Get the features.json files ready for open contributions
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-07  Benjamin Poulain  <benjamin@webkit.org>

        Get the features.json files ready for open contributions
        https://bugs.webkit.org/show_bug.cgi?id=143436

        Reviewed by Darin Adler.

        * features.json:

2015-04-07  Filip Pizlo  <fpizlo@apple.com>

        Constant folding of typed array properties should be handled by AI rather than strength reduction
        https://bugs.webkit.org/show_bug.cgi?id=143496

        Reviewed by Geoffrey Garen.

        Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
        phase and whatever other phase did the folding in order to find all constants.

        This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
        directly.

        This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
        found because all of the tests for it involved the property getting constant folded. I found that
        the codegen was bad because an earlier version of the patch broke that constant folding. This
        adds a new test for that node type, which makes constant folding impossible by allocating a new
        typed array every time. The lesson here is: if you write a test for something, run the test with
        full IR dumps to make sure it's actually testing the thing you want it to test.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::tryGetFoldableView):
        (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasTypedArray): Deleted.
        (JSC::DFG::Node::typedArray): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
        (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
        * tests/stress/fold-typed-array-properties.js:
        (foo):
        * tests/stress/typed-array-byte-offset.js: Added.
        (foo):

2015-04-07  Matthew Mirman  <mmirman@apple.com>

        Source and stack information should get appended only to native errors
        and should be added directly after construction rather than when thrown.
        This fixes frozen objects being unfrozen when thrown while conforming to
        the ECMAScript standard and other browser behavior.
        rdar://problem/19927293
        https://bugs.webkit.org/show_bug.cgi?id=141871

        Reviewed by Geoffrey Garen.

        Appending stack, source, line, and column information to an object whenever that object is thrown
        is incorrect because it violates the ECMAScript standard for the behavior of throw.  Suppose for example
        that the object being thrown already has one of these properties or is frozen.  Adding the properties
        would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
        and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
        a control flow construct rather than just an error reporting mechanism.

        Because WebCore adds "native" errors which do not inherit from any JSC native error,
        appending the error properties as a separate call after construction of the error is required
        to avoid having to manually truncate the stack and gather local source information due to
        the stack being extended by a nested call to construct one of the native JSC errors.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * interpreter/Interpreter.h:
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::createError):
        (JSC::createEvalError):
        (JSC::createRangeError):
        (JSC::createReferenceError):
        (JSC::createSyntaxError):
        (JSC::createTypeError):
        (JSC::createNotEnoughArgumentsError):
        (JSC::createURIError):
        (JSC::createOutOfMemoryError):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
        (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
        (JSC::addErrorInfo): Added special case for appending complete error info
        to a newly constructed error object.
        * runtime/Error.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/ErrorInstance.cpp:
        (JSC::appendSourceToError): Moved from VM.cpp
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
        (JSC::addErrorInfoAndGetBytecodeOffset):
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ExceptionFuzz.cpp:
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createError):
        (JSC::createInvalidFunctionApplyParameterError):
        (JSC::createInvalidInParameterError):
        (JSC::createInvalidInstanceofParameterError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        (JSC::throwOutOfMemoryError):
        (JSC::createStackOverflowError): Deleted.
        (JSC::createOutOfMemoryError): Deleted.
        * runtime/ExceptionHelpers.h:
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::create):
        (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        (JSC::Interpreter::callNativeErrorConstructor):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        (JSC::appendSourceToError): Moved to Error.cpp
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
        * tests/stress/freeze_leek.js: Added.
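
        The contract this entry describes, checked from JavaScript. This is an added
        example, not WebKit's code and not the freeze_leek.js test; it assumes only
        standard ECMAScript throw semantics, and the property names it watches for
        (line, column, sourceURL, stack) are assumed from the entry's description of
        what the engine used to attach.

```javascript
'use strict';

// Added example (not WebKit's code). A conforming `throw` must hand the
// caught value back untouched: same object, no new own properties, and
// still frozen if it was frozen. The names below are an assumption about
// what an engine might attach; the entry names stack, source, line, column.
const ENGINE_ADDED_PROPS = ['line', 'column', 'sourceURL', 'stack'];

// Throw `value`, catch it, and report what (if anything) changed on it.
function throwAndInspect(value) {
  const keysBefore = Reflect.ownKeys(value);
  const frozenBefore = Object.isFrozen(value);
  let caught;
  try {
    throw value;
  } catch (e) {
    caught = e;
  }
  const keysAfter = Reflect.ownKeys(caught);
  return {
    sameObject: caught === value,
    addedKeys: keysAfter.filter((k) => !keysBefore.includes(k)),
    stillFrozen: Object.isFrozen(caught) === frozenBefore,
    leakedEngineProps: ENGINE_ADDED_PROPS.filter(
      (p) => keysAfter.includes(p) && !keysBefore.includes(p)),
  };
}

// For a native error the stack belongs to the construction site, so throwing
// it later (repeatedly, from deeper frames) must not rewrite it.
function stackIsFixedAtConstruction() {
  const err = new TypeError('constructed here');
  const stackAtConstruction = err.stack;
  function rethrowDeep(n) {
    if (n === 0) throw err;
    rethrowDeep(n - 1);
  }
  for (let i = 0; i < 3; i++) {
    try { rethrowDeep(5); } catch (e) { /* swallowed on purpose */ }
  }
  return err.stack === stackAtConstruction;
}
```

        throwAndInspect(Object.freeze({ code: 42 })) must report no added keys
        and the object still frozen, for a plain object and for a frozen native
        error alike; stackIsFixedAtConstruction() must return true.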

2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ES6: Show Symbol properties on Objects
        https://bugs.webkit.org/show_bug.cgi?id=141279

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Runtime.json:
        Give PropertyDescriptor a reference to the Symbol RemoteObject
        if the property is a symbol property.

        * inspector/InjectedScriptSource.js:
        Enumerate symbol properties on objects.

2015-04-07  Filip Pizlo  <fpizlo@apple.com>

        Make it possible to enable LLVM FastISel
        https://bugs.webkit.org/show_bug.cgi?id=143489

        Reviewed by Michael Saboff.

        The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
        against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
        if we should enable it.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVMImpl):
        * llvm/InitializeLLVM.h:
        * llvm/InitializeLLVMLinux.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/InitializeLLVMMac.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::getLLVMInitializerFunctionPOSIX):
        (JSC::initializeLLVMPOSIX): Deleted.
        * llvm/InitializeLLVMPOSIX.h:
        * llvm/InitializeLLVMWin.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/LLVMAPI.cpp:
        * llvm/LLVMAPI.h:
        * llvm/library/LLVMExports.cpp:
        (initCommandLine):
        (initializeAndGetJSCLLVMAPI):
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        put_by_val_direct needs to check whether the property is an index or not when using putDirect / putDirectIndex
        https://bugs.webkit.org/show_bug.cgi?id=140426

        Reviewed by Darin Adler.

        In the put_by_val_direct operation, we use JSObject::putDirect.
        However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
        This patch checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Identifier.h:
        (JSC::isIndex):
        (JSC::parseIndex):
        * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
        (lookupWithKey):
        (toStringThrowsError.toString):

2015-04-06  Alberto Garcia  <berto@igalia.com>

        [GTK] Fix HPPA build
        https://bugs.webkit.org/show_bug.cgi?id=143453

        Reviewed by Darin Adler.

        Add HPPA to the list of supported CPUs.

        * CMakeLists.txt:

2015-04-06  Mark Lam  <mark.lam@apple.com>

        In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
        <https://webkit.org/b/143396>

        Reviewed by Filip Pizlo.

        The DFG was neglecting to set the result boolean.  The FTL was setting it with
        an inverted value.  Both of these are now resolved.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
        * tests/stress/for-in-array-mode.js: Added.
        (.):
        (test):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] DFG and FTL should be aware that StringConstructor behavior for symbols becomes different from ToString
        https://bugs.webkit.org/show_bug.cgi?id=143424

        Reviewed by Geoffrey Garen.

        In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).

        ToString(symbol) throws a type error.
        However, String(symbol) produces SymbolDescriptiveString(symbol).

        So, in the DFG and FTL phases, they should not inline StringConstructor to ToString.

        Now, in the template literals patch, the ToString DFG operation is planned to be used.
        And the current ToString behavior is aligned to the spec (and JSValue::toString) and it's better.
        So instead of changing the ToString behavior, this patch adds a CallStringConstructor operation into DFG and FTL.
        In CallStringConstructor, all behavior in DFG analysis is the same.
        The only difference from ToString is that, when calling DFG operation functions, it calls
        operationCallStringConstructorOnCell and operationCallStringConstructor instead of
        operationToStringOnCell and operationToString.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        (JSC::DFG::FixupPhase::fixupToString): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
        (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
        * runtime/StringConstructor.cpp:
        (JSC::stringConstructor):
        (JSC::callStringConstructor):
        * runtime/StringConstructor.h:
        * tests/stress/symbol-and-string-constructor.js: Added.
        (performString):
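
        The behavioral split this entry relies on, observed from JavaScript. This
        is an added example, not JavaScriptCore's code and not the
        symbol-and-string-constructor.js test; it assumes a spec-conforming engine,
        and the name performString is borrowed from the test's function name only
        as a label for the warm-up loop.

```javascript
'use strict';

// Added example, not JavaScriptCore's code. Every string-coercion path a JIT
// might be tempted to treat as plain ToString, run against one value, so the
// path that differs for symbols (String(value), the constructor *called*)
// stands out from the ones that really are ToString.
function coercions(value) {
  const attempt = (fn) => {
    try {
      return fn();
    } catch (e) {
      return e instanceof TypeError ? 'TypeError' : 'OtherError';
    }
  };
  return {
    stringCall: attempt(() => String(value)),                // SymbolDescriptiveString for symbols
    stringNew: attempt(() => new String(value).valueOf()),   // constructed: ToString, throws
    plus: attempt(() => '' + value),                         // ToPrimitive then ToString, throws
    template: attempt(() => `${value}`),                     // ToString, throws
    toStringMethod: attempt(() => value.toString()),         // Symbol.prototype.toString, fine
  };
}

// Hot-loop version so a tiered engine gets to compile and inline the call:
// the result must not change once String() has been specialized.
function performString(value, iterations) {
  let last;
  for (let i = 0; i < iterations; i++) {
    const s = String(value);
    if (last !== undefined && s !== last) throw new Error('result changed after warm-up');
    last = s;
  }
  return last;
}
```

        coercions(Symbol('desc')) yields 'Symbol(desc)' for stringCall and
        toStringMethod and 'TypeError' for the three genuine ToString paths;
        for a number all five agree.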

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Return Optional<uint32_t> from PropertyName::asIndex
        https://bugs.webkit.org/show_bug.cgi?id=143422

        Reviewed by Darin Adler.

        PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
        But it's not obvious to callers.

        This patch changes
        1. PropertyName::asIndex() to return Optional<uint32_t> and
        2. function name `asIndex()` to `parseIndex()`.
        It forces callers to check explicitly whether the value is an index or not.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStubAndGetOldStructure):
        * jsc.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/Identifier.h:
        (JSC::parseIndex):
        (JSC::Identifier::isSymbol):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/PropertyName.h:
        (JSC::parseIndex):
        (JSC::toUInt32FromCharacters): Deleted.
        (JSC::toUInt32FromStringImpl): Deleted.
        (JSC::PropertyName::asIndex): Deleted.
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
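
        A JavaScript model of the index-versus-named split that this entry and
        the put_by_val_direct entry above both depend on. This is an added example,
        not JavaScriptCore's code: parseIndex, putDirect and newStore are names
        chosen here, the two-Map store is a toy stand-in for indexed and named
        storage, and the bound 0xFFFFFFFE (so that UINT_MAX, the old NotAnIndex
        sentinel, can never itself be an index) is the usual array-index limit,
        assumed rather than quoted from the page.

```javascript
'use strict';

// Added example, not JavaScriptCore's code. A property key is an array index
// only if it is the canonical decimal form of an integer in [0, 2^32 - 2];
// "01", "-1", "1e3", "" and "4294967295" are all ordinary named properties.
const MAX_ARRAY_INDEX = 0xFFFFFFFE;   // assumption: usual array-index bound

// Returns the index as a number, or undefined when `key` is not an index.
// Same shape as Optional<uint32_t>: callers must test for undefined.
function parseIndex(key) {
  if (typeof key !== 'string' || key.length === 0 || key.length > 10) return undefined;
  if (key === '0') return 0;
  if (key.charCodeAt(0) === 0x30) return undefined;      // leading zero: not canonical
  for (let i = 0; i < key.length; i++) {
    const c = key.charCodeAt(i);
    if (c < 0x30 || c > 0x39) return undefined;          // not a decimal digit
  }
  const n = Number(key);
  return n <= MAX_ARRAY_INDEX ? n : undefined;
}

// Toy stand-in for an object's two storages (hypothetical, for illustration).
function newStore() {
  return { indexed: new Map(), named: new Map() };
}

// The routing put_by_val_direct has to do: convert the key with ToPropertyKey
// first (so a throwing toString propagates instead of storing
// "[object Object]"), then send indices to indexed storage and everything
// else to named storage.
function putDirect(store, key, value) {
  const propertyKey = typeof key === 'symbol' ? key : String(key);
  const index = parseIndex(propertyKey);
  if (index !== undefined) store.indexed.set(index, value);
  else store.named.set(propertyKey, value);
  return store;
}

// The same split is observable on a real object: computed keys that parse as
// indices enumerate first, in ascending numeric order, whatever order they
// were written in.
function computedKeyOrder(keys) {
  const obj = {};
  for (const k of keys) Object.assign(obj, { [k]: true });
  return Object.keys(obj);
}
```

        putDirect(newStore(), '7', v) and putDirect(newStore(), 7, v) land in the
        same indexed slot; a key object whose toString throws never reaches
        either storage; computedKeyOrder(['b', '1', 'a', '0']) is
        ['0', '1', 'b', 'a'].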

2015-04-05  Andreas Kling  <akling@apple.com>

        URI encoding/escaping should use efficient string building instead of calling snprintf().
        <https://webkit.org/b/143426>

        Reviewed by Gavin Barraclough.

        I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
        which seemed pretty silly. This change gets that down to nothing in favor of using our
        existing JSStringBuilder and HexNumber.h facilities.

        These APIs are well-exercised by our existing test suite.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::globalFuncEscape):

2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>

        documentation for ES Promises points to the wrong one
        https://bugs.webkit.org/show_bug.cgi?id=143263

        Reviewed by Darin Adler.

        * features.json:

2015-04-05  Simon Fraser  <simon.fraser@apple.com>

        Remove "go ahead and" from comments
        https://bugs.webkit.org/show_bug.cgi?id=143421

        Reviewed by Darin Adler, Benjamin Poulain.

        Remove the phrase "go ahead and" from comments where it doesn't add
        anything (which is almost all of them).

        * interpreter/JSStack.cpp:
        (JSC::JSStack::growSlowCase):

2015-04-04  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done.)

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement ES6 Object.getOwnPropertySymbols
        https://bugs.webkit.org/show_bug.cgi?id=141106

        Reviewed by Geoffrey Garen.

        This patch implements `Object.getOwnPropertySymbols`.
        One technical issue is that, since we use private symbols (such as `@Object`) in the
        privileged JS code in `builtins/`, they should not be exposed.
        To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
        before adding it into PropertyNameArray.

        To check whether the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`
        since all private symbols are held in this map.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::isPrivateName):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::isPrivateName):
        * runtime/CommonIdentifiers.h:
        * runtime/EnumerationMode.h:
        (JSC::EnumerationMode::EnumerationMode):
        (JSC::EnumerationMode::includeSymbolProperties):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        (JSC::objectConstructorGetOwnPropertySymbols):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-get-own-property-symbols.js: Added.
        (forIn):
        * tests/stress/symbol-define-property.js: Added.
        (testSymbol):
        * tests/stress/symbol-seal-and-freeze.js: Added.
        * tests/stress/symbol-with-json.js: Added.
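
        What Object.getOwnPropertySymbols changes for defensive code, as an added
        example that is not JavaScriptCore's code or any of the tests listed
        above. It assumes a spec-conforming engine; private symbols cannot be
        created from script, so it covers only the ordinary symbols the function
        is meant to expose, and the deepFreeze helpers are hypothetical names.

```javascript
'use strict';

// Added example, not JavaScriptCore's code. Symbol-keyed properties are
// invisible to the string-key enumerations (keys, for-in, JSON) but are real
// own properties, so hardening code that walks Object.keys() misses them.
const tag = Symbol('tag');

// Constructed sample: one string-keyed and one symbol-keyed nested object.
function makeTagged() {
  return { visible: { n: 1 }, [tag]: { secret: 'tagged' } };
}

// Where does the symbol key show up?
function symbolVisibility(obj) {
  const forInKeys = [];
  for (const k in obj) forInKeys.push(k);
  return {
    inKeys: Object.keys(obj).includes(tag),                      // false: string keys only
    inForIn: forInKeys.includes(tag),                           // false
    inJSON: JSON.stringify(obj).includes('tagged'),             // false: symbol keys skipped
    inOwnKeys: Reflect.ownKeys(obj).includes(tag),              // true
    inGetOwnPropertySymbols: Object.getOwnPropertySymbols(obj).includes(tag), // true
  };
}

// Naive deep-freeze: recurses over Object.keys() only, so the object held
// under the symbol key stays mutable even though the top level is frozen.
function deepFreezeStringKeysOnly(obj) {
  Object.freeze(obj);
  for (const k of Object.keys(obj)) {
    const v = obj[k];
    if (v !== null && typeof v === 'object' && !Object.isFrozen(v)) deepFreezeStringKeysOnly(v);
  }
  return obj;
}

// Correct deep-freeze: Reflect.ownKeys() yields string and symbol keys alike
// (equivalently Object.getOwnPropertyNames() plus Object.getOwnPropertySymbols()).
function deepFreeze(obj) {
  Object.freeze(obj);
  for (const k of Reflect.ownKeys(obj)) {
    const v = obj[k];
    if (v !== null && typeof v === 'object' && !Object.isFrozen(v)) deepFreeze(v);
  }
  return obj;
}
```

        After deepFreezeStringKeysOnly(makeTagged()) the object under the symbol
        key is still writable; after deepFreeze(makeTagged()) both nested objects
        report Object.isFrozen() true.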

2015-04-03  Mark Lam  <mark.lam@apple.com>

        Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
        <https://webkit.org/b/143385>

        Reviewed by Geoffrey Garen.

        For debugging purposes, sometimes, we want to be able to make compilation happen
        sooner to see if we can accelerate the manifestation of certain events / bugs.
        Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
        which make up the compilation policy.  Let's add a single knob that can tune all
        the thresholds up / down in one go proportionately so that we can easily tweak
        how soon compilation occurs.

        * runtime/Options.cpp:
        (JSC::scaleJITPolicy):
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        is* API methods should be @properties
        https://bugs.webkit.org/show_bug.cgi?id=143388

        Reviewed by Mark Lam.

        This appears to be the preferred idiom in WebKit, CA, AppKit, and
        Foundation.

        * API/JSValue.h: Be @properties.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Use the @properties.

2015-04-03  Mark Lam  <mark.lam@apple.com>

        Some JSC Options refactoring and enhancements.
        <https://webkit.org/b/143384>

        Rubber stamped by Benjamin Poulain.

        Create a better encapsulated Option class to make working with options easier.  This
        is a building block towards a JIT policy scaling debugging option I will introduce later.

        This work entails:
        1. Convert Options::Option into a public class Option (which works closely with Options).
        2. Convert Options::EntryType into an enum class Options::Type and make it public.
        3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
        4. Add misc methods to class Option to make it more usable.

        * runtime/Options.cpp:
        (JSC::Options::dumpOption):
        (JSC::Option::dump):
        (JSC::Option::operator==):
        (JSC::Options::Option::dump): Deleted.
        (JSC::Options::Option::operator==): Deleted.
        * runtime/Options.h:
        (JSC::Option::Option):
        (JSC::Option::operator!=):
        (JSC::Option::name):
        (JSC::Option::description):
        (JSC::Option::type):
        (JSC::Option::isOverridden):
        (JSC::Option::defaultOption):
        (JSC::Option::boolVal):
        (JSC::Option::unsignedVal):
        (JSC::Option::doubleVal):
        (JSC::Option::int32Val):
        (JSC::Option::optionRangeVal):
        (JSC::Option::optionStringVal):
        (JSC::Option::gcLogLevelVal):
        (JSC::Options::Option::Option): Deleted.
        (JSC::Options::Option::operator!=): Deleted.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
        is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
        is equal to 101100.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
        Added a comment explaining why.

2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>

        FTL JIT tests should fail if LLVM library isn't available
        https://bugs.webkit.org/show_bug.cgi?id=143374

        Reviewed by Mark Lam.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * runtime/Options.h:

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Fix the EFL and GTK build after r182243
        https://bugs.webkit.org/show_bug.cgi?id=143361

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt: InspectorBackendCommands.js is generated in the
        DerivedSources/JavaScriptCore/inspector/ directory.

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed, fixing Clang builds of the GTK port on Linux.

        * runtime/Options.cpp:
        Include the <math.h> header for isnan().

698 2015-04-02  Mark Lam  <mark.lam@apple.com>
699
700         Enhance ability to dump JSC Options.
701         <https://webkit.org/b/143357>
702
703         Reviewed by Benjamin Poulain.
704
705         Some enhancements to how the JSC options work:
706
707         1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
708            2 = All, 3 = Verbose.
709
710            The default is 0 (None).  This dumps nothing.
711            With the Overridden setting, at VM initialization time, we will dump all
712            option values that have been changed from their default.
713            With the All setting, at VM initialization time, we will dump all option values.
714            With the Verbose setting, at VM initialization time, we will dump all option
715            values along with their descriptions (if available).
716
717         2. We now store a copy of the default option values.
718
719            We later use this for comparison to tell if an option has been overridden, and
720            print the default value for reference.  As a result, we no longer need the
721            didOverride flag since we can compute whether the option is overridden at any time.
722
723         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
724
725            This will come in handy later when we want to rename some of the options to more sane
726            names that are easier to remember.  For example, we can change
727            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
728            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
729            of the description, we can afford to use shorter and less descriptive option names,
730            but they will be easier to remember and use for day to day debugging work.
731
732            In this patch, I did not change the names of any of the options yet.  I only added
733            description strings for options that I know about, and where I think the option name
734            isn't already descriptive enough.
735
736         4. Also deleted some unused code.
737
738         * jsc.cpp:
739         (CommandLine::parseArguments):
740         * runtime/Options.cpp:
741         (JSC::Options::initialize):
742         (JSC::Options::setOption):
743         (JSC::Options::dumpAllOptions):
744         (JSC::Options::dumpOption):
745         (JSC::Options::Option::dump):
746         (JSC::Options::Option::operator==):
747         * runtime/Options.h:
748         (JSC::OptionRange::rangeString):
749         (JSC::Options::Option::Option):
750         (JSC::Options::Option::operator!=):
751
752 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
753
754         JavaScriptCore API should support type checking for Array and Date
755         https://bugs.webkit.org/show_bug.cgi?id=143324
756
757         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
758
759         * API/JSValue.h:
760         * API/JSValue.mm:
761         (-[JSValue isArray]):
762         (-[JSValue isDate]): Added an ObjC API.
763
764         * API/JSValueRef.cpp:
765         (JSValueIsArray):
766         (JSValueIsDate):
767         * API/JSValueRef.h: Added a C API.
768
769         * API/WebKitAvailability.h: Brought our availability macros up to date
770         and fixed a harmless bug where "10_10" translated to "10.0".
771
772         * API/tests/testapi.c:
773         (main): Added a test and corrected a pre-existing leak.
774
775         * API/tests/testapi.mm:
776         (testObjectiveCAPI): Added a test.
777
778 2015-04-02  Mark Lam  <mark.lam@apple.com>
779
780         Add Options::dumpSourceAtDFGTime().
781         <https://webkit.org/b/143349>
782
783         Reviewed by Oliver Hunt, and Michael Saboff.
784
785         Sometimes, we will want to see the JS source code that we're compiling, and it
786         would be nice to be able to do this without having to jump through a lot of hoops.
787         So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
788         Options::dumpBytecodeAtDFGTime() option.
789
790         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
791         that explicitly take no arguments (instead of relying on the version that takes
792         the default argument).  These versions are friendlier to use when we want to call
793         them from an interactive debugging session.
794
795         * bytecode/CodeBlock.cpp:
796         (JSC::CodeBlock::dumpSource):
797         (JSC::CodeBlock::dumpBytecode):
798         * bytecode/CodeBlock.h:
799         * dfg/DFGByteCodeParser.cpp:
800         (JSC::DFG::ByteCodeParser::parseCodeBlock):
801         * runtime/Options.h:
802
803 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
804
805         Clean up EnumerationMode to easily extend
806         https://bugs.webkit.org/show_bug.cgi?id=143276
807
808         Reviewed by Geoffrey Garen.
809
810         To make the following easy,
811         1. adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
812         2. making ExcludeSymbols the implicit default for the existing flags
813         we encapsulate EnumerationMode flags into the EnumerationMode class.
814
815         And this class manages 2 flags. Later it will be extended to 3.
816         1. DontEnumPropertiesMode (default is Exclude)
817         2. JSObjectPropertiesMode (default is Include)
818         3. SymbolPropertiesMode (default is Exclude)
819             SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.
820
821         This patch replaces places using ExcludeDontEnumProperties
822         with the EnumerationMode() value, which represents the default mode.
823
824         * API/JSCallbackObjectFunctions.h:
825         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
826         * API/JSObjectRef.cpp:
827         (JSObjectCopyPropertyNames):
828         * bindings/ScriptValue.cpp:
829         (Deprecated::jsToInspectorValue):
830         * bytecode/ObjectAllocationProfile.h:
831         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
832         * runtime/ArrayPrototype.cpp:
833         (JSC::arrayProtoFuncSort):
834         * runtime/EnumerationMode.h:
835         (JSC::EnumerationMode::EnumerationMode):
836         (JSC::EnumerationMode::includeDontEnumProperties):
837         (JSC::EnumerationMode::includeJSObjectProperties):
838         (JSC::shouldIncludeDontEnumProperties): Deleted.
839         (JSC::shouldExcludeDontEnumProperties): Deleted.
840         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
841         (JSC::modeThatSkipsJSObject): Deleted.
842         * runtime/GenericArgumentsInlines.h:
843         (JSC::GenericArguments<Type>::getOwnPropertyNames):
844         * runtime/JSArray.cpp:
845         (JSC::JSArray::getOwnNonIndexPropertyNames):
846         * runtime/JSArrayBuffer.cpp:
847         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
848         * runtime/JSArrayBufferView.cpp:
849         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
850         * runtime/JSFunction.cpp:
851         (JSC::JSFunction::getOwnNonIndexPropertyNames):
852         * runtime/JSFunction.h:
853         * runtime/JSGenericTypedArrayViewInlines.h:
854         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
855         * runtime/JSLexicalEnvironment.cpp:
856         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
857         * runtime/JSONObject.cpp:
858         (JSC::Stringifier::Holder::appendNextProperty):
859         (JSC::Walker::walk):
860         * runtime/JSObject.cpp:
861         (JSC::getClassPropertyNames):
862         (JSC::JSObject::getOwnPropertyNames):
863         (JSC::JSObject::getOwnNonIndexPropertyNames):
864         (JSC::JSObject::getGenericPropertyNames):
865         * runtime/JSPropertyNameEnumerator.h:
866         (JSC::propertyNameEnumerator):
867         * runtime/JSSymbolTableObject.cpp:
868         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
869         * runtime/ObjectConstructor.cpp:
870         (JSC::objectConstructorGetOwnPropertyNames):
871         (JSC::objectConstructorKeys):
872         (JSC::defineProperties):
873         (JSC::objectConstructorSeal):
874         (JSC::objectConstructorFreeze):
875         (JSC::objectConstructorIsSealed):
876         (JSC::objectConstructorIsFrozen):
877         * runtime/RegExpObject.cpp:
878         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
879         (JSC::RegExpObject::getPropertyNames):
880         (JSC::RegExpObject::getGenericPropertyNames):
881         * runtime/StringObject.cpp:
882         (JSC::StringObject::getOwnPropertyNames):
883         * runtime/Structure.cpp:
884         (JSC::Structure::getPropertyNamesFromStructure):
885
886 2015-04-01  Alex Christensen  <achristensen@webkit.org>
887
888         Progress towards CMake on Windows and Mac.
889         https://bugs.webkit.org/show_bug.cgi?id=143293
890
891         Reviewed by Filip Pizlo.
892
893         * CMakeLists.txt:
894         Enabled using assembly on Windows.
895         Replaced unix commands with CMake commands.
896         * PlatformMac.cmake:
897         Tell open source builders where to find unicode headers.
898
899 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
900
901         IteratorClose should be called when jumping over the target for-of loop
902         https://bugs.webkit.org/show_bug.cgi?id=143140
903
904         Reviewed by Geoffrey Garen.
905
906         This patch fixes labeled break/continue behaviors with for-of and iterators.
907
908         1. Support IteratorClose beyond multiple loop contexts
909         Previously, IteratorClose was only executed in for-of's breakTarget().
910         However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
911         For example,
912         outer: for (var e1 of outer) {
913             inner: for (var e2 of inner) {
914                 break outer;
915             }
916         }
917         In this case, the return method of inner should be called.
918         We leverage the existing system for `finally` to execute inner.return method correctly.
919         Leveraging `finally` system fixes `break`, `continue` and `return` cases.
920         The `throw` case is already supported by emitting try-catch handlers in for-of.
921
922         2. Incorrect LabelScope creation is done in ForOfNode
923         ForOfNode creates a duplicated LabelScope.
924         It causes an infinite loop when executing the following program that contains
925         an explicitly labeled for-of loop.
926         For example,
927         inner: for (var elm of array) {
928             continue inner;
929         }
930
931         * bytecompiler/BytecodeGenerator.cpp:
932         (JSC::BytecodeGenerator::pushFinallyContext):
933         (JSC::BytecodeGenerator::pushIteratorCloseContext):
934         (JSC::BytecodeGenerator::popFinallyContext):
935         (JSC::BytecodeGenerator::popIteratorCloseContext):
936         (JSC::BytecodeGenerator::emitComplexPopScopes):
937         (JSC::BytecodeGenerator::emitEnumeration):
938         (JSC::BytecodeGenerator::emitIteratorClose):
939         * bytecompiler/BytecodeGenerator.h:
940         * bytecompiler/NodesCodegen.cpp:
941         (JSC::ForOfNode::emitBytecode):
942         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
943         (createIterator.iterator.return):
944         (createIterator):
945         * tests/stress/raise-error-in-iterator-close.js: Added.
946         (createIterator.iterator.return):
947         (createIterator):
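
        The labeled break/continue/return/throw cases described in this entry, as an added example that is not part of the WebKit ChangeLog or of JavaScriptCore's own tests. The iterable and its logging `return()` method are constructed here so each path's IteratorClose calls can be checked in any ES6 engine.

```javascript
// Constructed iterable whose iterator records every return() call (that is,
// every IteratorClose) into `log`, so we can see which iterators were closed
// and in which order.
function makeIterable(name, count, log) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          return i < count ? { value: `${name}${i++}`, done: false }
                           : { value: undefined, done: true };
        },
        // Called by IteratorClose when the loop is left before exhaustion.
        return() {
          log.push(`${name}.return`);
          return { done: true };
        },
      };
    },
  };
}

// `break outer` from the inner loop must close both iterators: the inner one
// first, then the outer one.
function labeledBreak() {
  const log = [];
  outer: for (const e1 of makeIterable('outer', 3, log)) {
    inner: for (const e2 of makeIterable('inner', 3, log)) {
      log.push(`visit ${e1}/${e2}`);
      break outer;
    }
  }
  return log;
}

// `continue outer` closes only the inner iterator, once per outer iteration.
// The outer loop runs to exhaustion, so its return() is never called.
function labeledContinue() {
  const log = [];
  outer: for (const e1 of makeIterable('outer', 2, log)) {
    for (const e2 of makeIterable('inner', 2, log)) {
      log.push(`visit ${e1}/${e2}`);
      continue outer;
    }
  }
  return log;
}

// `return` from inside nested for-of loops closes both iterators before the
// function actually returns.
function returnFromNested() {
  const log = [];
  for (const e1 of makeIterable('outer', 2, log)) {
    for (const e2 of makeIterable('inner', 2, log)) {
      log.push(`visit ${e1}/${e2}`);
      return log;
    }
  }
  return log;
}

// `throw` closes both iterators before the exception reaches the catch block.
function throwFromNested() {
  const log = [];
  try {
    for (const e1 of makeIterable('outer', 2, log)) {
      for (const e2 of makeIterable('inner', 2, log)) {
        throw new Error(`stop at ${e1}/${e2}`);
      }
    }
  } catch (e) {
    log.push(e.message);
  }
  return log;
}

// The second bug in the entry: `continue` targeting the for-of's own label
// must advance the loop, not spin forever. Returns the iteration count.
function selfLabeledContinue() {
  let n = 0;
  inner: for (const elm of [1, 2, 3]) {
    n++;
    continue inner;
  }
  return n;
}
```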
948
949 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
950
951         [ES6] Implement Symbol.unscopables
952         https://bugs.webkit.org/show_bug.cgi?id=142829
953
954         Reviewed by Geoffrey Garen.
955
956         This patch introduces Symbol.unscopables functionality.
957         In ES6, some generic names (like keys, values) are introduced
958         as Array method names. And this breaks the web since some web sites
959         use code like the following.
960
961         var values = ...;
962         with (array) {
963             values;  // This values is trapped by array's method "values".
964         }
965
966         To fix this, Symbol.unscopables introduces a blacklist
967         for with-scope trapping. When resolving a scope,
968         if the name is found in the target scope and the target scope is a with scope,
969         we check the Symbol.unscopables object to filter generic names.
970
971         This functionality is only active for with scopes.
972         Global scope does not have unscopables functionality.
973
974         And since
975         1) op_resolve_scope for a with scope always returns the Dynamic resolve type,
976         2) in that case, JSScope::resolve is always used in the JIT and LLInt,
977         3) the code which contains op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
978         to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
979         So the performance regression is only visible in the Dynamic resolving case, and it is already very slow.
980
981         * runtime/ArrayPrototype.cpp:
982         (JSC::ArrayPrototype::finishCreation):
983         * runtime/CommonIdentifiers.h:
984         * runtime/JSGlobalObject.h:
985         (JSC::JSGlobalObject::runtimeFlags):
986         * runtime/JSScope.cpp:
987         (JSC::isUnscopable):
988         (JSC::JSScope::resolve):
989         * runtime/JSScope.h:
990         (JSC::ScopeChainIterator::scope):
991         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
992         (test):
993         * tests/stress/unscopables.js: Added.
994         (test):
995         (.):
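
        The with-scope behaviour this entry describes, as an added example that is not part of the WebKit ChangeLog or of JavaScriptCore's own tests. It assumes only standard ES6 (`Symbol.unscopables`, `globalThis`); the probes are compiled with the Function constructor because `with` is illegal in strict code.

```javascript
// `with` is only legal in sloppy mode, so each probe is compiled through the
// Function constructor, which always yields a sloppy-mode function even when
// this file itself is loaded as strict code (e.g. as an ES module).
function sloppy(body) {
  return new Function(body);
}

// Array.prototype's default blacklist: the generic names ES6 added as Array
// methods are listed here so that `with (array)` does not trap them.
function arrayUnscopableNames() {
  return Object.keys(Array.prototype[Symbol.unscopables]).sort();
}

// `values` is unscopable, so the outer binding wins inside `with (array)`
// instead of being trapped by Array.prototype.values.
const outerValuesWins = sloppy(`
  var values = 'outer';
  var array = [1, 2, 3];
  with (array) { return values; }
`);

// `length` is not in the blacklist, so the with scope still traps it.
const lengthIsTrapped = sloppy(`
  var length = 'outer';
  var array = [1, 2, 3];
  with (array) { return length; }
`);

// Any object can opt names out the same way. Only a truthy entry excludes
// the name; `visible: false` leaves `visible` resolvable on obj.
const customUnscopables = sloppy(`
  var secret = 'outer';
  var obj = { secret: 'inner', visible: 'inner' };
  obj[Symbol.unscopables] = { secret: true, visible: false };
  with (obj) { return secret + '/' + visible; }
`);

// The filter applies only to with scopes: an unscopables entry on the global
// object does not hide a global property from ordinary identifier lookup.
// The constructed global is removed again in `finally`.
const globalScopeIgnoresUnscopables = sloppy(`
  globalThis.unscopablesProbe = 'global';
  globalThis[Symbol.unscopables] = { unscopablesProbe: true };
  try {
    return unscopablesProbe;
  } finally {
    delete globalThis.unscopablesProbe;
    delete globalThis[Symbol.unscopables];
  }
`);
```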
996
997 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
998
999         ES6 class syntax should allow static setters and getters
1000         https://bugs.webkit.org/show_bug.cgi?id=143180
1001
1002         Reviewed by Filip Pizlo.
1003
1004         Apparently I misread the spec when I initially implemented parseClass.
1005         ES6 class syntax allows static getters and setters so just allow that.
1006
1007         * parser/Parser.cpp:
1008         (JSC::Parser<LexerType>::parseClass):
1009
1010 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
1011
1012         PutClosureVar CSE def() rule has a wrong base
1013         https://bugs.webkit.org/show_bug.cgi?id=143280
1014
1015         Reviewed by Michael Saboff.
1016         
1017         I think that this code was incorrect in a benign way, since the base of a
1018         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
1019
1020         * dfg/DFGClobberize.h:
1021         (JSC::DFG::clobberize):
1022
1023 2015-03-31  Commit Queue  <commit-queue@webkit.org>
1024
1025         Unreviewed, rolling out r182200.
1026         https://bugs.webkit.org/show_bug.cgi?id=143279
1027
1028         Probably causing assertion extravaganza on bots. (Requested by
1029         kling on #webkit).
1030
1031         Reverted changeset:
1032
1033         "Logically empty WeakBlocks should not pin down their
1034         MarkedBlocks indefinitely."
1035         https://bugs.webkit.org/show_bug.cgi?id=143210
1036         http://trac.webkit.org/changeset/182200
1037
1038 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1039
1040         Clean up Identifier factories to clarify the meaning of StringImpl*
1041         https://bugs.webkit.org/show_bug.cgi?id=143146
1042
1043         Reviewed by Filip Pizlo.
1044
1045         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
1046         However, it's ambiguous because `StringImpl*` has 2 different meanings.
1047         1) a normal string, which is replaceable with `WTFString`, and
1048         2) a `uid`, which holds `isSymbol` information to represent Symbols.
1049         So we dropped Identifier constructors for strings and instead introduced 2 factory functions.
1050         + `Identifier::fromString(VM*/ExecState*, const String&)`.
1051         Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
1052         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
1053         This function is used for 2) `uid`. So symbol-ness of `StringImpl*` is kept.
1054
1055         And to clean up `StringImpl` which is used as uid,
1056         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
1057         1. StringNormal (non-atomic, non-symbol)
1058         2. StringAtomic (atomic, non-symbol)
1059         3. StringSymbol (non-atomic, symbol)
1060         They are mutually exclusive. And (atomic, symbol) case should not exist.
1061
1062         * API/JSCallbackObjectFunctions.h:
1063         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1064         * API/JSObjectRef.cpp:
1065         (JSObjectMakeFunction):
1066         * API/OpaqueJSString.cpp:
1067         (OpaqueJSString::identifier):
1068         * bindings/ScriptFunctionCall.cpp:
1069         (Deprecated::ScriptFunctionCall::call):
1070         * builtins/BuiltinExecutables.cpp:
1071         (JSC::BuiltinExecutables::createExecutableInternal):
1072         * builtins/BuiltinNames.h:
1073         (JSC::BuiltinNames::BuiltinNames):
1074         * bytecompiler/BytecodeGenerator.cpp:
1075         (JSC::BytecodeGenerator::BytecodeGenerator):
1076         (JSC::BytecodeGenerator::emitThrowReferenceError):
1077         (JSC::BytecodeGenerator::emitThrowTypeError):
1078         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1079         (JSC::BytecodeGenerator::emitEnumeration):
1080         * dfg/DFGDesiredIdentifiers.cpp:
1081         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1082         * inspector/JSInjectedScriptHost.cpp:
1083         (Inspector::JSInjectedScriptHost::functionDetails):
1084         (Inspector::constructInternalProperty):
1085         (Inspector::JSInjectedScriptHost::weakMapEntries):
1086         (Inspector::JSInjectedScriptHost::iteratorEntries):
1087         * inspector/JSInjectedScriptHostPrototype.cpp:
1088         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1089         * inspector/JSJavaScriptCallFramePrototype.cpp:
1090         * inspector/ScriptCallStackFactory.cpp:
1091         (Inspector::extractSourceInformationFromException):
1092         * jit/JITOperations.cpp:
1093         * jsc.cpp:
1094         (GlobalObject::finishCreation):
1095         (GlobalObject::addFunction):
1096         (GlobalObject::addConstructableFunction):
1097         (functionRun):
1098         (runWithScripts):
1099         * llint/LLIntData.cpp:
1100         (JSC::LLInt::Data::performAssertions):
1101         * llint/LowLevelInterpreter.asm:
1102         * parser/ASTBuilder.h:
1103         (JSC::ASTBuilder::addVar):
1104         * parser/Parser.cpp:
1105         (JSC::Parser<LexerType>::parseInner):
1106         (JSC::Parser<LexerType>::createBindingPattern):
1107         * parser/ParserArena.h:
1108         (JSC::IdentifierArena::makeIdentifier):
1109         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
1110         (JSC::IdentifierArena::makeNumericIdentifier):
1111         * runtime/ArgumentsIteratorPrototype.cpp:
1112         (JSC::ArgumentsIteratorPrototype::finishCreation):
1113         * runtime/ArrayIteratorPrototype.cpp:
1114         (JSC::ArrayIteratorPrototype::finishCreation):
1115         * runtime/ArrayPrototype.cpp:
1116         (JSC::ArrayPrototype::finishCreation):
1117         (JSC::arrayProtoFuncPush):
1118         * runtime/ClonedArguments.cpp:
1119         (JSC::ClonedArguments::getOwnPropertySlot):
1120         * runtime/CommonIdentifiers.cpp:
1121         (JSC::CommonIdentifiers::CommonIdentifiers):
1122         * runtime/CommonIdentifiers.h:
1123         * runtime/Error.cpp:
1124         (JSC::addErrorInfo):
1125         (JSC::hasErrorInfo):
1126         * runtime/ExceptionHelpers.cpp:
1127         (JSC::createUndefinedVariableError):
1128         * runtime/GenericArgumentsInlines.h:
1129         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1130         * runtime/Identifier.h:
1131         (JSC::Identifier::isSymbol):
1132         (JSC::Identifier::Identifier):
1133         (JSC::Identifier::from): Deleted.
1134         * runtime/IdentifierInlines.h:
1135         (JSC::Identifier::Identifier):
1136         (JSC::Identifier::fromUid):
1137         (JSC::Identifier::fromString):
1138         * runtime/JSCJSValue.cpp:
1139         (JSC::JSValue::dumpInContextAssumingStructure):
1140         * runtime/JSCJSValueInlines.h:
1141         (JSC::JSValue::toPropertyKey):
1142         * runtime/JSGlobalObject.cpp:
1143         (JSC::JSGlobalObject::init):
1144         * runtime/JSLexicalEnvironment.cpp:
1145         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1146         * runtime/JSObject.cpp:
1147         (JSC::getClassPropertyNames):
1148         (JSC::JSObject::reifyStaticFunctionsForDelete):
1149         * runtime/JSObject.h:
1150         (JSC::makeIdentifier):
1151         * runtime/JSPromiseConstructor.cpp:
1152         (JSC::JSPromiseConstructorFuncRace):
1153         (JSC::JSPromiseConstructorFuncAll):
1154         * runtime/JSString.h:
1155         (JSC::JSString::toIdentifier):
1156         * runtime/JSSymbolTableObject.cpp:
1157         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1158         * runtime/LiteralParser.cpp:
1159         (JSC::LiteralParser<CharType>::tryJSONPParse):
1160         (JSC::LiteralParser<CharType>::makeIdentifier):
1161         * runtime/Lookup.h:
1162         (JSC::reifyStaticProperties):
1163         * runtime/MapConstructor.cpp:
1164         (JSC::constructMap):
1165         * runtime/MapIteratorPrototype.cpp:
1166         (JSC::MapIteratorPrototype::finishCreation):
1167         * runtime/MapPrototype.cpp:
1168         (JSC::MapPrototype::finishCreation):
1169         * runtime/MathObject.cpp:
1170         (JSC::MathObject::finishCreation):
1171         * runtime/NumberConstructor.cpp:
1172         (JSC::NumberConstructor::finishCreation):
1173         * runtime/ObjectConstructor.cpp:
1174         (JSC::ObjectConstructor::finishCreation):
1175         * runtime/PrivateName.h:
1176         (JSC::PrivateName::PrivateName):
1177         * runtime/PropertyMapHashTable.h:
1178         (JSC::PropertyTable::find):
1179         (JSC::PropertyTable::get):
1180         * runtime/PropertyName.h:
1181         (JSC::PropertyName::PropertyName):
1182         (JSC::PropertyName::publicName):
1183         (JSC::PropertyName::asIndex):
1184         * runtime/PropertyNameArray.cpp:
1185         (JSC::PropertyNameArray::add):
1186         * runtime/PropertyNameArray.h:
1187         (JSC::PropertyNameArray::addKnownUnique):
1188         * runtime/RegExpConstructor.cpp:
1189         (JSC::RegExpConstructor::finishCreation):
1190         * runtime/SetConstructor.cpp:
1191         (JSC::constructSet):
1192         * runtime/SetIteratorPrototype.cpp:
1193         (JSC::SetIteratorPrototype::finishCreation):
1194         * runtime/SetPrototype.cpp:
1195         (JSC::SetPrototype::finishCreation):
1196         * runtime/StringIteratorPrototype.cpp:
1197         (JSC::StringIteratorPrototype::finishCreation):
1198         * runtime/StringPrototype.cpp:
1199         (JSC::StringPrototype::finishCreation):
1200         * runtime/Structure.cpp:
1201         (JSC::Structure::getPropertyNamesFromStructure):
1202         * runtime/SymbolConstructor.cpp:
1203         * runtime/VM.cpp:
1204         (JSC::VM::throwException):
1205         * runtime/WeakMapConstructor.cpp:
1206         (JSC::constructWeakMap):
1207
1208 2015-03-31  Andreas Kling  <akling@apple.com>
1209
1210         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
1211         <https://webkit.org/b/143210>
1212
1213         Reviewed by Geoffrey Garen.
1214
1215         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
1216         we had a little problem where WeakBlocks with only null pointers would still keep their
1217         MarkedBlock alive.
1218
1219         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
1220         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
1221         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
1222         destroying them once they're fully dead.
1223
1224         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
1225         a mysterious issue where doing two full garbage collections back-to-back would free additional
1226         memory in the second collection.
1227
1228         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
1229         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
1230         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
1231
1232         * heap/Heap.h:
1233         * heap/Heap.cpp:
1234         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
1235         owned by Heap, after everything else has been swept.
1236
1237         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
1238         after a full garbage collection ends. Note that we don't do this after Eden collections, since
1239         they are unlikely to cause entire WeakBlocks to go empty.
1240
1241         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
1242         to the Heap when it's detached from a WeakSet.
1243
1244         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
1245         of the logically empty WeakBlocks owned by Heap.
1246
1247         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1248         and updates the next-logically-empty-weak-block-to-sweep index.
1249
1250         (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
1251         won't be another chance after this.
1252
1253         * heap/IncrementalSweeper.h:
1254         (JSC::IncrementalSweeper::hasWork): Deleted.
1255
1256         * heap/IncrementalSweeper.cpp:
1257         (JSC::IncrementalSweeper::fullSweep):
1258         (JSC::IncrementalSweeper::doSweep):
1259         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1260         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1261         changed to return a bool (true if there's more work to be done).
1262
1263         * heap/WeakBlock.cpp:
1264         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
1265         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1266
1267         * heap/WeakBlock.h:
1268         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1269         if the WeakBlock could be detached from the MarkedBlock.
1270
1271         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1272         when declaring them.
1273
1274 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
1275
1276         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
1277         https://bugs.webkit.org/show_bug.cgi?id=142883
1278
1279         Reviewed by Filip Pizlo.
1280
1281         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
1282
1283         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
1284         in eval inside a derived class' constructor.
1285
1286         * bytecode/EvalCodeCache.h:
1287         (JSC::EvalCodeCache::getSlow):
1288         * bytecompiler/NodesCodegen.cpp:
1289         (JSC::ThisNode::emitBytecode):
1290         * debugger/DebuggerCallFrame.cpp:
1291         (JSC::DebuggerCallFrame::evaluate):
1292         * interpreter/Interpreter.cpp:
1293         (JSC::eval):
1294         * parser/ASTBuilder.h:
1295         (JSC::ASTBuilder::thisExpr):
1296         * parser/NodeConstructors.h:
1297         (JSC::ThisNode::ThisNode):
1298         * parser/Nodes.h:
1299         * parser/Parser.cpp:
1300         (JSC::Parser<LexerType>::Parser):
1301         (JSC::Parser<LexerType>::parsePrimaryExpression):
1302         * parser/Parser.h:
1303         (JSC::parse):
1304         * parser/ParserModes.h:
1305         * parser/SyntaxChecker.h:
1306         (JSC::SyntaxChecker::thisExpr):
1307         * runtime/CodeCache.cpp:
1308         (JSC::CodeCache::getGlobalCodeBlock):
1309         (JSC::CodeCache::getProgramCodeBlock):
1310         (JSC::CodeCache::getEvalCodeBlock):
1311         * runtime/CodeCache.h:
1312         (JSC::SourceCodeKey::SourceCodeKey):
1313         * runtime/Executable.cpp:
1314         (JSC::EvalExecutable::create):
1315         * runtime/Executable.h:
1316         * runtime/JSGlobalObject.cpp:
1317         (JSC::JSGlobalObject::createEvalCodeBlock):
1318         * runtime/JSGlobalObject.h:
1319         * runtime/JSGlobalObjectFunctions.cpp:
1320         (JSC::globalFuncEval):
1321         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
1322         * tests/stress/class-syntax-tdz-in-eval.js: Added.
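
        The TDZ rule this entry enforces for direct eval, as an added example that is not part of the WebKit ChangeLog or of the stress tests named above. `Base`, `Derived` and `probe` are constructed here; the engine must raise a ReferenceError for `this` read through eval before super() returns, and allow the same read afterwards.

```javascript
// In a derived class constructor `this` is in its temporal dead zone (TDZ)
// until super() returns. Reading it before that point, directly or through a
// direct eval, must throw a ReferenceError rather than touch an
// uninitialized value.
class Base {
  constructor() { this.foo = 'initialized'; }
}

class Derived extends Base {
  constructor(readBeforeSuper) {
    if (readBeforeSuper) {
      // Must throw ReferenceError: `this` has not been initialized yet.
      eval('this.foo');
    }
    super();
    // After super() the identical eval is legal and sees Base's property.
    this.seen = eval('this.foo');
  }
}

// Returns a tag describing what happened, so both paths can be checked
// without relying on printed output.
function probe(readBeforeSuper) {
  try {
    const d = new Derived(readBeforeSuper);
    return 'ok:' + d.seen;
  } catch (e) {
    return e.constructor.name + ':' + (e instanceof ReferenceError);
  }
}
```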
1323
1324 2015-03-31  Commit Queue  <commit-queue@webkit.org>
1325
1326         Unreviewed, rolling out r182186.
1327         https://bugs.webkit.org/show_bug.cgi?id=143270
1328
1329         It crashes all the WebGL tests on the Debug bots (Requested by
1330         dino on #webkit).
1331
1332         Reverted changeset:
1333
1334         "Web Inspector: add 2D/WebGL canvas instrumentation
1335         infrastructure"
1336         https://bugs.webkit.org/show_bug.cgi?id=137278
1337         http://trac.webkit.org/changeset/182186
1338
1339 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1340
1341         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
1342         https://bugs.webkit.org/show_bug.cgi?id=142937
1343
1344         Reviewed by Darin Adler.
1345
1346         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
1347         In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
1348         But now, several functions perform ToObject on a non-object parameter.
1349         And others behave as if the parameter were a non-extensible ordinary object with no own properties.
1350         It is described in ES6 Annex E.
1351         The functions that differ from ES5 are the following.
1352
1353         1. An attempt is made to coerce the argument using ToObject.
1354             Object.getOwnPropertyDescriptor
1355             Object.getOwnPropertyNames
1356             Object.getPrototypeOf
1357             Object.keys
1358
1359         2. Treated as if it were a non-extensible ordinary object with no own properties.
1360             Object.freeze
1361             Object.isExtensible
1362             Object.isFrozen
1363             Object.isSealed
1364             Object.preventExtensions
1365             Object.seal
1366
1367         * runtime/ObjectConstructor.cpp:
1368         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1369         (JSC::objectConstructorGetPrototypeOf):
1370         (JSC::objectConstructorGetOwnPropertyDescriptor):
1371         (JSC::objectConstructorGetOwnPropertyNames):
1372         (JSC::objectConstructorKeys):
1373         (JSC::objectConstructorSeal):
1374         (JSC::objectConstructorFreeze):
1375         (JSC::objectConstructorPreventExtensions):
1376         (JSC::objectConstructorIsSealed):
1377         (JSC::objectConstructorIsFrozen):
1378         (JSC::objectConstructorIsExtensible):
1379         * tests/stress/object-freeze-accept-non-object.js: Added.
1380         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
1381         (canary):
1382         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
1383         (compare):
1384         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
1385         * tests/stress/object-is-extensible-accept-non-object.js: Added.
1386         * tests/stress/object-is-frozen-accept-non-object.js: Added.
1387         * tests/stress/object-is-sealed-accept-non-object.js: Added.
1388         * tests/stress/object-keys-perform-to-object.js: Added.
1389         (compare):
1390         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
1391         * tests/stress/object-seal-accept-non-object.js: Added.
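
        Added example, not part of this ChangeLog or the JSC sources: it probes each
        Object.* function listed in the entry above with non-object arguments and
        classifies the outcome, so the two Annex E groups can be checked on any engine
        (the group tables and helper names are the example's own).

```javascript
// Added example (not part of the WebKit ChangeLog or the JSC sources): probes
// each Object.* function named above with non-object arguments and classifies
// the outcome, so the ES6 Annex E behaviour can be checked on any engine.

// Group 1: the argument is coerced with ToObject, so a primitive behaves like
// its wrapper object. getOwnPropertyDescriptor is probed with the key "0".
const COERCING = {
  getOwnPropertyDescriptor: (v) => Object.getOwnPropertyDescriptor(v, "0"),
  getOwnPropertyNames: (v) => Object.getOwnPropertyNames(v),
  getPrototypeOf: (v) => Object.getPrototypeOf(v),
  keys: (v) => Object.keys(v),
};

// Group 2: the argument is treated as a non-extensible ordinary object with
// no own properties, so the mutators are no-ops and the predicates are fixed.
const NON_EXTENSIBLE = {
  freeze: (v) => Object.freeze(v),
  isExtensible: (v) => Object.isExtensible(v),
  isFrozen: (v) => Object.isFrozen(v),
  isSealed: (v) => Object.isSealed(v),
  preventExtensions: (v) => Object.preventExtensions(v),
  seal: (v) => Object.seal(v),
};

// Call fn(value) and record either the result or the name of the thrown
// error. An ES5 engine would report TypeError for every entry in both groups.
function probe(fn, value) {
  try {
    return { threw: false, result: fn(value) };
  } catch (e) {
    return { threw: true, error: e.constructor.name };
  }
}

// Probe every function in a group and key the outcomes by function name.
function probeAll(group, value) {
  const outcomes = {};
  for (const [name, fn] of Object.entries(group)) {
    outcomes[name] = probe(fn, value);
  }
  return outcomes;
}

// True when the engine follows the relaxed semantics for a primitive that
// ToObject can wrap (string, number, boolean, symbol): group 1 matches the
// wrapper object, group 2 hands the argument back and reports it as
// non-extensible, frozen and sealed. Not meant for null/undefined or NaN.
function followsAnnexE(primitive) {
  const wrapper = Object(primitive);
  const coerced = probeAll(COERCING, primitive);
  const nonExt = probeAll(NON_EXTENSIBLE, primitive);
  const sameList = (a, b) => JSON.stringify(a) === JSON.stringify(b);
  return (
    sameList(coerced.keys.result, Object.keys(wrapper)) &&
    sameList(coerced.getOwnPropertyNames.result, Object.getOwnPropertyNames(wrapper)) &&
    coerced.getPrototypeOf.result === Object.getPrototypeOf(wrapper) &&
    nonExt.freeze.result === primitive &&
    nonExt.seal.result === primitive &&
    nonExt.preventExtensions.result === primitive &&
    nonExt.isExtensible.result === false &&
    nonExt.isFrozen.result === true &&
    nonExt.isSealed.result === true
  );
}

// null and undefined are where the two groups still differ: ToObject cannot
// wrap them, so group 1 keeps throwing a TypeError, while group 2 simply
// returns the value or the fixed predicate answer without throwing.
function nullishOutcome(value) {
  const coerced = Object.values(probeAll(COERCING, value));
  const nonExt = Object.values(probeAll(NON_EXTENSIBLE, value));
  return {
    group1AllThrowTypeError: coerced.every((r) => r.threw && r.error === "TypeError"),
    group2NoneThrow: nonExt.every((r) => !r.threw),
  };
}
```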
1392
1393 2015-03-31  Matt Baker  <mattbaker@apple.com>
1394
1395         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
1396         https://bugs.webkit.org/show_bug.cgi?id=137278
1397
1398         Reviewed by Timothy Hatcher.
1399
1400         Added Canvas protocol which defines types used by InspectorCanvasAgent.
1401
1402         * CMakeLists.txt:
1403         * DerivedSources.make:
1404         * inspector/protocol/Canvas.json: Added.
1405
1406         * inspector/scripts/codegen/generator.py:
1407         (Generator.stylized_name_for_enum_value):
1408         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
1409
1410 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
1411
1412         Extending null should set __proto__ to null
1413         https://bugs.webkit.org/show_bug.cgi?id=142882
1414
1415         Reviewed by Geoffrey Garen and Benjamin Poulain.
1416
1417         Set Derived.prototype.__proto__ to null when extending null.
1418
1419         * bytecompiler/NodesCodegen.cpp:
1420         (JSC::ClassExprNode::emitBytecode):
1421
1422 2015-03-30  Mark Lam  <mark.lam@apple.com>
1423
1424         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
1425         <https://webkit.org/b/143105>
1426
1427         Reviewed by Filip Pizlo.
1428
1429         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
1430         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
1431         JIT frames that may have their scope register not set.  The Debugger's current implementation
1432         which relies on the scope register is not happy about this.  For example, this results in a
1433         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
1434
1435         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
1436         ensure that the scope register value is flushed to the register in the stack frame.
1437
1438         * dfg/DFGByteCodeParser.cpp:
1439         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1440         (JSC::DFG::ByteCodeParser::setLocal):
1441         (JSC::DFG::ByteCodeParser::flush):
1442         - Add code to flush the scope register.
1443         (JSC::DFG::ByteCodeParser::inliningCost):
1444         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
1445           disabling inlining whenever the debugger is in use.
1446         * dfg/DFGGraph.cpp:
1447         (JSC::DFG::Graph::Graph):
1448         * dfg/DFGGraph.h:
1449         (JSC::DFG::Graph::hasDebuggerEnabled):
1450         * dfg/DFGStackLayoutPhase.cpp:
1451         (JSC::DFG::StackLayoutPhase::run):
1452         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
1453         * ftl/FTLCompile.cpp:
1454         (JSC::FTL::mmAllocateDataSection):
1455         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
1456
1457 2015-03-30  Michael Saboff  <msaboff@apple.com>
1458
1459         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
1460         https://bugs.webkit.org/show_bug.cgi?id=138391
1461
1462         Reviewed by Mark Lam.
1463
1464         Re-enabling these tests as I can't get them to fail on local iOS test devices.
1465         There have been many changes since these tests were disabled.
1466         I'll watch automated test results for failures.  If there are failures running automated
1467         testing, it might be due to the device's relative CPU performance.
1468         
1469         * tests/stress/float32-repeat-out-of-bounds.js:
1470         * tests/stress/int8-repeat-out-of-bounds.js:
1471
1472 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
1473
1474         Web Inspector: Regression: Preview for [[null]] shouldn't be []
1475         https://bugs.webkit.org/show_bug.cgi?id=143208
1476
1477         Reviewed by Mark Lam.
1478
1479         * inspector/InjectedScriptSource.js:
1480         Handle null when generating simple object previews.
1481
1482 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
1483
1484         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
1485         https://bugs.webkit.org/show_bug.cgi?id=143134
1486
1487         Reviewed by Geoffrey Garen.
1488
1489         * jit/JSInterfaceJIT.h:
1490         * jit/Repatch.cpp:
1491         (JSC::tryCacheGetByID):
1492
1493 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
1494
1495         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
1496         https://bugs.webkit.org/show_bug.cgi?id=143104
1497
1498         Reviewed by Geoffrey Garen.
1499         
1500         Created a test that is a 100% repro of the flaky failure. This test is called
1501         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
1502         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
1503         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
1504         
1505         Also created three more tests for three similar, but not identical, failures.
1506         
1507         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
1508         only reading those parts of the stack that are relevant to the current semantic code origin.
1509         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
1510         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
1511         read parts of the stack associated with the inline call frame for the phantom arguments. This
1512         may not be subsumed by the current semantic origin's stack area in cases that the arguments
1513         were allowed to "locally" escape.
1514         
1515         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
1516         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
1517         the stack due to function.arguments, but there are a bunch of other ways that we could also
1518         read the stack and those operations may read any stack slot. I believe that this change makes
1519         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
1520         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
1521         readTop() in PreciseLocalClobberize does the right thing.
1522
1523         * dfg/DFGClobberize.h:
1524         (JSC::DFG::clobberize):
1525         * dfg/DFGPreciseLocalClobberize.h:
1526         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1527         * dfg/DFGPutStackSinkingPhase.cpp:
1528         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
1529         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
1530         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
1531         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
1532         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
1533
1534 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
1535
1536         Start the features.json files
1537         https://bugs.webkit.org/show_bug.cgi?id=143207
1538
1539         Reviewed by Darin Adler.
1540
1541         Start the features.json files to have something to experiment
1542         with for the UI.
1543
1544         * features.json: Added.
1545
1546 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1547
1548         [Win] Addressing post-review comment after r182122
1549         https://bugs.webkit.org/show_bug.cgi?id=143189
1550
1551         Unreviewed.
1552
1553 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1554
1555         [Win] Allow building JavaScriptCore without Cygwin
1556         https://bugs.webkit.org/show_bug.cgi?id=143189
1557
1558         Reviewed by Brent Fulgham.
1559
1560         Paths like /usr/bin/ don't exist on Windows.
1561         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
1562         Prefixing commands with environment variables doesn't work on Windows.
1563         Windows doesn't have 'cmp'.
1564         Windows uses 'del' instead of 'rm'.
1565         Windows uses 'type NUL' instead of 'touch'.
1566
1567         * DerivedSources.make:
1568         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1569         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1570         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
1571         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1572         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
1573         * JavaScriptCore.vcxproj/build-generated-files.pl:
1574         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
1575
1576 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
1577
1578         Clean up JavaScriptCore/builtins
1579         https://bugs.webkit.org/show_bug.cgi?id=143177
1580
1581         Reviewed by Ryosuke Niwa.
1582
1583         * builtins/ArrayConstructor.js:
1584         (from):
1585         - We can compare to undefined instead of using a typeof undefined check.
1586         - Converge on double quoted strings everywhere.
1587
1588         * builtins/ArrayIterator.prototype.js:
1589         (next):
1590         * builtins/StringIterator.prototype.js:
1591         (next):
1592         - Use shorthand object construction to avoid duplication.
1593         - Improve grammar in error messages.
1594
1595         * tests/stress/array-iterators-next-with-call.js:
1596         * tests/stress/string-iterators.js:
1597         - Update for new error message strings.
1598
1599 2015-03-28  Saam Barati  <saambarati1@gmail.com>
1600
1601         Web Inspector: ES6: Better support for Symbol types in Type Profiler
1602         https://bugs.webkit.org/show_bug.cgi?id=141257
1603
1604         Reviewed by Joseph Pecoraro.
1605
1606         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
1607         type profiler support this new primitive type.
1608
1609         * dfg/DFGFixupPhase.cpp:
1610         (JSC::DFG::FixupPhase::fixupNode):
1611         * inspector/protocol/Runtime.json:
1612         * runtime/RuntimeType.cpp:
1613         (JSC::runtimeTypeForValue):
1614         * runtime/RuntimeType.h:
1615         (JSC::runtimeTypeIsPrimitive):
1616         * runtime/TypeSet.cpp:
1617         (JSC::TypeSet::addTypeInformation):
1618         (JSC::TypeSet::dumpTypes):
1619         (JSC::TypeSet::doesTypeConformTo):
1620         (JSC::TypeSet::displayName):
1621         (JSC::TypeSet::inspectorTypeSet):
1622         (JSC::TypeSet::toJSONString):
1623         * runtime/TypeSet.h:
1624         (JSC::TypeSet::seenTypes):
1625         * tests/typeProfiler/driver/driver.js:
1626         * tests/typeProfiler/symbol.js: Added.
1627         (wrapper.foo):
1628         (wrapper.bar):
1629         (wrapper.bar.bar.baz):
1630         (wrapper):
1631
1632 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1633
1634         Deconstruction parameters are bound too late
1635         https://bugs.webkit.org/show_bug.cgi?id=143148
1636
1637         Reviewed by Filip Pizlo.
1638
1639         Currently, a deconstruction pattern named with the same
1640         name as a function will shadow the function. This is
1641         wrong. It should be the other way around.
1642
1643         * bytecompiler/BytecodeGenerator.cpp:
1644         (JSC::BytecodeGenerator::generate):
1645
1646 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1647
1648         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
1649         https://bugs.webkit.org/show_bug.cgi?id=143170
1650
1651         Reviewed by Benjamin Poulain.
1652
1653         Assert that we never use 16-bit version of the parser to parse a default constructor
1654         since both base and derived default constructors should be using an 8-bit string.
1655
1656         * parser/Parser.h:
1657         (JSC::parse):
1658
1659 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1660
1661         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
1662         https://bugs.webkit.org/show_bug.cgi?id=142862
1663
1664         Reviewed by Benjamin Poulain.
1665
1666         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
1667
1668         * tests/stress/class-syntax-derived-default-constructor.js: Added.
1669
1670 2015-03-27  Michael Saboff  <msaboff@apple.com>
1671
1672         load8Signed() and load16Signed() should be renamed to avoid confusion
1673         https://bugs.webkit.org/show_bug.cgi?id=143168
1674
1675         Reviewed by Benjamin Poulain.
1676
1677         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
1678
1679         * assembler/MacroAssemblerARM.h:
1680         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
1681         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
1682         (JSC::MacroAssemblerARM::load8Signed): Deleted.
1683         (JSC::MacroAssemblerARM::load16Signed): Deleted.
1684         * assembler/MacroAssemblerARM64.h:
1685         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
1686         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
1687         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
1688         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
1689         * assembler/MacroAssemblerARMv7.h:
1690         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
1691         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
1692         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
1693         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
1694         * assembler/MacroAssemblerMIPS.h:
1695         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1696         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1697         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
1698         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
1699         * assembler/MacroAssemblerSH4.h:
1700         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
1701         (JSC::MacroAssemblerSH4::load8):
1702         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
1703         (JSC::MacroAssemblerSH4::load16):
1704         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
1705         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
1706         * assembler/MacroAssemblerX86Common.h:
1707         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
1708         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
1709         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
1710         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
1711         * dfg/DFGSpeculativeJIT.cpp:
1712         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1713         * jit/JITPropertyAccess.cpp:
1714         (JSC::JIT::emitIntTypedArrayGetByVal):
1715
1716 2015-03-27  Michael Saboff  <msaboff@apple.com>
1717
1718         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
1719         https://bugs.webkit.org/show_bug.cgi?id=138390
1720
1721         Reviewed by Mark Lam.
1722
1723         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
1724         instead of 64 bits.  This is what X86-64 does.
1725
1726         * assembler/MacroAssemblerARM64.h:
1727         (JSC::MacroAssemblerARM64::load16Signed):
1728         (JSC::MacroAssemblerARM64::load8Signed):
1729
1730 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1731
1732         Add back previously broken assert from bug 141869
1733         https://bugs.webkit.org/show_bug.cgi?id=143005
1734
1735         Reviewed by Michael Saboff.
1736
1737         * runtime/ExceptionHelpers.cpp:
1738         (JSC::invalidParameterInSourceAppender):
1739
1740 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1741
1742         Make some more objects use FastMalloc
1743         https://bugs.webkit.org/show_bug.cgi?id=143122
1744
1745         Reviewed by Csaba Osztrogonác.
1746
1747         * API/JSCallbackObject.h:
1748         * heap/IncrementalSweeper.h:
1749         * jit/JITThunks.h:
1750         * runtime/JSGlobalObjectDebuggable.h:
1751         * runtime/RegExpCache.h:
1752
1753 2015-03-27  Michael Saboff  <msaboff@apple.com>
1754
1755         Objects with numeric properties intermittently get a phantom 'length' property
1756         https://bugs.webkit.org/show_bug.cgi?id=142792
1757
1758         Reviewed by Csaba Osztrogonác.
1759
1760         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
1761         test and branch instructions.  This function is used for linking tbz/tbnz branches between
1762         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
1763         the failure case checks in the GetById array length stub created for "obj.length" access.
1764         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
1765         being set when we should have been looking for bit 0.
1766
1767         * assembler/ARM64Assembler.h:
1768         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
1769
1770 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1771
1772         Insert exception check around toPropertyKey call
1773         https://bugs.webkit.org/show_bug.cgi?id=142922
1774
1775         Reviewed by Geoffrey Garen.
1776
1777         In some places, an exception check is missing after/before toPropertyKey.
1778         However, since it calls toString, this is observable to users.
1779
1780         Missing exception checks in Object.prototype methods can be
1781         observed since it would be overridden with toObject(null/undefined) errors.
1782         We inserted exception checks after toPropertyKey.
1783
1784         Missing exception checks in GetById related code can be
1785         observed since it would be overridden with toObject(null/undefined) errors.
1786         In this case, we need to insert exception checks before/after toPropertyKey
1787         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
1788
1789         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
1790         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
1791         According to the spec, we first perform RequireObjectCoercible and check the exception.
1792         And second, we perform ToPropertyKey and check the exception.
1793         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
1794         For example, if the target is not object coercible,
1795         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
1796         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
1797
1798         This patch introduces JSValue::requireObjectCoercible and uses it for the following 2 reasons.
1799
1800         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
1801
1802         toObject converts primitive types into wrapper objects.
1803         But it is not efficient since wrapper objects are not necessary
1804         if we look up methods from a primitive value's prototype. (using synthesizePrototype is better).
1805
1806         2. Using the result of toObject is not correct to the spec.
1807
1808         To align to the spec correctly, we cannot use JSObject::get
1809         by using the wrapper object produced by the toObject suggested in (1).
1810         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
1811         It is not correct since getter should be called with the original |this| value that may be primitive types.
1812
1813         So in this patch, we use JSValue::requireObjectCoercible
1814         to check the target is object coercible and raise an error if it's not.
1815
1816         * dfg/DFGOperations.cpp:
1817         * jit/JITOperations.cpp:
1818         (JSC::getByVal):
1819         * llint/LLIntSlowPaths.cpp:
1820         (JSC::LLInt::getByVal):
1821         * runtime/CommonSlowPaths.cpp:
1822         (JSC::SLOW_PATH_DECL):
1823         * runtime/JSCJSValue.h:
1824         * runtime/JSCJSValueInlines.h:
1825         (JSC::JSValue::requireObjectCoercible):
1826         * runtime/ObjectPrototype.cpp:
1827         (JSC::objectProtoFuncHasOwnProperty):
1828         (JSC::objectProtoFuncDefineGetter):
1829         (JSC::objectProtoFuncDefineSetter):
1830         (JSC::objectProtoFuncLookupGetter):
1831         (JSC::objectProtoFuncLookupSetter):
1832         (JSC::objectProtoFuncPropertyIsEnumerable):
1833         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
1834         (shouldThrow):
1835         (if):
1836         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
1837         (shouldThrow):
1838         (.):
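
        Added example, not part of this ChangeLog or the JSC sources: it makes the
        orderings discussed in the entry above observable from script, using a property
        key whose toString() logs that it ran and then throws a marker error. The helper
        names and the placeholder getter name are the example's own.

```javascript
// Added example (not part of the WebKit ChangeLog or the JSC sources): makes
// the two orderings discussed above observable from script. The property key
// is an object whose toString() logs that it ran and then throws a marker
// error, so each probe reveals whether ToPropertyKey ran and which error won.

// Build a key whose conversion to a property key is observable.
function makeTracingKey(log) {
  return {
    toString() {
      log.push("toString");
      throw new Error("marker-from-toString");
    },
  };
}

// Run action(key) and report the error class that escaped (null if none) and
// whether the key's toString() was invoked along the way.
function observe(action) {
  const log = [];
  const key = makeTracingKey(log);
  let error = null;
  try {
    action(key);
  } catch (e) {
    error = e.constructor.name;
  }
  return { error, toStringCalled: log.length > 0 };
}

// base[key]: the spec runs RequireObjectCoercible(base) before
// ToPropertyKey(key). For a null/undefined base the expected outcome is a
// TypeError with toString() never called; for any other base, toString() runs
// and its marker Error is what escapes.
function getByValOutcome(base) {
  return observe((key) => base[key]);
}

// Object.prototype.hasOwnProperty.call(thisValue, key): here the spec runs
// ToPropertyKey(key) first and ToObject(this) second, so the marker Error from
// toString() must escape even for a null |this|. Reporting a TypeError instead
// is exactly the "overridden with toObject(null/undefined) errors" symptom.
function hasOwnPropertyOutcome(thisValue) {
  return observe((key) => Object.prototype.hasOwnProperty.call(thisValue, key));
}

// Reason 2 above: a getter reached through a primitive base must see the
// original primitive as |this|, not a ToObject wrapper. A strict-mode getter
// keeps |this| unboxed, so typeof reports "number" when the lookup is correct.
// The property name is a constructed placeholder and is removed afterwards.
function getterThisTypeOnPrimitive() {
  const name = "__exampleThisProbe";
  Object.defineProperty(Number.prototype, name, {
    configurable: true,
    get() {
      "use strict";
      return typeof this;
    },
  });
  try {
    return (5)[name];
  } finally {
    delete Number.prototype[name];
  }
}

// True when the engine orders the observable steps as the spec requires.
function followsSpecOrder() {
  const nullBase = getByValOutcome(null);
  const nullThis = hasOwnPropertyOutcome(null);
  return (
    nullBase.error === "TypeError" && !nullBase.toStringCalled &&
    nullThis.error === "Error" && nullThis.toStringCalled &&
    getterThisTypeOnPrimitive() === "number"
  );
}
```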
1839
1840 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1841
1842         WebContent Crash when instantiating class with Type Profiling enabled
1843         https://bugs.webkit.org/show_bug.cgi?id=143037
1844
1845         Reviewed by Ryosuke Niwa.
1846
1847         * bytecompiler/BytecodeGenerator.h:
1848         * bytecompiler/BytecodeGenerator.cpp:
1849         (JSC::BytecodeGenerator::BytecodeGenerator):
1850         (JSC::BytecodeGenerator::emitMoveEmptyValue):
1851         We cannot profile the type of an uninitialized empty JSValue.
1852         Nor do we expect this to be necessary, since it is effectively
1853         an unseen undefined value. So add a way to put the empty value
1854         without profiling.
1855
1856         (JSC::BytecodeGenerator::emitMove):
1857         Add an assert to try to catch this issue early on, and force
1858         callers to explicitly use emitMoveEmptyValue instead.
1859
1860         * tests/typeProfiler/classes.js: Added.
1861         (wrapper.Base):
1862         (wrapper.Derived):
1863         (wrapper):
1864         Add test coverage both for this case and classes in general.
1865
1866 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1867
1868         Web Inspector: ES6: Provide a better view for Classes in the console
1869         https://bugs.webkit.org/show_bug.cgi?id=142999
1870
1871         Reviewed by Timothy Hatcher.
1872
1873         * inspector/protocol/Runtime.json:
1874         Provide a new `subtype` enum "class". This is a subtype of `type`
1875         "function", all other subtypes are subtypes of `object` types.
1876         For a class, the frontend will immediately want to get the prototype
1877         to enumerate its methods, so include the `classPrototype`.
1878
1879         * inspector/JSInjectedScriptHost.cpp:
1880         (Inspector::JSInjectedScriptHost::subtype):
1881         Denote class construction functions as "class" subtypes.
1882
1883         * inspector/InjectedScriptSource.js:
1884         Handling for the new "class" type.
1885
1886         * bytecode/UnlinkedCodeBlock.h:
1887         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
1888         * runtime/Executable.h:
1889         (JSC::FunctionExecutable::isClassConstructorFunction):
1890         * runtime/JSFunction.h:
1891         * runtime/JSFunctionInlines.h:
1892         (JSC::JSFunction::isClassConstructorFunction):
1893         Check if this function is a class constructor function. That information
1894         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
1895
1896 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1897
1898         Function.prototype.toString should not decompile the AST
1899         https://bugs.webkit.org/show_bug.cgi?id=142853
1900
1901         Reviewed by Darin Adler.
1902
1903         Following up on Darin's review comments.
1904
1905         * runtime/FunctionConstructor.cpp:
1906         (JSC::constructFunctionSkippingEvalEnabledCheck):
1907
1908 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1909
1910         "lineNo" does not match WebKit coding style guidelines
1911         https://bugs.webkit.org/show_bug.cgi?id=143119
1912
1913         Reviewed by Michael Saboff.
1914
1915         We can afford to use whole words.
1916
1917         * bytecode/CodeBlock.cpp:
1918         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1919         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
1920         * bytecode/UnlinkedCodeBlock.cpp:
1921         (JSC::UnlinkedFunctionExecutable::link):
1922         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1923         * bytecode/UnlinkedCodeBlock.h:
1924         * bytecompiler/NodesCodegen.cpp:
1925         (JSC::WhileNode::emitBytecode):
1926         * debugger/Debugger.cpp:
1927         (JSC::Debugger::toggleBreakpoint):
1928         * interpreter/Interpreter.cpp:
1929         (JSC::StackFrame::computeLineAndColumn):
1930         (JSC::GetStackTraceFunctor::operator()):
1931         (JSC::Interpreter::execute):
1932         * interpreter/StackVisitor.cpp:
1933         (JSC::StackVisitor::Frame::computeLineAndColumn):
1934         * parser/Nodes.h:
1935         (JSC::Node::firstLine):
1936         (JSC::Node::lineNo): Deleted.
1937         (JSC::StatementNode::firstLine): Deleted.
1938         * parser/ParserError.h:
1939         (JSC::ParserError::toErrorObject):
1940         * profiler/LegacyProfiler.cpp:
1941         (JSC::createCallIdentifierFromFunctionImp):
1942         * runtime/CodeCache.cpp:
1943         (JSC::CodeCache::getGlobalCodeBlock):
1944         * runtime/Executable.cpp:
1945         (JSC::ScriptExecutable::ScriptExecutable):
1946         (JSC::ScriptExecutable::newCodeBlockFor):
1947         (JSC::FunctionExecutable::fromGlobalCode):
1948         * runtime/Executable.h:
1949         (JSC::ScriptExecutable::firstLine):
1950         (JSC::ScriptExecutable::setOverrideLineNumber):
1951         (JSC::ScriptExecutable::hasOverrideLineNumber):
1952         (JSC::ScriptExecutable::overrideLineNumber):
1953         (JSC::ScriptExecutable::lineNo): Deleted.
1954         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
1955         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
1956         (JSC::ScriptExecutable::overrideLineNo): Deleted.
1957         * runtime/FunctionConstructor.cpp:
1958         (JSC::constructFunctionSkippingEvalEnabledCheck):
1959         * runtime/FunctionConstructor.h:
1960         * tools/CodeProfile.cpp:
1961         (JSC::CodeProfile::report):
1962         * tools/CodeProfile.h:
1963         (JSC::CodeProfile::CodeProfile):
1964
1965 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1966
1967         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
1968         https://bugs.webkit.org/show_bug.cgi?id=142974
1969
1970         Reviewed by Joseph Pecoraro.
1971
1972         This patch does two things:
1973
1974         (1) Restore JavaScriptCore's sanitization of line and column numbers to
1975         one-based values.
1976
1977         We need this because WebCore sometimes provides huge negative column
1978         numbers.
1979
1980         (2) Solve the attribute event listener line numbering problem a different
1981         way: Rather than offsetting all line numbers by -1 in an attribute event
1982         listener in order to arrange for a custom result, instead use an explicit
1983         feature for saying "all errors in this code should map to this line number".
1984
1985         * bytecode/UnlinkedCodeBlock.cpp:
1986         (JSC::UnlinkedFunctionExecutable::link):
1987         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1988         * bytecode/UnlinkedCodeBlock.h:
1989         * interpreter/Interpreter.cpp:
1990         (JSC::StackFrame::computeLineAndColumn):
1991         (JSC::GetStackTraceFunctor::operator()):
1992         * interpreter/Interpreter.h:
1993         * interpreter/StackVisitor.cpp:
1994         (JSC::StackVisitor::Frame::computeLineAndColumn):
1995         * parser/ParserError.h:
1996         (JSC::ParserError::toErrorObject): Plumb through an override line number.
1997         When a function has an override line number, all syntax and runtime
1998         errors in the function will map to it. This is useful for attribute event
1999         listeners.
2000  
2001         * parser/SourceCode.h:
2002         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
2003         column numbers to one-based integers. It was kind of a hack to remove this.
2004
2005         * runtime/Executable.cpp:
2006         (JSC::ScriptExecutable::ScriptExecutable):
2007         (JSC::FunctionExecutable::fromGlobalCode):
2008         * runtime/Executable.h:
2009         (JSC::ScriptExecutable::setOverrideLineNo):
2010         (JSC::ScriptExecutable::hasOverrideLineNo):
2011         (JSC::ScriptExecutable::overrideLineNo):
2012         * runtime/FunctionConstructor.cpp:
2013         (JSC::constructFunctionSkippingEvalEnabledCheck):
2014         * runtime/FunctionConstructor.h: Plumb through an override line number.
2015
2016 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2017
2018         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
2019
2020         Reviewed by Michael Saboff.
2021
2022         * jit/JITPropertyAccess.cpp:
2023         (JSC::JIT::emitScopedArgumentsGetByVal):
2024         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
2025
2026 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2027
2028         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
2029         https://bugs.webkit.org/show_bug.cgi?id=143098
2030
2031         Reviewed by Csaba Osztrogonác.
2032
2033         * ftl/FTLLowerDFGToLLVM.cpp:
2034         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
2035         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
2036
2037 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
2038
2039         Unreviewed gardening, skip failing tests on AArch64 Linux.
2040
2041         * tests/mozilla/mozilla-tests.yaml:
2042         * tests/stress/cached-prototype-setter.js:
2043
2044 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2045
2046         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
2047
2048         * dfg/DFGConstantFoldingPhase.cpp:
2049         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
2050         * ftl/FTLCompile.cpp:
2051         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
2052         * ftl/FTLState.cpp:
2053         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
2054         * ftl/FTLState.h:
2055
2056 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2057
2058         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
2059         right, so this just makes 32-bit do the same.
2060
2061         * dfg/DFGSpeculativeJIT32_64.cpp:
2062         (JSC::DFG::SpeculativeJIT::emitCall):
2063
2064 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2065
2066         Fix a typo that ggaren found but that I didn't fix before.
2067
2068         * runtime/DirectArgumentsOffset.h:
2069
2070 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2071
2072         Unreviewed, VC found a bug. This fixes the bug.
2073
2074         * dfg/DFGConstantFoldingPhase.cpp:
2075         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2076
2077 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2078
2079         Unreviewed, try to fix Windows build.
2080
2081         * runtime/ClonedArguments.cpp:
2082         (JSC::ClonedArguments::createWithInlineFrame):
2083
2084 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2085
2086         Unreviewed, fix debug build.
2087
2088         * bytecompiler/NodesCodegen.cpp:
2089         (JSC::ConstDeclNode::emitCodeSingle):
2090
2091 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2092
2093         Unreviewed, fix CLOOP build.
2094
2095         * dfg/DFGMinifiedID.h:
2096
2097 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2098
2099         Heap variables shouldn't end up in the stack frame
2100         https://bugs.webkit.org/show_bug.cgi?id=141174
2101
2102         Reviewed by Geoffrey Garen.
2103         
2104         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
2105         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
2106         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
2107         simplifications:
2108         
2109         - Accesses to variables no longer need checks or indirections to determine where the variable is
2110           at that moment in time. For example, loading a closure variable now takes just one load instead
2111           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
2112           (when no arguments object allocation is required) while previously that same operation required
2113           a "did I allocate arguments yet" check, a bounds check, and then the load.
2114         
2115         - Reasoning about the allocation of an activation or arguments object now follows the same simple
2116           logic as the allocation of any other kind of object. Previously, those objects were lazily
2117           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
2118           allocate anything at all. This made the implementation of traditional escape analyses really
2119           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
2120           arguments object using the usual SSA tricks which allows for more comprehensive removal.
2121         
2122         - The allocations of arguments objects, functions, and activations are now much faster. While
2123           this patch generally expands our ability to eliminate arguments object allocations, an earlier
2124           version of the patch - which lacked that functionality - was a progression on some arguments-
2125           and closure-happy benchmarks because although no allocations were eliminated, all allocations
2126           were faster.
2127         
2128         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
2129           its arguments objects or activations. The runtime doesn't have to do things to the arguments
2130           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
2131           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
2132           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" is
2133           now gone. This also enables implementing block-scoping. Without this change, block-scope
2134           support would require telling CodeBlock and all of the rest of the runtime about all of the
2135           variables that store currently-live scopes. That would have been so disastrously hard that it
2136           might as well be impossible. With this change, it's fair game for the bytecode generator to
2137           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
2138           however long it wants. This all works, because after bytecode generation, an activation is just
2139           an object and variables that refer to it are just normal variables.
2140         
2141         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
2142           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
2143           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
2144           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
2145           an arguments object.
2146         
2147         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
2148           using activations used to prevent inlining; now functions that use activations can be inlined
2149           just fine.
2150         
2151         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
2152         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
2153         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
2154         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
2155         
2156         The easiest way of understanding this change is to start by looking at the changes in runtime/,
2157         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
2158
2159         * CMakeLists.txt:
2160         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2161         * JavaScriptCore.xcodeproj/project.pbxproj:
2162         * assembler/AbortReason.h:
2163         * assembler/AbstractMacroAssembler.h:
2164         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
2165         * bytecode/ByValInfo.h:
2166         (JSC::hasOptimizableIndexingForJSType):
2167         (JSC::hasOptimizableIndexing):
2168         (JSC::jitArrayModeForJSType):
2169         (JSC::jitArrayModePermitsPut):
2170         (JSC::jitArrayModeForStructure):
2171         * bytecode/BytecodeKills.h: Added.
2172         (JSC::BytecodeKills::BytecodeKills):
2173         (JSC::BytecodeKills::operandIsKilled):
2174         (JSC::BytecodeKills::forEachOperandKilledAt):
2175         (JSC::BytecodeKills::KillSet::KillSet):
2176         (JSC::BytecodeKills::KillSet::add):
2177         (JSC::BytecodeKills::KillSet::forEachLocal):
2178         (JSC::BytecodeKills::KillSet::contains):
2179         * bytecode/BytecodeList.json:
2180         * bytecode/BytecodeLivenessAnalysis.cpp:
2181         (JSC::isValidRegisterForLiveness):
2182         (JSC::stepOverInstruction):
2183         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
2184         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
2185         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
2186         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
2187         (JSC::BytecodeLivenessAnalysis::computeKills):
2188         (JSC::indexForOperand): Deleted.
2189         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
2190         (JSC::getLivenessInfo): Deleted.
2191         * bytecode/BytecodeLivenessAnalysis.h:
2192         * bytecode/BytecodeLivenessAnalysisInlines.h:
2193         (JSC::operandIsAlwaysLive):
2194         (JSC::operandThatIsNotAlwaysLiveIsLive):
2195         (JSC::operandIsLive):
2196         * bytecode/BytecodeUseDef.h:
2197         (JSC::computeUsesForBytecodeOffset):
2198         (JSC::computeDefsForBytecodeOffset):
2199         * bytecode/CodeBlock.cpp:
2200         (JSC::CodeBlock::dumpBytecode):
2201         (JSC::CodeBlock::CodeBlock):
2202         (JSC::CodeBlock::nameForRegister):
2203         (JSC::CodeBlock::validate):
2204         (JSC::CodeBlock::isCaptured): Deleted.
2205         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
2206         (JSC::CodeBlock::machineSlowArguments): Deleted.
2207         * bytecode/CodeBlock.h:
2208         (JSC::unmodifiedArgumentsRegister): Deleted.
2209         (JSC::CodeBlock::setArgumentsRegister): Deleted.
2210         (JSC::CodeBlock::argumentsRegister): Deleted.
2211         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
2212         (JSC::CodeBlock::usesArguments): Deleted.
2213         (JSC::CodeBlock::captureCount): Deleted.
2214         (JSC::CodeBlock::captureStart): Deleted.
2215         (JSC::CodeBlock::captureEnd): Deleted.
2216         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
2217         (JSC::CodeBlock::hasSlowArguments): Deleted.
2218         (JSC::ExecState::argumentAfterCapture): Deleted.
2219         * bytecode/CodeOrigin.h:
2220         * bytecode/DataFormat.h:
2221         (JSC::dataFormatToString):
2222         * bytecode/FullBytecodeLiveness.h:
2223         (JSC::FullBytecodeLiveness::getLiveness):
2224         (JSC::FullBytecodeLiveness::operandIsLive):
2225         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
2226         (JSC::FullBytecodeLiveness::getOut): Deleted.
2227         * bytecode/Instruction.h:
2228         (JSC::Instruction::Instruction):
2229         * bytecode/Operands.h:
2230         (JSC::Operands::virtualRegisterForIndex):
2231         * bytecode/SpeculatedType.cpp:
2232         (JSC::dumpSpeculation):
2233         (JSC::speculationToAbbreviatedString):
2234         (JSC::speculationFromClassInfo):
2235         * bytecode/SpeculatedType.h:
2236         (JSC::isDirectArgumentsSpeculation):
2237         (JSC::isScopedArgumentsSpeculation):
2238         (JSC::isActionableMutableArraySpeculation):
2239         (JSC::isActionableArraySpeculation):
2240         (JSC::isArgumentsSpeculation): Deleted.
2241         * bytecode/UnlinkedCodeBlock.cpp:
2242         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2243         * bytecode/UnlinkedCodeBlock.h:
2244         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
2245         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
2246         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
2247         * bytecode/ValueRecovery.cpp:
2248         (JSC::ValueRecovery::dumpInContext):
2249         * bytecode/ValueRecovery.h:
2250         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
2251         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
2252         (JSC::ValueRecovery::nodeID):
2253         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
2254         * bytecode/VirtualRegister.h:
2255         (JSC::VirtualRegister::operator==):
2256         (JSC::VirtualRegister::operator!=):
2257         (JSC::VirtualRegister::operator<):
2258         (JSC::VirtualRegister::operator>):
2259         (JSC::VirtualRegister::operator<=):
2260         (JSC::VirtualRegister::operator>=):
2261         * bytecompiler/BytecodeGenerator.cpp:
2262         (JSC::BytecodeGenerator::generate):
2263         (JSC::BytecodeGenerator::BytecodeGenerator):
2264         (JSC::BytecodeGenerator::initializeNextParameter):
2265         (JSC::BytecodeGenerator::visibleNameForParameter):
2266         (JSC::BytecodeGenerator::emitMove):
2267         (JSC::BytecodeGenerator::variable):
2268         (JSC::BytecodeGenerator::createVariable):
2269         (JSC::BytecodeGenerator::emitResolveScope):
2270         (JSC::BytecodeGenerator::emitGetFromScope):
2271         (JSC::BytecodeGenerator::emitPutToScope):
2272         (JSC::BytecodeGenerator::initializeVariable):
2273         (JSC::BytecodeGenerator::emitInstanceOf):
2274         (JSC::BytecodeGenerator::emitNewFunction):
2275         (JSC::BytecodeGenerator::emitNewFunctionInternal):
2276         (JSC::BytecodeGenerator::emitCall):
2277         (JSC::BytecodeGenerator::emitReturn):
2278         (JSC::BytecodeGenerator::emitConstruct):
2279         (JSC::BytecodeGenerator::isArgumentNumber):
2280         (JSC::BytecodeGenerator::emitEnumeration):
2281         (JSC::BytecodeGenerator::addVar): Deleted.
2282         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
2283         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
2284         (JSC::BytecodeGenerator::resolveCallee): Deleted.
2285         (JSC::BytecodeGenerator::addCallee): Deleted.
2286         (JSC::BytecodeGenerator::addParameter): Deleted.
2287         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
2288         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
2289         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
2290         (JSC::BytecodeGenerator::isCaptured): Deleted.
2291         (JSC::BytecodeGenerator::local): Deleted.
2292         (JSC::BytecodeGenerator::constLocal): Deleted.
2293         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
2294         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
2295         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
2296         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
2297         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
2298         * bytecompiler/BytecodeGenerator.h:
2299         (JSC::Variable::Variable):
2300         (JSC::Variable::isResolved):
2301         (JSC::Variable::ident):
2302         (JSC::Variable::offset):
2303         (JSC::Variable::isLocal):
2304         (JSC::Variable::local):
2305         (JSC::Variable::isSpecial):
2306         (JSC::BytecodeGenerator::argumentsRegister):
2307         (JSC::BytecodeGenerator::emitNode):
2308         (JSC::BytecodeGenerator::registerFor):
2309         (JSC::Local::Local): Deleted.
2310         (JSC::Local::operator bool): Deleted.
2311         (JSC::Local::get): Deleted.
2312         (JSC::Local::isSpecial): Deleted.
2313         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
2314         (JSC::ResolveScopeInfo::isLocal): Deleted.
2315         (JSC::ResolveScopeInfo::localIndex): Deleted.
2316         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
2317         (JSC::BytecodeGenerator::captureMode): Deleted.
2318         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
2319         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
2320         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
2321         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
2322         * bytecompiler/NodesCodegen.cpp:
2323         (JSC::ResolveNode::isPure):
2324         (JSC::ResolveNode::emitBytecode):
2325         (JSC::BracketAccessorNode::emitBytecode):
2326         (JSC::DotAccessorNode::emitBytecode):
2327         (JSC::EvalFunctionCallNode::emitBytecode):
2328         (JSC::FunctionCallResolveNode::emitBytecode):
2329         (JSC::CallFunctionCallDotNode::emitBytecode):
2330         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2331         (JSC::PostfixNode::emitResolve):
2332         (JSC::DeleteResolveNode::emitBytecode):
2333         (JSC::TypeOfResolveNode::emitBytecode):
2334         (JSC::PrefixNode::emitResolve):
2335         (JSC::ReadModifyResolveNode::emitBytecode):
2336         (JSC::AssignResolveNode::emitBytecode):
2337         (JSC::ConstDeclNode::emitCodeSingle):
2338         (JSC::EmptyVarExpression::emitBytecode):
2339         (JSC::ForInNode::tryGetBoundLocal):
2340         (JSC::ForInNode::emitLoopHeader):
2341         (JSC::ForOfNode::emitBytecode):
2342         (JSC::ArrayPatternNode::emitDirectBinding):
2343         (JSC::BindingNode::bindValue):
2344         (JSC::getArgumentByVal): Deleted.
2345         * dfg/DFGAbstractHeap.h:
2346         * dfg/DFGAbstractInterpreter.h:
2347         * dfg/DFGAbstractInterpreterInlines.h:
2348         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2349         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
2350         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
2351         * dfg/DFGAbstractValue.h:
2352         * dfg/DFGArgumentPosition.h:
2353         (JSC::DFG::ArgumentPosition::addVariable):
2354         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
2355         (JSC::DFG::performArgumentsElimination):
2356         * dfg/DFGArgumentsEliminationPhase.h: Added.
2357         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
2358         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
2359         * dfg/DFGArgumentsUtilities.cpp: Added.
2360         (JSC::DFG::argumentsInvolveStackSlot):
2361         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2362         * dfg/DFGArgumentsUtilities.h: Added.
2363         * dfg/DFGArrayMode.cpp:
2364         (JSC::DFG::ArrayMode::refine):
2365         (JSC::DFG::ArrayMode::alreadyChecked):
2366         (JSC::DFG::arrayTypeToString):
2367         * dfg/DFGArrayMode.h:
2368         (JSC::DFG::ArrayMode::canCSEStorage):
2369         (JSC::DFG::ArrayMode::modeForPut):
2370         * dfg/DFGAvailabilityMap.cpp:
2371         (JSC::DFG::AvailabilityMap::prune):
2372         * dfg/DFGAvailabilityMap.h:
2373         (JSC::DFG::AvailabilityMap::closeOverNodes):
2374         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
2375         * dfg/DFGBackwardsPropagationPhase.cpp:
2376         (JSC::DFG::BackwardsPropagationPhase::propagate):
2377         * dfg/DFGByteCodeParser.cpp:
2378         (JSC::DFG::ByteCodeParser::newVariableAccessData):
2379         (JSC::DFG::ByteCodeParser::getLocal):
2380         (JSC::DFG::ByteCodeParser::setLocal):
2381         (JSC::DFG::ByteCodeParser::getArgument):
2382         (JSC::DFG::ByteCodeParser::setArgument):
2383         (JSC::DFG::ByteCodeParser::flushDirect):
2384         (JSC::DFG::ByteCodeParser::flush):
2385         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
2386         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2387         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2388         (JSC::DFG::ByteCodeParser::handleInlining):
2389         (JSC::DFG::ByteCodeParser::parseBlock):
2390         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2391         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2392         * dfg/DFGCPSRethreadingPhase.cpp:
2393         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
2394         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
2395         * dfg/DFGCSEPhase.cpp:
2396         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
2397         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
2398         * dfg/DFGCapabilities.cpp:
2399         (JSC::DFG::isSupportedForInlining):
2400         (JSC::DFG::capabilityLevel):
2401         * dfg/DFGClobberize.h:
2402         (JSC::DFG::clobberize):
2403         * dfg/DFGCommon.h:
2404         * dfg/DFGCommonData.h:
2405         (JSC::DFG::CommonData::CommonData):
2406         * dfg/DFGConstantFoldingPhase.cpp:
2407         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2408         * dfg/DFGDCEPhase.cpp:
2409         (JSC::DFG::DCEPhase::cleanVariables):
2410         * dfg/DFGDisassembler.h:
2411         * dfg/DFGDoesGC.cpp:
2412         (JSC::DFG::doesGC):
2413         * dfg/DFGFixupPhase.cpp:
2414         (JSC::DFG::FixupPhase::fixupNode):
2415         * dfg/DFGFlushFormat.cpp:
2416         (WTF::printInternal):
2417         * dfg/DFGFlushFormat.h:
2418         (JSC::DFG::resultFor):
2419         (JSC::DFG::useKindFor):
2420         (JSC::DFG::dataFormatFor):
2421         * dfg/DFGForAllKills.h: Added.
2422         (JSC::DFG::forAllLiveNodesAtTail):
2423         (JSC::DFG::forAllDirectlyKilledOperands):
2424         (JSC::DFG::forAllKilledOperands):
2425         (JSC::DFG::forAllKilledNodesAtNodeIndex):
2426         (JSC::DFG::forAllKillsInBlock):
2427         * dfg/DFGGraph.cpp:
2428         (JSC::DFG::Graph::Graph):
2429         (JSC::DFG::Graph::dump):
2430         (JSC::DFG::Graph::substituteGetLocal):
2431         (JSC::DFG::Graph::livenessFor):
2432         (JSC::DFG::Graph::killsFor):
2433         (JSC::DFG::Graph::tryGetConstantClosureVar):
2434         (JSC::DFG::Graph::tryGetRegisters): Deleted.
2435         * dfg/DFGGraph.h:
2436         (JSC::DFG::Graph::symbolTableFor):
2437         (JSC::DFG::Graph::uses):
2438         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
2439         (JSC::DFG::Graph::capturedVarsFor): Deleted.
2440         (JSC::DFG::Graph::usesArguments): Deleted.
2441         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
2442         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
2443         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
2444         * dfg/DFGHeapLocation.cpp:
2445         (WTF::printInternal):
2446         * dfg/DFGHeapLocation.h:
2447         * dfg/DFGInPlaceAbstractState.cpp:
2448         (JSC::DFG::InPlaceAbstractState::initialize):
2449         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2450         * dfg/DFGJITCompiler.cpp:
2451         (JSC::DFG::JITCompiler::link):
2452         * dfg/DFGMayExit.cpp:
2453         (JSC::DFG::mayExit):
2454         * dfg/DFGMinifiedID.h:
2455         * dfg/DFGMinifiedNode.cpp:
2456         (JSC::DFG::MinifiedNode::fromNode):
2457         * dfg/DFGMinifiedNode.h:
2458         (JSC::DFG::belongsInMinifiedGraph):
2459         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
2460         (JSC::DFG::MinifiedNode::inlineCallFrame):
2461         * dfg/DFGNode.cpp:
2462         (JSC::DFG::Node::convertToIdentityOn):
2463         * dfg/DFGNode.h:
2464         (JSC::DFG::Node::hasConstant):
2465         (JSC::DFG::Node::constant):
2466         (JSC::DFG::Node::hasScopeOffset):
2467         (JSC::DFG::Node::scopeOffset):
2468         (JSC::DFG::Node::hasDirectArgumentsOffset):
2469         (JSC::DFG::Node::capturedArgumentsOffset):
2470         (JSC::DFG::Node::variablePointer):
2471         (JSC::DFG::Node::hasCallVarargsData):
2472         (JSC::DFG::Node::hasLoadVarargsData):
2473         (JSC::DFG::Node::hasHeapPrediction):
2474         (JSC::DFG::Node::hasCellOperand):
2475         (JSC::DFG::Node::objectMaterializationData):
2476         (JSC::DFG::Node::isPhantomAllocation):
2477         (JSC::DFG::Node::willHaveCodeGenOrOSR):
2478         (JSC::DFG::Node::shouldSpeculateDirectArguments):
2479         (JSC::DFG::Node::shouldSpeculateScopedArguments):
2480         (JSC::DFG::Node::isPhantomArguments): Deleted.
2481         (JSC::DFG::Node::hasVarNumber): Deleted.
2482         (JSC::DFG::Node::varNumber): Deleted.
2483         (JSC::DFG::Node::registerPointer): Deleted.
2484         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
2485         * dfg/DFGNodeType.h:
2486         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2487         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2488         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2489         * dfg/DFGOSRExitCompiler.cpp:
2490         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
2491         * dfg/DFGOSRExitCompiler.h:
2492         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
2493         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
2494         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
2495         * dfg/DFGOSRExitCompiler32_64.cpp:
2496         (JSC::DFG::OSRExitCompiler::compileExit):
2497         * dfg/DFGOSRExitCompiler64.cpp:
2498         (JSC::DFG::OSRExitCompiler::compileExit):
2499         * dfg/DFGOSRExitCompilerCommon.cpp:
2500         (JSC::DFG::reifyInlinedCallFrames):
2501         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
2502         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
2503         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
2504         * dfg/DFGOSRExitCompilerCommon.h:
2505         * dfg/DFGOperations.cpp:
2506         * dfg/DFGOperations.h:
2507         * dfg/DFGPlan.cpp:
2508         (JSC::DFG::Plan::compileInThreadImpl):
2509         * dfg/DFGPreciseLocalClobberize.h:
2510         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
2511         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
2512         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
2513         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2514         (JSC::DFG::preciseLocalClobberize):
2515         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
2516         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
2517         * dfg/DFGPredictionPropagationPhase.cpp:
2518         (JSC::DFG::PredictionPropagationPhase::run):
2519         (JSC::DFG::PredictionPropagationPhase::propagate):
2520         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2521         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
2522         * dfg/DFGPromoteHeapAccess.h:
2523         (JSC::DFG::promoteHeapAccess):
2524         * dfg/DFGPromotedHeapLocation.cpp:
2525         (WTF::printInternal):
2526         * dfg/DFGPromotedHeapLocation.h:
2527         * dfg/DFGSSAConversionPhase.cpp:
2528         (JSC::DFG::SSAConversionPhase::run):
2529         * dfg/DFGSafeToExecute.h:
2530         (JSC::DFG::safeToExecute):
2531         * dfg/DFGSpeculativeJIT.cpp:
2532         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2533         (JSC::DFG::SpeculativeJIT::emitGetLength):
2534         (JSC::DFG::SpeculativeJIT::emitGetCallee):
2535         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
2536         (JSC::DFG::SpeculativeJIT::checkArray):
2537         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2538         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2539         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2540         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2541         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
2542         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2543         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2544         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
2545         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
2546         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
2547         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
2548         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
2549         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
2550         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
2551         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
2552         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
2553         * dfg/DFGSpeculativeJIT.h:
2554         (JSC::DFG::SpeculativeJIT::callOperation):
2555         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
2556         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2557         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
2558         * dfg/DFGSpeculativeJIT32_64.cpp:
2559         (JSC::DFG::SpeculativeJIT::emitCall):
2560         (JSC::DFG::SpeculativeJIT::compile):
2561         * dfg/DFGSpeculativeJIT64.cpp:
2562         (JSC::DFG::SpeculativeJIT::emitCall):
2563         (JSC::DFG::SpeculativeJIT::compile):
2564         * dfg/DFGStackLayoutPhase.cpp:
2565         (JSC::DFG::StackLayoutPhase::run):
2566         * dfg/DFGStrengthReductionPhase.cpp:
2567         (JSC::DFG::StrengthReductionPhase::handleNode):
2568         * dfg/DFGStructureRegistrationPhase.cpp:
2569         (JSC::DFG::StructureRegistrationPhase::run):
2570         * dfg/DFGUnificationPhase.cpp:
2571         (JSC::DFG::UnificationPhase::run):
2572         * dfg/DFGValidate.cpp:
2573         (JSC::DFG::Validate::validateCPS):
2574         * dfg/DFGValueSource.cpp:
2575         (JSC::DFG::ValueSource::dump):
2576         * dfg/DFGValueSource.h:
2577         (JSC::DFG::dataFormatToValueSourceKind):
2578         (JSC::DFG::valueSourceKindToDataFormat):
2579         (JSC::DFG::ValueSource::ValueSource):
2580         (JSC::DFG::ValueSource::forFlushFormat):
2581         (JSC::DFG::ValueSource::valueRecovery):
2582         * dfg/DFGVarargsForwardingPhase.cpp: Added.
2583         (JSC::DFG::performVarargsForwarding):
2584         * dfg/DFGVarargsForwardingPhase.h: Added.
2585         * dfg/DFGVariableAccessData.cpp:
2586         (JSC::DFG::VariableAccessData::VariableAccessData):
2587         (JSC::DFG::VariableAccessData::flushFormat):
2588         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
2589         * dfg/DFGVariableAccessData.h:
2590         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
2591         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
2592         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
2593         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
2594         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
2595         * dfg/DFGVariableAccessDataDump.cpp:
2596         (JSC::DFG::VariableAccessDataDump::dump):
2597         * dfg/DFGVariableAccessDataDump.h:
2598         * dfg/DFGVariableEventStream.cpp:
2599         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2600         * dfg/DFGVariableEventStream.h:
2601         * ftl/FTLAbstractHeap.cpp:
2602         (JSC::FTL::AbstractHeap::dump):
2603         (JSC::FTL::AbstractField::dump):
2604         (JSC::FTL::IndexedAbstractHeap::dump):
2605         (JSC::FTL::NumberedAbstractHeap::dump):
2606         (JSC::FTL::AbsoluteAbstractHeap::dump):
2607         * ftl/FTLAbstractHeap.h:
2608         * ftl/FTLAbstractHeapRepository.cpp:
2609         * ftl/FTLAbstractHeapRepository.h:
2610         * ftl/FTLCapabilities.cpp:
2611         (JSC::FTL::canCompile):
2612         * ftl/FTLCompile.cpp:
2613         (JSC::FTL::mmAllocateDataSection):
2614         * ftl/FTLExitArgument.cpp:
2615         (JSC::FTL::ExitArgument::dump):
2616         * ftl/FTLExitPropertyValue.cpp:
2617         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
2618         * ftl/FTLExitPropertyValue.h:
2619         * ftl/FTLExitTimeObjectMaterialization.cpp:
2620         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
2621         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
2622         * ftl/FTLExitTimeObjectMaterialization.h:
2623         (JSC::FTL::ExitTimeObjectMaterialization::origin):
2624         * ftl/FTLExitValue.cpp:
2625         (JSC::FTL::ExitValue::withLocalsOffset):
2626         (JSC::FTL::ExitValue::valueFormat):
2627         (JSC::FTL::ExitValue::dumpInContext):
2628         * ftl/FTLExitValue.h:
2629         (JSC::FTL::ExitValue::isArgument):
2630         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
2631         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
2632         (JSC::FTL::ExitValue::valueFormat): Deleted.
2633         * ftl/FTLInlineCacheSize.cpp:
2634         (JSC::FTL::sizeOfCallForwardVarargs):
2635         (JSC::FTL::sizeOfConstructForwardVarargs):
2636         (JSC::FTL::sizeOfICFor):
2637         * ftl/FTLInlineCacheSize.h:
2638         * ftl/FTLIntrinsicRepository.h:
2639         * ftl/FTLJSCallVarargs.cpp:
2640         (JSC::FTL::JSCallVarargs::JSCallVarargs):
2641         (JSC::FTL::JSCallVarargs::emit):
2642         * ftl/FTLJSCallVarargs.h:
2643         * ftl/FTLLowerDFGToLLVM.cpp:
2644         (JSC::FTL::LowerDFGToLLVM::lower):
2645         (JSC::FTL::LowerDFGToLLVM::compileNode):
2646         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
2647         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
2648         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2649         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2650         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2651         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2652         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2653         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
2654         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
2655         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
2656         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
2657         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
2658         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
2659         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
2660         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
2661         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
2662         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
2663         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
2664         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
2665         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
2666         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
2667         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
2668         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
2669         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
2670         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
2671         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
2672         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
2673         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
2674         (JSC::FTL::LowerDFGToLLVM::baseIndex):
2675         (JSC::FTL::LowerDFGToLLVM::allocateObject):
2676         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
2677         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2678         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2679         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2680         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
2681         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2682         (JSC::FTL::LowerDFGToLLVM::loadStructure):
2683         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
2684         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
2685         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
2686         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
2687         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
2688         * ftl/FTLOSRExitCompiler.cpp:
2689         (JSC::FTL::compileRecovery):
2690         (JSC::FTL::compileStub):
2691         * ftl/FTLOperations.cpp:
2692         (JSC::FTL::operationMaterializeObjectInOSR):
2693         * ftl/FTLOutput.h:
2694         (JSC::FTL::Output::aShr):
2695         (JSC::FTL::Output::lShr):
2696         (JSC::FTL::Output::zeroExtPtr):
2697         * heap/CopyToken.h:
2698         * interpreter/CallFrame.h:
2699         (JSC::ExecState::getArgumentUnsafe):
2700         * interpreter/Interpreter.cpp:
2701         (JSC::sizeOfVarargs):
2702         (JSC::sizeFrameForVarargs):
2703         (JSC::loadVarargs):
2704         (JSC::unwindCallFrame):
2705         * interpreter/Interpreter.h:
2706         * interpreter/StackVisitor.cpp:
2707         (JSC::StackVisitor::Frame::createArguments):
2708         (JSC::StackVisitor::Frame::existingArguments): Deleted.
2709         * interpreter/StackVisitor.h:
2710         * jit/AssemblyHelpers.h:
2711         (JSC::AssemblyHelpers::storeValue):
2712         (JSC::AssemblyHelpers::loadValue):
2713         (JSC::AssemblyHelpers::storeTrustedValue):
2714         (JSC::AssemblyHelpers::branchIfNotCell):
2715         (JSC::AssemblyHelpers::branchIsEmpty):
2716         (JSC::AssemblyHelpers::argumentsStart):
2717         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
2718         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
2719         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
2720         * jit/CCallHelpers.h:
2721         (JSC::CCallHelpers::setupArgument):
2722         * jit/GPRInfo.h:
2723         (JSC::JSValueRegs::withTwoAvailableRegs):
2724         * jit/JIT.cpp:
2725         (JSC::JIT::privateCompileMainPass):
2726         (JSC::JIT::privateCompileSlowCases):
2727         * jit/JIT.h:
2728         * jit/JITCall.cpp:
2729         (JSC::JIT::compileSetupVarargsFrame):
2730         * jit/JITCall32_64.cpp:
2731         (JSC::JIT::compileSetupVarargsFrame):
2732         * jit/JITInlines.h:
2733         (JSC::JIT::callOperation):
2734         * jit/JITOpcodes.cpp:
2735         (JSC::JIT::emit_op_create_lexical_environment):
2736         (JSC::JIT::emit_op_new_func):
2737         (JSC::JIT::emit_op_create_direct_arguments):
2738         (JSC::JIT::emit_op_create_scoped_arguments):
2739         (JSC::JIT::emit_op_create_out_of_band_arguments):
2740         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
2741         (JSC::JIT::emit_op_create_arguments): Deleted.
2742         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
2743         (JSC::JIT::emit_op_get_arguments_length): Deleted.
2744         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
2745         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
2746         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
2747         * jit/JITOpcodes32_64.cpp:
2748         (JSC::JIT::emit_op_create_lexical_environment):
2749         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
2750         (JSC::JIT::emit_op_create_arguments): Deleted.
2751         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
2752         (JSC::JIT::emit_op_get_arguments_length): Deleted.
2753         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
2754         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
2755         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
2756         * jit/JITOperations.cpp:
2757         * jit/JITOperations.h:
2758         * jit/JITPropertyAccess.cpp:
2759         (JSC::JIT::emitGetClosureVar):
2760         (JSC::JIT::emitPutClosureVar):
2761         (JSC::JIT::emit_op_get_from_arguments):
2762         (JSC::JIT::emit_op_put_to_arguments):
2763         (JSC::JIT::emit_op_init_global_const):
2764         (JSC::JIT::privateCompileGetByVal):
2765         (JSC::JIT::emitDirectArgumentsGetByVal):
2766         (JSC::JIT::emitScopedArgumentsGetByVal):
2767         * jit/JITPropertyAccess32_64.cpp:
2768         (JSC::JIT::emitGetClosureVar):
2769         (JSC::JIT::emitPutClosureVar):
2770         (JSC::JIT::emit_op_get_from_arguments):
2771         (JSC::JIT::emit_op_put_to_arguments):
2772         (JSC::JIT::emit_op_init_global_const):
2773         * jit/SetupVarargsFrame.cpp:
2774         (JSC::emitSetupVarargsFrameFastCase):
2775         * llint/LLIntOffsetsExtractor.cpp:
2776         * llint/LLIntSlowPaths.cpp:
2777         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2778         * llint/LowLevelInterpreter.asm:
2779         * llint/LowLevelInterpreter32_64.asm:
2780         * llint/LowLevelInterpreter64.asm:
2781         * parser/Nodes.h:
2782         (JSC::ScopeNode::captures):
2783         * runtime/Arguments.cpp: Removed.
2784         * runtime/Arguments.h: Removed.
2785         * runtime/ArgumentsMode.h: Added.
2786         * runtime/DirectArgumentsOffset.cpp: Added.
2787         (JSC::DirectArgumentsOffset::dump):
2788         * runtime/DirectArgumentsOffset.h: Added.
2789         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
2790         * runtime/CommonSlowPaths.cpp:
2791         (JSC::SLOW_PATH_DECL):
2792         * runtime/CommonSlowPaths.h:
2793         * runtime/ConstantMode.cpp: Added.
2794         (WTF::printInternal):
2795         * runtime/ConstantMode.h:
2796         (JSC::modeForIsConstant):
2797         * runtime/DirectArguments.cpp: Added.
2798         (JSC::DirectArguments::DirectArguments):
2799         (JSC::DirectArguments::createUninitialized):
2800         (JSC::DirectArguments::create):
2801         (JSC::DirectArguments::createByCopying):
2802         (JSC::DirectArguments::visitChildren):
2803         (JSC::DirectArguments::copyBackingStore):
2804         (JSC::DirectArguments::createStructure):
2805         (JSC::DirectArguments::overrideThings):
2806         (JSC::DirectArguments::overrideThingsIfNecessary):
2807         (JSC::DirectArguments::overrideArgument):
2808         (JSC::DirectArguments::copyToArguments):
2809         (JSC::DirectArguments::overridesSize):
2810         * runtime/DirectArguments.h: Added.
2811         (JSC::DirectArguments::internalLength):
2812         (JSC::DirectArguments::length):
2813         (JSC::DirectArguments::canAccessIndexQuickly):
2814         (JSC::DirectArguments::getIndexQuickly):
2815         (JSC::DirectArguments::setIndexQuickly):
2816         (JSC::DirectArguments::callee):
2817         (JSC::DirectArguments::argument):
2818         (JSC::DirectArguments::overrodeThings):
2819         (JSC::DirectArguments::offsetOfCallee):
2820         (JSC::DirectArguments::offsetOfLength):
2821         (JSC::DirectArguments::offsetOfMinCapacity):
2822         (JSC::DirectArguments::offsetOfOverrides):
2823         (JSC::DirectArguments::storageOffset):
2824         (JSC::DirectArguments::offsetOfSlot):
2825         (JSC::DirectArguments::allocationSize):
2826         (JSC::DirectArguments::storage):
2827         * runtime/FunctionPrototype.cpp:
2828         * runtime/GenericArguments.h: Added.
2829         (JSC::GenericArguments::GenericArguments):
2830         * runtime/GenericArgumentsInlines.h: Added.
2831         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2832         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2833         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2834         (JSC::GenericArguments<Type>::put):
2835         (JSC::GenericArguments<Type>::putByIndex):
2836         (JSC::GenericArguments<Type>::deleteProperty):
2837         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2838         (JSC::GenericArguments<Type>::defineOwnProperty):
2839         (JSC::GenericArguments<Type>::copyToArguments):
2840         * runtime/GenericOffset.h: Added.
2841         (JSC::GenericOffset::GenericOffset):
2842         (JSC::GenericOffset::operator!):
2843         (JSC::GenericOffset::offsetUnchecked):
2844         (JSC::GenericOffset::offset):
2845         (JSC::GenericOffset::operator==):
2846         (JSC::GenericOffset::operator!=):
2847         (JSC::GenericOffset::operator<):
2848         (JSC::GenericOffset::operator>):
2849         (JSC::GenericOffset::operator<=):
2850         (JSC::GenericOffset::operator>=):
2851         (JSC::GenericOffset::operator+):
2852         (JSC::GenericOffset::operator-):
2853         (JSC::GenericOffset::operator+=):
2854         (JSC::GenericOffset::operator-=):
2855         * runtime/JSArgumentsIterator.cpp:
2856         (JSC::JSArgumentsIterator::finishCreation):
2857         (JSC::argumentsFuncIterator):
2858         * runtime/JSArgumentsIterator.h:
2859         (JSC::JSArgumentsIterator::create):
2860         (JSC::JSArgumentsIterator::next):
2861         * runtime/JSEnvironmentRecord.cpp:
2862         (JSC::JSEnvironmentRecord::visitChildren):
2863         * runtime/JSEnvironmentRecord.h:
2864         (JSC::JSEnvironmentRecord::variables):
2865         (JSC::JSEnvironmentRecord::isValid):
2866         (JSC::JSEnvironmentRecord::variableAt):
2867         (JSC::JSEnvironmentRecord::offsetOfVariables):
2868         (JSC::JSEnvironmentRecord::offsetOfVariable):
2869         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
2870         (JSC::JSEnvironmentRecord::allocationSize):
2871         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
2872         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
2873         (JSC::JSEnvironmentRecord::finishCreation):
2874         (JSC::JSEnvironmentRecord::registers): Deleted.
2875         (JSC::JSEnvironmentRecord::registerAt): Deleted.
2876         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
2877         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
2878         * runtime/JSFunction.cpp:
2879         * runtime/JSGlobalObject.cpp:
2880         (JSC::JSGlobalObject::init):
2881         (JSC::JSGlobalObject::addGlobalVar):
2882         (JSC::JSGlobalObject::addFunction):
2883         (JSC::JSGlobalObject::visitChildren):
2884         (JSC::JSGlobalObject::addStaticGlobals):
2885         * runtime/JSGlobalObject.h:
2886         (JSC::JSGlobalObject::directArgumentsStructure):
2887         (JSC::JSGlobalObject::scopedArgumentsStructure):
2888         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
2889         (JSC::JSGlobalObject::argumentsStructure): Deleted.
2890         * runtime/JSLexicalEnvironment.cpp:
2891         (JSC::JSLexicalEnvironment::symbolTableGet):
2892         (JSC::JSLexicalEnvironment::symbolTablePut):
2893         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2894         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2895         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
2896         * runtime/JSLexicalEnvironment.h:
2897         (JSC::JSLexicalEnvironment::create):
2898         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2899         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
2900         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
2901         (JSC::JSLexicalEnvironment::storage): Deleted.
2902         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
2903         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
2904         (JSC::JSLexicalEnvironment::isValid): Deleted.
2905         (JSC::JSLexicalEnvironment::registerAt): Deleted.
2906         * runtime/JSNameScope.cpp:
2907         (JSC::JSNameScope::visitChildren): Deleted.
2908         * runtime/JSNameScope.h:
2909         (JSC::JSNameScope::create):
2910         (JSC::JSNameScope::value):
2911         (JSC::JSNameScope::finishCreation):
2912         (JSC::JSNameScope::JSNameScope):
2913         * runtime/JSScope.cpp:
2914         (JSC::abstractAccess):
2915         * runtime/JSSegmentedVariableObject.cpp:
2916         (JSC::JSSegmentedVariableObject::findVariableIndex):
2917         (JSC::JSSegmentedVariableObject::addVariables):
2918         (JSC::JSSegmentedVariableObject::visitChildren):
2919         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
2920         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
2921         * runtime/JSSegmentedVariableObject.h:
2922         (JSC::JSSegmentedVariableObject::variableAt):
2923         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
2924         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
2925         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
2926         * runtime/JSSymbolTableObject.h:
2927         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
2928         (JSC::symbolTableGet):
2929         (JSC::symbolTablePut):
2930         (JSC::symbolTablePutWithAttributes):
2931         * runtime/JSType.h:
2932         * runtime/Options.h:
2933         * runtime/ClonedArguments.cpp: Added.
2934         (JSC::ClonedArguments::ClonedArguments):
2935         (JSC::ClonedArguments::createEmpty):
2936         (JSC::ClonedArguments::createWithInlineFrame):
2937         (JSC::ClonedArguments::createWithMachineFrame):
2938         (JSC::ClonedArguments::createByCopyingFrom):
2939         (JSC::ClonedArguments::createStructure):
2940         (JSC::ClonedArguments::getOwnPropertySlot):
2941         (JSC::ClonedArguments::getOwnPropertyNames):
2942         (JSC::ClonedArguments::put):
2943         (JSC::ClonedArguments::deleteProperty):
2944         (JSC::ClonedArguments::defineOwnProperty):
2945         (JSC::ClonedArguments::materializeSpecials):
2946         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
2947         * runtime/ClonedArguments.h: Added.
2948         (JSC::ClonedArguments::specialsMaterialized):
2949         * runtime/ScopeOffset.cpp: Added.
2950         (JSC::ScopeOffset::dump):
2951         * runtime/ScopeOffset.h: Added.
2952         (JSC::ScopeOffset::ScopeOffset):
2953         * runtime/ScopedArguments.cpp: Added.
2954         (JSC::ScopedArguments::ScopedArguments):
2955         (JSC::ScopedArguments::finishCreation):
2956         (JSC::ScopedArguments::createUninitialized):
2957         (JSC::ScopedArguments::create):
2958         (JSC::ScopedArguments::createByCopying):
2959         (JSC::ScopedArguments::createByCopyingFrom):
2960         (JSC::ScopedArguments::visitChildren):
2961         (JSC::ScopedArguments::createStructure):
2962         (JSC::ScopedArguments::overrideThings):
2963         (JSC::ScopedArguments::overrideThingsIfNecessary):
2964         (JSC::ScopedArguments::overrideArgument):
2965         (JSC::ScopedArguments::copyToArguments):
2966         * runtime/ScopedArguments.h: Added.
2967         (JSC::ScopedArguments::internalLength):
2968         (JSC::ScopedArguments::length):
2969         (JSC::ScopedArguments::canAccessIndexQuickly):
2970         (JSC::ScopedArguments::getIndexQuickly):
2971         (JSC::ScopedArguments::setIndexQuickly):
2972         (JSC::ScopedArguments::callee):
2973         (JSC::ScopedArguments::overrodeThings):
2974         (JSC::ScopedArguments::offsetOfOverrodeThings):
2975         (JSC::ScopedArguments::offsetOfTotalLength):
2976         (JSC::ScopedArguments::offsetOfTable):
2977         (JSC::ScopedArguments::offsetOfScope):
2978         (JSC::ScopedArguments::overflowStorageOffset):
2979         (JSC::ScopedArguments::allocationSize):
2980         (JSC::ScopedArguments::overflowStorage):
2981         * runtime/ScopedArgumentsTable.cpp: Added.
2982         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
2983         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
2984         (JSC::ScopedArgumentsTable::destroy):
2985         (JSC::ScopedArgumentsTable::create):
2986         (JSC::ScopedArgumentsTable::clone):
2987         (JSC::ScopedArgumentsTable::setLength):
2988         (JSC::ScopedArgumentsTable::set):
2989         (JSC::ScopedArgumentsTable::createStructure):
2990         * runtime/ScopedArgumentsTable.h: Added.
2991         (JSC::ScopedArgumentsTable::length):
2992         (JSC::ScopedArgumentsTable::get):
2993         (JSC::ScopedArgumentsTable::lock):
2994         (JSC::ScopedArgumentsTable::offsetOfLength):
2995         (JSC::ScopedArgumentsTable::offsetOfArguments):
2996         (JSC::ScopedArgumentsTable::at):
2997         * runtime/SymbolTable.cpp:
2998         (JSC::SymbolTableEntry::prepareToWatch):
2999         (JSC::SymbolTable::SymbolTable):
3000         (JSC::SymbolTable::visitChildren):
3001         (JSC::SymbolTable::localToEntry):
3002         (JSC::SymbolTable::entryFor):
3003         (JSC::SymbolTable::cloneScopePart):
3004         (JSC::SymbolTable::prepareForTypeProfiling):
3005         (JSC::SymbolTable::uniqueIDForOffset):
3006         (JSC::SymbolTable::globalTypeSetForOffset):
3007         (JSC::SymbolTable::cloneCapturedNames): Deleted.
3008         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
3009         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
3010         * runtime/SymbolTable.h:
3011         (JSC::SymbolTableEntry::varOffsetFromBits):
3012         (JSC::SymbolTableEntry::scopeOffsetFromBits):
3013         (JSC::SymbolTableEntry::Fast::varOffset):
3014         (JSC::SymbolTableEntry::Fast::scopeOffset):
3015         (JSC::SymbolTableEntry::Fast::isDontEnum):
3016         (JSC::SymbolTableEntry::Fast::getAttributes):
3017         (JSC::SymbolTableEntry::SymbolTableEntry):
3018         (JSC::SymbolTableEntry::varOffset):
3019         (JSC::SymbolTableEntry::isWatchable):
3020         (JSC::SymbolTableEntry::scopeOffset):
3021         (JSC::SymbolTableEntry::setAttributes):
3022         (JSC::SymbolTableEntry::constantMode):
3023         (JSC::SymbolTableEntry::isDontEnum):
3024         (JSC::SymbolTableEntry::disableWatching):
3025         (JSC::SymbolTableEntry::pack):
3026         (JSC::SymbolTableEntry::isValidVarOffset):
3027         (JSC::SymbolTable::createNameScopeTable):
3028         (JSC::SymbolTable::maxScopeOffset):
3029         (JSC::SymbolTable::didUseScopeOffset):
3030         (JSC::SymbolTable::didUseVarOffset):
3031         (JSC::SymbolTable::scopeSize):
3032         (JSC::SymbolTable::nextScopeOffset):
3033         (JSC::SymbolTable::takeNextScopeOffset):
3034         (JSC::SymbolTable::add):
3035         (JSC::SymbolTable::set):
3036         (JSC::SymbolTable::argumentsLength):
3037         (JSC::SymbolTable::setArgumentsLength):
3038         (JSC::SymbolTable::argumentOffset):
3039         (JSC::SymbolTable::setArgumentOffset):
3040         (JSC::SymbolTable::arguments):
3041         (JSC::SlowArgument::SlowArgument): Deleted.
3042         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
3043         (JSC::SymbolTableEntry::getIndex): Deleted.
3044         (JSC::SymbolTableEntry::isValidIndex): Deleted.
3045         (JSC::SymbolTable::captureStart): Deleted.
3046         (JSC::SymbolTable::setCaptureStart): Deleted.
3047         (JSC::SymbolTable::captureEnd): Deleted.
3048         (JSC::SymbolTable::setCaptureEnd): Deleted.
3049         (JSC::SymbolTable::captureCount): Deleted.
3050         (JSC::SymbolTable::isCaptured): Deleted.
3051         (JSC::SymbolTable::parameterCount): Deleted.
3052         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
3053         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
3054         (JSC::SymbolTable::slowArguments): Deleted.
3055         (JSC::SymbolTable::setSlowArguments): Deleted.
3056         * runtime/VM.cpp:
3057         (JSC::VM::VM):
3058         * runtime/VM.h:
3059         * runtime/VarOffset.cpp: Added.
3060         (JSC::VarOffset::dump):
3061         (WTF::printInternal):
3062         * runtime/VarOffset.h: Added.
3063         (JSC::VarOffset::VarOffset):
3064         (JSC::VarOffset::assemble):
3065         (JSC::VarOffset::isValid):
3066         (JSC::VarOffset::operator!):
3067         (JSC::VarOffset::kind):
3068         (JSC::VarOffset::isStack):
3069         (JSC::VarOffset::isScope):
3070         (JSC::VarOffset::isDirectArgument):
3071         (JSC::VarOffset::stackOffsetUnchecked):
3072         (JSC::VarOffset::scopeOffsetUnchecked):
3073         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
3074         (JSC::VarOffset::stackOffset):
3075         (JSC::VarOffset::scopeOffset):
3076         (JSC::VarOffset::capturedArgumentsOffset):
3077         (JSC::VarOffset::rawOffset):
3078         (JSC::VarOffset::checkSanity):
3079         (JSC::VarOffset::operator==):
3080         (JSC::VarOffset::operator!=):
3081         (JSC::VarOffset::hash):
3082         (JSC::VarOffset::isHashTableDeletedValue):
3083         (JSC::VarOffsetHash::hash):
3084         (JSC::VarOffsetHash::equal):
3085         * tests/stress/arguments-exit-strict-mode.js: Added.
3086         * tests/stress/arguments-exit.js: Added.
3087         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
3088         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
3089         * tests/stress/arguments-inlined-exit.js: Added.
3090         * tests/stress/arguments-interference.js: Added.
3091         * tests/stress/arguments-interference-cfg.js: Added.
3092         * tests/stress/dead-get-closure-var.js: Added.
3093         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
3094         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
3095         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
3096         * tests/stress/varargs-closure-inlined-exit.js: Added.
3097         * tests/stress/varargs-exit.js: Added.
3098         * tests/stress/varargs-inlined-exit.js: Added.
3099         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
3100         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
3101         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
3102         * tests/stress/varargs-inlined-simple-exit.js: Added.
3103         * tests/stress/varargs-too-few-arguments.js: Added.
3104         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
3105         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
3106         * tests/stress/varargs-varargs-inlined-exit.js: Added.
3107
3108 2015-03-25  Andy Estes  <aestes@apple.com>
3109
3110         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
3111         https://bugs.webkit.org/show_bug.cgi?id=143068
3112
3113         Reviewed by Dan Bernstein.
3114
3115         * inspector/remote/RemoteInspectorXPCConnection.mm:
3116         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
3117
3118 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3119
3120         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
3121         https://bugs.webkit.org/show_bug.cgi?id=142993
3122
3123         Reviewed by Geoffrey Garen and Mark Lam.
3124         
3125         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
3126         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
3127         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
3128         failure, but also involves adding the same kind of thing to the stub generators in
3129         Repatch.
3130         
3131         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
3132         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
3133         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
3134         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
3135         printout.
3136         
3137         Also add a way of inducing executable allocation failure, so that we can test this.
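        As an added illustration of the policy described above (example code, not JavaScriptCore's own; all names such as FuzzExecutableAllocator, compileFunction, runWorkload and runFuzzCampaign are hypothetical stand-ins), the block below models a JIT tier with the two compilation efforts: under the can-fail effort an executable-memory allocation failure is reported to the caller, who keeps the function in the interpreter, while under the must-succeed effort the failure is turned into an immediate crash with a diagnostic rather than an attempt to free memory from a context that cannot tolerate a GC. It also shows the testing hook the entry mentions, a fault-injection allocator that fails the N-th allocation on demand, driven by a small campaign that fails every allocation in turn and checks that each run completes with exactly one fallback.

```cpp
// Added example, not JavaScriptCore code. Models JITCompilationCanFail vs
// JITCompilationMustSucceed with a fault-injecting executable allocator.
// Every identifier below is a hypothetical stand-in for the engine's own.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <vector>

enum class JITCompilationEffort { CanFail, MustSucceed };

// Executable-memory allocator with a fault-injection hook: the N-th
// allocation check fails when failAtCheck == N (0 disables injection).
class FuzzExecutableAllocator {
public:
    explicit FuzzExecutableAllocator(unsigned failAtCheck = 0) : m_failAt(failAtCheck) {}

    // Returns nullptr on a (real or injected) allocation failure.
    std::shared_ptr<std::vector<uint8_t>> allocate(std::size_t bytes)
    {
        ++m_checks;
        if (m_failAt != 0 && m_checks == m_failAt)
            return nullptr;
        // Fill with 0xCC (x86 int3) so a jump into never-written code traps.
        return std::make_shared<std::vector<uint8_t>>(bytes, 0xCC);
    }
    unsigned checksPerformed() const { return m_checks; }

private:
    unsigned m_failAt;
    unsigned m_checks = 0;
};

enum class CompileResult { Compiled, FellBackToInterpreter };

struct CompileOutcome {
    CompileResult result;
    std::shared_ptr<std::vector<uint8_t>> code; // null when we fell back
};

// One JIT tier. With CanFail the caller gets a clean fallback; with
// MustSucceed the callers cannot tolerate a GC, so releasing executable
// memory is not an option and a loud, diagnosable crash is the safe outcome.
CompileOutcome compileFunction(FuzzExecutableAllocator& allocator, std::size_t codeSize,
                               JITCompilationEffort effort)
{
    auto memory = allocator.allocate(codeSize);
    if (!memory) {
        if (effort == JITCompilationEffort::MustSucceed) {
            std::fprintf(stderr, "FATAL: executable allocation of %zu bytes failed after %u checks\n",
                         codeSize, allocator.checksPerformed());
            std::abort();
        }
        return { CompileResult::FellBackToInterpreter, nullptr };
    }
    return { CompileResult::Compiled, memory };
}

// A constructed workload of three CanFail compilations; returns how many fell back.
unsigned runWorkload(FuzzExecutableAllocator& allocator)
{
    const std::size_t sizes[] = { 64, 128, 256 };
    unsigned fallbacks = 0;
    for (std::size_t size : sizes) {
        if (compileFunction(allocator, size, JITCompilationEffort::CanFail).result
            == CompileResult::FellBackToInterpreter)
            ++fallbacks;
    }
    return fallbacks;
}

// Runs the workload with the N-th allocation check failing; returns fallbacks seen.
unsigned fallbacksWhenFailingAt(unsigned failAt)
{
    FuzzExecutableAllocator faulty(failAt);
    return runWorkload(faulty);
}

// Fuzz campaign: count the allocation checks in a clean run, then re-run the
// workload failing each check in turn. Every run must finish without crashing,
// so the only observable effect is one fallback per injected failure.
unsigned runFuzzCampaign()
{
    FuzzExecutableAllocator clean;
    runWorkload(clean);
    unsigned totalFallbacks = 0;
    for (unsigned failAt = 1; failAt <= clean.checksPerformed(); ++failAt)
        totalFallbacks += fallbacksWhenFailingAt(failAt);
    return totalFallbacks;
}

int main()
{
    std::printf("fallbacks observed across fuzz campaign: %u\n", runFuzzCampaign());
    return 0;
}
```

        The campaign is the part worth copying: an error path that is never exercised is an error path that will be wrong, and forcing each allocation to fail in turn is the cheapest way to prove that every can-fail caller really does have a fallback and that the remaining must-succeed callers are the rare ones.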
3138
3139         * CMakeLists.txt:
3140         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3141         * JavaScriptCore.xcodeproj/project.pbxproj:
3142         * dfg/DFGJITCompiler.cpp:
3143         (JSC::DFG::JITCompiler::compile):
3144         (JSC::DFG::JITCompiler::compileFunction):
3145         (JSC::DFG::JITCompiler::link): Deleted.
3146         (JSC::DFG::JITCompiler::linkFunction): Deleted.
3147         * dfg/DFGJITCompiler.h:
3148         * dfg/DFGPlan.cpp:
3149         (JSC::DFG::Plan::compileInThreadImpl):
3150         * ftl/FTLCompile.cpp:
3151         (JSC::FTL::mmAllocateCodeSection):
3152         (JSC::FTL::mmAllocateDataSection):
3153         * ftl/FTLLink.cpp:
3154         (JSC::FTL::link):
3155         * ftl/FTLState.h:
3156         * jit/ArityCheckFailReturnThunks.cpp:
3157         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
3158         * jit/ExecutableAllocationFuzz.cpp: Added.
3159         (JSC::numberOfExecutableAllocationFuzzChecks):
3160         (JSC::doExecutableAllocationFuzzing):
3161         * jit/ExecutableAllocationFuzz.h: Added.
3162         (JSC::doExecutableAllocationFuzzingIfEnabled):
3163         * jit/ExecutableAllocatorFixedVMPool.cpp:
3164         (JSC::ExecutableAllocator::allocate):
3165         * jit/JIT.cpp:
3166         (JSC::JIT::privateCompile):
3167         * jit/JITCompilationEffort.h:
3168         * jit/Repatch.cpp:
3169         (JSC::generateByIdStub):
3170         (JSC::tryCacheGetByID):
3171         (JSC::tryBuildGetByIDList):
3172         (JSC::emitPutReplaceStub):
3173         (JSC::emitPutTransitionStubAndGetOldStructure):
3174         (JSC::tryCachePutByID):
3175         (JSC::tryBuildPutByIdList):
3176         (JSC::tryRepatchIn):
3177         (JSC::linkPolymorphicCall):
3178         * jsc.cpp:
3179         (jscmain):
3180         * runtime/Options.h:
3181         * runtime/TestRunnerUtils.h:
3182         * runtime/VM.cpp:
3183         * tests/executableAllocationFuzz: Added.
3184         * tests/executableAllocationFuzz.yaml: Added.
3185         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
3186
3187 2015-03-25  Mark Lam  <mark.lam@apple.com>
3188
3189         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
3190         <https://webkit.org/b/135719>
3191
3192         Reviewed by Geoffrey Garen.
3193
3194         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
3195         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
3196         update the LLINT to access it as such.
3197
3198         The issue has only manifested so far on the CLoop tests because those are LLINT
3199         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
3200         hiding the bug in the LLINT.
3201
3202         * API/JSContextRef.cpp:
3203         (createWatchdogIfNeeded):
3204         (JSContextGroupSetExecutionTimeLimit):
3205         (JSContextGroupClearExecutionTimeLimit):
3206         * llint/LowLevelInterpreter.asm:
3207
3208 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3209
3210         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
3211
3212         Rubber stamped by Geoffrey Garen.
3213
3214         * bytecode/CodeBlock.cpp:
3215         (JSC::CodeBlock::visitAggregate):
3216
3217 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
3218
3219         Fix formatting in BuiltinExecutables
3220         https://bugs.webkit.org/show_bug.cgi?id=143061
3221
3222         Reviewed by Ryosuke Niwa.
3223
3224         * builtins/BuiltinExecutables.cpp:
3225         (JSC::BuiltinExecutables::createExecutableInternal):
3226
3227 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
3228
3229         ES6: Classes: Program level class statement throws exception in strict mode
3230         https://bugs.webkit.org/show_bug.cgi?id=143038
3231
3232         Reviewed by Ryosuke Niwa.
3233
3234         Classes expose a name to the current lexical environment. This treats
3235         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
3236         Also, improve error messages for class statements where the class is missing a name.
3237
3238         * parser/Parser.h:
3239         * parser/Parser.cpp:
3240         (JSC::Parser<LexerType>::parseClass):
3241         Fill name in info parameter if needed. Better error message if name is needed and missing.
3242
3243         (JSC::Parser<LexerType>::parseClassDeclaration):
3244         Pass info parameter to get name, and expose the name as a variable name.
3245
3246         (JSC::Parser<LexerType>::parsePrimaryExpression):
3247         Pass info parameter that is ignored.
3248
3249         * parser/ParserFunctionInfo.h:
3250         Add a parser info for class, to extract the name.
3251
3252 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3253
3254         New map and set modification tests in r181922 fails
3255         https://bugs.webkit.org/show_bug.cgi?id=143031
3256
3257         Reviewed and tweaked by Geoffrey Garen.
3258
3259         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
3260         to adjust for the packed backing store.
3261
3262         Consider the following map data.
3263
3264         x: deleted, o: exists
3265         0 1 2 3 4
3266         x x x x o
3267
3268         And iterator with m_index 3.
3269
3270         When packing the map data, map data will become,
3271
3272         0
3273         o
3274
3275         At that time, we perform didRemoveEntry 4 times on iterators.
3276         times => m_index/index/result
3277         1 => 3/0/dec
3278         2 => 2/1/dec
3279         3 => 1/2/nothing
3280         4 => 1/3/nothing
3281
3282         After iteration, the iterator's m_index becomes 1. But we expected it to become 0.
3283         This is because the provided deletedIndex is an index into the old storage,
3284         while the decremented m_index used for comparison is an index into the partially packed storage.
3285
3286         In this patch, we compare against the packed index instead.
3287         times => m_index/packedIndex/result
3288         1 => 3/0/dec
3289         2 => 2/0/dec
3290         3 => 1/0/dec
3291         4 => 0/0/nothing
3292
3293         So m_index becomes 0 as expected.
3294
3295         And according to the spec, once the iterator is closed (becomes done: true),
3296         its internal [[Map]]/[[Set]] is set to undefined.
3297         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
3298
3299         In this patch, we change 2 things.
3300         1.
3301         Compare an iterator's index against the packed index when removing an entry.
3302
3303         2.
3304         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
3305
3306         * runtime/MapData.h:
3307         (JSC::MapDataImpl::IteratorData::finish):
3308         (JSC::MapDataImpl::IteratorData::isFinished):
3309         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
3310         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
3311         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
3312         * runtime/MapDataInlines.h:
3313         (JSC::JSIterator>::replaceAndPackBackingStore):
3314         * tests/stress/modify-map-during-iteration.js:
3315         * tests/stress/modify-set-during-iteration.js:
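
As an added illustration (not code from this patch or from JavaScriptCore's C++), the following JavaScript simulation walks the two didRemoveEntry traces above; the helper names (packBackingStore, simulate, the iterator object) are hypothetical.

```javascript
// Constructed simulation of the iterator adjustment described above;
// it is not JavaScriptCore's C++ and the names are hypothetical.
const DELETED = 'x';           // a removed slot, as in "x x x x o"

function makeIterator(index) {
  return { m_index: index, finished: false };
}

// Pre-patch logic: compare the (already decremented) m_index against
// deletedIndex, which is an index into the OLD, unpacked storage.
function didRemoveEntryOld(it, deletedIndex, packedIndex) {
  if (it.m_index > deletedIndex) it.m_index--;
}

// Patched logic: compare against packedIndex, the slot the surviving
// entries have been compacted down to, and leave closed iterators alone.
function didRemoveEntryNew(it, deletedIndex, packedIndex) {
  if (it.finished) return;
  if (it.m_index > packedIndex) it.m_index--;
}

// Walk the old entries, keep the live ones, and notify every iterator
// once per deleted slot with both the old index and the packed index.
function packBackingStore(entries, iterators, didRemoveEntry) {
  const packed = [];
  entries.forEach((entry, oldIndex) => {
    if (entry === DELETED) {
      for (const it of iterators) didRemoveEntry(it, oldIndex, packed.length);
    } else {
      packed.push(entry);
    }
  });
  return packed;
}

// Reproduce the ChangeLog's trace: slots 0..3 deleted, slot 4 live,
// iterator positioned at m_index 3.
function simulate(didRemoveEntry, finished = false) {
  const entries = [DELETED, DELETED, DELETED, DELETED, 'o'];
  const it = makeIterator(3);
  it.finished = finished;
  const packed = packBackingStore(entries, [it], didRemoveEntry);
  // What the iterator would yield next, or undefined if it ran off the end.
  return { m_index: it.m_index, next: packed[it.m_index] };
}

console.log(simulate(didRemoveEntryOld)); // { m_index: 1, next: undefined }
console.log(simulate(didRemoveEntryNew)); // { m_index: 0, next: 'o' }
```

With the old comparison the iterator ends up past the single surviving entry and silently skips it; with the packed-index comparison it lands on slot 0, and a closed iterator is never moved.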
3316
3317 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
3318
3319         Setter should have a single formal parameter, Getter no parameters
3320         https://bugs.webkit.org/show_bug.cgi?id=142903
3321
3322         Reviewed by Geoffrey Garen.
3323
3324         * parser/Parser.cpp:
3325         (JSC::Parser<LexerType>::parseFunctionInfo):
3326         Enforce no parameters for getters and a single parameter
3327         for setters, with informational error messages.
3328
3329 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
3330
3331         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
3332         https://bugs.webkit.org/show_bug.cgi?id=143012
3333
3334         Reviewed by Ryosuke Niwa.
3335
3336         * bytecompiler/BytecodeGenerator.cpp:
3337         (JSC::BytecodeGenerator::emitReturn):
3338         Fix handling of "undefined" when returned from a Derived class. It was
3339         returning "undefined" when it should have returned "this".
3340
3341 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3342