27ab11900dc818ceaac1fe2b622f174a4c30a632
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
2
3         Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time
4         https://bugs.webkit.org/show_bug.cgi?id=147218
5
6         Reviewed by Sam Weinig.
7         
8         I want to be able to take a UniquedStringImpl* and turn it into an identifierNumber at
9         various points in my work on https://bugs.webkit.org/show_bug.cgi?id=146929. Currently,
10         most Nodes that deal with identifiers use identifierNumbers and you can only create an
11         identifierNumber in BytecodeGenerator. DFG::ByteCodeParser does sort of have the
12         ability to create new identifierNumbers when inlining - it takes the inlined code's
13         identifiers and either gives them new numbers or reuses numbers from the enclosing
14         code.
15         
16         This patch takes that basic functionality and puts it in
17         DFG::DesiredIdentifiers::ensure(). Anyone can call this at any time to turn a
18         UniquedStringImpl* into an identifierNumber. This data structure is already used by
19         Plan to properly install any newly created identifier table entries into the CodeBlock.
20
21         * dfg/DFGByteCodeParser.cpp:
22         (JSC::DFG::ByteCodeParser::ByteCodeParser):
23         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
24         (JSC::DFG::ByteCodeParser::linkBlocks):
25         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
26         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): Deleted.
27         * dfg/DFGDesiredIdentifiers.cpp:
28         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
29         (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
30         (JSC::DFG::DesiredIdentifiers::ensure):
31         (JSC::DFG::DesiredIdentifiers::at):
32         (JSC::DFG::DesiredIdentifiers::addLazily): Deleted.
33         * dfg/DFGDesiredIdentifiers.h:
34
35 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
36
37         Simplify things like CompareEq(@x,@x)
38         https://bugs.webkit.org/show_bug.cgi?id=145850
39
40         Reviewed by Sam Weinig.
41         
42         This simplifies x==x to true, except in cases where x might be a double (in which case this
43         might still be false if x is NaN).
44
45         * dfg/DFGAbstractInterpreterInlines.h:
46         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
47         * tests/stress/nan-equal-untyped.js: Added.
48         (foo):
49         (test):
50         * tests/stress/nan-equal.js: Added.
51         (foo):
52
53 2015-07-22  Joseph Pecoraro  <pecoraro@apple.com>
54
55         Web Inspector: Timeline should immediately start moving play head when starting a new recording
56         https://bugs.webkit.org/show_bug.cgi?id=147210
57
58         Reviewed by Timothy Hatcher.
59
60         * inspector/protocol/Timeline.json:
61         Add timestamps to recordingStarted and recordingStopped events.
62
63 2015-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
64
65         Introducing construct ability into JS executables
66         https://bugs.webkit.org/show_bug.cgi?id=147183
67
68         Reviewed by Geoffrey Garen.
69
70         Decouple the construct ability from the builtin functions.
71         Currently, all builtin functions are not constructors after r182995.
72         In that patch, when the given function is builtin JS function, we recognize it as the non-constructor function.
73
74         But, we need to relax it to implement some constructors in builtins JS.
75         By decoupling the construct ability from whether the function is builtin or not, we can provide
76
77         1. constructors written in builtin JS
78         2. non-constructors in normal JS functions
79
80         (1) is needed for Promise constructor.
81         And (2) is needed for method functions and arrow functions.
82
83         This patch introduces ConstructAbility into the unlinked function executables.
84         It holds whether the given JS function has the construct ability or not.
85         By leveraging this, this patch disables the construct ability of the method definitions, setters, getters and arrow functions.
86
87         And at the same time, this patch introduces the annotation for constructor in builtin JS.
88         We can define the function as follows,
89
90             constructor Promise(executor)
91             {
92                 ...
93             }
94
95         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
96         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
97         * JavaScriptCore.xcodeproj/project.pbxproj:
98         * builtins/BuiltinExecutables.cpp:
99         (JSC::BuiltinExecutables::createDefaultConstructor):
100         (JSC::BuiltinExecutables::createExecutableInternal):
101         * builtins/BuiltinExecutables.h:
102         * builtins/Iterator.prototype.js:
103         (symbolIterator):
104         (SymbolIterator): Deleted.
105         * bytecode/UnlinkedCodeBlock.cpp:
106         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
107         * bytecode/UnlinkedCodeBlock.h:
108         * bytecompiler/BytecodeGenerator.h:
109         (JSC::BytecodeGenerator::makeFunction):
110         * generate-js-builtins:
111         (getCopyright):
112         (Function):
113         (Function.__init__):
114         (Function.mangleName):
115         (getFunctions):
116         (mangleName): Deleted.
117         * jit/JITOperations.cpp:
118         * llint/LLIntSlowPaths.cpp:
119         (JSC::LLInt::setUpCall):
120         * parser/Parser.cpp:
121         (JSC::Parser<LexerType>::parseClass):
122         * runtime/CodeCache.cpp:
123         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
124         * runtime/CommonIdentifiers.h:
125         * runtime/ConstructAbility.h: Copied from Source/JavaScriptCore/builtins/Iterator.prototype.js.
126         * runtime/Executable.h:
127         * runtime/JSFunction.cpp:
128         (JSC::JSFunction::getConstructData):
129         * runtime/JSGlobalObject.cpp:
130         (JSC::JSGlobalObject::init):
131         * tests/stress/non-constructors.js: Added.
132         (shouldThrow):
133         (.prototype.method):
134         (.prototype.get getter):
135         (.prototype.set setter):
136         (.method):
137         (.get shouldThrow):
138         (.set shouldThrow):
139         (set var.test.get getter):
140         (set var.test.set setter):
141         (set var.test.normal):
142         (.set var):
143         (.set new):
144
145 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
146
147         [JSC] Enable exception fuzzing for GCC too
148         https://bugs.webkit.org/show_bug.cgi?id=146831
149
150         Reviewed by Darin Adler.
151
152         * jit/JITOperations.cpp:
153
154 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
155
156         Fixed pool allocation should always be aligned
157         https://bugs.webkit.org/show_bug.cgi?id=147201
158
159         Reviewed by Simon Fraser.
160         
161         Passing an unaligned size to the allocator can cause asserts or even worse things. The
162         Options reservation value isn't going to be aligned.
163
164         * jit/ExecutableAllocatorFixedVMPool.cpp:
165         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
166
167 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
168
169         Enable STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE for GCC
170         https://bugs.webkit.org/show_bug.cgi?id=146829
171
172         Reviewed by Brent Fulgham.
173
174         * heap/GCAssertions.h:
175
176 2015-07-22  Alex Christensen  <achristensen@webkit.org>
177
178         Fix quirks in CMake build on Mac and Windows
179         https://bugs.webkit.org/show_bug.cgi?id=147174
180
181         Reviewed by Gyuyoung Kim.
182
183         * PlatformMac.cmake:
184         Add JSRemoteInspector.cpp and remove semicolon from command to make it actually run.
185
186 2015-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
187
188         Add newTarget accessor to JS constructor written in C++
189         https://bugs.webkit.org/show_bug.cgi?id=147160
190
191         Reviewed by Geoffrey Garen.
192
193         This patch adds `ExecState#newTarget()` which returns `new.target` defined in ECMA262 6th.
194         It enables some C++ constructors (like Intl.XXX constructors) to leverage this to complete
195         its implementation.
196
197         When the constructor is called, |this| in the arguments is used for storing new.target instead.
198         So by adding the accessor for |this|, JS constructor written in C++ can access new.target.
199
200         And at the same time, this patch extends the existing `construct` to accept new.target value.
201         It is corresponding to the spec's Construct abstract operation.
202
203         * interpreter/CallFrame.h:
204         (JSC::ExecState::newTarget):
205         * interpreter/Interpreter.cpp:
206         (JSC::Interpreter::executeConstruct):
207         * interpreter/Interpreter.h:
208         * runtime/ConstructData.cpp:
209         (JSC::construct):
210         * runtime/ConstructData.h:
211         (JSC::construct):
212
213 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
214
215         Unreviewed, fix a lot of tests. Need to initialize WTF threading sooner.
216
217         * jsc.cpp:
218         (main):
219
220 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
221
222         Fixed VM pool allocation should have a reserve for allocations that cannot fail
223         https://bugs.webkit.org/show_bug.cgi?id=147154
224         rdar://problem/21847618
225
226         Reviewed by Geoffrey Garen.
227         
228         This adds the notion of a JIT pool reserve fraction. Some fraction, currently 1/4, of
229         the JIT pool is reserved for allocations that cannot fail. It makes sense to make this
230         a fraction rather than a constant because each allocation that can fail may cause some
231         number of allocations that cannot fail (for example, the OSR exit thunks that we
232         compile when we exit from some CodeBlock cannot fail).
233         
234         I've tested this by adding a test mode where we artificially limit the JIT pool size.
235         Prior to the fix, we had >20 failures. Now we have none.
236
237         * heap/GCLogging.cpp:
238         (WTF::printInternal): I needed a dump method on Options members when debugging this.
239         * heap/GCLogging.h:
240         * jit/ExecutableAllocator.h: Raise the ARM64 limit to 32MB because 16MB is cutting it too close.
241         * jit/ExecutableAllocatorFixedVMPool.cpp:
242         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Add the ability to artificially limit JIT pool size for testing.
243         (JSC::ExecutableAllocator::memoryPressureMultiplier): Implement the reserve when computing memory pressure for JIT tier-up heuristics.
244         (JSC::ExecutableAllocator::allocate): Implement the reserve when allocating can-fail things.
245         * jsc.cpp: Rewire some options parsing so that CommandLine happens before we create the JIT pool.
246         (main):
247         (CommandLine::parseArguments):
248         (jscmain):
249         * runtime/Options.cpp: 
250         (JSC::OptionRange::dump): I needed a dump method on Options members when debugging this.
251         (JSC::Options::initialize): This can now be called more than once.
252         * runtime/Options.h:
253
254 2015-07-21  Saam barati  <saambarati1@gmail.com>
255
256         ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier"
257         https://bugs.webkit.org/show_bug.cgi?id=147156
258
259         Reviewed by Andreas Kling.
260
261         * parser/Nodes.h:
262
263 2015-07-21  Basile Clement  <basile_clement@apple.com>
264
265         Object allocation sinking phase is performing needless HashMap copies
266         https://bugs.webkit.org/show_bug.cgi?id=147159
267
268         Reviewed by Geoffrey Garen.
269
270         The points-to analyzer in the object allocation sinking phase is
271         currently performing copies of its allocation and pointers tables in
272         several places. While this is not a huge problem since those tables are
273         usually small and we are in the FTL path anyway, we still shouldn't be
274         doing such useless copying.
275
276         This patch also removes the DFGInsertOSRHintsForUpdate files that are
277         no longer needed with the new object sinking phase and should have been
278         removed in r186795.
279
280         * CMakeLists.txt:
281         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
282         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
283         * JavaScriptCore.xcodeproj/project.pbxproj:
284         * dfg/DFGInsertOSRHintsForUpdate.cpp: Removed.
285         (JSC::DFG::insertOSRHintsForUpdate): Deleted.
286         * dfg/DFGInsertOSRHintsForUpdate.h: Removed.
287         * dfg/DFGObjectAllocationSinkingPhase.cpp:
288
289 2015-07-21  Saam barati  <saambarati1@gmail.com>
290
291         DestructuringPatternNode and DestructuringAssignmentNode should be ParserArenaFreeable
292         https://bugs.webkit.org/show_bug.cgi?id=147140
293
294         Reviewed by Geoffrey Garen.
295
296         The descendants of DestructuringPatternNode that need destruction also
297         inherit from ParserArenaDeletable.
298
299         * parser/Nodes.h:
300         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
301         (JSC::ObjectPatternNode::appendEntry):
302         (JSC::DestructuringAssignmentNode::bindings):
303
304 2015-07-21  Keith Miller  <keith_miller@apple.com>
305
306         Add support for the new.target syntax.
307         https://bugs.webkit.org/show_bug.cgi?id=147051
308
309         Reviewed by Yusuke Suzuki.
310
311         Add support for new.target. Essentially the implementation is, before constructor calls,
312         the target of a "new" is placed where "this" noramlly goes in the calling convention.
313         Then in the constructor before object is initialized we move the target of the "new"
314         into a local variable.
315
316         * bytecompiler/BytecodeGenerator.cpp:
317         (JSC::BytecodeGenerator::BytecodeGenerator):
318         * bytecompiler/NodesCodegen.cpp:
319         (JSC::NewTargetNode::emitBytecode):
320         * parser/ASTBuilder.h:
321         (JSC::ASTBuilder::newTargetExpr):
322         * parser/NodeConstructors.h:
323         (JSC::NewTargetNode::NewTargetNode):
324         * parser/Nodes.h:
325         * parser/Parser.cpp:
326         (JSC::Parser<LexerType>::parseMemberExpression):
327         * parser/SyntaxChecker.h:
328         (JSC::SyntaxChecker::newTargetExpr):
329         * runtime/CommonIdentifiers.h:
330         * tests/stress/new-target.js: Added.
331         (test):
332         (call):
333         (Constructor.subCall):
334         (Constructor.SubConstructor):
335         (Constructor):
336         (noAssign):
337         (doWeirdThings):
338         (SuperClass):
339         (SubClass):
340
341 2015-07-20  Saam barati  <saambarati1@gmail.com>
342
343         "let" scoping introduced incoherent story about symbol table cloning
344         https://bugs.webkit.org/show_bug.cgi?id=147046
345
346         Reviewed by Filip Pizlo.
347
348         This patch now establishes a clear set of rules for how SymbolTables
349         are owned by CodeBlock. Every SymbolTable that is used by a bytecode
350         instruction must live in CodeBlock's constant register pool. When CodeBlock
351         is being linked, it ensures that every SymbolTable in the constant pool is cloned. 
352         This leaves no room for an un-cloned symbol table to be used by a bytecode instruction. 
353         Some instructions may refer to SymbolTable's indirectly through a JSLexicalEnvironment. 
354         This is fine, all JSLexicalEnvironment's are allocated with references to cloned symbol tables.
355
356         Another goal of this patch is to remove the notion that a SymbolTable is 1 to 1 
357         with a CodeBlock. With lexical scoping, this view of the world is no longer
358         correct. This patch begins to remove this assumption by making CodeBlock's
359         symbolTable() getter method private. There is still one place where we need
360         to purge our codebase of this assumption and that is the type profiler. It 
361         has not been updated for lexical scoping. After it is updated in 
362         https://bugs.webkit.org/show_bug.cgi?id=145438
363         we will be able to remove CodeBlock's symbolTable() getter entirely.
364
365         * bytecode/CodeBlock.cpp:
366         (JSC::CodeBlock::CodeBlock):
367         (JSC::CodeBlock::nameForRegister):
368         * bytecode/CodeBlock.h:
369         (JSC::CodeBlock::addStringSwitchJumpTable):
370         (JSC::CodeBlock::stringSwitchJumpTable):
371         (JSC::CodeBlock::evalCodeCache):
372         (JSC::CodeBlock::symbolTable):
373         * bytecode/UnlinkedCodeBlock.cpp:
374         (JSC::UnlinkedFunctionExecutable::visitChildren):
375         (JSC::UnlinkedFunctionExecutable::link):
376         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
377         * bytecode/UnlinkedCodeBlock.h:
378         (JSC::UnlinkedCodeBlock::addExceptionHandler):
379         (JSC::UnlinkedCodeBlock::exceptionHandler):
380         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
381         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
382         (JSC::UnlinkedCodeBlock::symbolTable): Deleted.
383         (JSC::UnlinkedCodeBlock::setSymbolTable): Deleted.
384         * bytecompiler/BytecodeGenerator.cpp:
385         (JSC::BytecodeGenerator::generate):
386         (JSC::BytecodeGenerator::BytecodeGenerator):
387         (JSC::BytecodeGenerator::pushLexicalScope):
388         (JSC::BytecodeGenerator::variableForLocalEntry):
389         (JSC::BytecodeGenerator::createVariable):
390         (JSC::BytecodeGenerator::resolveType):
391         (JSC::BytecodeGenerator::emitResolveScope):
392         * bytecompiler/BytecodeGenerator.h:
393         (JSC::BytecodeGenerator::thisRegister):
394         (JSC::BytecodeGenerator::instructions):
395         (JSC::BytecodeGenerator::symbolTable): Deleted.
396         * dfg/DFGGraph.h:
397         (JSC::DFG::Graph::baselineCodeBlockFor):
398         (JSC::DFG::Graph::isStrictModeFor):
399         (JSC::DFG::Graph::symbolTableFor): Deleted.
400         * jit/AssemblyHelpers.h:
401         (JSC::AssemblyHelpers::baselineCodeBlock):
402         (JSC::AssemblyHelpers::argumentsStart):
403         (JSC::AssemblyHelpers::symbolTableFor): Deleted.
404         * runtime/CommonSlowPaths.cpp:
405         (JSC::SLOW_PATH_DECL):
406         * runtime/Executable.cpp:
407         (JSC::FunctionExecutable::visitChildren):
408         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
409         (JSC::FunctionExecutable::symbolTable): Deleted.
410         * runtime/Executable.h:
411
412 2015-07-18  Filip Pizlo  <fpizlo@apple.com>
413
414         REGRESSION(186691): OSR entry is broken on loop headers that have no live variables
415         https://bugs.webkit.org/show_bug.cgi?id=147074
416         rdar://problem/21869970
417
418         Reviewed by Michael Saboff.
419         
420         The OSR entry must-handle block/value widening introduced in r186691 would cause the
421         CFA to reexecute if it caused any live local variables to change value. But this fails
422         if the must-handle block has no live local variables, and the entry block otherwise
423         appears to be unreachable.
424         
425         This fixes the bug by having the change detection include whether the block hadn't been
426         visited in addition to whether any local variable values got widened.
427         
428         This is a ~4% speed-up on SunSpider in browser.
429
430         * dfg/DFGCFAPhase.cpp:
431         (JSC::DFG::CFAPhase::run):
432
433 2015-07-20  Mark Lam  <mark.lam@apple.com>
434
435         Rollout r187020 and r187021: breaks JSC API tests on debug builds.
436         https://bugs.webkit.org/show_bug.cgi?id=147110
437
438         * heap/MachineStackMarker.cpp:
439         (JSC::MachineThreads::addCurrentThread):
440         * runtime/JSLock.cpp:
441         (JSC::JSLockHolder::~JSLockHolder):
442         (JSC::JSLock::JSLock):
443         (JSC::JSLock::willDestroyVM):
444         (JSC::JSLock::setExclusiveThread):
445         (JSC::JSLock::lock):
446         (JSC::JSLock::unlock):
447         (JSC::JSLock::currentThreadIsHoldingLock):
448         (JSC::JSLock::dropAllLocks):
449         * runtime/JSLock.h:
450         (JSC::JSLock::vm):
451         (JSC::JSLock::hasExclusiveThread):
452         (JSC::JSLock::exclusiveThread):
453         * runtime/VM.h:
454         (JSC::VM::hasExclusiveThread):
455         (JSC::VM::exclusiveThread):
456         (JSC::VM::setExclusiveThread):
457
458 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
459
460         Unreviewed debug build fix after r187020.
461
462         * heap/MachineStackMarker.cpp:
463         (JSC::MachineThreads::addCurrentThread):
464         VM::exclusiveThread() has changed return type to ThreadIdentifier.
465
466 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
467
468         JavaScriptCore performance is very bad on Windows
469         https://bugs.webkit.org/show_bug.cgi?id=146448
470
471         Reviewed by Mark Lam.
472
473         Profiling shows that std::this_thread::get_id() is slow on Windows.
474         Use WTF::currentThread() instead, which calls GetCurrentThreadId().
475         This is faster on Windows. The issue has been reported to Microsoft,
476         https://connect.microsoft.com/VisualStudio/feedback/details/1558211.
477
478         * runtime/JSLock.cpp:
479         (JSC::JSLockHolder::~JSLockHolder):
480         (JSC::JSLock::JSLock):
481         (JSC::JSLock::willDestroyVM):
482         (JSC::JSLock::setExclusiveThread):
483         (JSC::JSLock::lock):
484         (JSC::JSLock::unlock):
485         (JSC::JSLock::currentThreadIsHoldingLock):
486         * runtime/JSLock.h:
487         (JSC::JSLock::vm):
488         (JSC::JSLock::hasExclusiveThread):
489         (JSC::JSLock::exclusiveThread):
490         * runtime/VM.h:
491         (JSC::VM::hasExclusiveThread):
492         (JSC::VM::exclusiveThread):
493         (JSC::VM::setExclusiveThread):
494
495 2015-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
496
497         In strict mode, `Object.keys(arguments)` includes "length"
498         https://bugs.webkit.org/show_bug.cgi?id=147071
499
500         Reviewed by Darin Adler.
501
502         ClonedAguments didn't set the "length" with DontEnum.
503
504         * runtime/ClonedArguments.cpp:
505         (JSC::ClonedArguments::createWithInlineFrame):
506         (JSC::ClonedArguments::createByCopyingFrom):
507         * tests/stress/arguments-length-always-dont-enum.js: Added.
508         (shouldBe):
509         (argsSloppy):
510         (argsStrict):
511
512 2015-07-19  Jordan Harband  <ljharb@gmail.com>
513
514         new Date(NaN).toJSON() must return null instead of throwing a TypeError
515         https://bugs.webkit.org/show_bug.cgi?id=141115
516
517         Reviewed by Yusuke Suzuki.
518
519         * runtime/DatePrototype.cpp:
520         (JSC::dateProtoFuncToJSON):
521
522 2015-07-19  Saam barati  <saambarati1@gmail.com>
523
524         Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions
525         https://bugs.webkit.org/show_bug.cgi?id=147090
526
527         Reviewed by Yusuke Suzuki.
528
529         ArrowFunction's have there ParserFunctionInfo "name" field to 
530         be a non-null pointer. This is obviously allowed and valid except we 
531         had a RELEASE_ASSERT that claimed otherwise. This is a mistake. 
532
533         Note: ArrowFunction's will never actually have a function name;
534         there ParserFunctionInfo "name" field will be the empty string. 
535         This is not be mistaken with the name field being a null pointer.
536
537         * parser/Parser.cpp:
538         (JSC::Parser<LexerType>::parseFunctionInfo):
539
540 2015-07-18  Saam barati  <saambarati1@gmail.com>
541
542         [ES6] Add support for block scope const
543         https://bugs.webkit.org/show_bug.cgi?id=31813
544
545         Reviewed by Filip Pizlo.
546
547         'const' is now implemented in an ES6 spec compliant manner.
548         'const' variables are always block scoped and always live
549         either on the stack or in a JSLexicalEnvironment. 'const'
550         variables never live on the global object.
551
552         Inside the BytecodeGenerator, when assigning to a stack
553         'const' variable or a LocalClosureVar 'const' variable,
554         we will emit code that just throws a type error.
555         When assigning to a ClosureVar const variable, CodeBlock linking
556         will ensure that we perform a dynamic lookup of that variable so
557         that put_to_scope's slow path throws a type error.
558
559         The old 'const' implementation has been removed in this patch.
560
561         * bytecode/BytecodeList.json:
562         * bytecode/BytecodeUseDef.h:
563         (JSC::computeUsesForBytecodeOffset):
564         (JSC::computeDefsForBytecodeOffset):
565         * bytecode/CodeBlock.cpp:
566         (JSC::CodeBlock::dumpBytecode):
567         (JSC::CodeBlock::CodeBlock):
568         * bytecompiler/BytecodeGenerator.cpp:
569         (JSC::BytecodeGenerator::BytecodeGenerator):
570         (JSC::BytecodeGenerator::pushLexicalScope):
571         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
572         (JSC::BytecodeGenerator::variable):
573         (JSC::BytecodeGenerator::variableForLocalEntry):
574         (JSC::BytecodeGenerator::createVariable):
575         (JSC::BytecodeGenerator::emitResolveScope):
576         (JSC::BytecodeGenerator::emitInstanceOf):
577         (JSC::BytecodeGenerator::emitGetById):
578         (JSC::BytecodeGenerator::isArgumentNumber):
579         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
580         (JSC::BytecodeGenerator::emitEnumeration):
581         (JSC::BytecodeGenerator::variablePerSymbolTable): Deleted.
582         (JSC::BytecodeGenerator::emitInitGlobalConst): Deleted.
583         * bytecompiler/BytecodeGenerator.h:
584         (JSC::Variable::Variable):
585         (JSC::Variable::isReadOnly):
586         (JSC::Variable::isSpecial):
587         (JSC::Variable::isConst):
588         (JSC::BytecodeGenerator::thisRegister):
589         (JSC::BytecodeGenerator::emitTypeOf):
590         (JSC::BytecodeGenerator::emitIn):
591         * bytecompiler/NodesCodegen.cpp:
592         (JSC::PostfixNode::emitResolve):
593         (JSC::PrefixNode::emitResolve):
594         (JSC::ReadModifyResolveNode::emitBytecode):
595         (JSC::AssignResolveNode::emitBytecode):
596         (JSC::CommaNode::emitBytecode):
597         (JSC::BindingNode::bindValue):
598         (JSC::ConstDeclNode::emitCodeSingle): Deleted.
599         (JSC::ConstDeclNode::emitBytecode): Deleted.
600         (JSC::ConstStatementNode::emitBytecode): Deleted.
601         * dfg/DFGByteCodeParser.cpp:
602         (JSC::DFG::ByteCodeParser::parseBlock):
603         * dfg/DFGCapabilities.cpp:
604         (JSC::DFG::capabilityLevel):
605         * jit/JIT.cpp:
606         (JSC::JIT::privateCompileMainPass):
607         * jit/JIT.h:
608         * jit/JITPropertyAccess.cpp:
609         (JSC::JIT::emit_op_put_to_arguments):
610         (JSC::JIT::emit_op_init_global_const): Deleted.
611         * jit/JITPropertyAccess32_64.cpp:
612         (JSC::JIT::emit_op_put_to_arguments):
613         (JSC::JIT::emit_op_init_global_const): Deleted.
614         * llint/LowLevelInterpreter.asm:
615         * llint/LowLevelInterpreter32_64.asm:
616         * llint/LowLevelInterpreter64.asm:
617         * parser/ASTBuilder.h:
618         (JSC::ASTBuilder::createDeclarationStatement):
619         (JSC::ASTBuilder::createEmptyVarExpression):
620         (JSC::ASTBuilder::createDebugger):
621         (JSC::ASTBuilder::appendStatement):
622         (JSC::ASTBuilder::createVarStatement): Deleted.
623         (JSC::ASTBuilder::createLetStatement): Deleted.
624         (JSC::ASTBuilder::createConstStatement): Deleted.
625         (JSC::ASTBuilder::appendConstDecl): Deleted.
626         * parser/NodeConstructors.h:
627         (JSC::CommaNode::CommaNode):
628         (JSC::SourceElements::SourceElements):
629         (JSC::SwitchNode::SwitchNode):
630         (JSC::BlockNode::BlockNode):
631         (JSC::ConstStatementNode::ConstStatementNode): Deleted.
632         (JSC::ConstDeclNode::ConstDeclNode): Deleted.
633         * parser/Nodes.h:
634         (JSC::ConstDeclNode::hasInitializer): Deleted.
635         (JSC::ConstDeclNode::ident): Deleted.
636         * parser/Parser.cpp:
637         (JSC::Parser<LexerType>::parseStatementListItem):
638         (JSC::Parser<LexerType>::parseVariableDeclaration):
639         (JSC::Parser<LexerType>::parseWhileStatement):
640         (JSC::Parser<LexerType>::parseVariableDeclarationList):
641         (JSC::Parser<LexerType>::createBindingPattern):
642         (JSC::Parser<LexerType>::parseDestructuringPattern):
643         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
644         (JSC::Parser<LexerType>::parseForStatement):
645         (JSC::Parser<LexerType>::parseTryStatement):
646         (JSC::Parser<LexerType>::parseFunctionInfo):
647         (JSC::Parser<LexerType>::parseFunctionDeclaration):
648         (JSC::Parser<LexerType>::parseClass):
649         (JSC::Parser<LexerType>::parseConstDeclaration): Deleted.
650         (JSC::Parser<LexerType>::parseConstDeclarationList): Deleted.
651         * parser/Parser.h:
652         (JSC::isEvalNode):
653         (JSC::isEvalNode<EvalNode>):
654         (JSC::isArguments):
655         (JSC::isEval):
656         (JSC::isEvalOrArgumentsIdentifier):
657         (JSC::Scope::Scope):
658         (JSC::Scope::declareCallee):
659         (JSC::Scope::declareVariable):
660         (JSC::Scope::declareLexicalVariable):
661         (JSC::Scope::hasDeclaredVariable):
662         (JSC::Scope::allowsVarDeclarations):
663         (JSC::Scope::allowsLexicalDeclarations):
664         (JSC::Scope::declareParameter):
665         (JSC::Scope::declareBoundParameter):
666         (JSC::Parser::destructuringKindFromDeclarationType):
667         (JSC::Parser::assignmentContextFromDeclarationType):
668         (JSC::Parser::isEvalOrArguments):
669         (JSC::Parser::currentScope):
670         (JSC::Parser::popScope):
671         (JSC::Parser::declareVariable):
672         (JSC::Parser::hasDeclaredVariable):
673         (JSC::Parser::setStrictMode):
674         (JSC::Parser::strictMode):
675         (JSC::Parser::isValidStrictMode):
676         (JSC::Parser::declareParameter):
677         (JSC::Parser::declareBoundParameter):
678         (JSC::Parser::breakIsValid):
679         * parser/SyntaxChecker.h:
680         (JSC::SyntaxChecker::createForInLoop):
681         (JSC::SyntaxChecker::createForOfLoop):
682         (JSC::SyntaxChecker::createEmptyStatement):
683         (JSC::SyntaxChecker::createDeclarationStatement):
684         (JSC::SyntaxChecker::createReturnStatement):
685         (JSC::SyntaxChecker::createBreakStatement):
686         (JSC::SyntaxChecker::createVarStatement): Deleted.
687         (JSC::SyntaxChecker::createLetStatement): Deleted.
688         * parser/VariableEnvironment.h:
689         (JSC::VariableEnvironmentEntry::isCaptured):
690         (JSC::VariableEnvironmentEntry::isConst):
691         (JSC::VariableEnvironmentEntry::isVar):
692         (JSC::VariableEnvironmentEntry::isLet):
693         (JSC::VariableEnvironmentEntry::setIsCaptured):
694         (JSC::VariableEnvironmentEntry::setIsConst):
695         (JSC::VariableEnvironmentEntry::setIsVar):
696         (JSC::VariableEnvironmentEntry::setIsLet):
697         (JSC::VariableEnvironmentEntry::isConstant): Deleted.
698         (JSC::VariableEnvironmentEntry::setIsConstant): Deleted.
699         * runtime/Executable.cpp:
700         (JSC::ProgramExecutable::initializeGlobalProperties):
701         * runtime/JSGlobalObject.cpp:
702         (JSC::JSGlobalObject::defineOwnProperty):
703         (JSC::JSGlobalObject::addGlobalVar):
704         (JSC::JSGlobalObject::addFunction):
705         (JSC::lastInPrototypeChain):
706         * runtime/JSGlobalObject.h:
707         (JSC::JSGlobalObject::finishCreation):
708         (JSC::JSGlobalObject::addVar):
709         (JSC::JSGlobalObject::addConst): Deleted.
710         * runtime/JSLexicalEnvironment.cpp:
711         (JSC::JSLexicalEnvironment::symbolTablePut):
712         * tests/stress/const-and-with-statement.js: Added.
713         (truth):
714         (assert):
715         (shouldThrowInvalidConstAssignment):
716         (.):
717         * tests/stress/const-exception-handling.js: Added.
718         (truth):
719         (assert):
720         (.):
721         * tests/stress/const-loop-semantics.js: Added.
722         (truth):
723         (assert):
724         (shouldThrowInvalidConstAssignment):
725         (.):
726         * tests/stress/const-not-strict-mode.js: Added.
727         (truth):
728         (assert):
729         (shouldThrowTDZ):
730         (.):
731         * tests/stress/const-semantics.js: Added.
732         (truth):
733         (assert):
734         (shouldThrowInvalidConstAssignment):
735         (.):
736         * tests/stress/const-tdz.js: Added.
737         (truth):
738         (assert):
739         (shouldThrowTDZ):
740         (.):
741
742 2015-07-18  Saam barati  <saambarati1@gmail.com>
743
744         lexical scoping is broken with respect to "break" and "continue"
745         https://bugs.webkit.org/show_bug.cgi?id=147063
746
747         Reviewed by Filip Pizlo.
748
749         Bug #142944 which introduced "let" and lexical scoping
750         didn't properly hook into the bytecode generator's machinery
751         for calculating scope depth deltas for "break" and "continue". This
752         resulted in the bytecode generator popping an incorrect number
753         of scopes when lexical scopes were involved.
754
755         This patch fixes this problem and generalizes this machinery a bit.
756         This patch also renames old functions in a sensible way that is more
757         coherent in a world with lexical scoping.
758
759         * bytecompiler/BytecodeGenerator.cpp:
760         (JSC::BytecodeGenerator::BytecodeGenerator):
761         (JSC::BytecodeGenerator::newLabelScope):
762         (JSC::BytecodeGenerator::emitProfileType):
763         (JSC::BytecodeGenerator::pushLexicalScope):
764         (JSC::BytecodeGenerator::popLexicalScope):
765         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
766         (JSC::BytecodeGenerator::resolveType):
767         (JSC::BytecodeGenerator::emitResolveScope):
768         (JSC::BytecodeGenerator::emitGetFromScope):
769         (JSC::BytecodeGenerator::emitPutToScope):
770         (JSC::BytecodeGenerator::emitPushWithScope):
771         (JSC::BytecodeGenerator::emitGetParentScope):
772         (JSC::BytecodeGenerator::emitPopScope):
773         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
774         (JSC::BytecodeGenerator::emitPopScopes):
775         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
776         (JSC::BytecodeGenerator::localScopeDepth):
777         (JSC::BytecodeGenerator::labelScopeDepth):
778         (JSC::BytecodeGenerator::emitThrowReferenceError):
779         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
780         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
781         (JSC::BytecodeGenerator::popScopedControlFlowContext):
782         (JSC::BytecodeGenerator::emitPushCatchScope):
783         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
784         * bytecompiler/BytecodeGenerator.h:
785         (JSC::BytecodeGenerator::hasFinaliser):
786         (JSC::BytecodeGenerator::scopeDepth): Deleted.
787         * bytecompiler/NodesCodegen.cpp:
788         (JSC::ContinueNode::trivialTarget):
789         (JSC::BreakNode::trivialTarget):
790         (JSC::ReturnNode::emitBytecode):
791         (JSC::WithNode::emitBytecode):
792         (JSC::TryNode::emitBytecode):
793         * tests/stress/lexical-scoping-break-continue.js: Added.
794         (assert):
795         (.):
796
797 2015-07-18  Commit Queue  <commit-queue@webkit.org>
798
799         Unreviewed, rolling out r186996.
800         https://bugs.webkit.org/show_bug.cgi?id=147070
801
802         Broke JSC tests (Requested by smfr on #webkit).
803
804         Reverted changeset:
805
806         "lexical scoping is broken with respect to "break" and
807         "continue""
808         https://bugs.webkit.org/show_bug.cgi?id=147063
809         http://trac.webkit.org/changeset/186996
810
811 2015-07-18  Saam barati  <saambarati1@gmail.com>
812
813         lexical scoping is broken with respect to "break" and "continue"
814         https://bugs.webkit.org/show_bug.cgi?id=147063
815
816         Reviewed by Filip Pizlo.
817
818         Bug #142944 which introduced "let" and lexical scoping
819         didn't properly hook into the bytecode generator's machinery
820         for calculating scope depth deltas for "break" and "continue". This
821         resulted in the bytecode generator popping an incorrect number
822         of scopes when lexical scopes were involved.
823
824         This patch fixes this problem and generalizes this machinery a bit.
825         This patch also renames old functions in a sensible way that is more
826         coherent in a world with lexical scoping.
827
828         * bytecompiler/BytecodeGenerator.cpp:
829         (JSC::BytecodeGenerator::BytecodeGenerator):
830         (JSC::BytecodeGenerator::newLabelScope):
831         (JSC::BytecodeGenerator::emitProfileType):
832         (JSC::BytecodeGenerator::pushLexicalScope):
833         (JSC::BytecodeGenerator::popLexicalScope):
834         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
835         (JSC::BytecodeGenerator::resolveType):
836         (JSC::BytecodeGenerator::emitResolveScope):
837         (JSC::BytecodeGenerator::emitGetFromScope):
838         (JSC::BytecodeGenerator::emitPutToScope):
839         (JSC::BytecodeGenerator::emitPushWithScope):
840         (JSC::BytecodeGenerator::emitGetParentScope):
841         (JSC::BytecodeGenerator::emitPopScope):
842         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
843         (JSC::BytecodeGenerator::emitPopScopes):
844         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
845         (JSC::BytecodeGenerator::localScopeDepth):
846         (JSC::BytecodeGenerator::labelScopeDepth):
847         (JSC::BytecodeGenerator::emitThrowReferenceError):
848         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
849         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
850         (JSC::BytecodeGenerator::popScopedControlFlowContext):
851         (JSC::BytecodeGenerator::emitPushCatchScope):
852         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
853         * bytecompiler/BytecodeGenerator.h:
854         (JSC::BytecodeGenerator::hasFinaliser):
855         (JSC::BytecodeGenerator::scopeDepth): Deleted.
856         * bytecompiler/NodesCodegen.cpp:
857         (JSC::ContinueNode::trivialTarget):
858         (JSC::BreakNode::trivialTarget):
859         (JSC::ReturnNode::emitBytecode):
860         (JSC::WithNode::emitBytecode):
861         (JSC::TryNode::emitBytecode):
862         * tests/stress/lexical-scoping-break-continue.js: Added.
863         (assert):
864         (.):
865
866 2015-07-17  Filip Pizlo  <fpizlo@apple.com>
867
868         DFG should have some obvious mitigations against watching structures that are unprofitable to watch
869         https://bugs.webkit.org/show_bug.cgi?id=147034
870
871         Reviewed by Mark Lam and Michael Saboff.
872         
873         This implements two guards against the DFG watching structures that are likely to fire
874         their watchpoints:
875         
876         - Don't watch dictionaries or any structure that had a dictionary in its past. Dictionaries
877           can be flattened, and then they can transform back to dictionaries.
878         
879         - Don't watch structures whose past structures were transitioned-away from while their
880           transition watchpoints were being watched. This property gives us monotonicity: if we
881           recompile because we watched structure S1 of object O, then we won't make the same mistake
882           again when object O has structure S2, S3, and so on.
883         
884         This is a 1.5% speed-up on Kraken. It does penalize some Octane tests, but it also seems to
885         help some of them, so on Octane it's basically neutral.
886
887         * bytecode/Watchpoint.h:
888         (JSC::WatchpointSet::invalidate):
889         (JSC::WatchpointSet::isBeingWatched):
890         (JSC::WatchpointSet::addressOfState):
891         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
892         (JSC::InlineWatchpointSet::touch):
893         (JSC::InlineWatchpointSet::isBeingWatched):
894         * runtime/JSGlobalObject.h:
895         (JSC::JSGlobalObject::createStructure):
896         (JSC::JSGlobalObject::registerWeakMap):
897         * runtime/Structure.cpp:
898         (JSC::Structure::Structure):
899         (JSC::Structure::toDictionaryTransition):
900         (JSC::Structure::didTransitionFromThisStructure):
901         * runtime/Structure.h:
902
903 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
904
905         Remove DFG::DesiredWriteBarriers because it's just a very difficult way of saying "please barrier the machine code block owner"
906         https://bugs.webkit.org/show_bug.cgi?id=147030
907
908         Reviewed by Andreas Kling.
909         
910         All of the users of DesiredWriteBarriers were just using it to request that Plan
911         finalization executes a barrier on codeBlock->ownerExecutable. Indeed, that's the only
912         owning cell in the heap that compilation affects. So, we might as well just have Plan
913         unconditionally execute that barrier and then we don't need DesiredWriteBarriers at
914         all.
915
916         * CMakeLists.txt:
917         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
918         * JavaScriptCore.xcodeproj/project.pbxproj:
919         * dfg/DFGByteCodeParser.cpp:
920         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
921         * dfg/DFGDesiredWriteBarriers.cpp: Removed.
922         * dfg/DFGDesiredWriteBarriers.h: Removed.
923         * dfg/DFGGraph.cpp:
924         (JSC::DFG::Graph::registerFrozenValues):
925         * dfg/DFGPlan.cpp:
926         (JSC::DFG::Plan::reallyAdd):
927         (JSC::DFG::Plan::notifyCompiling):
928         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
929         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
930         (JSC::DFG::Plan::cancel):
931         * dfg/DFGPlan.h:
932
933 2015-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
934
935         Integrate automatic microtask draining into JSC framework and re-enable Promise
936         https://bugs.webkit.org/show_bug.cgi?id=146828
937
938         Reviewed by Sam Weinig.
939
940         Add automatic microtask draining system into JSC framework.
941         When the depth of VM lock becomes 0, before this, we drain the queued microtasks.
942         Enqueuing behavior can be injected by the JSGlobalObject's method table.
943         It is utilized in WebCore to post the microtask to WebCore's event loop.
944
945         In the case of JSC interactive shell, VM depth is always greater than 0.
946         So we manually drains the queued microtasks after evaluating the written line.
947
948         Since now JSC framework has the microtask queue, we can drain the queued microtasks.
949         So re-enable the Promise in the JSC framework context.
950
951         * API/JSContextRef.cpp:
952         (javaScriptRuntimeFlags): Deleted.
953         * API/tests/testapi.c:
954         (main):
955         * API/tests/testapi.mm:
956         (testObjectiveCAPIMain):
957         * jsc.cpp:
958         (runInteractive):
959         * runtime/JSGlobalObject.cpp:
960         (JSC::JSGlobalObject::queueMicrotask):
961         * runtime/JSLock.cpp:
962         (JSC::JSLock::willReleaseLock):
963         * runtime/VM.cpp:
964         (JSC::VM::queueMicrotask):
965         (JSC::VM::drainMicrotasks):
966         (JSC::QueuedTask::run):
967         * runtime/VM.h:
968         (JSC::QueuedTask::QueuedTask):
969
970 2015-07-17  Saam barati  <saambarati1@gmail.com>
971
972         Function parameters should be parsed in the same parser arena as the function body
973         https://bugs.webkit.org/show_bug.cgi?id=145995
974
975         Reviewed by Yusuke Suzuki.
976
977         This patch changes how functions are parsed in JSC. A function's
978         parameters are now parsed in the same arena as the function itself.
979         This allows us to arena allocate all destructuring AST nodes and
980         the FunctionParameters node. This will help make implementing ES6
981         default parameter values sane.
982
983         A source code that represents a function now includes the text of the function's 
984         parameters. The starting offset is at the opening parenthesis of the parameter
985         list or at the starting character of the identifier for arrow functions that
986         have single arguments and don't start with parenthesis.
987
988         For example:
989
990         "function (param1, param2) { ... }"
991                                    ^
992                                    | This offset used to be the starting offset of a function's SourceCode
993                   ^
994                   | This is the new starting offset for a function's SourceCode.
995
996         This requires us to change how some offsets are calculated
997         and also requires us to report some different line numbers for internal
998         metrics that use a SourceCode's starting line and column numbers.
999
1000         This patch also does a bit of cleanup with regards to how
1001         functions are parsed in general (especially arrow functions).
1002         It removes some unnecessary #ifdefs and the likes for arrow
1003         to make things clearer and more deliberate.
1004
1005         * API/JSScriptRef.cpp:
1006         (parseScript):
1007         * builtins/BuiltinExecutables.cpp:
1008         (JSC::BuiltinExecutables::createExecutableInternal):
1009         * bytecode/UnlinkedCodeBlock.cpp:
1010         (JSC::generateFunctionCodeBlock):
1011         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1012         (JSC::UnlinkedFunctionExecutable::visitChildren):
1013         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
1014         * bytecode/UnlinkedCodeBlock.h:
1015         * bytecompiler/NodesCodegen.cpp:
1016         (JSC::DestructuringAssignmentNode::emitBytecode):
1017         (JSC::assignDefaultValueIfUndefined):
1018         (JSC::ArrayPatternNode::collectBoundIdentifiers):
1019         (JSC::DestructuringPatternNode::~DestructuringPatternNode): Deleted.
1020         * parser/ASTBuilder.h:
1021         (JSC::ASTBuilder::createClassExpr):
1022         (JSC::ASTBuilder::createFunctionExpr):
1023         (JSC::ASTBuilder::createFunctionBody):
1024         (JSC::ASTBuilder::createArrowFunctionExpr):
1025         (JSC::ASTBuilder::createGetterOrSetterProperty):
1026         (JSC::ASTBuilder::createElementList):
1027         (JSC::ASTBuilder::createFormalParameterList):
1028         (JSC::ASTBuilder::appendParameter):
1029         (JSC::ASTBuilder::createClause):
1030         (JSC::ASTBuilder::createClauseList):
1031         (JSC::ASTBuilder::createFuncDeclStatement):
1032         (JSC::ASTBuilder::createForInLoop):
1033         (JSC::ASTBuilder::createForOfLoop):
1034         (JSC::ASTBuilder::isResolve):
1035         (JSC::ASTBuilder::createDestructuringAssignment):
1036         (JSC::ASTBuilder::createArrayPattern):
1037         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
1038         (JSC::ASTBuilder::appendArrayPatternEntry):
1039         (JSC::ASTBuilder::appendArrayPatternRestEntry):
1040         (JSC::ASTBuilder::finishArrayPattern):
1041         (JSC::ASTBuilder::createObjectPattern):
1042         (JSC::ASTBuilder::appendObjectPatternEntry):
1043         (JSC::ASTBuilder::createBindingLocation):
1044         (JSC::ASTBuilder::setEndOffset):
1045         * parser/Lexer.cpp:
1046         (JSC::Lexer<T>::Lexer):
1047         (JSC::Lexer<T>::nextTokenIsColon):
1048         (JSC::Lexer<T>::setTokenPosition):
1049         (JSC::Lexer<T>::lex):
1050         (JSC::Lexer<T>::clear):
1051         * parser/Lexer.h:
1052         (JSC::Lexer::setIsReparsingFunction):
1053         (JSC::Lexer::isReparsingFunction):
1054         (JSC::Lexer::lineNumber):
1055         (JSC::Lexer::setIsReparsing): Deleted.
1056         (JSC::Lexer::isReparsing): Deleted.
1057         * parser/NodeConstructors.h:
1058         (JSC::TryNode::TryNode):
1059         (JSC::FunctionParameters::FunctionParameters):
1060         (JSC::FuncExprNode::FuncExprNode):
1061         (JSC::FuncDeclNode::FuncDeclNode):
1062         (JSC::ArrayPatternNode::ArrayPatternNode):
1063         (JSC::ObjectPatternNode::ObjectPatternNode):
1064         (JSC::BindingNode::BindingNode):
1065         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
1066         (JSC::ParameterNode::ParameterNode): Deleted.
1067         (JSC::ArrayPatternNode::create): Deleted.
1068         (JSC::ObjectPatternNode::create): Deleted.
1069         (JSC::BindingNode::create): Deleted.
1070         * parser/Nodes.cpp:
1071         (JSC::ProgramNode::ProgramNode):
1072         (JSC::EvalNode::EvalNode):
1073         (JSC::FunctionBodyNode::FunctionBodyNode):
1074         (JSC::FunctionBodyNode::finishParsing):
1075         (JSC::FunctionNode::FunctionNode):
1076         (JSC::FunctionNode::finishParsing):
1077         (JSC::FunctionParameters::create): Deleted.
1078         (JSC::FunctionParameters::FunctionParameters): Deleted.
1079         (JSC::FunctionParameters::~FunctionParameters): Deleted.
1080         * parser/Nodes.h:
1081         (JSC::ProgramNode::startColumn):
1082         (JSC::ProgramNode::endColumn):
1083         (JSC::EvalNode::startColumn):
1084         (JSC::EvalNode::endColumn):
1085         (JSC::FunctionParameters::size):
1086         (JSC::FunctionParameters::at):
1087         (JSC::FunctionParameters::append):
1088         (JSC::FuncExprNode::body):
1089         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
1090         (JSC::DestructuringPatternNode::isBindingNode):
1091         (JSC::DestructuringPatternNode::emitDirectBinding):
1092         (JSC::ArrayPatternNode::appendIndex):
1093         (JSC::ObjectPatternNode::appendEntry):
1094         (JSC::BindingNode::boundProperty):
1095         (JSC::BindingNode::divotStart):
1096         (JSC::BindingNode::divotEnd):
1097         (JSC::DestructuringAssignmentNode::bindings):
1098         (JSC::FuncDeclNode::body):
1099         (JSC::ParameterNode::pattern): Deleted.
1100         (JSC::ParameterNode::nextParam): Deleted.
1101         (JSC::FunctionParameters::patterns): Deleted.
1102         * parser/Parser.cpp:
1103         (JSC::Parser<LexerType>::Parser):
1104         (JSC::Parser<LexerType>::~Parser):
1105         (JSC::Parser<LexerType>::parseInner):
1106         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
1107         (JSC::Parser<LexerType>::parseSourceElements):
1108         (JSC::Parser<LexerType>::createBindingPattern):
1109         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
1110         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
1111         (JSC::Parser<LexerType>::parseSwitchClauses):
1112         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
1113         (JSC::Parser<LexerType>::parseBlockStatement):
1114         (JSC::Parser<LexerType>::parseStatement):
1115         (JSC::Parser<LexerType>::parseFormalParameters):
1116         (JSC::Parser<LexerType>::parseFunctionBody):
1117         (JSC::stringForFunctionMode):
1118         (JSC::Parser<LexerType>::parseFunctionParameters):
1119         (JSC::Parser<LexerType>::parseFunctionInfo):
1120         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1121         (JSC::Parser<LexerType>::parseClass):
1122         (JSC::Parser<LexerType>::parsePrimaryExpression):
1123         (JSC::Parser<LexerType>::parseMemberExpression):
1124         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1125         (JSC::operatorString):
1126         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody): Deleted.
1127         * parser/Parser.h:
1128         (JSC::Parser::positionBeforeLastNewline):
1129         (JSC::Parser::locationBeforeLastToken):
1130         (JSC::Parser::findCachedFunctionInfo):
1131         (JSC::Parser::isofToken):
1132         (JSC::Parser::isEndOfArrowFunction):
1133         (JSC::Parser::isArrowFunctionParamters):
1134         (JSC::Parser::tokenStart):
1135         (JSC::Parser::isLETMaskedAsIDENT):
1136         (JSC::Parser::autoSemiColon):
1137         (JSC::Parser::setEndOfStatement):
1138         (JSC::Parser::canRecurse):
1139         (JSC::Parser<LexerType>::parse):
1140         (JSC::parse):
1141         * parser/ParserFunctionInfo.h:
1142         * parser/ParserModes.h:
1143         (JSC::functionNameIsInScope):
1144         * parser/SourceCode.h:
1145         (JSC::makeSource):
1146         (JSC::SourceCode::subExpression):
1147         (JSC::SourceCode::subArrowExpression): Deleted.
1148         * parser/SourceProviderCache.h:
1149         (JSC::SourceProviderCache::get):
1150         * parser/SourceProviderCacheItem.h:
1151         (JSC::SourceProviderCacheItem::endFunctionToken):
1152         (JSC::SourceProviderCacheItem::usedVariables):
1153         (JSC::SourceProviderCacheItem::writtenVariables):
1154         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1155         * parser/SyntaxChecker.h:
1156         (JSC::SyntaxChecker::SyntaxChecker):
1157         (JSC::SyntaxChecker::createClassExpr):
1158         (JSC::SyntaxChecker::createFunctionExpr):
1159         (JSC::SyntaxChecker::createFunctionBody):
1160         (JSC::SyntaxChecker::createArrowFunctionExpr):
1161         (JSC::SyntaxChecker::setFunctionNameStart):
1162         (JSC::SyntaxChecker::createArguments):
1163         (JSC::SyntaxChecker::createPropertyList):
1164         (JSC::SyntaxChecker::createElementList):
1165         (JSC::SyntaxChecker::createFormalParameterList):
1166         (JSC::SyntaxChecker::appendParameter):
1167         (JSC::SyntaxChecker::createClause):
1168         (JSC::SyntaxChecker::createClauseList):
1169         * runtime/CodeCache.cpp:
1170         (JSC::CodeCache::getGlobalCodeBlock):
1171         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1172         * runtime/Completion.cpp:
1173         (JSC::checkSyntax):
1174         * runtime/Executable.cpp:
1175         (JSC::ProgramExecutable::checkSyntax):
1176         * tests/controlFlowProfiler/conditional-expression.js:
1177         (testConditionalFunctionCall):
1178
1179 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
1180
1181         Unreviewed, fix build for newer LLVMs.
1182
1183         * llvm/LLVMHeaders.h:
1184         * llvm/library/LLVMExports.cpp:
1185
1186 2015-07-16  Mark Lam  <mark.lam@apple.com>
1187
1188         RegExp::match() should set m_state to ByteCode if compilation fails.
1189         https://bugs.webkit.org/show_bug.cgi?id=147023
1190
1191         Reviewed by Michael Saboff.
1192
1193         A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
1194         If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
1195         Subsequently, if RegExp tries to compile another one of these but fails, m_state
1196         will be left untouched i.e. it still says JITCode.  As a result, when
1197         RegExp::match() later tries to execute the non-existant compiled code, it will
1198         crash.
1199
1200         The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
1201         This failure should be rare.  We'll do the minimal work here to fix the issue and
1202         keep an eye on the perf bots.  If perf regresses, we can do some optimization work then.
1203
1204         This issue is difficult to test for since it either requires a low memory condition
1205         to trigger a failed RegExp compilation at the right moment, or for the RegExp to
1206         succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
1207         Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
1208         10 compilation attempts.
1209
1210         * runtime/RegExp.cpp:
1211         (JSC::RegExp::compile):
1212         (JSC::RegExp::compileMatchOnly):
1213
1214 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
1215
1216         [Win] Fix armv7 build.
1217
1218         * jit/CCallHelpers.h:
1219         (JSC::CCallHelpers::setupArgumentsWithExecState): The 64-bit argument
1220         version of poke is not available on armv7 builds.
1221
1222 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
1223
1224         [Win] 64-bit Build Failure
1225         https://bugs.webkit.org/show_bug.cgi?id=146989
1226
1227         Reviewed by Mark Lam.
1228
1229         * jit/CCallHelpers.h:
1230         (JSC::CCallHelpers::setupArgumentsWithExecState): Add missing
1231         declaration for 64-bit type on 4-argument register machines (like
1232         Windows).
1233
1234 2015-07-15  Saam barati  <saambarati1@gmail.com>
1235
1236         [ES6] implement block scoping to enable 'let'
1237         https://bugs.webkit.org/show_bug.cgi?id=142944
1238
1239         Reviewed by Filip Pizlo.
1240
1241         * CMakeLists.txt:
1242         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1243         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1244         * JavaScriptCore.xcodeproj/project.pbxproj:
1245         * builtins/BuiltinExecutables.cpp:
1246         (JSC::BuiltinExecutables::createExecutableInternal):
1247         * bytecode/BytecodeList.json:
1248         This patch adds a new opcode and removes op_pop_scope:
1249         1) op_get_parent_scope returns the parent scope but doesn't 
1250         implicitly write that scope into the scope register. op_pop_scope
1251         is now reduced to op_get_parent_scope followed by op_mov.
1252
1253         * bytecode/BytecodeUseDef.h:
1254         (JSC::computeUsesForBytecodeOffset):
1255         (JSC::computeDefsForBytecodeOffset):
1256         * bytecode/CodeBlock.cpp:
1257         (JSC::CodeBlock::dumpBytecode):
1258         (JSC::CodeBlock::CodeBlock):
1259         (JSC::CodeBlock::stronglyVisitStrongReferences):
1260         * bytecode/CodeBlock.h:
1261         (JSC::CodeBlock::addStringSwitchJumpTable):
1262         (JSC::CodeBlock::stringSwitchJumpTable):
1263         (JSC::CodeBlock::symbolTable):
1264         (JSC::CodeBlock::evalCodeCache):
1265         (JSC::CodeBlock::setConstantRegisters):
1266         (JSC::CodeBlock::replaceConstant):
1267         op_put_to_scope for LocalClosureVar now takes as an argument
1268         the constant index for the Symbol Table it will be putting into.
1269         This argument is only used to communicate from the BytecodeGenerator
1270         to CodeBlock linking time and it is not present in the linked bytecode.
1271
1272         op_put_to_scope for non LocalClosureVar takes, at the same index, an
1273         argument that represents the local scope depth which it uses for
1274         JSScope::abstractResolve to know how many scopes it needs to skip.
1275         Again, this is not in the linked code.
1276         op_get_from_scope and op_resolve_scope also take as an argument
1277         the local scope depth to use in JSScope::abstractResolve. Again,
1278         this is not used in the linked code.
1279
1280         * bytecode/EvalCodeCache.h:
1281         (JSC::EvalCodeCache::tryGet):
1282         (JSC::EvalCodeCache::getSlow):
1283         (JSC::EvalCodeCache::clear):
1284         (JSC::EvalCodeCache::isCacheable):
1285         When direct eval is called and passed a scope that 
1286         corresponds to a lexical scope, we can't safely cache 
1287         that code because we won't be able to guarantee
1288         that the cached code is always executed in the same scope.
1289         Consider this example:
1290         function foo() {
1291             let x = 20;
1292             eval("x;");
1293             if (b) {
1294                 let x = 30;
1295                 if (b) {
1296                     let y = 40;
1297                     eval("x;")
1298                 }
1299             }
1300         }
1301
1302         We can't reuse resolution depth when linking get_from_scope in evals.
1303
1304         * bytecode/UnlinkedCodeBlock.cpp:
1305         (JSC::generateFunctionCodeBlock):
1306         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1307         (JSC::UnlinkedFunctionExecutable::parameterCount):
1308         * bytecode/UnlinkedCodeBlock.h:
1309         Unlinked functions now know the variables that were under TDZ in their parent
1310         scope.
1311
1312         (JSC::UnlinkedCodeBlock::symbolTable):
1313         (JSC::UnlinkedCodeBlock::setSymbolTable):
1314         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
1315         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
1316         (JSC::UnlinkedCodeBlock::vm):
1317         * bytecompiler/BytecodeGenerator.cpp:
1318         (JSC::BytecodeGenerator::generate):
1319         (JSC::BytecodeGenerator::BytecodeGenerator):
1320         (JSC::BytecodeGenerator::~BytecodeGenerator):
1321         (JSC::BytecodeGenerator::newRegister):
1322         (JSC::BytecodeGenerator::reclaimFreeRegisters):
1323         (JSC::BytecodeGenerator::newBlockScopeVariable):
1324         (JSC::BytecodeGenerator::newTemporary):
1325         (JSC::BytecodeGenerator::emitProfileType):
1326         (JSC::BytecodeGenerator::emitLoadGlobalObject):
1327         (JSC::BytecodeGenerator::pushLexicalScope):
1328         (JSC::BytecodeGenerator::popLexicalScope):
1329         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1330         (JSC::BytecodeGenerator::variable):
1331         (JSC::BytecodeGenerator::variablePerSymbolTable):
1332         (JSC::BytecodeGenerator::variableForLocalEntry):
1333         (JSC::BytecodeGenerator::createVariable):
1334         (JSC::BytecodeGenerator::emitResolveScope):
1335         (JSC::BytecodeGenerator::emitGetFromScope):
1336         (JSC::BytecodeGenerator::emitPutToScope):
1337         (JSC::BytecodeGenerator::initializeVariable):
1338         (JSC::BytecodeGenerator::emitTDZCheck):
1339         (JSC::BytecodeGenerator::needsTDZCheck):
1340         (JSC::BytecodeGenerator::emitTDZCheckIfNecessary):
1341         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
1342         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1343         (JSC::BytecodeGenerator::emitNewObject):
1344         (JSC::BytecodeGenerator::emitPushWithScope):
1345         (JSC::BytecodeGenerator::emitGetParentScope):
1346         (JSC::BytecodeGenerator::emitPopScope):
1347         (JSC::BytecodeGenerator::emitDebugHook):
1348         (JSC::BytecodeGenerator::pushFinallyContext):
1349         (JSC::BytecodeGenerator::pushIteratorCloseContext):
1350         (JSC::BytecodeGenerator::emitComplexPopScopes):
1351         (JSC::BytecodeGenerator::emitPopScopes):
1352         (JSC::BytecodeGenerator::popTryAndEmitCatch):
1353         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
1354         (JSC::BytecodeGenerator::currentScopeDepth):
1355         (JSC::BytecodeGenerator::emitThrowReferenceError):
1356         (JSC::BytecodeGenerator::emitPushCatchScope):
1357         (JSC::BytecodeGenerator::beginSwitch):
1358         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1359         (JSC::BytecodeGenerator::emitEnumeration):
1360         * bytecompiler/BytecodeGenerator.h:
1361         (JSC::Variable::Variable):
1362         (JSC::Variable::isResolved):
1363         (JSC::Variable::symbolTableConstantIndex):
1364         (JSC::Variable::ident):
1365         (JSC::BytecodeGenerator::ignoredResult):
1366         (JSC::BytecodeGenerator::tempDestination):
1367         (JSC::BytecodeGenerator::lastOpcodeID):
1368         (JSC::BytecodeGenerator::makeFunction):
1369         (JSC::BytecodeGenerator::symbolTable):
1370         (JSC::BytecodeGenerator::shouldOptimizeLocals): Deleted.
1371         (JSC::BytecodeGenerator::canOptimizeNonLocals): Deleted.
1372         The heart of the changes in this patch are in the bytecode generator.
1373         The bytecode generator now keeps a stack of tuples of 
1374         {symbol table, scope register, flag indicating catch or with scope, symbol table index in constant pool}
1375         that models the runtime scope stack. This symbol table stack is used
1376         in resolving local variables.
1377
1378         Also, the bytecode generator handles pushing and popping of lexical scopes. 
1379         This is relatively straight forward:
1380         Captured 'let' variables end up in the JSLexicalEnvironment scope and non-captured
1381         variables end up on the stack. Some trickiness is involved in generating
1382         code for 'for' loops that have captured variables (I'm talking about variables in the loop
1383         header, not the loop body). Each iteration of the for loop ends up with 
1384         its own JSLexicalEnvironment. Static code must be generated in such a way 
1385         to create this runtime behavior. This is done by emitting instructions to 
1386         push and pop a lexical scope at the end of each loop and copying values
1387         from the previous loop's scope into the new scope. This code must also
1388         ensure that each loop iteration's scope refers to the same underlying 
1389         SymbolTable so that no scope is accidentally mistaken as being a singleton scope.
1390
1391         When the debugger is enabled, all lexically defined variables will end up in the
1392         JSLexicalEnvironment.
1393
1394         * bytecompiler/NodesCodegen.cpp:
1395         (JSC::ResolveNode::emitBytecode):
1396         (JSC::FunctionCallResolveNode::emitBytecode):
1397         (JSC::PostfixNode::emitResolve):
1398         (JSC::DeleteResolveNode::emitBytecode):
1399         (JSC::TypeOfResolveNode::emitBytecode):
1400         (JSC::PrefixNode::emitResolve):
1401         (JSC::ReadModifyResolveNode::emitBytecode):
1402         (JSC::AssignResolveNode::emitBytecode):
1403         (JSC::BlockNode::emitBytecode):
1404         (JSC::ExprStatementNode::emitBytecode):
1405         (JSC::DeclarationStatement::emitBytecode):
1406         (JSC::EmptyVarExpression::emitBytecode):
1407         (JSC::EmptyLetExpression::emitBytecode):
1408         (JSC::ForNode::emitBytecode):
1409         (JSC::ForInNode::emitMultiLoopBytecode):
1410         (JSC::ForOfNode::emitBytecode):
1411         (JSC::SwitchNode::emitBytecode):
1412         (JSC::BindingNode::bindValue):
1413         (JSC::VarStatementNode::emitBytecode): Deleted.
1414         * debugger/DebuggerCallFrame.cpp:
1415         (JSC::DebuggerCallFrame::evaluate):
1416         * debugger/DebuggerScope.cpp:
1417         (JSC::DebuggerScope::getOwnPropertySlot):
1418         (JSC::DebuggerScope::put):
1419         * dfg/DFGByteCodeParser.cpp:
1420         (JSC::DFG::ByteCodeParser::parseBlock):
1421         * dfg/DFGCapabilities.cpp:
1422         (JSC::DFG::capabilityLevel):
1423         * dfg/DFGNode.h:
1424         (JSC::DFG::Node::castConstant):
1425         (JSC::DFG::Node::initializationValueForActivation):
1426         (JSC::DFG::Node::containsMovHint):
1427         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1428         CreateActivation nodes now have a second OpInfo that tracks the 
1429         initial value that needs to be placed in the activation. This initial value 
1430         is also used in allocation sinking to create proper bottom values for all 
1431         scope variables.
1432
1433         * dfg/DFGOperations.cpp:
1434         * dfg/DFGOperations.h:
1435         * dfg/DFGSpeculativeJIT.cpp:
1436         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1437         * dfg/DFGSpeculativeJIT.h:
1438         (JSC::DFG::SpeculativeJIT::callOperation):
1439         * ftl/FTLIntrinsicRepository.h:
1440         * ftl/FTLLowerDFGToLLVM.cpp:
1441         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
1442         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
1443         * ftl/FTLOperations.cpp:
1444         (JSC::FTL::operationMaterializeObjectInOSR):
1445         * interpreter/Interpreter.cpp:
1446         (JSC::Interpreter::execute):
1447         * jit/CCallHelpers.h:
1448         (JSC::CCallHelpers::setupArgumentsWithExecState):
1449         * jit/JIT.cpp:
1450         (JSC::JIT::privateCompileMainPass):
1451         * jit/JIT.h:
1452         * jit/JITInlines.h:
1453         (JSC::JIT::callOperation):
1454         * jit/JITOpcodes.cpp:
1455         (JSC::JIT::emit_op_push_with_scope):
1456         (JSC::JIT::compileOpStrictEq):
1457         (JSC::JIT::emit_op_catch):
1458         (JSC::JIT::emit_op_create_lexical_environment):
1459         (JSC::JIT::emit_op_get_parent_scope):
1460         (JSC::JIT::emit_op_switch_imm):
1461         (JSC::JIT::emit_op_enter):
1462         (JSC::JIT::emit_op_get_scope):
1463         (JSC::JIT::emit_op_pop_scope): Deleted.
1464         * jit/JITOpcodes32_64.cpp:
1465         (JSC::JIT::emit_op_push_with_scope):
1466         (JSC::JIT::emit_op_to_number):
1467         (JSC::JIT::emit_op_catch):
1468         (JSC::JIT::emit_op_create_lexical_environment):
1469         (JSC::JIT::emit_op_get_parent_scope):
1470         (JSC::JIT::emit_op_switch_imm):
1471         (JSC::JIT::emit_op_enter):
1472         (JSC::JIT::emit_op_get_scope):
1473         (JSC::JIT::emit_op_pop_scope): Deleted.
1474         * jit/JITOperations.cpp:
1475         (JSC::canAccessArgumentIndexQuickly):
1476         * jit/JITOperations.h:
1477         * llint/LLIntSlowPaths.cpp:
1478         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1479         * llint/LLIntSlowPaths.h:
1480         * llint/LowLevelInterpreter.asm:
1481         * llint/LowLevelInterpreter32_64.asm:
1482         * llint/LowLevelInterpreter64.asm:
1483         * parser/ASTBuilder.h:
1484         (JSC::ASTBuilder::createSourceElements):
1485         (JSC::ASTBuilder::funcDeclarations):
1486         (JSC::ASTBuilder::features):
1487         (JSC::ASTBuilder::numConstants):
1488         (JSC::ASTBuilder::createConditionalExpr):
1489         (JSC::ASTBuilder::createAssignResolve):
1490         (JSC::ASTBuilder::createClassDeclStatement):
1491         (JSC::ASTBuilder::createBlockStatement):
1492         (JSC::ASTBuilder::createIfStatement):
1493         (JSC::ASTBuilder::createForLoop):
1494         (JSC::ASTBuilder::createForInLoop):
1495         (JSC::ASTBuilder::createForOfLoop):
1496         (JSC::ASTBuilder::isBindingNode):
1497         (JSC::ASTBuilder::createEmptyStatement):
1498         (JSC::ASTBuilder::createDeclarationStatement):
1499         (JSC::ASTBuilder::createVarStatement):
1500         (JSC::ASTBuilder::createLetStatement):
1501         (JSC::ASTBuilder::createEmptyVarExpression):
1502         (JSC::ASTBuilder::createEmptyLetExpression):
1503         (JSC::ASTBuilder::createReturnStatement):
1504         (JSC::ASTBuilder::createTryStatement):
1505         (JSC::ASTBuilder::createSwitchStatement):
1506         (JSC::ASTBuilder::appendStatement):
1507         (JSC::ASTBuilder::createCommaExpr):
1508         (JSC::ASTBuilder::appendObjectPatternEntry):
1509         (JSC::ASTBuilder::createBindingLocation):
1510         (JSC::ASTBuilder::setEndOffset):
1511         (JSC::ASTBuilder::Scope::Scope):
1512         (JSC::ASTBuilder::makeAssignNode):
1513         (JSC::ASTBuilder::varDeclarations): Deleted.
1514         (JSC::ASTBuilder::addVar): Deleted.
1515         * parser/Keywords.table:
1516         * parser/NodeConstructors.h:
1517         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
1518         (JSC::AssignResolveNode::AssignResolveNode):
1519         (JSC::ExprStatementNode::ExprStatementNode):
1520         (JSC::DeclarationStatement::DeclarationStatement):
1521         (JSC::EmptyVarExpression::EmptyVarExpression):
1522         (JSC::EmptyLetExpression::EmptyLetExpression):
1523         (JSC::IfElseNode::IfElseNode):
1524         (JSC::WhileNode::WhileNode):
1525         (JSC::ForNode::ForNode):
1526         (JSC::CaseBlockNode::CaseBlockNode):
1527         (JSC::SwitchNode::SwitchNode):
1528         (JSC::ConstDeclNode::ConstDeclNode):
1529         (JSC::BlockNode::BlockNode):
1530         (JSC::EnumerationNode::EnumerationNode):
1531         (JSC::ForInNode::ForInNode):
1532         (JSC::ForOfNode::ForOfNode):
1533         (JSC::ObjectPatternNode::create):
1534         (JSC::BindingNode::create):
1535         (JSC::BindingNode::BindingNode):
1536         (JSC::VarStatementNode::VarStatementNode): Deleted.
1537         * parser/Nodes.cpp:
1538         (JSC::ScopeNode::ScopeNode):
1539         (JSC::ScopeNode::singleStatement):
1540         (JSC::ProgramNode::ProgramNode):
1541         (JSC::EvalNode::EvalNode):
1542         (JSC::FunctionNode::FunctionNode):
1543         (JSC::FunctionNode::finishParsing):
1544         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1545         * parser/Nodes.h:
1546         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1547         (JSC::VariableEnvironmentNode::lexicalVariables):
1548         (JSC::ScopeNode::usesThis):
1549         (JSC::ScopeNode::needsActivationForMoreThanVariables):
1550         (JSC::ScopeNode::needsActivation):
1551         (JSC::ScopeNode::hasCapturedVariables):
1552         (JSC::ScopeNode::captures):
1553         (JSC::ScopeNode::varDeclarations):
1554         (JSC::ScopeNode::functionStack):
1555         (JSC::ScopeNode::neededConstants):
1556         (JSC::ProgramNode::startColumn):
1557         (JSC::ProgramNode::endColumn):
1558         (JSC::EvalNode::startColumn):
1559         (JSC::EvalNode::endColumn):
1560         (JSC::BindingNode::boundProperty):
1561         (JSC::BindingNode::divotStart):
1562         (JSC::BindingNode::divotEnd):
1563         (JSC::ScopeNode::capturedVariableCount): Deleted.
1564         (JSC::ScopeNode::capturedVariables): Deleted.
1565         (JSC::ScopeNode::varStack): Deleted.
1566         There is a new class called 'VariableEnvironmentNode' that has the
1567         necessary fields to model a lexical scope. Multiple AST nodes now 
1568         also inherit from VariableEnvironmentNode.
1569
1570         * parser/Parser.cpp:
1571         (JSC::Parser<LexerType>::parseInner):
1572         (JSC::Parser<LexerType>::didFinishParsing):
1573         (JSC::Parser<LexerType>::parseStatementListItem):
1574         (JSC::Parser<LexerType>::parseVariableDeclaration):
1575         (JSC::Parser<LexerType>::parseWhileStatement):
1576         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1577         (JSC::Parser<LexerType>::createBindingPattern):
1578         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
1579         (JSC::Parser<LexerType>::parseDestructuringPattern):
1580         (JSC::Parser<LexerType>::parseConstDeclarationList):
1581         (JSC::Parser<LexerType>::parseForStatement):
1582         (JSC::Parser<LexerType>::parseBreakStatement):
1583         (JSC::Parser<LexerType>::parseContinueStatement):
1584         (JSC::Parser<LexerType>::parseSwitchStatement):
1585         (JSC::Parser<LexerType>::parseTryStatement):
1586         (JSC::Parser<LexerType>::parseBlockStatement):
1587         (JSC::Parser<LexerType>::parseStatement):
1588         (JSC::Parser<LexerType>::parseFunctionInfo):
1589         (JSC::Parser<LexerType>::parseClassDeclaration):
1590         (JSC::Parser<LexerType>::parseClass):
1591         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1592         (JSC::Parser<LexerType>::parseAssignmentExpression):
1593         (JSC::Parser<LexerType>::parseGetterSetter):
1594         (JSC::Parser<LexerType>::parsePrimaryExpression):
1595         (JSC::Parser<LexerType>::parseVarDeclaration): Deleted.
1596         (JSC::Parser<LexerType>::parseVarDeclarationList): Deleted.
1597         * parser/Parser.h:
1598         (JSC::Scope::Scope):
1599         (JSC::Scope::setIsFunction):
1600         (JSC::Scope::isFunction):
1601         (JSC::Scope::isFunctionBoundary):
1602         (JSC::Scope::setIsLexicalScope):
1603         (JSC::Scope::isLexicalScope):
1604         (JSC::Scope::declaredVariables):
1605         (JSC::Scope::finalizeLexicalEnvironment):
1606         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
1607         (JSC::Scope::declareCallee):
1608         (JSC::Scope::declareVariable):
1609         (JSC::Scope::declareLexicalVariable):
1610         (JSC::Scope::hasDeclaredVariable):
1611         (JSC::Scope::hasLexicallyDeclaredVariable):
1612         (JSC::Scope::hasDeclaredParameter):
1613         (JSC::Scope::declareWrite):
1614         (JSC::Scope::preventAllVariableDeclarations):
1615         (JSC::Scope::preventVarDeclarations):
1616         (JSC::Scope::allowsVarDeclarations):
1617         (JSC::Scope::allowsLexicalDeclarations):
1618         (JSC::Scope::declareParameter):
1619         (JSC::Scope::declareBoundParameter):
1620         (JSC::Scope::useVariable):
1621         (JSC::Scope::setNeedsFullActivation):
1622         (JSC::Scope::needsFullActivation):
1623         (JSC::Scope::hasDirectSuper):
1624         (JSC::Scope::setNeedsSuperBinding):
1625         (JSC::Scope::collectFreeVariables):
1626         (JSC::Scope::getCapturedVars):
1627         (JSC::Scope::copyCapturedVariablesToVector):
1628         (JSC::Parser::AutoCleanupLexicalScope::AutoCleanupLexicalScope):
1629         (JSC::Parser::AutoCleanupLexicalScope::~AutoCleanupLexicalScope):
1630         (JSC::Parser::AutoCleanupLexicalScope::setIsValid):
1631         (JSC::Parser::AutoCleanupLexicalScope::isValid):
1632         (JSC::Parser::AutoCleanupLexicalScope::setPopped):
1633         (JSC::Parser::AutoCleanupLexicalScope::scope):
1634         (JSC::Parser::currentScope):
1635         (JSC::Parser::pushScope):
1636         (JSC::Parser::popScopeInternal):
1637         (JSC::Parser::popScope):
1638         (JSC::Parser::declareVariable):
1639         (JSC::Parser::hasDeclaredVariable):
1640         (JSC::Parser::hasDeclaredParameter):
1641         (JSC::Parser::declareWrite):
1642         (JSC::Parser::findCachedFunctionInfo):
1643         (JSC::Parser::isFunctionBodyNode):
1644         (JSC::Parser::continueIsValid):
1645         (JSC::Parser::pushLabel):
1646         (JSC::Parser::popLabel):
1647         (JSC::Parser::getLabel):
1648         (JSC::Parser::isLETMaskedAsIDENT):
1649         (JSC::Parser<LexerType>::parse):
1650         (JSC::Scope::preventNewDecls): Deleted.
1651         (JSC::Scope::allowsNewDecls): Deleted.
1652         (JSC::Scope::getCapturedVariables): Deleted.
1653         There are basic parser changes that now allow for the 'let'
1654         keyword. The trickiest change is how we will still treat 'let' 
1655         as an identifier for sloppy-mode code sometimes. For example,
1656         "var let = ..." is allowed but "let let" or "const let" is not.
1657
1658         The most significant change to the parser made for this patch
1659         is appropriating the Scope struct to also also model a lexical 
1660         scope. Changes were made in how we track captured variables to 
1661         account for this. In general, I think some of this code could 
1662         benefit from a slight refactoring to make things cleaner.
1663
1664         * parser/ParserTokens.h:
1665         * parser/SyntaxChecker.h:
1666         (JSC::SyntaxChecker::createNewExpr):
1667         (JSC::SyntaxChecker::createConditionalExpr):
1668         (JSC::SyntaxChecker::createAssignResolve):
1669         (JSC::SyntaxChecker::createEmptyVarExpression):
1670         (JSC::SyntaxChecker::createEmptyLetExpression):
1671         (JSC::SyntaxChecker::createClassExpr):
1672         (JSC::SyntaxChecker::createClassDeclStatement):
1673         (JSC::SyntaxChecker::createBlockStatement):
1674         (JSC::SyntaxChecker::createExprStatement):
1675         (JSC::SyntaxChecker::createIfStatement):
1676         (JSC::SyntaxChecker::createForLoop):
1677         (JSC::SyntaxChecker::createForInLoop):
1678         (JSC::SyntaxChecker::createForOfLoop):
1679         (JSC::SyntaxChecker::createEmptyStatement):
1680         (JSC::SyntaxChecker::createVarStatement):
1681         (JSC::SyntaxChecker::createLetStatement):
1682         (JSC::SyntaxChecker::createReturnStatement):
1683         (JSC::SyntaxChecker::createBreakStatement):
1684         (JSC::SyntaxChecker::createContinueStatement):
1685         (JSC::SyntaxChecker::createTryStatement):
1686         (JSC::SyntaxChecker::createSwitchStatement):
1687         (JSC::SyntaxChecker::createWhileStatement):
1688         (JSC::SyntaxChecker::createWithStatement):
1689         (JSC::SyntaxChecker::createDoWhileStatement):
1690         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1691         (JSC::SyntaxChecker::appendStatement):
1692         (JSC::SyntaxChecker::combineCommaNodes):
1693         (JSC::SyntaxChecker::evalCount):
1694         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
1695         (JSC::SyntaxChecker::operatorStackPop):
1696         (JSC::SyntaxChecker::addVar): Deleted.
1697         * parser/VariableEnvironment.cpp: Added.
1698         (JSC::VariableEnvironment::markVariableAsCapturedIfDefined):
1699         (JSC::VariableEnvironment::markVariableAsCaptured):
1700         (JSC::VariableEnvironment::markAllVariablesAsCaptured):
1701         (JSC::VariableEnvironment::hasCapturedVariables):
1702         (JSC::VariableEnvironment::captures):
1703         (JSC::VariableEnvironment::swap):
1704         * parser/VariableEnvironment.h: Added.
1705         (JSC::VariableEnvironmentEntry::isCaptured):
1706         (JSC::VariableEnvironmentEntry::isConstant):
1707         (JSC::VariableEnvironmentEntry::isVar):
1708         (JSC::VariableEnvironmentEntry::isLet):
1709         (JSC::VariableEnvironmentEntry::setIsCaptured):
1710         (JSC::VariableEnvironmentEntry::setIsConstant):
1711         (JSC::VariableEnvironmentEntry::setIsVar):
1712         (JSC::VariableEnvironmentEntry::setIsLet):
1713         (JSC::VariableEnvironmentEntry::clearIsVar):
1714         (JSC::VariableEnvironment::begin):
1715         (JSC::VariableEnvironment::end):
1716         (JSC::VariableEnvironment::add):
1717         (JSC::VariableEnvironment::size):
1718         (JSC::VariableEnvironment::contains):
1719         (JSC::VariableEnvironment::remove):
1720         VariableEnvironment is a new class that keeps track
1721         of the static environment in the parser and the bytecode generator.
1722         VariableEnvironment behaves like SymbolTable but for the bytecode generator.
1723         It keeps track of variable types, i.e, if a variable is a "var", "let", "const" 
1724         and whether or not its captured.
1725
1726         * runtime/CodeCache.cpp:
1727         (JSC::CodeCache::getGlobalCodeBlock):
1728         (JSC::CodeCache::getProgramCodeBlock):
1729         (JSC::CodeCache::getEvalCodeBlock):
1730         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1731         * runtime/CodeCache.h:
1732         (JSC::CodeCache::clear):
1733         * runtime/CommonSlowPaths.cpp:
1734         (JSC::SLOW_PATH_DECL):
1735         * runtime/CommonSlowPaths.h:
1736         * runtime/ExceptionHelpers.cpp:
1737         (JSC::createErrorForInvalidGlobalAssignment):
1738         (JSC::createTDZError):
1739         (JSC::throwOutOfMemoryError):
1740         * runtime/ExceptionHelpers.h:
1741         * runtime/Executable.cpp:
1742         (JSC::EvalExecutable::create):
1743         (JSC::ProgramExecutable::initializeGlobalProperties):
1744         * runtime/Executable.h:
1745         * runtime/JSCJSValue.h:
1746         (JSC::jsUndefined):
1747         (JSC::jsTDZValue):
1748         (JSC::jsBoolean):
1749         * runtime/JSEnvironmentRecord.h:
1750         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
1751         (JSC::JSEnvironmentRecord::finishCreation):
1752         * runtime/JSGlobalObject.cpp:
1753         (JSC::JSGlobalObject::createProgramCodeBlock):
1754         (JSC::JSGlobalObject::createEvalCodeBlock):
1755         * runtime/JSGlobalObject.h:
1756         (JSC::JSGlobalObject::weakRandomInteger):
1757         * runtime/JSGlobalObjectFunctions.cpp:
1758         (JSC::globalFuncEval):
1759         * runtime/JSLexicalEnvironment.cpp:
1760         (JSC::JSLexicalEnvironment::symbolTableGet):
1761         * runtime/JSLexicalEnvironment.h:
1762         (JSC::JSLexicalEnvironment::create):
1763         * runtime/JSScope.cpp:
1764         (JSC::JSScope::resolve):
1765         (JSC::JSScope::abstractResolve):
1766         (JSC::JSScope::collectVariablesUnderTDZ):
1767         (JSC::JSScope::isLexicalScope):
1768         (JSC::resolveModeName):
1769         * runtime/JSScope.h:
1770         * runtime/PropertySlot.h:
1771         (JSC::PropertySlot::setValue):
1772         * runtime/SymbolTable.cpp:
1773         (JSC::SymbolTable::SymbolTable):
1774         (JSC::SymbolTable::cloneScopePart):
1775         * runtime/SymbolTable.h:
1776         SymbolTable now uses an extra bit to know if it corresponds
1777         to a "let"-like environment or not.
1778
1779         * runtime/WriteBarrier.h:
1780         (JSC::WriteBarrierBase<Unknown>::get):
1781         (JSC::WriteBarrierBase<Unknown>::clear):
1782         (JSC::WriteBarrierBase<Unknown>::setUndefined):
1783         (JSC::WriteBarrierBase<Unknown>::setStartingValue):
1784         (JSC::WriteBarrierBase<Unknown>::isNumber):
1785         (JSC::WriteBarrierBase<Unknown>::isObject):
1786         (JSC::WriteBarrierBase<Unknown>::isNull):
1787         * tests/stress/activation-sink-default-value-tdz-error.js: Added.
1788         (shouldThrowTDZ):
1789         (bar):
1790         (foo.cap):
1791         * tests/stress/activation-sink-osrexit-default-value-tdz-error.js: Added.
1792         (shouldThrowTDZ):
1793         (bar):
1794         * tests/stress/lexical-let-and-with-statement.js: Added.
1795         (truth):
1796         (assert):
1797         (.):
1798         * tests/stress/lexical-let-exception-handling.js: Added.
1799         (truth):
1800         (assert):
1801         (.):
1802         * tests/stress/lexical-let-global-not-captured-variables.js: Added.
1803         (truth):
1804         (assert):
1805         (foo):
1806         (.let.capY):
1807         * tests/stress/lexical-let-loop-semantics.js: Added.
1808         (truth):
1809         (assert):
1810         (shouldThrowTDZ):
1811         (.):
1812         * tests/stress/lexical-let-not-strict-mode.js: Added.
1813         (truth):
1814         (assert):
1815         (shouldThrowTDZ):
1816         (.):
1817         * tests/stress/lexical-let-semantics.js: Added.
1818         (truth):
1819         (assert):
1820         (let.globalFunction):
1821         (let.retGlobalNumberCaptured):
1822         (let.setGlobalNumberCaptured):
1823         (.):
1824         * tests/stress/lexical-let-tdz.js: Added.
1825         (truth):
1826         (assert):
1827         (shouldThrowTDZ):
1828         (.):
1829
1830 2015-07-15  Anders Carlsson  <andersca@apple.com>
1831
1832         Make JavaScriptCore SPI headers used by WebCore SPI headers self-contained
1833         https://bugs.webkit.org/show_bug.cgi?id=146978
1834
1835         Reviewed by Dan Bernstein.
1836
1837         * debugger/DebuggerPrimitives.h:
1838         * disassembler/Disassembler.h:
1839         * heap/Weak.h:
1840         * inspector/InspectorValues.h:
1841         * runtime/JSCJSValue.h:
1842
1843 2015-07-14  Anders Carlsson  <andersca@apple.com>
1844
1845         Assertions.h should include ExportMacros.h
1846         https://bugs.webkit.org/show_bug.cgi?id=146948
1847
1848         Reviewed by Tim Horton.
1849
1850         Remove now unneeded WTF_EXPORT_PRIVATE define.
1851
1852         * API/JSBase.h:
1853
1854 2015-07-14  Matthew Mirman  <mmirman@apple.com>
1855
1856         Repatch. Makes compileArithSub in the DFG ensure that the constant is an int32.
1857         https://bugs.webkit.org/show_bug.cgi?id=146910
1858         rdar://problem/21729083
1859
1860         Reviewed by Filip Pizlo.
1861         
1862         Also fixes the debug build problem where all edges are assumed to 
1863         have UntypedUse before the fixup phase.
1864
1865         * dfg/DFGSpeculativeJIT.cpp:
1866         (JSC::DFG::SpeculativeJIT::compileArithSub):
1867         * dfg/DFGValidate.cpp:
1868         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
1869         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
1870         (arithAdd42WrittenAsInteger):
1871         (testArithAdd42WrittenAsInteger):
1872         (arithSub42WrittenAsDouble):
1873         (testArithSub42WrittenAsDouble):
1874         (doubleConstant):
1875         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
1876         (arithAdd42WrittenAsDouble): Deleted.
1877         (testArithAdd42WrittenAsDouble): Deleted.
1878
1879 2015-07-14  Matthew Mirman  <mmirman@apple.com>
1880
1881         Unreviewed, rolling out r186805.
1882
1883         Made raytracer on octane 80% slower
1884
1885         Reverted changeset:
1886
1887         "Makes compileArithSub in the DFG ensure that the constant is
1888         an int32."
1889         https://bugs.webkit.org/show_bug.cgi?id=146910
1890         http://trac.webkit.org/changeset/186805
1891
1892 2015-07-13  Matthew Mirman  <mmirman@apple.com>
1893
1894         Makes compileArithSub in the DFG ensure that the constant is an int32.
1895         https://bugs.webkit.org/show_bug.cgi?id=146910
1896         rdar://problem/21729083
1897
1898         Reviewed by Filip Pizlo.
1899         
1900         Also fixes the debug build problem where all edges are assumed to 
1901         have UntypedUse before the fixup phase.
1902
1903         * dfg/DFGSpeculativeJIT.cpp:
1904         (JSC::DFG::SpeculativeJIT::compileArithSub):
1905         * dfg/DFGValidate.cpp:
1906         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
1907         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
1908         (arithAdd42WrittenAsInteger):
1909         (testArithAdd42WrittenAsInteger):
1910         (arithSub42WrittenAsDouble):
1911         (testArithSub42WrittenAsDouble):
1912         (doubleConstant):
1913         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
1914         (arithAdd42WrittenAsDouble): Deleted.
1915         (testArithAdd42WrittenAsDouble): Deleted.
1916
1917 2015-07-13  Basile Clement  <basile_clement@apple.com>
1918
1919         Object cycles should not prevent allocation elimination/sinking
1920         https://bugs.webkit.org/show_bug.cgi?id=143073
1921
1922         Reviewed by Filip Pizlo.
1923
1924         This patch introduces a new allocation sinking phase that is able to
1925         sink cycles, in DFGAllocationCycleSinkingPhase.cpp. This phase
1926         supersedes the old allocation sinking phase in
1927         DFGObjectAllocationSinkingPhase.cpp, as that previous phase was never
1928         able to sink allocation cycles while the new phase sometimes can; see
1929         DFGAllocationCycleSinkingPhase.cpp for details.
1930
1931         For now, the new sinking phase is kept behind a
1932         JSC_enableAllocationCycleSinking flag that reverts to the old sinking
1933         phase when false (i.e., by default). This also removes the old
1934         JSC_enableObjectAllocationSinking flag. run-javascriptcore-tests
1935         defaults to using the new sinking phase.
1936
1937         * dfg/DFGGraph.h:
1938         (JSC::DFG::Graph::addStructureSet): Allow empty structure sets
1939         * dfg/DFGLazyNode.cpp:
1940         (JSC::DFG::LazyNode::dump): Prettier dump
1941         * dfg/DFGNode.h:
1942         (JSC::DFG::Node::cellOperand): Move to opInfo for MaterializeCreateActivation
1943         (JSC::DFG::Node::hasStructureSet): Add MaterializeNewObject
1944         (JSC::DFG::Node::objectMaterializationData): Move to opInfo2
1945         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Remove unused header
1946         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1947         (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase): Deleted.
1948         (JSC::DFG::ObjectAllocationSinkingPhase::run): Deleted.
1949         (JSC::DFG::ObjectAllocationSinkingPhase::performSinking): Deleted.
1950         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): Deleted.
1951         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): Deleted.
1952         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): Deleted.
1953         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): Deleted.
1954         (JSC::DFG::ObjectAllocationSinkingPhase::resolve): Deleted.
1955         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): Deleted.
1956         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): Deleted.
1957         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): Deleted.
1958         * dfg/DFGObjectAllocationSinkingPhase.h:
1959         * dfg/DFGPromotedHeapLocation.h: Add a hash and a helper function to PromotedLocationDescriptor
1960         (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
1961         (JSC::DFG::PromotedLocationDescriptor::operator bool):
1962         (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization):
1963         (JSC::DFG::PromotedLocationDescriptorHash::hash):
1964         (JSC::DFG::PromotedLocationDescriptorHash::equal):
1965         * dfg/DFGValidate.cpp:
1966         (JSC::DFG::Validate::validateSSA): Assert that most nodes never see a phantom allocation
1967         * ftl/FTLLowerDFGToLLVM.cpp:
1968         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeNewObject): Use the new structureSet() operand
1969         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation): Node has a new child
1970         * ftl/FTLOSRExitCompiler.cpp: Handle materialization cycles
1971         (JSC::FTL::compileStub):
1972         * ftl/FTLOperations.cpp: Handle materialization cycles
1973         (JSC::FTL::operationPopulateObjectInOSR):
1974         (JSC::FTL::operationMaterializeObjectInOSR):
1975         * ftl/FTLOperations.h: Handle materialization cycles
1976         * tests/stress/correctly-sink-object-even-though-it-dies.js: Added.
1977         (clobber):
1978         (foo):
1979         * tests/stress/eliminate-object-read-over-call.js: Added.
1980         (clobber):
1981         (foo):
1982         * tests/stress/materialize-object-on-edge.js: Added.
1983         (call):
1984         (foo):
1985         * tests/stress/object-sinking-stress.js: Added.
1986         (foo):
1987         * tests/stress/sink-object-cycle.js: Added.
1988         (clobber):
1989         (foo):
1990         * tests/stress/sink-object-past-put.js: Added.
1991         (clobber):
1992         (foo):
1993         * tests/stress/sinkable-new-object-in-loop.js: Added.
1994         (foo):
1995
1996 2015-07-13  Daniel Bates  <dabates@apple.com>
1997
1998         Cleanup: Avoid extraneous increment and decrement of reference count of ScriptArguments in ConsoleClient
1999         https://bugs.webkit.org/show_bug.cgi?id=146920
2000
2001         Reviewed by Brian Burg.
2002
2003         Remove local variable RefPtr<ScriptArguments> and copy constructor call with an argument that
2004         was initialized with an rvalue reference. The argument itself is an lvalue reference.
2005
2006         * runtime/ConsoleClient.cpp:
2007         (JSC::ConsoleClient::printConsoleMessageWithArguments):
2008         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
2009
2010 2015-07-13  Anders Carlsson  <andersca@apple.com>
2011
2012         Apps linked with a deployment target of iOS 7.x or earlier crash when using modern WebKit API
2013         https://bugs.webkit.org/show_bug.cgi?id=146913
2014         rdar://problem/21789252
2015
2016         Reviewed by Dan Bernstein.
2017
2018         Make a top-level symlink from /System/Library/PrivateFrameworks/JavaScriptCore.framework to
2019         /System/Library/Frameworks/JavaScriptCore.framework.
2020     
2021         * JavaScriptCore.xcodeproj/project.pbxproj:
2022
2023 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
2024
2025         If Watchpoint::fire() looks at the state of the world, it should definitely see its set invalidated, and maybe it should see the object of interest in the transitioned-to state
2026         https://bugs.webkit.org/show_bug.cgi?id=146897
2027
2028         Reviewed by Mark Lam.
2029         
2030         The idea is to eventually support adaptive watchpoints. An adaptive watchpoint will be
2031         able to watch for a condition that is more fine-grained than any one watchpoint set. For
2032         example, we might watch a singleton object to see if it ever acquires a property called
2033         "foo". So long as it doesn't have such a property, we don't want to invalidate any code.
2034         But if it gets that property, then we should deoptimize. Current watchpoints will
2035         invalidate code as soon as any property is added (or deleted), because they will use the
2036         transition watchpoint set of the singleton object's structure, and that fires anytime
2037         there is any transition.
2038         
2039         An adaptive watchpoint would remember the singleton object, and when it got fired, it
2040         would check if the object's new structure has the property "foo". If not, it would check
2041         if the object's new structure is watchable (i.e. has a valid transition watchpoint set).
2042         If the property is missing and the structure is watchable, it would add itself to the
2043         watchpoint set of the new structure. Otherwise, it would deoptimize.
2044         
2045         There are two problems with this idea, and this patch fixes these problems. First, we
2046         usually fire the transition watchpoint before we do the structure transition. This means
2047         that if the fire() method looked at the singleton object's structure, it would see the old
2048         structure, not the new one. It would have no way of knowing what the new structure is.
2049         Second, inside the fire() method, the watchpoint set being invalidated still appears
2050         valid, since we change the state after we fire all watchpoints.
2051         
2052         This patch addresses both issues. Now, in the most important case (addPropertyTransition),
2053         we fire the watchpoint set after we have modified the object. This is accomplished using
2054         a deferral scope called DeferredStructureTransitionWatchpointFire. In cases where there is
2055         no deferral, the adaptive watchpoint will conservatively resort to deoptimization because
2056         it would find that the singleton object's structure is no longer watchable. This is
2057         because in the absence of deferral, the singleton object would still have the original
2058         structure, but that structure's watchpoint set would now report itself as having been
2059         invalidated.
2060
2061         * bytecode/Watchpoint.cpp:
2062         (JSC::WatchpointSet::fireAllSlow): Change the state of the set before firing all watchpoints.
2063         (JSC::WatchpointSet::fireAllWatchpoints):
2064         * runtime/JSObject.h:
2065         (JSC::JSObject::putDirectInternal): Use the deferral scope.
2066         * runtime/Structure.cpp:
2067         (JSC::Structure::Structure): Pass the deferral scope to didTransitionFromThisStructure.
2068         (JSC::Structure::addPropertyTransition): Pass the deferral scope to create().
2069         (JSC::StructureFireDetail::dump): This is no longer anonymous.
2070         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire): Start with a null structure.
2071         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire): Fire the watchpoint if there is a structure.
2072         (JSC::DeferredStructureTransitionWatchpointFire::add): Add a structure. Logically this is a list of deferred things, but we assert that there only will be one (happens to be true now).
2073         (JSC::Structure::didTransitionFromThisStructure): Defer the watchpoint firing if there is a deferral scope.
2074         * runtime/Structure.h:
2075         (JSC::StructureFireDetail::StructureFireDetail): Move this to the header.
2076         * runtime/StructureInlines.h:
2077         (JSC::Structure::create): Pass the deferral scope to the constructor.
2078
2079 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
2080
2081         Watchpoints should be removed from their owning WatchpointSet before they are fired
2082         https://bugs.webkit.org/show_bug.cgi?id=146895
2083
2084         Reviewed by Sam Weinig.
2085         
2086         This simplifies the WatchpointSet API by making it so that when Watchpoint::fire() is
2087         called, the Watchpoint is no longer in the set. This means that you don't have to remember
2088         to remove it from the set's list (currently we do that implicitly as part of whatever
2089         any particular Watchpoint::fireInternal() does), and you can now write adaptive
2090         watchpoints that re-add themselves to a different set if they determine that the thing
2091         they are actually watching is still intact but now needs to be watched in a different way
2092         (like watching for whether some singleton object has a property of some name).
2093
2094         * bytecode/Watchpoint.cpp:
2095         (JSC::Watchpoint::~Watchpoint): Add a comment about why this is necessary.
2096         (JSC::Watchpoint::fire): Make this out-of-line, private, and make it assert that we're no longer on the list.
2097         (JSC::WatchpointSet::fireAllWatchpoints): Make this remove the watchpoint from the list before firing it.
2098         * bytecode/Watchpoint.h:
2099         (JSC::Watchpoint::fire): Deleted. I moved this to Watchpoint.cpp.
2100
2101 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2102
2103         DFG::DesiredWatchpoints should accept WatchpointSetType's that aren't necessarily pointers
2104         https://bugs.webkit.org/show_bug.cgi?id=146875
2105
2106         Reviewed by Dan Bernstein.
2107         
2108         In the future we'll want to add a desired watchpoint set that's something like "please
2109         watch property 'Foo' for 'deletion' on structure 'S1'", so that the "set type" is struct
2110         like "struct MySet { StringImpl* property; Mode mode; Structure* structure };".
2111         
2112         This is a very mechanical change for now - all of the current users happen to use sets
2113         that are pointer typed, so it's just a matter of moving some "*"'s around.
2114
2115         * dfg/DFGDesiredWatchpoints.h:
2116         (JSC::DFG::GenericSetAdaptor::add):
2117         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
2118         (JSC::DFG::GenericDesiredWatchpoints::GenericDesiredWatchpoints):
2119         (JSC::DFG::GenericDesiredWatchpoints::addLazily):
2120         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
2121         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
2122         (JSC::DFG::GenericDesiredWatchpoints::isWatched):
2123         (JSC::DFG::DesiredWatchpoints::isWatched):
2124
2125 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2126
2127         Watchpoints should be allocated with FastMalloc
2128         https://bugs.webkit.org/show_bug.cgi?id=146874
2129
2130         Reviewed by Dan Bernstein.
2131         
2132         This is in preparation for adding new subclasses of Watchpoint. While starting to do this
2133         I realized that the way Watchpoints allocated themselves was unusual.
2134
2135         * bytecode/CodeBlockJettisoningWatchpoint.h:
2136         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): No need for the default constructor.
2137         * bytecode/Watchpoint.h:
2138         (JSC::Watchpoint::Watchpoint): This should be noncopyable and fast-allocated.
2139         * dfg/DFGCommonData.h: Use a Bag<> instead of SegmentedVector<>. Bag means "malloc things but allow me to free them all at once", which is what we are doing here.
2140         * dfg/DFGDesiredWatchpoints.h:
2141         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd): Use the Bag<> API rather than the very awkward SegmentedVector<> API.
2142
2143 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2144
2145         AI folding of IsObjectOrNull is broken for non-object types that may be null
2146         https://bugs.webkit.org/show_bug.cgi?id=146867
2147
2148         Reviewed by Ryosuke Niwa.
2149
2150         * dfg/DFGAbstractInterpreterInlines.h:
2151         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Fix the bug and add some text describing what is going on.
2152         * tests/stress/misc-is-object-or-null.js: Added. Test for the bug.
2153         (foo):
2154         * tests/stress/other-is-object-or-null.js: Added. Test for a bug I almost introduced.
2155         (foo):
2156
2157 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2158
2159         It should be easy to measure total compile times.
2160         https://bugs.webkit.org/show_bug.cgi?id=146857
2161
2162         Reviewed by Sam Weinig.
2163         
2164         This gives DFG::Plan the ability to track total compile times, and return them in a map
2165         of stats that jsc.cpp can display.
2166         
2167         I want to do some work to bring down DFG compile times. This will help me measure whether
2168         I'm making a difference or not.
2169
2170         * dfg/DFGPlan.cpp:
2171         (JSC::DFG::Plan::Plan):
2172         (JSC::DFG::Plan::~Plan):
2173         (JSC::DFG::Plan::computeCompileTimes):
2174         (JSC::DFG::Plan::reportCompileTimes):
2175         (JSC::DFG::Plan::compileInThread):
2176         (JSC::DFG::Plan::compileInThreadImpl):
2177         (JSC::DFG::Plan::cancel):
2178         (JSC::DFG::Plan::compileTimeStats):
2179         (JSC::DFG::dumpAndVerifyGraph): Deleted.
2180         (JSC::DFG::profilerCompilationKindForMode): Deleted.
2181         * dfg/DFGPlan.h:
2182         (JSC::DFG::Plan::compileTimeStats):
2183         * jsc.cpp:
2184         (jscmain):
2185         * runtime/Options.h:
2186
2187 2015-07-04  Filip Pizlo  <fpizlo@apple.com>
2188
2189         DFG fragile frozen values are fundamentally broken
2190         https://bugs.webkit.org/show_bug.cgi?id=146602
2191
2192         Reviewed by Mark Lam.
2193         
2194         This change gets rid of the FragileValue value strength, because it was fundamentally
2195         broken.
2196         
2197         FragileValue was a value known to the compiler but not tracked by the GC in any way -
2198         it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
2199         must-handle values. The philosophy was that if the compiler did use the value for
2200         optimization, it would have been strengthened to a weak value (or maybe even a strong
2201         value, though we probably won't do that). But this was too much of a pipe dream. I've
2202         found at least one case where the compiler did use the value, but never strengthened
2203         it: it would happen if the value ended up in an OSR entry data expected value. Then if
2204         we GCed, we might have killed the value, but OSR entry would still try to use it for
2205         validation. That might have sort of just worked, but it's clearly shady.
2206
2207         The reason why we made must-handle values fragile and not weak is that most of the time
2208         the values disappear from the abstract state: they are LUBed to a non-constant. If we
2209         kept them around as weak, we'd have too many cases of the GC killing the code because
2210         it thought that the value was somehow meaningful to the code when it was only used as a
2211         temporary artifact of optimization.
2212
2213         So, it's true that it's very important for must-handle values not to automatically be
2214         weak or strong. It's also true that the values are necessary for AI bootstrap because
2215         we need to know what values OSR entry will require. But we shouldn't accomplish these
2216         goals by having the compiler hold onto what are essentially dangling pointers.
2217         
2218         This implements a better solution: instead of having InPlaceAbstractState bootstrap the
2219         AI with must-handle values at the beginning, we now widen the valuesAtHead of the
2220         must-handle block after AI converges. This widening is done in CFAPhase. This allows us
2221         to see if the must-handle values are necessary at all. In most cases, the widening
2222         takes a non-constant abstract value and simply amends something to its type based on
2223         the type of the must-handle value, and so the must-handle value never actually shows up
2224         in either the IR or any abstract value. In the unlikely event that the value at head is
2225         bottom, we freeze the must-handle value. This change removes FragileValue, and this
2226         freezing uses WeakValue as the strength. That makes sense: since the abstract value was
2227         bottom, the must-handle value becomes integral to the IR and so it makes no sense for
2228         the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
2229         sometimes happen for example if you have a very long-running loop whose pre-header
2230         allocates some object, but that pre-header appears to always exit to the optimizing JIT
2231         because it was only profiled once in the LLInt and that profiling appears insufficient
2232         to the DFG. In that case, we'll effectively constant-fold the references to the object
2233         inside the loop, which is both efficient (yay constant folding!) and necessary
2234         (otherwise we wouldn't know what the type of the variable should have been).
2235         
2236         Testing and debugging this is complicated. So, this adds some new capabilities:
2237         
2238         - DFG IR dumps also dump all of the FrozenValues that point to the heap along with
2239           their strengths, so that it's easy to see what GC objects the DFG feels are necessary
2240           for the compilation.
2241         
2242         - DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
2243           to see what GC pointers (and other things) are used for OSR entry validation. The
2244           printouts are quite detailed, and should also help other kinds of OSR entry
2245           debugging.
2246         
2247         - DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
2248           data structures are also properly registered as either weak or strong pointers in the
2249           CodeBlock. This validation check previously failed due to fragile values ending up in
2250           the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
2251           and in some pre-existing tests (like earley-boyer and 3d-raytrace).
2252
2253         * CMakeLists.txt:
2254         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2255         * JavaScriptCore.xcodeproj/project.pbxproj:
2256         * bytecode/CodeBlock.cpp:
2257         (JSC::CodeBlock::stronglyVisitStrongReferences):
2258         * bytecode/CodeOrigin.cpp:
2259         (JSC::InlineCallFrame::visitAggregate):
2260         * bytecode/Operands.h:
2261         (JSC::Operands::operand):
2262         (JSC::Operands::hasOperand):
2263         * bytecode/StructureSet.cpp:
2264         (JSC::StructureSet::dump):
2265         (JSC::StructureSet::validateReferences):
2266         * bytecode/StructureSet.h:
2267         * bytecode/TrackedReferences.cpp: Added.
2268         (JSC::TrackedReferences::TrackedReferences):
2269         (JSC::TrackedReferences::~TrackedReferences):
2270         (JSC::TrackedReferences::add):
2271         (JSC::TrackedReferences::check):
2272         (JSC::TrackedReferences::dump):
2273         * bytecode/TrackedReferences.h: Added.
2274         * dfg/DFGAbstractValue.cpp:
2275         (JSC::DFG::AbstractValue::observeTransitions):
2276         (JSC::DFG::AbstractValue::set):
2277         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2278         (JSC::DFG::AbstractValue::mergeOSREntryValue):
2279         (JSC::DFG::AbstractValue::filter):
2280         (JSC::DFG::AbstractValue::dumpInContext):
2281         (JSC::DFG::AbstractValue::validateReferences):
2282         (JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
2283         * dfg/DFGAbstractValue.h:
2284         (JSC::DFG::AbstractValue::fullTop):
2285         (JSC::DFG::AbstractValue::merge):
2286         * dfg/DFGByteCodeParser.cpp:
2287         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2288         * dfg/DFGCFAPhase.cpp:
2289         (JSC::DFG::CFAPhase::run):
2290         * dfg/DFGCommonData.cpp:
2291         (JSC::DFG::CommonData::invalidate):
2292         (JSC::DFG::CommonData::validateReferences):
2293         * dfg/DFGCommonData.h:
2294         (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
2295         * dfg/DFGFrozenValue.h:
2296         (JSC::DFG::FrozenValue::FrozenValue):
2297         (JSC::DFG::FrozenValue::strengthenTo):
2298         (JSC::DFG::FrozenValue::pointsToHeap):
2299         (JSC::DFG::FrozenValue::strength):
2300         (JSC::DFG::FrozenValue::freeze):
2301         * dfg/DFGGraph.cpp:
2302         (JSC::DFG::Graph::Graph):
2303         (JSC::DFG::Graph::dump):
2304         (JSC::DFG::Graph::registerFrozenValues):
2305         (JSC::DFG::Graph::visitChildren):
2306         (JSC::DFG::Graph::freeze):
2307         (JSC::DFG::Graph::freezeStrong):
2308         (JSC::DFG::Graph::freezeFragile): Deleted.
2309         * dfg/DFGGraph.h:
2310         * dfg/DFGInPlaceAbstractState.cpp:
2311         (JSC::DFG::InPlaceAbstractState::initialize):
2312         * dfg/DFGJITCode.cpp:
2313         (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
2314         (JSC::DFG::JITCode::validateReferences):
2315         * dfg/DFGJITCode.h:
2316         * dfg/DFGJITCompiler.cpp:
2317         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
2318         (JSC::DFG::JITCompiler::noticeOSREntry):
2319         * dfg/DFGJITCompiler.h:
2320         (JSC::DFG::JITCompiler::branchStructurePtr):
2321         (JSC::DFG::JITCompiler::jitCode):
2322         (JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
2323         * dfg/DFGMinifiedGraph.cpp: Added.
2324         (JSC::DFG::MinifiedGraph::prepareAndShrink):
2325         (JSC::DFG::MinifiedGraph::validateReferences):
2326         * dfg/DFGMinifiedGraph.h:
2327         (JSC::DFG::MinifiedGraph::append):
2328         (JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
2329         * dfg/DFGOSREntry.cpp:
2330         (JSC::DFG::OSREntryData::dumpInContext):
2331         (JSC::DFG::OSREntryData::dump):
2332         (JSC::DFG::prepareOSREntry):
2333         * dfg/DFGOSREntry.h:
2334         (JSC::DFG::getOSREntryDataBytecodeIndex):
2335         * dfg/DFGPlan.cpp:
2336         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2337         * dfg/DFGSpeculativeJIT.cpp:
2338         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2339         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2340         * dfg/DFGStructureAbstractValue.cpp:
2341         (JSC::DFG::StructureAbstractValue::dump):
2342         (JSC::DFG::StructureAbstractValue::validateReferences):
2343         * dfg/DFGStructureAbstractValue.h:
2344         * dfg/DFGValidate.cpp:
2345         (JSC::DFG::Validate::validate):
2346         * dfg/DFGValueStrength.cpp:
2347         (WTF::printInternal):
2348         * dfg/DFGValueStrength.h:
2349         (JSC::DFG::merge):
2350         * ftl/FTLExitPropertyValue.cpp:
2351         (JSC::FTL::ExitPropertyValue::dump):
2352         (JSC::FTL::ExitPropertyValue::validateReferences):
2353         * ftl/FTLExitPropertyValue.h:
2354         * ftl/FTLExitTimeObjectMaterialization.cpp:
2355         (JSC::FTL::ExitTimeObjectMaterialization::dump):
2356         (JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
2357         * ftl/FTLExitTimeObjectMaterialization.h:
2358         * ftl/FTLExitValue.cpp:
2359         (JSC::FTL::ExitValue::dump):
2360         (JSC::FTL::ExitValue::validateReferences):
2361         * ftl/FTLExitValue.h:
2362         * ftl/FTLJITCode.cpp:
2363         (JSC::FTL::JITCode::dfgCommon):
2364         (JSC::FTL::JITCode::validateReferences):
2365         * ftl/FTLJITCode.h:
2366         (JSC::FTL::JITCode::handles):
2367         (JSC::FTL::JITCode::dataSections):
2368         * ftl/FTLOSRExit.cpp:
2369         (JSC::FTL::OSRExit::codeLocationForRepatch):
2370         (JSC::FTL::OSRExit::validateReferences):
2371         * ftl/FTLOSRExit.h:
2372         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2373         * jit/JITCode.cpp:
2374         (JSC::JITCode::typeName):
2375         (JSC::JITCode::validateReferences):
2376         (JSC::JITCode::execute):
2377         * jit/JITCode.h:
2378         (JSC::JITCode::start):
2379         * tests/stress/dead-osr-entry-value.js: Added.
2380         (foo):
2381
2382 2015-07-09  Filip Pizlo  <fpizlo@apple.com>
2383
2384         It should be possible to run the OSR exit fuzzer
2385         https://bugs.webkit.org/show_bug.cgi?id=146814
2386
2387         Reviewed by Mark Lam.
2388         
2389         Fix a silly bug: the option matching was accidentally allowing a prefix match, which
2390         always did the wrong thing for --fireOSRExitFuzzAt and --fireOSRExitFuzzAtStatic. Make
2391         this an exact match instead.
2392
2393         * runtime/Options.cpp:
2394         (JSC::Options::setOption):
2395
2396 2015-07-09  Mark Lam  <mark.lam@apple.com>
2397
2398         SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.
2399         https://bugs.webkit.org/show_bug.cgi?id=146807
2400
2401         Reviewed by Filip Pizlo.
2402
2403         When we capture an argument by name and we use "arguments", we put all of the
2404         arguments into the scope.  But destructured arguments are put into the scope
2405         anonymously i.e. the SymbolTable knows that the scope offset is in use via
2406         SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in
2407         SymbolTable::m_map.
2408
2409         The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will
2410         have a size which is based on the largest ScopeOffset in the m_map.  If we have a
2411         scenario where the anonymous argument is at a higher ScopeOffset than all the
2412         named arguments, then the m_localsToEntry vector will not have an entry for it
2413         i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of
2414         the anonymous argument.
2415
2416         Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is
2417         within the bounds of the m_localToEntry vector before indexing into it.
2418
2419         * runtime/SymbolTable.cpp:
2420         (JSC::SymbolTable::entryFor):
2421
2422 2015-07-09  Michael Saboff  <msaboff@apple.com>
2423
2424         REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
2425         https://bugs.webkit.org/show_bug.cgi?id=146767
2426
2427         Reviewed by Geoffrey Garen.
2428
2429         If the stack check fails at the top most frame, we must use that frame to
2430         generate the exception.  Reverted the code to always use the current frame to
2431         throw an out of stack exception.
2432
2433         * llint/LLIntSlowPaths.cpp:
2434         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2435
2436 2015-07-03  Filip Pizlo  <fpizlo@apple.com>
2437
2438         OSR exit fuzzing should allow us to select a static exit site
2439         https://bugs.webkit.org/show_bug.cgi?id=146601
2440
2441         Reviewed by Geoffrey Garen.
2442         
2443         The original implementation of the fuzzer allows us to trigger an exit based on its index
2444         in the dynamic sequence of exit sites encountered. But there are usually millions of
2445         dynamically encountered exit sites, even if the program only has thousands of static exit
2446         sites. That means that we would at best be able to do a random sampling of exits, and
2447         those would be biased to the hottest exit sites.
2448         
2449         This change allows us to also select exit sites based on their index in the static
2450         sequence of exit sites that the compiler compiled. Then, once that static exit site is
2451         selected, we can select which dynamic exit at that exit site we should trigger. Since the
2452         number of static exit sites is usually smallish (it's bounded by program size), we can do
2453         an exhaustive search over all exit sites in most programs.
2454
2455         * dfg/DFGOSRExitFuzz.cpp:
2456         (JSC::numberOfStaticOSRExitFuzzChecks):
2457         (JSC::numberOfOSRExitFuzzChecks):
2458         * dfg/DFGOSRExitFuzz.h:
2459         (JSC::DFG::doOSRExitFuzzing):
2460         * dfg/DFGSpeculativeJIT.cpp:
2461         (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
2462         * ftl/FTLLowerDFGToLLVM.cpp:
2463         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2464         * jsc.cpp:
2465         (jscmain):
2466         * runtime/Options.h:
2467         * runtime/TestRunnerUtils.h:
2468
2469 2015-07-08  Joseph Pecoraro  <pecoraro@apple.com>
2470
2471         Fix grammar issue in TypeError attempting to change an unconfigurable property
2472         https://bugs.webkit.org/show_bug.cgi?id=146774
2473
2474         Reviewed by Brent Fulgham.
2475
2476         * runtime/JSFunction.cpp:
2477         (JSC::JSFunction::defineOwnProperty):
2478         * runtime/JSObject.cpp:
2479         (JSC::JSObject::defineOwnNonIndexProperty):
2480         * runtime/StringObject.cpp:
2481         (JSC::StringObject::defineOwnProperty):
2482
2483 2015-07-06  Csaba Osztrogonác  <ossy@webkit.org>
2484
2485         Remove the unused HeapBlock.h
2486         https://bugs.webkit.org/show_bug.cgi?id=146580
2487
2488         Reviewed by Andreas Kling.
2489
2490         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2491         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2492         * JavaScriptCore.xcodeproj/project.pbxproj:
2493         * heap/CopiedBlock.h:
2494         * heap/CopiedSpace.h:
2495         * heap/CopiedSpaceInlines.h:
2496         * heap/HandleBlock.h:
2497         * heap/HeapBlock.h: Removed.
2498         * heap/MarkedBlock.h:
2499
2500 2015-07-06  Saam barati  <saambarati1@gmail.com>
2501
2502         JSC's parser should follow the ES6 spec with respect to parsing Declarations
2503         https://bugs.webkit.org/show_bug.cgi?id=146621
2504
2505         Reviewed by Mark Lam.
2506
2507         There were a few locations where JSC would allow declaration statements
2508         in incorrect ways. JSC didn't distinguish between 'Statement' and
2509         'StatementListItem' grammar productions. The relevant grammar is here:
2510         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements
2511
2512         From the ECMA Script 6.0 spec:
2513         1. Section 13.6 The if Statement (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-if-statement) 
2514          says that IfStatements only takes Statements for the "then-else" clauses, not StatementListItems.
2515          (Same with 'while/for/do-while' loop bodies).
2516         2. Section 13 ECMAScript Language: Statements and Declarations 
2517          (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-ecmascript-language-statements-and-declarations)
2518          defines the syntax of Statements, and they do not include ClassDeclarations and LexicalDeclarations 
2519          (const, let, see 13.3.1 Let and Const Declarations).
2520          Declarations can only be in the “then-else” clauses when embedded in a StatementListItem in a BlockStatement (see 13.2).
2521
2522         Hence, the following style of declarations are no longer allowed:
2523             'if/for/while (condition) const x = 40;'
2524             'if/for/while (condition) class C { }'
2525
2526         Instead, we mandate such declaration constructs are within a StatementList 
2527        (which is the production that JSC's Parser::parseSourceElements function parses):
2528            'if/for/while (condition) { const x = 40; }'
2529            'if/for/while (condition) { class C { } }'
2530
2531         * parser/Parser.cpp:
2532         (JSC::Parser<LexerType>::parseSourceElements):
2533         (JSC::Parser<LexerType>::parseStatementListItem):
2534         (JSC::Parser<LexerType>::parseVarDeclaration):
2535         (JSC::Parser<LexerType>::parseStatement):
2536         (JSC::Parser<LexerType>::parseExpressionStatement):
2537         * parser/Parser.h:
2538         (JSC::Parser::getLabel):
2539
2540 2015-07-06  Alex Christensen  <achristensen@webkit.org>
2541
2542         Unreviewed debug build fix after r186358.
2543
2544         * runtime/JSArray.cpp:
2545         (JSC::JSArray::fastConcatWith):
2546         Pass vm parameter to fastConcatType.
2547
2548 2015-07-06  Ryosuke Niwa  <rniwa@webkit.org>
2549
2550         Array.concat should be fast for integer or double arrays
2551         https://bugs.webkit.org/show_bug.cgi?id=146260
2552
2553         Reviewed by Darin Adler.
2554
2555         Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous
2556         arrays, simply memcopy the arrays into a new uninitialized buffer.
2557
2558         This improves huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro.
2559
2560         * runtime/ArrayPrototype.cpp:
2561         (JSC::arrayProtoFuncConcat):
2562         * runtime/JSArray.cpp:
2563         (JSC::JSArray::fastConcatWith): Added.
2564         * runtime/JSArray.h:
2565         (JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use
2566         the fact path. Returns NonArray otherwise.
2567
2568 2015-07-06  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2569
2570         [Streams API] Remove ReadableStream custom constructor
2571         https://bugs.webkit.org/show_bug.cgi?id=146547
2572
2573         Reviewed by Darin Adler.
2574
2575         Adding helper function to throw range errors.
2576
2577         * runtime/Error.h:
2578         (JSC::throwRangeError):
2579         (JSC::throwVMRangeError):
2580
2581 2015-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2582
2583         [ES6] Implement the latest Promise spec in JS
2584         https://bugs.webkit.org/show_bug.cgi?id=146229
2585
2586         Reviewed by Sam Weinig.
2587
2588         Updated the Promise implementation to meet to the ES6 spec.
2589         This patch
2590         1. Implement ES6 Promise and related abstract operations in builtins JS
2591         2. Expose @enqueueJob private function to JS world to post the microtask
2592
2593         Updated implementation has one-on-one correspondence to the ES6 spec description.
2594         And keep the JSPromiseDeferred because it is the interface used from the WebCore.
2595
2596         * CMakeLists.txt:
2597         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2598         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2599         * JavaScriptCore.xcodeproj/project.pbxproj:
2600         * builtins/Array.prototype.js:
2601         (reduce):
2602         (reduceRight):
2603         (every):
2604         (forEach):
2605         (filter):
2606         (map):
2607         (some):
2608         (fill):
2609         (find):
2610         (findIndex):
2611         (includes):
2612         (copyWithin):
2613         ToInteger / ToLength are renamed to toInteger and toLength.
2614         * builtins/ArrayConstructor.js:
2615         (from):
2616         ToInteger / ToLength are renamed to toInteger and toLength.
2617         * builtins/GlobalObject.js:
2618         (toInteger):
2619         (toLength):
2620         (isObject):
2621         (ToInteger): Deleted.
2622         (ToLength): Deleted.
2623         ToInteger / ToLength are renamed to toInteger and toLength.
2624         Add new abstract operation, isObject.
2625         * builtins/Operations.Promise.js: Added.
2626         (isPromise):
2627         (newPromiseReaction):
2628         (newPromiseDeferred):
2629         (newPromiseCapability.executor):
2630         (newPromiseCapability):
2631         (triggerPromiseReactions):
2632         (rejectPromise):
2633         (fulfillPromise):
2634         (createResolvingFunctions.resolve):
2635         (createResolvingFunctions.reject):
2636         (createResolvingFunctions):
2637         (promiseReactionJob):
2638         (promiseResolveThenableJob):
2639         (initializePromise):
2640         Added Promise related abstract operations.
2641         * builtins/Promise.prototype.js:
2642         (catch):
2643         (.onFulfilled):
2644         (.onRejected):
2645         (then):
2646         Promise#then implementation in JS.
2647         * builtins/PromiseConstructor.js: Added.
2648         (all.newResolveElement):
2649         (all):
2650         (race):
2651         (reject):
2652         (resolve):
2653         Promise static functions implementations in JS.
2654         * builtins/StringConstructor.js:
2655         (raw):
2656         ToInteger / ToLength are renamed to toInteger and toLength.
2657         * inspector/JSInjectedScriptHost.cpp:
2658         (Inspector::JSInjectedScriptHost::getInternalProperties):
2659         * runtime/CommonIdentifiers.h:
2660         * runtime/JSGlobalObject.cpp:
2661         (JSC::enqueueJob):
2662         (JSC::JSGlobalObject::init):
2663         (JSC::JSGlobalObject::visitChildren):
2664         * runtime/JSGlobalObject.h:
2665         (JSC::JSGlobalObject::initializePromiseFunction):
2666         (JSC::JSGlobalObject::newPromiseDeferredFunction):
2667         * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h.
2668         (JSC::createJSJob):
2669         (JSC::JSJobMicrotask::run):
2670         * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h.
2671         * runtime/JSPromise.cpp:
2672         (JSC::JSPromise::create):
2673         (JSC::JSPromise::JSPromise):
2674         (JSC::JSPromise::finishCreation):
2675         (JSC::JSPromise::result):
2676         (JSC::JSPromise::destroy): Deleted.
2677         (JSC::JSPromise::visitChildren): Deleted.
2678         (JSC::JSPromise::reject): Deleted.
2679         (JSC::JSPromise::resolve): Deleted.
2680         (JSC::JSPromise::appendResolveReaction): Deleted.
2681         (JSC::JSPromise::appendRejectReaction): Deleted.
2682         (JSC::triggerPromiseReactions): Deleted.
2683         * runtime/JSPromise.h:
2684         (JSC::JSPromise::status): Deleted.
2685         (JSC::JSPromise::result): Deleted.
2686         (JSC::JSPromise::constructor): Deleted.
2687         * runtime/JSPromiseConstructor.cpp:
2688         (JSC::constructPromise):
2689         (JSC::JSPromiseConstructorFuncResolve): Deleted.
2690         (JSC::JSPromiseConstructorFuncReject): Deleted.
2691         (JSC::performPromiseRaceLoop): Deleted.
2692         (JSC::JSPromiseConstructorFuncRace): Deleted.
2693         (JSC::performPromiseAll): Deleted.
2694         (JSC::JSPromiseConstructorFuncAll): Deleted.
2695         * runtime/JSPromiseDeferred.cpp:
2696         (JSC::JSPromiseDeferred::create):
2697         (JSC::createJSPromiseDeferredFromConstructor): Deleted.
2698         (JSC::updateDeferredFromPotentialThenable): Deleted.
2699         (JSC::performDeferredResolve): Deleted.
2700         (JSC::performDeferredReject): Deleted.
2701         (JSC::abruptRejection): Deleted.
2702         * runtime/JSPromiseDeferred.h:
2703         * runtime/JSPromiseFunctions.cpp: Removed.
2704         (JSC::deferredConstructionFunction): Deleted.
2705         (JSC::createDeferredConstructionFunction): Deleted.
2706         (JSC::identifyFunction): Deleted.
2707         (JSC::createIdentifyFunction): Deleted.
2708         (JSC::promiseAllCountdownFunction): Deleted.
2709         (JSC::createPromiseAllCountdownFunction): Deleted.
2710         (JSC::promiseResolutionHandlerFunction): Deleted.
2711         (JSC::createPromiseResolutionHandlerFunction): Deleted.
2712         (JSC::rejectPromiseFunction): Deleted.
2713         (JSC::createRejectPromiseFunction): Deleted.
2714         (JSC::resolvePromiseFunction): Deleted.
2715         (JSC::createResolvePromiseFunction): Deleted.
2716         (JSC::throwerFunction): Deleted.
2717         (JSC::createThrowerFunction): Deleted.
2718         * runtime/JSPromisePrototype.cpp:
2719         (JSC::JSPromisePrototypeFuncThen): Deleted.
2720         * runtime/JSPromiseReaction.cpp: Removed.
2721         (JSC::createExecutePromiseReactionMicrotask): Deleted.
2722         (JSC::ExecutePromiseReactionMicrotask::run): Deleted.
2723         (JSC::JSPromiseReaction::create): Deleted.
2724         (JSC::JSPromiseReaction::JSPromiseReaction): Deleted.
2725         (JSC::JSPromiseReaction::finishCreation): Deleted.
2726         (JSC::JSPromiseReaction::visitChildren): Deleted.
2727         * runtime/VM.cpp:
2728         (JSC::VM::VM): Deleted.
2729         * runtime/VM.h:
2730
2731 2015-07-04  Chris Dumez  <cdumez@apple.com>
2732
2733         Drop RefPtr::clear() method
2734         https://bugs.webkit.org/show_bug.cgi?id=146556
2735
2736         Reviewed by Brady Eidson.
2737
2738         Drop RefPtr::clear() method in favor of "= nullptr;" pattern.
2739
2740 2015-07-03  Dan Bernstein  <mitz@apple.com>
2741
2742         Just give up on -Wunreachable-code in JavaScriptCore.
2743
2744         * Configurations/Base.xcconfig:
2745         * llint/LowLevelInterpreter.cpp:
2746         (JSC::CLoop::execute):
2747
2748 2015-07-03  Dan Bernstein  <mitz@apple.com>
2749
2750         Fixed the LLINT CLoop build.
2751
2752         * llint/LowLevelInterpreter.cpp:
2753         (JSC::CLoop::execute):
2754
2755 2015-07-03  Dan Bernstein  <mitz@apple.com>
2756
2757         [Xcode] Update some build settings as recommended by Xcode 7
2758         https://bugs.webkit.org/show_bug.cgi?id=146597
2759
2760         Reviewed by Sam Weinig.
2761
2762         * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
2763         GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.
2764
2765         * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.
2766
2767         * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings.
2768
2769 2015-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2770
2771         Relax builtin JS restriction about try-catch
2772         https://bugs.webkit.org/show_bug.cgi?id=146555
2773
2774         Reviewed by Sam Weinig.
2775
2776         When retrieving the captured variables from the full activated scope,
2777         it swapped the given vector with the stored declared variables vector.
2778         This is because retrieving the captured variables are executed in the
2779         last sequence of the parser, so declared variables are no longer used.
2780         However, in builtins functions case, after retrieving the captured
2781         variables, we check the variables by using declared variables vector.
2782         So at that time, the declared variables vector becomes empty and it
2783         raises assertion failures when the builtins function contains the full
2784         activated scope. try-catch's catch scope requires the upper scope full
2785         activated, so JS code in the builtins cannot use the try-catch.
2786
2787         This patch relaxes this restriction. When retrieving the captured
2788         variables from the scope, just copy to the given vector.
2789
2790         * parser/Parser.h:
2791         (JSC::Scope::getCapturedVariables):
2792
2793 2015-07-02  Filip Pizlo  <fpizlo@apple.com>
2794
2795         DFG and FTL should have an OSR exit fuzzer
2796         https://bugs.webkit.org/show_bug.cgi?id=146562
2797
2798         Reviewed by Benjamin Poulain.
2799         
2800         Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I
2801         spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how
2802         to harness this after I land it.
2803         
2804         Since it's turned off by default, it should have no effect on behavior.
2805
2806         * CMakeLists.txt:
2807         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2808         * JavaScriptCore.xcodeproj/project.pbxproj:
2809         * dfg/DFGOSRExitFuzz.cpp: Added.
2810         (JSC::numberOfOSRExitFuzzChecks):
2811         * dfg/DFGOSRExitFuzz.h: Added.
2812         * dfg/DFGSpeculativeJIT.cpp:
2813         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
2814         (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
2815         (JSC::DFG::SpeculativeJIT::speculationCheck):
2816         * dfg/DFGSpeculativeJIT.h:
2817         * ftl/FTLLowerDFGToLLVM.cpp:
2818         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2819         * jsc.cpp:
2820         (jscmain):
2821         * runtime/Options.h:
2822         * runtime/TestRunnerUtils.h:
2823
2824 2015-07-02  Saam barati  <saambarati1@gmail.com>
2825
2826         Rename "Deconstruction" to "Destructuring" throughout JSC
2827         https://bugs.webkit.org/show_bug.cgi?id=146100
2828
2829         Reviewed by Mark Lam.
2830
2831         It is good to use the same naming conventions as the ES6 
2832         spec because it is the de facto way of speaking about these 
2833         language features. This also has the benefit of improving JSC's
2834         hackability because it improves code readability for newcomers 
2835         to JSC or newcomers to this part of the code base.
2836
2837         * bytecompiler/BytecodeGenerator.cpp:
2838         (JSC::BytecodeGenerator::generate):
2839         (JSC::BytecodeGenerator::BytecodeGenerator):
2840         (JSC::BytecodeGenerator::initializeNextParameter):
2841         (JSC::BytecodeGenerator::visibleNameForParameter):
2842         * bytecompiler/BytecodeGenerator.h:
2843         (JSC::BytecodeGenerator::registerFor):
2844         * bytecompiler/NodesCodegen.cpp:
2845         (JSC::ForInNode::tryGetBoundLocal):
2846         (JSC::ForInNode::emitLoopHeader):
2847         (JSC::ForOfNode::emitBytecode):
2848         (JSC::ClassExprNode::emitBytecode):
2849         (JSC::DestructuringAssignmentNode::emitBytecode):
2850         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
2851         (JSC::ArrayPatternNode::collectBoundIdentifiers):
2852         (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted.
2853         (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted.
2854         * parser/ASTBuilder.h:
2855         (JSC::ASTBuilder::createElementList):
2856         (JSC::ASTBuilder::createFormalParameterList):
2857         (JSC::ASTBuilder::createClause):
2858         (JSC::ASTBuilder::createClauseList):
2859         (JSC::ASTBuilder::createForInLoop):
2860         (JSC::ASTBuilder::createForOfLoop):
2861         (JSC::ASTBuilder::isBindingNode):
2862         (JSC::ASTBuilder::isResolve):
2863         (JSC::ASTBuilder::createDestructuringAssignment):
2864         (JSC::ASTBuilder::createArrayPattern):
2865         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
2866         (JSC::ASTBuilder::appendArrayPatternEntry):
2867         (JSC::ASTBuilder::appendArrayPatternRestEntry):
2868         (JSC::ASTBuilder::createObjectPattern):
2869         (JSC::ASTBuilder::appendObjectPatternEntry):
2870         (JSC::ASTBuilder::createDeconstructingAssignment): Deleted.
2871         * parser/NodeConstructors.h:
2872         (JSC::TryNode::TryNode):
2873         (JSC::ParameterNode::ParameterNode):
2874         (JSC::ForOfNode::ForOfNode):
2875         (JSC::DestructuringPatternNode::DestructuringPatternNode):
2876         (JSC::ArrayPatternNode::ArrayPatternNode):
2877         (JSC::ArrayPatternNode::create):
2878         (JSC::ObjectPatternNode::ObjectPatternNode):
2879         (JSC::BindingNode::create):
2880         (JSC::BindingNode::BindingNode):
2881         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
2882         (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted.
2883         (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted.
2884         * parser/Nodes.cpp:
2885         (JSC::FunctionParameters::create):
2886         * parser/Nodes.h:
2887         (JSC::ExpressionNode::isResolveNode):
2888         (JSC::ExpressionNode::isBracketAccessorNode):
2889         (JSC::ExpressionNode::isDotAccessorNode):
2890         (JSC::ExpressionNode::isDestructuringNode):
2891         (JSC::ExpressionNode::isFuncExprNode):
2892         (JSC::ExpressionNode::isCommaNode):
2893         (JSC::ExpressionNode::isSimpleArray):
2894         (JSC::ParameterNode::pattern):
2895         (JSC::ParameterNode::nextParam):
2896         (JSC::FunctionParameters::size):
2897         (JSC::FunctionParameters::at):
2898         (JSC::FunctionParameters::patterns):
2899         (JSC::DestructuringPatternNode::isBindingNode):
2900         (JSC::DestructuringPatternNode::emitDirectBinding):
2901         (JSC::ArrayPatternNode::appendIndex):
2902         (JSC::ObjectPatternNode::appendEntry):
2903         (JSC::BindingNode::boundProperty):
2904         (JSC::DestructuringAssignmentNode::bindings):
2905         (JSC::ExpressionNode::isDeconstructionNode): Deleted.
2906         (JSC::DeconstructionPatternNode::isBindingNode): Deleted.
2907         (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted.
2908         (JSC::DeconstructingAssignmentNode::bindings): Deleted.
2909         * parser/Parser.cpp:
2910         (JSC::Parser<LexerType>::parseVarDeclaration):
2911         (JSC::Parser<LexerType>::parseWhileStatement):
2912         (JSC::Parser<LexerType>::parseVarDeclarationList):
2913         (JSC::Parser<LexerType>::createBindingPattern):
2914         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
2915         (JSC::Parser<LexerType>::parseDestructuringPattern):
2916         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
2917         (JSC::Parser<LexerType>::parseForStatement):
2918         (JSC::Parser<LexerType>::parseFormalParameters):
2919         (JSC::Parser<LexerType>::parseFunctionParameters):
2920         (JSC::Parser<LexerType>::parseAssignmentExpression):
2921         (JSC::Parser<LexerType>::tryParseDeconstructionPatternExpression): Deleted.
2922         (JSC::Parser<LexerType>::parseDeconstructionPattern): Deleted.
2923         (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern): Deleted.
2924         * parser/Parser.h:
2925         (JSC::isEvalNode):
2926         * parser/SyntaxChecker.h:
2927         (JSC::SyntaxChecker::createPropertyList):
2928         (JSC::SyntaxChecker::createElementList):
2929         (JSC::SyntaxChecker::createFormalParameterList):
2930         (JSC::SyntaxChecker::createClause):
2931         (JSC::SyntaxChecker::createClauseList):
2932         (JSC::SyntaxChecker::operatorStackPop):
2933         * tests/stress/reserved-word-with-escape.js:
2934         * tests/stress/rest-elements.js:
2935
2936 2015-07-02  Mark Lam  <mark.lam@apple.com>
2937
2938         Build fix for Win EWS bot.
2939         https://bugs.webkit.org/show_bug.cgi?id=146551
2940
2941         Not reviewed.
2942
2943         * tools/JSDollarVMPrototype.cpp:
2944         (JSC::functionCrash):
2945
2946 2015-07-02  Dan Bernstein  <mitz@apple.com>
2947
2948         <rdar://problem/21429613> [iOS] Stop making symlinks from PrivateFrameworks to Frameworks
2949         https://bugs.webkit.org/show_bug.cgi?id=146542
2950
2951         Reviewed by Sam Weinig.
2952
2953         * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink.
2954
2955 2015-07-01  Joseph Pecoraro  <pecoraro@apple.com>
2956
2957         Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes
2958         https://bugs.webkit.org/show_bug.cgi?id=146536
2959
2960         Reviewed by Timothy Hatcher.
2961
2962         * inspector/protocol/Timeline.json:
2963         Change a CPUProfile from sending a required "calls" param to sending a required
2964         "callInfo" param which includes aggregated information about the calls.
2965
2966 2015-06-30  Filip Pizlo  <fpizlo@apple.com>
2967
2968         DFG::freezeFragile should register the frozen value's structure
2969         https://bugs.webkit.org/show_bug.cgi?id=136055
2970         rdar://problem/21042120
2971
2972         Reviewed by Mark Lam and Geoffrey Garen.
2973         
2974         This fixes weird concurrency bugs where the constant folding phase tries to convert
2975         something to a constant but then crashes because the constant's structure wasn't
2976         registered. The AI was registering the structure of any value it saw, but constant folding
2977         wasn't - and that's fine so long as there ain't no concurrency.
2978         
2979         The best fix is to just make it impossible to introduce a constant into the IR without
2980         registering its structure. That's what this change does. This is not only a great
2981         concurrency fix - it also makes the compiler somewhat easier to hack on because it's one
2982         less case of structure registering that you have to remember about.
2983         
2984         * dfg/DFGAbstractValue.cpp:
2985         (JSC::DFG::AbstractValue::setOSREntryValue): No need to register.
2986         (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state.
2987         * dfg/DFGGraph.cpp:
2988         (JSC::DFG::Graph::freezeFragile): Register the structure.
2989         * dfg/DFGStructureRegistrationPhase.cpp:
2990         (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered.
2991
2992 2015-07-01  Matthew Mirman  <mmirman@apple.com>
2993
2994         Unreviewed, rolling out r185889
2995         https://bugs.webkit.org/show_bug.cgi?id=146528
2996         rdar://problem/21573959
2997
2998         Patch breaks chromeexperiments.com
2999         
3000         Reverted changeset:
3001         
3002         * CMakeLists.txt:
3003         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3004         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3005         * JavaScriptCore.xcodeproj/project.pbxproj:
3006         * inspector/InjectedScriptSource.js:
3007         (.):
3008         * runtime/JSBoundSlotBaseFunction.cpp: Removed.
3009         * runtime/JSBoundSlotBaseFunction.h: Removed.
3010         * runtime/JSGlobalObject.cpp:
3011         (JSC::JSGlobalObject::init): Deleted.
3012         (JSC::JSGlobalObject::visitChildren): Deleted.
3013         * runtime/JSGlobalObject.h:
3014         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
3015         * runtime/JSObject.cpp:
3016         (JSC::JSObject::getOwnPropertyDescriptor):
3017         (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
3018         * runtime/VM.cpp:
3019         (JSC::VM::VM): Deleted.
3020         * runtime/VM.h:
3021
3022 2015-07-01  Dean Jackson  <dino@apple.com>
3023
3024         Disable the experimental WebGL2 implementation
3025         https://bugs.webkit.org/show_bug.cgi?id=146526
3026         <rdar://problem/21641235>
3027
3028         Reviewed by Myles Maxfield.
3029
3030         Add (and disable) an ENABLE_WEBGL2 flag.
3031
3032         * Configurations/FeatureDefines.xcconfig:
3033
3034 2015-07-01  Matthew Daiter  <mdaiter@apple.com>
3035
3036         Enable MEDIA_STREAM flag
3037         https://bugs.webkit.org/show_bug.cgi?id=145947
3038         <rdar://problem/21365829>
3039
3040         Reviewed by Eric Carlson.
3041
3042         * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag
3043
3044 2015-06-30  Andy VanWagoner  <thetalecrafter@gmail.com>
3045
3046         Implement ECMAScript Internationalization API
3047         https://bugs.webkit.org/show_bug.cgi?id=90906
3048
3049         Reviewed by Benjamin Poulain.
3050
3051         * CMakeLists.txt: add IntlObject.cpp
3052         * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag
3053         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject
3054         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject
3055         * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject
3056         * runtime/CommonIdentifiers.h: add "Intl" name
3057         * runtime/IntlObject.cpp: Added.
3058         (JSC::IntlObject::IntlObject):
3059         (JSC::IntlObject::create):
3060         (JSC::IntlObject::finishCreation):
3061         (JSC::IntlObject::createStructure):
3062         * runtime/IntlObject.h: Added.
3063         * runtime/JSGlobalObject.cpp: Add global Intl
3064         (JSC::JSGlobalObject::init):
3065
3066 2015-06-30  Basile Clement  <basile_clement@apple.com>
3067
3068         Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes
3069         https://bugs.webkit.org/show_bug.cgi?id=146431
3070
3071         Reviewed by Filip Pizlo.
3072
3073         * dfg/DFGNode.h:
3074         (JSC::DFG::Node::isFunctionAllocation):
3075         (JSC::DFG::Node::isPhantomFunctionAllocation):
3076         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3077         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
3078         * dfg/DFGPromoteHeapAccess.h:
3079         (JSC::DFG::promoteHeapAccess):
3080
3081 2015-06-30  Matt Baker  <mattbaker@apple.com>
3082
3083         Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing
3084         https://bugs.webkit.org/show_bug.cgi?id=146168
3085
3086         Reviewed by Brian Burg.
3087
3088         * inspector/protocol/Timeline.json:
3089         New timeline record type for compositing events.
3090
3091 2015-06-29  Dean Jackson  <dino@apple.com>
3092
3093         Temporarily disable PICTURE_SIZES
3094         https://bugs.webkit.org/show_bug.cgi?id=146435
3095         <rdar://problem/21087013>
3096
3097         Reviewed by Tim Horton.
3098
3099         Temporarily disable PICTURE_SIZES because it causes problems with out
3100         of date <picture> polyfills.
3101
3102         * Configurations/FeatureDefines.xcconfig:
3103
3104 2015-06-29  Youenn Fablet  <youenn.fablet@crf.canon.fr>
3105
3106         Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue
3107         https://bugs.webkit.org/show_bug.cgi?id=146403
3108
3109         Reviewed by Darin Adler.
3110
3111         * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue.
3112
3113 2015-06-28 Aleksandr Skachkov   <gskachkov@gmail.com>
3114
3115         [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and =>
3116         https://bugs.webkit.org/show_bug.cgi?id=146394
3117
3118         Reviewed by Yusuke Suzuki.
3119
3120         * parser/Parser.cpp:
3121         (JSC::Parser<LexerType>::parseFunctionInfo):
3122
3123 2015-06-27  Darin Adler  <darin@apple.com>
3124
3125         Make converting JSString to StringView idiomatically safe
3126         https://bugs.webkit.org/show_bug.cgi?id=146387
3127
3128         Reviewed by Anders Carlsson.
3129
3130         * jsc.cpp:
3131         (functionPrint): Add explicit call to SafeView::get, needed since there
3132         is no StringView temporary.
3133         (functionDebug): Ditto.
3134
3135         * runtime/ArrayPrototype.cpp:
3136         (JSC::holesMustForwardToPrototype): Refactored into helper function.
3137         (JSC::join): Refactored so that StringView is a function argument, making
3138         the lifetime simpler.
3139         (JSC::arrayProtoFuncJoin): Ditto.
3140         (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper.
3141
3142         * runtime/JSGlobalObjectFunctions.cpp:
3143         (JSC::encode): Add explicit call to SafeView::get.
3144
3145         * runtime/JSString.h: Moved declarations of functions to the top of the
3146         file instead of mixing them in with the function definitions. Changed
3147         return type of the view function to return a JSString::SafeView so that
3148         the JSString's lifetime will last as long as the StringView does in
3149         typical coding idioms.
3150         (JSC::JSString::getIndex): Use unsafeView so we can index into the
3151         view; could also have used view.get but here in this class this seems fine.
3152         (JSC::JSRopeString::unsafeView): Renamed existing view function to this.
3153         (JSC::JSString::unsafeView): Ditto.
3154         (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState
3155         and a JSString. The ExecState is needed to create the StringView, and the
3156         JSString needs to be kept alive as long as the StringView is.
3157         (JSC::JSString::SafeView::operator StringView): Call unsafeView.
3158         (JSC::JSString::SafeView::get): Convenience for when we want to call
3159         StringView member functions.
3160         (JSC::JSString::view): Added. Returns a SafeView.
3161
3162         * runtime/StringPrototype.cpp:
3163         (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get.
3164
3165 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
3166
3167         Remove ARMv7Assembler.cpp
3168         https://bugs.webkit.org/show_bug.cgi?id=146340
3169
3170         Reviewed by Filip Pizlo.
3171
3172         * CMakeLists.txt:
3173         * JavaScriptCore.xcodeproj/project.pbxproj:
3174         * assembler/ARMv7Assembler.cpp: Removed.
3175
3176 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
3177
3178         Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989
3179         https://bugs.webkit.org/show_bug.cgi?id=146344
3180
3181         Reviewed by Yusuke Suzuki.
3182
3183         * parser/Parser.cpp:
3184         (JSC::Parser<LexerType>::parseSourceElements):
3185
3186 2015-06-26 Aleksandr Skachkov  <gskachkov@gmail.com>
3187
3188          [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function. 
3189          https://bugs.webkit.org/show_bug.cgi?id=144955
3190
3191          Reviewed by Yusuke Suzuki.
3192
3193          Added support of ES6 arrow function. Changes were made according to following spec http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. Patch does not include any arrow function specific behavior e.g. lexical bind this, arguments and etc.     
3194         This patch implements the simplest cases of arrow function declaration:
3195            parameters             () => 10 + 20
3196            parameter               x => x + 20
3197            parameters         (x, y) => x + y
3198            function with block     x => { return x*10; }
3199
3200         Not implemented:
3201            bind of the this, arguments, super and etc.
3202            exception in case of trying to use 'new' with arrow function
3203
3204         * parser/ASTBuilder.h:
3205         (JSC::ASTBuilder::createFunctionExpr):
3206         (JSC::ASTBuilder::createArrowFunctionExpr):
3207         (JSC::ASTBuilder::createGetterOrSetterProperty):
3208         (JSC::ASTBuilder::createFuncDeclStatement):
3209         * parser/Lexer.cpp:
3210         (JSC::Lexer<T>::setTokenPosition):
3211         (JSC::Lexer<T>::lex):
3212         * parser/Lexer.h:
3213         (JSC::Lexer::lastTokenLocation):
3214         (JSC::Lexer::setTerminator):
3215         * parser/Parser.cpp:
3216         (JSC::Parser<LexerType>::parseInner):
3217         (JSC::Parser<LexerType>::parseSourceElements):
3218         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody):
3219         (JSC::Parser<LexerType>::parseSwitchClauses):
3220         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
3221         (JSC::Parser<LexerType>::parseBlockStatement):
3222         (JSC::Parser<LexerType>::parseFunctionBody):
3223         (JSC::stringForFunctionMode):
3224         (JSC::Parser<LexerType>::parseFunctionParameters):
3225         (JSC::Parser<LexerType>::parseFunctionInfo):
3226         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3227         (JSC::Parser<LexerType>::parseClass):
3228         (JSC::Parser<LexerType>::parseAssignmentExpression):
3229         (JSC::Parser<LexerType>::parsePropertyMethod):
3230         (JSC::Parser<LexerType>::parseGetterSetter):
3231         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
3232         * parser/Parser.h:
3233         (JSC::Parser::locationBeforeLastToken):
3234         (JSC::Parser::isEndOfArrowFunction):
3235         (JSC::Parser::isArrowFunctionParamters):
3236         (JSC::Parser::setEndOfStatement):
3237         * parser/ParserFunctionInfo.h:
3238         * parser/ParserTokens.h:
3239         * parser/SourceCode.h:
3240         (JSC::SourceCode::subArrowExpression):
3241         * parser/SourceProviderCacheItem.h:
3242         (JSC::SourceProviderCacheItem::endFunctionToken):
3243         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
3244         * parser/SyntaxChecker.h:
3245         (JSC::SyntaxChecker::createArrowFunctionExpr):
3246         (JSC::SyntaxChecker::setFunctionNameStart):
3247
3248 2015-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3249
3250         [ES6] Support rest element in destructuring assignments
3251         https://bugs.webkit.org/show_bug.cgi?id=146206
3252
3253         Reviewed by Oliver Hunt.
3254
3255         This patch enables rest element (...rest) in array binding patterns.
3256         It generates array from the iterables.
3257         In variable declarations and parameters, `[...identifier]` form is only allowed,
3258         while expressions can take `[...[...rest]]` pattern.
3259
3260         * bytecompiler/BytecodeGenerator.cpp:
3261         (JSC::BytecodeGenerator::emitEnumeration):
3262         (JSC::BytecodeGenerator::emitIteratorNext):
3263         * bytecompiler/BytecodeGenerator.h:
3264         * bytecompiler/NodesCodegen.cpp:
3265         (JSC::ArrayPatternNode::bindValue):
3266         (JSC::ArrayPatternNode::toString):
3267         * parser/ASTBuilder.h:
3268         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
3269         (JSC::ASTBuilder::appendArrayPatternEntry):
3270         (JSC::ASTBuilder::appendArrayPatternRestEntry):
3271         * parser/Nodes.h:
3272         (JSC::ArrayPatternNode::appendIndex):
3273         * parser/Parser.cpp:
3274         (JSC::Parser<LexerType>::parseDeconstructionPattern):
3275         * parser/SyntaxChecker.h:
3276         (JSC::SyntaxChecker::operatorStackPop):
3277         * tests/stress/rest-elements.js: Added.
3278         (shouldBe):
3279         (shouldThrow):
3280
3281 2015-06-25  Commit Queue  <commit-queue@webkit.org>
3282
3283         Unreviewed, rolling out r185956.
3284         https://bugs.webkit.org/show_bug.cgi?id=146321
3285
3286         Causes massive crashes on test bots (Requested by bfulgham on
3287         #webkit).
3288
3289         Reverted changeset:
3290
3291         "Enabling MEDIA_STREAM"
3292         https://bugs.webkit.org/show_bug.cgi?id=145947
3293         http://trac.webkit.org/changeset/185956
3294
3295 2015-06-25  Michael Saboff  <msaboff@apple.com>
3296
3297         Minor fix to idx bounds check after 185954
3298
3299         Rubber Stamped by Ryosuke Niwa.
3300
3301         Changed "idx > 1" to "idx > 0" in two places.
3302
3303         * runtime/ExceptionHelpers.cpp:
3304         (JSC::functionCallBase):
3305
3306 2015-06-25  Keith Miller  <keith_miller@apple.com>
3307
3308         Address Sanitizer does not play well with memcpy in JSC::MachineThreads::tryCopyOtherThreadStack.
3309         https://bugs.webkit.org/show_bug.cgi?id=146297
3310
3311         Reviewed by Filip Pizlo.
3312
3313         Since we cannot blacklist the system memcpy we must use our own naive implementation,
3314         copyMemory. This is not a significant performance loss as tryCopyOtherThreadStack is
3315         only called as part of an O(heapsize) operation. As the heap is generally much larger
3316         than the stack the performance hit is minimal.
3317
3318         * heap/MachineStackMarker.cpp:
3319         (JSC::copyMemory):
3320         (JSC::MachineThreads::tryCopyOtherThreadStack):
3321         (JSC::asanUnsafeMemcpy): Deleted.
3322
3323 2015-06-25  Matthew Daiter  <mdaiter@apple.com>
3324
3325         Enabling MEDIA_STREAM
3326         https://bugs.webkit.org/show_bug.cgi?id=145947
3327         <rdar://problem/21365829>
3328
3329         Reviewed by Brent Fulgham.
3330
3331         * Configurations/FeatureDefines.xcconfig:
3332
3333 2015-06-25  Michael Saboff  <msaboff@apple.com>
3334
3335         REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689)
3336         https://bugs.webkit.org/show_bug.cgi?id=146298
3337
3338         Reviewed by Mark Lam.
3339
3340         We were underflowing in ExceptionHelpers.cpp::functionCallBase() with a right to left
3341         string index.  Added checks that idx stays within the string.  Also added a termination
3342         condition when idx is 0.
3343
3344         * runtime/ExceptionHelpers.cpp:
3345         (JSC::functionCallBase):
3346
3347 2015-06-24  Chris Dumez  <cdumez@apple.com>
3348
3349         Unreviewed, speculative build fix after r185942.
3350
3351         Add missing include for StrongInlines.h.
3352
3353         * runtime/ArrayPrototype.cpp:
3354
3355 2015-06-24  Darin Adler  <darin@apple.com>
3356
3357         Optimize Array.join and Array.reverse for high speed array types
3358         https://bugs.webkit.org/show_bug.cgi?id=146275
3359
3360         Reviewed by Mark Lam.
3361
3362         This seems to yield another 17% speed improvement in the array
3363         test from the Peacekeeper benchmark.
3364
3365         * runtime/ArrayPrototype.cpp:
3366         (JSC::isHole): Added. Helper to check for holes.
3367         (JSC::containsHole): Ditto.
3368         (JSC::arrayProtoFuncJoin): Added special cases for the various types
3369         of arrays that could be in a butterfly.
3370         (JSC::arrayProtoFuncReverse): Ditto.
3371
3372         * runtime/JSStringJoiner.h: Made appendEmptyString public so we can
3373         call it from the new parts of Array.join.
3374
3375 2015-06-24  Filip Pizlo  <fpizlo@apple.com>
3376
3377         DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear
3378         https://bugs.webkit.org/show_bug.cgi?id=146291
3379         rdar://problem/21435366
3380
3381         Reviewed by Michael Saboff.
3382         
3383         The filter() method returns Contradiction only when a value *becomes* clear. This is
3384         necessary for supporting the convention that non-JSValue nodes have a bottom proved
3385         type. (We should fix that convention eventually, but for now let's just be consistent
3386         about it.)
3387         
3388         * dfg/DFGFiltrationResult.h: Document the issue.
3389         * dfg/DFGSpeculativeJIT32_64.cpp: Work around the issue.
3390         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3391         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3392         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3393         * dfg/DFGSpeculativeJIT64.cpp: Work around the issue.
3394         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3395         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3396         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3397         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3398
3399 2015-06-24  Michael Saboff  <msaboff@apple.com>
3400
3401         Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo
3402         https://bugs.webkit.org/show_bug.cgi?id=146285
3403
3404         Reviewed by Filip Pizlo.
3405
3406         CallLinkInfo's contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains
3407         a collection of PolymorphicCallNode.  Those PolymorphicCallNodes have a reference back to the
3408         CallLinkInfo.  When a CallLinkInfo replaces or clears "stub", the ref count of the
3409         PolymorphicCallStubRoutine is decremented as expected, but since it inherits from
3410         GCAwareJITStubRoutine, it isn't actually deleted until GC.  In the mean time, the original
3411         CallLinkInfo can go away.  If PolymorphicCallNode::unlink() is called at that point,
3412         it will try to unlink a now deleted CallLinkInfo and crash as a result.
3413
3414         The fix is to clear the CallLinkInfo references from any PolymorphicCallNode objects when
3415         when we set a new stub or clear an existing stub for a CallLinkInfo.  This is done by
3416         calling PolymorphicCallNode::clearCallNodesFor() on the old stub.
3417
3418         The prior code would only call clearCallNodesFor() from the CallLinkInfo destructor.
3419         This only took care of the last PolymorphicCallStubRoutine held in the CallLinkInfo.
3420         Any prior PolymorphicCallStubRoutine would still have a, now bad, reference to the CallLinkInfo.
3421
3422         In the process I refactored CallLinkInfo from a struct to a class with proper accessors and
3423         made all the data elements private.
3424
3425         * bytecode/CallLinkInfo.cpp:
3426         (JSC::CallLinkInfo::clearStub): Updated to call PolymorphicCallStubRoutine::clearCallNodesFor()
3427         to clear the back references to this CallLinkInfo.
3428         * bytecode/CallLinkInfo.h:
3429         (JSC::CallLinkInfo::~CallLinkInfo): Moved clearCallNodesFor() call to clearStub().
3430         (JSC::CallLinkInfo::setStub): Clear any prior stub before changing to the new stub.
3431
3432 2015-06-24  Michael Saboff  <msaboff@apple.com>
3433
3434         Refactor CallLinkInfo from a struct to a class
3435         https://bugs.webkit.org/show_bug.cgi?id=146292
3436
3437         Rubber stamped by Filip Pizlo.
3438
3439         Refactored CallLinkInfo from a struct to a class with proper accessors and made all the
3440         data elements private.
3441
3442         Done in preparation for fixing https://bugs.webkit.org/show_bug.cgi?id=146285.
3443
3444         * bytecode/CallLinkInfo.cpp:
3445         (JSC::CallLinkInfo::clearStub):
3446         (JSC::CallLinkInfo::unlink):
3447         (JSC::CallLinkInfo::visitWeak):
3448         * bytecode/CallLinkInfo.h:
3449         (JSC::CallLinkInfo::callTypeFor):
3450         (JSC::CallLinkInfo::CallLinkInfo):
3451         (JSC::CallLinkInfo::~CallLinkInfo):
3452         (JSC::CallLinkInfo::specializationKindFor):
3453         (JSC::CallLinkInfo::specializationKind):
3454         (JSC::CallLinkInfo::isLinked):
3455         (JSC::CallLinkInfo::setUpCall):
3456         (JSC::CallLinkInfo::setCallLocations):
3457         (JSC::CallLinkInfo::setUpCallFromFTL):
3458         (JSC::CallLinkInfo::callReturnLocation):
3459         (JSC::CallLinkInfo::hotPathBegin):
3460         (JSC::CallLinkInfo::hotPathOther):
3461         (JSC::CallLinkInfo::setCallee):
3462         (JSC::CallLinkInfo::clearCallee):
3463         (JSC::CallLinkInfo::callee):
3464         (JSC::CallLinkInfo::setLastSeenCallee):
3465         (JSC::CallLinkInfo::clearLastSeenCallee):
3466         (JSC::CallLinkInfo::lastSeenCallee):
3467         (JSC::CallLinkInfo::haveLastSeenCallee):
3468         (JSC::CallLinkInfo::setStub):
3469         (JSC::CallLinkInfo::stub):
3470         (JSC::CallLinkInfo::seenOnce):
3471         (JSC::CallLinkInfo::clearSeen):
3472         (JSC::CallLinkInfo::setSeen):
3473         (JSC::CallLinkInfo::hasSeenClosure):
3474         (JSC::CallLinkInfo::setHasSeenClosure):
3475         (JSC::CallLinkInfo::clearedByGC):
3476         (JSC::CallLinkInfo::setCallType):
3477         (JSC::CallLinkInfo::callType):
3478         (JSC::CallLinkInfo::addressOfMaxNumArguments):
3479         (JSC::CallLinkInfo::maxNumArguments):
3480         (JSC::CallLinkInfo::offsetOfSlowPathCount):
3481         (JSC::CallLinkInfo::setCalleeGPR):
3482         (JSC::CallLinkInfo::calleeGPR):
3483         (JSC::CallLinkInfo::slowPathCount):
3484         (JSC::CallLinkInfo::setCodeOrigin):
3485         (JSC::CallLinkInfo::codeOrigin):
3486         (JSC::getCallLinkInfoCodeOrigin):
3487         * bytecode/CallLinkStatus.cpp:
3488         (JSC::CallLinkStatus::computeFor):
3489         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3490         (JSC::CallLinkStatus::computeDFGStatuses):
3491         * bytecode/CallLinkStatus.h:
3492         * bytecode/CodeBlock.cpp:
3493         (JSC::CodeBlock::printCallOp):
3494         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
3495         * dfg/DFGJITCompiler.cpp:
3496         (JSC::DFG::JITCompiler::link):
3497         * dfg/DFGOSRExitCompilerCommon.cpp:
3498         (JSC::DFG::reifyInlinedCallFrames):
3499         * dfg/DFGSpeculativeJIT32_64.cpp:
3500         (JSC::DFG::SpeculativeJIT::emitCall):
3501         * dfg/DFGSpeculativeJIT64.cpp:
3502         (JSC::DFG::SpeculativeJIT::emitCall):
3503         * ftl/FTLJSCallBase.cpp:
3504         (JSC::FTL::JSCallBase::link):
3505         * jit/AccessorCallJITStubRoutine.h:
3506         * jit/JIT.cpp:
3507         (JSC::JIT::privateCompile):
3508         * jit/JIT.h:
3509         * jit/JITCall.cpp:
3510         (JSC::JIT::compileSetupVarargsFrame):
3511         (JSC::JIT::compileOpCall):
3512         * jit/JITCall32_64.cpp:
3513         (JSC::JIT::compileSetupVarargsFrame):
3514         (JSC::JIT::compileOpCall):
3515         * jit/JITOperations.cpp:
3516         * jit/PolymorphicCallStubRoutine.cpp:
3517         (JSC::PolymorphicCallNode::unlink):
3518         (JSC::PolymorphicCallNode::clearCallLinkInfo):
3519         * jit/PolymorphicCallStubRoutine.h:
3520         * jit/Repatch.cpp:
3521         (JSC::generateByIdStub):
3522         (JSC::linkSlowFor):
3523         (JSC::linkFor):
3524         (JSC::revertCall):
3525         (JSC::unlinkFor):
3526         (JSC::linkPolymorphicCall):
3527         * jit/ThunkGenerators.cpp:
3528         (JSC::virtualForThunkGenerator):
3529
3530 2015-06-24  Doug Russell  <d_russell@apple.com>
3531
3532         Bug 146177 - AX: AXObjectCache should try to use an unignored accessibilityObject 
3533         when posting a selection notification when on the border between two accessibilityObjects
3534         https://bugs.webkit.org/show_bug.cgi?id=146177
3535
3536         Add an adopt() function to simplify JSRetainPtr<JSStringRef> { Adopt, string } to adopt(string).
3537
3538         Reviewed by Darin Adler.
3539
3540         * API/JSRetainPtr.h:
3541         (adopt):
3542
3543 2015-06-24  Keith Miller  <keith_miller@apple.com>
3544
3545         Strict Equality on objects should only check that one of the two sides is an object.
3546         https://bugs.webkit.org/show_bug.cgi?id=145992
3547
3548         This patch adds a new optimization for checking strict equality on objects.
3549         If we speculate that a strict equality comparison has an object on one side
3550         we only need to type check that side. Equality is then determined by a pointer
3551         comparison between the two values (although in the 32-bit case we must also check
3552         that the other side is a cell). Once LICM hoists type checks out of a loop we
3553         can be cleverer about how we choose the operand we type check if both are
3554         speculated to be objects.
3555
3556         For testing I added the addressOf function, which returns the address
3557         of a Cell to the runtime.
3558
3559         Reviewed by Mark Lam.
3560
3561         * dfg/DFGFixupPhase.cpp:
3562         (JSC::DFG::FixupPhase::fixupNode):
3563         * dfg/DFGSpeculativeJIT.cpp:
3564         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3565         * dfg/DFGSpeculativeJIT.h:
3566         * dfg/DFGSpeculativeJIT32_64.cpp:
3567         (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
3568         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
3569         * dfg/DFGSpeculativeJIT64.cpp:
3570         (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
3571         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
3572         * ftl/FTLCapabilities.cpp:
3573         (JSC::FTL::canCompile):
3574         * ftl/FTLLowerDFGToLLVM.cpp:
3575         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
3576         * jsc.cpp:
3577         (GlobalObject::finishCreation):
3578         (functionAddressOf):
3579         * tests/stress/equality-type-checking.js: Added.
3580         (Foo):
3581         (checkStrictEq):
3582         (checkStrictEqOther):
3583
3584 2015-06-24  Mark Lam  <mark.lam@apple.com>
3585
3586         Fixed assertion in JSStringJoiner::join() (regression from r185899).
3587
3588         Not reviewed.
3589
3590         JSStringJoiner did not account for the case where the array being joined can
3591         have null or undefined elements.  As a result, its size may be less than
3592         its initially reserved capacity (which was estimated based on the array length).
3593
3594         * runtime/JSStringJoiner.cpp:
3595         (JSC::JSStringJoiner::join):
3596
3597 2015-06-24  Darin Adler  <darin@apple.com>
3598
3599         Fix Array.concat with RuntimeArray (regression from my last patch)
3600
3601         * runtime/ArrayPrototype.cpp:
3602         (JSC::arrayProtoFuncConcat): Use getLength instead of JSArray::length.
3603
3604         * runtime/JSArray.cpp:
3605         (JSC::JSArray::defineOwnProperty): Added comment about use of
3606         JSArray::length here that is incorrect (in a really non-obvious way).
3607         (JSC::JSArray::fillArgList): Ditto.
3608         (JSC::JSArray::copyToArguments): Ditto.
3609
3610         * runtime/JSArray.h: Added a comment explaining that it is not always
3611         safe to use JSArray::length.
3612
3613 2015-06-23  Mark Lam  <mark.lam@apple.com>
3614
3615         Gardening: Fixing 2 bad asserts from r185889.
3616         https://bugs.webkit.org/show_bug.cgi?id=140575
3617
3618         Not reviewed.
3619
3620         * runtime/JSBoundSlotBaseFunction.cpp:
3621         (JSC::JSBoundSlotBaseFunction::finishCreation):
3622
3623 2015-06-23  Dan Bernstein  <mitz@apple.com>
3624
3625         Fixed iOS production builds.
3626
3627         * JavaScriptCore.xcodeproj/project.pbxproj:
3628
3629 2015-06-22  Darin Adler  <darin@apple.com>
3630
3631         Make Array.join work directly on substrings without reifying them
3632         https://bugs.webkit.org/show_bug.cgi?id=146191
3633
3634         Reviewed by Andreas Kling.
3635
3636         Besides the Array.join change, this has other optimizations based on
3637         profiling the Peacekeeper array benchmark.
3638
3639         I measured a 14% speed improvement in the Peacekeeper array benchmark.
3640
3641         Still a lot of low hanging fruit in that test because so many of functions
3642         on the array prototype are not optimizing for simple cases. For example,
3643         the reverse function does individual get and put calls even when the array
3644         is entirely made up of integers in contiguous storage.
3645
3646         * runtime/ArrayPrototype.cpp:
3647         (JSC::getProperty): Use tryGetIndexQuickly first before getPropertySlot.
3648         (JSC::argumentClampedIndexFromStartOrEnd): Marked inline.
3649         (JSC::shift): Use the getProperty helper in this file instead of using
3650         getPropertySlot. Use putByIndexInline instead of calling putByIndex directly.
3651         In both cases this can yield a faster code path.
3652         (JSC::unshift): Ditto.
3653         (JSC::arrayProtoFuncToString): Updated to use the new JSStringJoiner
3654         interface. Changed local variable name to thisArray since it's not a
3655         JSObject*. Changed loop index to i instead of k.
3656         (JSC::arrayProtoFuncToLocaleString): Updated to use the new JSStringJoiner
3657         interface. Renamed thisObj to thisObject. Added a missing exception check
3658         after the toLocaleString function is called, but before toString is called
3659         the result of that function.
3660         (JSC::arrayProtoFuncJoin): Updated to use the new JSStringJointer interface.
3661         Added a missing exception check after calling toString on the separator
3662         but before calling get to get the first element in the array-like object
3663         being joined. Changed loop index to i instead of k. Added missing exception
3664         check after calling toString on each string from the array before calling
3665         get for the next element.
3666         (JSC::arrayProtoFuncConcat): Use JSArray::length instead of using the
3667         getLength function.
3668         (JSC::arrayProtoFuncReverse): Ditto. Also use putByIndexInline.
3669         (JSC::arrayProtoFuncShift): Ditto.
3670         (JSC::arrayProtoFuncSplice): Use getIndex instead of get, which includes some
3671         additional optimizations.
3672         (JSC::getOrHole): Deleted. Unused function.
3673         (JSC::arrayProtoFuncUnShift): Use putByIndexInline.
3674
3675         * runtime/ExceptionHelpers.cpp:
3676         (JSC::errorDescriptionForValue): Removed the duplicate copy of the the logic
3677         from JSValue::toString.
3678
3679         * runtime/JSCJSValue.cpp:
3680         (JSC::JSValue::toStringSlowCase): Improved the performance when converting a
3681         small integer to a single character string.
3682         (JSC::JSValue::toWTFStringSlowCase): Moved the contents of the
3683         inlineJSValueNotStringtoString function here.
3684         * runtime/JSCJSValue.h: Removed no longer used toWTFStringInline and fixed
3685         a comment with a typo.
3686
3687         * runtime/JSObject.h:
3688         (JSC::JSObject::putByIndexInline): Marked ALWAYS_INLINE because this was not
3689         getting inlined at some call sites.
3690         (JSC::JSObject::indexingData): Deleted. Unused function.
3691         (JSC::JSObject::currentIndexingData): Deleted. Unused function.
3692         (JSC::JSObject::getHolyIndexQuickly): Deleted. Unused function.
3693         (JSC::JSObject::relevantLength): Deleted. Unused function.
3694         (JSC::JSObject::currentRelevantLength): Deleted. Unused function.
3695
3696         * runtime/JSString.h: Added the StringViewWithUnderlyingString struct and
3697         the viewWithUnderlyingString function. Removed the inlineJSValueNotStringtoString
3698         and toWTFStringInline functions.
3699
3700         * runtime/JSStringJoiner.cpp:
3701         (JSC::appendStringToData): Changed this to be a template instead of writing
3702         it out, since StringView::getCharactersWithUpconvert does almsot exactly what
3703         this function was trying to do.
3704         (JSC::joinStrings): Rewrote this to use StringView.
3705         (JSC::JSStringJoiner::joinedLength): Added. Factored out from the join function.
3706         (JSC::JSStringJoiner::join): Rewrote to make it a bit simpler. Added an assertion
3707         that we entirely filled capacity, since we are now reserving capacity and using
3708         uncheckedAppend. Use String instead of RefPtr<StringImpl> because there was no
3709         particular value to using the impl directly.
3710
3711         * runtime/JSStringJoiner.h: Changed the interface to the class to use StringView.
3712         Also changed this class so it now has the responsibility to convert each JSValue
3713         into a string. This let us share more code between toString and join, and also
3714         lets us use the new viewWithUnderlyingString function, which could be confusing at
3715         all the call sites, but is easier to understand here.
3716
3717 2015-06-23  Matthew Mirman  <mmirman@apple.com>
3718
3719         Completes native binding descriptors with native getters and potentially setters.
3720         https://bugs.webkit.org/show_bug.cgi?id=140575
3721         rdar://problem/19506502
3722
3723         Reviewed by Mark Lam.
3724
3725         * CMakeLists.txt:  Added JSBoundSlotBaseFunction.cpp
3726         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3727         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3728         * JavaScriptCore.xcodeproj/project.pbxproj:
3729         * inspector/InjectedScriptSource.js: Added case for descriptor having a native getter.
3730         * runtime/JSBoundSlotBaseFunction.cpp: Added.
3731         (JSC::boundSlotBaseFunctionCall):
3732         (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction):  
3733         Necessary wrapper for custom getters and setters as objects.
3734         (JSC::JSBoundSlotBaseFunction::create):
3735         (JSC::JSBoundSlotBaseFunction::visitChildren):
3736         (JSC::JSBoundSlotBaseFunction::finishCreation):
3737         * runtime/JSBoundSlotBaseFunction.h: Added.
3738         (JSC::JSBoundSlotBaseFunction::createStructure):
3739         (JSC::JSBoundSlotBaseFunction::boundSlotBase):
3740         (JSC::JSBoundSlotBaseFunction::customGetterSetter):
3741         (JSC::JSBoundSlotBaseFunction::isGetter):
3742         * runtime/JSGlobalObject.cpp:
3743         (JSC::JSGlobalObject::init): Added a globally initialized structure for JSBoundSlotBaseFunction
3744         (JSC::JSGlobalObject::visitChildren): visits that structure
3745         * runtime/JSGlobalObject.h:
3746         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): added a getter for that structure
3747         * runtime/JSObject.cpp:
3748         (JSC::JSObject::getOwnPropertyDescriptor): extends the case for CustomGetterSetter to 
3749         actually include GetterSetter as a JSBoundSlotBaseFunction
3750         * runtime/VM.cpp: Added initializer for customGetterSetterFunctionMap
3751         * runtime/VM.h: Added cache for JSBoundSlotBaseFunction
3752
3753 2015-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3754
3755         [ES6] Allow trailing comma in ArrayBindingPattern and ObjectBindingPattern
3756         https://bugs.webkit.org/show_bug.cgi?id=146192
3757
3758         Reviewed by Darin Adler.
3759
3760         According to the ES6 spec, trailing comma in ArrayBindingPattern and ObjectBindingPattern is allowed.
3761         And empty ArrayBindingPattern and ObjectBindingPattern is also allowed.
3762
3763         This patch allows trailing comma and empty binding patterns.
3764
3765         * bytecompiler/NodesCodegen.cpp:
3766         (JSC::ArrayPatternNode::bindValue):
3767         * parser/Parser.cpp:
3768         (JSC::Parser<LexerType>::parseDeconstructionPattern):
3769         * tests/stress/trailing-comma-in-patterns.js: Added.
3770         (shouldBe):
3771         (iterator):
3772
3773 2015-06-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3774
3775         [ES6] Destructuring assignment need to accept iterables
3776         https://bugs.webkit.org/show_bug.cgi?id=144111
3777
3778         Reviewed by Darin Adler.
3779
3780         This patch makes that destructuring assignments to array binding patterns accept iterables.
3781         Previously, it just access the indexed properties.
3782         After this patch, it iterates the given value by using ES6 iterator protocol.
3783
3784         The iteration becomes different from the for-of case.
3785         1. Since there's no break/continue case, finally scope is not necessary.
3786         2. When the error is raised, the close status of the iterator becomes true. So IteratorClose is not called for that.
3787         3. Since the array binding patterns requires a limited count of iterations (if there is no rest(...rest) case), IteratorClose is called when the iteration does not consume the all values of the iterator.
3788         4. Since the array binding patterns requires a specified count of iterations, iterator's next call is skipped when iterator becomes closed.
3789
3790         * bytecompiler/BytecodeGenerator.cpp:
3791         (JSC::BytecodeGenerator::emitIteratorClose):
3792         * bytecompiler/BytecodeGenerator.h:
3793         * bytecompiler/NodesCodegen.cpp:
3794         (JSC::ArrayPatternNode::bindValue):
3795         * parser/ASTBuilder.h:
3796         (JSC::ASTBuilder::finishArrayPattern):
3797         * parser/Nodes.h:
3798         * parser/Parser.cpp:
3799         (JSC::Parser<LexerType>::parseDeconstructionPattern):
3800         * parser/SyntaxChecker.h:
3801         (JSC::SyntaxChecker::operatorStackPop):
3802         * tests/stress/destructuring-assignment-accepts-iterables.js: Added.
3803         (shouldBe):
3804         (shouldThrow):
3805         (.set shouldThrow):
3806
3807 2015-06-19  Devin Rousso  <drousso@apple.com>
3808
3809         Web Inspector: Highlight currently edited CSS selector
3810         https://bugs.webkit.org/show_bug.cgi?id=145658
3811
3812         Reviewed by Joseph Pecoraro.
3813
3814         * inspector/protocol/DOM.json: Added highlightSelector to show highlight over multiple nodes.
3815
3816 2015-06-19  Mark Lam  <mark.lam@apple.com>
3817
3818         Gardening: fix build for EWS bots.
3819
3820         Not reviewed.
3821
3822         * runtime/JSArray.cpp:
3823         (JSC::JSArray::setLengthWithArrayStorage):
3824
3825 2015-06-19  Michael Saboff  <msaboff@apple.com>
3826
3827         Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL::fixFunctionBasedOnStackMaps + 17225
3828         https://bugs.webkit.org/show_bug.cgi?id=146133
3829
3830         Reviewed by Geoffrey Garen.
3831
3832         When generating code to put in inline caching areas, if there isn't enough space,
3833         then create and link to an out of line area.  We connect the inline code to this
3834         out of line code area by planting a jump from the inline area to the out of line
3835         code and appending a jump at the end of the out of line code bck to the instruction
3836         following the inline area.  We fill the unused inline area with nops, primarily to 
3837         ensure the disassembler doesn't get confused.
3838
3839         * ftl/FTLCompile.cpp:
3840         (generateInlineIfPossibleOutOfLineIfNot): New function that determines if there is enough space
3841         in the inline code area for the code to link.  If so, it links inline, otherwise it links the
3842         code out of line and plants appropriate jumps to/from the out of line code.
3843         (generateICFastPath):
3844         (generateCheckInICFastPath):
3845         (fixFunctionBasedOnStackMaps):
3846         Use generateInlineIfPossibleOutOfLineIfNot() to link code intended for inline cache space.
3847
3848         * ftl/FTLJITFinalizer.cpp:
3849         (JSC::FTL::JITFinalizer::finalizeFunction):
3850         * ftl/FTLJITFinalizer.h:
3851         (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo):
3852         Added code to finalize any out of line LinkBuffer created by generateInlineIfPossibleOutOfLineIfNot().
3853
3854 2015-06-19  Geoffrey Garen  <ggaren@apple.com>
3855
3856         WebKit crash while loading nytimes at JavaScriptCore: JSC::ExecutableAllocator::allocate + 276
3857         https://bugs.webkit.org/show_bug.cgi?id=146163
3858         <rdar://problem/20392986>
3859
3860         Reviewed by Michael Saboff.
3861
3862         There's no good way to test this in our test harness because we don't
3863         have a way to simulate executable memory pressure, and doing so would
3864         cause the cases that still use JITCompilationMustSucceed to crash.
3865
3866         Instead, I tested by manually forcing all regexp JIT compilation to
3867         fail and running the JavaScriptCore tests.
3868
3869         * yarr/YarrJIT.cpp:
3870         (JSC::Yarr::YarrGenerator::compile): Allow compilation to fail. We can
3871         fall back to the regexp interpreter if we need to.
3872
3873 2015-06-19  Mark Lam  <mark.lam@apple.com>
3874
3875         Employ explicit operator bool() instead of using the UnspecifiedBoolType workaround.
3876         https://bugs.webkit.org/show_bug.cgi?id=146154
3877
3878         Reviewed by Darin Adler.
3879
3880         * assembler/MacroAssemblerCodeRef.h:
3881         (JSC::MacroAssemblerCodePtr::dataLocation):
3882         (JSC::MacroAssemblerCodePtr::operator bool):
3883         (JSC::MacroAssemblerCodePtr::operator==):