Make ASan build not depend on asan.xcconfig

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2015-08-11  Alexey Proskuryakov  <ap@apple.com>

        Make ASan build not depend on asan.xcconfig
        https://bugs.webkit.org/show_bug.cgi?id=147840
        rdar://problem/21093702

        Reviewed by Daniel Bates.

        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::OSREntryData::dump):
        (JSC::DFG::prepareOSREntry):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::genericAddSpan):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::removeThreadIfFound):
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::Thread::captureStack):
        (JSC::copyMemory):
        * interpreter/Register.h:
        (JSC::Register::operator=):
        (JSC::Register::asanUnsafeJSValue):
        (JSC::Register::jsValue):

2015-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Introduce get_by_id like IC into get_by_val when the given name is String or Symbol
        https://bugs.webkit.org/show_bug.cgi?id=147480

        Reviewed by Filip Pizlo.

        This patch adds get_by_id IC to get_by_val operation by caching the string / symbol id.
        The IC site only caches one id. After checking that the given id is the same to the
        cached one, we perform the get_by_id IC onto it.
        And by collecting IC StructureStubInfo information, we pass it to the DFG and DFG
        compiles get_by_val op code into CheckIdent (with edge type check) and GetById related
        operations when the given get_by_val leverages the property load with the cached id.

        To ensure the incoming value is the expected id, in DFG layer, we use SymbolUse and
        StringIdentUse to enforce the type. To use it, this patch implements SymbolUse.
        This can be leveraged to optimize symbol operations in DFG.

        And since byValInfo is frequently used, we align the byValInfo design to the stubInfo like one.
        Allocated by the Bag and operations take the raw byValInfo pointer directly instead of performing
        binary search onto m_byValInfos. And by storing ArrayProfile* under the ByValInfo, we replaced the
        argument ArrayProfile* in the operations with ByValInfo*.

        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::getByValInfoMap):
        (JSC::CodeBlock::addByValInfo):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getByValInfo): Deleted.
        (JSC::CodeBlock::setNumberOfByValInfos): Deleted.
        (JSC::CodeBlock::numberOfByValInfos): Deleted.
        (JSC::CodeBlock::byValInfo): Deleted.
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetByIdStatus.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUidOperand):
        (JSC::DFG::Node::uidOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckIdent):
        (JSC::DFG::SpeculativeJIT::speculateSymbol):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckIdent):
        (JSC::FTL::DFG::LowerDFGToLLVM::lowSymbol):
        (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
        (JSC::FTL::DFG::LowerDFGToLLVM::isNotSymbol):
        (JSC::FTL::DFG::LowerDFGToLLVM::speculateSymbol):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::ByValCompilationInfo::ByValCompilationInfo):
        (JSC::JIT::compileGetByValWithCachedId):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * runtime/Symbol.h:
        * tests/stress/get-by-val-with-string-constructor.js: Added.
        (Hello):
        (get Hello.prototype.generate):
        (ok):
        * tests/stress/get-by-val-with-string-exit.js: Added.
        (shouldBe):
        (getByVal):
        (getStr1):
        (getStr2):
        * tests/stress/get-by-val-with-string-generated.js: Added.
        (shouldBe):
        (getByVal):
        (getStr1):
        (getStr2):
        * tests/stress/get-by-val-with-string-getter.js: Added.
        (object.get hello):
        (ok):
        * tests/stress/get-by-val-with-string.js: Added.
        (shouldBe):
        (getByVal):
        (getStr1):
        (getStr2):
        * tests/stress/get-by-val-with-symbol-constructor.js: Added.
        (Hello):
        (get Hello.prototype.generate):
        (ok):
        * tests/stress/get-by-val-with-symbol-exit.js: Added.
        (shouldBe):
        (getByVal):
        (getSym1):
        (getSym2):
        * tests/stress/get-by-val-with-symbol-getter.js: Added.
        (object.get hello):
        (.get ok):
        * tests/stress/get-by-val-with-symbol.js: Added.
        (shouldBe):
        (getByVal):
        (getSym1):
        (getSym2):

2015-08-11  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeParser shouldn't call tryGetConstantProperty() with some StructureSet if it isn't checking that the base has a structure in that StructureSet
        https://bugs.webkit.org/show_bug.cgi?id=147891
        rdar://problem/22129447

        Reviewed by Mark Lam.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetByOffset): Get rid of this.
        (JSC::DFG::ByteCodeParser::load): Don't call the version of handleGetByOffset() that assumes that we had CheckStructure'd some StructureSet, since we may not have CheckStructure'd anything.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::assertIsRegistered): Make this always assert even before the StructureRegistrationPhase.
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run): Add a FIXME that notes that we no longer believe that structures should be registered only at this phase. They should be registered before this phase and this phase should be removed.

2015-08-11  Brent Fulgham  <bfulgham@apple.com>

        [Win] Switch Windows build to Visual Studio 2015
        https://bugs.webkit.org/show_bug.cgi?id=147887
        <rdar://problem/22235098>

        Reviewed by Alex Christensen.

        Update Visual Studio project file settings to use the current Visual
        Studio and compiler. Continue targeting binaries to run on our minimum
        supported configuration of Windows 7.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:

2015-08-10  Filip Pizlo  <fpizlo@apple.com>

        WTF should have a ParkingLot for parking sleeping threads, so that locks can fit in 1.6 bits
        https://bugs.webkit.org/show_bug.cgi?id=147665

        Reviewed by Mark Lam.

        Replace ByteSpinLock with ByteLock.

        * runtime/ConcurrentJITLock.h:

2015-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Numeric setter on prototype doesn't get called.
        https://bugs.webkit.org/show_bug.cgi?id=144252

        Reviewed by Darin Adler.

        When switching the blank indexing type to the other one in putByIndex,
        if the `structure(vm)->needsSlowPutIndexing()` is true, we need to switch
        it to the slow put indexing type and reloop the putByIndex since there may
        be some indexing accessor in the prototype chain. Previously, we just set
        the value into the allocated vector.

        In the putDirectIndex case, we just store the value to the vector.
        This is because putDirectIndex is the operation to store the own property
        and it does not check the accessors in the prototype chain.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndexBeyondVectorLength):
        * tests/stress/injected-numeric-setter-on-prototype.js: Added.
        (shouldBe):
        (Trace):
        (Trace.prototype.trace):
        (Trace.prototype.get count):
        (.):
        * tests/stress/numeric-setter-on-prototype-non-blank-array.js: Added.
        (shouldBe):
        (Trace):
        (Trace.prototype.trace):
        (Trace.prototype.get count):
        (.):
        * tests/stress/numeric-setter-on-prototype.js: Added.
        (shouldBe):
        (Trace):
        (Trace.prototype.trace):
        (Trace.prototype.get count):
        (.z.__proto__.set 3):
        * tests/stress/numeric-setter-on-self.js: Added.
        (shouldBe):
        (Trace):
        (Trace.prototype.trace):
        (Trace.prototype.get count):
        (.y.set 2):

2015-08-11  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Add missing
        file references so they appear in the proper IDE locations.

2015-08-11  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed windows build fix for VS2015.

        * bindings/ScriptValue.h: Add missing JSCJSValueInlines.h include.

2015-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Reflect.has
        https://bugs.webkit.org/show_bug.cgi?id=147875

        Reviewed by Sam Weinig.

        This patch implements Reflect.has[1].
        Since the semantics is the same to the `in` operator in the JS[2],
        we can implement it in builtin JS code.

        [1]: http://www.ecma-international.org/ecma-262/6.0/#sec-reflect.has
        [2]: http://www.ecma-international.org/ecma-262/6.0/#sec-relational-operators-runtime-semantics-evaluation

        * builtins/ReflectObject.js:
        (has):
        * runtime/ReflectObject.cpp:
        * tests/stress/reflect-has.js: Added.
        (shouldBe):
        (shouldThrow):

2015-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Reflect.getPrototypeOf and Reflect.setPrototypeOf
        https://bugs.webkit.org/show_bug.cgi?id=147874

        Reviewed by Darin Adler.

        This patch implements ES6 Reflect.{getPrototypeOf, setPrototypeOf}.
        The difference from the Object.* one is

        1. They dont not perform ToObject onto the non-object arguments. They make it as a TypeError.
        2. Reflect.setPrototyeOf returns false when the operation is failed. In Object.setPrototypeOf, it raises a TypeError.

        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
        (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):
        * runtime/ObjectConstructor.h:
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectSetPrototypeOf):
        * tests/stress/reflect-get-prototype-of.js: Added.
        (shouldBe):
        (shouldThrow):
        (Base):
        (Derived):
        * tests/stress/reflect-set-prototype-of.js: Added.
        (shouldBe):
        (shouldThrow):

2015-08-11  Ting-Wei Lan  <lantw44@gmail.com>

        Fix debug build when optimization is enabled
        https://bugs.webkit.org/show_bug.cgi?id=147816

        Reviewed by Alexey Proskuryakov.

        * llint/LLIntEntrypoint.cpp:
        * runtime/FunctionExecutableDump.cpp:

2015-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Ensure that Reflect.enumerate does not produce the deleted keys
        https://bugs.webkit.org/show_bug.cgi?id=147677

        Reviewed by Darin Adler.

        Add tests for Reflect.enumerate that delete the property keys during the enumeration.

        * tests/stress/reflect-enumerate.js:

2015-08-10  Geoffrey Garen  <ggaren@apple.com>

        Start beating UnlinkedCodeBlock.h/.cpp with the "One Class per File" stick
        https://bugs.webkit.org/show_bug.cgi?id=147856

        Reviewed by Saam Barati.

        Split out UnlinkedFunctionExecutable.h/.cpp and ExecutableInfo.h into separate files.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ExecutableInfo.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
        (JSC::UnlinkedSimpleJumpTable::add): Deleted.
        (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
        (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
        (JSC::UnlinkedCodeBlock::usesEval): Deleted.
        (JSC::UnlinkedCodeBlock::needsFullScopeChain): Deleted.
        (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setActivationRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addParameter): Deleted.
        (JSC::UnlinkedCodeBlock::numParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
        (JSC::UnlinkedCodeBlock::regexp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addConstant): Deleted.
        (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
        (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
        (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
        (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
        (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
        (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
        (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::vm): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
        (JSC::UnlinkedCodeBlock::codeType): Deleted.
        (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::activationRegister): Deleted.
        (JSC::UnlinkedCodeBlock::hasActivationRegister): Deleted.
        (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
        (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
        (JSC::UnlinkedCodeBlock::recordParse): Deleted.
        (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
        (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
        (JSC::UnlinkedCodeBlock::firstLine): Deleted.
        (JSC::UnlinkedCodeBlock::lineCount): Deleted.
        (JSC::UnlinkedCodeBlock::startColumn): Deleted.
        (JSC::UnlinkedCodeBlock::endColumn): Deleted.
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
        (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
        (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        (JSC::generateFunctionCodeBlock): Deleted.
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): Deleted.
        (JSC::UnlinkedFunctionExecutable::visitChildren): Deleted.
        (JSC::UnlinkedFunctionExecutable::link): Deleted.
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode): Deleted.
        (JSC::UnlinkedFunctionExecutable::codeBlockFor): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::ExecutableInfo::ExecutableInfo): Deleted.
        (JSC::ExecutableInfo::needsActivation): Deleted.
        (JSC::ExecutableInfo::usesEval): Deleted.
        (JSC::ExecutableInfo::isStrictMode): Deleted.
        (JSC::ExecutableInfo::isConstructor): Deleted.
        (JSC::ExecutableInfo::isBuiltinFunction): Deleted.
        (JSC::ExecutableInfo::constructorKind): Deleted.
        * bytecode/UnlinkedFunctionExecutable.cpp: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp.
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
        (JSC::UnlinkedCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::getLineAndColumn): Deleted.
        (JSC::dumpLineColumnEntry): Deleted.
        (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo): Deleted.
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
        (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
        (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock): Deleted.
        (JSC::UnlinkedProgramCodeBlock::destroy): Deleted.
        (JSC::UnlinkedEvalCodeBlock::destroy): Deleted.
        (JSC::UnlinkedFunctionCodeBlock::destroy): Deleted.
        (JSC::UnlinkedFunctionExecutable::destroy): Deleted.
        (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::instructions): Deleted.
        * bytecode/UnlinkedFunctionExecutable.h: Copied from Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h.
        (JSC::ExecutableInfo::ExecutableInfo): Deleted.
        (JSC::ExecutableInfo::needsActivation): Deleted.
        (JSC::ExecutableInfo::usesEval): Deleted.
        (JSC::ExecutableInfo::isStrictMode): Deleted.
        (JSC::ExecutableInfo::isConstructor): Deleted.
        (JSC::ExecutableInfo::isBuiltinFunction): Deleted.
        (JSC::ExecutableInfo::constructorKind): Deleted.
        (JSC::UnlinkedStringJumpTable::offsetForValue): Deleted.
        (JSC::UnlinkedSimpleJumpTable::add): Deleted.
        (JSC::UnlinkedInstruction::UnlinkedInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::isConstructor): Deleted.
        (JSC::UnlinkedCodeBlock::isStrictMode): Deleted.
        (JSC::UnlinkedCodeBlock::usesEval): Deleted.
        (JSC::UnlinkedCodeBlock::needsFullScopeChain): Deleted.
        (JSC::UnlinkedCodeBlock::hasExpressionInfo): Deleted.
        (JSC::UnlinkedCodeBlock::setThisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setScopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setActivationRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesGlobalObject): Deleted.
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::globalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::setNumParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addParameter): Deleted.
        (JSC::UnlinkedCodeBlock::numParameters): Deleted.
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps): Deleted.
        (JSC::UnlinkedCodeBlock::regexp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfIdentifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifier): Deleted.
        (JSC::UnlinkedCodeBlock::identifiers): Deleted.
        (JSC::UnlinkedCodeBlock::addConstant): Deleted.
        (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegisters): Deleted.
        (JSC::UnlinkedCodeBlock::constantRegister): Deleted.
        (JSC::UnlinkedCodeBlock::isConstantRegisterIndex): Deleted.
        (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfJumpTargets): Deleted.
        (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::jumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::lastJumpTarget): Deleted.
        (JSC::UnlinkedCodeBlock::isBuiltinFunction): Deleted.
        (JSC::UnlinkedCodeBlock::constructorKind): Deleted.
        (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::switchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables): Deleted.
        (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::stringSwitchJumpTable): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::functionDecl): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionDecls): Deleted.
        (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::functionExpr): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfFunctionExprs): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): Deleted.
        (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::exceptionHandler): Deleted.
        (JSC::UnlinkedCodeBlock::vm): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addObjectAllocationProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addValueProfile): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfValueProfiles): Deleted.
        (JSC::UnlinkedCodeBlock::addLLIntCallLinkInfo): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfLLintCallLinkInfos): Deleted.
        (JSC::UnlinkedCodeBlock::codeType): Deleted.
        (JSC::UnlinkedCodeBlock::thisRegister): Deleted.
        (JSC::UnlinkedCodeBlock::scopeRegister): Deleted.
        (JSC::UnlinkedCodeBlock::activationRegister): Deleted.
        (JSC::UnlinkedCodeBlock::hasActivationRegister): Deleted.
        (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::propertyAccessInstructions): Deleted.
        (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
        (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::hasRareData): Deleted.
        (JSC::UnlinkedCodeBlock::recordParse): Deleted.
        (JSC::UnlinkedCodeBlock::codeFeatures): Deleted.
        (JSC::UnlinkedCodeBlock::hasCapturedVariables): Deleted.
        (JSC::UnlinkedCodeBlock::firstLine): Deleted.
        (JSC::UnlinkedCodeBlock::lineCount): Deleted.
        (JSC::UnlinkedCodeBlock::startColumn): Deleted.
        (JSC::UnlinkedCodeBlock::endColumn): Deleted.
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): Deleted.
        (JSC::UnlinkedCodeBlock::finishCreation): Deleted.
        (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): Deleted.
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): Deleted.
        * runtime/Executable.h:

2015-08-10  Mark Lam  <mark.lam@apple.com>

        Refactor LiveObjectList and LiveObjectData into their own files.
        https://bugs.webkit.org/show_bug.cgi?id=147843

        Reviewed by Saam Barati.

        There is no behavior change in this patch.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/HeapVerifier.cpp:
        (JSC::HeapVerifier::HeapVerifier):
        (JSC::LiveObjectList::findObject): Deleted.
        * heap/HeapVerifier.h:
        (JSC::LiveObjectData::LiveObjectData): Deleted.
        (JSC::LiveObjectList::LiveObjectList): Deleted.
        (JSC::LiveObjectList::reset): Deleted.
        * heap/LiveObjectData.h: Added.
        (JSC::LiveObjectData::LiveObjectData):
        * heap/LiveObjectList.cpp: Added.
        (JSC::LiveObjectList::findObject):
        * heap/LiveObjectList.h: Added.
        (JSC::LiveObjectList::LiveObjectList):
        (JSC::LiveObjectList::reset):

2015-08-07  Geoffrey Garen  <ggaren@apple.com>

        Let's rename FunctionBodyNode
        https://bugs.webkit.org/show_bug.cgi?id=147292

        Reviewed by Mark Lam & Saam Barati.

        FunctionBodyNode => FunctionMetadataNode

        Make FunctionMetadataNode inherit from Node instead of StatementNode
        because a FunctionMetadataNode can appear in expression context and does
        not have a next statement.

        (I decided to continue allocating FunctionMetadataNode in the AST arena,
        and to retain "Node" in its name, because it really is a parsing
        construct, and we transform its data before consuming it elsewhere.

        There is still room for a future patch to distill and simplify the
        metadata we track about functions between FunDeclNode/FuncExprNode,
        FunctionMetadataNode, and UnlinkedFunctionExecutable. But this is a start.)

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitNewFunction):
        (JSC::BytecodeGenerator::emitNewFunctionExpression):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::EvalNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode): Deleted.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createFunctionBody):
        * parser/NodeConstructors.h:
        (JSC::FunctionParameters::FunctionParameters):
        (JSC::FuncExprNode::FuncExprNode):
        (JSC::FuncDeclNode::FuncDeclNode):
        * parser/Nodes.cpp:
        (JSC::EvalNode::EvalNode):
        (JSC::FunctionMetadataNode::FunctionMetadataNode):
        (JSC::FunctionMetadataNode::finishParsing):
        (JSC::FunctionMetadataNode::setEndPosition):
        (JSC::FunctionBodyNode::FunctionBodyNode): Deleted.
        (JSC::FunctionBodyNode::finishParsing): Deleted.
        (JSC::FunctionBodyNode::setEndPosition): Deleted.
        * parser/Nodes.h:
        (JSC::FuncExprNode::body):
        (JSC::FuncDeclNode::body):
        * parser/Parser.h:
        (JSC::Parser::isFunctionMetadataNode):
        (JSC::Parser::next):
        (JSC::Parser<LexerType>::parse):
        (JSC::Parser::isFunctionBodyNode): Deleted.
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:

2015-08-09  Chris Dumez  <cdumez@apple.com>

        Regression(r188105): Seems to have caused crashes during PLT on some iPads
        https://bugs.webkit.org/show_bug.cgi?id=147818

        Unreviewed, roll out r188105.

        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::getByValInfoMap): Deleted.
        (JSC::CodeBlock::addByValInfo): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getByValInfo):
        (JSC::CodeBlock::setNumberOfByValInfos):
        (JSC::CodeBlock::numberOfByValInfos):
        (JSC::CodeBlock::byValInfo):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString): Deleted.
        * bytecode/ExitKind.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): Deleted.
        * bytecode/GetByIdStatus.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Deleted.
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Deleted.
        (JSC::DFG::FixupPhase::observeUseKindOnNode): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUidOperand): Deleted.
        (JSC::DFG::Node::uidOperand): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()): Deleted.
        (JSC::DFG::safeToExecute): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateSymbol): Deleted.
        (JSC::DFG::SpeculativeJIT::speculate): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal): Deleted.
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor): Deleted.
        (JSC::DFG::isCell): Deleted.
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckIdent): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::lowSymbol): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::speculate): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::isNotSymbol): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::speculateSymbol): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::ByValCompilationInfo::ByValCompilationInfo):
        (JSC::JIT::compileGetByValWithCachedId): Deleted.
        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emitGetByValWithCachedId): Deleted.
        (JSC::JIT::privateCompileGetByVal): Deleted.
        (JSC::JIT::privateCompileGetByValWithCachedId): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emitGetByValWithCachedId): Deleted.
        * runtime/Symbol.h:
        * tests/stress/get-by-val-with-string-constructor.js: Removed.
        * tests/stress/get-by-val-with-string-exit.js: Removed.
        * tests/stress/get-by-val-with-string-generated.js: Removed.
        * tests/stress/get-by-val-with-string-getter.js: Removed.
        * tests/stress/get-by-val-with-string.js: Removed.
        * tests/stress/get-by-val-with-symbol-constructor.js: Removed.
        * tests/stress/get-by-val-with-symbol-exit.js: Removed.
        * tests/stress/get-by-val-with-symbol-getter.js: Removed.
        * tests/stress/get-by-val-with-symbol.js: Removed.

2015-08-07  Gyuyoung Kim  <gyuyoung.kim@webkit.org>

        Reduce uses of PassRefPtr in bindings
        https://bugs.webkit.org/show_bug.cgi?id=147781

        Reviewed by Chris Dumez.

        Use RefPtr when function can return null or an instance. If not, Ref is used.

        * runtime/JSGenericTypedArrayView.h:
        (JSC::toNativeTypedView):

2015-08-07  Alex Christensen  <achristensen@webkit.org>

        Build more testing binaries with CMake on Windows
        https://bugs.webkit.org/show_bug.cgi?id=147799

        Reviewed by Brent Fulgham.

        * shell/PlatformWin.cmake: Added.
        Build jsc.dll and jsc.exe to find Apple Application Support or WinCairo dlls before using them.

2015-08-07  Filip Pizlo  <fpizlo@apple.com>

        Lightweight locks should be adaptive
        https://bugs.webkit.org/show_bug.cgi?id=147545

        Reviewed by Geoffrey Garen.

        * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing):
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::workListLock):
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::shouldReportLiveBytes):
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneFillingBlock):
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::CopiedGeneration::CopiedGeneration):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::recycleEvacuatedBlock):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::didStartCopying):
        * heap/GCThreadSharedData.h:
        (JSC::GCThreadSharedData::getNextBlocksToCopy):
        * heap/ListableHandler.h:
        (JSC::ListableHandler::List::addThreadSafe):
        (JSC::ListableHandler::List::addNotThreadSafe):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::~SourceProvider):
        (JSC::SourceProvider::getID):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::addDatabaseToAtExit):
        (JSC::Profiler::Database::removeDatabaseFromAtExit):
        (JSC::Profiler::Database::removeFirstAtExitDatabase):
        * runtime/TypeProfilerLog.h:

2015-08-07  Mark Lam  <mark.lam@apple.com>

        Rename some variables in the JSC watchdog implementation.
        https://bugs.webkit.org/show_bug.cgi?id=147790

        Rubber stamped by Benjamin Poulain.

        This is just a refactoring patch to give the variable better names that describe their
        intended use.  There is no behavior change.

        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Watchdog):
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::didFire):
        (JSC::Watchdog::isEnabled):
        (JSC::Watchdog::fire):
        (JSC::Watchdog::startCountdownIfNeeded):
        * runtime/Watchdog.h:

2015-08-07  Saam barati  <saambarati1@gmail.com>

        Interpreter::unwind shouldn't be responsible for assigning the correct scope.
        https://bugs.webkit.org/show_bug.cgi?id=147666

        Reviewed by Geoffrey Garen.

        If we make the bytecode generator know about every local scope it 
        creates, and if we give each local scope a unique register, the
        bytecode generator has all the information it needs to assign
        the correct scope to a catch handler. Because the bytecode generator
        knows this information, it's a better separation of responsibilties
        for it to set up the proper scope instead of relying on the exception
        handling runtime to find the scope.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/HandlerInfo.h:
        (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
        (JSC::HandlerInfo::initialize):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::emitGetScope):
        (JSC::BytecodeGenerator::emitPushWithScope):
        (JSC::BytecodeGenerator::emitGetParentScope):
        (JSC::BytecodeGenerator::emitPopScope):
        (JSC::BytecodeGenerator::emitPopWithScope):
        (JSC::BytecodeGenerator::allocateAndEmitScope):
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::BytecodeGenerator::pushTry):
        (JSC::BytecodeGenerator::popTryAndEmitCatch):
        (JSC::BytecodeGenerator::localScopeDepth):
        (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::WithNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_push_with_scope):
        (JSC::JIT::compileOpStrictEq):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_push_with_scope):
        (JSC::JIT::emit_op_to_number):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::objectAtScope):
        (JSC::isUnscopable):
        (JSC::JSScope::depth): Deleted.
        * runtime/JSScope.h:

2015-08-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add MacroAssembler::patchableBranch64 and fix ARM64's patchableBranchPtr
        https://bugs.webkit.org/show_bug.cgi?id=147761

        Reviewed by Mark Lam.

        This patch implements MacroAssembler::patchableBranch64 in 64bit environments.
        And fix the existing MacroAssemblerARM64::patchableBranchPtr, before this patch,
        it truncates the immediate pointer into the 32bit immediate.
        And use patchableBranch64 in the baseline JIT under the JSVALUE64 configuration.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::patchableBranchPtr):
        (JSC::MacroAssemblerARM64::patchableBranch64):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::patchableBranch64):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitPatchableJumpIfNotImmediateInteger):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):

2015-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Introduce get_by_id like IC into get_by_val when the given name is String or Symbol
        https://bugs.webkit.org/show_bug.cgi?id=147480

        Reviewed by Filip Pizlo.

        This patch adds get_by_id IC to get_by_val operation by caching the string / symbol id.
        The IC site only caches one id. After checking that the given id is the same to the
        cached one, we perform the get_by_id IC onto it.
        And by collecting IC StructureStubInfo information, we pass it to the DFG and DFG
        compiles get_by_val op code into CheckIdent (with edge type check) and GetById related
        operations when the given get_by_val leverages the property load with the cached id.

        To ensure the incoming value is the expected id, in DFG layer, we use SymbolUse and
        StringIdentUse to enforce the type. To use it, this patch implements SymbolUse.
        This can be leveraged to optimize symbol operations in DFG.

        And since byValInfo is frequently used, we align the byValInfo design to the stubInfo like one.
        Allocated by the Bag and operations take the raw byValInfo pointer directly instead of performing
        binary search onto m_byValInfos. And by storing ArrayProfile* under the ByValInfo, we replaced the
        argument ArrayProfile* in the operations with ByValInfo*.

        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::getByValInfoMap):
        (JSC::CodeBlock::addByValInfo):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getByValInfo): Deleted.
        (JSC::CodeBlock::setNumberOfByValInfos): Deleted.
        (JSC::CodeBlock::numberOfByValInfos): Deleted.
        (JSC::CodeBlock::byValInfo): Deleted.
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetByIdStatus.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUidOperand):
        (JSC::DFG::Node::uidOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckIdent):
        (JSC::DFG::SpeculativeJIT::speculateSymbol):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckIdent):
        (JSC::FTL::DFG::LowerDFGToLLVM::lowSymbol):
        (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
        (JSC::FTL::DFG::LowerDFGToLLVM::isNotSymbol):
        (JSC::FTL::DFG::LowerDFGToLLVM::speculateSymbol):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::ByValCompilationInfo::ByValCompilationInfo):
        (JSC::JIT::compileGetByValWithCachedId):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_has_indexed_property):
        (JSC::JIT::emitSlow_op_has_indexed_property):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompileGetByValWithCachedId):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * runtime/Symbol.h:
        * tests/stress/get-by-val-with-string-constructor.js: Added.
        (Hello):
        (get Hello.prototype.generate):
        (ok):
        * tests/stress/get-by-val-with-string-exit.js: Added.
        (shouldBe):
        (getByVal):
        (getStr1):
        (getStr2):
        * tests/stress/get-by-val-with-string-generated.js: Added.
        (shouldBe):
        (getByVal):
        (getStr1):
        (getStr2):
        * tests/stress/get-by-val-with-string-getter.js: Added.
        (object.get hello):
        (ok):
        * tests/stress/get-by-val-with-string.js: Added.
        (shouldBe):
        (getByVal):
        (getStr1):
        (getStr2):
        * tests/stress/get-by-val-with-symbol-constructor.js: Added.
        (Hello):
        (get Hello.prototype.generate):
        (ok):
        * tests/stress/get-by-val-with-symbol-exit.js: Added.
        (shouldBe):
        (getByVal):
        (getSym1):
        (getSym2):
        * tests/stress/get-by-val-with-symbol-getter.js: Added.
        (object.get hello):
        (.get ok):
        * tests/stress/get-by-val-with-symbol.js: Added.
        (shouldBe):
        (getByVal):
        (getSym1):
        (getSym2):

2015-08-06  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Parse the entire WebAssembly modules
        https://bugs.webkit.org/show_bug.cgi?id=147393

        Reviewed by Geoffrey Garen.

        Parse the entire WebAssembly modules from files produced by pack-asmjs
        <https://github.com/WebAssembly/polyfill-prototype-1>. This patch can only
        parse modules whose function definition section contains only functions that
        have "return 0;" as their only statement. Parsing of any functions will be
        implemented in a subsequent patch.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wasm/JSWASMModule.cpp:
        (JSC::JSWASMModule::destroy):
        * wasm/JSWASMModule.h:
        (JSC::JSWASMModule::i32Constants):
        (JSC::JSWASMModule::f32Constants):
        (JSC::JSWASMModule::f64Constants):
        (JSC::JSWASMModule::signatures):
        (JSC::JSWASMModule::functionImports):
        (JSC::JSWASMModule::functionImportSignatures):
        (JSC::JSWASMModule::globalVariableTypes):
        (JSC::JSWASMModule::functionDeclarations):
        (JSC::JSWASMModule::functionPointerTables):
        * wasm/WASMFormat.h: Added.
        * wasm/WASMModuleParser.cpp:
        (JSC::WASMModuleParser::parse):
        (JSC::WASMModuleParser::parseModule):
        (JSC::WASMModuleParser::parseConstantPoolSection):
        (JSC::WASMModuleParser::parseSignatureSection):
        (JSC::WASMModuleParser::parseFunctionImportSection):
        (JSC::WASMModuleParser::parseGlobalSection):
        (JSC::WASMModuleParser::parseFunctionDeclarationSection):
        (JSC::WASMModuleParser::parseFunctionPointerTableSection):
        (JSC::WASMModuleParser::parseFunctionDefinitionSection):
        (JSC::WASMModuleParser::parseFunctionDefinition):
        (JSC::WASMModuleParser::parseExportSection):
        * wasm/WASMModuleParser.h:
        * wasm/WASMReader.cpp:
        (JSC::WASMReader::readUInt32):
        (JSC::WASMReader::readCompactUInt32):
        (JSC::WASMReader::readString):
        (JSC::WASMReader::readType):
        (JSC::WASMReader::readExpressionType):
        (JSC::WASMReader::readExportFormat):
        (JSC::WASMReader::readByte):
        (JSC::WASMReader::readUnsignedInt32): Deleted.
        * wasm/WASMReader.h:

2015-08-06  Keith Miller  <keith_miller@apple.com>

        The typedArrayLength function in FTLLowerDFGToLLVM is dead code.
        https://bugs.webkit.org/show_bug.cgi?id=147749

        Reviewed by Filip Pizlo.

        Removed dead code elimination. the TypedArray length is compiled in compileGetArrayLength()
        thus no one calls this code.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::typedArrayLength): Deleted.

2015-08-06  Keith Miller  <keith_miller@apple.com>

        The JSONP parser incorrectly parsers -0 as +0.
        https://bugs.webkit.org/show_bug.cgi?id=147590

        Reviewed by Michael Saboff.

        In the LiteralParser we should use a double to store the accumulator for numerical tokens
        rather than an int. Using an int means that -0 is, incorrectly, parsed as +0.

        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lexNumber):

2015-08-06  Filip Pizlo  <fpizlo@apple.com>

        Structures used for tryGetConstantProperty() should be registered first
        https://bugs.webkit.org/show_bug.cgi?id=147750

        Reviewed by Saam Barati and Michael Saboff.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetConstantProperty): Add an assertion to that effect. This should catch the bug sooner.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addStructureSet): Register structures when we make a structure set. That ensures that we won't call tryGetConstantProperty() on a structure that hasn't been registered yet.
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run): Don't register structure sets here anymore. Registering them before we get here means there is no chance of the code being DCE'd before the structures get registered. It also enables the tryGetConstantProperty() assertion, since that code runs before StructureRegisterationPhase.
        (JSC::DFG::StructureRegistrationPhase::registerStructures):
        (JSC::DFG::StructureRegistrationPhase::registerStructure):
        (JSC::DFG::StructureRegistrationPhase::assertAreRegistered):
        (JSC::DFG::StructureRegistrationPhase::assertIsRegistered):
        (JSC::DFG::performStructureRegistration):

2015-08-06  Keith Miller  <keith_miller@apple.com>

        Remove UnspecifiedBoolType from JSC
        https://bugs.webkit.org/show_bug.cgi?id=147597

        Reviewed by Mark Lam.

        We were using the safe bool pattern in the code base for implicit casting to booleans.
        With C++11 this is no longer necessary and we can instead create an operator bool.

        * API/JSRetainPtr.h:
        (JSRetainPtr::operator bool):
        (JSRetainPtr::operator UnspecifiedBoolType): Deleted.
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::operator bool):
        (JSC::DFG::Edge::operator UnspecifiedBoolType*): Deleted.
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * heap/Weak.h:
        * heap/WeakInlines.h:
        (JSC::bool):
        (JSC::UnspecifiedBoolType): Deleted.

2015-08-05  Ryosuke Niwa  <rniwa@webkit.org>

        [ES6] Class parser does not allow methods named set and get.
        https://bugs.webkit.org/show_bug.cgi?id=147150

        Reviewed by Oliver Hunt.

        The bug was caused by parseClass assuming identifiers "get" and "set" could only appear
        as the leading token for getter and setter methods. Fixed the bug by generalizing the code
        so that we only treat them as such when it's followed by another token that could be a method name.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-08-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/187972.

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::doRun):
        (JSC::SamplingTool::notifyOfScope):
        * bytecode/SamplingTool.h:
        * dfg/DFGThreadData.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::queueLength):
        (JSC::DFG::Worklist::dump):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * disassembler/Disassembler.cpp:
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::doneCopying):
        * heap/CopiedSpace.h:
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::recycleBorrowedBlock):
        (JSC::CopiedSpace::allocateBlockForCopyingPhase):
        * heap/HeapTimer.h:
        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::Locker::Locker):
        (JSC::ActiveMachineThreadsManager::add):
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThreadIfFound):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:
        * interpreter/JSStack.cpp:
        (JSC::stackStatisticsMutex):
        (JSC::JSStack::addToCommittedByteCount):
        (JSC::JSStack::committedByteCount):
        * jit/JITThunks.h:
        * profiler/ProfilerDatabase.h:

2015-08-05  Saam barati  <saambarati1@gmail.com>

        Bytecodegenerator emits crappy code for returns in a lexical scope.
        https://bugs.webkit.org/show_bug.cgi?id=147688

        Reviewed by Mark Lam.

        When returning, we only need to emit complex pop scopes if we're in 
        a finally block. Otherwise, we can just return like normal. This saves
        us from inefficiently emitting unnecessary pop scopes.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isInFinallyBlock):
        (JSC::BytecodeGenerator::hasFinaliser): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ReturnNode::emitBytecode):

2015-08-05  Benjamin Poulain  <benjamin@webkit.org>

        Add the Intl API to the status page

        * features.json:
        Andy VanWagoner landed the skeleton of the API and it is
        enabled by default.

2015-08-04  Filip Pizlo  <fpizlo@apple.com>

        Rename Mutex to DeprecatedMutex
        https://bugs.webkit.org/show_bug.cgi?id=147675

        Reviewed by Geoffrey Garen.

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::doRun):
        (JSC::SamplingTool::notifyOfScope):
        * bytecode/SamplingTool.h:
        * dfg/DFGThreadData.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::queueLength):
        (JSC::DFG::Worklist::dump):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * disassembler/Disassembler.cpp:
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::doneCopying):
        * heap/CopiedSpace.h:
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::recycleBorrowedBlock):
        (JSC::CopiedSpace::allocateBlockForCopyingPhase):
        * heap/HeapTimer.h:
        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::Locker::Locker):
        (JSC::ActiveMachineThreadsManager::add):
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThreadIfFound):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:
        * interpreter/JSStack.cpp:
        (JSC::stackStatisticsMutex):
        (JSC::JSStack::addToCommittedByteCount):
        (JSC::JSStack::committedByteCount):
        * jit/JITThunks.h:
        * profiler/ProfilerDatabase.h:

2015-08-05  Saam barati  <saambarati1@gmail.com>

        Replace JSFunctionNameScope with JSLexicalEnvironment for the function name scope.
        https://bugs.webkit.org/show_bug.cgi?id=147657

        Reviewed by Mark Lam.

        This kills the last of the name scope objects. Function name scopes are
        now built on top of the scoping mechanisms introduced with ES6 block scoping.
        A name scope is now just a JSLexicalEnvironment.  We treat assignments to the
        function name scoped variable carefully depending on if the function is in
        strict mode. If we're in strict mode, then we treat the variable exactly
        like a "const" variable. If we're not in strict mode, we can't treat
        this variable like like ES6 "const" because that would cause the bytecode
        generator to throw an exception when it shouldn't.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::pushLexicalScope):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::resolveType):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::pushScopedControlFlowContext):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        * debugger/DebuggerScope.cpp:
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_push_name_scope): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_to_string):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_push_name_scope): Deleted.
        * jit/JITOperations.cpp:
        (JSC::pushNameScope): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/Nodes.cpp:
        * runtime/CommonSlowPaths.cpp:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/JSFunctionNameScope.cpp: Removed.
        * runtime/JSFunctionNameScope.h: Removed.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::withScopeStructure):
        (JSC::JSGlobalObject::strictEvalActivationStructure):
        (JSC::JSGlobalObject::activationStructure):
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::outOfBandArgumentsStructure):
        (JSC::JSGlobalObject::functionNameScopeStructure): Deleted.
        * runtime/JSNameScope.cpp: Removed.
        * runtime/JSNameScope.h: Removed.
        * runtime/JSObject.cpp:
        (JSC::JSObject::toThis):
        (JSC::JSObject::seal):
        (JSC::JSObject::isFunctionNameScopeObject): Deleted.
        * runtime/JSObject.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::isCatchScope):
        (JSC::JSScope::isFunctionNameScopeObject):
        (JSC::resolveModeName):
        * runtime/JSScope.h:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/SymbolTable.h:
        * runtime/VM.cpp:

2015-08-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve Support for PropertyName Iterator (Reflect.enumerate) in Inspector
        https://bugs.webkit.org/show_bug.cgi?id=147679

        Reviewed by Timothy Hatcher.

        Improve native iterator support for the PropertyName Iterator by
        allowing inspection of the internal object within the iterator
        and peeking of the next upcoming values of the iterator.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::iteratedValue):

2015-08-04  Brent Fulgham  <bfulgham@apple.com>

        [Win] Update Apple Windows build for VS2015
        https://bugs.webkit.org/show_bug.cgi?id=147653

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Drive-by-fix.
        Show JSC files in proper project locations in IDE.

2015-08-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Object previews for SVG elements shows SVGAnimatedString instead of text
        https://bugs.webkit.org/show_bug.cgi?id=147328

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        Use classList and classList.toString instead of className.

2015-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Support Module Syntax
        https://bugs.webkit.org/show_bug.cgi?id=147422

        Reviewed by Saam Barati.

        This patch introduces ES6 Modules syntax parsing part.
        In this patch, ASTBuilder just produces the corresponding nodes to the ES6 Modules syntax,
        and this patch does not include the code generator part.

        Modules require 2 phase parsing. In the first pass, we just analyze the dependent modules
        and do not execute the body or construct the AST. And after analyzing all the dependent
        modules, we will parse the dependent modules next.
        After all analyzing part is done, we will start the second pass. In the second pass, we
        will parse the module, produce the AST, and execute the body.
        If we don't do so, we need to create all the ASTs in the module's dependent graph at first
        because the given module can be executed after the all dependent modules are executed. It
        means that we need to hold so many parser arenas. To avoid this, the first pass only extracts
        the dependent modules' information.

        In this patch, we don't add this analyzing part yet. This patch only implements the second pass.
        This patch aims at just implementing the syntax parsing functionality correctly.
        After this patch is landed, we will create the ModuleDependencyAnalyzer that inherits SyntaxChecker
        to collect the dependent modules fast[1].

        To test the parsing, we added the "checkModuleSyntax" function into jsc shell.
        By using this, we can parse the given string as the module.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=147353

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ModuleProgramNode::emitBytecode):
        (JSC::ImportDeclarationNode::emitBytecode):
        (JSC::ExportAllDeclarationNode::emitBytecode):
        (JSC::ExportDefaultDeclarationNode::emitBytecode):
        (JSC::ExportLocalDeclarationNode::emitBytecode):
        (JSC::ExportNamedDeclarationNode::emitBytecode):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCheckModuleSyntax):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createModuleSpecifier):
        (JSC::ASTBuilder::createImportSpecifier):
        (JSC::ASTBuilder::createImportSpecifierList):
        (JSC::ASTBuilder::appendImportSpecifier):
        (JSC::ASTBuilder::createImportDeclaration):
        (JSC::ASTBuilder::createExportAllDeclaration):
        (JSC::ASTBuilder::createExportDefaultDeclaration):
        (JSC::ASTBuilder::createExportLocalDeclaration):
        (JSC::ASTBuilder::createExportNamedDeclaration):
        (JSC::ASTBuilder::createExportSpecifier):
        (JSC::ASTBuilder::createExportSpecifierList):
        (JSC::ASTBuilder::appendExportSpecifier):
        * parser/Keywords.table:
        * parser/NodeConstructors.h:
        (JSC::ModuleSpecifierNode::ModuleSpecifierNode):
        (JSC::ImportSpecifierNode::ImportSpecifierNode):
        (JSC::ImportDeclarationNode::ImportDeclarationNode):
        (JSC::ExportAllDeclarationNode::ExportAllDeclarationNode):
        (JSC::ExportDefaultDeclarationNode::ExportDefaultDeclarationNode):
        (JSC::ExportLocalDeclarationNode::ExportLocalDeclarationNode):
        (JSC::ExportNamedDeclarationNode::ExportNamedDeclarationNode):
        (JSC::ExportSpecifierNode::ExportSpecifierNode):
        * parser/Nodes.cpp:
        (JSC::ModuleProgramNode::ModuleProgramNode):
        * parser/Nodes.h:
        (JSC::ModuleProgramNode::startColumn):
        (JSC::ModuleProgramNode::endColumn):
        (JSC::ModuleSpecifierNode::moduleName):
        (JSC::ImportSpecifierNode::importedName):
        (JSC::ImportSpecifierNode::localName):
        (JSC::ImportSpecifierListNode::specifiers):
        (JSC::ImportSpecifierListNode::append):
        (JSC::ImportDeclarationNode::specifierList):
        (JSC::ImportDeclarationNode::moduleSpecifier):
        (JSC::ExportAllDeclarationNode::moduleSpecifier):
        (JSC::ExportDefaultDeclarationNode::declaration):
        (JSC::ExportLocalDeclarationNode::declaration):
        (JSC::ExportSpecifierNode::exportedName):
        (JSC::ExportSpecifierNode::localName):
        (JSC::ExportSpecifierListNode::specifiers):
        (JSC::ExportSpecifierListNode::append):
        (JSC::ExportNamedDeclarationNode::specifierList):
        (JSC::ExportNamedDeclarationNode::moduleSpecifier):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseModuleSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClassDeclaration):
        (JSC::Parser<LexerType>::parseModuleSpecifier):
        (JSC::Parser<LexerType>::parseImportClauseItem):
        (JSC::Parser<LexerType>::parseImportDeclaration):
        (JSC::Parser<LexerType>::parseExportSpecifier):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        (JSC::isIdentifierOrKeyword):
        (JSC::ModuleScopeData::create):
        (JSC::ModuleScopeData::exportedBindings):
        (JSC::ModuleScopeData::exportName):
        (JSC::ModuleScopeData::exportBinding):
        (JSC::Scope::Scope):
        (JSC::Scope::setIsModule):
        (JSC::Scope::moduleScopeData):
        (JSC::Parser::matchContextualKeyword):
        (JSC::Parser::matchIdentifierOrKeyword):
        (JSC::Parser::isofToken): Deleted.
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createModuleSpecifier):
        (JSC::SyntaxChecker::createImportSpecifier):
        (JSC::SyntaxChecker::createImportSpecifierList):
        (JSC::SyntaxChecker::appendImportSpecifier):
        (JSC::SyntaxChecker::createImportDeclaration):
        (JSC::SyntaxChecker::createExportAllDeclaration):
        (JSC::SyntaxChecker::createExportDefaultDeclaration):
        (JSC::SyntaxChecker::createExportLocalDeclaration):
        (JSC::SyntaxChecker::createExportNamedDeclaration):
        (JSC::SyntaxChecker::createExportSpecifier):
        (JSC::SyntaxChecker::createExportSpecifierList):
        (JSC::SyntaxChecker::appendExportSpecifier):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkModuleSyntax):
        * runtime/Completion.h:
        * tests/stress/modules-syntax-error-with-names.js: Added.
        (shouldThrow):
        * tests/stress/modules-syntax-error.js: Added.
        (shouldThrow):
        (checkModuleSyntaxError.checkModuleSyntaxError.checkModuleSyntaxError):
        * tests/stress/modules-syntax.js: Added.
        (prototype.checkModuleSyntax):
        (checkModuleSyntax):
        * tests/stress/tagged-templates-syntax.js:

2015-08-03  Csaba Osztrogonác  <ossy@webkit.org>

        Introduce COMPILER(GCC_OR_CLANG) guard and make COMPILER(GCC) true only for GCC
        https://bugs.webkit.org/show_bug.cgi?id=146833

        Reviewed by Alexey Proskuryakov.

        * assembler/ARM64Assembler.h:
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::cacheFlush):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::isVFPPresent):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::isSSE2Present):
        * heap/MachineStackMarker.h:
        * interpreter/StackVisitor.cpp: Removed redundant COMPILER(CLANG) guards.
        (JSC::logF):
        * jit/HostCallReturnValue.h:
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86Common.h:
        * jit/JITStubsX86_64.h:
        * jit/ThunkGenerators.cpp:
        * runtime/JSExportMacros.h:
        * runtime/MathCommon.h: Removed redundant COMPILER(CLANG) guard.
        (JSC::clz32):

2015-08-03  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix uninitialized property leading to an assert.

        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):

2015-08-03  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/ObjectPropertyConditionSet.h:
        (JSC::ObjectPropertyConditionSet::fromRawPointer):

2015-07-31  Filip Pizlo  <fpizlo@apple.com>

        DFG should have adaptive structure watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=146929

        Reviewed by Geoffrey Garen.

        Before this change, if you wanted to efficiently validate whether an object has (or doesn't have) a
        property, you'd check that the object still has the structure that you first saw the object have. We
        optimized this a bit with transition watchpoints on the structure, which sometimes allowed us to
        elide the structure check.

        But this approach fails when that object frequently has new properties added to it. This would
        change the structure and fire the transition watchpoint, so the code we emitted would be invalid and
        we'd have to recompile either the IC or an entire code block.

        This change introduces a new concept: an object property condition. This value describes some
        condition involving a property on some object. There are four kinds: presence, absence,
        absence-of-setter, and equivalence. For example, a presence condition says that we expect that the
        object has some property at some offset with some attributes. This allows us to implement a new kind
        of watchpoint, which knows about the object property condition that it's being used to enforce. If
        the watchpoint fires because of a structure transition, the watchpoint may simply reinstall itself
        on the new structure.

        Object property conditions are used on the prototype chain of PutById transitions, GetById misses,
        and prototype accesses. They are also used for any DFG accesses to object constants, including
        global property accesses.

        Mostly because of the effect on global property access, this is a 9% speed-up on Kraken. It's
        neutral on most other things. It's a 68x speed-up on a microbenchmark that illustrates the prototype
        chain situation. It's also a small speed-up on getter-richards.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdCacheStatus):
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ComplexGetStatus.cpp:
        (JSC::ComplexGetStatus::computeFor):
        * bytecode/ComplexGetStatus.h:
        (JSC::ComplexGetStatus::ComplexGetStatus):
        (JSC::ComplexGetStatus::takesSlowPath):
        (JSC::ComplexGetStatus::kind):
        (JSC::ComplexGetStatus::offset):
        (JSC::ComplexGetStatus::conditionSet):
        (JSC::ComplexGetStatus::attributes): Deleted.
        (JSC::ComplexGetStatus::specificValue): Deleted.
        (JSC::ComplexGetStatus::chain): Deleted.
        * bytecode/ConstantStructureCheck.cpp: Removed.
        * bytecode/ConstantStructureCheck.h: Removed.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::~GetByIdVariant):
        (JSC::GetByIdVariant::operator=):
        (JSC::GetByIdVariant::attemptToMerge):
        (JSC::GetByIdVariant::dumpInContext):
        (JSC::GetByIdVariant::baseStructure): Deleted.
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::operator!):
        (JSC::GetByIdVariant::structureSet):
        (JSC::GetByIdVariant::conditionSet):
        (JSC::GetByIdVariant::offset):
        (JSC::GetByIdVariant::callLinkStatus):
        (JSC::GetByIdVariant::constantChecks): Deleted.
        (JSC::GetByIdVariant::alternateBase): Deleted.
        * bytecode/ObjectPropertyCondition.cpp: Added.
        (JSC::ObjectPropertyCondition::dumpInContext):
        (JSC::ObjectPropertyCondition::dump):
        (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
        (JSC::ObjectPropertyCondition::validityRequiresImpurePropertyWatchpoint):
        (JSC::ObjectPropertyCondition::isStillValid):
        (JSC::ObjectPropertyCondition::structureEnsuresValidity):
        (JSC::ObjectPropertyCondition::isWatchableAssumingImpurePropertyWatchpoint):
        (JSC::ObjectPropertyCondition::isWatchable):
        (JSC::ObjectPropertyCondition::isStillLive):
        (JSC::ObjectPropertyCondition::validateReferences):
        (JSC::ObjectPropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
        * bytecode/ObjectPropertyCondition.h: Added.
        (JSC::ObjectPropertyCondition::ObjectPropertyCondition):
        (JSC::ObjectPropertyCondition::presenceWithoutBarrier):
        (JSC::ObjectPropertyCondition::presence):
        (JSC::ObjectPropertyCondition::absenceWithoutBarrier):
        (JSC::ObjectPropertyCondition::absence):
        (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier):
        (JSC::ObjectPropertyCondition::absenceOfSetter):
        (JSC::ObjectPropertyCondition::equivalenceWithoutBarrier):
        (JSC::ObjectPropertyCondition::equivalence):
        (JSC::ObjectPropertyCondition::operator!):
        (JSC::ObjectPropertyCondition::object):
        (JSC::ObjectPropertyCondition::condition):
        (JSC::ObjectPropertyCondition::kind):
        (JSC::ObjectPropertyCondition::uid):
        (JSC::ObjectPropertyCondition::hasOffset):
        (JSC::ObjectPropertyCondition::offset):
        (JSC::ObjectPropertyCondition::hasAttributes):
        (JSC::ObjectPropertyCondition::attributes):
        (JSC::ObjectPropertyCondition::hasPrototype):
        (JSC::ObjectPropertyCondition::prototype):
        (JSC::ObjectPropertyCondition::hasRequiredValue):
        (JSC::ObjectPropertyCondition::requiredValue):
        (JSC::ObjectPropertyCondition::hash):
        (JSC::ObjectPropertyCondition::operator==):
        (JSC::ObjectPropertyCondition::isHashTableDeletedValue):
        (JSC::ObjectPropertyCondition::isCompatibleWith):
        (JSC::ObjectPropertyCondition::watchingRequiresStructureTransitionWatchpoint):
        (JSC::ObjectPropertyCondition::watchingRequiresReplacementWatchpoint):
        (JSC::ObjectPropertyCondition::isValidValueForPresence):
        (JSC::ObjectPropertyConditionHash::hash):
        (JSC::ObjectPropertyConditionHash::equal):
        * bytecode/ObjectPropertyConditionSet.cpp: Added.
        (JSC::ObjectPropertyConditionSet::forObject):
        (JSC::ObjectPropertyConditionSet::forConditionKind):
        (JSC::ObjectPropertyConditionSet::numberOfConditionsWithKind):
        (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition):
        (JSC::ObjectPropertyConditionSet::slotBaseCondition):
        (JSC::ObjectPropertyConditionSet::mergedWith):
        (JSC::ObjectPropertyConditionSet::structuresEnsureValidity):
        (JSC::ObjectPropertyConditionSet::structuresEnsureValidityAssumingImpurePropertyWatchpoint):
        (JSC::ObjectPropertyConditionSet::needImpurePropertyWatchpoint):
        (JSC::ObjectPropertyConditionSet::areStillLive):
        (JSC::ObjectPropertyConditionSet::dumpInContext):
        (JSC::ObjectPropertyConditionSet::dump):
        (JSC::generateConditionsForPropertyMiss):
        (JSC::generateConditionsForPropertySetterMiss):
        (JSC::generateConditionsForPrototypePropertyHit):
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        (JSC::generateConditionsForPropertySetterMissConcurrently):
        * bytecode/ObjectPropertyConditionSet.h: Added.
        (JSC::ObjectPropertyConditionSet::ObjectPropertyConditionSet):
        (JSC::ObjectPropertyConditionSet::invalid):
        (JSC::ObjectPropertyConditionSet::nonEmpty):
        (JSC::ObjectPropertyConditionSet::isValid):
        (JSC::ObjectPropertyConditionSet::isEmpty):
        (JSC::ObjectPropertyConditionSet::begin):
        (JSC::ObjectPropertyConditionSet::end):
        (JSC::ObjectPropertyConditionSet::releaseRawPointer):
        (JSC::ObjectPropertyConditionSet::adoptRawPointer):
        (JSC::ObjectPropertyConditionSet::fromRawPointer):
        (JSC::ObjectPropertyConditionSet::Data::Data):
        * bytecode/PolymorphicGetByIdList.cpp:
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::~GetByIdAccess):
        (JSC::GetByIdAccess::visitWeak):
        * bytecode/PolymorphicGetByIdList.h:
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::structure):
        (JSC::GetByIdAccess::conditionSet):
        (JSC::GetByIdAccess::stubRoutine):
        (JSC::GetByIdAccess::chain): Deleted.
        (JSC::GetByIdAccess::chainCount): Deleted.
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::fromStructureStubInfo):
        (JSC::PutByIdAccess::visitWeak):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::PutByIdAccess):
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::setter):
        (JSC::PutByIdAccess::newStructure):
        (JSC::PutByIdAccess::conditionSet):
        (JSC::PutByIdAccess::stubRoutine):
        (JSC::PutByIdAccess::chain): Deleted.
        (JSC::PutByIdAccess::chainCount): Deleted.
        * bytecode/PropertyCondition.cpp: Added.
        (JSC::PropertyCondition::dumpInContext):
        (JSC::PropertyCondition::dump):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint):
        (JSC::PropertyCondition::isStillValid):
        (JSC::PropertyCondition::isWatchableWhenValid):
        (JSC::PropertyCondition::isWatchableAssumingImpurePropertyWatchpoint):
        (JSC::PropertyCondition::isWatchable):
        (JSC::PropertyCondition::isStillLive):
        (JSC::PropertyCondition::validateReferences):
        (JSC::PropertyCondition::isValidValueForAttributes):
        (JSC::PropertyCondition::isValidValueForPresence):
        (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h: Added.
        (JSC::PropertyCondition::PropertyCondition):
        (JSC::PropertyCondition::presenceWithoutBarrier):
        (JSC::PropertyCondition::presence):
        (JSC::PropertyCondition::absenceWithoutBarrier):
        (JSC::PropertyCondition::absence):
        (JSC::PropertyCondition::absenceOfSetterWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetter):
        (JSC::PropertyCondition::equivalenceWithoutBarrier):
        (JSC::PropertyCondition::equivalence):
        (JSC::PropertyCondition::operator!):
        (JSC::PropertyCondition::kind):
        (JSC::PropertyCondition::uid):
        (JSC::PropertyCondition::hasOffset):
        (JSC::PropertyCondition::offset):
        (JSC::PropertyCondition::hasAttributes):
        (JSC::PropertyCondition::attributes):
        (JSC::PropertyCondition::hasPrototype):
        (JSC::PropertyCondition::prototype):
        (JSC::PropertyCondition::hasRequiredValue):
        (JSC::PropertyCondition::requiredValue):
        (JSC::PropertyCondition::hash):
        (JSC::PropertyCondition::operator==):
        (JSC::PropertyCondition::isHashTableDeletedValue):
        (JSC::PropertyCondition::isCompatibleWith):
        (JSC::PropertyCondition::watchingRequiresStructureTransitionWatchpoint):
        (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint):
        (JSC::PropertyConditionHash::hash):
        (JSC::PropertyConditionHash::equal):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::operator=):
        (JSC::PutByIdVariant::transition):
        (JSC::PutByIdVariant::setter):
        (JSC::PutByIdVariant::makesCalls):
        (JSC::PutByIdVariant::attemptToMerge):
        (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
        (JSC::PutByIdVariant::dumpInContext):
        (JSC::PutByIdVariant::baseStructure): Deleted.
        * bytecode/PutByIdVariant.h:
        (JSC::PutByIdVariant::PutByIdVariant):
        (JSC::PutByIdVariant::kind):
        (JSC::PutByIdVariant::structure):
        (JSC::PutByIdVariant::structureSet):
        (JSC::PutByIdVariant::oldStructure):
        (JSC::PutByIdVariant::conditionSet):
        (JSC::PutByIdVariant::offset):
        (JSC::PutByIdVariant::callLinkStatus):
        (JSC::PutByIdVariant::constantChecks): Deleted.
        (JSC::PutByIdVariant::alternateBase): Deleted.
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint):
        (JSC::StructureStubClearingWatchpoint::push):
        (JSC::StructureStubClearingWatchpoint::fireInternal):
        (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo):
        (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
        (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint):
        * bytecode/StructureStubClearingWatchpoint.h:
        (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
        (JSC::WatchpointsOnStructureStubInfo::codeBlock):
        (JSC::WatchpointsOnStructureStubInfo::stubInfo):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initPutByIdTransition):
        (JSC::StructureStubInfo::initPutByIdReplace):
        (JSC::StructureStubInfo::setSeen):
        (JSC::StructureStubInfo::addWatchpoint):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp: Added.
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::AdaptiveInferredPropertyValueWatchpoint):
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::install):
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::fire):
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::StructureWatchpoint::fireInternal):
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::PropertyWatchpoint::fireInternal):
        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h: Added.
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::key):
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::StructureWatchpoint::StructureWatchpoint):
        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::PropertyWatchpoint::PropertyWatchpoint):
        * dfg/DFGAdaptiveStructureWatchpoint.cpp: Added.
        (JSC::DFG::AdaptiveStructureWatchpoint::AdaptiveStructureWatchpoint):
        (JSC::DFG::AdaptiveStructureWatchpoint::install):
        (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
        * dfg/DFGAdaptiveStructureWatchpoint.h: Added.
        (JSC::DFG::AdaptiveStructureWatchpoint::key):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handlePutByOffset):
        (JSC::DFG::ByteCodeParser::check):
        (JSC::DFG::ByteCodeParser::promoteToConstant):
        (JSC::DFG::ByteCodeParser::planLoad):
        (JSC::DFG::ByteCodeParser::load):
        (JSC::DFG::ByteCodeParser::presenceLike):
        (JSC::DFG::ByteCodeParser::checkPresenceLike):
        (JSC::DFG::ByteCodeParser::store):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::emitChecks): Deleted.
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::validateReferences):
        * dfg/DFGCommonData.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
        (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
        (JSC::DFG::InferredValueAdaptor::add):
        (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
        (JSC::DFG::DesiredWatchpoints::DesiredWatchpoints):
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::consider):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        (JSC::DFG::DesiredWatchpoints::areStillValid):
        (JSC::DFG::DesiredWatchpoints::dumpInContext):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::SetPointerAdaptor::add):
        (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
        (JSC::DFG::SetPointerAdaptor::dumpInContext):
        (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
        (JSC::DFG::InferredValueAdaptor::dumpInContext):
        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::dumpInContext):
        (JSC::DFG::AdaptiveStructureWatchpointAdaptor::hasBeenInvalidated):
        (JSC::DFG::AdaptiveStructureWatchpointAdaptor::dumpInContext):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::isWatched):
        (JSC::DFG::GenericDesiredWatchpoints::dumpInContext):
        (JSC::DFG::DesiredWatchpoints::isWatched):
        (JSC::DFG::GenericSetAdaptor::add): Deleted.
        (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated): Deleted.
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::addLazily):
        (JSC::DFG::DesiredWeakReferences::contains):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::clearFlagsOnAllNodes):
        (JSC::DFG::Graph::watchCondition):
        (JSC::DFG::Graph::isSafeToLoad):
        (JSC::DFG::Graph::livenessFor):
        (JSC::DFG::Graph::tryGetConstantProperty):
        (JSC::DFG::Graph::visitChildren):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::identifiers):
        (JSC::DFG::Graph::watchpoints):
        * dfg/DFGMultiGetByOffsetData.cpp: Added.
        (JSC::DFG::GetByOffsetMethod::dumpInContext):
        (JSC::DFG::GetByOffsetMethod::dump):
        (JSC::DFG::MultiGetByOffsetCase::dumpInContext):
        (JSC::DFG::MultiGetByOffsetCase::dump):
        (WTF::printInternal):
        * dfg/DFGMultiGetByOffsetData.h: Added.
        (JSC::DFG::GetByOffsetMethod::GetByOffsetMethod):
        (JSC::DFG::GetByOffsetMethod::constant):
        (JSC::DFG::GetByOffsetMethod::load):
        (JSC::DFG::GetByOffsetMethod::loadFromPrototype):
        (JSC::DFG::GetByOffsetMethod::operator!):
        (JSC::DFG::GetByOffsetMethod::kind):
        (JSC::DFG::GetByOffsetMethod::prototype):
        (JSC::DFG::GetByOffsetMethod::offset):
        (JSC::DFG::MultiGetByOffsetCase::MultiGetByOffsetCase):
        (JSC::DFG::MultiGetByOffsetCase::set):
        (JSC::DFG::MultiGetByOffsetCase::method):
        * dfg/DFGNode.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::checkObjectPropertyCondition):
        (JSC::checkObjectPropertyConditions):
        (JSC::replaceWithJump):
        (JSC::generateByIdStub):
        (JSC::actionForCell):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::addStructureTransitionCheck): Deleted.
        (JSC::emitPutTransitionStubAndGetOldStructure): Deleted.
        * runtime/IntendedStructureChain.cpp: Removed.
        * runtime/IntendedStructureChain.h: Removed.
        * runtime/JSCJSValue.h:
        * runtime/JSObject.cpp:
        (JSC::throwTypeError):
        (JSC::JSObject::convertToDictionary):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/JSObject.h:
        (JSC::JSObject::flattenDictionaryObject):
        (JSC::JSObject::convertToDictionary): Deleted.
        * runtime/Operations.h:
        (JSC::normalizePrototypeChain):
        (JSC::normalizePrototypeChainForChainAccess): Deleted.
        (JSC::isPrototypeChainNormalized): Deleted.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::slotBase):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::toCacheableDictionaryTransition):
        (JSC::Structure::toUncacheableDictionaryTransition):
        (JSC::Structure::ensurePropertyReplacementWatchpointSet):
        (JSC::Structure::startWatchingPropertyForReplacements):
        (JSC::Structure::didCachePropertyReplacement):
        (JSC::Structure::dump):
        * runtime/Structure.h:
        * runtime/VM.h:
        * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check-new.js: Added.
        (foo):
        (bar):
        (baz):
        * tests/stress/multi-get-by-offset-self-or-proto.js: Added.
        (foo):
        * tests/stress/replacement-watchpoint-dictionary.js: Added.
        (foo):
        * tests/stress/replacement-watchpoint.js: Added.
        (foo):
        * tests/stress/undefined-access-dictionary-then-proto-change.js: Added.
        (foo):
        * tests/stress/undefined-access-then-proto-change.js: Added.
        (foo):

2015-08-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        JavascriptCore Crash in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool)
        https://bugs.webkit.org/show_bug.cgi?id=147538

        Reviewed by Geoffrey Garen.

        Due to the order of the ARROWFUNCTION token in JSTokenType enum, it is categorized as the one of the Keyword.
        As a result, when lexing the property name that can take the keywords, the ARROWFUNCTION token is accidentally accepted.
        This patch changes the order of the ARROWFUNCTION token in JSTokenType to make it the operator token.

        * parser/ParserTokens.h:
        * tests/stress/arrow-function-token-is-not-keyword.js: Added.
        (testSyntaxError):

2015-08-03  Keith Miller  <keith_miller@apple.com>

        Clean up the naming for AST expression generation.
        https://bugs.webkit.org/show_bug.cgi?id=147581

        Reviewed by Yusuke Suzuki.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createThisExpr):
        (JSC::ASTBuilder::createSuperExpr):
        (JSC::ASTBuilder::createNewTargetExpr):
        (JSC::ASTBuilder::thisExpr): Deleted.
        (JSC::ASTBuilder::superExpr): Deleted.
        (JSC::ASTBuilder::newTargetExpr): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createThisExpr):
        (JSC::SyntaxChecker::createSuperExpr):
        (JSC::SyntaxChecker::createNewTargetExpr):
        (JSC::SyntaxChecker::thisExpr): Deleted.
        (JSC::SyntaxChecker::superExpr): Deleted.
        (JSC::SyntaxChecker::newTargetExpr): Deleted.

2015-08-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Don't set up the callsite to operationGetByValDefault when the optimization is already done
        https://bugs.webkit.org/show_bug.cgi?id=147577

        Reviewed by Filip Pizlo.

        operationGetByValDefault should be called only when the IC is not set.
        operationGetByValString breaks this invariant and `ASSERT(!byValInfo.stubRoutine)` in
        operationGetByValDefault raises the assertion failure.
        In this patch, we change the callsite setting up code in operationGetByValString when
        the IC is already set. And to make the operation's meaning explicitly, we changed the
        name operationGetByValDefault to operationGetByValOptimize, that is aligned to the
        GetById case.

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        * tests/stress/operation-get-by-val-default-should-not-called-for-already-optimized-site.js: Added.
        (hello):

2015-08-03  Csaba Osztrogonác  <ossy@webkit.org>

        [FTL] Remove unused scripts related to native call inlining
        https://bugs.webkit.org/show_bug.cgi?id=147448

        Reviewed by Filip Pizlo.

        * build-symbol-table-index.py: Removed.
        * copy-llvm-ir-to-derived-sources.sh: Removed.
        * create-llvm-ir-from-source-file.py: Removed.
        * create-symbol-table-index.py: Removed.

2015-08-02  Benjamin Poulain  <bpoulain@apple.com>

        Investigate HashTable::HashTable(const HashTable&) and HashTable::operator=(const HashTable&) performance for hash-based static analyses
        https://bugs.webkit.org/show_bug.cgi?id=118455

        Reviewed by Filip Pizlo.

        LivenessAnalysisPhase lights up like a christmas tree in profiles.

        This patch cuts its cost by 4.
        About half of the gains come from removing many rehash() when copying
        the HashSet.
        The last quarter is achieved by having a special add() function for initializing
        a HashSet.

        This makes benchmarks progress by 1-2% here and there. Nothing massive.

        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::process):
        The m_live HashSet is only useful per block. When we are done with it,
        we can transfer it to liveAtHead to avoid a copy.

2015-08-01  Saam barati  <saambarati1@gmail.com>

        Unreviewed. Remove unintentional "print" statement in test case.
        https://bugs.webkit.org/show_bug.cgi?id=142567

        * tests/stress/class-syntax-definition-semantics.js:
        (shouldBeSyntaxError):

2015-07-31  Alex Christensen  <achristensen@webkit.org>

        Prepare for VS2015
        https://bugs.webkit.org/show_bug.cgi?id=146579

        Reviewed by Jon Honeycutt.

        * heap/Heap.h:
        Fix compiler error by explicitly casting zombifiedBits to the size of a pointer.

2015-07-31  Saam barati  <saambarati1@gmail.com>

        ES6 class syntax should use block scoping
        https://bugs.webkit.org/show_bug.cgi?id=142567

        Reviewed by Geoffrey Garen.

        We treat class declarations like we do "let" declarations.
        The class name is under TDZ until the class declaration
        statement is evaluated. Class declarations also follow
        the same rules as "let": No duplicate definitions inside
        a lexical environment.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createClassDeclStatement):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClassDeclaration):
        * tests/stress/class-syntax-block-scoping.js: Added.
        (assert):
        (truth):
        (.):
        * tests/stress/class-syntax-definition-semantics.js: Added.
        (shouldBeSyntaxError):
        (shouldNotBeSyntaxError):
        (truth):
        * tests/stress/class-syntax-tdz.js:
        (assert):
        (shouldThrowTDZ):
        (truth):
        (.):

2015-07-31  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement WebAssembly module parser
        https://bugs.webkit.org/show_bug.cgi?id=147293

        Reviewed by Mark Lam.

        Re-landing after fix for the "..\..\jsc.cpp(46): fatal error C1083: Cannot open
        include file: 'JSWASMModule.h'" issue on Windows.

        Implement WebAssembly module parser for WebAssembly files produced by pack-asmjs
        <https://github.com/WebAssembly/polyfill-prototype-1>. This patch only checks
        the magic number at the beginning of the files. Parsing of the rest will be
        implemented in a subsequent patch.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionLoadWebAssembly):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::data):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::wasmModuleStructure):
        * wasm/WASMMagicNumber.h: Added.
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASMModuleParser::WASMModuleParser):
        (JSC::WASMModuleParser::parse):
        (JSC::WASMModuleParser::parseModule):
        (JSC::parseWebAssembly):
        * wasm/WASMModuleParser.h: Added.
        * wasm/WASMReader.cpp: Added.
        (JSC::WASMReader::readUnsignedInt32):
        (JSC::WASMReader::readFloat):
        (JSC::WASMReader::readDouble):
        * wasm/WASMReader.h: Added.
        (JSC::WASMReader::WASMReader):

2015-07-30  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Add the "wasm" directory to the Additional Include Directories for jsc.exe
        https://bugs.webkit.org/show_bug.cgi?id=147443

        Reviewed by Mark Lam.

        This patch should fix the "..\..\jsc.cpp(46): fatal error C1083:
        Cannot open include file: 'JSWASMModule.h'" error in the Windows build.

        * JavaScriptCore.vcxproj/jsc/jscCommon.props:

2015-07-30  Chris Dumez  <cdumez@apple.com>

        Mark more classes as fast allocated
        https://bugs.webkit.org/show_bug.cgi?id=147440

        Reviewed by Sam Weinig.

        Mark more classes as fast allocated for performance. We heap-allocate
        objects of those types throughout the code base.

        * API/JSCallbackObject.h:
        * API/ObjCCallbackFunction.mm:
        * bytecode/BytecodeKills.h:
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/CallLinkStatus.h:
        * bytecode/FullBytecodeLiveness.h:
        * bytecode/SamplingTool.h:
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockMap.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGThreadData.h:
        * heap/HeapVerifier.h:
        * heap/SlotVisitor.h:
        * parser/Lexer.h:
        * runtime/ControlFlowProfiler.h:
        * runtime/TypeProfiler.h:
        * runtime/TypeProfilerLog.h:
        * runtime/Watchdog.h:

2015-07-29  Filip Pizlo  <fpizlo@apple.com>

        DFG::ArgumentsEliminationPhase should emit a PutStack for all of the GetStacks that the ByteCodeParser emitted
        https://bugs.webkit.org/show_bug.cgi?id=147433
        rdar://problem/21668986

        Reviewed by Mark Lam.

        Ideally, the ByteCodeParser would only emit SetArgument nodes for named arguments.  But
        currently that's not what it does - it emits a SetArgument for every argument that a varargs
        call may pass.  Each SetArgument gets turned into a GetStack.  This means that if
        ArgumentsEliminationPhase optimizes away PutStacks for those varargs arguments that didn't
        get passed or used, we get degenerate IR where we have a GetStack of something that didn't
        have a PutStack.

        This fixes the bug by removing the code to optimize away PutStacks in
        ArgumentsEliminationPhase.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * tests/stress/varargs-inlining-underflow.js: Added.
        (baz):
        (bar):
        (foo):

2015-07-29  Andy VanWagoner  <thetalecrafter@gmail.com>

        Implement basic types for ECMAScript Internationalization API
        https://bugs.webkit.org/show_bug.cgi?id=146926

        Reviewed by Benjamin Poulain.

        Adds basic types for ECMA-402 2nd edition, but does not implement the full locale-aware features yet.
        http://www.ecma-international.org/ecma-402/2.0/ECMA-402.pdf

        * CMakeLists.txt: Added new Intl files.
        * Configurations/FeatureDefines.xcconfig: Enable INTL.
        * DerivedSources.make: Added Intl files.
        * JavaScriptCore.xcodeproj/project.pbxproj: Added Intl files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added Intl files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added Intl files.
        * runtime/CommonIdentifiers.h: Added Collator, NumberFormat, and DateTimeFormat.
        * runtime/DateConstructor.cpp: Made Date.now public.
        * runtime/DateConstructor.h: Made Date.now public.
        * runtime/IntlCollator.cpp: Added.
        (JSC::IntlCollator::create):
        (JSC::IntlCollator::createStructure):
        (JSC::IntlCollator::IntlCollator):
        (JSC::IntlCollator::finishCreation):
        (JSC::IntlCollator::destroy):
        (JSC::IntlCollator::visitChildren):
        (JSC::IntlCollator::setBoundCompare):
        (JSC::IntlCollatorFuncCompare): Added placeholder implementation using codePointCompare.
        * runtime/IntlCollator.h: Added.
        (JSC::IntlCollator::constructor):
        (JSC::IntlCollator::boundCompare):
        * runtime/IntlCollatorConstructor.cpp: Added.
        (JSC::IntlCollatorConstructor::create):
        (JSC::IntlCollatorConstructor::createStructure):
        (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
        (JSC::IntlCollatorConstructor::finishCreation):
        (JSC::constructIntlCollator): Added Collator constructor (10.1.2).
        (JSC::callIntlCollator): Added Collator constructor (10.1.2).
        (JSC::IntlCollatorConstructor::getConstructData):
        (JSC::IntlCollatorConstructor::getCallData):
        (JSC::IntlCollatorConstructor::getOwnPropertySlot):
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
        (JSC::IntlCollatorConstructor::visitChildren):
        * runtime/IntlCollatorConstructor.h: Added.
        (JSC::IntlCollatorConstructor::collatorStructure):
        * runtime/IntlCollatorPrototype.cpp: Added.
        (JSC::IntlCollatorPrototype::create):
        (JSC::IntlCollatorPrototype::createStructure):
        (JSC::IntlCollatorPrototype::IntlCollatorPrototype):
        (JSC::IntlCollatorPrototype::finishCreation):
        (JSC::IntlCollatorPrototype::getOwnPropertySlot):
        (JSC::IntlCollatorPrototypeGetterCompare): Added compare getter (10.3.3)
        (JSC::IntlCollatorPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
        * runtime/IntlCollatorPrototype.h: Added.
        * runtime/IntlDateTimeFormat.cpp: Added.
        (JSC::IntlDateTimeFormat::create):
        (JSC::IntlDateTimeFormat::createStructure):
        (JSC::IntlDateTimeFormat::IntlDateTimeFormat):
        (JSC::IntlDateTimeFormat::finishCreation):
        (JSC::IntlDateTimeFormat::destroy):
        (JSC::IntlDateTimeFormat::visitChildren):
        (JSC::IntlDateTimeFormat::setBoundFormat):
        (JSC::IntlDateTimeFormatFuncFormatDateTime): Added placeholder implementation returning new Date(value).toString().
        * runtime/IntlDateTimeFormat.h: Added.
        (JSC::IntlDateTimeFormat::constructor):
        (JSC::IntlDateTimeFormat::boundFormat):
        * runtime/IntlDateTimeFormatConstructor.cpp: Added.
        (JSC::IntlDateTimeFormatConstructor::create):
        (JSC::IntlDateTimeFormatConstructor::createStructure):
        (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        (JSC::constructIntlDateTimeFormat): Added DateTimeFormat constructor (12.1.2).
        (JSC::callIntlDateTimeFormat): Added DateTimeFormat constructor (12.1.2).
        (JSC::IntlDateTimeFormatConstructor::getConstructData):
        (JSC::IntlDateTimeFormatConstructor::getCallData):
        (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot):
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
        (JSC::IntlDateTimeFormatConstructor::visitChildren):
        * runtime/IntlDateTimeFormatConstructor.h: Added.
        (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure):
        * runtime/IntlDateTimeFormatPrototype.cpp: Added.
        (JSC::IntlDateTimeFormatPrototype::create):
        (JSC::IntlDateTimeFormatPrototype::createStructure):
        (JSC::IntlDateTimeFormatPrototype::IntlDateTimeFormatPrototype):
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot):
        (JSC::IntlDateTimeFormatPrototypeGetterFormat): Added format getter (12.3.3).
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
        * runtime/IntlDateTimeFormatPrototype.h: Added.
        * runtime/IntlNumberFormat.cpp: Added.
        (JSC::IntlNumberFormat::create):
        (JSC::IntlNumberFormat::createStructure):
        (JSC::IntlNumberFormat::IntlNumberFormat):
        (JSC::IntlNumberFormat::finishCreation):
        (JSC::IntlNumberFormat::destroy):
        (JSC::IntlNumberFormat::visitChildren):
        (JSC::IntlNumberFormat::setBoundFormat):
        (JSC::IntlNumberFormatFuncFormatNumber): Added placeholder implementation returning Number(value).toString().
        * runtime/IntlNumberFormat.h: Added.
        (JSC::IntlNumberFormat::constructor):
        (JSC::IntlNumberFormat::boundFormat):
        * runtime/IntlNumberFormatConstructor.cpp: Added.
        (JSC::IntlNumberFormatConstructor::create):
        (JSC::IntlNumberFormatConstructor::createStructure):
        (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
        (JSC::IntlNumberFormatConstructor::finishCreation):
        (JSC::constructIntlNumberFormat): Added NumberFormat constructor (11.1.2).
        (JSC::callIntlNumberFormat): Added NumberFormat constructor (11.1.2).
        (JSC::IntlNumberFormatConstructor::getConstructData):
        (JSC::IntlNumberFormatConstructor::getCallData):
        (JSC::IntlNumberFormatConstructor::getOwnPropertySlot):
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
        (JSC::IntlNumberFormatConstructor::visitChildren):
        * runtime/IntlNumberFormatConstructor.h: Added.
        (JSC::IntlNumberFormatConstructor::numberFormatStructure):
        * runtime/IntlNumberFormatPrototype.cpp: Added.
        (JSC::IntlNumberFormatPrototype::create):
        (JSC::IntlNumberFormatPrototype::createStructure):
        (JSC::IntlNumberFormatPrototype::IntlNumberFormatPrototype):
        (JSC::IntlNumberFormatPrototype::finishCreation):
        (JSC::IntlNumberFormatPrototype::getOwnPropertySlot):
        (JSC::IntlNumberFormatPrototypeGetterFormat): Added format getter (11.3.3).
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
        * runtime/IntlNumberFormatPrototype.h: Added.
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::create):
        (JSC::IntlObject::finishCreation): Added Collator, NumberFormat, and DateTimeFormat properties (8.1).
        (JSC::IntlObject::visitChildren):
        * runtime/IntlObject.h:
        (JSC::IntlObject::collatorConstructor):
        (JSC::IntlObject::collatorPrototype):
        (JSC::IntlObject::collatorStructure):
        (JSC::IntlObject::numberFormatConstructor):
        (JSC::IntlObject::numberFormatPrototype):
        (JSC::IntlObject::numberFormatStructure):
        (JSC::IntlObject::dateTimeFormatConstructor):
        (JSC::IntlObject::dateTimeFormatPrototype):
        (JSC::IntlObject::dateTimeFormatStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2015-07-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r187550.
        https://bugs.webkit.org/show_bug.cgi?id=147420

        Broke Windows build (again) (Requested by smfr on #webkit).

        Reverted changeset:

        "Implement WebAssembly module parser"
        https://bugs.webkit.org/show_bug.cgi?id=147293
        http://trac.webkit.org/changeset/187550

2015-07-29  Basile Clement  <basile_clement@apple.com>

        Remove native call inlining
        https://bugs.webkit.org/show_bug.cgi?id=147417

        Rubber Stamped by Filip Pizlo.

        * CMakeLists.txt:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Deleted.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction): Deleted.
        (JSC::DFG::Node::hasCellOperand): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNativeCallOrConstruct): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::didOverflowStack): Deleted.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State): Deleted.
        * ftl/FTLState.h:
        * runtime/BundlePath.cpp: Removed.
        (JSC::bundlePath): Deleted.
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        * runtime/Options.h:

2015-07-29  Basile Clement  <basile_clement@apple.com>

        Unreviewed, skipping a test that is too complex for its own good
        https://bugs.webkit.org/show_bug.cgi?id=147167

        * tests/stress/math-pow-coherency.js:

2015-07-29  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement WebAssembly module parser
        https://bugs.webkit.org/show_bug.cgi?id=147293

        Reviewed by Mark Lam.

        Reupload the patch, since r187539 should fix the "Cannot open include file:
        'JSWASMModule.h'" issue in the Windows build.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionLoadWebAssembly):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::data):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::wasmModuleStructure):
        * wasm/WASMMagicNumber.h: Added.
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASMModuleParser::WASMModuleParser):
        (JSC::WASMModuleParser::parse):
        (JSC::WASMModuleParser::parseModule):
        (JSC::parseWebAssembly):
        * wasm/WASMModuleParser.h: Added.
        * wasm/WASMReader.cpp: Added.
        (JSC::WASMReader::readUnsignedInt32):
        (JSC::WASMReader::readFloat):
        (JSC::WASMReader::readDouble):
        * wasm/WASMReader.h: Added.
        (JSC::WASMReader::WASMReader):

2015-07-29  Basile Clement  <basile_clement@apple.com>

        Unreviewed, lower the number of test iterations to prevent timing out on Debug builds
        https://bugs.webkit.org/show_bug.cgi?id=147167

        * tests/stress/math-pow-coherency.js:

2015-07-28  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Add the "wasm" directory to Visual Studio project files
        https://bugs.webkit.org/show_bug.cgi?id=147400

        Reviewed by Simon Fraser.

        This patch should fix the "Cannot open include file: 'JSWASMModule.h'" issue
        in the Windows build.

        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/copy-files.cmd:

2015-07-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r187531.
        https://bugs.webkit.org/show_bug.cgi?id=147397

        Broke Windows bild (Requested by smfr on #webkit).

        Reverted changeset:

        "Implement WebAssembly module parser"
        https://bugs.webkit.org/show_bug.cgi?id=147293
        http://trac.webkit.org/changeset/187531

2015-07-28  Benjamin Poulain  <bpoulain@apple.com>

        Speed up the Stringifier::toJSON() fast case
        https://bugs.webkit.org/show_bug.cgi?id=147383

        Reviewed by Andreas Kling.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::toJSONImpl):

2015-07-28  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement WebAssembly module parser
        https://bugs.webkit.org/show_bug.cgi?id=147293

        Reviewed by Geoffrey Garen.

        Implement WebAssembly module parser for WebAssembly files produced by pack-asmjs
        <https://github.com/WebAssembly/polyfill-prototype-1>. This patch only checks
        the magic number at the beginning of the files. Parsing of the rest will be
        implemented in a subsequent patch.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionLoadWebAssembly):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::data):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::wasmModuleStructure):
        * wasm/WASMMagicNumber.h: Added.
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASMModuleParser::WASMModuleParser):
        (JSC::WASMModuleParser::parse):
        (JSC::WASMModuleParser::parseModule):
        (JSC::parseWebAssembly):
        * wasm/WASMModuleParser.h: Added.
        * wasm/WASMReader.cpp: Added.
        (JSC::WASMReader::readUnsignedInt32):
        (JSC::WASMReader::readFloat):
        (JSC::WASMReader::readDouble):
        * wasm/WASMReader.h: Added.
        (JSC::WASMReader::WASMReader):

2015-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Add ENABLE_ES6_MODULES compile time flag with the default value "false"
        https://bugs.webkit.org/show_bug.cgi?id=147350

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2015-07-28  Saam barati  <saambarati1@gmail.com>

        Make the type profiler work with lexical scoping and add tests
        https://bugs.webkit.org/show_bug.cgi?id=145438

        Reviewed by Geoffrey Garen.

        op_profile_type now knows how to resolve variables allocated within
        the local scope stack. This means it knows how to resolve "let"
        and "const" variables. Also, some refactoring was done inside
        the BytecodeGenerator to make writing code to support the type
        profiler much simpler and clearer.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::symbolTable): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addExceptionHandler):
        (JSC::UnlinkedCodeBlock::exceptionHandler):
        (JSC::UnlinkedCodeBlock::vm):
        (JSC::UnlinkedCodeBlock::addArrayProfile):
        (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex): Deleted.
        (JSC::UnlinkedCodeBlock::symbolTableConstantIndex): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
        (JSC::BytecodeGenerator::emitProfileType):
        (JSC::BytecodeGenerator::emitProfileControlFlow):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::EmptyLetExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * tests/typeProfiler/es6-block-scoping.js: Added.
        (noop):
        (arr):
        (wrapper.changeFoo):
        (wrapper.scoping):
        (wrapper.scoping2):
        (wrapper):
        * tests/typeProfiler/es6-classes.js: Added.
        (noop):
        (wrapper.Animal):
        (wrapper.Animal.prototype.methodA):
        (wrapper.Dog):
        (wrapper.Dog.prototype.methodB):
        (wrapper):

2015-07-28  Saam barati  <saambarati1@gmail.com>

        Implement catch scope using lexical scoping constructs introduced with "let" scoping patch
        https://bugs.webkit.org/show_bug.cgi?id=146979

        Reviewed by Geoffrey Garen.

        Now that BytecodeGenerator has a notion of local scope depth,
        we can easily implement a catch scope that doesn't claim that
        all variables are dynamically scoped. This means that functions
        that use try/catch can have local variable resolution. This also
        means that all functions that use try/catch don't have all
        their variables marked as being captured.

        Catch scopes now behave like a "let" scope (sans the TDZ logic) with a 
        single variable. Catch scopes are now just JSLexicalEnvironments and the 
        symbol table backing the catch scope knows that it corresponds to a catch scope.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::isCacheable):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::emitLoadGlobalObject):
        (JSC::BytecodeGenerator::pushLexicalScope):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::popLexicalScope):
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::resolveType):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitPopScope):
        (JSC::BytecodeGenerator::emitPopWithScope):
        (JSC::BytecodeGenerator::emitDebugHook):
        (JSC::BytecodeGenerator::popScopedControlFlowContext):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        (JSC::BytecodeGenerator::emitPopCatchScope):
        (JSC::BytecodeGenerator::beginSwitch):
        (JSC::BytecodeGenerator::emitPopWithOrCatchScope): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::lastOpcodeID):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::isCatchScope):
        (JSC::DebuggerScope::isFunctionNameScope):
        (JSC::DebuggerScope::isFunctionOrEvalScope):
        (JSC::DebuggerScope::caughtValue):
        * debugger/DebuggerScope.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::exceptionOrCaughtValue):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_push_name_scope):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_push_name_scope):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createContinueStatement):
        (JSC::ASTBuilder::createTryStatement):
        * parser/NodeConstructors.h:
        (JSC::ThrowNode::ThrowNode):
        (JSC::TryNode::TryNode):
        (JSC::FunctionParameters::FunctionParameters):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseTryStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createContinueStatement):
        (JSC::SyntaxChecker::createTryStatement):
        (JSC::SyntaxChecker::createSwitchStatement):
        (JSC::SyntaxChecker::createWhileStatement):
        (JSC::SyntaxChecker::createWithStatement):
        * runtime/JSCatchScope.cpp:
        * runtime/JSCatchScope.h:
        (JSC::JSCatchScope::JSCatchScope): Deleted.
        (JSC::JSCatchScope::create): Deleted.
        (JSC::JSCatchScope::createStructure): Deleted.
        * runtime/JSFunctionNameScope.h:
        (JSC::JSFunctionNameScope::JSFunctionNameScope):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::withScopeStructure):
        (JSC::JSGlobalObject::strictEvalActivationStructure):
        (JSC::JSGlobalObject::activationStructure):
        (JSC::JSGlobalObject::functionNameScopeStructure):
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::catchScopeStructure): Deleted.
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::toThis):
        * runtime/JSNameScope.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::toThis):
        (JSC::JSObject::isFunctionNameScopeObject):
        (JSC::JSObject::isCatchScopeObject): Deleted.
        * runtime/JSObject.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::collectVariablesUnderTDZ):
        (JSC::JSScope::isLexicalScope):
        (JSC::JSScope::isCatchScope):
        (JSC::resolveModeName):
        * runtime/JSScope.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::cloneScopePart):
        * runtime/SymbolTable.h:
        * tests/stress/const-semantics.js:
        (.):

2015-07-28  Filip Pizlo  <fpizlo@apple.com>

        DFG::ArgumentsEliminationPhase has a redundant check for inserting CheckInBounds when converting GetByVal to GetStack in the inline non-varargs case
        https://bugs.webkit.org/show_bug.cgi?id=147373

        Reviewed by Mark Lam.

        The code was doing a check for "index >= inlineCallFrame->arguments.size() - 1" in code where
        safeToGetStack is true and we aren't in varargs context, but in a non-varargs context,
        safeToGetStack can only be true if "index < inlineCallFrame->arguments.size() - 1".

        When converting a GetByVal to GetStack, there are three possibilities:

        1) Impossible to convert. This can happen if the GetByVal is out-of-bounds of the things we
           know to have stored to the stack. For example, if we inline a function that does
           "arguments[42]" at a call that passes no arguments.

        2) Possible to convert, but we cannot prove statically that the GetByVal was in bounds. This
           can happen for "arguments[42]" with no inline call frame (since we don't know statically
           how many arguments we will be passed) or in a varargs call frame.

        3) Possible to convert, and we know statically that the GetByVal is in bounds. This can
           happen for "arguments[42]" if we have an inline call frame, and it's not a varargs call
           frame, and we know that the caller passed 42 or more arguments.

        The way the phase handles this is it first determines that we're not in case (1). This is
        called safeToGetStack. safeToGetStack is true if we have case (2) or (3). For inline call
        frames that have no varargs, this means that safeToGetStack is true exactly when the GetByVal
        is in-bounds (i.e. case (3)).

        But the phase was again doing a check for whether the index is in-bounds for non-varargs
        inline call frames even when safeToGetStack was true. That check is redundant and should be
        eliminated, since it makes the code confusing.

        * dfg/DFGArgumentsEliminationPhase.cpp:

2015-07-28  Filip Pizlo  <fpizlo@apple.com>

        DFG::PutStackSinkingPhase should be more aggressive about its "no GetStack until put" rule
        https://bugs.webkit.org/show_bug.cgi?id=147371

        Reviewed by Mark Lam.

        Two fixes:

        - Make ConflictingFlush really mean that you can't load from the stack slot. This means not
          using ConflictingFlush for arguments.

        - Assert that a GetStack never sees ConflictingFlush.

        * dfg/DFGPutStackSinkingPhase.cpp:

2015-07-28  Basile Clement  <basile_clement@apple.com>

        Misleading error message: "At least one digit must occur after a decimal point"
        https://bugs.webkit.org/show_bug.cgi?id=146238

        Reviewed by Geoffrey Garen.

        Interestingly, we had a comment explaining what this error message was
        about that is much clearer than the error message itself. This patch
        simply replaces the error message with the explanation from the
        comment.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):

2015-07-28  Basile Clement  <basile_clement@apple.com>

        Simplify call linking
        https://bugs.webkit.org/show_bug.cgi?id=147363

        Reviewed by Filip Pizlo.

        Previously, we were passing both the CallLinkInfo and a
        (CodeSpecializationKind, RegisterPreservationMode) pair to the
        different call linking slow paths. However, the CallLinkInfo already
        has all of that information, and we don't gain anything by having them
        in additional static parameters - except possibly a very small
        performance gain in presence of inlining. However since those are
        already slow paths, this performance loss (if it exists) will not be
        visible in practice.

        This patch removes the various specialized thunks and JIT operations
        for regular and polymorphic call linking with a single thunk and
        operation for each case. Moreover, it removes the four specialized
        virtual call thunks and operations with one virtual call thunk for each
        call link info, allowing for better branch prediction by the CPU and
        fixing a pre-existing FIXME.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        (JSC::CallLinkInfo::dummy): Deleted.
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::registerPreservationMode):
        (JSC::CallLinkInfo::setUpCallFromFTL):
        (JSC::CallLinkInfo::setSlowStub):
        (JSC::CallLinkInfo::clearSlowStub):
        (JSC::CallLinkInfo::slowStub):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * ftl/FTLJSCallBase.cpp:
        (JSC::FTL::JSCallBase::link):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkFor): Deleted.
        (JSC::operationVirtualFor): Deleted.
        (JSC::operationLinkPolymorphicCallFor): Deleted.
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        * jit/Repatch.h:
        * jit/ThunkGenerators.cpp:
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::linkForThunkGenerator): Deleted.
        (JSC::linkConstructThunkGenerator): Deleted.
        (JSC::linkCallThatPreservesRegsThunkGenerator): Deleted.
        (JSC::linkConstructThatPreservesRegsThunkGenerator): Deleted.
        (JSC::linkPolymorphicCallForThunkGenerator): Deleted.
        (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator): Deleted.
        (JSC::virtualForThunkGenerator): Deleted.
        (JSC::virtualCallThunkGenerator): Deleted.
        (JSC::virtualConstructThunkGenerator): Deleted.
        (JSC::virtualCallThatPreservesRegsThunkGenerator): Deleted.
        (JSC::virtualConstructThatPreservesRegsThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        (JSC::linkThunkGeneratorFor): Deleted.
        (JSC::linkPolymorphicCallThunkGeneratorFor): Deleted.
        (JSC::virtualThunkGeneratorFor): Deleted.

2015-07-28  Basile Clement  <basile_clement@apple.com>

        stress/math-pow-with-constants.js fails in cloop
        https://bugs.webkit.org/show_bug.cgi?id=147167

        Reviewed by Geoffrey Garen.

        Baseline JIT, DFG and FTL are using a fast exponentiation fast path
        when computing Math.pow() with an integer exponent that is not taken in
        the LLInt (or the DFG abstract interpreter). This leads to the result
        of pow changing depending on the compilation tier or the fact that
        constant propagation kicks in, which is undesirable.

        This patch adds the fast path to the slow operationMathPow in order to
        maintain an illusion of consistency.

        * runtime/MathCommon.cpp:
        (JSC::operationMathPow):
        * tests/stress/math-pow-coherency.js: Added.
        (pow42):
        (build42AsDouble.opaqueAdd):
        (build42AsDouble):
        (powDouble42):
        (clobber):
        (pow42NoConstantFolding):
        (powDouble42NoConstantFolding):

2015-07-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Show Pseudo Elements in DOM Tree
        https://bugs.webkit.org/show_bug.cgi?id=139612

        Reviewed by Timothy Hatcher.

        * inspector/protocol/DOM.json:
        Add new properties to DOMNode if it is a pseudo element or if it has
        pseudo element children. Add new events for if a pseudo element is
        added or removed dynamically to an existing DOMNode.

2015-07-27  Filip Pizlo  <fpizlo@apple.com>

        Add logging when executable code gets deallocated
        https://bugs.webkit.org/show_bug.cgi?id=147355

        Reviewed by Mark Lam.

        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::~JITCode): Print something when this is freed.
        * jit/JITCode.cpp:
        (JSC::JITCodeWithCodeRef::~JITCodeWithCodeRef): Print something when this is freed.

2015-07-27  Filip Pizlo  <fpizlo@apple.com>

        DFG::safeToExecute() cases for GetByOffset/PutByOffset don't handle clobbered structure abstract values correctly
        https://bugs.webkit.org/show_bug.cgi?id=147354

        Reviewed by Michael Saboff.

        If m_structure.isClobbered(), it means that we had a side effect that clobbered
        the abstract value but it may recover back to its original value at the next
        invalidation point. Since the invalidation point hasn't been reached yet, we need
        to conservatively treat the clobbered state as if it was top. At the invalidation
        point, the clobbered set will return back to being unclobbered.

        In addition to fixing the bug, this introduces isInfinite(), which should be used
        in places where it's tempting to just use isTop().

        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Fix the bug.
        * dfg/DFGStructureAbstractValue.cpp:
        (JSC::DFG::StructureAbstractValue::contains): Switch to using isInfinite().
        (JSC::DFG::StructureAbstractValue::isSubsetOf): Switch to using isInfinite().
        (JSC::DFG::StructureAbstractValue::isSupersetOf): Switch to using isInfinite().
        (JSC::DFG::StructureAbstractValue::overlaps): Switch to using isInfinite().
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::isFinite): New convenience method.
        (JSC::DFG::StructureAbstractValue::isInfinite): New convenience method.
        (JSC::DFG::StructureAbstractValue::onlyStructure): Switch to using isInfinite().

2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Reflect.enumerate
        https://bugs.webkit.org/show_bug.cgi?id=147347

        Reviewed by Sam Weinig.

        This patch implements Reflect.enumerate.
        It returns the iterator that iterates the enumerable keys of the given object.
        It follows the for-in's enumeration order.

        To implement it, we write down the same logic to the for-in's enumeration code in C++.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::propertyNameIteratorStructure):
        * runtime/JSPropertyNameIterator.cpp: Added.
        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
        (JSC::JSPropertyNameIterator::clone):
        (JSC::JSPropertyNameIterator::create):
        (JSC::JSPropertyNameIterator::finishCreation):
        (JSC::JSPropertyNameIterator::visitChildren):
        (JSC::JSPropertyNameIterator::next):
        (JSC::propertyNameIteratorFuncNext):
        * runtime/JSPropertyNameIterator.h: Added.
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectEnumerate):
        * tests/stress/reflect-enumerate.js: Added.
        (shouldBe):
        (shouldThrow):

2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Reflect.preventExtensions
        https://bugs.webkit.org/show_bug.cgi?id=147331

        Reviewed by Sam Weinig.

        Implement Reflect.preventExtensions.
        This is different from Object.preventExensions.

        1. When preventExtensions is called onto the non-object, it raises the TypeError.
        2. Reflect.preventExtensions does not raise the TypeError when the preventExtensions operation is failed.

        For the (2) case, since there is no Proxy implementation currently, Reflect.preventExtensions always succeed.

        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectPreventExtensions):
        * tests/stress/reflect-prevent-extensions.js: Added.
        (shouldBe):
        (shouldThrow):

2015-07-27  Alex Christensen  <achristensen@webkit.org>

        Use Ninja on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=147228

        Reviewed by Martin Robinson.

        * CMakeLists.txt:
        Set the working directory when generating LowLevelInterpreterWin.asm to put LowLevelInterpreterWin.asm.sym in the right place.

2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        SparseValueMap check is skipped when the butterfly's vectorLength is larger than the access-requested index
        https://bugs.webkit.org/show_bug.cgi?id=147265

        Reviewed by Geoffrey Garen.

        JSObject's vector holds the indexed values and we leverage it to represent stored values and holes.
        By checking that the given index is in-bound of the vector's length, we can look up the property fast.
        And for the sparse array, we have also the separated SparseValueMap to hold the pairs.
        And we need to take care that the length of the vector should not overlap the indices stored in the SparseValueMap.

        The vector only holds the pure JS values to avoid additional checking for accessors when looking up the value
        from the vector. To achieve this, we also store the accessors (and attributed properties) to SparseValueMap
        even the index is less than MIN_SPARSE_ARRAY_INDEX.

        As a result, if the length of the vector overlaps the indices of the accessors stored in the SparseValueMap,
        we accidentally skip the phase looking up from the SparseValueMap. Instead, we just load from the vector and
        if the loaded value is an array hole, we decide the given object does not have the value for the given index.

        This patch fixes the problem.
        When defining the attributed value that index is smaller than the length of the vector, we throw away the vector
        and change the object to DictionaryIndexingMode. Since we can assume that indexed accessors rarely exist in
        practice, we expect this does not hurt the performance while keeping the fast property access system without
        checking the sparse map.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        * tests/stress/sparse-map-non-overlapping.js: Added.
        (shouldBe):
        (testing):
        (object.get 1000):
        * tests/stress/sparse-map-non-skip-getter-overriding.js: Added.
        (shouldBe):
        (obj.get 1):
        (testing):
        * tests/stress/sparse-map-non-skip.js: Added.
        (shouldBe):
        (testing):
        (testing2):
        (.get for):

2015-07-27  Saam barati  <saambarati1@gmail.com>

        Reduce execution time for "let" and "const" tests
        https://bugs.webkit.org/show_bug.cgi?id=147291

        Reviewed by Geoffrey Garen.

        We don't need to loop so many times for things that will not make it 
        into the DFG.  Also, we can loop a lot less for almost all the tests 
        because they're mostly testing the bytecode generator.

        * tests/stress/const-and-with-statement.js:
        * tests/stress/const-exception-handling.js:
        * tests/stress/const-loop-semantics.js:
        * tests/stress/const-not-strict-mode.js:
        * tests/stress/const-semantics.js:
        * tests/stress/const-tdz.js:
        * tests/stress/lexical-let-and-with-statement.js:
        * tests/stress/lexical-let-exception-handling.js:
        (assert):
        * tests/stress/lexical-let-loop-semantics.js:
        (assert):
        (shouldThrowTDZ):
        (.):
        * tests/stress/lexical-let-not-strict-mode.js:
        * tests/stress/lexical-let-semantics.js:
        (.):
        * tests/stress/lexical-let-tdz.js:
        (shouldThrowTDZ):
        (.):

2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Rename PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols
        https://bugs.webkit.org/show_bug.cgi?id=147311

        Reviewed by Sam Weinig.

        To make the meaning clear in the user side (PropertyNameArray array(exec, PropertyNameMode::StringsAndSymbols)),
        this patch renames PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols.

        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/EnumerationMode.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ownEnumerablePropertyKeys):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::ownPropertyKeys):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectOwnKeys):

2015-07-27  Saam barati  <saambarati1@gmail.com>

        Added a comment explaining that all "addVar()"s should happen before
        emitting bytecode for a function's default parameter expressions