         observed since it would be overridden with toObject(null/undefined) errors.
1540         In this case, we need to insert exception checks before/after toPropertyKey
1541         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
1542
1543         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
1544         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
1545         According to the spec, we first perform RequireObjectCoercible and check the exception.
1546         And second, we perform ToPropertyKey and check the exception.
1547         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
1548         For example, if the target is not object coercible,
1549         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
1550         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
1551
1552         This patch introduces JSValue::requireObjectCoercible and uses it because of the following 2 reasons.
1553
1554         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
1555
1556         toObject converts primitive types into wrapper objects.
1557         But it is not efficient since wrapper objects are not necessary
1558         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
1559
1560         2. Using the result of toObject is not correct to the spec.
1561
1562         To align to the spec correctly, we cannot use JSObject::get
1563         by using the wrapper object produced by the toObject suggested in (1).
1564         If we use the JSObject that is converted by toObject, the getter will be called by using this JSObject as |this|.
1565         It is not correct since getter should be called with the original |this| value that may be primitive types.
1566
1567         So in this patch, we use JSValue::requireObjectCoercible
1568         to check the target is object coercible and raise an error if it's not.
1569
1570         * dfg/DFGOperations.cpp:
1571         * jit/JITOperations.cpp:
1572         (JSC::getByVal):
1573         * llint/LLIntSlowPaths.cpp:
1574         (JSC::LLInt::getByVal):
1575         * runtime/CommonSlowPaths.cpp:
1576         (JSC::SLOW_PATH_DECL):
1577         * runtime/JSCJSValue.h:
1578         * runtime/JSCJSValueInlines.h:
1579         (JSC::JSValue::requireObjectCoercible):
1580         * runtime/ObjectPrototype.cpp:
1581         (JSC::objectProtoFuncHasOwnProperty):
1582         (JSC::objectProtoFuncDefineGetter):
1583         (JSC::objectProtoFuncDefineSetter):
1584         (JSC::objectProtoFuncLookupGetter):
1585         (JSC::objectProtoFuncLookupSetter):
1586         (JSC::objectProtoFuncPropertyIsEnumerable):
1587         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
1588         (shouldThrow):
1589         (if):
1590         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
1591         (shouldThrow):
1592         (.):
1593
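The ordering the entry above describes, as an added illustration that is not JavaScriptCore code and not from the entry's author: a small JavaScript model of RequireObjectCoercible, ToPropertyKey and Get, with the spec-ordered lookup beside the pre-fix shape. The function names (getByValSpec, getByValOld, observeOrder, getterReceiverType), the probe key and the Number.prototype getter are all constructed for this example.

```javascript
// Added illustration, not JavaScriptCore code: models the ES6 order of
// observable operations for `base[key]` described in the entry above.
//   1. RequireObjectCoercible(base)  throws TypeError for null/undefined
//   2. ToPropertyKey(key)            may run user code (toString/valueOf)
//   3. Get(base, key)                the getter must see the original |this|
// All names below are constructed for this example.

function requireObjectCoercible(value) {
  if (value === null || value === undefined) {
    throw new TypeError("value is null or undefined, not object coercible");
  }
  return value;
}

function toPropertyKey(value) {
  // Symbols are already keys; anything else goes through ToString, which is
  // where the user-visible toString/valueOf hooks run.
  return typeof value === "symbol" ? value : String(value);
}

// Spec-ordered lookup: coercibility is checked before any user code can run,
// and the primitive base (not a wrapper) is passed as the getter receiver.
function getByValSpec(base, key) {
  requireObjectCoercible(base);
  const propertyKey = toPropertyKey(key);
  return Reflect.get(Object(base), propertyKey, base);
}

// Pre-fix shape the entry warns about: ToPropertyKey runs first (its side
// effects leak even for a null base), and the lookup goes through the
// toObject wrapper, so a getter sees the wrapper as |this|.
function getByValOld(base, key) {
  const propertyKey = toPropertyKey(key);
  const wrapper = Object(requireObjectCoercible(base));
  return wrapper[propertyKey];
}

// Runs a lookup with a constructed probe key whose toString records that
// ToPropertyKey reached user code, and reports what was observable.
function observeOrder(lookup, base) {
  const log = [];
  const probeKey = { toString() { log.push("toString"); return "prop"; } };
  try {
    return { log, error: null, result: lookup(base, probeKey) };
  } catch (e) {
    return { log, error: e.constructor.name, result: undefined };
  }
}

// Point (2) of the entry: install a strict-mode getter on Number.prototype
// and report what |this| the lookup hands it ("number" vs "object").
function getterReceiverType(lookup) {
  Object.defineProperty(Number.prototype, "selfType", {
    configurable: true,
    get() { "use strict"; return typeof this; },
  });
  try {
    return lookup(42, "selfType");
  } finally {
    delete Number.prototype.selfType;
  }
}

// Stand-alone demonstration.
console.log(observeOrder(getByValSpec, null)); // TypeError, toString not run
console.log(observeOrder(getByValOld, null));  // TypeError, but toString ran
console.log(getterReceiverType(getByValSpec)); // "number"
console.log(getterReceiverType(getByValOld));  // "object"
```

With a null base the spec-ordered lookup throws before the probe key's toString ever runs, while the old shape runs user code first and only then throws; with a primitive base the spec-ordered lookup hands the getter the primitive itself rather than the toObject wrapper.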
1594 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1595
1596         WebContent Crash when instantiating class with Type Profiling enabled
1597         https://bugs.webkit.org/show_bug.cgi?id=143037
1598
1599         Reviewed by Ryosuke Niwa.
1600
1601         * bytecompiler/BytecodeGenerator.h:
1602         * bytecompiler/BytecodeGenerator.cpp:
1603         (JSC::BytecodeGenerator::BytecodeGenerator):
1604         (JSC::BytecodeGenerator::emitMoveEmptyValue):
1605         We cannot profile the type of an uninitialized empty JSValue.
1606         Nor do we expect this to be necessary, since it is effectively
1607         an unseen undefined value. So add a way to put the empty value
1608         without profiling.
1609
1610         (JSC::BytecodeGenerator::emitMove):
1611         Add an assert to try to catch this issue early on, and force
1612         callers to explicitly use emitMoveEmptyValue instead.
1613
1614         * tests/typeProfiler/classes.js: Added.
1615         (wrapper.Base):
1616         (wrapper.Derived):
1617         (wrapper):
1618         Add test coverage both for this case and classes in general.
1619
1620 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1621
1622         Web Inspector: ES6: Provide a better view for Classes in the console
1623         https://bugs.webkit.org/show_bug.cgi?id=142999
1624
1625         Reviewed by Timothy Hatcher.
1626
1627         * inspector/protocol/Runtime.json:
1628         Provide a new `subtype` enum "class". This is a subtype of `type`
1629         "function", all other subtypes are subtypes of `object` types.
1630         For a class, the frontend will immediately want to get the prototype
1631         to enumerate its methods, so include the `classPrototype`.
1632
1633         * inspector/JSInjectedScriptHost.cpp:
1634         (Inspector::JSInjectedScriptHost::subtype):
1635         Denote class construction functions as "class" subtypes.
1636
1637         * inspector/InjectedScriptSource.js:
1638         Handling for the new "class" type.
1639
1640         * bytecode/UnlinkedCodeBlock.h:
1641         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
1642         * runtime/Executable.h:
1643         (JSC::FunctionExecutable::isClassConstructorFunction):
1644         * runtime/JSFunction.h:
1645         * runtime/JSFunctionInlines.h:
1646         (JSC::JSFunction::isClassConstructorFunction):
1647         Check if this function is a class constructor function. That information
1648         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
1649
1650 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1651
1652         Function.prototype.toString should not decompile the AST
1653         https://bugs.webkit.org/show_bug.cgi?id=142853
1654
1655         Reviewed by Darin Adler.
1656
1657         Following up on Darin's review comments.
1658
1659         * runtime/FunctionConstructor.cpp:
1660         (JSC::constructFunctionSkippingEvalEnabledCheck):
1661
1662 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1663
1664         "lineNo" does not match WebKit coding style guidelines
1665         https://bugs.webkit.org/show_bug.cgi?id=143119
1666
1667         Reviewed by Michael Saboff.
1668
1669         We can afford to use whole words.
1670
1671         * bytecode/CodeBlock.cpp:
1672         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1673         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
1674         * bytecode/UnlinkedCodeBlock.cpp:
1675         (JSC::UnlinkedFunctionExecutable::link):
1676         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1677         * bytecode/UnlinkedCodeBlock.h:
1678         * bytecompiler/NodesCodegen.cpp:
1679         (JSC::WhileNode::emitBytecode):
1680         * debugger/Debugger.cpp:
1681         (JSC::Debugger::toggleBreakpoint):
1682         * interpreter/Interpreter.cpp:
1683         (JSC::StackFrame::computeLineAndColumn):
1684         (JSC::GetStackTraceFunctor::operator()):
1685         (JSC::Interpreter::execute):
1686         * interpreter/StackVisitor.cpp:
1687         (JSC::StackVisitor::Frame::computeLineAndColumn):
1688         * parser/Nodes.h:
1689         (JSC::Node::firstLine):
1690         (JSC::Node::lineNo): Deleted.
1691         (JSC::StatementNode::firstLine): Deleted.
1692         * parser/ParserError.h:
1693         (JSC::ParserError::toErrorObject):
1694         * profiler/LegacyProfiler.cpp:
1695         (JSC::createCallIdentifierFromFunctionImp):
1696         * runtime/CodeCache.cpp:
1697         (JSC::CodeCache::getGlobalCodeBlock):
1698         * runtime/Executable.cpp:
1699         (JSC::ScriptExecutable::ScriptExecutable):
1700         (JSC::ScriptExecutable::newCodeBlockFor):
1701         (JSC::FunctionExecutable::fromGlobalCode):
1702         * runtime/Executable.h:
1703         (JSC::ScriptExecutable::firstLine):
1704         (JSC::ScriptExecutable::setOverrideLineNumber):
1705         (JSC::ScriptExecutable::hasOverrideLineNumber):
1706         (JSC::ScriptExecutable::overrideLineNumber):
1707         (JSC::ScriptExecutable::lineNo): Deleted.
1708         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
1709         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
1710         (JSC::ScriptExecutable::overrideLineNo): Deleted.
1711         * runtime/FunctionConstructor.cpp:
1712         (JSC::constructFunctionSkippingEvalEnabledCheck):
1713         * runtime/FunctionConstructor.h:
1714         * tools/CodeProfile.cpp:
1715         (JSC::CodeProfile::report):
1716         * tools/CodeProfile.h:
1717         (JSC::CodeProfile::CodeProfile):
1718
1719 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1720
1721         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
1722         https://bugs.webkit.org/show_bug.cgi?id=142974
1723
1724         Reviewed by Joseph Pecoraro.
1725
1726         This patch does two things:
1727
1728         (1) Restore JavaScriptCore's sanitization of line and column numbers to
1729         one-based values.
1730
1731         We need this because WebCore sometimes provides huge negative column
1732         numbers.
1733
1734         (2) Solve the attribute event listener line numbering problem a different
1735         way: Rather than offsetting all line numbers by -1 in an attribute event
1736         listener in order to arrange for a custom result, instead use an explicit
1737         feature for saying "all errors in this code should map to this line number".
1738
1739         * bytecode/UnlinkedCodeBlock.cpp:
1740         (JSC::UnlinkedFunctionExecutable::link):
1741         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1742         * bytecode/UnlinkedCodeBlock.h:
1743         * interpreter/Interpreter.cpp:
1744         (JSC::StackFrame::computeLineAndColumn):
1745         (JSC::GetStackTraceFunctor::operator()):
1746         * interpreter/Interpreter.h:
1747         * interpreter/StackVisitor.cpp:
1748         (JSC::StackVisitor::Frame::computeLineAndColumn):
1749         * parser/ParserError.h:
1750         (JSC::ParserError::toErrorObject): Plumb through an override line number.
1751         When a function has an override line number, all syntax and runtime
1752         errors in the function will map to it. This is useful for attribute event
1753         listeners.
1754  
1755         * parser/SourceCode.h:
1756         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
1757         column numbers to one-based integers. It was kind of a hack to remove this.
1758
1759         * runtime/Executable.cpp:
1760         (JSC::ScriptExecutable::ScriptExecutable):
1761         (JSC::FunctionExecutable::fromGlobalCode):
1762         * runtime/Executable.h:
1763         (JSC::ScriptExecutable::setOverrideLineNo):
1764         (JSC::ScriptExecutable::hasOverrideLineNo):
1765         (JSC::ScriptExecutable::overrideLineNo):
1766         * runtime/FunctionConstructor.cpp:
1767         (JSC::constructFunctionSkippingEvalEnabledCheck):
1768         * runtime/FunctionConstructor.h: Plumb through an override line number.
1769
1770 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1771
1772         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
1773
1774         Reviewed by Michael Saboff.
1775
1776         * jit/JITPropertyAccess.cpp:
1777         (JSC::JIT::emitScopedArgumentsGetByVal):
1778         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
1779
1780 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1781
1782         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
1783         https://bugs.webkit.org/show_bug.cgi?id=143098
1784
1785         Reviewed by Csaba Osztrogonác.
1786
1787         * ftl/FTLLowerDFGToLLVM.cpp:
1788         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
1789         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
1790
1791 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
1792
1793         Unreviewed gardening, skip failing tests on AArch64 Linux.
1794
1795         * tests/mozilla/mozilla-tests.yaml:
1796         * tests/stress/cached-prototype-setter.js:
1797
1798 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1799
1800         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
1801
1802         * dfg/DFGConstantFoldingPhase.cpp:
1803         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
1804         * ftl/FTLCompile.cpp:
1805         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
1806         * ftl/FTLState.cpp:
1807         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
1808         * ftl/FTLState.h:
1809
1810 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1811
1812         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
1813         right, so this just makes 32-bit do the same.
1814
1815         * dfg/DFGSpeculativeJIT32_64.cpp:
1816         (JSC::DFG::SpeculativeJIT::emitCall):
1817
1818 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1819
1820         Fix a typo that ggaren found but that I didn't fix before.
1821
1822         * runtime/DirectArgumentsOffset.h:
1823
1824 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1825
1826         Unreviewed, VC found a bug. This fixes the bug.
1827
1828         * dfg/DFGConstantFoldingPhase.cpp:
1829         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1830
1831 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1832
1833         Unreviewed, try to fix Windows build.
1834
1835         * runtime/ClonedArguments.cpp:
1836         (JSC::ClonedArguments::createWithInlineFrame):
1837
1838 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1839
1840         Unreviewed, fix debug build.
1841
1842         * bytecompiler/NodesCodegen.cpp:
1843         (JSC::ConstDeclNode::emitCodeSingle):
1844
1845 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1846
1847         Unreviewed, fix CLOOP build.
1848
1849         * dfg/DFGMinifiedID.h:
1850
1851 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1852
1853         Heap variables shouldn't end up in the stack frame
1854         https://bugs.webkit.org/show_bug.cgi?id=141174
1855
1856         Reviewed by Geoffrey Garen.
1857         
1858         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
1859         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
1860         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
1861         simplifications:
1862         
1863         - Accesses to variables no longer need checks or indirections to determine where the variable is
1864           at that moment in time. For example, loading a closure variable now takes just one load instead
1865           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
1866           (when no arguments object allocation is required) while previously that same operation required
1867           a "did I allocate arguments yet" check, a bounds check, and then the load.
1868         
1869         - Reasoning about the allocation of an activation or arguments object now follows the same simple
1870           logic as the allocation of any other kind of object. Previously, those objects were lazily
1871           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
1872           allocate anything at all. This made the implementation of traditional escape analyses really
1873           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
1874           arguments object using the usual SSA tricks which allows for more comprehensive removal.
1875         
1876         - The allocations of arguments objects, functions, and activations are now much faster. While
1877           this patch generally expands our ability to eliminate arguments object allocations, an earlier
1878           version of the patch - which lacked that functionality - was a progression on some arguments-
1879           and closure-happy benchmarks because although no allocations were eliminated, all allocations
1880           were faster.
1881         
1882         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
1883           its arguments objects or activations. The runtime doesn't have to do things to the arguments
1884           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
1885           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
1886           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
1887           now gone. This also enables implementing block-scoping. Without this change, block-scope
1888           support would require telling CodeBlock and all of the rest of the runtime about all of the
1889           variables that store currently-live scopes. That would have been so disastrously hard that it
1890           might as well be impossible. With this change, it's fair game for the bytecode generator to
1891           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
1892           however long it wants. This all works, because after bytecode generation, an activation is just
1893           an object and variables that refer to it are just normal variables.
1894         
1895         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
1896           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
1897           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
1898           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
1899           an arguments object.
1900         
1901         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
1902           using activations used to prevent inlining; now functions that use activations can be inlined
1903           just fine.
1904         
1905         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
1906         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
1907         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
1908         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
1909         
1910         The easiest way of understanding this change is to start by looking at the changes in runtime/,
1911         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
1912
1913         * CMakeLists.txt:
1914         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1915         * JavaScriptCore.xcodeproj/project.pbxproj:
1916         * assembler/AbortReason.h:
1917         * assembler/AbstractMacroAssembler.h:
1918         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
1919         * bytecode/ByValInfo.h:
1920         (JSC::hasOptimizableIndexingForJSType):
1921         (JSC::hasOptimizableIndexing):
1922         (JSC::jitArrayModeForJSType):
1923         (JSC::jitArrayModePermitsPut):
1924         (JSC::jitArrayModeForStructure):
1925         * bytecode/BytecodeKills.h: Added.
1926         (JSC::BytecodeKills::BytecodeKills):
1927         (JSC::BytecodeKills::operandIsKilled):
1928         (JSC::BytecodeKills::forEachOperandKilledAt):
1929         (JSC::BytecodeKills::KillSet::KillSet):
1930         (JSC::BytecodeKills::KillSet::add):
1931         (JSC::BytecodeKills::KillSet::forEachLocal):
1932         (JSC::BytecodeKills::KillSet::contains):
1933         * bytecode/BytecodeList.json:
1934         * bytecode/BytecodeLivenessAnalysis.cpp:
1935         (JSC::isValidRegisterForLiveness):
1936         (JSC::stepOverInstruction):
1937         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
1938         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1939         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
1940         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1941         (JSC::BytecodeLivenessAnalysis::computeKills):
1942         (JSC::indexForOperand): Deleted.
1943         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
1944         (JSC::getLivenessInfo): Deleted.
1945         * bytecode/BytecodeLivenessAnalysis.h:
1946         * bytecode/BytecodeLivenessAnalysisInlines.h:
1947         (JSC::operandIsAlwaysLive):
1948         (JSC::operandThatIsNotAlwaysLiveIsLive):
1949         (JSC::operandIsLive):
1950         * bytecode/BytecodeUseDef.h:
1951         (JSC::computeUsesForBytecodeOffset):
1952         (JSC::computeDefsForBytecodeOffset):
1953         * bytecode/CodeBlock.cpp:
1954         (JSC::CodeBlock::dumpBytecode):
1955         (JSC::CodeBlock::CodeBlock):
1956         (JSC::CodeBlock::nameForRegister):
1957         (JSC::CodeBlock::validate):
1958         (JSC::CodeBlock::isCaptured): Deleted.
1959         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
        (JSC::CodeBlock::machineSlowArguments): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::unmodifiedArgumentsRegister): Deleted.
        (JSC::CodeBlock::setArgumentsRegister): Deleted.
        (JSC::CodeBlock::argumentsRegister): Deleted.
        (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
        (JSC::CodeBlock::usesArguments): Deleted.
        (JSC::CodeBlock::captureCount): Deleted.
        (JSC::CodeBlock::captureStart): Deleted.
        (JSC::CodeBlock::captureEnd): Deleted.
        (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
        (JSC::CodeBlock::hasSlowArguments): Deleted.
        (JSC::ExecState::argumentAfterCapture): Deleted.
        * bytecode/CodeOrigin.h:
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * bytecode/FullBytecodeLiveness.h:
        (JSC::FullBytecodeLiveness::getLiveness):
        (JSC::FullBytecodeLiveness::operandIsLive):
        (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
        (JSC::FullBytecodeLiveness::getOut): Deleted.
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Operands.h:
        (JSC::Operands::virtualRegisterForIndex):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        (JSC::isDirectArgumentsSpeculation):
        (JSC::isScopedArgumentsSpeculation):
        (JSC::isActionableMutableArraySpeculation):
        (JSC::isActionableArraySpeculation):
        (JSC::isArgumentsSpeculation): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
        (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
        * bytecode/ValueRecovery.cpp:
        (JSC::ValueRecovery::dumpInContext):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
        (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
        (JSC::ValueRecovery::nodeID):
        (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::operator==):
        (JSC::VirtualRegister::operator!=):
        (JSC::VirtualRegister::operator<):
        (JSC::VirtualRegister::operator>):
        (JSC::VirtualRegister::operator<=):
        (JSC::VirtualRegister::operator>=):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeNextParameter):
        (JSC::BytecodeGenerator::visibleNameForParameter):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::createVariable):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::initializeVariable):
        (JSC::BytecodeGenerator::emitInstanceOf):
        (JSC::BytecodeGenerator::emitNewFunction):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::isArgumentNumber):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::addVar): Deleted.
        (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
        (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
        (JSC::BytecodeGenerator::resolveCallee): Deleted.
        (JSC::BytecodeGenerator::addCallee): Deleted.
        (JSC::BytecodeGenerator::addParameter): Deleted.
        (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
        (JSC::BytecodeGenerator::isCaptured): Deleted.
        (JSC::BytecodeGenerator::local): Deleted.
        (JSC::BytecodeGenerator::constLocal): Deleted.
        (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
        (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
        (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
        (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
        (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Variable::Variable):
        (JSC::Variable::isResolved):
        (JSC::Variable::ident):
        (JSC::Variable::offset):
        (JSC::Variable::isLocal):
        (JSC::Variable::local):
        (JSC::Variable::isSpecial):
        (JSC::BytecodeGenerator::argumentsRegister):
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::registerFor):
        (JSC::Local::Local): Deleted.
        (JSC::Local::operator bool): Deleted.
        (JSC::Local::get): Deleted.
        (JSC::Local::isSpecial): Deleted.
        (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
        (JSC::ResolveScopeInfo::isLocal): Deleted.
        (JSC::ResolveScopeInfo::localIndex): Deleted.
        (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::captureMode): Deleted.
        (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
        (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
        (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
        (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ForInNode::tryGetBoundLocal):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ArrayPatternNode::emitDirectBinding):
        (JSC::BindingNode::bindValue):
        (JSC::getArgumentByVal): Deleted.
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
        * dfg/DFGAbstractValue.h:
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::addVariable):
        * dfg/DFGArgumentsEliminationPhase.cpp: Added.
        (JSC::DFG::performArgumentsElimination):
        * dfg/DFGArgumentsEliminationPhase.h: Added.
        * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
        * dfg/DFGArgumentsSimplificationPhase.h: Removed.
        * dfg/DFGArgumentsUtilities.cpp: Added.
        (JSC::DFG::argumentsInvolveStackSlot):
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGArgumentsUtilities.h: Added.
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        (JSC::DFG::ArrayMode::alreadyChecked):
        (JSC::DFG::arrayTypeToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::canCSEStorage):
        (JSC::DFG::ArrayMode::modeForPut):
        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::prune):
        * dfg/DFGAvailabilityMap.h:
        (JSC::DFG::AvailabilityMap::closeOverNodes):
        (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::newVariableAccessData):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flushDirect):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
        (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupportedForInlining):
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGDisassembler.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGForAllKills.h: Added.
        (JSC::DFG::forAllLiveNodesAtTail):
        (JSC::DFG::forAllDirectlyKilledOperands):
        (JSC::DFG::forAllKilledOperands):
        (JSC::DFG::forAllKilledNodesAtNodeIndex):
        (JSC::DFG::forAllKillsInBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::substituteGetLocal):
        (JSC::DFG::Graph::livenessFor):
        (JSC::DFG::Graph::killsFor):
        (JSC::DFG::Graph::tryGetConstantClosureVar):
        (JSC::DFG::Graph::tryGetRegisters): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::symbolTableFor):
        (JSC::DFG::Graph::uses):
        (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
        (JSC::DFG::Graph::capturedVarsFor): Deleted.
        (JSC::DFG::Graph::usesArguments): Deleted.
        (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
        (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
        (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGMinifiedID.h:
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasInlineCallFrame):
        (JSC::DFG::MinifiedNode::inlineCallFrame):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToIdentityOn):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasConstant):
        (JSC::DFG::Node::constant):
        (JSC::DFG::Node::hasScopeOffset):
        (JSC::DFG::Node::scopeOffset):
        (JSC::DFG::Node::hasDirectArgumentsOffset):
        (JSC::DFG::Node::capturedArgumentsOffset):
        (JSC::DFG::Node::variablePointer):
        (JSC::DFG::Node::hasCallVarargsData):
        (JSC::DFG::Node::hasLoadVarargsData):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::objectMaterializationData):
        (JSC::DFG::Node::isPhantomAllocation):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        (JSC::DFG::Node::shouldSpeculateDirectArguments):
        (JSC::DFG::Node::shouldSpeculateScopedArguments):
        (JSC::DFG::Node::isPhantomArguments): Deleted.
        (JSC::DFG::Node::hasVarNumber): Deleted.
        (JSC::DFG::Node::varNumber): Deleted.
        (JSC::DFG::Node::registerPointer): Deleted.
        (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
        * dfg/DFGOSRExitCompiler.h:
        (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
        (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
        (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
        (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::preciseLocalClobberize):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
        (JSC::DFG::forEachLocalReadByUnwind): Deleted.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
        * dfg/DFGPromoteHeapAccess.h:
        (JSC::DFG::promoteHeapAccess):
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        (JSC::DFG::SpeculativeJIT::emitGetLength):
        (JSC::DFG::SpeculativeJIT::emitGetCallee):
        (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
        (JSC::DFG::SpeculativeJIT::compilePutToArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
        (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVarargsForwardingPhase.cpp: Added.
        (JSC::DFG::performVarargsForwarding):
        * dfg/DFGVarargsForwardingPhase.h: Added.
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::flushFormat):
        (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldNeverUnbox):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::isCaptured): Deleted.
        (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
        (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
        * dfg/DFGVariableAccessDataDump.cpp:
        (JSC::DFG::VariableAccessDataDump::dump):
        * dfg/DFGVariableAccessDataDump.h:
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
        * dfg/DFGVariableEventStream.h:
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractField::dump):
        (JSC::FTL::IndexedAbstractHeap::dump):
        (JSC::FTL::NumberedAbstractHeap::dump):
        (JSC::FTL::AbsoluteAbstractHeap::dump):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitArgument.cpp:
        (JSC::FTL::ExitArgument::dump):
        * ftl/FTLExitPropertyValue.cpp:
        (JSC::FTL::ExitPropertyValue::withLocalsOffset):
        * ftl/FTLExitPropertyValue.h:
        * ftl/FTLExitTimeObjectMaterialization.cpp:
        (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
        (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
        * ftl/FTLExitTimeObjectMaterialization.h:
        (JSC::FTL::ExitTimeObjectMaterialization::origin):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::withLocalsOffset):
        (JSC::FTL::ExitValue::valueFormat):
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::isArgument):
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
        (JSC::FTL::ExitValue::valueFormat): Deleted.
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCallForwardVarargs):
        (JSC::FTL::sizeOfConstructForwardVarargs):
        (JSC::FTL::sizeOfICFor):
        * ftl/FTLInlineCacheSize.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::JSCallVarargs):
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLJSCallVarargs.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutStack):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
        (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
        (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
        (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
        (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
        (JSC::FTL::LowerDFGToLLVM::baseIndex):
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::loadStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
        (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileRecovery):
        (JSC::FTL::compileStub):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::zeroExtPtr):
        * heap/CopyToken.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::getArgumentUnsafe):
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        (JSC::unwindCallFrame):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        (JSC::StackVisitor::Frame::existingArguments): Deleted.
        * interpreter/StackVisitor.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::loadValue):
        (JSC::AssemblyHelpers::storeTrustedValue):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIsEmpty):
        (JSC::AssemblyHelpers::argumentsStart):
        (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
        (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
        (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgument):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::withTwoAvailableRegs):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_new_func):
        (JSC::JIT::emit_op_create_direct_arguments):
        (JSC::JIT::emit_op_create_scoped_arguments):
        (JSC::JIT::emit_op_create_out_of_band_arguments):
        (JSC::JIT::emit_op_tear_off_arguments): Deleted.
        (JSC::JIT::emit_op_create_arguments): Deleted.
        (JSC::JIT::emit_op_init_lazy_reg): Deleted.
        (JSC::JIT::emit_op_get_arguments_length): Deleted.
        (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
        (JSC::JIT::emit_op_get_argument_by_val): Deleted.
        (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_tear_off_arguments): Deleted.
        (JSC::JIT::emit_op_create_arguments): Deleted.
        (JSC::JIT::emit_op_init_lazy_reg): Deleted.
        (JSC::JIT::emit_op_get_arguments_length): Deleted.
        (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
        (JSC::JIT::emit_op_get_argument_by_val): Deleted.
        (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::emitDirectArgumentsGetByVal):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ScopeNode::captures):
        * runtime/Arguments.cpp: Removed.
        * runtime/Arguments.h: Removed.
        * runtime/ArgumentsMode.h: Added.
        * runtime/DirectArgumentsOffset.cpp: Added.
        (JSC::DirectArgumentsOffset::dump):
        * runtime/DirectArgumentsOffset.h: Added.
        (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/ConstantMode.cpp: Added.
        (WTF::printInternal):
        * runtime/ConstantMode.h:
        (JSC::modeForIsConstant):
        * runtime/DirectArguments.cpp: Added.
        (JSC::DirectArguments::DirectArguments):
        (JSC::DirectArguments::createUninitialized):
        (JSC::DirectArguments::create):
        (JSC::DirectArguments::createByCopying):
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::copyBackingStore):
        (JSC::DirectArguments::createStructure):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::overrideThingsIfNecessary):
        (JSC::DirectArguments::overrideArgument):
        (JSC::DirectArguments::copyToArguments):
        (JSC::DirectArguments::overridesSize):
        * runtime/DirectArguments.h: Added.
        (JSC::DirectArguments::internalLength):
        (JSC::DirectArguments::length):
        (JSC::DirectArguments::canAccessIndexQuickly):
        (JSC::DirectArguments::getIndexQuickly):
        (JSC::DirectArguments::setIndexQuickly):
        (JSC::DirectArguments::callee):
        (JSC::DirectArguments::argument):
        (JSC::DirectArguments::overrodeThings):
        (JSC::DirectArguments::offsetOfCallee):
        (JSC::DirectArguments::offsetOfLength):
        (JSC::DirectArguments::offsetOfMinCapacity):
        (JSC::DirectArguments::offsetOfOverrides):
        (JSC::DirectArguments::storageOffset):
        (JSC::DirectArguments::offsetOfSlot):
        (JSC::DirectArguments::allocationSize):
        (JSC::DirectArguments::storage):
        * runtime/FunctionPrototype.cpp:
        * runtime/GenericArguments.h: Added.
        (JSC::GenericArguments::GenericArguments):
        * runtime/GenericArgumentsInlines.h: Added.
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::putByIndex):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::deletePropertyByIndex):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        (JSC::GenericArguments<Type>::copyToArguments):
        * runtime/GenericOffset.h: Added.
        (JSC::GenericOffset::GenericOffset):
        (JSC::GenericOffset::operator!):
        (JSC::GenericOffset::offsetUnchecked):
        (JSC::GenericOffset::offset):
        (JSC::GenericOffset::operator==):
        (JSC::GenericOffset::operator!=):
        (JSC::GenericOffset::operator<):
        (JSC::GenericOffset::operator>):
        (JSC::GenericOffset::operator<=):
        (JSC::GenericOffset::operator>=):
        (JSC::GenericOffset::operator+):
        (JSC::GenericOffset::operator-):
        (JSC::GenericOffset::operator+=):
        (JSC::GenericOffset::operator-=):
        * runtime/JSArgumentsIterator.cpp:
        (JSC::JSArgumentsIterator::finishCreation):
        (JSC::argumentsFuncIterator):
        * runtime/JSArgumentsIterator.h:
        (JSC::JSArgumentsIterator::create):
        (JSC::JSArgumentsIterator::next):
        * runtime/JSEnvironmentRecord.cpp:
        (JSC::JSEnvironmentRecord::visitChildren):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::variables):
        (JSC::JSEnvironmentRecord::isValid):
        (JSC::JSEnvironmentRecord::variableAt):
        (JSC::JSEnvironmentRecord::offsetOfVariables):
        (JSC::JSEnvironmentRecord::offsetOfVariable):
        (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
        (JSC::JSEnvironmentRecord::allocationSize):
        (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
        (JSC::JSEnvironmentRecord::finishCreationUninitialized):
        (JSC::JSEnvironmentRecord::finishCreation):
        (JSC::JSEnvironmentRecord::registers): Deleted.
        (JSC::JSEnvironmentRecord::registerAt): Deleted.
        (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
        (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::addGlobalVar):
2636         (JSC::JSGlobalObject::addFunction):
2637         (JSC::JSGlobalObject::visitChildren):
2638         (JSC::JSGlobalObject::addStaticGlobals):
2639         * runtime/JSGlobalObject.h:
2640         (JSC::JSGlobalObject::directArgumentsStructure):
2641         (JSC::JSGlobalObject::scopedArgumentsStructure):
2642         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
2643         (JSC::JSGlobalObject::argumentsStructure): Deleted.
2644         * runtime/JSLexicalEnvironment.cpp:
2645         (JSC::JSLexicalEnvironment::symbolTableGet):
2646         (JSC::JSLexicalEnvironment::symbolTablePut):
2647         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2648         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2649         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
2650         * runtime/JSLexicalEnvironment.h:
2651         (JSC::JSLexicalEnvironment::create):
2652         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2653         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
2654         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
2655         (JSC::JSLexicalEnvironment::storage): Deleted.
2656         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
2657         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
2658         (JSC::JSLexicalEnvironment::isValid): Deleted.
2659         (JSC::JSLexicalEnvironment::registerAt): Deleted.
2660         * runtime/JSNameScope.cpp:
2661         (JSC::JSNameScope::visitChildren): Deleted.
2662         * runtime/JSNameScope.h:
2663         (JSC::JSNameScope::create):
2664         (JSC::JSNameScope::value):
2665         (JSC::JSNameScope::finishCreation):
2666         (JSC::JSNameScope::JSNameScope):
2667         * runtime/JSScope.cpp:
2668         (JSC::abstractAccess):
2669         * runtime/JSSegmentedVariableObject.cpp:
2670         (JSC::JSSegmentedVariableObject::findVariableIndex):
2671         (JSC::JSSegmentedVariableObject::addVariables):
2672         (JSC::JSSegmentedVariableObject::visitChildren):
2673         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
2674         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
2675         * runtime/JSSegmentedVariableObject.h:
2676         (JSC::JSSegmentedVariableObject::variableAt):
2677         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
2678         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
2679         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
2680         * runtime/JSSymbolTableObject.h:
2681         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
2682         (JSC::symbolTableGet):
2683         (JSC::symbolTablePut):
2684         (JSC::symbolTablePutWithAttributes):
2685         * runtime/JSType.h:
2686         * runtime/Options.h:
2687         * runtime/ClonedArguments.cpp: Added.
2688         (JSC::ClonedArguments::ClonedArguments):
2689         (JSC::ClonedArguments::createEmpty):
2690         (JSC::ClonedArguments::createWithInlineFrame):
2691         (JSC::ClonedArguments::createWithMachineFrame):
2692         (JSC::ClonedArguments::createByCopyingFrom):
2693         (JSC::ClonedArguments::createStructure):
2694         (JSC::ClonedArguments::getOwnPropertySlot):
2695         (JSC::ClonedArguments::getOwnPropertyNames):
2696         (JSC::ClonedArguments::put):
2697         (JSC::ClonedArguments::deleteProperty):
2698         (JSC::ClonedArguments::defineOwnProperty):
2699         (JSC::ClonedArguments::materializeSpecials):
2700         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
2701         * runtime/ClonedArguments.h: Added.
2702         (JSC::ClonedArguments::specialsMaterialized):
2703         * runtime/ScopeOffset.cpp: Added.
2704         (JSC::ScopeOffset::dump):
2705         * runtime/ScopeOffset.h: Added.
2706         (JSC::ScopeOffset::ScopeOffset):
2707         * runtime/ScopedArguments.cpp: Added.
2708         (JSC::ScopedArguments::ScopedArguments):
2709         (JSC::ScopedArguments::finishCreation):
2710         (JSC::ScopedArguments::createUninitialized):
2711         (JSC::ScopedArguments::create):
2712         (JSC::ScopedArguments::createByCopying):
2713         (JSC::ScopedArguments::createByCopyingFrom):
2714         (JSC::ScopedArguments::visitChildren):
2715         (JSC::ScopedArguments::createStructure):
2716         (JSC::ScopedArguments::overrideThings):
2717         (JSC::ScopedArguments::overrideThingsIfNecessary):
2718         (JSC::ScopedArguments::overrideArgument):
2719         (JSC::ScopedArguments::copyToArguments):
2720         * runtime/ScopedArguments.h: Added.
2721         (JSC::ScopedArguments::internalLength):
2722         (JSC::ScopedArguments::length):
2723         (JSC::ScopedArguments::canAccessIndexQuickly):
2724         (JSC::ScopedArguments::getIndexQuickly):
2725         (JSC::ScopedArguments::setIndexQuickly):
2726         (JSC::ScopedArguments::callee):
2727         (JSC::ScopedArguments::overrodeThings):
2728         (JSC::ScopedArguments::offsetOfOverrodeThings):
2729         (JSC::ScopedArguments::offsetOfTotalLength):
2730         (JSC::ScopedArguments::offsetOfTable):
2731         (JSC::ScopedArguments::offsetOfScope):
2732         (JSC::ScopedArguments::overflowStorageOffset):
2733         (JSC::ScopedArguments::allocationSize):
2734         (JSC::ScopedArguments::overflowStorage):
2735         * runtime/ScopedArgumentsTable.cpp: Added.
2736         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
2737         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
2738         (JSC::ScopedArgumentsTable::destroy):
2739         (JSC::ScopedArgumentsTable::create):
2740         (JSC::ScopedArgumentsTable::clone):
2741         (JSC::ScopedArgumentsTable::setLength):
2742         (JSC::ScopedArgumentsTable::set):
2743         (JSC::ScopedArgumentsTable::createStructure):
2744         * runtime/ScopedArgumentsTable.h: Added.
2745         (JSC::ScopedArgumentsTable::length):
2746         (JSC::ScopedArgumentsTable::get):
2747         (JSC::ScopedArgumentsTable::lock):
2748         (JSC::ScopedArgumentsTable::offsetOfLength):
2749         (JSC::ScopedArgumentsTable::offsetOfArguments):
2750         (JSC::ScopedArgumentsTable::at):
2751         * runtime/SymbolTable.cpp:
2752         (JSC::SymbolTableEntry::prepareToWatch):
2753         (JSC::SymbolTable::SymbolTable):
2754         (JSC::SymbolTable::visitChildren):
2755         (JSC::SymbolTable::localToEntry):
2756         (JSC::SymbolTable::entryFor):
2757         (JSC::SymbolTable::cloneScopePart):
2758         (JSC::SymbolTable::prepareForTypeProfiling):
2759         (JSC::SymbolTable::uniqueIDForOffset):
2760         (JSC::SymbolTable::globalTypeSetForOffset):
2761         (JSC::SymbolTable::cloneCapturedNames): Deleted.
2762         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
2763         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
2764         * runtime/SymbolTable.h:
2765         (JSC::SymbolTableEntry::varOffsetFromBits):
2766         (JSC::SymbolTableEntry::scopeOffsetFromBits):
2767         (JSC::SymbolTableEntry::Fast::varOffset):
2768         (JSC::SymbolTableEntry::Fast::scopeOffset):
2769         (JSC::SymbolTableEntry::Fast::isDontEnum):
2770         (JSC::SymbolTableEntry::Fast::getAttributes):
2771         (JSC::SymbolTableEntry::SymbolTableEntry):
2772         (JSC::SymbolTableEntry::varOffset):
2773         (JSC::SymbolTableEntry::isWatchable):
2774         (JSC::SymbolTableEntry::scopeOffset):
2775         (JSC::SymbolTableEntry::setAttributes):
2776         (JSC::SymbolTableEntry::constantMode):
2777         (JSC::SymbolTableEntry::isDontEnum):
2778         (JSC::SymbolTableEntry::disableWatching):
2779         (JSC::SymbolTableEntry::pack):
2780         (JSC::SymbolTableEntry::isValidVarOffset):
2781         (JSC::SymbolTable::createNameScopeTable):
2782         (JSC::SymbolTable::maxScopeOffset):
2783         (JSC::SymbolTable::didUseScopeOffset):
2784         (JSC::SymbolTable::didUseVarOffset):
2785         (JSC::SymbolTable::scopeSize):
2786         (JSC::SymbolTable::nextScopeOffset):
2787         (JSC::SymbolTable::takeNextScopeOffset):
2788         (JSC::SymbolTable::add):
2789         (JSC::SymbolTable::set):
2790         (JSC::SymbolTable::argumentsLength):
2791         (JSC::SymbolTable::setArgumentsLength):
2792         (JSC::SymbolTable::argumentOffset):
2793         (JSC::SymbolTable::setArgumentOffset):
2794         (JSC::SymbolTable::arguments):
2795         (JSC::SlowArgument::SlowArgument): Deleted.
2796         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
2797         (JSC::SymbolTableEntry::getIndex): Deleted.
2798         (JSC::SymbolTableEntry::isValidIndex): Deleted.
2799         (JSC::SymbolTable::captureStart): Deleted.
2800         (JSC::SymbolTable::setCaptureStart): Deleted.
2801         (JSC::SymbolTable::captureEnd): Deleted.
2802         (JSC::SymbolTable::setCaptureEnd): Deleted.
2803         (JSC::SymbolTable::captureCount): Deleted.
2804         (JSC::SymbolTable::isCaptured): Deleted.
2805         (JSC::SymbolTable::parameterCount): Deleted.
2806         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
2807         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
2808         (JSC::SymbolTable::slowArguments): Deleted.
2809         (JSC::SymbolTable::setSlowArguments): Deleted.
2810         * runtime/VM.cpp:
2811         (JSC::VM::VM):
2812         * runtime/VM.h:
2813         * runtime/VarOffset.cpp: Added.
2814         (JSC::VarOffset::dump):
2815         (WTF::printInternal):
2816         * runtime/VarOffset.h: Added.
2817         (JSC::VarOffset::VarOffset):
2818         (JSC::VarOffset::assemble):
2819         (JSC::VarOffset::isValid):
2820         (JSC::VarOffset::operator!):
2821         (JSC::VarOffset::kind):
2822         (JSC::VarOffset::isStack):
2823         (JSC::VarOffset::isScope):
2824         (JSC::VarOffset::isDirectArgument):
2825         (JSC::VarOffset::stackOffsetUnchecked):
2826         (JSC::VarOffset::scopeOffsetUnchecked):
2827         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
2828         (JSC::VarOffset::stackOffset):
2829         (JSC::VarOffset::scopeOffset):
2830         (JSC::VarOffset::capturedArgumentsOffset):
2831         (JSC::VarOffset::rawOffset):
2832         (JSC::VarOffset::checkSanity):
2833         (JSC::VarOffset::operator==):
2834         (JSC::VarOffset::operator!=):
2835         (JSC::VarOffset::hash):
2836         (JSC::VarOffset::isHashTableDeletedValue):
2837         (JSC::VarOffsetHash::hash):
2838         (JSC::VarOffsetHash::equal):
2839         * tests/stress/arguments-exit-strict-mode.js: Added.
2840         * tests/stress/arguments-exit.js: Added.
2841         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
2842         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
2843         * tests/stress/arguments-inlined-exit.js: Added.
2844         * tests/stress/arguments-interference.js: Added.
2845         * tests/stress/arguments-interference-cfg.js: Added.
2846         * tests/stress/dead-get-closure-var.js: Added.
2847         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
2848         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
2849         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
2850         * tests/stress/varargs-closure-inlined-exit.js: Added.
2851         * tests/stress/varargs-exit.js: Added.
2852         * tests/stress/varargs-inlined-exit.js: Added.
2853         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
2854         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
2855         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
2856         * tests/stress/varargs-inlined-simple-exit.js: Added.
2857         * tests/stress/varargs-too-few-arguments.js: Added.
2858         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
2859         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
2860         * tests/stress/varargs-varargs-inlined-exit.js: Added.
2861
2862 2015-03-25  Andy Estes  <aestes@apple.com>
2863
2864         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
2865         https://bugs.webkit.org/show_bug.cgi?id=143068
2866
2867         Reviewed by Dan Bernstein.
2868
2869         * inspector/remote/RemoteInspectorXPCConnection.mm:
2870         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
2871
2872 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2873
2874         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
2875         https://bugs.webkit.org/show_bug.cgi?id=142993
2876
2877         Reviewed by Geoffrey Garen and Mark Lam.
2878         
2879         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
2880         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
2881         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
2882         failure, but also involves adding the same kind of thing to the stub generators in
2883         Repatch.
2884         
2885         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
2886         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
2887         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
2888         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
2889         printout.
2890         
2891         Also add a way of inducing executable allocation failure, so that we can test this.
2892
2893         * CMakeLists.txt:
2894         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2895         * JavaScriptCore.xcodeproj/project.pbxproj:
2896         * dfg/DFGJITCompiler.cpp:
2897         (JSC::DFG::JITCompiler::compile):
2898         (JSC::DFG::JITCompiler::compileFunction):
2899         (JSC::DFG::JITCompiler::link): Deleted.
2900         (JSC::DFG::JITCompiler::linkFunction): Deleted.
2901         * dfg/DFGJITCompiler.h:
2902         * dfg/DFGPlan.cpp:
2903         (JSC::DFG::Plan::compileInThreadImpl):
2904         * ftl/FTLCompile.cpp:
2905         (JSC::FTL::mmAllocateCodeSection):
2906         (JSC::FTL::mmAllocateDataSection):
2907         * ftl/FTLLink.cpp:
2908         (JSC::FTL::link):
2909         * ftl/FTLState.h:
2910         * jit/ArityCheckFailReturnThunks.cpp:
2911         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
2912         * jit/ExecutableAllocationFuzz.cpp: Added.
2913         (JSC::numberOfExecutableAllocationFuzzChecks):
2914         (JSC::doExecutableAllocationFuzzing):
2915         * jit/ExecutableAllocationFuzz.h: Added.
2916         (JSC::doExecutableAllocationFuzzingIfEnabled):
2917         * jit/ExecutableAllocatorFixedVMPool.cpp:
2918         (JSC::ExecutableAllocator::allocate):
2919         * jit/JIT.cpp:
2920         (JSC::JIT::privateCompile):
2921         * jit/JITCompilationEffort.h:
2922         * jit/Repatch.cpp:
2923         (JSC::generateByIdStub):
2924         (JSC::tryCacheGetByID):
2925         (JSC::tryBuildGetByIDList):
2926         (JSC::emitPutReplaceStub):
2927         (JSC::emitPutTransitionStubAndGetOldStructure):
2928         (JSC::tryCachePutByID):
2929         (JSC::tryBuildPutByIdList):
2930         (JSC::tryRepatchIn):
2931         (JSC::linkPolymorphicCall):
2932         * jsc.cpp:
2933         (jscmain):
2934         * runtime/Options.h:
2935         * runtime/TestRunnerUtils.h:
2936         * runtime/VM.cpp:
2937         * tests/executableAllocationFuzz: Added.
2938         * tests/executableAllocationFuzz.yaml: Added.
2939         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
2940
2941 2015-03-25  Mark Lam  <mark.lam@apple.com>
2942
2943         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
2944         <https://webkit.org/b/135719>
2945
2946         Reviewed by Geoffrey Garen.
2947
2948         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
2949         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
2950         update the LLINT to access it as such.
2951
2952         The issue has only manifested so far on the CLoop tests because those are LLINT
2953         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
2954         hiding the bug in the LLINT.
2955
2956         * API/JSContextRef.cpp:
2957         (createWatchdogIfNeeded):
2958         (JSContextGroupSetExecutionTimeLimit):
2959         (JSContextGroupClearExecutionTimeLimit):
2960         * llint/LowLevelInterpreter.asm:
2961
2962 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2963
2964         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
2965
2966         Rubber stamped by Geoffrey Garen.
2967
2968         * bytecode/CodeBlock.cpp:
2969         (JSC::CodeBlock::visitAggregate):
2970
2971 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2972
2973         Fix formatting in BuiltinExecutables
2974         https://bugs.webkit.org/show_bug.cgi?id=143061
2975
2976         Reviewed by Ryosuke Niwa.
2977
2978         * builtins/BuiltinExecutables.cpp:
2979         (JSC::BuiltinExecutables::createExecutableInternal):
2980
2981 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2982
2983         ES6: Classes: Program level class statement throws exception in strict mode
2984         https://bugs.webkit.org/show_bug.cgi?id=143038
2985
2986         Reviewed by Ryosuke Niwa.
2987
2988         Classes expose a name to the current lexical environment. This treats
2989         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
2990         Also, improve error messages for class statements where the class is missing a name.
2991
2992         * parser/Parser.h:
2993         * parser/Parser.cpp:
2994         (JSC::Parser<LexerType>::parseClass):
2995         Fill name in info parameter if needed. Better error message if name is needed and missing.
2996
2997         (JSC::Parser<LexerType>::parseClassDeclaration):
2998         Pass info parameter to get name, and expose the name as a variable name.
2999
3000         (JSC::Parser<LexerType>::parsePrimaryExpression):
3001         Pass info parameter that is ignored.
3002
3003         * parser/ParserFunctionInfo.h:
3004         Add a parser info for class, to extract the name.
3005
3006 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3007
3008         New map and set modification tests in r181922 fail
3009         https://bugs.webkit.org/show_bug.cgi?id=143031
3010
3011         Reviewed and tweaked by Geoffrey Garen.
3012
3013         When packing the Map/Set backing store, we need to decrement the Map/Set iterator's m_index
3014         to adjust for the packed backing store.
3015
3016         Consider the following map data.
3017
3018         x: deleted, o: exists
3019         0 1 2 3 4
3020         x x x x o
3021
3022         And an iterator with m_index 3.
3023
3024         When packing the map data, the map data will become:
3025
3026         0
3027         o
3028
3029         At that time, we perform didRemoveEntry 4 times on the iterators.
3030         times => m_index/index/result
3031         1 => 3/0/dec
3032         2 => 2/1/dec
3033         3 => 1/2/nothing
3034         4 => 1/3/nothing
3035
3036         After iteration, the iterator's m_index becomes 1. But we expected it to become 0.
3037         This is because we use the decremented m_index for comparison:
3038         while the provided deletedIndex is the index in the old storage, m_index is the index in the partially packed storage.
3039
3040         In this patch, we compare against the packed index instead.
3041         times => m_index/packedIndex/result
3042         1 => 3/0/dec
3043         2 => 2/0/dec
3044         3 => 1/0/dec
3045         4 => 0/0/nothing
3046
3047         So m_index becomes 0 as expected.
3048
3049         And according to the spec, once the iterator is closed (becomes done: true),
3050         its internal [[Map]]/[[Set]] is set to undefined.
3051         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
3052
3053         In this patch, we change 2 things.
3054         1.
3055         Compare an iterator's index against the packed index when removing an entry.
3056
3057         2.
3058         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
3059
3060         * runtime/MapData.h:
3061         (JSC::MapDataImpl::IteratorData::finish):
3062         (JSC::MapDataImpl::IteratorData::isFinished):
3063         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
3064         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
3065         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
3066         * runtime/MapDataInlines.h:
3067         (JSC::JSIterator>::replaceAndPackBackingStore):
3068         * tests/stress/modify-map-during-iteration.js:
3069         * tests/stress/modify-set-during-iteration.js:
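
The index adjustment described above (didRemoveEntry comparing against the old index versus the packed index), as an added example that is not JSC's own code: a small C++ model of a tombstoned backing store and its live iterators, reproducing the 4-step table and the isFinished() rule. The names Entry, Iter, packStore and the scenario functions are hypothetical.

```cpp
// Added example (not JSC's code): model of a Map/Set backing store with
// deletion tombstones, and of how live iterators are adjusted when the store
// is packed. All names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <vector>

// One slot of the backing store: a value plus a "deleted" tombstone flag.
struct Entry {
    int value;
    bool deleted;
};

// Iterator state: m_index is the slot the iterator will read next;
// finished models IteratorData::isFinished() (the JS iterator is closed).
struct Iter {
    int32_t m_index;
    bool finished;

    // Buggy adjustment (the regression): compares against the index in the
    // OLD storage, although m_index has already been decremented for earlier
    // removals and so lives in the partially packed coordinate system.
    void didRemoveEntryOld(int32_t deletedIndex)
    {
        if (m_index > deletedIndex)
            --m_index;
    }

    // Fixed adjustment: compare against the packed index (the slot where the
    // next surviving entry will land) and never touch a finished iterator.
    void didRemoveEntryPacked(int32_t packedIndex)
    {
        if (finished)
            return;
        if (m_index > packedIndex)
            --m_index;
    }
};

// Packs the store in place (drops tombstones) and notifies every live
// iterator once per removed entry, with either the old or the packed index.
// Returns the number of entries that survived.
size_t packStore(std::vector<Entry>& store, std::vector<Iter>& iters, bool usePackedIndex)
{
    size_t packedIndex = 0;
    for (size_t oldIndex = 0; oldIndex < store.size(); ++oldIndex) {
        if (store[oldIndex].deleted) {
            for (Iter& it : iters) {
                if (usePackedIndex)
                    it.didRemoveEntryPacked(static_cast<int32_t>(packedIndex));
                else
                    it.didRemoveEntryOld(static_cast<int32_t>(oldIndex));
            }
            continue;
        }
        store[packedIndex++] = store[oldIndex];
    }
    store.resize(packedIndex);
    return packedIndex;
}

// The ChangeLog scenario: slots 0..3 deleted ("x x x x o"), one iterator at
// m_index 3. Returns the iterator's m_index after packing:
// old-index comparison yields 1 (wrong), packed-index comparison yields 0.
int32_t scenarioFromChangeLog(bool usePackedIndex)
{
    std::vector<Entry> store = { {10, true}, {11, true}, {12, true}, {13, true}, {14, false} };
    std::vector<Iter> iters = { {3, false} };   // constructed sample
    packStore(store, iters, usePackedIndex);
    return iters[0].m_index;
}

// Generalizes beyond the ChangeLog's case: "x o x o o" with the iterator
// on the live entry at old slot 3 (value 13), which must land at packed
// slot 1. Returns the value the iterator now points at.
int mixedScenario()
{
    std::vector<Entry> store = { {10, true}, {11, false}, {12, true}, {13, false}, {14, false} };
    std::vector<Iter> iters = { {3, false} };   // constructed sample
    packStore(store, iters, true);
    return store[static_cast<size_t>(iters[0].m_index)].value;
}

// A closed iterator must not be revived by packing: its index is left alone.
int32_t finishedIteratorAfterPack()
{
    std::vector<Entry> store = { {10, true}, {11, false} };
    std::vector<Iter> iters = { {2, true} };    // reached the end, then closed
    packStore(store, iters, true);
    return iters[0].m_index;
}
```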
3070
3071 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
3072
3073         Setter should have a single formal parameter, Getter no parameters
3074         https://bugs.webkit.org/show_bug.cgi?id=142903
3075
3076         Reviewed by Geoffrey Garen.
3077
3078         * parser/Parser.cpp:
3079         (JSC::Parser<LexerType>::parseFunctionInfo):
3080         Enforce no parameters for getters and a single parameter
3081         for setters, with informational error messages.
3082
3083 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
3084
3085         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
3086         https://bugs.webkit.org/show_bug.cgi?id=143012
3087
3088         Reviewed by Ryosuke Niwa.
3089
3090         * bytecompiler/BytecodeGenerator.cpp:
3091         (JSC::BytecodeGenerator::emitReturn):
3092         Fix handling of "undefined" when returned from a Derived class. It was
3093         returning "undefined" when it should have returned "this".
3094
3095 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3096
3097         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
3098         https://bugs.webkit.org/show_bug.cgi?id=142696
3099
3100         Reviewed and tweaked by Geoffrey Garen.
3101
3102         Before r142556, JSSetIterator::destroy was not defined.
3103         So, accidentally, the MapData::const_iterator in JSSet was never destroyed.
3104         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
3105
3106         After r142556, JSSetIterator::destroy works.
3107         It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
3108         But JSSetIterator::~JSSetIterator requires the owned JSSet since it mutates MapData->m_iteratorCount.
3109
3110         It is guaranteed that the JSSet is live since the JSSetIterator has a reference to the JSSet
3111         and marks it in visitChildren (WriteBarrier<Unknown>).
3112         However, the order of destruction is not guaranteed in a GC-ed system.
3113
3114         Consider the following case:
3115         allocate a JSSet and subsequently allocate a JSSetIterator,
3116         and they reside in separate MarkedBlocks, <1> and <2>.
3117
3118         JSSet<1> <- JSSetIterator<2>
3119
3120         And after that, when performing GC, the Marker decides that the above 2 objects are not marked.
3121         And the Marker also decides MarkedBlocks <1> and <2> can be swept.
3122
3123         First, the Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
3124         Second, the Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
3125         However, JSSetIterator<2>'s destructor,
3126         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free.
3127
3128         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
3129         When packing the removed elements in JSSet/JSMap, we apply the change to all live
3130         iterators tracked by WeakGCMap.
3131
3132         WeakGCMap can only track JSCells since they are managed by the GC.
3133         So we drop the JSSet/JSMap C++ style iterators. Instead of a C++ style iterator, this patch
3134         introduces JS style iterator signatures into the C++ class IteratorData.
3135         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
3136         IteratorData directly.
3137
3138         * runtime/JSMap.cpp:
3139         (JSC::JSMap::destroy):
3140         * runtime/JSMap.h:
3141         (JSC::JSMap::JSMap):
3142         (JSC::JSMap::begin): Deleted.
3143         (JSC::JSMap::end): Deleted.
3144         * runtime/JSMapIterator.cpp:
3145         (JSC::JSMapIterator::destroy):
3146         * runtime/JSMapIterator.h:
3147         (JSC::JSMapIterator::next):
3148         (JSC::JSMapIterator::nextKeyValue):
3149         (JSC::JSMapIterator::iteratorData):
3150         (JSC::JSMapIterator::JSMapIterator):
3151         * runtime/JSSet.cpp:
3152         (JSC::JSSet::destroy):
3153         * runtime/JSSet.h:
3154         (JSC::JSSet::JSSet):
3155         (JSC::JSSet::begin): Deleted.
3156         (JSC::JSSet::end): Deleted.
3157         * runtime/JSSetIterator.cpp:
3158         (JSC::JSSetIterator::destroy):
3159         * runtime/JSSetIterator.h:
3160         (JSC::JSSetIterator::next):
3161         (JSC::JSSetIterator::iteratorData):
3162         (JSC::JSSetIterator::JSSetIterator):
3163         * runtime/MapData.h:
3164         (JSC::MapDataImpl::IteratorData::finish):
3165         (JSC::MapDataImpl::IteratorData::isFinished):
3166         (JSC::MapDataImpl::shouldPack):
3167         (JSC::JSIterator>::MapDataImpl):
3168         (JSC::JSIterator>::KeyType::KeyType):
3169         (JSC::JSIterator>::IteratorData::IteratorData):
3170         (JSC::JSIterator>::IteratorData::next):
3171         (JSC::JSIterator>::IteratorData::ensureSlot):
3172         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
3173         (JSC::JSIterator>::IteratorData::refreshCursor):
3174         (JSC::MapDataImpl::const_iterator::key): Deleted.
3175         (JSC::MapDataImpl::const_iterator::value): Deleted.
3176         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
3177         (JSC::MapDataImpl::const_iterator::finish): Deleted.
3178         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
3179         (JSC::MapDataImpl::begin): Deleted.
3180         (JSC::MapDataImpl::end): Deleted.
3181         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
3182         (JSC::MapDataImpl<Entry>::clear): Deleted.
3183         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
3184         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
3185         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
3186         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
3187         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
3188         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
3189         (JSC::=): Deleted.
3190         * runtime/MapDataInlines.h:
3191         (JSC::JSIterator>::clear):
3192         (JSC::JSIterator>::find):
3193         (JSC::JSIterator>::contains):
3194         (JSC::JSIterator>::add):
3195         (JSC::JSIterator>::set):
3196         (JSC::JSIterator>::get):
3197         (JSC::JSIterator>::remove):
3198         (JSC::JSIterator>::replaceAndPackBackingStore):
3199         (JSC::JSIterator>::replaceBackingStore):
3200         (JSC::JSIterator>::ensureSpaceForAppend):
3201         (JSC::JSIterator>::visitChildren):
3202         (JSC::JSIterator>::copyBackingStore):
3203         (JSC::JSIterator>::applyMapDataPatch):
3204         (JSC::MapDataImpl<Entry>::find): Deleted.
3205         (JSC::MapDataImpl<Entry>::contains): Deleted.
3206         (JSC::MapDataImpl<Entry>::add): Deleted.
3207         (JSC::MapDataImpl<Entry>::set): Deleted.
3208         (JSC::MapDataImpl<Entry>::get): Deleted.
3209         (JSC::MapDataImpl<Entry>::remove): Deleted.
3210         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
3211         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
3212         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
3213         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
3214         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
3215         * runtime/MapPrototype.cpp:
3216         (JSC::mapProtoFuncForEach):
3217         * runtime/SetPrototype.cpp:
3218         (JSC::setProtoFuncForEach):
3219         * runtime/WeakGCMap.h:
3220         (JSC::WeakGCMap::forEach):
3221         * tests/stress/modify-map-during-iteration.js: Added.
3222         (testValue):
3223         (identityPairs):
3224         (.set if):
3225         (var):
3226         (set map):
3227         * tests/stress/modify-set-during-iteration.js: Added.
3228         (testValue):
3229         (set forEach):
3230         (set delete):
3231
3232 2015-03-24  Mark Lam  <mark.lam@apple.com>
3233
3234         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
3235         <https://webkit.org/b/143024>
3236
3237         Reviewed by Geoffrey Garen.
3238
3239         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
3240         passed in from testapi.c.  It should create its own for better
3241         encapsulation of the test.
3242
3243         * API/tests/ExecutionTimeLimitTest.cpp:
3244         (currentCPUTimeAsJSFunctionCallback):
3245         (testExecutionTimeLimit):
3246         * API/tests/ExecutionTimeLimitTest.h:
3247         * API/tests/testapi.c:
3248         (main):
3249
3250 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
3251
3252         ES6: Object Literal Methods toString is missing method name
3253         https://bugs.webkit.org/show_bug.cgi?id=142992
3254
3255         Reviewed by Geoffrey Garen.
3256
3257         Always stringify functions in the pattern:
3258
3259           "function " + <function name> + <text from opening parenthesis to closing brace>.
3260
3261         * runtime/FunctionPrototype.cpp:
3262         (JSC::functionProtoFuncToString):
3263         Update the path that was not stringifying in this pattern.
3264
3265         * bytecode/UnlinkedCodeBlock.cpp:
3266         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3267         * bytecode/UnlinkedCodeBlock.h:
3268         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
3269         * parser/Nodes.h:
3270         * runtime/Executable.cpp:
3271         (JSC::FunctionExecutable::FunctionExecutable):
3272         * runtime/Executable.h:
3273         (JSC::FunctionExecutable::parametersStartOffset):
3274         Pass the already known function parameter opening parenthesis
3275         start offset through to the FunctionExecutable.
3276
3277         * tests/mozilla/js1_5/Scope/regress-185485.js:
3278         (with.g):
3279         Add back original space in this test that was removed by r181810
3280         now that we have the space again in stringification.
3281
3282 2015-03-24  Michael Saboff  <msaboff@apple.com>
3283
3284         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
3285         https://bugs.webkit.org/show_bug.cgi?id=142856
3286
3287         Reviewed by Filip Pizlo.
3288
3289         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
3290         get info for three loops to iterate over indexed properties, structure properties and other properties,
3291         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
3292         for all loops before we execute any enumeration.
3293
3294         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
3295         The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex)
3296         and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
3297
3298         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
3299         op_next_enumerator_pname.
3300         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
3301         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
3302         end value we stop iterating on.
3303
3304         Made corresponding node changes to the DFG and FTL for the bytecode changes.
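        As an added illustration of the observable behaviour this entry restores (example code written here, not part of the ChangeLog or of JavaScriptCore's own tests): a for...in loop over a constructed object with indexed, own named and inherited properties, whose body adds properties while enumerating. The key set is obtained once from the property enumerator, so the keys added inside the loop must not be visited in that enumeration; the regression tracked here was that they were.

```javascript
// Added example (not from the ChangeLog or JavaScriptCore): the key set of a
// for...in loop is fixed when the enumerator is obtained, so properties added
// by the loop body must not be visited in the active enumeration.
function enumerateWhileAdding(obj) {
  const visited = [];
  for (const key in obj) {
    visited.push(key);
    // Add a fresh property on every iteration; with the regression these
    // extra keys were picked up by the enumeration.
    obj["added_" + key] = true;
  }
  return visited;
}

// Constructed input: two indexed properties, two own named properties and
// one enumerable property inherited through the prototype chain.
function makeSample() {
  const proto = { inherited: 1 };
  const obj = Object.create(proto);
  obj.b = 2;
  obj.a = 3;
  obj[1] = "one";
  obj[0] = "zero";
  return obj;
}

// Expected visiting order: indexed keys ascending ("0", "1"), then own named
// keys in insertion order ("b", "a"), then the inherited key; none of the
// "added_*" keys appear.
function demo() {
  const obj = makeSample();
  const visited = enumerateWhileAdding(obj);
  const addedEnumerated = visited.some((k) => k.startsWith("added_"));
  return { visited, addedEnumerated };
}
```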
3305
3306         * bytecode/BytecodeList.json:
3307         * bytecode/BytecodeUseDef.h:
3308         (JSC::computeUsesForBytecodeOffset):
3309         (JSC::computeDefsForBytecodeOffset):
3310         * bytecode/CodeBlock.cpp:
3311         (JSC::CodeBlock::dumpBytecode):
3312         * bytecompiler/BytecodeGenerator.cpp:
3313         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
3314         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
3315         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
3316         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
3317         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
3318         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
3319         * bytecompiler/BytecodeGenerator.h:
3320         * bytecompiler/NodesCodegen.cpp:
3321         (JSC::ForInNode::emitMultiLoopBytecode):
3322         * dfg/DFGAbstractInterpreterInlines.h:
3323         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3324         * dfg/DFGByteCodeParser.cpp:
3325         (JSC::DFG::ByteCodeParser::parseBlock):
3326         * dfg/DFGCapabilities.cpp:
3327         (JSC::DFG::capabilityLevel):
3328         * dfg/DFGClobberize.h:
3329         (JSC::DFG::clobberize):
3330         * dfg/DFGDoesGC.cpp:
3331         (JSC::DFG::doesGC):
3332         * dfg/DFGFixupPhase.cpp:
3333         (JSC::DFG::FixupPhase::fixupNode):
3334         * dfg/DFGNodeType.h:
3335         * dfg/DFGPredictionPropagationPhase.cpp:
3336         (JSC::DFG::PredictionPropagationPhase::propagate):
3337         * dfg/DFGSafeToExecute.h:
3338         (JSC::DFG::safeToExecute):
3339         * dfg/DFGSpeculativeJIT32_64.cpp:
3340         (JSC::DFG::SpeculativeJIT::compile):
3341         * dfg/DFGSpeculativeJIT64.cpp:
3342         (JSC::DFG::SpeculativeJIT::compile):
3343         * ftl/FTLAbstractHeapRepository.h: