Add ENABLE_WEBASSEMBLY feature flag for WebAssembly
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-07-22  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2
3         Add ENABLE_WEBASSEMBLY feature flag for WebAssembly
4         https://bugs.webkit.org/show_bug.cgi?id=147212
5
6         Reviewed by Filip Pizlo.
7
8         * Configurations/FeatureDefines.xcconfig:
9
10 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
11
12         Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time
13         https://bugs.webkit.org/show_bug.cgi?id=147218
14
15         Reviewed by Sam Weinig.
16         
17         I want to be able to take a UniquedStringImpl* and turn it into an identifierNumber at
18         various points in my work on https://bugs.webkit.org/show_bug.cgi?id=146929. Currently,
19         most Nodes that deal with identifiers use identifierNumbers and you can only create an
20         identifierNumber in BytecodeGenerator. DFG::ByteCodeParser does sort of have the
21         ability to create new identifierNumbers when inlining - it takes the inlined code's
22         identifiers and either gives them new numbers or reuses numbers from the enclosing
23         code.
24         
25         This patch takes that basic functionality and puts it in
26         DFG::DesiredIdentifiers::ensure(). Anyone can call this at any time to turn a
27         UniquedStringImpl* into an identifierNumber. This data structure is already used by
28         Plan to properly install any newly created identifier table entries into the CodeBlock.
29
30         * dfg/DFGByteCodeParser.cpp:
31         (JSC::DFG::ByteCodeParser::ByteCodeParser):
32         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
33         (JSC::DFG::ByteCodeParser::linkBlocks):
34         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
35         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): Deleted.
36         * dfg/DFGDesiredIdentifiers.cpp:
37         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
38         (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
39         (JSC::DFG::DesiredIdentifiers::ensure):
40         (JSC::DFG::DesiredIdentifiers::at):
41         (JSC::DFG::DesiredIdentifiers::addLazily): Deleted.
42         * dfg/DFGDesiredIdentifiers.h:
43
44 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
45
46         Simplify things like CompareEq(@x,@x)
47         https://bugs.webkit.org/show_bug.cgi?id=145850
48
49         Reviewed by Sam Weinig.
50         
51         This simplifies x==x to true, except in cases where x might be a double (in which case this
52         might still be false if x is NaN).
53
54         * dfg/DFGAbstractInterpreterInlines.h:
55         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
56         * tests/stress/nan-equal-untyped.js: Added.
57         (foo):
58         (test):
59         * tests/stress/nan-equal.js: Added.
60         (foo):
61
62 2015-07-22  Joseph Pecoraro  <pecoraro@apple.com>
63
64         Web Inspector: Timeline should immediately start moving play head when starting a new recording
65         https://bugs.webkit.org/show_bug.cgi?id=147210
66
67         Reviewed by Timothy Hatcher.
68
69         * inspector/protocol/Timeline.json:
70         Add timestamps to recordingStarted and recordingStopped events.
71
72 2015-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
73
74         Introducing construct ability into JS executables
75         https://bugs.webkit.org/show_bug.cgi?id=147183
76
77         Reviewed by Geoffrey Garen.
78
79         Decouple the construct ability from the builtin functions.
80         Currently, all builtin functions are not constructors after r182995.
81         In that patch, when the given function is builtin JS function, we recognize it as the non-constructor function.
82
83         But, we need to relax it to implement some constructors in builtins JS.
84         By decoupling the construct ability from whether the function is builtin or not, we can provide
85
86         1. constructors written in builtin JS
87         2. non-constructors in normal JS functions
88
89         (1) is needed for Promise constructor.
90         And (2) is needed for method functions and arrow functions.
91
92         This patch introduces ConstructAbility into the unlinked function executables.
93         It holds whether the given JS function has the construct ability or not.
94         By leveraging this, this patch disables the construct ability of the method definitions, setters, getters and arrow functions.
95
96         And at the same time, this patch introduces the annotation for constructor in builtin JS.
97         We can define the function as follows,
98
99             constructor Promise(executor)
100             {
101                 ...
102             }
103
104         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
105         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
106         * JavaScriptCore.xcodeproj/project.pbxproj:
107         * builtins/BuiltinExecutables.cpp:
108         (JSC::BuiltinExecutables::createDefaultConstructor):
109         (JSC::BuiltinExecutables::createExecutableInternal):
110         * builtins/BuiltinExecutables.h:
111         * builtins/Iterator.prototype.js:
112         (symbolIterator):
113         (SymbolIterator): Deleted.
114         * bytecode/UnlinkedCodeBlock.cpp:
115         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
116         * bytecode/UnlinkedCodeBlock.h:
117         * bytecompiler/BytecodeGenerator.h:
118         (JSC::BytecodeGenerator::makeFunction):
119         * generate-js-builtins:
120         (getCopyright):
121         (Function):
122         (Function.__init__):
123         (Function.mangleName):
124         (getFunctions):
125         (mangleName): Deleted.
126         * jit/JITOperations.cpp:
127         * llint/LLIntSlowPaths.cpp:
128         (JSC::LLInt::setUpCall):
129         * parser/Parser.cpp:
130         (JSC::Parser<LexerType>::parseClass):
131         * runtime/CodeCache.cpp:
132         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
133         * runtime/CommonIdentifiers.h:
134         * runtime/ConstructAbility.h: Copied from Source/JavaScriptCore/builtins/Iterator.prototype.js.
135         * runtime/Executable.h:
136         * runtime/JSFunction.cpp:
137         (JSC::JSFunction::getConstructData):
138         * runtime/JSGlobalObject.cpp:
139         (JSC::JSGlobalObject::init):
140         * tests/stress/non-constructors.js: Added.
141         (shouldThrow):
142         (.prototype.method):
143         (.prototype.get getter):
144         (.prototype.set setter):
145         (.method):
146         (.get shouldThrow):
147         (.set shouldThrow):
148         (set var.test.get getter):
149         (set var.test.set setter):
150         (set var.test.normal):
151         (.set var):
152         (.set new):
153
154 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
155
156         [JSC] Enable exception fuzzing for GCC too
157         https://bugs.webkit.org/show_bug.cgi?id=146831
158
159         Reviewed by Darin Adler.
160
161         * jit/JITOperations.cpp:
162
163 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
164
165         Fixed pool allocation should always be aligned
166         https://bugs.webkit.org/show_bug.cgi?id=147201
167
168         Reviewed by Simon Fraser.
169         
170         Passing an unaligned size to the allocator can cause asserts or even worse things. The
171         Options reservation value isn't going to be aligned.
172
173         * jit/ExecutableAllocatorFixedVMPool.cpp:
174         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
175
176 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
177
178         Enable STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE for GCC
179         https://bugs.webkit.org/show_bug.cgi?id=146829
180
181         Reviewed by Brent Fulgham.
182
183         * heap/GCAssertions.h:
184
185 2015-07-22  Alex Christensen  <achristensen@webkit.org>
186
187         Fix quirks in CMake build on Mac and Windows
188         https://bugs.webkit.org/show_bug.cgi?id=147174
189
190         Reviewed by Gyuyoung Kim.
191
192         * PlatformMac.cmake:
193         Add JSRemoteInspector.cpp and remove semicolon from command to make it actually run.
194
195 2015-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
196
197         Add newTarget accessor to JS constructor written in C++
198         https://bugs.webkit.org/show_bug.cgi?id=147160
199
200         Reviewed by Geoffrey Garen.
201
202         This patch adds `ExecState#newTarget()` which returns `new.target` defined in ECMA262 6th.
203         It enables some C++ constructors (like Intl.XXX constructors) to leverage this to complete
204         its implementation.
205
206         When the constructor is called, |this| in the arguments is used for storing new.target instead.
207         So by adding the accessor for |this|, JS constructor written in C++ can access new.target.
208
209         And at the same time, this patch extends the existing `construct` to accept new.target value.
210         It is corresponding to the spec's Construct abstract operation.
211
212         * interpreter/CallFrame.h:
213         (JSC::ExecState::newTarget):
214         * interpreter/Interpreter.cpp:
215         (JSC::Interpreter::executeConstruct):
216         * interpreter/Interpreter.h:
217         * runtime/ConstructData.cpp:
218         (JSC::construct):
219         * runtime/ConstructData.h:
220         (JSC::construct):
221
222 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
223
224         Unreviewed, fix a lot of tests. Need to initialize WTF threading sooner.
225
226         * jsc.cpp:
227         (main):
228
229 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
230
231         Fixed VM pool allocation should have a reserve for allocations that cannot fail
232         https://bugs.webkit.org/show_bug.cgi?id=147154
233         rdar://problem/21847618
234
235         Reviewed by Geoffrey Garen.
236         
237         This adds the notion of a JIT pool reserve fraction. Some fraction, currently 1/4, of
238         the JIT pool is reserved for allocations that cannot fail. It makes sense to make this
239         a fraction rather than a constant because each allocation that can fail may cause some
240         number of allocations that cannot fail (for example, the OSR exit thunks that we
241         compile when we exit from some CodeBlock cannot fail).
242         
243         I've tested this by adding a test mode where we artificially limit the JIT pool size.
244         Prior to the fix, we had >20 failures. Now we have none.
245
246         * heap/GCLogging.cpp:
247         (WTF::printInternal): I needed a dump method on Options members when debugging this.
248         * heap/GCLogging.h:
249         * jit/ExecutableAllocator.h: Raise the ARM64 limit to 32MB because 16MB is cutting it too close.
250         * jit/ExecutableAllocatorFixedVMPool.cpp:
251         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Add the ability to artificially limit JIT pool size for testing.
252         (JSC::ExecutableAllocator::memoryPressureMultiplier): Implement the reserve when computing memory pressure for JIT tier-up heuristics.
253         (JSC::ExecutableAllocator::allocate): Implement the reserve when allocating can-fail things.
254         * jsc.cpp: Rewire some options parsing so that CommandLine happens before we create the JIT pool.
255         (main):
256         (CommandLine::parseArguments):
257         (jscmain):
258         * runtime/Options.cpp: 
259         (JSC::OptionRange::dump): I needed a dump method on Options members when debugging this.
260         (JSC::Options::initialize): This can now be called more than once.
261         * runtime/Options.h:
262
263 2015-07-21  Saam barati  <saambarati1@gmail.com>
264
265         ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier"
266         https://bugs.webkit.org/show_bug.cgi?id=147156
267
268         Reviewed by Andreas Kling.
269
270         * parser/Nodes.h:
271
272 2015-07-21  Basile Clement  <basile_clement@apple.com>
273
274         Object allocation sinking phase is performing needless HashMap copies
275         https://bugs.webkit.org/show_bug.cgi?id=147159
276
277         Reviewed by Geoffrey Garen.
278
279         The points-to analyzer in the object allocation sinking phase is
280         currently performing copies of its allocation and pointers tables in
281         several places. While this is not a huge problem since those tables are
282         usually small and we are in the FTL path anyway, we still shouldn't be
283         doing such useless copying.
284
285         This patch also removes the DFGInsertOSRHintsForUpdate files that are
286         no longer needed with the new object sinking phase and should have been
287         removed in r186795.
288
289         * CMakeLists.txt:
290         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
291         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
292         * JavaScriptCore.xcodeproj/project.pbxproj:
293         * dfg/DFGInsertOSRHintsForUpdate.cpp: Removed.
294         (JSC::DFG::insertOSRHintsForUpdate): Deleted.
295         * dfg/DFGInsertOSRHintsForUpdate.h: Removed.
296         * dfg/DFGObjectAllocationSinkingPhase.cpp:
297
298 2015-07-21  Saam barati  <saambarati1@gmail.com>
299
300         DestructuringPatternNode and DestructuringAssignmentNode should be ParserArenaFreeable
301         https://bugs.webkit.org/show_bug.cgi?id=147140
302
303         Reviewed by Geoffrey Garen.
304
305         The descendants of DestructuringPatternNode that need destruction also
306         inherit from ParserArenaDeletable.
307
308         * parser/Nodes.h:
309         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
310         (JSC::ObjectPatternNode::appendEntry):
311         (JSC::DestructuringAssignmentNode::bindings):
312
313 2015-07-21  Keith Miller  <keith_miller@apple.com>
314
315         Add support for the new.target syntax.
316         https://bugs.webkit.org/show_bug.cgi?id=147051
317
318         Reviewed by Yusuke Suzuki.
319
320         Add support for new.target. Essentially the implementation is, before constructor calls,
321         the target of a "new" is placed where "this" noramlly goes in the calling convention.
322         Then in the constructor before object is initialized we move the target of the "new"
323         into a local variable.
324
325         * bytecompiler/BytecodeGenerator.cpp:
326         (JSC::BytecodeGenerator::BytecodeGenerator):
327         * bytecompiler/NodesCodegen.cpp:
328         (JSC::NewTargetNode::emitBytecode):
329         * parser/ASTBuilder.h:
330         (JSC::ASTBuilder::newTargetExpr):
331         * parser/NodeConstructors.h:
332         (JSC::NewTargetNode::NewTargetNode):
333         * parser/Nodes.h:
334         * parser/Parser.cpp:
335         (JSC::Parser<LexerType>::parseMemberExpression):
336         * parser/SyntaxChecker.h:
337         (JSC::SyntaxChecker::newTargetExpr):
338         * runtime/CommonIdentifiers.h:
339         * tests/stress/new-target.js: Added.
340         (test):
341         (call):
342         (Constructor.subCall):
343         (Constructor.SubConstructor):
344         (Constructor):
345         (noAssign):
346         (doWeirdThings):
347         (SuperClass):
348         (SubClass):
349
350 2015-07-20  Saam barati  <saambarati1@gmail.com>
351
352         "let" scoping introduced incoherent story about symbol table cloning
353         https://bugs.webkit.org/show_bug.cgi?id=147046
354
355         Reviewed by Filip Pizlo.
356
357         This patch now establishes a clear set of rules for how SymbolTables
358         are owned by CodeBlock. Every SymbolTable that is used by a bytecode
359         instruction must live in CodeBlock's constant register pool. When CodeBlock
360         is being linked, it ensures that every SymbolTable in the constant pool is cloned. 
361         This leaves no room for an un-cloned symbol table to be used by a bytecode instruction. 
362         Some instructions may refer to SymbolTable's indirectly through a JSLexicalEnvironment. 
363         This is fine, all JSLexicalEnvironment's are allocated with references to cloned symbol tables.
364
365         Another goal of this patch is to remove the notion that a SymbolTable is 1 to 1 
366         with a CodeBlock. With lexical scoping, this view of the world is no longer
367         correct. This patch begins to remove this assumption by making CodeBlock's
368         symbolTable() getter method private. There is still one place where we need
369         to purge our codebase of this assumption and that is the type profiler. It 
370         has not been updated for lexical scoping. After it is updated in 
371         https://bugs.webkit.org/show_bug.cgi?id=145438
372         we will be able to remove CodeBlock's symbolTable() getter entirely.
373
374         * bytecode/CodeBlock.cpp:
375         (JSC::CodeBlock::CodeBlock):
376         (JSC::CodeBlock::nameForRegister):
377         * bytecode/CodeBlock.h:
378         (JSC::CodeBlock::addStringSwitchJumpTable):
379         (JSC::CodeBlock::stringSwitchJumpTable):
380         (JSC::CodeBlock::evalCodeCache):
381         (JSC::CodeBlock::symbolTable):
382         * bytecode/UnlinkedCodeBlock.cpp:
383         (JSC::UnlinkedFunctionExecutable::visitChildren):
384         (JSC::UnlinkedFunctionExecutable::link):
385         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
386         * bytecode/UnlinkedCodeBlock.h:
387         (JSC::UnlinkedCodeBlock::addExceptionHandler):
388         (JSC::UnlinkedCodeBlock::exceptionHandler):
389         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
390         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
391         (JSC::UnlinkedCodeBlock::symbolTable): Deleted.
392         (JSC::UnlinkedCodeBlock::setSymbolTable): Deleted.
393         * bytecompiler/BytecodeGenerator.cpp:
394         (JSC::BytecodeGenerator::generate):
395         (JSC::BytecodeGenerator::BytecodeGenerator):
396         (JSC::BytecodeGenerator::pushLexicalScope):
397         (JSC::BytecodeGenerator::variableForLocalEntry):
398         (JSC::BytecodeGenerator::createVariable):
399         (JSC::BytecodeGenerator::resolveType):
400         (JSC::BytecodeGenerator::emitResolveScope):
401         * bytecompiler/BytecodeGenerator.h:
402         (JSC::BytecodeGenerator::thisRegister):
403         (JSC::BytecodeGenerator::instructions):
404         (JSC::BytecodeGenerator::symbolTable): Deleted.
405         * dfg/DFGGraph.h:
406         (JSC::DFG::Graph::baselineCodeBlockFor):
407         (JSC::DFG::Graph::isStrictModeFor):
408         (JSC::DFG::Graph::symbolTableFor): Deleted.
409         * jit/AssemblyHelpers.h:
410         (JSC::AssemblyHelpers::baselineCodeBlock):
411         (JSC::AssemblyHelpers::argumentsStart):
412         (JSC::AssemblyHelpers::symbolTableFor): Deleted.
413         * runtime/CommonSlowPaths.cpp:
414         (JSC::SLOW_PATH_DECL):
415         * runtime/Executable.cpp:
416         (JSC::FunctionExecutable::visitChildren):
417         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
418         (JSC::FunctionExecutable::symbolTable): Deleted.
419         * runtime/Executable.h:
420
421 2015-07-18  Filip Pizlo  <fpizlo@apple.com>
422
423         REGRESSION(186691): OSR entry is broken on loop headers that have no live variables
424         https://bugs.webkit.org/show_bug.cgi?id=147074
425         rdar://problem/21869970
426
427         Reviewed by Michael Saboff.
428         
429         The OSR entry must-handle block/value widening introduced in r186691 would cause the
430         CFA to reexecute if it caused any live local variables to change value. But this fails
431         if the must-handle block has no live local variables, and the entry block otherwise
432         appears to be unreachable.
433         
434         This fixes the bug by having the change detection include whether the block hadn't been
435         visited in addition to whether any local variable values got widened.
436         
437         This is a ~4% speed-up on SunSpider in browser.
438
439         * dfg/DFGCFAPhase.cpp:
440         (JSC::DFG::CFAPhase::run):
441
442 2015-07-20  Mark Lam  <mark.lam@apple.com>
443
444         Rollout r187020 and r187021: breaks JSC API tests on debug builds.
445         https://bugs.webkit.org/show_bug.cgi?id=147110
446
447         * heap/MachineStackMarker.cpp:
448         (JSC::MachineThreads::addCurrentThread):
449         * runtime/JSLock.cpp:
450         (JSC::JSLockHolder::~JSLockHolder):
451         (JSC::JSLock::JSLock):
452         (JSC::JSLock::willDestroyVM):
453         (JSC::JSLock::setExclusiveThread):
454         (JSC::JSLock::lock):
455         (JSC::JSLock::unlock):
456         (JSC::JSLock::currentThreadIsHoldingLock):
457         (JSC::JSLock::dropAllLocks):
458         * runtime/JSLock.h:
459         (JSC::JSLock::vm):
460         (JSC::JSLock::hasExclusiveThread):
461         (JSC::JSLock::exclusiveThread):
462         * runtime/VM.h:
463         (JSC::VM::hasExclusiveThread):
464         (JSC::VM::exclusiveThread):
465         (JSC::VM::setExclusiveThread):
466
467 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
468
469         Unreviewed debug build fix after r187020.
470
471         * heap/MachineStackMarker.cpp:
472         (JSC::MachineThreads::addCurrentThread):
473         VM::exclusiveThread() has changed return type to ThreadIdentifier.
474
475 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
476
477         JavaScriptCore performance is very bad on Windows
478         https://bugs.webkit.org/show_bug.cgi?id=146448
479
480         Reviewed by Mark Lam.
481
482         Profiling shows that std::this_thread::get_id() is slow on Windows.
483         Use WTF::currentThread() instead, which calls GetCurrentThreadId().
484         This is faster on Windows. The issue has been reported to Microsoft,
485         https://connect.microsoft.com/VisualStudio/feedback/details/1558211.
486
487         * runtime/JSLock.cpp:
488         (JSC::JSLockHolder::~JSLockHolder):
489         (JSC::JSLock::JSLock):
490         (JSC::JSLock::willDestroyVM):
491         (JSC::JSLock::setExclusiveThread):
492         (JSC::JSLock::lock):
493         (JSC::JSLock::unlock):
494         (JSC::JSLock::currentThreadIsHoldingLock):
495         * runtime/JSLock.h:
496         (JSC::JSLock::vm):
497         (JSC::JSLock::hasExclusiveThread):
498         (JSC::JSLock::exclusiveThread):
499         * runtime/VM.h:
500         (JSC::VM::hasExclusiveThread):
501         (JSC::VM::exclusiveThread):
502         (JSC::VM::setExclusiveThread):
503
504 2015-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
505
506         In strict mode, `Object.keys(arguments)` includes "length"
507         https://bugs.webkit.org/show_bug.cgi?id=147071
508
509         Reviewed by Darin Adler.
510
511         ClonedAguments didn't set the "length" with DontEnum.
512
513         * runtime/ClonedArguments.cpp:
514         (JSC::ClonedArguments::createWithInlineFrame):
515         (JSC::ClonedArguments::createByCopyingFrom):
516         * tests/stress/arguments-length-always-dont-enum.js: Added.
517         (shouldBe):
518         (argsSloppy):
519         (argsStrict):
520
521 2015-07-19  Jordan Harband  <ljharb@gmail.com>
522
523         new Date(NaN).toJSON() must return null instead of throwing a TypeError
524         https://bugs.webkit.org/show_bug.cgi?id=141115
525
526         Reviewed by Yusuke Suzuki.
527
528         * runtime/DatePrototype.cpp:
529         (JSC::dateProtoFuncToJSON):
530
531 2015-07-19  Saam barati  <saambarati1@gmail.com>
532
533         Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions
534         https://bugs.webkit.org/show_bug.cgi?id=147090
535
536         Reviewed by Yusuke Suzuki.
537
538         ArrowFunction's have there ParserFunctionInfo "name" field to 
539         be a non-null pointer. This is obviously allowed and valid except we 
540         had a RELEASE_ASSERT that claimed otherwise. This is a mistake. 
541
542         Note: ArrowFunction's will never actually have a function name;
543         there ParserFunctionInfo "name" field will be the empty string. 
544         This is not be mistaken with the name field being a null pointer.
545
546         * parser/Parser.cpp:
547         (JSC::Parser<LexerType>::parseFunctionInfo):
548
549 2015-07-18  Saam barati  <saambarati1@gmail.com>
550
551         [ES6] Add support for block scope const
552         https://bugs.webkit.org/show_bug.cgi?id=31813
553
554         Reviewed by Filip Pizlo.
555
556         'const' is now implemented in an ES6 spec compliant manner.
557         'const' variables are always block scoped and always live
558         either on the stack or in a JSLexicalEnvironment. 'const'
559         variables never live on the global object.
560
561         Inside the BytecodeGenerator, when assigning to a stack
562         'const' variable or a LocalClosureVar 'const' variable,
563         we will emit code that just throws a type error.
564         When assigning to a ClosureVar const variable, CodeBlock linking
565         will ensure that we perform a dynamic lookup of that variable so
566         that put_to_scope's slow path throws a type error.
567
568         The old 'const' implementation has been removed in this patch.
569
570         * bytecode/BytecodeList.json:
571         * bytecode/BytecodeUseDef.h:
572         (JSC::computeUsesForBytecodeOffset):
573         (JSC::computeDefsForBytecodeOffset):
574         * bytecode/CodeBlock.cpp:
575         (JSC::CodeBlock::dumpBytecode):
576         (JSC::CodeBlock::CodeBlock):
577         * bytecompiler/BytecodeGenerator.cpp:
578         (JSC::BytecodeGenerator::BytecodeGenerator):
579         (JSC::BytecodeGenerator::pushLexicalScope):
580         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
581         (JSC::BytecodeGenerator::variable):
582         (JSC::BytecodeGenerator::variableForLocalEntry):
583         (JSC::BytecodeGenerator::createVariable):
584         (JSC::BytecodeGenerator::emitResolveScope):
585         (JSC::BytecodeGenerator::emitInstanceOf):
586         (JSC::BytecodeGenerator::emitGetById):
587         (JSC::BytecodeGenerator::isArgumentNumber):
588         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
589         (JSC::BytecodeGenerator::emitEnumeration):
590         (JSC::BytecodeGenerator::variablePerSymbolTable): Deleted.
591         (JSC::BytecodeGenerator::emitInitGlobalConst): Deleted.
592         * bytecompiler/BytecodeGenerator.h:
593         (JSC::Variable::Variable):
594         (JSC::Variable::isReadOnly):
595         (JSC::Variable::isSpecial):
596         (JSC::Variable::isConst):
597         (JSC::BytecodeGenerator::thisRegister):
598         (JSC::BytecodeGenerator::emitTypeOf):
599         (JSC::BytecodeGenerator::emitIn):
600         * bytecompiler/NodesCodegen.cpp:
601         (JSC::PostfixNode::emitResolve):
602         (JSC::PrefixNode::emitResolve):
603         (JSC::ReadModifyResolveNode::emitBytecode):
604         (JSC::AssignResolveNode::emitBytecode):
605         (JSC::CommaNode::emitBytecode):
606         (JSC::BindingNode::bindValue):
607         (JSC::ConstDeclNode::emitCodeSingle): Deleted.
608         (JSC::ConstDeclNode::emitBytecode): Deleted.
609         (JSC::ConstStatementNode::emitBytecode): Deleted.
610         * dfg/DFGByteCodeParser.cpp:
611         (JSC::DFG::ByteCodeParser::parseBlock):
612         * dfg/DFGCapabilities.cpp:
613         (JSC::DFG::capabilityLevel):
614         * jit/JIT.cpp:
615         (JSC::JIT::privateCompileMainPass):
616         * jit/JIT.h:
617         * jit/JITPropertyAccess.cpp:
618         (JSC::JIT::emit_op_put_to_arguments):
619         (JSC::JIT::emit_op_init_global_const): Deleted.
620         * jit/JITPropertyAccess32_64.cpp:
621         (JSC::JIT::emit_op_put_to_arguments):
622         (JSC::JIT::emit_op_init_global_const): Deleted.
623         * llint/LowLevelInterpreter.asm:
624         * llint/LowLevelInterpreter32_64.asm:
625         * llint/LowLevelInterpreter64.asm:
626         * parser/ASTBuilder.h:
627         (JSC::ASTBuilder::createDeclarationStatement):
628         (JSC::ASTBuilder::createEmptyVarExpression):
629         (JSC::ASTBuilder::createDebugger):
630         (JSC::ASTBuilder::appendStatement):
631         (JSC::ASTBuilder::createVarStatement): Deleted.
632         (JSC::ASTBuilder::createLetStatement): Deleted.
633         (JSC::ASTBuilder::createConstStatement): Deleted.
634         (JSC::ASTBuilder::appendConstDecl): Deleted.
635         * parser/NodeConstructors.h:
636         (JSC::CommaNode::CommaNode):
637         (JSC::SourceElements::SourceElements):
638         (JSC::SwitchNode::SwitchNode):
639         (JSC::BlockNode::BlockNode):
640         (JSC::ConstStatementNode::ConstStatementNode): Deleted.
641         (JSC::ConstDeclNode::ConstDeclNode): Deleted.
642         * parser/Nodes.h:
643         (JSC::ConstDeclNode::hasInitializer): Deleted.
644         (JSC::ConstDeclNode::ident): Deleted.
645         * parser/Parser.cpp:
646         (JSC::Parser<LexerType>::parseStatementListItem):
647         (JSC::Parser<LexerType>::parseVariableDeclaration):
648         (JSC::Parser<LexerType>::parseWhileStatement):
649         (JSC::Parser<LexerType>::parseVariableDeclarationList):
650         (JSC::Parser<LexerType>::createBindingPattern):
651         (JSC::Parser<LexerType>::parseDestructuringPattern):
652         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
653         (JSC::Parser<LexerType>::parseForStatement):
654         (JSC::Parser<LexerType>::parseTryStatement):
655         (JSC::Parser<LexerType>::parseFunctionInfo):
656         (JSC::Parser<LexerType>::parseFunctionDeclaration):
657         (JSC::Parser<LexerType>::parseClass):
658         (JSC::Parser<LexerType>::parseConstDeclaration): Deleted.
659         (JSC::Parser<LexerType>::parseConstDeclarationList): Deleted.
660         * parser/Parser.h:
661         (JSC::isEvalNode):
662         (JSC::isEvalNode<EvalNode>):
663         (JSC::isArguments):
664         (JSC::isEval):
665         (JSC::isEvalOrArgumentsIdentifier):
666         (JSC::Scope::Scope):
667         (JSC::Scope::declareCallee):
668         (JSC::Scope::declareVariable):
669         (JSC::Scope::declareLexicalVariable):
670         (JSC::Scope::hasDeclaredVariable):
671         (JSC::Scope::allowsVarDeclarations):
672         (JSC::Scope::allowsLexicalDeclarations):
673         (JSC::Scope::declareParameter):
674         (JSC::Scope::declareBoundParameter):
675         (JSC::Parser::destructuringKindFromDeclarationType):
676         (JSC::Parser::assignmentContextFromDeclarationType):
677         (JSC::Parser::isEvalOrArguments):
678         (JSC::Parser::currentScope):
679         (JSC::Parser::popScope):
680         (JSC::Parser::declareVariable):
681         (JSC::Parser::hasDeclaredVariable):
682         (JSC::Parser::setStrictMode):
683         (JSC::Parser::strictMode):
684         (JSC::Parser::isValidStrictMode):
685         (JSC::Parser::declareParameter):
686         (JSC::Parser::declareBoundParameter):
687         (JSC::Parser::breakIsValid):
688         * parser/SyntaxChecker.h:
689         (JSC::SyntaxChecker::createForInLoop):
690         (JSC::SyntaxChecker::createForOfLoop):
691         (JSC::SyntaxChecker::createEmptyStatement):
692         (JSC::SyntaxChecker::createDeclarationStatement):
693         (JSC::SyntaxChecker::createReturnStatement):
694         (JSC::SyntaxChecker::createBreakStatement):
695         (JSC::SyntaxChecker::createVarStatement): Deleted.
696         (JSC::SyntaxChecker::createLetStatement): Deleted.
697         * parser/VariableEnvironment.h:
698         (JSC::VariableEnvironmentEntry::isCaptured):
699         (JSC::VariableEnvironmentEntry::isConst):
700         (JSC::VariableEnvironmentEntry::isVar):
701         (JSC::VariableEnvironmentEntry::isLet):
702         (JSC::VariableEnvironmentEntry::setIsCaptured):
703         (JSC::VariableEnvironmentEntry::setIsConst):
704         (JSC::VariableEnvironmentEntry::setIsVar):
705         (JSC::VariableEnvironmentEntry::setIsLet):
706         (JSC::VariableEnvironmentEntry::isConstant): Deleted.
707         (JSC::VariableEnvironmentEntry::setIsConstant): Deleted.
708         * runtime/Executable.cpp:
709         (JSC::ProgramExecutable::initializeGlobalProperties):
710         * runtime/JSGlobalObject.cpp:
711         (JSC::JSGlobalObject::defineOwnProperty):
712         (JSC::JSGlobalObject::addGlobalVar):
713         (JSC::JSGlobalObject::addFunction):
714         (JSC::lastInPrototypeChain):
715         * runtime/JSGlobalObject.h:
716         (JSC::JSGlobalObject::finishCreation):
717         (JSC::JSGlobalObject::addVar):
718         (JSC::JSGlobalObject::addConst): Deleted.
719         * runtime/JSLexicalEnvironment.cpp:
720         (JSC::JSLexicalEnvironment::symbolTablePut):
721         * tests/stress/const-and-with-statement.js: Added.
722         (truth):
723         (assert):
724         (shouldThrowInvalidConstAssignment):
725         (.):
726         * tests/stress/const-exception-handling.js: Added.
727         (truth):
728         (assert):
729         (.):
730         * tests/stress/const-loop-semantics.js: Added.
731         (truth):
732         (assert):
733         (shouldThrowInvalidConstAssignment):
734         (.):
735         * tests/stress/const-not-strict-mode.js: Added.
736         (truth):
737         (assert):
738         (shouldThrowTDZ):
739         (.):
740         * tests/stress/const-semantics.js: Added.
741         (truth):
742         (assert):
743         (shouldThrowInvalidConstAssignment):
744         (.):
745         * tests/stress/const-tdz.js: Added.
746         (truth):
747         (assert):
748         (shouldThrowTDZ):
749         (.):
750
751 2015-07-18  Saam barati  <saambarati1@gmail.com>
752
753         lexical scoping is broken with respect to "break" and "continue"
754         https://bugs.webkit.org/show_bug.cgi?id=147063
755
756         Reviewed by Filip Pizlo.
757
758         Bug #142944 which introduced "let" and lexical scoping
759         didn't properly hook into the bytecode generator's machinery
760         for calculating scope depth deltas for "break" and "continue". This
761         resulted in the bytecode generator popping an incorrect number
762         of scopes when lexical scopes were involved.
763
764         This patch fixes this problem and generalizes this machinery a bit.
765         This patch also renames old functions in a sensible way that is more
766         coherent in a world with lexical scoping.
767
768         * bytecompiler/BytecodeGenerator.cpp:
769         (JSC::BytecodeGenerator::BytecodeGenerator):
770         (JSC::BytecodeGenerator::newLabelScope):
771         (JSC::BytecodeGenerator::emitProfileType):
772         (JSC::BytecodeGenerator::pushLexicalScope):
773         (JSC::BytecodeGenerator::popLexicalScope):
774         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
775         (JSC::BytecodeGenerator::resolveType):
776         (JSC::BytecodeGenerator::emitResolveScope):
777         (JSC::BytecodeGenerator::emitGetFromScope):
778         (JSC::BytecodeGenerator::emitPutToScope):
779         (JSC::BytecodeGenerator::emitPushWithScope):
780         (JSC::BytecodeGenerator::emitGetParentScope):
781         (JSC::BytecodeGenerator::emitPopScope):
782         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
783         (JSC::BytecodeGenerator::emitPopScopes):
784         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
785         (JSC::BytecodeGenerator::localScopeDepth):
786         (JSC::BytecodeGenerator::labelScopeDepth):
787         (JSC::BytecodeGenerator::emitThrowReferenceError):
788         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
789         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
790         (JSC::BytecodeGenerator::popScopedControlFlowContext):
791         (JSC::BytecodeGenerator::emitPushCatchScope):
792         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
793         * bytecompiler/BytecodeGenerator.h:
794         (JSC::BytecodeGenerator::hasFinaliser):
795         (JSC::BytecodeGenerator::scopeDepth): Deleted.
796         * bytecompiler/NodesCodegen.cpp:
797         (JSC::ContinueNode::trivialTarget):
798         (JSC::BreakNode::trivialTarget):
799         (JSC::ReturnNode::emitBytecode):
800         (JSC::WithNode::emitBytecode):
801         (JSC::TryNode::emitBytecode):
802         * tests/stress/lexical-scoping-break-continue.js: Added.
803         (assert):
804         (.):
805
806 2015-07-18  Commit Queue  <commit-queue@webkit.org>
807
808         Unreviewed, rolling out r186996.
809         https://bugs.webkit.org/show_bug.cgi?id=147070
810
811         Broke JSC tests (Requested by smfr on #webkit).
812
813         Reverted changeset:
814
815         "lexical scoping is broken with respect to "break" and
816         "continue""
817         https://bugs.webkit.org/show_bug.cgi?id=147063
818         http://trac.webkit.org/changeset/186996
819
820 2015-07-18  Saam barati  <saambarati1@gmail.com>
821
822         lexical scoping is broken with respect to "break" and "continue"
823         https://bugs.webkit.org/show_bug.cgi?id=147063
824
825         Reviewed by Filip Pizlo.
826
827         Bug #142944 which introduced "let" and lexical scoping
828         didn't properly hook into the bytecode generator's machinery
829         for calculating scope depth deltas for "break" and "continue". This
830         resulted in the bytecode generator popping an incorrect number
831         of scopes when lexical scopes were involved.
832
833         This patch fixes this problem and generalizes this machinery a bit.
834         This patch also renames old functions in a sensible way that is more
835         coherent in a world with lexical scoping.
836
837         * bytecompiler/BytecodeGenerator.cpp:
838         (JSC::BytecodeGenerator::BytecodeGenerator):
839         (JSC::BytecodeGenerator::newLabelScope):
840         (JSC::BytecodeGenerator::emitProfileType):
841         (JSC::BytecodeGenerator::pushLexicalScope):
842         (JSC::BytecodeGenerator::popLexicalScope):
843         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
844         (JSC::BytecodeGenerator::resolveType):
845         (JSC::BytecodeGenerator::emitResolveScope):
846         (JSC::BytecodeGenerator::emitGetFromScope):
847         (JSC::BytecodeGenerator::emitPutToScope):
848         (JSC::BytecodeGenerator::emitPushWithScope):
849         (JSC::BytecodeGenerator::emitGetParentScope):
850         (JSC::BytecodeGenerator::emitPopScope):
851         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
852         (JSC::BytecodeGenerator::emitPopScopes):
853         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
854         (JSC::BytecodeGenerator::localScopeDepth):
855         (JSC::BytecodeGenerator::labelScopeDepth):
856         (JSC::BytecodeGenerator::emitThrowReferenceError):
857         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
858         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
859         (JSC::BytecodeGenerator::popScopedControlFlowContext):
860         (JSC::BytecodeGenerator::emitPushCatchScope):
861         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
862         * bytecompiler/BytecodeGenerator.h:
863         (JSC::BytecodeGenerator::hasFinaliser):
864         (JSC::BytecodeGenerator::scopeDepth): Deleted.
865         * bytecompiler/NodesCodegen.cpp:
866         (JSC::ContinueNode::trivialTarget):
867         (JSC::BreakNode::trivialTarget):
868         (JSC::ReturnNode::emitBytecode):
869         (JSC::WithNode::emitBytecode):
870         (JSC::TryNode::emitBytecode):
871         * tests/stress/lexical-scoping-break-continue.js: Added.
872         (assert):
873         (.):
874
875 2015-07-17  Filip Pizlo  <fpizlo@apple.com>
876
877         DFG should have some obvious mitigations against watching structures that are unprofitable to watch
878         https://bugs.webkit.org/show_bug.cgi?id=147034
879
880         Reviewed by Mark Lam and Michael Saboff.
881         
882         This implements two guards against the DFG watching structures that are likely to fire
883         their watchpoints:
884         
885         - Don't watch dictionaries or any structure that had a dictionary in its past. Dictionaries
886           can be flattened, and then they can transform back to dictionaries.
887         
888         - Don't watch structures whose past structures were transitioned-away from while their
889           transition watchpoints were being watched. This property gives us monotonicity: if we
890           recompile because we watched structure S1 of object O, then we won't make the same mistake
891           again when object O has structure S2, S3, and so on.
892         
893         This is a 1.5% speed-up on Kraken. It does penalize some Octane tests, but it also seems to
894         help some of them, so on Octane it's basically neutral.
895
896         * bytecode/Watchpoint.h:
897         (JSC::WatchpointSet::invalidate):
898         (JSC::WatchpointSet::isBeingWatched):
899         (JSC::WatchpointSet::addressOfState):
900         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
901         (JSC::InlineWatchpointSet::touch):
902         (JSC::InlineWatchpointSet::isBeingWatched):
903         * runtime/JSGlobalObject.h:
904         (JSC::JSGlobalObject::createStructure):
905         (JSC::JSGlobalObject::registerWeakMap):
906         * runtime/Structure.cpp:
907         (JSC::Structure::Structure):
908         (JSC::Structure::toDictionaryTransition):
909         (JSC::Structure::didTransitionFromThisStructure):
910         * runtime/Structure.h:
911
912 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
913
914         Remove DFG::DesiredWriteBarriers because it's just a very difficult way of saying "please barrier the machine code block owner"
915         https://bugs.webkit.org/show_bug.cgi?id=147030
916
917         Reviewed by Andreas Kling.
918         
919         All of the users of DesiredWriteBarriers were just using it to request that Plan
920         finalization executes a barrier on codeBlock->ownerExecutable. Indeed, that's the only
921         owning cell in the heap that compilation affects. So, we might as well just have Plan
922         unconditionally execute that barrier and then we don't need DesiredWriteBarriers at
923         all.
924
925         * CMakeLists.txt:
926         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
927         * JavaScriptCore.xcodeproj/project.pbxproj:
928         * dfg/DFGByteCodeParser.cpp:
929         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
930         * dfg/DFGDesiredWriteBarriers.cpp: Removed.
931         * dfg/DFGDesiredWriteBarriers.h: Removed.
932         * dfg/DFGGraph.cpp:
933         (JSC::DFG::Graph::registerFrozenValues):
934         * dfg/DFGPlan.cpp:
935         (JSC::DFG::Plan::reallyAdd):
936         (JSC::DFG::Plan::notifyCompiling):
937         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
938         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
939         (JSC::DFG::Plan::cancel):
940         * dfg/DFGPlan.h:
941
942 2015-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
943
944         Integrate automatic microtask draining into JSC framework and re-enable Promise
945         https://bugs.webkit.org/show_bug.cgi?id=146828
946
947         Reviewed by Sam Weinig.
948
949         Add automatic microtask draining system into JSC framework.
950         When the depth of VM lock becomes 0, before this, we drain the queued microtasks.
951         Enqueuing behavior can be injected by the JSGlobalObject's method table.
952         It is utilized in WebCore to post the microtask to WebCore's event loop.
953
954         In the case of JSC interactive shell, VM depth is always greater than 0.
955         So we manually drains the queued microtasks after evaluating the written line.
956
957         Since now JSC framework has the microtask queue, we can drain the queued microtasks.
958         So re-enable the Promise in the JSC framework context.
959
960         * API/JSContextRef.cpp:
961         (javaScriptRuntimeFlags): Deleted.
962         * API/tests/testapi.c:
963         (main):
964         * API/tests/testapi.mm:
965         (testObjectiveCAPIMain):
966         * jsc.cpp:
967         (runInteractive):
968         * runtime/JSGlobalObject.cpp:
969         (JSC::JSGlobalObject::queueMicrotask):
970         * runtime/JSLock.cpp:
971         (JSC::JSLock::willReleaseLock):
972         * runtime/VM.cpp:
973         (JSC::VM::queueMicrotask):
974         (JSC::VM::drainMicrotasks):
975         (JSC::QueuedTask::run):
976         * runtime/VM.h:
977         (JSC::QueuedTask::QueuedTask):
978
979 2015-07-17  Saam barati  <saambarati1@gmail.com>
980
981         Function parameters should be parsed in the same parser arena as the function body
982         https://bugs.webkit.org/show_bug.cgi?id=145995
983
984         Reviewed by Yusuke Suzuki.
985
986         This patch changes how functions are parsed in JSC. A function's
987         parameters are now parsed in the same arena as the function itself.
988         This allows us to arena allocate all destructuring AST nodes and
989         the FunctionParameters node. This will help make implementing ES6
990         default parameter values sane.
991
992         A source code that represents a function now includes the text of the function's 
993         parameters. The starting offset is at the opening parenthesis of the parameter
994         list or at the starting character of the identifier for arrow functions that
995         have single arguments and don't start with parenthesis.
996
997         For example:
998
999         "function (param1, param2) { ... }"
1000                                    ^
1001                                    | This offset used to be the starting offset of a function's SourceCode
1002                   ^
1003                   | This is the new starting offset for a function's SourceCode.
1004
1005         This requires us to change how some offsets are calculated
1006         and also requires us to report some different line numbers for internal
1007         metrics that use a SourceCode's starting line and column numbers.
1008
1009         This patch also does a bit of cleanup with regards to how
1010         functions are parsed in general (especially arrow functions).
1011         It removes some unnecessary #ifdefs and the likes for arrow
1012         to make things clearer and more deliberate.
1013
1014         * API/JSScriptRef.cpp:
1015         (parseScript):
1016         * builtins/BuiltinExecutables.cpp:
1017         (JSC::BuiltinExecutables::createExecutableInternal):
1018         * bytecode/UnlinkedCodeBlock.cpp:
1019         (JSC::generateFunctionCodeBlock):
1020         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1021         (JSC::UnlinkedFunctionExecutable::visitChildren):
1022         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
1023         * bytecode/UnlinkedCodeBlock.h:
1024         * bytecompiler/NodesCodegen.cpp:
1025         (JSC::DestructuringAssignmentNode::emitBytecode):
1026         (JSC::assignDefaultValueIfUndefined):
1027         (JSC::ArrayPatternNode::collectBoundIdentifiers):
1028         (JSC::DestructuringPatternNode::~DestructuringPatternNode): Deleted.
1029         * parser/ASTBuilder.h:
1030         (JSC::ASTBuilder::createClassExpr):
1031         (JSC::ASTBuilder::createFunctionExpr):
1032         (JSC::ASTBuilder::createFunctionBody):
1033         (JSC::ASTBuilder::createArrowFunctionExpr):
1034         (JSC::ASTBuilder::createGetterOrSetterProperty):
1035         (JSC::ASTBuilder::createElementList):
1036         (JSC::ASTBuilder::createFormalParameterList):
1037         (JSC::ASTBuilder::appendParameter):
1038         (JSC::ASTBuilder::createClause):
1039         (JSC::ASTBuilder::createClauseList):
1040         (JSC::ASTBuilder::createFuncDeclStatement):
1041         (JSC::ASTBuilder::createForInLoop):
1042         (JSC::ASTBuilder::createForOfLoop):
1043         (JSC::ASTBuilder::isResolve):
1044         (JSC::ASTBuilder::createDestructuringAssignment):
1045         (JSC::ASTBuilder::createArrayPattern):
1046         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
1047         (JSC::ASTBuilder::appendArrayPatternEntry):
1048         (JSC::ASTBuilder::appendArrayPatternRestEntry):
1049         (JSC::ASTBuilder::finishArrayPattern):
1050         (JSC::ASTBuilder::createObjectPattern):
1051         (JSC::ASTBuilder::appendObjectPatternEntry):
1052         (JSC::ASTBuilder::createBindingLocation):
1053         (JSC::ASTBuilder::setEndOffset):
1054         * parser/Lexer.cpp:
1055         (JSC::Lexer<T>::Lexer):
1056         (JSC::Lexer<T>::nextTokenIsColon):
1057         (JSC::Lexer<T>::setTokenPosition):
1058         (JSC::Lexer<T>::lex):
1059         (JSC::Lexer<T>::clear):
1060         * parser/Lexer.h:
1061         (JSC::Lexer::setIsReparsingFunction):
1062         (JSC::Lexer::isReparsingFunction):
1063         (JSC::Lexer::lineNumber):
1064         (JSC::Lexer::setIsReparsing): Deleted.
1065         (JSC::Lexer::isReparsing): Deleted.
1066         * parser/NodeConstructors.h:
1067         (JSC::TryNode::TryNode):
1068         (JSC::FunctionParameters::FunctionParameters):
1069         (JSC::FuncExprNode::FuncExprNode):
1070         (JSC::FuncDeclNode::FuncDeclNode):
1071         (JSC::ArrayPatternNode::ArrayPatternNode):
1072         (JSC::ObjectPatternNode::ObjectPatternNode):
1073         (JSC::BindingNode::BindingNode):
1074         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
1075         (JSC::ParameterNode::ParameterNode): Deleted.
1076         (JSC::ArrayPatternNode::create): Deleted.
1077         (JSC::ObjectPatternNode::create): Deleted.
1078         (JSC::BindingNode::create): Deleted.
1079         * parser/Nodes.cpp:
1080         (JSC::ProgramNode::ProgramNode):
1081         (JSC::EvalNode::EvalNode):
1082         (JSC::FunctionBodyNode::FunctionBodyNode):
1083         (JSC::FunctionBodyNode::finishParsing):
1084         (JSC::FunctionNode::FunctionNode):
1085         (JSC::FunctionNode::finishParsing):
1086         (JSC::FunctionParameters::create): Deleted.
1087         (JSC::FunctionParameters::FunctionParameters): Deleted.
1088         (JSC::FunctionParameters::~FunctionParameters): Deleted.
1089         * parser/Nodes.h:
1090         (JSC::ProgramNode::startColumn):
1091         (JSC::ProgramNode::endColumn):
1092         (JSC::EvalNode::startColumn):
1093         (JSC::EvalNode::endColumn):
1094         (JSC::FunctionParameters::size):
1095         (JSC::FunctionParameters::at):
1096         (JSC::FunctionParameters::append):
1097         (JSC::FuncExprNode::body):
1098         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
1099         (JSC::DestructuringPatternNode::isBindingNode):
1100         (JSC::DestructuringPatternNode::emitDirectBinding):
1101         (JSC::ArrayPatternNode::appendIndex):
1102         (JSC::ObjectPatternNode::appendEntry):
1103         (JSC::BindingNode::boundProperty):
1104         (JSC::BindingNode::divotStart):
1105         (JSC::BindingNode::divotEnd):
1106         (JSC::DestructuringAssignmentNode::bindings):
1107         (JSC::FuncDeclNode::body):
1108         (JSC::ParameterNode::pattern): Deleted.
1109         (JSC::ParameterNode::nextParam): Deleted.
1110         (JSC::FunctionParameters::patterns): Deleted.
1111         * parser/Parser.cpp:
1112         (JSC::Parser<LexerType>::Parser):
1113         (JSC::Parser<LexerType>::~Parser):
1114         (JSC::Parser<LexerType>::parseInner):
1115         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
1116         (JSC::Parser<LexerType>::parseSourceElements):
1117         (JSC::Parser<LexerType>::createBindingPattern):
1118         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
1119         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
1120         (JSC::Parser<LexerType>::parseSwitchClauses):
1121         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
1122         (JSC::Parser<LexerType>::parseBlockStatement):
1123         (JSC::Parser<LexerType>::parseStatement):
1124         (JSC::Parser<LexerType>::parseFormalParameters):
1125         (JSC::Parser<LexerType>::parseFunctionBody):
1126         (JSC::stringForFunctionMode):
1127         (JSC::Parser<LexerType>::parseFunctionParameters):
1128         (JSC::Parser<LexerType>::parseFunctionInfo):
1129         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1130         (JSC::Parser<LexerType>::parseClass):
1131         (JSC::Parser<LexerType>::parsePrimaryExpression):
1132         (JSC::Parser<LexerType>::parseMemberExpression):
1133         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1134         (JSC::operatorString):
1135         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody): Deleted.
1136         * parser/Parser.h:
1137         (JSC::Parser::positionBeforeLastNewline):
1138         (JSC::Parser::locationBeforeLastToken):
1139         (JSC::Parser::findCachedFunctionInfo):
1140         (JSC::Parser::isofToken):
1141         (JSC::Parser::isEndOfArrowFunction):
1142         (JSC::Parser::isArrowFunctionParamters):
1143         (JSC::Parser::tokenStart):
1144         (JSC::Parser::isLETMaskedAsIDENT):
1145         (JSC::Parser::autoSemiColon):
1146         (JSC::Parser::setEndOfStatement):
1147         (JSC::Parser::canRecurse):
1148         (JSC::Parser<LexerType>::parse):
1149         (JSC::parse):
1150         * parser/ParserFunctionInfo.h:
1151         * parser/ParserModes.h:
1152         (JSC::functionNameIsInScope):
1153         * parser/SourceCode.h:
1154         (JSC::makeSource):
1155         (JSC::SourceCode::subExpression):
1156         (JSC::SourceCode::subArrowExpression): Deleted.
1157         * parser/SourceProviderCache.h:
1158         (JSC::SourceProviderCache::get):
1159         * parser/SourceProviderCacheItem.h:
1160         (JSC::SourceProviderCacheItem::endFunctionToken):
1161         (JSC::SourceProviderCacheItem::usedVariables):
1162         (JSC::SourceProviderCacheItem::writtenVariables):
1163         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1164         * parser/SyntaxChecker.h:
1165         (JSC::SyntaxChecker::SyntaxChecker):
1166         (JSC::SyntaxChecker::createClassExpr):
1167         (JSC::SyntaxChecker::createFunctionExpr):
1168         (JSC::SyntaxChecker::createFunctionBody):
1169         (JSC::SyntaxChecker::createArrowFunctionExpr):
1170         (JSC::SyntaxChecker::setFunctionNameStart):
1171         (JSC::SyntaxChecker::createArguments):
1172         (JSC::SyntaxChecker::createPropertyList):
1173         (JSC::SyntaxChecker::createElementList):
1174         (JSC::SyntaxChecker::createFormalParameterList):
1175         (JSC::SyntaxChecker::appendParameter):
1176         (JSC::SyntaxChecker::createClause):
1177         (JSC::SyntaxChecker::createClauseList):
1178         * runtime/CodeCache.cpp:
1179         (JSC::CodeCache::getGlobalCodeBlock):
1180         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1181         * runtime/Completion.cpp:
1182         (JSC::checkSyntax):
1183         * runtime/Executable.cpp:
1184         (JSC::ProgramExecutable::checkSyntax):
1185         * tests/controlFlowProfiler/conditional-expression.js:
1186         (testConditionalFunctionCall):
1187
1188 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
1189
1190         Unreviewed, fix build for newer LLVMs.
1191
1192         * llvm/LLVMHeaders.h:
1193         * llvm/library/LLVMExports.cpp:
1194
1195 2015-07-16  Mark Lam  <mark.lam@apple.com>
1196
1197         RegExp::match() should set m_state to ByteCode if compilation fails.
1198         https://bugs.webkit.org/show_bug.cgi?id=147023
1199
1200         Reviewed by Michael Saboff.
1201
1202         A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
1203         If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
1204         Subsequently, if RegExp tries to compile another one of these but fails, m_state
1205         will be left untouched i.e. it still says JITCode.  As a result, when
1206         RegExp::match() later tries to execute the non-existant compiled code, it will
1207         crash.
1208
1209         The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
1210         This failure should be rare.  We'll do the minimal work here to fix the issue and
1211         keep an eye on the perf bots.  If perf regresses, we can do some optimization work then.
1212
1213         This issue is difficult to test for since it either requires a low memory condition
1214         to trigger a failed RegExp compilation at the right moment, or for the RegExp to
1215         succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
1216         Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
1217         10 compilation attempts.
1218
1219         * runtime/RegExp.cpp:
1220         (JSC::RegExp::compile):
1221         (JSC::RegExp::compileMatchOnly):
1222
1223 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
1224
1225         [Win] Fix armv7 build.
1226
1227         * jit/CCallHelpers.h:
1228         (JSC::CCallHelpers::setupArgumentsWithExecState): The 64-bit argument
1229         version of poke is not available on armv7 builds.
1230
1231 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
1232
1233         [Win] 64-bit Build Failure
1234         https://bugs.webkit.org/show_bug.cgi?id=146989
1235
1236         Reviewed by Mark Lam.
1237
1238         * jit/CCallHelpers.h:
1239         (JSC::CCallHelpers::setupArgumentsWithExecState): Add missing
1240         declaration for 64-bit type on 4-argument register machines (like
1241         Windows).
1242
1243 2015-07-15  Saam barati  <saambarati1@gmail.com>
1244
1245         [ES6] implement block scoping to enable 'let'
1246         https://bugs.webkit.org/show_bug.cgi?id=142944
1247
1248         Reviewed by Filip Pizlo.
1249
1250         * CMakeLists.txt:
1251         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1252         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1253         * JavaScriptCore.xcodeproj/project.pbxproj:
1254         * builtins/BuiltinExecutables.cpp:
1255         (JSC::BuiltinExecutables::createExecutableInternal):
1256         * bytecode/BytecodeList.json:
1257         This patch adds a new opcode and removes op_pop_scope:
1258         1) op_get_parent_scope returns the parent scope but doesn't 
1259         implicitly write that scope into the scope register. op_pop_scope
1260         is now reduced to op_get_parent_scope followed by op_mov.
1261
1262         * bytecode/BytecodeUseDef.h:
1263         (JSC::computeUsesForBytecodeOffset):
1264         (JSC::computeDefsForBytecodeOffset):
1265         * bytecode/CodeBlock.cpp:
1266         (JSC::CodeBlock::dumpBytecode):
1267         (JSC::CodeBlock::CodeBlock):
1268         (JSC::CodeBlock::stronglyVisitStrongReferences):
1269         * bytecode/CodeBlock.h:
1270         (JSC::CodeBlock::addStringSwitchJumpTable):
1271         (JSC::CodeBlock::stringSwitchJumpTable):
1272         (JSC::CodeBlock::symbolTable):
1273         (JSC::CodeBlock::evalCodeCache):
1274         (JSC::CodeBlock::setConstantRegisters):
1275         (JSC::CodeBlock::replaceConstant):
1276         op_put_to_scope for LocalClosureVar now takes as an argument
1277         the constant index for the Symbol Table it will be putting into.
1278         This argument is only used to communicate from the BytecodeGenerator
1279         to CodeBlock linking time and it is not present in the linked bytecode.
1280
1281         op_put_to_scope for non LocalClosureVar takes, at the same index, an
1282         argument that represents the local scope depth which it uses for
1283         JSScope::abstractResolve to know how many scopes it needs to skip.
1284         Again, this is not in the linked code.
1285         op_get_from_scope and op_resolve_scope also take as an argument
1286         the local scope depth to use in JSScope::abstractResolve. Again,
1287         this is not used in the linked code.
1288
1289         * bytecode/EvalCodeCache.h:
1290         (JSC::EvalCodeCache::tryGet):
1291         (JSC::EvalCodeCache::getSlow):
1292         (JSC::EvalCodeCache::clear):
1293         (JSC::EvalCodeCache::isCacheable):
1294         When direct eval is called and passed a scope that 
1295         corresponds to a lexical scope, we can't safely cache 
1296         that code because we won't be able to guarantee
1297         that the cached code is always executed in the same scope.
1298         Consider this example:
1299         function foo() {
1300             let x = 20;
1301             eval("x;");
1302             if (b) {
1303                 let x = 30;
1304                 if (b) {
1305                     let y = 40;
1306                     eval("x;")
1307                 }
1308             }
1309         }
1310
1311         We can't reuse resolution depth when linking get_from_scope in evals.
1312
1313         * bytecode/UnlinkedCodeBlock.cpp:
1314         (JSC::generateFunctionCodeBlock):
1315         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1316         (JSC::UnlinkedFunctionExecutable::parameterCount):
1317         * bytecode/UnlinkedCodeBlock.h:
1318         Unlinked functions now know the variables that were under TDZ in their parent
1319         scope.
1320
1321         (JSC::UnlinkedCodeBlock::symbolTable):
1322         (JSC::UnlinkedCodeBlock::setSymbolTable):
1323         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
1324         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
1325         (JSC::UnlinkedCodeBlock::vm):
1326         * bytecompiler/BytecodeGenerator.cpp:
1327         (JSC::BytecodeGenerator::generate):
1328         (JSC::BytecodeGenerator::BytecodeGenerator):
1329         (JSC::BytecodeGenerator::~BytecodeGenerator):
1330         (JSC::BytecodeGenerator::newRegister):
1331         (JSC::BytecodeGenerator::reclaimFreeRegisters):
1332         (JSC::BytecodeGenerator::newBlockScopeVariable):
1333         (JSC::BytecodeGenerator::newTemporary):
1334         (JSC::BytecodeGenerator::emitProfileType):
1335         (JSC::BytecodeGenerator::emitLoadGlobalObject):
1336         (JSC::BytecodeGenerator::pushLexicalScope):
1337         (JSC::BytecodeGenerator::popLexicalScope):
1338         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1339         (JSC::BytecodeGenerator::variable):
1340         (JSC::BytecodeGenerator::variablePerSymbolTable):
1341         (JSC::BytecodeGenerator::variableForLocalEntry):
1342         (JSC::BytecodeGenerator::createVariable):
1343         (JSC::BytecodeGenerator::emitResolveScope):
1344         (JSC::BytecodeGenerator::emitGetFromScope):
1345         (JSC::BytecodeGenerator::emitPutToScope):
1346         (JSC::BytecodeGenerator::initializeVariable):
1347         (JSC::BytecodeGenerator::emitTDZCheck):
1348         (JSC::BytecodeGenerator::needsTDZCheck):
1349         (JSC::BytecodeGenerator::emitTDZCheckIfNecessary):
1350         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
1351         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1352         (JSC::BytecodeGenerator::emitNewObject):
1353         (JSC::BytecodeGenerator::emitPushWithScope):
1354         (JSC::BytecodeGenerator::emitGetParentScope):
1355         (JSC::BytecodeGenerator::emitPopScope):
1356         (JSC::BytecodeGenerator::emitDebugHook):
1357         (JSC::BytecodeGenerator::pushFinallyContext):
1358         (JSC::BytecodeGenerator::pushIteratorCloseContext):
1359         (JSC::BytecodeGenerator::emitComplexPopScopes):
1360         (JSC::BytecodeGenerator::emitPopScopes):
1361         (JSC::BytecodeGenerator::popTryAndEmitCatch):
1362         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
1363         (JSC::BytecodeGenerator::currentScopeDepth):
1364         (JSC::BytecodeGenerator::emitThrowReferenceError):
1365         (JSC::BytecodeGenerator::emitPushCatchScope):
1366         (JSC::BytecodeGenerator::beginSwitch):
1367         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1368         (JSC::BytecodeGenerator::emitEnumeration):
1369         * bytecompiler/BytecodeGenerator.h:
1370         (JSC::Variable::Variable):
1371         (JSC::Variable::isResolved):
1372         (JSC::Variable::symbolTableConstantIndex):
1373         (JSC::Variable::ident):
1374         (JSC::BytecodeGenerator::ignoredResult):
1375         (JSC::BytecodeGenerator::tempDestination):
1376         (JSC::BytecodeGenerator::lastOpcodeID):
1377         (JSC::BytecodeGenerator::makeFunction):
1378         (JSC::BytecodeGenerator::symbolTable):
1379         (JSC::BytecodeGenerator::shouldOptimizeLocals): Deleted.
1380         (JSC::BytecodeGenerator::canOptimizeNonLocals): Deleted.
1381         The heart of the changes in this patch are in the bytecode generator.
1382         The bytecode generator now keeps a stack of tuples of 
1383         {symbol table, scope register, flag indicating catch or with scope, symbol table index in constant pool}
1384         that models the runtime scope stack. This symbol table stack is used
1385         in resolving local variables.
1386
1387         Also, the bytecode generator handles pushing and popping of lexical scopes. 
1388         This is relatively straight forward:
1389         Captured 'let' variables end up in the JSLexicalEnvironment scope and non-captured
1390         variables end up on the stack. Some trickiness is involved in generating
1391         code for 'for' loops that have captured variables (I'm talking about variables in the loop
1392         header, not the loop body). Each iteration of the for loop ends up with 
1393         its own JSLexicalEnvironment. Static code must be generated in such a way 
1394         to create this runtime behavior. This is done by emitting instructions to 
1395         push and pop a lexical scope at the end of each loop and copying values
1396         from the previous loop's scope into the new scope. This code must also
1397         ensure that each loop iteration's scope refers to the same underlying 
1398         SymbolTable so that no scope is accidentally mistaken as being a singleton scope.
1399
1400         When the debugger is enabled, all lexically defined variables will end up in the
1401         JSLexicalEnvironment.
1402
1403         * bytecompiler/NodesCodegen.cpp:
1404         (JSC::ResolveNode::emitBytecode):
1405         (JSC::FunctionCallResolveNode::emitBytecode):
1406         (JSC::PostfixNode::emitResolve):
1407         (JSC::DeleteResolveNode::emitBytecode):
1408         (JSC::TypeOfResolveNode::emitBytecode):
1409         (JSC::PrefixNode::emitResolve):
1410         (JSC::ReadModifyResolveNode::emitBytecode):
1411         (JSC::AssignResolveNode::emitBytecode):
1412         (JSC::BlockNode::emitBytecode):
1413         (JSC::ExprStatementNode::emitBytecode):
1414         (JSC::DeclarationStatement::emitBytecode):
1415         (JSC::EmptyVarExpression::emitBytecode):
1416         (JSC::EmptyLetExpression::emitBytecode):
1417         (JSC::ForNode::emitBytecode):
1418         (JSC::ForInNode::emitMultiLoopBytecode):
1419         (JSC::ForOfNode::emitBytecode):
1420         (JSC::SwitchNode::emitBytecode):
1421         (JSC::BindingNode::bindValue):
1422         (JSC::VarStatementNode::emitBytecode): Deleted.
1423         * debugger/DebuggerCallFrame.cpp:
1424         (JSC::DebuggerCallFrame::evaluate):
1425         * debugger/DebuggerScope.cpp:
1426         (JSC::DebuggerScope::getOwnPropertySlot):
1427         (JSC::DebuggerScope::put):
1428         * dfg/DFGByteCodeParser.cpp:
1429         (JSC::DFG::ByteCodeParser::parseBlock):
1430         * dfg/DFGCapabilities.cpp:
1431         (JSC::DFG::capabilityLevel):
1432         * dfg/DFGNode.h:
1433         (JSC::DFG::Node::castConstant):
1434         (JSC::DFG::Node::initializationValueForActivation):
1435         (JSC::DFG::Node::containsMovHint):
1436         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1437         CreateActivation nodes now have a second OpInfo that tracks the 
1438         initial value that needs to be placed in the activation. This initial value 
1439         is also used in allocation sinking to create proper bottom values for all 
1440         scope variables.
1441
1442         * dfg/DFGOperations.cpp:
1443         * dfg/DFGOperations.h:
1444         * dfg/DFGSpeculativeJIT.cpp:
1445         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1446         * dfg/DFGSpeculativeJIT.h:
1447         (JSC::DFG::SpeculativeJIT::callOperation):
1448         * ftl/FTLIntrinsicRepository.h:
1449         * ftl/FTLLowerDFGToLLVM.cpp:
1450         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
1451         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
1452         * ftl/FTLOperations.cpp:
1453         (JSC::FTL::operationMaterializeObjectInOSR):
1454         * interpreter/Interpreter.cpp:
1455         (JSC::Interpreter::execute):
1456         * jit/CCallHelpers.h:
1457         (JSC::CCallHelpers::setupArgumentsWithExecState):
1458         * jit/JIT.cpp:
1459         (JSC::JIT::privateCompileMainPass):
1460         * jit/JIT.h:
1461         * jit/JITInlines.h:
1462         (JSC::JIT::callOperation):
1463         * jit/JITOpcodes.cpp:
1464         (JSC::JIT::emit_op_push_with_scope):
1465         (JSC::JIT::compileOpStrictEq):
1466         (JSC::JIT::emit_op_catch):
1467         (JSC::JIT::emit_op_create_lexical_environment):
1468         (JSC::JIT::emit_op_get_parent_scope):
1469         (JSC::JIT::emit_op_switch_imm):
1470         (JSC::JIT::emit_op_enter):
1471         (JSC::JIT::emit_op_get_scope):
1472         (JSC::JIT::emit_op_pop_scope): Deleted.
1473         * jit/JITOpcodes32_64.cpp:
1474         (JSC::JIT::emit_op_push_with_scope):
1475         (JSC::JIT::emit_op_to_number):
1476         (JSC::JIT::emit_op_catch):
1477         (JSC::JIT::emit_op_create_lexical_environment):
1478         (JSC::JIT::emit_op_get_parent_scope):
1479         (JSC::JIT::emit_op_switch_imm):
1480         (JSC::JIT::emit_op_enter):
1481         (JSC::JIT::emit_op_get_scope):
1482         (JSC::JIT::emit_op_pop_scope): Deleted.
1483         * jit/JITOperations.cpp:
1484         (JSC::canAccessArgumentIndexQuickly):
1485         * jit/JITOperations.h:
1486         * llint/LLIntSlowPaths.cpp:
1487         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1488         * llint/LLIntSlowPaths.h:
1489         * llint/LowLevelInterpreter.asm:
1490         * llint/LowLevelInterpreter32_64.asm:
1491         * llint/LowLevelInterpreter64.asm:
1492         * parser/ASTBuilder.h:
1493         (JSC::ASTBuilder::createSourceElements):
1494         (JSC::ASTBuilder::funcDeclarations):
1495         (JSC::ASTBuilder::features):
1496         (JSC::ASTBuilder::numConstants):
1497         (JSC::ASTBuilder::createConditionalExpr):
1498         (JSC::ASTBuilder::createAssignResolve):
1499         (JSC::ASTBuilder::createClassDeclStatement):
1500         (JSC::ASTBuilder::createBlockStatement):
1501         (JSC::ASTBuilder::createIfStatement):
1502         (JSC::ASTBuilder::createForLoop):
1503         (JSC::ASTBuilder::createForInLoop):
1504         (JSC::ASTBuilder::createForOfLoop):
1505         (JSC::ASTBuilder::isBindingNode):
1506         (JSC::ASTBuilder::createEmptyStatement):
1507         (JSC::ASTBuilder::createDeclarationStatement):
1508         (JSC::ASTBuilder::createVarStatement):
1509         (JSC::ASTBuilder::createLetStatement):
1510         (JSC::ASTBuilder::createEmptyVarExpression):
1511         (JSC::ASTBuilder::createEmptyLetExpression):
1512         (JSC::ASTBuilder::createReturnStatement):
1513         (JSC::ASTBuilder::createTryStatement):
1514         (JSC::ASTBuilder::createSwitchStatement):
1515         (JSC::ASTBuilder::appendStatement):
1516         (JSC::ASTBuilder::createCommaExpr):
1517         (JSC::ASTBuilder::appendObjectPatternEntry):
1518         (JSC::ASTBuilder::createBindingLocation):
1519         (JSC::ASTBuilder::setEndOffset):
1520         (JSC::ASTBuilder::Scope::Scope):
1521         (JSC::ASTBuilder::makeAssignNode):
1522         (JSC::ASTBuilder::varDeclarations): Deleted.
1523         (JSC::ASTBuilder::addVar): Deleted.
1524         * parser/Keywords.table:
1525         * parser/NodeConstructors.h:
1526         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
1527         (JSC::AssignResolveNode::AssignResolveNode):
1528         (JSC::ExprStatementNode::ExprStatementNode):
1529         (JSC::DeclarationStatement::DeclarationStatement):
1530         (JSC::EmptyVarExpression::EmptyVarExpression):
1531         (JSC::EmptyLetExpression::EmptyLetExpression):
1532         (JSC::IfElseNode::IfElseNode):
1533         (JSC::WhileNode::WhileNode):
1534         (JSC::ForNode::ForNode):
1535         (JSC::CaseBlockNode::CaseBlockNode):
1536         (JSC::SwitchNode::SwitchNode):
1537         (JSC::ConstDeclNode::ConstDeclNode):
1538         (JSC::BlockNode::BlockNode):
1539         (JSC::EnumerationNode::EnumerationNode):
1540         (JSC::ForInNode::ForInNode):
1541         (JSC::ForOfNode::ForOfNode):
1542         (JSC::ObjectPatternNode::create):
1543         (JSC::BindingNode::create):
1544         (JSC::BindingNode::BindingNode):
1545         (JSC::VarStatementNode::VarStatementNode): Deleted.
1546         * parser/Nodes.cpp:
1547         (JSC::ScopeNode::ScopeNode):
1548         (JSC::ScopeNode::singleStatement):
1549         (JSC::ProgramNode::ProgramNode):
1550         (JSC::EvalNode::EvalNode):
1551         (JSC::FunctionNode::FunctionNode):
1552         (JSC::FunctionNode::finishParsing):
1553         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1554         * parser/Nodes.h:
1555         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1556         (JSC::VariableEnvironmentNode::lexicalVariables):
1557         (JSC::ScopeNode::usesThis):
1558         (JSC::ScopeNode::needsActivationForMoreThanVariables):
1559         (JSC::ScopeNode::needsActivation):
1560         (JSC::ScopeNode::hasCapturedVariables):
1561         (JSC::ScopeNode::captures):
1562         (JSC::ScopeNode::varDeclarations):
1563         (JSC::ScopeNode::functionStack):
1564         (JSC::ScopeNode::neededConstants):
1565         (JSC::ProgramNode::startColumn):
1566         (JSC::ProgramNode::endColumn):
1567         (JSC::EvalNode::startColumn):
1568         (JSC::EvalNode::endColumn):
1569         (JSC::BindingNode::boundProperty):
1570         (JSC::BindingNode::divotStart):
1571         (JSC::BindingNode::divotEnd):
1572         (JSC::ScopeNode::capturedVariableCount): Deleted.
1573         (JSC::ScopeNode::capturedVariables): Deleted.
1574         (JSC::ScopeNode::varStack): Deleted.
1575         There is a new class called 'VariableEnvironmentNode' that has the
1576         necessary fields to model a lexical scope. Multiple AST nodes now 
1577         also inherit from VariableEnvironmentNode.
1578
1579         * parser/Parser.cpp:
1580         (JSC::Parser<LexerType>::parseInner):
1581         (JSC::Parser<LexerType>::didFinishParsing):
1582         (JSC::Parser<LexerType>::parseStatementListItem):
1583         (JSC::Parser<LexerType>::parseVariableDeclaration):
1584         (JSC::Parser<LexerType>::parseWhileStatement):
1585         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1586         (JSC::Parser<LexerType>::createBindingPattern):
1587         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
1588         (JSC::Parser<LexerType>::parseDestructuringPattern):
1589         (JSC::Parser<LexerType>::parseConstDeclarationList):
1590         (JSC::Parser<LexerType>::parseForStatement):
1591         (JSC::Parser<LexerType>::parseBreakStatement):
1592         (JSC::Parser<LexerType>::parseContinueStatement):
1593         (JSC::Parser<LexerType>::parseSwitchStatement):
1594         (JSC::Parser<LexerType>::parseTryStatement):
1595         (JSC::Parser<LexerType>::parseBlockStatement):
1596         (JSC::Parser<LexerType>::parseStatement):
1597         (JSC::Parser<LexerType>::parseFunctionInfo):
1598         (JSC::Parser<LexerType>::parseClassDeclaration):
1599         (JSC::Parser<LexerType>::parseClass):
1600         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1601         (JSC::Parser<LexerType>::parseAssignmentExpression):
1602         (JSC::Parser<LexerType>::parseGetterSetter):
1603         (JSC::Parser<LexerType>::parsePrimaryExpression):
1604         (JSC::Parser<LexerType>::parseVarDeclaration): Deleted.
1605         (JSC::Parser<LexerType>::parseVarDeclarationList): Deleted.
1606         * parser/Parser.h:
1607         (JSC::Scope::Scope):
1608         (JSC::Scope::setIsFunction):
1609         (JSC::Scope::isFunction):
1610         (JSC::Scope::isFunctionBoundary):
1611         (JSC::Scope::setIsLexicalScope):
1612         (JSC::Scope::isLexicalScope):
1613         (JSC::Scope::declaredVariables):
1614         (JSC::Scope::finalizeLexicalEnvironment):
1615         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
1616         (JSC::Scope::declareCallee):
1617         (JSC::Scope::declareVariable):
1618         (JSC::Scope::declareLexicalVariable):
1619         (JSC::Scope::hasDeclaredVariable):
1620         (JSC::Scope::hasLexicallyDeclaredVariable):
1621         (JSC::Scope::hasDeclaredParameter):
1622         (JSC::Scope::declareWrite):
1623         (JSC::Scope::preventAllVariableDeclarations):
1624         (JSC::Scope::preventVarDeclarations):
1625         (JSC::Scope::allowsVarDeclarations):
1626         (JSC::Scope::allowsLexicalDeclarations):
1627         (JSC::Scope::declareParameter):
1628         (JSC::Scope::declareBoundParameter):
1629         (JSC::Scope::useVariable):
1630         (JSC::Scope::setNeedsFullActivation):
1631         (JSC::Scope::needsFullActivation):
1632         (JSC::Scope::hasDirectSuper):
1633         (JSC::Scope::setNeedsSuperBinding):
1634         (JSC::Scope::collectFreeVariables):
1635         (JSC::Scope::getCapturedVars):
1636         (JSC::Scope::copyCapturedVariablesToVector):
1637         (JSC::Parser::AutoCleanupLexicalScope::AutoCleanupLexicalScope):
1638         (JSC::Parser::AutoCleanupLexicalScope::~AutoCleanupLexicalScope):
1639         (JSC::Parser::AutoCleanupLexicalScope::setIsValid):
1640         (JSC::Parser::AutoCleanupLexicalScope::isValid):
1641         (JSC::Parser::AutoCleanupLexicalScope::setPopped):
1642         (JSC::Parser::AutoCleanupLexicalScope::scope):
1643         (JSC::Parser::currentScope):
1644         (JSC::Parser::pushScope):
1645         (JSC::Parser::popScopeInternal):
1646         (JSC::Parser::popScope):
1647         (JSC::Parser::declareVariable):
1648         (JSC::Parser::hasDeclaredVariable):
1649         (JSC::Parser::hasDeclaredParameter):
1650         (JSC::Parser::declareWrite):
1651         (JSC::Parser::findCachedFunctionInfo):
1652         (JSC::Parser::isFunctionBodyNode):
1653         (JSC::Parser::continueIsValid):
1654         (JSC::Parser::pushLabel):
1655         (JSC::Parser::popLabel):
1656         (JSC::Parser::getLabel):
1657         (JSC::Parser::isLETMaskedAsIDENT):
1658         (JSC::Parser<LexerType>::parse):
1659         (JSC::Scope::preventNewDecls): Deleted.
1660         (JSC::Scope::allowsNewDecls): Deleted.
1661         (JSC::Scope::getCapturedVariables): Deleted.
1662         There are basic parser changes that now allow for the 'let'
1663         keyword. The trickiest change is how we will still treat 'let' 
1664         as an identifier for sloppy-mode code sometimes. For example,
1665         "var let = ..." is allowed but "let let" or "const let" is not.
1666
1667         The most significant change to the parser made for this patch
1668         is appropriating the Scope struct to also also model a lexical 
1669         scope. Changes were made in how we track captured variables to 
1670         account for this. In general, I think some of this code could 
1671         benefit from a slight refactoring to make things cleaner.
1672
1673         * parser/ParserTokens.h:
1674         * parser/SyntaxChecker.h:
1675         (JSC::SyntaxChecker::createNewExpr):
1676         (JSC::SyntaxChecker::createConditionalExpr):
1677         (JSC::SyntaxChecker::createAssignResolve):
1678         (JSC::SyntaxChecker::createEmptyVarExpression):
1679         (JSC::SyntaxChecker::createEmptyLetExpression):
1680         (JSC::SyntaxChecker::createClassExpr):
1681         (JSC::SyntaxChecker::createClassDeclStatement):
1682         (JSC::SyntaxChecker::createBlockStatement):
1683         (JSC::SyntaxChecker::createExprStatement):
1684         (JSC::SyntaxChecker::createIfStatement):
1685         (JSC::SyntaxChecker::createForLoop):
1686         (JSC::SyntaxChecker::createForInLoop):
1687         (JSC::SyntaxChecker::createForOfLoop):
1688         (JSC::SyntaxChecker::createEmptyStatement):
1689         (JSC::SyntaxChecker::createVarStatement):
1690         (JSC::SyntaxChecker::createLetStatement):
1691         (JSC::SyntaxChecker::createReturnStatement):
1692         (JSC::SyntaxChecker::createBreakStatement):
1693         (JSC::SyntaxChecker::createContinueStatement):
1694         (JSC::SyntaxChecker::createTryStatement):
1695         (JSC::SyntaxChecker::createSwitchStatement):
1696         (JSC::SyntaxChecker::createWhileStatement):
1697         (JSC::SyntaxChecker::createWithStatement):
1698         (JSC::SyntaxChecker::createDoWhileStatement):
1699         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1700         (JSC::SyntaxChecker::appendStatement):
1701         (JSC::SyntaxChecker::combineCommaNodes):
1702         (JSC::SyntaxChecker::evalCount):
1703         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
1704         (JSC::SyntaxChecker::operatorStackPop):
1705         (JSC::SyntaxChecker::addVar): Deleted.
1706         * parser/VariableEnvironment.cpp: Added.
1707         (JSC::VariableEnvironment::markVariableAsCapturedIfDefined):
1708         (JSC::VariableEnvironment::markVariableAsCaptured):
1709         (JSC::VariableEnvironment::markAllVariablesAsCaptured):
1710         (JSC::VariableEnvironment::hasCapturedVariables):
1711         (JSC::VariableEnvironment::captures):
1712         (JSC::VariableEnvironment::swap):
1713         * parser/VariableEnvironment.h: Added.
1714         (JSC::VariableEnvironmentEntry::isCaptured):
1715         (JSC::VariableEnvironmentEntry::isConstant):
1716         (JSC::VariableEnvironmentEntry::isVar):
1717         (JSC::VariableEnvironmentEntry::isLet):
1718         (JSC::VariableEnvironmentEntry::setIsCaptured):
1719         (JSC::VariableEnvironmentEntry::setIsConstant):
1720         (JSC::VariableEnvironmentEntry::setIsVar):
1721         (JSC::VariableEnvironmentEntry::setIsLet):
1722         (JSC::VariableEnvironmentEntry::clearIsVar):
1723         (JSC::VariableEnvironment::begin):
1724         (JSC::VariableEnvironment::end):
1725         (JSC::VariableEnvironment::add):
1726         (JSC::VariableEnvironment::size):
1727         (JSC::VariableEnvironment::contains):
1728         (JSC::VariableEnvironment::remove):
1729         VariableEnvironment is a new class that keeps track
1730         of the static environment in the parser and the bytecode generator.
1731         VariableEnvironment behaves like SymbolTable but for the bytecode generator.
1732         It keeps track of variable types, i.e, if a variable is a "var", "let", "const" 
1733         and whether or not its captured.
1734
1735         * runtime/CodeCache.cpp:
1736         (JSC::CodeCache::getGlobalCodeBlock):
1737         (JSC::CodeCache::getProgramCodeBlock):
1738         (JSC::CodeCache::getEvalCodeBlock):
1739         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1740         * runtime/CodeCache.h:
1741         (JSC::CodeCache::clear):
1742         * runtime/CommonSlowPaths.cpp:
1743         (JSC::SLOW_PATH_DECL):
1744         * runtime/CommonSlowPaths.h:
1745         * runtime/ExceptionHelpers.cpp:
1746         (JSC::createErrorForInvalidGlobalAssignment):
1747         (JSC::createTDZError):
1748         (JSC::throwOutOfMemoryError):
1749         * runtime/ExceptionHelpers.h:
1750         * runtime/Executable.cpp:
1751         (JSC::EvalExecutable::create):
1752         (JSC::ProgramExecutable::initializeGlobalProperties):
1753         * runtime/Executable.h:
1754         * runtime/JSCJSValue.h:
1755         (JSC::jsUndefined):
1756         (JSC::jsTDZValue):
1757         (JSC::jsBoolean):
1758         * runtime/JSEnvironmentRecord.h:
1759         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
1760         (JSC::JSEnvironmentRecord::finishCreation):
1761         * runtime/JSGlobalObject.cpp:
1762         (JSC::JSGlobalObject::createProgramCodeBlock):
1763         (JSC::JSGlobalObject::createEvalCodeBlock):
1764         * runtime/JSGlobalObject.h:
1765         (JSC::JSGlobalObject::weakRandomInteger):
1766         * runtime/JSGlobalObjectFunctions.cpp:
1767         (JSC::globalFuncEval):
1768         * runtime/JSLexicalEnvironment.cpp:
1769         (JSC::JSLexicalEnvironment::symbolTableGet):
1770         * runtime/JSLexicalEnvironment.h:
1771         (JSC::JSLexicalEnvironment::create):
1772         * runtime/JSScope.cpp:
1773         (JSC::JSScope::resolve):
1774         (JSC::JSScope::abstractResolve):
1775         (JSC::JSScope::collectVariablesUnderTDZ):
1776         (JSC::JSScope::isLexicalScope):
1777         (JSC::resolveModeName):
1778         * runtime/JSScope.h:
1779         * runtime/PropertySlot.h:
1780         (JSC::PropertySlot::setValue):
1781         * runtime/SymbolTable.cpp:
1782         (JSC::SymbolTable::SymbolTable):
1783         (JSC::SymbolTable::cloneScopePart):
1784         * runtime/SymbolTable.h:
1785         SymbolTable now uses an extra bit to know if it corresponds
1786         to a "let"-like environment or not.
1787
1788         * runtime/WriteBarrier.h:
1789         (JSC::WriteBarrierBase<Unknown>::get):
1790         (JSC::WriteBarrierBase<Unknown>::clear):
1791         (JSC::WriteBarrierBase<Unknown>::setUndefined):
1792         (JSC::WriteBarrierBase<Unknown>::setStartingValue):
1793         (JSC::WriteBarrierBase<Unknown>::isNumber):
1794         (JSC::WriteBarrierBase<Unknown>::isObject):
1795         (JSC::WriteBarrierBase<Unknown>::isNull):
1796         * tests/stress/activation-sink-default-value-tdz-error.js: Added.
1797         (shouldThrowTDZ):
1798         (bar):
1799         (foo.cap):
1800         * tests/stress/activation-sink-osrexit-default-value-tdz-error.js: Added.
1801         (shouldThrowTDZ):
1802         (bar):
1803         * tests/stress/lexical-let-and-with-statement.js: Added.
1804         (truth):
1805         (assert):
1806         (.):
1807         * tests/stress/lexical-let-exception-handling.js: Added.
1808         (truth):
1809         (assert):
1810         (.):
1811         * tests/stress/lexical-let-global-not-captured-variables.js: Added.
1812         (truth):
1813         (assert):
1814         (foo):
1815         (.let.capY):
1816         * tests/stress/lexical-let-loop-semantics.js: Added.
1817         (truth):
1818         (assert):
1819         (shouldThrowTDZ):
1820         (.):
1821         * tests/stress/lexical-let-not-strict-mode.js: Added.
1822         (truth):
1823         (assert):
1824         (shouldThrowTDZ):
1825         (.):
1826         * tests/stress/lexical-let-semantics.js: Added.
1827         (truth):
1828         (assert):
1829         (let.globalFunction):
1830         (let.retGlobalNumberCaptured):
1831         (let.setGlobalNumberCaptured):
1832         (.):
1833         * tests/stress/lexical-let-tdz.js: Added.
1834         (truth):
1835         (assert):
1836         (shouldThrowTDZ):
1837         (.):
1838
1839 2015-07-15  Anders Carlsson  <andersca@apple.com>
1840
1841         Make JavaScriptCore SPI headers used by WebCore SPI headers self-contained
1842         https://bugs.webkit.org/show_bug.cgi?id=146978
1843
1844         Reviewed by Dan Bernstein.
1845
1846         * debugger/DebuggerPrimitives.h:
1847         * disassembler/Disassembler.h:
1848         * heap/Weak.h:
1849         * inspector/InspectorValues.h:
1850         * runtime/JSCJSValue.h:
1851
1852 2015-07-14  Anders Carlsson  <andersca@apple.com>
1853
1854         Assertions.h should include ExportMacros.h
1855         https://bugs.webkit.org/show_bug.cgi?id=146948
1856
1857         Reviewed by Tim Horton.
1858
1859         Remove now unneeded WTF_EXPORT_PRIVATE define.
1860
1861         * API/JSBase.h:
1862
1863 2015-07-14  Matthew Mirman  <mmirman@apple.com>
1864
1865         Repatch. Makes compileArithSub in the DFG ensure that the constant is an int32.
1866         https://bugs.webkit.org/show_bug.cgi?id=146910
1867         rdar://problem/21729083
1868
1869         Reviewed by Filip Pizlo.
1870         
1871         Also fixes the debug build problem where all edges are assumed to 
1872         have UntypedUse before the fixup phase.
1873
1874         * dfg/DFGSpeculativeJIT.cpp:
1875         (JSC::DFG::SpeculativeJIT::compileArithSub):
1876         * dfg/DFGValidate.cpp:
1877         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
1878         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
1879         (arithAdd42WrittenAsInteger):
1880         (testArithAdd42WrittenAsInteger):
1881         (arithSub42WrittenAsDouble):
1882         (testArithSub42WrittenAsDouble):
1883         (doubleConstant):
1884         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
1885         (arithAdd42WrittenAsDouble): Deleted.
1886         (testArithAdd42WrittenAsDouble): Deleted.
1887
1888 2015-07-14  Matthew Mirman  <mmirman@apple.com>
1889
1890         Unreviewed, rolling out r186805.
1891
1892         Made raytracer on octane 80% slower
1893
1894         Reverted changeset:
1895
1896         "Makes compileArithSub in the DFG ensure that the constant is
1897         an int32."
1898         https://bugs.webkit.org/show_bug.cgi?id=146910
1899         http://trac.webkit.org/changeset/186805
1900
1901 2015-07-13  Matthew Mirman  <mmirman@apple.com>
1902
1903         Makes compileArithSub in the DFG ensure that the constant is an int32.
1904         https://bugs.webkit.org/show_bug.cgi?id=146910
1905         rdar://problem/21729083
1906
1907         Reviewed by Filip Pizlo.
1908         
1909         Also fixes the debug build problem where all edges are assumed to 
1910         have UntypedUse before the fixup phase.
1911
1912         * dfg/DFGSpeculativeJIT.cpp:
1913         (JSC::DFG::SpeculativeJIT::compileArithSub):
1914         * dfg/DFGValidate.cpp:
1915         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
1916         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
1917         (arithAdd42WrittenAsInteger):
1918         (testArithAdd42WrittenAsInteger):
1919         (arithSub42WrittenAsDouble):
1920         (testArithSub42WrittenAsDouble):
1921         (doubleConstant):
1922         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
1923         (arithAdd42WrittenAsDouble): Deleted.
1924         (testArithAdd42WrittenAsDouble): Deleted.
1925
1926 2015-07-13  Basile Clement  <basile_clement@apple.com>
1927
1928         Object cycles should not prevent allocation elimination/sinking
1929         https://bugs.webkit.org/show_bug.cgi?id=143073
1930
1931         Reviewed by Filip Pizlo.
1932
1933         This patch introduces a new allocation sinking phase that is able to
1934         sink cycles, in DFGAllocationCycleSinkingPhase.cpp. This phase
1935         supersedes the old allocation sinking phase in
1936         DFGObjectAllocationSinkingPhase.cpp, as that previous phase was never
1937         able to sink allocation cycles while the new phase sometimes can; see
1938         DFGAllocationCycleSinkingPhase.cpp for details.
1939
1940         For now, the new sinking phase is kept behind a
1941         JSC_enableAllocationCycleSinking flag that reverts to the old sinking
1942         phase when false (i.e., by default). This also removes the old
1943         JSC_enableObjectAllocationSinking flag. run-javascriptcore-tests
1944         defaults to using the new sinking phase.
1945
1946         * dfg/DFGGraph.h:
1947         (JSC::DFG::Graph::addStructureSet): Allow empty structure sets
1948         * dfg/DFGLazyNode.cpp:
1949         (JSC::DFG::LazyNode::dump): Prettier dump
1950         * dfg/DFGNode.h:
1951         (JSC::DFG::Node::cellOperand): Move to opInfo for MaterializeCreateActivation
1952         (JSC::DFG::Node::hasStructureSet): Add MaterializeNewObject
1953         (JSC::DFG::Node::objectMaterializationData): Move to opInfo2
1954         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Remove unused header
1955         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1956         (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase): Deleted.
1957         (JSC::DFG::ObjectAllocationSinkingPhase::run): Deleted.
1958         (JSC::DFG::ObjectAllocationSinkingPhase::performSinking): Deleted.
1959         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): Deleted.
1960         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): Deleted.
1961         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): Deleted.
1962         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): Deleted.
1963         (JSC::DFG::ObjectAllocationSinkingPhase::resolve): Deleted.
1964         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): Deleted.
1965         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): Deleted.
1966         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): Deleted.
1967         * dfg/DFGObjectAllocationSinkingPhase.h:
1968         * dfg/DFGPromotedHeapLocation.h: Add a hash and a helper function to PromotedLocationDescriptor
1969         (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
1970         (JSC::DFG::PromotedLocationDescriptor::operator bool):
1971         (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization):
1972         (JSC::DFG::PromotedLocationDescriptorHash::hash):
1973         (JSC::DFG::PromotedLocationDescriptorHash::equal):
1974         * dfg/DFGValidate.cpp:
1975         (JSC::DFG::Validate::validateSSA): Assert that most nodes never see a phantom allocation
1976         * ftl/FTLLowerDFGToLLVM.cpp:
1977         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeNewObject): Use the new structureSet() operand
1978         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation): Node has a new child
1979         * ftl/FTLOSRExitCompiler.cpp: Handle materialization cycles
1980         (JSC::FTL::compileStub):
1981         * ftl/FTLOperations.cpp: Handle materialization cycles
1982         (JSC::FTL::operationPopulateObjectInOSR):
1983         (JSC::FTL::operationMaterializeObjectInOSR):
1984         * ftl/FTLOperations.h: Handle materialization cycles
1985         * tests/stress/correctly-sink-object-even-though-it-dies.js: Added.
1986         (clobber):
1987         (foo):
1988         * tests/stress/eliminate-object-read-over-call.js: Added.
1989         (clobber):
1990         (foo):
1991         * tests/stress/materialize-object-on-edge.js: Added.
1992         (call):
1993         (foo):
1994         * tests/stress/object-sinking-stress.js: Added.
1995         (foo):
1996         * tests/stress/sink-object-cycle.js: Added.
1997         (clobber):
1998         (foo):
1999         * tests/stress/sink-object-past-put.js: Added.
2000         (clobber):
2001         (foo):
2002         * tests/stress/sinkable-new-object-in-loop.js: Added.
2003         (foo):
2004
2005 2015-07-13  Daniel Bates  <dabates@apple.com>
2006
2007         Cleanup: Avoid extraneous increment and decrement of reference count of ScriptArguments in ConsoleClient
2008         https://bugs.webkit.org/show_bug.cgi?id=146920
2009
2010         Reviewed by Brian Burg.
2011
2012         Remove local variable RefPtr<ScriptArguments> and copy constructor call with an argument that
2013         was initialized with an rvalue reference. The argument itself is an lvalue reference.
2014
2015         * runtime/ConsoleClient.cpp:
2016         (JSC::ConsoleClient::printConsoleMessageWithArguments):
2017         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
2018
2019 2015-07-13  Anders Carlsson  <andersca@apple.com>
2020
2021         Apps linked with a deployment target of iOS 7.x or earlier crash when using modern WebKit API
2022         https://bugs.webkit.org/show_bug.cgi?id=146913
2023         rdar://problem/21789252
2024
2025         Reviewed by Dan Bernstein.
2026
2027         Make a top-level symlink from /System/Library/PrivateFrameworks/JavaScriptCore.framework to
2028         /System/Library/Frameworks/JavaScriptCore.framework.
2029     
2030         * JavaScriptCore.xcodeproj/project.pbxproj:
2031
2032 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
2033
2034         If Watchpoint::fire() looks at the state of the world, it should definitely see its set invalidated, and maybe it should see the object of interest in the transitioned-to state
2035         https://bugs.webkit.org/show_bug.cgi?id=146897
2036
2037         Reviewed by Mark Lam.
2038         
2039         The idea is to eventually support adaptive watchpoints. An adaptive watchpoint will be
2040         able to watch for a condition that is more fine-grained than any one watchpoint set. For
2041         example, we might watch a singleton object to see if it ever acquires a property called
2042         "foo". So long as it doesn't have such a property, we don't want to invalidate any code.
2043         But if it gets that property, then we should deoptimize. Current watchpoints will
2044         invalidate code as soon as any property is added (or deleted), because they will use the
2045         transition watchpoint set of the singleton object's structure, and that fires anytime
2046         there is any transition.
2047         
2048         An adaptive watchpoint would remember the singleton object, and when it got fired, it
2049         would check if the object's new structure has the property "foo". If not, it would check
2050         if the object's new structure is watchable (i.e. has a valid transition watchpoint set).
2051         If the property is missing and the structure is watchable, it would add itself to the
2052         watchpoint set of the new structure. Otherwise, it would deoptimize.
2053         
2054         There are two problems with this idea, and this patch fixes these problems. First, we
2055         usually fire the transition watchpoint before we do the structure transition. This means
2056         that if the fire() method looked at the singleton object's structure, it would see the old
2057         structure, not the new one. It would have no way of knowing what the new structure is.
2058         Second, inside the fire() method, the watchpoint set being invalidated still appears
2059         valid, since we change the state after we fire all watchpoints.
2060         
2061         This patch addresses both issues. Now, in the most important case (addPropertyTransition),
2062         we fire the watchpoint set after we have modified the object. This is accomplished using
2063         a deferral scope called DeferredStructureTransitionWatchpointFire. In cases where there is
2064         no deferral, the adaptive watchpoint will conservatively resort to deoptimization because
2065         it would find that the singleton object's structure is no longer watchable. This is
2066         because in the absence of deferral, the singleton object would still have the original
2067         structure, but that structure's watchpoint set would now report itself as having been
2068         invalidated.
2069
2070         * bytecode/Watchpoint.cpp:
2071         (JSC::WatchpointSet::fireAllSlow): Change the state of the set before firing all watchpoints.
2072         (JSC::WatchpointSet::fireAllWatchpoints):
2073         * runtime/JSObject.h:
2074         (JSC::JSObject::putDirectInternal): Use the deferral scope.
2075         * runtime/Structure.cpp:
2076         (JSC::Structure::Structure): Pass the deferral scope to didTransitionFromThisStructure.
2077         (JSC::Structure::addPropertyTransition): Pass the deferral scope to create().
2078         (JSC::StructureFireDetail::dump): This is no longer anonymous.
2079         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire): Start with a null structure.
2080         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire): Fire the watchpoint if there is a structure.
2081         (JSC::DeferredStructureTransitionWatchpointFire::add): Add a structure. Logically this is a list of deferred things, but we assert that there only will be one (happens to be true now).
2082         (JSC::Structure::didTransitionFromThisStructure): Defer the watchpoint firing if there is a deferral scope.
2083         * runtime/Structure.h:
2084         (JSC::StructureFireDetail::StructureFireDetail): Move this to the header.
2085         * runtime/StructureInlines.h:
2086         (JSC::Structure::create): Pass the deferral scope to the constructor.
2087
2088 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
2089
2090         Watchpoints should be removed from their owning WatchpointSet before they are fired
2091         https://bugs.webkit.org/show_bug.cgi?id=146895
2092
2093         Reviewed by Sam Weinig.
2094         
2095         This simplifies the WatchpointSet API by making it so that when Watchpoint::fire() is
2096         called, the Watchpoint is no longer in the set. This means that you don't have to remember
2097         to remove it from the set's list (currently we do that implicitly as part of whatever
2098         any particular Watchpoint::fireInternal() does), and you can now write adaptive
2099         watchpoints that re-add themselves to a different set if they determine that the thing
2100         they are actually watching is still intact but now needs to be watched in a different way
2101         (like watching for whether some singleton object has a property of some name).
2102
2103         * bytecode/Watchpoint.cpp:
2104         (JSC::Watchpoint::~Watchpoint): Add a comment about why this is necessary.
2105         (JSC::Watchpoint::fire): Make this out-of-line, private, and make it assert that we're no longer on the list.
2106         (JSC::WatchpointSet::fireAllWatchpoints): Make this remove the watchpoint from the list before firing it.
2107         * bytecode/Watchpoint.h:
2108         (JSC::Watchpoint::fire): Deleted. I moved this to Watchpoint.cpp.
2109
2110 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2111
2112         DFG::DesiredWatchpoints should accept WatchpointSetType's that aren't necessarily pointers
2113         https://bugs.webkit.org/show_bug.cgi?id=146875
2114
2115         Reviewed by Dan Bernstein.
2116         
2117         In the future we'll want to add a desired watchpoint set that's something like "please
2118         watch property 'Foo' for 'deletion' on structure 'S1'", so that the "set type" is struct
2119         like "struct MySet { StringImpl* property; Mode mode; Structure* structure };".
2120         
2121         This is a very mechanical change for now - all of the current users happen to use sets
2122         that are pointer typed, so it's just a matter of moving some "*"'s around.
2123
2124         * dfg/DFGDesiredWatchpoints.h:
2125         (JSC::DFG::GenericSetAdaptor::add):
2126         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
2127         (JSC::DFG::GenericDesiredWatchpoints::GenericDesiredWatchpoints):
2128         (JSC::DFG::GenericDesiredWatchpoints::addLazily):
2129         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
2130         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
2131         (JSC::DFG::GenericDesiredWatchpoints::isWatched):
2132         (JSC::DFG::DesiredWatchpoints::isWatched):
2133
2134 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2135
2136         Watchpoints should be allocated with FastMalloc
2137         https://bugs.webkit.org/show_bug.cgi?id=146874
2138
2139         Reviewed by Dan Bernstein.
2140         
2141         This is in preparation for adding new subclasses of Watchpoint. While starting to do this
2142         I realized that the way Watchpoints allocated themselves was unusual.
2143
2144         * bytecode/CodeBlockJettisoningWatchpoint.h:
2145         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): No need for the default constructor.
2146         * bytecode/Watchpoint.h:
2147         (JSC::Watchpoint::Watchpoint): This should be noncopyable and fast-allocated.
2148         * dfg/DFGCommonData.h: Use a Bag<> instead of SegmentedVector<>. Bag means "malloc things but allow me to free them all at once", which is what we are doing here.
2149         * dfg/DFGDesiredWatchpoints.h:
2150         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd): Use the Bag<> API rather than the very awkward SegmentedVector<> API.
2151
2152 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2153
2154         AI folding of IsObjectOrNull is broken for non-object types that may be null
2155         https://bugs.webkit.org/show_bug.cgi?id=146867
2156
2157         Reviewed by Ryosuke Niwa.
2158
2159         * dfg/DFGAbstractInterpreterInlines.h:
2160         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Fix the bug and add some text describing what is going on.
2161         * tests/stress/misc-is-object-or-null.js: Added. Test for the bug.
2162         (foo):
2163         * tests/stress/other-is-object-or-null.js: Added. Test for a bug I almost introduced.
2164         (foo):
2165
2166 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2167
2168         It should be easy to measure total compile times.
2169         https://bugs.webkit.org/show_bug.cgi?id=146857
2170
2171         Reviewed by Sam Weinig.
2172         
2173         This gives DFG::Plan the ability to track total compile times, and return them in a map
2174         of stats that jsc.cpp can display.
2175         
2176         I want to do some work to bring down DFG compile times. This will help me measure whether
2177         I'm making a difference or not.
2178
2179         * dfg/DFGPlan.cpp:
2180         (JSC::DFG::Plan::Plan):
2181         (JSC::DFG::Plan::~Plan):
2182         (JSC::DFG::Plan::computeCompileTimes):
2183         (JSC::DFG::Plan::reportCompileTimes):
2184         (JSC::DFG::Plan::compileInThread):
2185         (JSC::DFG::Plan::compileInThreadImpl):
2186         (JSC::DFG::Plan::cancel):
2187         (JSC::DFG::Plan::compileTimeStats):
2188         (JSC::DFG::dumpAndVerifyGraph): Deleted.
2189         (JSC::DFG::profilerCompilationKindForMode): Deleted.
2190         * dfg/DFGPlan.h:
2191         (JSC::DFG::Plan::compileTimeStats):
2192         * jsc.cpp:
2193         (jscmain):
2194         * runtime/Options.h:
2195
2196 2015-07-04  Filip Pizlo  <fpizlo@apple.com>
2197
2198         DFG fragile frozen values are fundamentally broken
2199         https://bugs.webkit.org/show_bug.cgi?id=146602
2200
2201         Reviewed by Mark Lam.
2202         
2203         This change gets rid of the FragileValue value strength, because it was fundamentally
2204         broken.
2205         
2206         FragileValue was a value known to the compiler but not tracked by the GC in any way -
2207         it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
2208         must-handle values. The philosophy was that if the compiler did use the value for
2209         optimization, it would have been strengthened to a weak value (or maybe even a strong
2210         value, though we probably won't do that). But this was too much of a pipe dream. I've
2211         found at least one case where the compiler did use the value, but never strengthened
2212         it: it would happen if the value ended up in an OSR entry data expected value. Then if
2213         we GCed, we might have killed the value, but OSR entry would still try to use it for
2214         validation. That might have sort of just worked, but it's clearly shady.
2215
2216         The reason why we made must-handle values fragile and not weak is that most of the time
2217         the values disappear from the abstract state: they are LUBed to a non-constant. If we
2218         kept them around as weak, we'd have too many cases of the GC killing the code because
2219         it thought that the value was somehow meaningful to the code when it was only used as a
2220         temporary artifact of optimization.
2221
2222         So, it's true that it's very important for must-handle values not to automatically be
2223         weak or strong. It's also true that the values are necessary for AI bootstrap because
2224         we need to know what values OSR entry will require. But we shouldn't accomplish these
2225         goals by having the compiler hold onto what are essentially dangling pointers.
2226         
2227         This implements a better solution: instead of having InPlaceAbstractState bootstrap the
2228         AI with must-handle values at the beginning, we now widen the valuesAtHead of the
2229         must-handle block after AI converges. This widening is done in CFAPhase. This allows us
2230         to see if the must-handle values are necessary at all. In most cases, the widening
2231         takes a non-constant abstract value and simply amends something to its type based on
2232         the type of the must-handle value, and so the must-handle value never actually shows up
2233         in either the IR or any abstract value. In the unlikely event that the value at head is
2234         bottom, we freeze the must-handle value. This change removes FragileValue, and this
2235         freezing uses WeakValue as the strength. That makes sense: since the abstract value was
2236         bottom, the must-handle value becomes integral to the IR and so it makes no sense for
2237         the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
2238         sometimes happen for example if you have a very long-running loop whose pre-header
2239         allocates some object, but that pre-header appears to always exit to the optimizing JIT
2240         because it was only profiled once in the LLInt and that profiling appears insufficient
2241         to the DFG. In that case, we'll effectively constant-fold the references to the object
2242         inside the loop, which is both efficient (yay constant folding!) and necessary
2243         (otherwise we wouldn't know what the type of the variable should have been).
2244         
2245         Testing and debugging this is complicated. So, this adds some new capabilities:
2246         
2247         - DFG IR dumps also dump all of the FrozenValues that point to the heap along with
2248           their strengths, so that it's easy to see what GC objects the DFG feels are necessary
2249           for the compilation.
2250         
2251         - DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
2252           to see what GC pointers (and other things) are used for OSR entry validation. The
2253           printouts are quite detailed, and should also help other kinds of OSR entry
2254           debugging.
2255         
2256         - DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
2257           data structures are also properly registered as either weak or strong pointers in the
2258           CodeBlock. This validation check previously failed due to fragile values ending up in
2259           the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
2260           and in some pre-existing tests (like earley-boyer and 3d-raytrace).
2261
2262         * CMakeLists.txt:
2263         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2264         * JavaScriptCore.xcodeproj/project.pbxproj:
2265         * bytecode/CodeBlock.cpp:
2266         (JSC::CodeBlock::stronglyVisitStrongReferences):
2267         * bytecode/CodeOrigin.cpp:
2268         (JSC::InlineCallFrame::visitAggregate):
2269         * bytecode/Operands.h:
2270         (JSC::Operands::operand):
2271         (JSC::Operands::hasOperand):
2272         * bytecode/StructureSet.cpp:
2273         (JSC::StructureSet::dump):
2274         (JSC::StructureSet::validateReferences):
2275         * bytecode/StructureSet.h:
2276         * bytecode/TrackedReferences.cpp: Added.
2277         (JSC::TrackedReferences::TrackedReferences):
2278         (JSC::TrackedReferences::~TrackedReferences):
2279         (JSC::TrackedReferences::add):
2280         (JSC::TrackedReferences::check):
2281         (JSC::TrackedReferences::dump):
2282         * bytecode/TrackedReferences.h: Added.
2283         * dfg/DFGAbstractValue.cpp:
2284         (JSC::DFG::AbstractValue::observeTransitions):
2285         (JSC::DFG::AbstractValue::set):
2286         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2287         (JSC::DFG::AbstractValue::mergeOSREntryValue):
2288         (JSC::DFG::AbstractValue::filter):
2289         (JSC::DFG::AbstractValue::dumpInContext):
2290         (JSC::DFG::AbstractValue::validateReferences):
2291         (JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
2292         * dfg/DFGAbstractValue.h:
2293         (JSC::DFG::AbstractValue::fullTop):
2294         (JSC::DFG::AbstractValue::merge):
2295         * dfg/DFGByteCodeParser.cpp:
2296         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2297         * dfg/DFGCFAPhase.cpp:
2298         (JSC::DFG::CFAPhase::run):
2299         * dfg/DFGCommonData.cpp:
2300         (JSC::DFG::CommonData::invalidate):
2301         (JSC::DFG::CommonData::validateReferences):
2302         * dfg/DFGCommonData.h:
2303         (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
2304         * dfg/DFGFrozenValue.h:
2305         (JSC::DFG::FrozenValue::FrozenValue):
2306         (JSC::DFG::FrozenValue::strengthenTo):
2307         (JSC::DFG::FrozenValue::pointsToHeap):
2308         (JSC::DFG::FrozenValue::strength):
2309         (JSC::DFG::FrozenValue::freeze):
2310         * dfg/DFGGraph.cpp:
2311         (JSC::DFG::Graph::Graph):
2312         (JSC::DFG::Graph::dump):
2313         (JSC::DFG::Graph::registerFrozenValues):
2314         (JSC::DFG::Graph::visitChildren):
2315         (JSC::DFG::Graph::freeze):
2316         (JSC::DFG::Graph::freezeStrong):
2317         (JSC::DFG::Graph::freezeFragile): Deleted.
2318         * dfg/DFGGraph.h:
2319         * dfg/DFGInPlaceAbstractState.cpp:
2320         (JSC::DFG::InPlaceAbstractState::initialize):
2321         * dfg/DFGJITCode.cpp:
2322         (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
2323         (JSC::DFG::JITCode::validateReferences):
2324         * dfg/DFGJITCode.h:
2325         * dfg/DFGJITCompiler.cpp:
2326         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
2327         (JSC::DFG::JITCompiler::noticeOSREntry):
2328         * dfg/DFGJITCompiler.h:
2329         (JSC::DFG::JITCompiler::branchStructurePtr):
2330         (JSC::DFG::JITCompiler::jitCode):
2331         (JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
2332         * dfg/DFGMinifiedGraph.cpp: Added.
2333         (JSC::DFG::MinifiedGraph::prepareAndShrink):
2334         (JSC::DFG::MinifiedGraph::validateReferences):
2335         * dfg/DFGMinifiedGraph.h:
2336         (JSC::DFG::MinifiedGraph::append):
2337         (JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
2338         * dfg/DFGOSREntry.cpp:
2339         (JSC::DFG::OSREntryData::dumpInContext):
2340         (JSC::DFG::OSREntryData::dump):
2341         (JSC::DFG::prepareOSREntry):
2342         * dfg/DFGOSREntry.h:
2343         (JSC::DFG::getOSREntryDataBytecodeIndex):
2344         * dfg/DFGPlan.cpp:
2345         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2346         * dfg/DFGSpeculativeJIT.cpp:
2347         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2348         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2349         * dfg/DFGStructureAbstractValue.cpp:
2350         (JSC::DFG::StructureAbstractValue::dump):
2351         (JSC::DFG::StructureAbstractValue::validateReferences):
2352         * dfg/DFGStructureAbstractValue.h:
2353         * dfg/DFGValidate.cpp:
2354         (JSC::DFG::Validate::validate):
2355         * dfg/DFGValueStrength.cpp:
2356         (WTF::printInternal):
2357         * dfg/DFGValueStrength.h:
2358         (JSC::DFG::merge):
2359         * ftl/FTLExitPropertyValue.cpp:
2360         (JSC::FTL::ExitPropertyValue::dump):
2361         (JSC::FTL::ExitPropertyValue::validateReferences):
2362         * ftl/FTLExitPropertyValue.h:
2363         * ftl/FTLExitTimeObjectMaterialization.cpp:
2364         (JSC::FTL::ExitTimeObjectMaterialization::dump):
2365         (JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
2366         * ftl/FTLExitTimeObjectMaterialization.h:
2367         * ftl/FTLExitValue.cpp:
2368         (JSC::FTL::ExitValue::dump):
2369         (JSC::FTL::ExitValue::validateReferences):
2370         * ftl/FTLExitValue.h:
2371         * ftl/FTLJITCode.cpp:
2372         (JSC::FTL::JITCode::dfgCommon):
2373         (JSC::FTL::JITCode::validateReferences):
2374         * ftl/FTLJITCode.h:
2375         (JSC::FTL::JITCode::handles):
2376         (JSC::FTL::JITCode::dataSections):
2377         * ftl/FTLOSRExit.cpp:
2378         (JSC::FTL::OSRExit::codeLocationForRepatch):
2379         (JSC::FTL::OSRExit::validateReferences):
2380         * ftl/FTLOSRExit.h:
2381         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2382         * jit/JITCode.cpp:
2383         (JSC::JITCode::typeName):
2384         (JSC::JITCode::validateReferences):
2385         (JSC::JITCode::execute):
2386         * jit/JITCode.h:
2387         (JSC::JITCode::start):
2388         * tests/stress/dead-osr-entry-value.js: Added.
2389         (foo):
2390
2391 2015-07-09  Filip Pizlo  <fpizlo@apple.com>
2392
2393         It should be possible to run the OSR exit fuzzer
2394         https://bugs.webkit.org/show_bug.cgi?id=146814
2395
2396         Reviewed by Mark Lam.
2397         
2398         Fix a silly bug: the option matching was accidentally allowing a prefix match, which
2399         always did the wrong thing for --fireOSRExitFuzzAt and --fireOSRExitFuzzAtStatic. Make
2400         this an exact match instead.
2401
2402         * runtime/Options.cpp:
2403         (JSC::Options::setOption):
2404
2405 2015-07-09  Mark Lam  <mark.lam@apple.com>
2406
2407         SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.
2408         https://bugs.webkit.org/show_bug.cgi?id=146807
2409
2410         Reviewed by Filip Pizlo.
2411
2412         When we capture an argument by name and we use "arguments", we put all of the
2413         arguments into the scope.  But destructured arguments are put into the scope
2414         anonymously i.e. the SymbolTable knows that the scope offset is in use via
2415         SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in
2416         SymbolTable::m_map.
2417
2418         The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will
2419         have a size which is based on the largest ScopeOffset in the m_map.  If we have a
2420         scenario where the anonymous argument is at a higher ScopeOffset than all the
2421         named arguments, then the m_localsToEntry vector will not have an entry for it
2422         i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of
2423         the anonymous argument.
2424
2425         Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is
2426         within the bounds of the m_localToEntry vector before indexing into it.
2427
2428         * runtime/SymbolTable.cpp:
2429         (JSC::SymbolTable::entryFor):
2430
2431 2015-07-09  Michael Saboff  <msaboff@apple.com>
2432
2433         REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
2434         https://bugs.webkit.org/show_bug.cgi?id=146767
2435
2436         Reviewed by Geoffrey Garen.
2437
2438         If the stack check fails at the top most frame, we must use that frame to
2439         generate the exception.  Reverted the code to always use the current frame to
2440         throw an out of stack exception.
2441
2442         * llint/LLIntSlowPaths.cpp:
2443         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2444
2445 2015-07-03  Filip Pizlo  <fpizlo@apple.com>
2446
2447         OSR exit fuzzing should allow us to select a static exit site
2448         https://bugs.webkit.org/show_bug.cgi?id=146601
2449
2450         Reviewed by Geoffrey Garen.
2451         
2452         The original implementation of the fuzzer allows us to trigger an exit based on its index
2453         in the dynamic sequence of exit sites encountered. But there are usually millions of
2454         dynamically encountered exit sites, even if the program only has thousands of static exit
2455         sites. That means that we would at best be able to do a random sampling of exits, and
2456         those would be biased to the hottest exit sites.
2457         
2458         This change allows us to also select exit sites based on their index in the static
2459         sequence of exit sites that the compiler compiled. Then, once that static exit site is
2460         selected, we can select which dynamic exit at that exit site we should trigger. Since the
2461         number of static exit sites is usually smallish (it's bounded by program size), we can do
2462         an exhaustive search over all exit sites in most programs.
2463
2464         * dfg/DFGOSRExitFuzz.cpp:
2465         (JSC::numberOfStaticOSRExitFuzzChecks):
2466         (JSC::numberOfOSRExitFuzzChecks):
2467         * dfg/DFGOSRExitFuzz.h:
2468         (JSC::DFG::doOSRExitFuzzing):
2469         * dfg/DFGSpeculativeJIT.cpp:
2470         (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
2471         * ftl/FTLLowerDFGToLLVM.cpp:
2472         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2473         * jsc.cpp:
2474         (jscmain):
2475         * runtime/Options.h:
2476         * runtime/TestRunnerUtils.h:
2477
2478 2015-07-08  Joseph Pecoraro  <pecoraro@apple.com>
2479
2480         Fix grammar issue in TypeError attempting to change an unconfigurable property
2481         https://bugs.webkit.org/show_bug.cgi?id=146774
2482
2483         Reviewed by Brent Fulgham.
2484
2485         * runtime/JSFunction.cpp:
2486         (JSC::JSFunction::defineOwnProperty):
2487         * runtime/JSObject.cpp:
2488         (JSC::JSObject::defineOwnNonIndexProperty):
2489         * runtime/StringObject.cpp:
2490         (JSC::StringObject::defineOwnProperty):
2491
2492 2015-07-06  Csaba Osztrogonác  <ossy@webkit.org>
2493
2494         Remove the unused HeapBlock.h
2495         https://bugs.webkit.org/show_bug.cgi?id=146580
2496
2497         Reviewed by Andreas Kling.
2498
2499         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2500         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2501         * JavaScriptCore.xcodeproj/project.pbxproj:
2502         * heap/CopiedBlock.h:
2503         * heap/CopiedSpace.h:
2504         * heap/CopiedSpaceInlines.h:
2505         * heap/HandleBlock.h:
2506         * heap/HeapBlock.h: Removed.
2507         * heap/MarkedBlock.h:
2508
2509 2015-07-06  Saam barati  <saambarati1@gmail.com>
2510
2511         JSC's parser should follow the ES6 spec with respect to parsing Declarations
2512         https://bugs.webkit.org/show_bug.cgi?id=146621
2513
2514         Reviewed by Mark Lam.
2515
2516         There were a few locations where JSC would allow declaration statements
2517         in incorrect ways. JSC didn't distinguish between 'Statement' and
2518         'StatementListItem' grammar productions. The relevant grammar is here:
2519         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements
2520
2521         From the ECMA Script 6.0 spec:
2522         1. Section 13.6 The if Statement (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-if-statement) 
2523          says that IfStatements only takes Statements for the "then-else" clauses, not StatementListItems.
2524          (Same with 'while/for/do-while' loop bodies).
2525         2. Section 13 ECMAScript Language: Statements and Declarations 
2526          (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-ecmascript-language-statements-and-declarations)
2527          defines the syntax of Statements, and they do not include ClassDeclarations and LexicalDeclarations 
2528          (const, let, see 13.3.1 Let and Const Declarations).
2529          Declarations can only be in the “then-else” clauses when embedded in a StatementListItem in a BlockStatement (see 13.2).
2530
2531         Hence, the following style of declarations are no longer allowed:
2532             'if/for/while (condition) const x = 40;'
2533             'if/for/while (condition) class C { }'
2534
2535         Instead, we mandate such declaration constructs are within a StatementList 
2536        (which is the production that JSC's Parser::parseSourceElements function parses):
2537            'if/for/while (condition) { const x = 40; }'
2538            'if/for/while (condition) { class C { } }'
2539
2540         * parser/Parser.cpp:
2541         (JSC::Parser<LexerType>::parseSourceElements):
2542         (JSC::Parser<LexerType>::parseStatementListItem):
2543         (JSC::Parser<LexerType>::parseVarDeclaration):
2544         (JSC::Parser<LexerType>::parseStatement):
2545         (JSC::Parser<LexerType>::parseExpressionStatement):
2546         * parser/Parser.h:
2547         (JSC::Parser::getLabel):
2548
2549 2015-07-06  Alex Christensen  <achristensen@webkit.org>
2550
2551         Unreviewed debug build fix after r186358.
2552
2553         * runtime/JSArray.cpp:
2554         (JSC::JSArray::fastConcatWith):
2555         Pass vm parameter to fastConcatType.
2556
2557 2015-07-06  Ryosuke Niwa  <rniwa@webkit.org>
2558
2559         Array.concat should be fast for integer or double arrays
2560         https://bugs.webkit.org/show_bug.cgi?id=146260
2561
2562         Reviewed by Darin Adler.
2563
2564         Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous
2565         arrays, simply memcopy the arrays into a new uninitialized buffer.
2566
2567         This improves huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro.
2568
2569         * runtime/ArrayPrototype.cpp:
2570         (JSC::arrayProtoFuncConcat):
2571         * runtime/JSArray.cpp:
2572         (JSC::JSArray::fastConcatWith): Added.
2573         * runtime/JSArray.h:
2574         (JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use
2575         the fact path. Returns NonArray otherwise.
2576
2577 2015-07-06  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2578
2579         [Streams API] Remove ReadableStream custom constructor
2580         https://bugs.webkit.org/show_bug.cgi?id=146547
2581
2582         Reviewed by Darin Adler.
2583
2584         Adding helper function to throw range errors.
2585
2586         * runtime/Error.h:
2587         (JSC::throwRangeError):
2588         (JSC::throwVMRangeError):
2589
2590 2015-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2591
2592         [ES6] Implement the latest Promise spec in JS
2593         https://bugs.webkit.org/show_bug.cgi?id=146229
2594
2595         Reviewed by Sam Weinig.
2596
2597         Updated the Promise implementation to meet to the ES6 spec.
2598         This patch
2599         1. Implement ES6 Promise and related abstract operations in builtins JS
2600         2. Expose @enqueueJob private function to JS world to post the microtask
2601
2602         Updated implementation has one-on-one correspondence to the ES6 spec description.
2603         And keep the JSPromiseDeferred because it is the interface used from the WebCore.
2604
2605         * CMakeLists.txt:
2606         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2607         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2608         * JavaScriptCore.xcodeproj/project.pbxproj:
2609         * builtins/Array.prototype.js:
2610         (reduce):
2611         (reduceRight):
2612         (every):
2613         (forEach):
2614         (filter):
2615         (map):
2616         (some):
2617         (fill):
2618         (find):
2619         (findIndex):
2620         (includes):
2621         (copyWithin):
2622         ToInteger / ToLength are renamed to toInteger and toLength.
2623         * builtins/ArrayConstructor.js:
2624         (from):
2625         ToInteger / ToLength are renamed to toInteger and toLength.
2626         * builtins/GlobalObject.js:
2627         (toInteger):
2628         (toLength):
2629         (isObject):
2630         (ToInteger): Deleted.
2631         (ToLength): Deleted.
2632         ToInteger / ToLength are renamed to toInteger and toLength.
2633         Add new abstract operation, isObject.
2634         * builtins/Operations.Promise.js: Added.
2635         (isPromise):
2636         (newPromiseReaction):
2637         (newPromiseDeferred):
2638         (newPromiseCapability.executor):
2639         (newPromiseCapability):
2640         (triggerPromiseReactions):
2641         (rejectPromise):
2642         (fulfillPromise):
2643         (createResolvingFunctions.resolve):
2644         (createResolvingFunctions.reject):
2645         (createResolvingFunctions):
2646         (promiseReactionJob):
2647         (promiseResolveThenableJob):
2648         (initializePromise):
2649         Added Promise related abstract operations.
2650         * builtins/Promise.prototype.js:
2651         (catch):
2652         (.onFulfilled):
2653         (.onRejected):
2654         (then):
2655         Promise#then implementation in JS.
2656         * builtins/PromiseConstructor.js: Added.
2657         (all.newResolveElement):
2658         (all):
2659         (race):
2660         (reject):
2661         (resolve):
2662         Promise static functions implementations in JS.
2663         * builtins/StringConstructor.js:
2664         (raw):
2665         ToInteger / ToLength are renamed to toInteger and toLength.
2666         * inspector/JSInjectedScriptHost.cpp:
2667         (Inspector::JSInjectedScriptHost::getInternalProperties):
2668         * runtime/CommonIdentifiers.h:
2669         * runtime/JSGlobalObject.cpp:
2670         (JSC::enqueueJob):
2671         (JSC::JSGlobalObject::init):
2672         (JSC::JSGlobalObject::visitChildren):
2673         * runtime/JSGlobalObject.h:
2674         (JSC::JSGlobalObject::initializePromiseFunction):
2675         (JSC::JSGlobalObject::newPromiseDeferredFunction):
2676         * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h.
2677         (JSC::createJSJob):
2678         (JSC::JSJobMicrotask::run):
2679         * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h.
2680         * runtime/JSPromise.cpp:
2681         (JSC::JSPromise::create):
2682         (JSC::JSPromise::JSPromise):
2683         (JSC::JSPromise::finishCreation):
2684         (JSC::JSPromise::result):
2685         (JSC::JSPromise::destroy): Deleted.
2686         (JSC::JSPromise::visitChildren): Deleted.
2687         (JSC::JSPromise::reject): Deleted.
2688         (JSC::JSPromise::resolve): Deleted.
2689         (JSC::JSPromise::appendResolveReaction): Deleted.
2690         (JSC::JSPromise::appendRejectReaction): Deleted.
2691         (JSC::triggerPromiseReactions): Deleted.
2692         * runtime/JSPromise.h:
2693         (JSC::JSPromise::status): Deleted.
2694         (JSC::JSPromise::result): Deleted.
2695         (JSC::JSPromise::constructor): Deleted.
2696         * runtime/JSPromiseConstructor.cpp:
2697         (JSC::constructPromise):
2698         (JSC::JSPromiseConstructorFuncResolve): Deleted.
2699         (JSC::JSPromiseConstructorFuncReject): Deleted.
2700         (JSC::performPromiseRaceLoop): Deleted.
2701         (JSC::JSPromiseConstructorFuncRace): Deleted.
2702         (JSC::performPromiseAll): Deleted.
2703         (JSC::JSPromiseConstructorFuncAll): Deleted.
2704         * runtime/JSPromiseDeferred.cpp:
2705         (JSC::JSPromiseDeferred::create):
2706         (JSC::createJSPromiseDeferredFromConstructor): Deleted.
2707         (JSC::updateDeferredFromPotentialThenable): Deleted.
2708         (JSC::performDeferredResolve): Deleted.
2709         (JSC::performDeferredReject): Deleted.
2710         (JSC::abruptRejection): Deleted.
2711         * runtime/JSPromiseDeferred.h:
2712         * runtime/JSPromiseFunctions.cpp: Removed.
2713         (JSC::deferredConstructionFunction): Deleted.
2714         (JSC::createDeferredConstructionFunction): Deleted.
2715         (JSC::identifyFunction): Deleted.
2716         (JSC::createIdentifyFunction): Deleted.
2717         (JSC::promiseAllCountdownFunction): Deleted.
2718         (JSC::createPromiseAllCountdownFunction): Deleted.
2719         (JSC::promiseResolutionHandlerFunction): Deleted.
2720         (JSC::createPromiseResolutionHandlerFunction): Deleted.
2721         (JSC::rejectPromiseFunction): Deleted.
2722         (JSC::createRejectPromiseFunction): Deleted.
2723         (JSC::resolvePromiseFunction): Deleted.
2724         (JSC::createResolvePromiseFunction): Deleted.
2725         (JSC::throwerFunction): Deleted.
2726         (JSC::createThrowerFunction): Deleted.
2727         * runtime/JSPromisePrototype.cpp:
2728         (JSC::JSPromisePrototypeFuncThen): Deleted.
2729         * runtime/JSPromiseReaction.cpp: Removed.
2730         (JSC::createExecutePromiseReactionMicrotask): Deleted.
2731         (JSC::ExecutePromiseReactionMicrotask::run): Deleted.
2732         (JSC::JSPromiseReaction::create): Deleted.
2733         (JSC::JSPromiseReaction::JSPromiseReaction): Deleted.
2734         (JSC::JSPromiseReaction::finishCreation): Deleted.
2735         (JSC::JSPromiseReaction::visitChildren): Deleted.
2736         * runtime/VM.cpp:
2737         (JSC::VM::VM): Deleted.
2738         * runtime/VM.h:
2739
2740 2015-07-04  Chris Dumez  <cdumez@apple.com>
2741
2742         Drop RefPtr::clear() method
2743         https://bugs.webkit.org/show_bug.cgi?id=146556
2744
2745         Reviewed by Brady Eidson.
2746
2747         Drop RefPtr::clear() method in favor of "= nullptr;" pattern.
2748
2749 2015-07-03  Dan Bernstein  <mitz@apple.com>
2750
2751         Just give up on -Wunreachable-code in JavaScriptCore.
2752
2753         * Configurations/Base.xcconfig:
2754         * llint/LowLevelInterpreter.cpp:
2755         (JSC::CLoop::execute):
2756
2757 2015-07-03  Dan Bernstein  <mitz@apple.com>
2758
2759         Fixed the LLINT CLoop build.
2760
2761         * llint/LowLevelInterpreter.cpp:
2762         (JSC::CLoop::execute):
2763
2764 2015-07-03  Dan Bernstein  <mitz@apple.com>
2765
2766         [Xcode] Update some build settings as recommended by Xcode 7
2767         https://bugs.webkit.org/show_bug.cgi?id=146597
2768
2769         Reviewed by Sam Weinig.
2770
2771         * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
2772         GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.
2773
2774         * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.
2775
2776         * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings.
2777
2778 2015-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2779
2780         Relax builtin JS restriction about try-catch
2781         https://bugs.webkit.org/show_bug.cgi?id=146555
2782
2783         Reviewed by Sam Weinig.
2784
2785         When retrieving the captured variables from the full activated scope,
2786         it swapped the given vector with the stored declared variables vector.
2787         This is because retrieving the captured variables are executed in the
2788         last sequence of the parser, so declared variables are no longer used.
2789         However, in builtins functions case, after retrieving the captured
2790         variables, we check the variables by using declared variables vector.
2791         So at that time, the declared variables vector becomes empty and it
2792         raises assertion failures when the builtins function contains the full
2793         activated scope. try-catch's catch scope requires the upper scope full
2794         activated, so JS code in the builtins cannot use the try-catch.
2795
2796         This patch relaxes this restriction. When retrieving the captured
2797         variables from the scope, just copy to the given vector.
2798
2799         * parser/Parser.h:
2800         (JSC::Scope::getCapturedVariables):
2801
2802 2015-07-02  Filip Pizlo  <fpizlo@apple.com>
2803
2804         DFG and FTL should have an OSR exit fuzzer
2805         https://bugs.webkit.org/show_bug.cgi?id=146562
2806
2807         Reviewed by Benjamin Poulain.
2808         
2809         Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I
2810         spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how
2811         to harness this after I land it.
2812         
2813         Since it's turned off by default, it should have no effect on behavior.
2814
2815         * CMakeLists.txt:
2816         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2817         * JavaScriptCore.xcodeproj/project.pbxproj:
2818         * dfg/DFGOSRExitFuzz.cpp: Added.
2819         (JSC::numberOfOSRExitFuzzChecks):
2820         * dfg/DFGOSRExitFuzz.h: Added.
2821         * dfg/DFGSpeculativeJIT.cpp:
2822         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
2823         (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
2824         (JSC::DFG::SpeculativeJIT::speculationCheck):
2825         * dfg/DFGSpeculativeJIT.h:
2826         * ftl/FTLLowerDFGToLLVM.cpp:
2827         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2828         * jsc.cpp:
2829         (jscmain):
2830         * runtime/Options.h:
2831         * runtime/TestRunnerUtils.h:
2832
2833 2015-07-02  Saam barati  <saambarati1@gmail.com>
2834
2835         Rename "Deconstruction" to "Destructuring" throughout JSC
2836         https://bugs.webkit.org/show_bug.cgi?id=146100
2837
2838         Reviewed by Mark Lam.
2839
2840         It is good to use the same naming conventions as the ES6 
2841         spec because it is the de facto way of speaking about these 
2842         language features. This also has the benefit of improving JSC's
2843         hackability because it improves code readability for newcomers 
2844         to JSC or newcomers to this part of the code base.
2845
2846         * bytecompiler/BytecodeGenerator.cpp:
2847         (JSC::BytecodeGenerator::generate):
2848         (JSC::BytecodeGenerator::BytecodeGenerator):
2849         (JSC::BytecodeGenerator::initializeNextParameter):
2850         (JSC::BytecodeGenerator::visibleNameForParameter):
2851         * bytecompiler/BytecodeGenerator.h:
2852         (JSC::BytecodeGenerator::registerFor):
2853         * bytecompiler/NodesCodegen.cpp:
2854         (JSC::ForInNode::tryGetBoundLocal):
2855         (JSC::ForInNode::emitLoopHeader):
2856         (JSC::ForOfNode::emitBytecode):
2857         (JSC::ClassExprNode::emitBytecode):
2858         (JSC::DestructuringAssignmentNode::emitBytecode):
2859         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
2860         (JSC::ArrayPatternNode::collectBoundIdentifiers):
2861         (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted.
2862         (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted.
2863         * parser/ASTBuilder.h:
2864         (JSC::ASTBuilder::createElementList):
2865         (JSC::ASTBuilder::createFormalParameterList):
2866         (JSC::ASTBuilder::createClause):
2867         (JSC::ASTBuilder::createClauseList):
2868         (JSC::ASTBuilder::createForInLoop):
2869         (JSC::ASTBuilder::createForOfLoop):
2870         (JSC::ASTBuilder::isBindingNode):
2871         (JSC::ASTBuilder::isResolve):
2872         (JSC::ASTBuilder::createDestructuringAssignment):
2873         (JSC::ASTBuilder::createArrayPattern):
2874         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
2875         (JSC::ASTBuilder::appendArrayPatternEntry):
2876         (JSC::ASTBuilder::appendArrayPatternRestEntry):
2877         (JSC::ASTBuilder::createObjectPattern):
2878         (JSC::ASTBuilder::appendObjectPatternEntry):
2879         (JSC::ASTBuilder::createDeconstructingAssignment): Deleted.
2880         * parser/NodeConstructors.h:
2881         (JSC::TryNode::TryNode):
2882         (JSC::ParameterNode::ParameterNode):
2883         (JSC::ForOfNode::ForOfNode):
2884         (JSC::DestructuringPatternNode::DestructuringPatternNode):
2885         (JSC::ArrayPatternNode::ArrayPatternNode):
2886         (JSC::ArrayPatternNode::create):
2887         (JSC::ObjectPatternNode::ObjectPatternNode):
2888         (JSC::BindingNode::create):
2889         (JSC::BindingNode::BindingNode):
2890         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
2891         (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted.
2892         (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted.
2893         * parser/Nodes.cpp:
2894         (JSC::FunctionParameters::create):
2895         * parser/Nodes.h:
2896         (JSC::ExpressionNode::isResolveNode):
2897         (JSC::ExpressionNode::isBracketAccessorNode):
2898         (JSC::ExpressionNode::isDotAccessorNode):
2899         (JSC::ExpressionNode::isDestructuringNode):
2900         (JSC::ExpressionNode::isFuncExprNode):
2901         (JSC::ExpressionNode::isCommaNode):
2902         (JSC::ExpressionNode::isSimpleArray):
2903         (JSC::ParameterNode::pattern):
2904         (JSC::ParameterNode::nextParam):
2905         (JSC::FunctionParameters::size):
2906         (JSC::FunctionParameters::at):
2907         (JSC::FunctionParameters::patterns):
2908         (JSC::DestructuringPatternNode::isBindingNode):
2909         (JSC::DestructuringPatternNode::emitDirectBinding):
2910         (JSC::ArrayPatternNode::appendIndex):
2911         (JSC::ObjectPatternNode::appendEntry):
2912         (JSC::BindingNode::boundProperty):
2913         (JSC::DestructuringAssignmentNode::bindings):
2914         (JSC::ExpressionNode::isDeconstructionNode): Deleted.
2915         (JSC::DeconstructionPatternNode::isBindingNode): Deleted.
2916         (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted.
2917         (JSC::DeconstructingAssignmentNode::bindings): Deleted.
2918         * parser/Parser.cpp:
2919         (JSC::Parser<LexerType>::parseVarDeclaration):
2920         (JSC::Parser<LexerType>::parseWhileStatement):
2921         (JSC::Parser<LexerType>::parseVarDeclarationList):
2922         (JSC::Parser<LexerType>::createBindingPattern):
2923         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
2924         (JSC::Parser<LexerType>::parseDestructuringPattern):
2925         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
2926         (JSC::Parser<LexerType>::parseForStatement):
2927         (JSC::Parser<LexerType>::parseFormalParameters):
2928         (JSC::Parser<LexerType>::parseFunctionParameters):
2929         (JSC::Parser<LexerType>::parseAssignmentExpression):
2930         (JSC::Parser<LexerType>::tryParseDeconstructionPatternExpression): Deleted.
2931         (JSC::Parser<LexerType>::parseDeconstructionPattern): Deleted.
2932         (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern): Deleted.
2933         * parser/Parser.h:
2934         (JSC::isEvalNode):
2935         * parser/SyntaxChecker.h:
2936         (JSC::SyntaxChecker::createPropertyList):
2937         (JSC::SyntaxChecker::createElementList):
2938         (JSC::SyntaxChecker::createFormalParameterList):
2939         (JSC::SyntaxChecker::createClause):
2940         (JSC::SyntaxChecker::createClauseList):
2941         (JSC::SyntaxChecker::operatorStackPop):
2942         * tests/stress/reserved-word-with-escape.js:
2943         * tests/stress/rest-elements.js:
2944
2945 2015-07-02  Mark Lam  <mark.lam@apple.com>
2946
2947         Build fix for Win EWS bot.
2948         https://bugs.webkit.org/show_bug.cgi?id=146551
2949
2950         Not reviewed.
2951
2952         * tools/JSDollarVMPrototype.cpp:
2953         (JSC::functionCrash):
2954
2955 2015-07-02  Dan Bernstein  <mitz@apple.com>
2956
2957         <rdar://problem/21429613> [iOS] Stop making symlinks from PrivateFrameworks to Frameworks
2958         https://bugs.webkit.org/show_bug.cgi?id=146542
2959
2960         Reviewed by Sam Weinig.
2961
2962         * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink.
2963
2964 2015-07-01  Joseph Pecoraro  <pecoraro@apple.com>
2965
2966         Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes
2967         https://bugs.webkit.org/show_bug.cgi?id=146536
2968
2969         Reviewed by Timothy Hatcher.
2970
2971         * inspector/protocol/Timeline.json:
2972         Change a CPUProfile from sending a required "calls" param to sending a required
2973         "callInfo" param which includes aggregated information about the calls.
2974
2975 2015-06-30  Filip Pizlo  <fpizlo@apple.com>
2976
2977         DFG::freezeFragile should register the frozen value's structure
2978         https://bugs.webkit.org/show_bug.cgi?id=136055
2979         rdar://problem/21042120
2980
2981         Reviewed by Mark Lam and Geoffrey Garen.
2982         
2983         This fixes weird concurrency bugs where the constant folding phase tries to convert
2984         something to a constant but then crashes because the constant's structure wasn't
2985         registered. The AI was registering the structure of any value it saw, but constant folding
2986         wasn't - and that's fine so long as there ain't no concurrency.
2987         
2988         The best fix is to just make it impossible to introduce a constant into the IR without
2989         registering its structure. That's what this change does. This is not only a great
2990         concurrency fix - it also makes the compiler somewhat easier to hack on because it's one
2991         less case of structure registering that you have to remember about.
2992         
2993         * dfg/DFGAbstractValue.cpp:
2994         (JSC::DFG::AbstractValue::setOSREntryValue): No need to register.
2995         (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state.
2996         * dfg/DFGGraph.cpp:
2997         (JSC::DFG::Graph::freezeFragile): Register the structure.
2998         * dfg/DFGStructureRegistrationPhase.cpp:
2999         (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered.
3000
3001 2015-07-01  Matthew Mirman  <mmirman@apple.com>
3002
3003         Unreviewed, rolling out r185889
3004         https://bugs.webkit.org/show_bug.cgi?id=146528
3005         rdar://problem/21573959
3006
3007         Patch breaks chromeexperiments.com
3008         
3009         Reverted changeset:
3010         
3011         * CMakeLists.txt:
3012         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3013         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3014         * JavaScriptCore.xcodeproj/project.pbxproj:
3015         * inspector/InjectedScriptSource.js:
3016         (.):
3017         * runtime/JSBoundSlotBaseFunction.cpp: Removed.
3018         * runtime/JSBoundSlotBaseFunction.h: Removed.
3019         * runtime/JSGlobalObject.cpp:
3020         (JSC::JSGlobalObject::init): Deleted.
3021         (JSC::JSGlobalObject::visitChildren): Deleted.
3022         * runtime/JSGlobalObject.h:
3023         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
3024         * runtime/JSObject.cpp:
3025         (JSC::JSObject::getOwnPropertyDescriptor):
3026         (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
3027         * runtime/VM.cpp:
3028         (JSC::VM::VM): Deleted.
3029         * runtime/VM.h:
3030
3031 2015-07-01  Dean Jackson  <dino@apple.com>
3032
3033         Disable the experimental WebGL2 implementation
3034         https://bugs.webkit.org/show_bug.cgi?id=146526
3035         <rdar://problem/21641235>
3036
3037         Reviewed by Myles Maxfield.
3038
3039         Add (and disable) an ENABLE_WEBGL2 flag.
3040
3041         * Configurations/FeatureDefines.xcconfig:
3042
3043 2015-07-01  Matthew Daiter  <mdaiter@apple.com>
3044
3045         Enable MEDIA_STREAM flag
3046         https://bugs.webkit.org/show_bug.cgi?id=145947
3047         <rdar://problem/21365829>
3048
3049         Reviewed by Eric Carlson.
3050
3051         * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag
3052
3053 2015-06-30  Andy VanWagoner  <thetalecrafter@gmail.com>
3054
3055         Implement ECMAScript Internationalization API
3056         https://bugs.webkit.org/show_bug.cgi?id=90906
3057
3058         Reviewed by Benjamin Poulain.
3059
3060         * CMakeLists.txt: add IntlObject.cpp
3061         * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag
3062         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject
3063         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject
3064         * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject
3065         * runtime/CommonIdentifiers.h: add "Intl" name
3066         * runtime/IntlObject.cpp: Added.
3067         (JSC::IntlObject::IntlObject):
3068         (JSC::IntlObject::create):
3069         (JSC::IntlObject::finishCreation):
3070         (JSC::IntlObject::createStructure):
3071         * runtime/IntlObject.h: Added.
3072         * runtime/JSGlobalObject.cpp: Add global Intl
3073         (JSC::JSGlobalObject::init):
3074
3075 2015-06-30  Basile Clement  <basile_clement@apple.com>
3076
3077         Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes
3078         https://bugs.webkit.org/show_bug.cgi?id=146431
3079
3080         Reviewed by Filip Pizlo.
3081
3082         * dfg/DFGNode.h:
3083         (JSC::DFG::Node::isFunctionAllocation):
3084         (JSC::DFG::Node::isPhantomFunctionAllocation):
3085         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3086         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
3087         * dfg/DFGPromoteHeapAccess.h:
3088         (JSC::DFG::promoteHeapAccess):
3089
3090 2015-06-30  Matt Baker  <mattbaker@apple.com>
3091
3092         Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing
3093         https://bugs.webkit.org/show_bug.cgi?id=146168
3094
3095         Reviewed by Brian Burg.
3096
3097         * inspector/protocol/Timeline.json:
3098         New timeline record type for compositing events.
3099
3100 2015-06-29  Dean Jackson  <dino@apple.com>
3101
3102         Temporarily disable PICTURE_SIZES
3103         https://bugs.webkit.org/show_bug.cgi?id=146435
3104         <rdar://problem/21087013>
3105
3106         Reviewed by Tim Horton.
3107
3108         Temporarily disable PICTURE_SIZES because it causes problems with out
3109         of date <picture> polyfills.
3110
3111         * Configurations/FeatureDefines.xcconfig:
3112
3113 2015-06-29  Youenn Fablet  <youenn.fablet@crf.canon.fr>
3114
3115         Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue
3116         https://bugs.webkit.org/show_bug.cgi?id=146403
3117
3118         Reviewed by Darin Adler.
3119
3120         * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue.
3121
3122 2015-06-28 Aleksandr Skachkov   <gskachkov@gmail.com>
3123
3124         [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and =>
3125         https://bugs.webkit.org/show_bug.cgi?id=146394
3126
3127         Reviewed by Yusuke Suzuki.
3128
3129         * parser/Parser.cpp:
3130         (JSC::Parser<LexerType>::parseFunctionInfo):
3131
3132 2015-06-27  Darin Adler  <darin@apple.com>
3133
3134         Make converting JSString to StringView idiomatically safe
3135         https://bugs.webkit.org/show_bug.cgi?id=146387
3136
3137         Reviewed by Anders Carlsson.
3138
3139         * jsc.cpp:
3140         (functionPrint): Add explicit call to SafeView::get, needed since there
3141         is no StringView temporary.
3142         (functionDebug): Ditto.
3143
3144         * runtime/ArrayPrototype.cpp:
3145         (JSC::holesMustForwardToPrototype): Refactored into helper function.
3146         (JSC::join): Refactored so that StringView is a function argument, making
3147         the lifetime simpler.
3148         (JSC::arrayProtoFuncJoin): Ditto.
3149         (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper.
3150
3151         * runtime/JSGlobalObjectFunctions.cpp:
3152         (JSC::encode): Add explicit call to SafeView::get.
3153
3154         * runtime/JSString.h: Moved declarations of functions to the top of the
3155         file instead of mixing them in with the function definitions. Changed
3156         return type of the view function to return a JSString::SafeView so that
3157         the JSString's lifetime will last as long as the StringView does in
3158         typical coding idioms.
3159         (JSC::JSString::getIndex): Use unsafeView so we can index into the
3160         view; could also have used view.get but here in this class this seems fine.
3161         (JSC::JSRopeString::unsafeView): Renamed existing view function to this.
3162         (JSC::JSString::unsafeView): Ditto.
3163         (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState
3164         and a JSString. The ExecState is needed to create the StringView, and the
3165         JSString needs to be kept alive as long as the StringView is.
3166         (JSC::JSString::SafeView::operator StringView): Call unsafeView.
3167         (JSC::JSString::SafeView::get): Convenience for when we want to call
3168         StringView member functions.
3169         (JSC::JSString::view): Added. Returns a SafeView.
3170
3171         * runtime/StringPrototype.cpp:
3172         (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get.
3173
3174 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
3175
3176         Remove ARMv7Assembler.cpp
3177         https://bugs.webkit.org/show_bug.cgi?id=146340
3178
3179         Reviewed by Filip Pizlo.
3180
3181         * CMakeLists.txt:
3182         * JavaScriptCore.xcodeproj/project.pbxproj:
3183         * assembler/ARMv7Assembler.cpp: Removed.
3184
3185 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
3186
3187         Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989
3188         https://bugs.webkit.org/show_bug.cgi?id=146344
3189
3190         Reviewed by Yusuke Suzuki.
3191
3192         * parser/Parser.cpp:
3193         (JSC::Parser<LexerType>::parseSourceElements):
3194
3195 2015-06-26 Aleksandr Skachkov  <gskachkov@gmail.com>
3196
3197          [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function. 
3198          https://bugs.webkit.org/show_bug.cgi?id=144955
3199
3200          Reviewed by Yusuke Suzuki.
3201
3202          Added support of ES6 arrow function. Changes were made according to following spec http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. Patch does not include any arrow function specific behavior e.g. lexical bind this, arguments and etc.     
3203         This patch implements the simplest cases of arrow function declaration:
3204            parameters             () => 10 + 20
3205            parameter               x => x + 20
3206            parameters         (x, y) => x + y
3207            function with block     x => { return x*10; }
3208
3209         Not implemented:
3210            bind of the this, arguments, super and etc.
3211            exception in case of trying to use 'new' with arrow function
3212
3213         * parser/ASTBuilder.h:
3214         (JSC::ASTBuilder::createFunctionExpr):
3215         (JSC::ASTBuilder::createArrowFunctionExpr):
3216         (JSC::ASTBuilder::createGetterOrSetterProperty):
3217         (JSC::ASTBuilder::createFuncDeclStatement):
3218         * parser/Lexer.cpp:
3219         (JSC::Lexer<T>::setTokenPosition):
3220         (JSC::Lexer<T>::lex):
3221         * parser/Lexer.h:
3222         (JSC::Lexer::lastTokenLocation):
3223         (JSC::Lexer::setTerminator):
3224         * parser/Parser.cpp:
3225         (JSC::Parser<LexerType>::parseInner):
3226         (JSC::Parser<LexerType>::parseSourceElements):
3227         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody):
3228         (JSC::Parser<LexerType>::parseSwitchClauses):
3229         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
3230         (JSC::Parser<LexerType>::parseBlockStatement):
3231         (JSC::Parser<LexerType>::parseFunctionBody):
3232         (JSC::stringForFunctionMode):
3233         (JSC::Parser<LexerType>::parseFunctionParameters):
3234         (JSC::Parser<LexerType>::parseFunctionInfo):
3235         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3236         (JSC::Parser<LexerType>::parseClass):
3237         (JSC::Parser<LexerType>::parseAssignmentExpression):
3238         (JSC::Parser<LexerType>::parsePropertyMethod):
3239         (JSC::Parser<LexerType>::parseGetterSetter):
3240         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
3241         * parser/Parser.h:
3242         (JSC::Parser::locationBeforeLastToken):
3243         (JSC::Parser::isEndOfArrowFunction):
3244         (JSC::Parser::isArrowFunctionParamters):
3245         (JSC::Parser::setEndOfStatement):
3246         * parser/ParserFunctionInfo.h:
3247         * parser/ParserTokens.h:
3248         * parser/SourceCode.h:
3249         (JSC::SourceCode::subArrowExpression):
3250         * parser/SourceProviderCacheItem.h:
3251         (JSC::SourceProviderCacheItem::endFunctionToken):
3252         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
3253         * parser/SyntaxChecker.h:
3254         (JSC::SyntaxChecker::createArrowFunctionExpr):
3255         (JSC::SyntaxChecker::setFunctionNameStart):
3256
3257 2015-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3258
3259         [ES6] Support rest element in destructuring assignments
3260         https://bugs.webkit.org/show_bug.cgi?id=146206
3261
3262         Reviewed by Oliver Hunt.
3263
3264         This patch enables rest element (...rest) in array binding patterns.
3265         It generates array from the iterables.
3266         In variable declarations and parameters, `[...identifier]` form is only allowed,
3267         while expressions can take `[...[...rest]]` pattern.
3268
3269         * bytecompiler/BytecodeGenerator.cpp:
3270         (JSC::BytecodeGenerator::emitEnumeration):
3271         (JSC::BytecodeGenerator::emitIteratorNext):
3272         * bytecompiler/BytecodeGenerator.h:
3273         * bytecompiler/NodesCodegen.cpp:
3274         (JSC::ArrayPatternNode::bindValue):
3275         (JSC::ArrayPatternNode::toString):
3276         * parser/ASTBuilder.h:
3277         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
3278         (JSC::ASTBuilder::appendArrayPatternEntry):
3279         (JSC::ASTBuilder::appendArrayPatternRestEntry):
3280         * parser/Nodes.h:
3281         (JSC::ArrayPatternNode::appendIndex):
3282         * parser/Parser.cpp:
3283         (JSC::Parser<LexerType>::parseDeconstructionPattern):
3284         * parser/SyntaxChecker.h:
3285         (JSC::SyntaxChecker::operatorStackPop):
3286         * tests/stress/rest-elements.js: Added.
3287         (shouldBe):
3288         (shouldThrow):
3289
3290 2015-06-25  Commit Queue  <commit-queue@webkit.org>
3291
3292         Unreviewed, rolling out r185956.
3293         https://bugs.webkit.org/show_bug.cgi?id=146321
3294
3295         Causes massive crashes on test bots (Requested by bfulgham on
3296         #webkit).
3297
3298         Reverted changeset:
3299
3300         "Enabling MEDIA_STREAM"
3301         https://bugs.webkit.org/show_bug.cgi?id=145947
3302         http://trac.webkit.org/changeset/185956
3303
3304 2015-06-25  Michael Saboff  <msaboff@apple.com>
3305
3306         Minor fix to idx bounds check after 185954
3307
3308         Rubber Stamped by Ryosuke Niwa.
3309
3310         Changed "idx > 1" to "idx > 0" in two places.
3311
3312         * runtime/ExceptionHelpers.cpp:
3313         (JSC::functionCallBase):
3314
3315 2015-06-25  Keith Miller  <keith_miller@apple.com>
3316
3317         Address Sanitizer does not play well with memcpy in JSC::MachineThreads::tryCopyOtherThreadStack.
3318         https://bugs.webkit.org/show_bug.cgi?id=146297
3319
3320         Reviewed by Filip Pizlo.
3321
3322         Since we cannot blacklist the system memcpy we must use our own naive implementation,
3323         copyMemory. This is not a significant performance loss as tryCopyOtherThreadStack is
3324         only called as part of an O(heapsize) operation. As the heap is generally much larger
3325         than the stack the performance hit is minimal.
3326
3327         * heap/MachineStackMarker.cpp:
3328         (JSC::copyMemory):
3329         (JSC::MachineThreads::tryCopyOtherThreadStack):
3330         (JSC::asanUnsafeMemcpy): Deleted.
3331
3332 2015-06-25  Matthew Daiter  <mdaiter@apple.com>
3333
3334         Enabling MEDIA_STREAM
3335         https://bugs.webkit.org/show_bug.cgi?id=145947
3336         <rdar://problem/21365829>
3337
3338         Reviewed by Brent Fulgham.