[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2015-04-07  Filip Pizlo  <fpizlo@apple.com>

        Constant folding of typed array properties should be handled by AI rather than strength reduction
        https://bugs.webkit.org/show_bug.cgi?id=143496

        Reviewed by Geoffrey Garen.
        
        Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
        phase and whatever other phase did the folding in order to find all constants.
        
        This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
        directly.
        
        This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
        found because all of the tests for it involved the property getting constant folded. I found that
        the codegen was bad because an earlier version of the patch broke that constant folding. This
        adds a new test for that node type, which makes constant folding impossible by allocating a new
        typed array every type. The lesson here is: if you write a test for something, run the test with
        full IR dumps to make sure it's actually testing the thing you want it to test.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::tryGetFoldableView):
        (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasTypedArray): Deleted.
        (JSC::DFG::Node::typedArray): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
        (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
        * tests/stress/fold-typed-array-properties.js:
        (foo):
        * tests/stress/typed-array-byte-offset.js: Added.
        (foo):

2015-04-07  Matthew Mirman  <mmirman@apple.com>

        Source and stack information should get appended only to native errors
        and should be added directly after construction rather than when thrown. 
        This fixes frozen objects being unfrozen when thrown while conforming to 
        ecma script standard and other browser behavior.
        rdar://problem/19927293
        https://bugs.webkit.org/show_bug.cgi?id=141871
        
        Reviewed by Geoffrey Garen.

        Appending stack, source, line, and column information to an object whenever that object is thrown 
        is incorrect because it violates the ecma script standard for the behavior of throw.  Suppose for example
        that the object being thrown already has one of these properties or is frozen.  Adding the properties 
        would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
        and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
        a control flow construct rather than just an error reporting mechanism.  
        
        Because WebCore adds "native" errors which do not inherit from any JSC native error, 
        appending the error properties as a seperate call after construction of the error is required 
        to avoid having to manually truncate the stack and gather local source information due to 
        the stack being extended by a nested call to construct one of the native jsc error.
        
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * interpreter/Interpreter.h:
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::createError):
        (JSC::createEvalError):
        (JSC::createRangeError):
        (JSC::createReferenceError):
        (JSC::createSyntaxError):
        (JSC::createTypeError):
        (JSC::createNotEnoughArgumentsError):
        (JSC::createURIError):
        (JSC::createOutOfMemoryError):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
        (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
        (JSC::addErrorInfo): Added special case for appending complete error info 
        to a newly constructed error object.
        * runtime/Error.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/ErrorInstance.cpp:
        (JSC::appendSourceToError): Moved from VM.cpp
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
        (JSC::addErrorInfoAndGetBytecodeOffset):
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ExceptionFuzz.cpp:
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createError):
        (JSC::createInvalidFunctionApplyParameterError):
        (JSC::createInvalidInParameterError):
        (JSC::createInvalidInstanceofParameterError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        (JSC::throwOutOfMemoryError):
        (JSC::createStackOverflowError): Deleted.
        (JSC::createOutOfMemoryError): Deleted.
        * runtime/ExceptionHelpers.h:
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::create):
        (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        (JSC::Interpreter::callNativeErrorConstructor):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        (JSC::appendSourceToError): Moved to Error.cpp
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
        * tests/stress/freeze_leek.js: Added.

2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ES6: Show Symbol properties on Objects
        https://bugs.webkit.org/show_bug.cgi?id=141279

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Runtime.json:
        Give PropertyDescriptor a reference to the Symbol RemoteObject
        if the property is a symbol property.

        * inspector/InjectedScriptSource.js:
        Enumerate symbol properties on objects.

2015-04-07  Filip Pizlo  <fpizlo@apple.com>

        Make it possible to enable LLVM FastISel
        https://bugs.webkit.org/show_bug.cgi?id=143489

        Reviewed by Michael Saboff.

        The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
        against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
        if we should enable it.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVMImpl):
        * llvm/InitializeLLVM.h:
        * llvm/InitializeLLVMLinux.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/InitializeLLVMMac.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::getLLVMInitializerFunctionPOSIX):
        (JSC::initializeLLVMPOSIX): Deleted.
        * llvm/InitializeLLVMPOSIX.h:
        * llvm/InitializeLLVMWin.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/LLVMAPI.cpp:
        * llvm/LLVMAPI.h:
        * llvm/library/LLVMExports.cpp:
        (initCommandLine):
        (initializeAndGetJSCLLVMAPI):
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
        https://bugs.webkit.org/show_bug.cgi?id=140426

        Reviewed by Darin Adler.

        In the put_by_val_direct operation, we use JSObject::putDirect.
        However, it only accepts non-index property. For index property, we need to use JSObject::putDirectIndex.
        This patch checks toString-ed Identifier is index or not to choose putDirect / putDirectIndex.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Identifier.h:
        (JSC::isIndex):
        (JSC::parseIndex):
        * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
        (lookupWithKey):
        (toStringThrowsError.toString):

2015-04-06  Alberto Garcia  <berto@igalia.com>

        [GTK] Fix HPPA build
        https://bugs.webkit.org/show_bug.cgi?id=143453

        Reviewed by Darin Adler.

        Add HPPA to the list of supported CPUs.

        * CMakeLists.txt:

2015-04-06  Mark Lam  <mark.lam@apple.com>

        In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
        <https://webkit.org/b/143396>

        Reviewed by Filip Pizlo.

        The DFG was neglecting to set the result boolean.  The FTL was setting it with
        an inverted value.  Both of these are now resolved.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
        * tests/stress/for-in-array-mode.js: Added.
        (.):
        (test):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
        https://bugs.webkit.org/show_bug.cgi?id=143424

        Reviewed by Geoffrey Garen.

        In ES6, StringConstructor behavior becomes different from ToString abstract operations in the spec. (and JSValue::toString).

        ToString(symbol) throws a type error.
        However, String(symbol) produces SymbolDescriptiveString(symbol).

        So, in DFG and FTL phase, they should not inline StringConstructor to ToString.

        Now, in the template literals patch, ToString DFG operation is planned to be used.
        And current ToString behavior is aligned to the spec (and JSValue::toString) and it's better.
        So intead of changing ToString behavior, this patch adds CallStringConstructor operation into DFG and FTL.
        In CallStringConstructor, all behavior in DFG analysis is the same.
        Only the difference from ToString is, when calling DFG operation functions, it calls
        operationCallStringConstructorOnCell and operationCallStringConstructor instead of
        operationToStringOnCell and operationToString.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        (JSC::DFG::FixupPhase::fixupToString): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
        (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
        * runtime/StringConstructor.cpp:
        (JSC::stringConstructor):
        (JSC::callStringConstructor):
        * runtime/StringConstructor.h:
        * tests/stress/symbol-and-string-constructor.js: Added.
        (performString):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Return Optional<uint32_t> from PropertyName::asIndex
        https://bugs.webkit.org/show_bug.cgi?id=143422

        Reviewed by Darin Adler.

        PropertyName::asIndex returns uint32_t and use UINT_MAX as NotAnIndex.
        But it's not obvious to callers.

        This patch changes
        1. PropertyName::asIndex() to return Optional<uint32_t> and
        2. function name `asIndex()` to `parseIndex()`.
        It forces callers to check the value is index or not explicitly.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStubAndGetOldStructure):
        * jsc.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/Identifier.h:
        (JSC::parseIndex):
        (JSC::Identifier::isSymbol):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/PropertyName.h:
        (JSC::parseIndex):
        (JSC::toUInt32FromCharacters): Deleted.
        (JSC::toUInt32FromStringImpl): Deleted.
        (JSC::PropertyName::asIndex): Deleted.
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):

2015-04-05  Andreas Kling  <akling@apple.com>

        URI encoding/escaping should use efficient string building instead of calling snprintf().
        <https://webkit.org/b/143426>

        Reviewed by Gavin Barraclough.

        I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
        which seemed pretty silly. This change gets that down to nothing in favor of using our
        existing JSStringBuilder and HexNumber.h facilities.

        These APIs are well-exercised by our existing test suite.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::globalFuncEscape):

2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>

        documentation for ES Promises points to the wrong one
        https://bugs.webkit.org/show_bug.cgi?id=143263

        Reviewed by Darin Adler.

        * features.json:

2015-04-05  Simon Fraser  <simon.fraser@apple.com>

        Remove "go ahead and" from comments
        https://bugs.webkit.org/show_bug.cgi?id=143421

        Reviewed by Darin Adler, Benjamin Poulain.

        Remove the phrase "go ahead and" from comments where it doesn't add
        anything (which is almost all of them).

        * interpreter/JSStack.cpp:
        (JSC::JSStack::growSlowCase):

2015-04-04  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done.)

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement ES6 Object.getOwnPropertySymbols
        https://bugs.webkit.org/show_bug.cgi?id=141106

        Reviewed by Geoffrey Garen.

        This patch implements `Object.getOwnPropertySymbols`.
        One technical issue is that, since we use private symbols (such as `@Object`) in the
        privileged JS code in `builtins/`, they should not be exposed.
        To distinguish them from the usual symbols, check the target `StringImpl*` is a not private name
        before adding it into PropertyNameArray.

        To check the target `StringImpl*` is a private name, we leverage privateToPublic map in `BuiltinNames`
        since all private symbols are held in this map.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::isPrivateName):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::isPrivateName):
        * runtime/CommonIdentifiers.h:
        * runtime/EnumerationMode.h:
        (JSC::EnumerationMode::EnumerationMode):
        (JSC::EnumerationMode::includeSymbolProperties):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        (JSC::objectConstructorGetOwnPropertySymbols):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-get-own-property-symbols.js: Added.
        (forIn):
        * tests/stress/symbol-define-property.js: Added.
        (testSymbol):
        * tests/stress/symbol-seal-and-freeze.js: Added.
        * tests/stress/symbol-with-json.js: Added.

2015-04-03  Mark Lam  <mark.lam@apple.com>

        Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
        <https://webkit.org/b/143385>

        Reviewed by Geoffrey Garen.

        For debugging purposes, sometimes, we want to be able to make compilation happen
        sooner to see if we can accelerate the manifestation of certain events / bugs.
        Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
        which make up the compilation policy.  Let's add a single knob that can tune all
        the thresholds up / down in one go proportionately so that we can easily tweak
        how soon compilation occurs.

        * runtime/Options.cpp:
        (JSC::scaleJITPolicy):
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        is* API methods should be @properties
        https://bugs.webkit.org/show_bug.cgi?id=143388

        Reviewed by Mark Lam.

        This appears to be the preferred idiom in WebKit, CA, AppKit, and
        Foundation.

        * API/JSValue.h: Be @properties.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Use the @properties.

2015-04-03  Mark Lam  <mark.lam@apple.com>

        Some JSC Options refactoring and enhancements.
        <https://webkit.org/b/143384>

        Rubber stamped by Benjamin Poulain.

        Create a better encapsulated Option class to make working with options easier.  This
        is a building block towards a JIT policy scaling debugging option I will introduce later.

        This work entails:
        1. Convert Options::Option into a public class Option (who works closely with Options).
        2. Convert Options::EntryType into an enum class Options::Type and make it public.
        3. Renamed Options::OPT_<option name> to Options::<option name>ID because it reads better.
        4. Add misc methods to class Option to make it more useable.

        * runtime/Options.cpp:
        (JSC::Options::dumpOption):
        (JSC::Option::dump):
        (JSC::Option::operator==):
        (JSC::Options::Option::dump): Deleted.
        (JSC::Options::Option::operator==): Deleted.
        * runtime/Options.h:
        (JSC::Option::Option):
        (JSC::Option::operator!=):
        (JSC::Option::name):
        (JSC::Option::description):
        (JSC::Option::type):
        (JSC::Option::isOverridden):
        (JSC::Option::defaultOption):
        (JSC::Option::boolVal):
        (JSC::Option::unsignedVal):
        (JSC::Option::doubleVal):
        (JSC::Option::int32Val):
        (JSC::Option::optionRangeVal):
        (JSC::Option::optionStringVal):
        (JSC::Option::gcLogLevelVal):
        (JSC::Options::Option::Option): Deleted.
        (JSC::Options::Option::operator!=): Deleted.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
        is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
        is equal to 101100.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
        Added a comment explaining why.

2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>

        FTL JIT tests should fail if LLVM library isn't available
        https://bugs.webkit.org/show_bug.cgi?id=143374

        Reviewed by Mark Lam.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * runtime/Options.h:

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Fix the EFL and GTK build after r182243
        https://bugs.webkit.org/show_bug.cgi?id=143361

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt: InspectorBackendCommands.js is generated in the
        DerivedSources/JavaScriptCore/inspector/ directory.

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed, fixing Clang builds of the GTK port on Linux.

        * runtime/Options.cpp:
        Include the <math.h> header for isnan().

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Enhance ability to dump JSC Options.
        <https://webkit.org/b/143357>

        Reviewed by Benjamin Poulain.

        Some enhancements to how the JSC options work:

        1. Add a JSC_showOptions option which take values: 0 = None, 1 = Overridden only,
           2 = All, 3 = Verbose.

           The default is 0 (None).  This dumps nothing.
           With the Overridden setting, at VM initialization time, we will dump all
           option values that have been changed from their default.
           With the All setting, at VM initialization time, we will dump all option values.
           With the Verbose setting, at VM initialization time, we will dump all option
           values along with their descriptions (if available).

        2. We now store a copy of the default option values.

           We later use this for comparison to tell if an option has been overridden, and
           print the default value for reference.  As a result, we no longer need the
           didOverride flag since we can compute whether the option is overridden at any time.

        3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).

           This will come in handy later when we want to rename some of the options to more sane
           names that are easier to remember.  For example, we can change
           Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
           Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
           of the description, we can afford to use shorter and less descriptive option names,
           but they will be easier to remember and use for day to day debugging work.

           In this patch, I did not change the names of any of the options yet.  I only added
           description strings for options that I know about, and where I think the option name
           isn't already descriptive enough.

        4. Also deleted some unused code.

        * jsc.cpp:
        (CommandLine::parseArguments):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        (JSC::Options::setOption):
        (JSC::Options::dumpAllOptions):
        (JSC::Options::dumpOption):
        (JSC::Options::Option::dump):
        (JSC::Options::Option::operator==):
        * runtime/Options.h:
        (JSC::OptionRange::rangeString):
        (JSC::Options::Option::Option):
        (JSC::Options::Option::operator!=):

2015-04-02  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.

        * API/JSValue.h:
        * API/JSValue.mm:
        (-[JSValue isArray]):
        (-[JSValue isDate]): Added an ObjC API.

        * API/JSValueRef.cpp:
        (JSValueIsArray):
        (JSValueIsDate):
        * API/JSValueRef.h: Added a C API.

        * API/WebKitAvailability.h: Brought our availability macros up to date
        and fixed a harmless bug where "10_10" translated to "10.0".

        * API/tests/testapi.c:
        (main): Added a test and corrected a pre-existing leak.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Added a test.

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Add Options::dumpSourceAtDFGTime().
        <https://webkit.org/b/143349>

        Reviewed by Oliver Hunt, and Michael Saboff.

        Sometimes, we will want to see the JS source code that we're compiling, and it
        would be nice to be able to do this without having to jump thru a lot of hoops.
        So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
        Options::dumpBytecodeAtDFGTime() option.

        Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
        that explicitly take no arguments (instead of relying on the version that takes
        the default argument).  These versions are friendlier to use when we want to call
        them from an interactive debugging session.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpSource):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * runtime/Options.h:

2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up EnumerationMode to easily extend
        https://bugs.webkit.org/show_bug.cgi?id=143276

        Reviewed by Geoffrey Garen.

        To make the followings easily,
        1. Adding new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
        2. Make ExcludeSymbols implicitly default for the existing flags
        we encapsulate EnumerationMode flags into EnumerationMode class.

        And this class manages 2 flags. Later it will be extended to 3.
        1. DontEnumPropertiesMode (default is Exclude)
        2. JSObjectPropertiesMode (default is Include)
        3. SymbolPropertiesMode (default is Exclude)
            SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.

        This patch replaces places using ExcludeDontEnumProperties
        to EnumerationMode() value which represents default mode.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/EnumerationMode.h:
        (JSC::EnumerationMode::EnumerationMode):
        (JSC::EnumerationMode::includeDontEnumProperties):
        (JSC::EnumerationMode::includeJSObjectProperties):
        (JSC::shouldIncludeDontEnumProperties): Deleted.
        (JSC::shouldExcludeDontEnumProperties): Deleted.
        (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
        (JSC::modeThatSkipsJSObject): Deleted.
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::getGenericPropertyNames):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnNonIndexPropertyNames):
        (JSC::RegExpObject::getPropertyNames):
        (JSC::RegExpObject::getGenericPropertyNames):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertyNames):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):

2015-04-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Windows and Mac.
        https://bugs.webkit.org/show_bug.cgi?id=143293

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Enabled using assembly on Windows.
        Replaced unix commands with CMake commands.
        * PlatformMac.cmake:
        Tell open source builders where to find unicode headers.

2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        IteratorClose should be called when jumping over the target for-of loop
        https://bugs.webkit.org/show_bug.cgi?id=143140

        Reviewed by Geoffrey Garen.

        This patch fixes labeled break/continue behaviors with for-of and iterators.

        1. Support IteratorClose beyond multiple loop contexts
        Previously, IteratorClose is only executed in for-of's breakTarget().
        However, this misses IteratorClose execution when statement roll-ups multiple control flow contexts.
        For example,
        outer: for (var e1 of outer) {
            inner: for (var e2 of inner) {
                break outer;
            }
        }
        In this case, return method of inner should be called.
        We leverage the existing system for `finally` to execute inner.return method correctly.
        Leveraging `finally` system fixes `break`, `continue` and `return` cases.
        `throw` case is already supported by emitting try-catch handlers in for-of.

        2. Incorrect LabelScope creation is done in ForOfNode
        ForOfNode creates duplicated LabelScope.
        It causes infinite loop when executing the following program that contains
        explicitly labeled for-of loop.
        For example,
        inner: for (var elm of array) {
            continue inner;
        }

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyContext):
        (JSC::BytecodeGenerator::pushIteratorCloseContext):
        (JSC::BytecodeGenerator::popFinallyContext):
        (JSC::BytecodeGenerator::popIteratorCloseContext):
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorClose):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForOfNode::emitBytecode):
        * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
        (createIterator.iterator.return):
        (createIterator):
        * tests/stress/raise-error-in-iterator-close.js: Added.
        (createIterator.iterator.return):
        (createIterator):

2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Symbol.unscopables
        https://bugs.webkit.org/show_bug.cgi?id=142829

        Reviewed by Geoffrey Garen.

        This patch introduces Symbol.unscopables functionality.
        In ES6, some generic names (like keys, values) are introduced
        as Array's method name. And this breaks the web since some web sites
        use like the following code.

        var values = ...;
        with (array) {
            values;  // This values is trapped by array's method "values".
        }

        To fix this, Symbol.unscopables introduces blacklist
        for with scope's trapping. When resolving scope,
        if name is found in the target scope and the target scope is with scope,
        we check Symbol.unscopables object to filter generic names.

        This functionality is only active for with scopes.
        Global scope does not have unscopables functionality.

        And since
        1) op_resolve_scope for with scope always return Dynamic resolve type,
        2) in that case, JSScope::resolve is always used in JIT and LLInt,
        3) the code which contains op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
        to implement this functionality, we just change JSScope::resolve and no need to change JIT code.
        So performance regression is only visible in Dynamic resolving case, and it is already much slow.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::runtimeFlags):
        * runtime/JSScope.cpp:
        (JSC::isUnscopable):
        (JSC::JSScope::resolve):
        * runtime/JSScope.h:
        (JSC::ScopeChainIterator::scope):
        * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
        (test):
        * tests/stress/unscopables.js: Added.
        (test):
        (.):

2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 class syntax should allow static setters and getters
        https://bugs.webkit.org/show_bug.cgi?id=143180

        Reviewed by Filip Pizlo

        Apparently I misread the spec when I initially implemented parseClass.
        ES6 class syntax allows static getters and setters so just allow that.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-03-31  Filip Pizlo  <fpizlo@apple.com>

        PutClosureVar CSE def() rule has a wrong base
        https://bugs.webkit.org/show_bug.cgi?id=143280

        Reviewed by Michael Saboff.
        
        I think that this code was incorrect in a benign way, since the base of a
        PutClosureVar is not a JS-visible object. But it was preventing some optimizations.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182200.
        https://bugs.webkit.org/show_bug.cgi?id=143279

        Probably causing assertion extravaganza on bots. (Requested by
        kling on #webkit).

        Reverted changeset:

        "Logically empty WeakBlocks should not pin down their
        MarkedBlocks indefinitely."
        https://bugs.webkit.org/show_bug.cgi?id=143210
        http://trac.webkit.org/changeset/182200

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up Identifier factories to clarify the meaning of StringImpl*
        https://bugs.webkit.org/show_bug.cgi?id=143146

        Reviewed by Filip Pizlo.

        In the a lot of places, `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
        However, it's ambiguous because `StringImpl*` has 2 different meanings.
        1) normal string, it is replacable with `WTFString` and
        2) `uid`, which holds `isSymbol` information to represent Symbols.
        So we dropped Identifier constructors for strings and instead, introduced 2 factory functions.
        + `Identifier::fromString(VM*/ExecState*, const String&)`.
        Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
        + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
        This function is used for 2) `uid`. So symbol-ness of `StringImpl*` is kept.

        And to clean up `StringImpl` which is used as uid,
        we introduce `StringKind` into `StringImpl`. There's 3 kinds
        1. StringNormal (non-atomic, non-symbol)
        2. StringAtomic (atomic, non-symbol)
        3. StringSymbol (non-atomic, symbol)
        They are mutually exclusive. And (atomic, symbol) case should not exist.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        (JSC::BytecodeGenerator::emitEnumeration):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::addFunction):
        (GlobalObject::addConstructableFunction):
        (functionRun):
        (runWithScripts):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::createBindingPattern):
        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
        (JSC::IdentifierArena::makeNumericIdentifier):
        * runtime/ArgumentsIteratorPrototype.cpp:
        (JSC::ArgumentsIteratorPrototype::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncPush):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::hasErrorInfo):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/Identifier.h:
        (JSC::Identifier::isSymbol):
        (JSC::Identifier::Identifier):
        (JSC::Identifier::from): Deleted.
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::Identifier):
        (JSC::Identifier::fromUid):
        (JSC::Identifier::fromString):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        (JSC::makeIdentifier):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncRace):
        (JSC::JSPromiseConstructorFuncAll):
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::makeIdentifier):
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::addKnownUnique):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/SymbolConstructor.cpp:
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):

2015-03-31  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done.)

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
        https://bugs.webkit.org/show_bug.cgi?id=142883

        Reviewed by Filip Pizlo.

        The crash was caused by eval inside the constructor of a derived class not checking TDZ.

        Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
        in eval inside a derived class' constructor.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::getSlow):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::thisExpr):
        * parser/NodeConstructors.h:
        (JSC::ThisNode::ThisNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::thisExpr):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        * runtime/Executable.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
        * tests/stress/class-syntax-tdz-in-eval.js: Added.

2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182186.
        https://bugs.webkit.org/show_bug.cgi?id=143270

        it crashes all the WebGL tests on the Debug bots (Requested by
        dino on #webkit).

        Reverted changeset:

        "Web Inspector: add 2D/WebGL canvas instrumentation
        infrastructure"
        https://bugs.webkit.org/show_bug.cgi?id=137278
        http://trac.webkit.org/changeset/182186

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
        https://bugs.webkit.org/show_bug.cgi?id=142937

        Reviewed by Darin Adler.

        In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
        In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
        But now, several functions perform ToObject onto a non-object parameter.
        And others behaves as if a parameter is a non-extensible ordinary object with no own properties.
        It is described in ES6 Annex E.
        Functions different from ES5 are following.

        1. An attempt is make to coerce the argument using ToObject.
            Object.getOwnPropertyDescriptor
            Object.getOwnPropertyNames
            Object.getPrototypeOf
            Object.keys

        2. Treated as if it was a non-extensible ordinary object with no own properties.
            Object.freeze
            Object.isExtensible
            Object.isFrozen
            Object.isSealed
            Object.preventExtensions
            Object.seal

        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        * tests/stress/object-freeze-accept-non-object.js: Added.
        * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
        (canary):
        * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
        * tests/stress/object-is-extensible-accept-non-object.js: Added.
        * tests/stress/object-is-frozen-accept-non-object.js: Added.
        * tests/stress/object-is-sealed-accept-non-object.js: Added.
        * tests/stress/object-keys-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
        * tests/stress/object-seal-accept-non-object.js: Added.

2015-03-31  Matt Baker  <mattbaker@apple.com>

        Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
        https://bugs.webkit.org/show_bug.cgi?id=137278

        Reviewed by Timothy Hatcher.

        Added Canvas protocol which defines types used by InspectorCanvasAgent.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/Canvas.json: Added.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.

2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>

        Extending null should set __proto__ to null
        https://bugs.webkit.org/show_bug.cgi?id=142882

        Reviewed by Geoffrey Garen and Benjamin Poulain.

        Set Derived.prototype.__proto__ to null when extending null.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):

2015-03-30  Mark Lam  <mark.lam@apple.com>

        REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
        <https://webkit.org/b/143105>

        Reviewed by Filip Pizlo.

        With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
        on OSR exits from DFG / FTL frames where this elision has take place, we may get baseline
        JIT frames that may have its scope register not set.  The Debugger's current implementation
        which relies on the scope register is not happy about this.  For example, this results in a
        crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.

        The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
        ensure that the scope register value is flushed to the register in the stack frame.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::flush):
        - Add code to flush the scope register.
        (JSC::DFG::ByteCodeParser::inliningCost):
        - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
          disabling inlining whenever the debugger is in use.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasDebuggerEnabled):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.

2015-03-30  Michael Saboff  <msaboff@apple.com>

        Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=138391

        Reviewed by Mark Lam.

        Re-enabling these tests as I can't get them to fail on local iOS test devices.
        There have been many changes since these tests were disabled.
        I'll watch automated test results for failures.  If there are failures running automated
        testing, it might be due to the device's relative CPU performance.
        
        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Regression: Preview for [[null]] shouldn't be []
        https://bugs.webkit.org/show_bug.cgi?id=143208

        Reviewed by Mark Lam.

        * inspector/InjectedScriptSource.js:
        Handle null when generating simple object previews.

2015-03-30  Per Arne Vollan  <peavo@outlook.com>

        Avoid using hardcoded values for JSValue::Int32Tag, if possible.
        https://bugs.webkit.org/show_bug.cgi?id=143134

        Reviewed by Geoffrey Garen.

        * jit/JSInterfaceJIT.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2015-03-30  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
        https://bugs.webkit.org/show_bug.cgi?id=143104

        Reviewed by Geoffrey Garen.
        
        Created a test that is a 100% repro of the flaky failure. This test is called
        get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
        always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
        the inlined function. Other than that, it's the same as inline-arguments-local-escape.
        
        Also created three more tests for three similar, but not identical, failures.
        
        Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
        only reading those parts of the stack that are relevant to the current semantic code origin.
        That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
        like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
        read parts of the stack associated with the inline call frame for the phantom arguments. This
        may not be subsumed by the current semantic origin's stack area in cases that the arguments
        were allowed to "locally" escape.
        
        The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
        is not really a meaningful concept anymore. It is only meaningful for nodes that will read
        the stack due to function.arguments, but there are a bunch of other ways that we could also
        read the stack and those operations may read any stack slot. I believe that this change makes
        PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
        on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
        readTop() in PreciseLocalClobberize does the right thing.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
        * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.

2015-03-30  Benjamin Poulain  <benjamin@webkit.org>

        Start the features.json files
        https://bugs.webkit.org/show_bug.cgi?id=143207

        Reviewed by Darin Adler.

        Start the features.json files to have something to experiment
        with for the UI.

        * features.json: Added.

2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>

        [Win] Addresing post-review comment after r182122
        https://bugs.webkit.org/show_bug.cgi?id=143189

        Unreviewed.

2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>

        [Win] Allow building JavaScriptCore without Cygwin
        https://bugs.webkit.org/show_bug.cgi?id=143189

        Reviewed by Brent Fulgham.

        Paths like /usr/bin/ don't exist on Windows.
        Hashbangs don't work on Windows. Instead we must explicitly call the executable.
        Prefixing commands with environment variables doesn't work on Windows.
        Windows doesn't have 'cmp'
        Windows uses 'del' instead of 'rm'
        Windows uses 'type NUL' intead of 'touch'

        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
        * JavaScriptCore.vcxproj/build-generated-files.pl:
        * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.

2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>

        Clean up JavaScriptCore/builtins
        https://bugs.webkit.org/show_bug.cgi?id=143177

        Reviewed by Ryosuke Niwa.

        * builtins/ArrayConstructor.js:
        (from):
        - We can compare to undefined instead of using a typeof undefined check.
        - Converge on double quoted strings everywhere.

        * builtins/ArrayIterator.prototype.js:
        (next):
        * builtins/StringIterator.prototype.js:
        (next):
        - Use shorthand object construction to avoid duplication.
        - Improve grammar in error messages.

        * tests/stress/array-iterators-next-with-call.js:
        * tests/stress/string-iterators.js:
        - Update for new error message strings.

2015-03-28  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: ES6: Better support for Symbol types in Type Profiler
        https://bugs.webkit.org/show_bug.cgi?id=141257

        Reviewed by Joseph Pecoraro.

        ES6 introduces the new primitive type Symbol. This patch makes JSC's 
        type profiler support this new primitive type.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * inspector/protocol/Runtime.json:
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        * runtime/RuntimeType.h:
        (JSC::runtimeTypeIsPrimitive):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::dumpTypes):
        (JSC::TypeSet::doesTypeConformTo):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::TypeSet::toJSONString):
        * runtime/TypeSet.h:
        (JSC::TypeSet::seenTypes):
        * tests/typeProfiler/driver/driver.js:
        * tests/typeProfiler/symbol.js: Added.
        (wrapper.foo):
        (wrapper.bar):
        (wrapper.bar.bar.baz):
        (wrapper):

2015-03-27  Saam Barati  <saambarati1@gmail.com>

        Deconstruction parameters are bound too late
        https://bugs.webkit.org/show_bug.cgi?id=143148

        Reviewed by Filip Pizlo.

        Currently, a deconstruction pattern named with the same
        name as a function will shadow the function. This is
        wrong. It should be the other way around.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):

2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>

        parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
        https://bugs.webkit.org/show_bug.cgi?id=143170

        Reviewed by Benjamin Poulain.

        Assert that we never use 16-bit version of the parser to parse a default constructor
        since both base and derived default constructors should be using a 8-bit string.

        * parser/Parser.h:
        (JSC::parse):

2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
        https://bugs.webkit.org/show_bug.cgi?id=142862

        Reviewed by Benjamin Poulain.

        Add a test that used to fail in DFG now that the bug has been fixed by r181993.

        * tests/stress/class-syntax-derived-default-constructor.js: Added.

2015-03-27  Michael Saboff  <msaboff@apple.com>

        load8Signed() and load16Signed() should be renamed to avoid confusion
        https://bugs.webkit.org/show_bug.cgi?id=143168

        Reviewed by Benjamin Poulain.

        Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM::load8Signed): Deleted.
        (JSC::MacroAssemblerARM::load16Signed): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load16Signed): Deleted.
        (JSC::MacroAssemblerARM64::load8Signed): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
        (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
        (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
        (JSC::MacroAssemblerSH4::load16):
        (JSC::MacroAssemblerSH4::load8Signed): Deleted.
        (JSC::MacroAssemblerSH4::load16Signed): Deleted.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
        (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
        (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
        (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):

2015-03-27  Michael Saboff  <msaboff@apple.com>

        Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=138390

        Reviewed by Mark Lam.

        Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
        instead of 64 bits.  This is what X86-64 does.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16Signed):
        (JSC::MacroAssemblerARM64::load8Signed):

2015-03-27  Saam Barati  <saambarati1@gmail.com>

        Add back previously broken assert from bug 141869
        https://bugs.webkit.org/show_bug.cgi?id=143005

        Reviewed by Michael Saboff.

        * runtime/ExceptionHelpers.cpp:
        (JSC::invalidParameterInSourceAppender):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Make some more objects use FastMalloc
        https://bugs.webkit.org/show_bug.cgi?id=143122

        Reviewed by Csaba Osztrogonác.

        * API/JSCallbackObject.h:
        * heap/IncrementalSweeper.h:
        * jit/JITThunks.h:
        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/RegExpCache.h:

2015-03-27  Michael Saboff  <msaboff@apple.com>

        Objects with numeric properties intermittently get a phantom 'length' property
        https://bugs.webkit.org/show_bug.cgi?id=142792

        Reviewed by Csaba Osztrogonác.

        Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
        test and branch instructions.  This function is used for linking tbz/tbnz branches between
        two seperately JIT'ed sections of code.  Sometime we'd create a bogus tbz instruction in
        the failure case checks in the GetById array length stub created for "obj.length" access.
        If the failure case code address was at a negative offset from the stub, we'd look for bit 1
        being set when we should have been looking for bit 0.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):

2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Insert exception check around toPropertyKey call
        https://bugs.webkit.org/show_bug.cgi?id=142922

        Reviewed by Geoffrey Garen.

        In some places, exception check is missing after/before toPropertyKey.
        However, since it calls toString, it's observable to users,

        Missing exception checks in Object.prototype methods can be
        observed since it would be overridden with toObject(null/undefined) errors.
        We inserted exception checks after toPropertyKey.

        Missing exception checks in GetById related code can be
        observed since it would be overridden with toObject(null/undefined) errors.
        In this case, we need to insert exception checks before/after toPropertyKey
        since RequireObjectCoercible followed by toPropertyKey can cause exceptions.

        JSValue::get checks null/undefined and raise an exception if |this| is null or undefined.
        However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
        According to the spec, we first perform RequireObjectCoercible and check the exception.
        And second, we perform ToPropertyKey and check the exception.
        Since JSValue::toPropertyKey can cause toString call, this is observable to users.
        For example, if the target is not object coercible,
        ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
        So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.

        This patch introduces JSValue::requireObjectCoercible and use it because of the following 2 reasons.

        1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.

        toObject converts primitive types into wrapper objects.
        But it is not efficient since wrapper objects are not necessary
        if we look up methods from primitive values's prototype. (using synthesizePrototype is better).

        2. Using the result of toObject is not correct to the spec.

        To align to the spec correctly, we cannot use JSObject::get
        by using the wrapper object produced by the toObject suggested in (1).
        If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
        It is not correct since getter should be called with the original |this| value that may be primitive types.

        So in this patch, we use JSValue::requireObjectCoercible
        to check the target is object coercible and raise an error if it's not.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::requireObjectCoercible):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
        (shouldThrow):
        (if):
        * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
        (shouldThrow):
        (.):

2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>

        WebContent Crash when instantiating class with Type Profiling enabled
        https://bugs.webkit.org/show_bug.cgi?id=143037

        Reviewed by Ryosuke Niwa.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMoveEmptyValue):
        We cannot profile the type of an uninitialized empty JSValue.
        Nor do we expect this to be necessary, since it is effectively
        an unseen undefined value. So add a way to put the empty value
        without profiling.

        (JSC::BytecodeGenerator::emitMove):
        Add an assert to try to catch this issue early on, and force
        callers to explicitly use emitMoveEmptyValue instead.

        * tests/typeProfiler/classes.js: Added.
        (wrapper.Base):
        (wrapper.Derived):
        (wrapper):
        Add test coverage both for this case and classes in general.

2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ES6: Provide a better view for Classes in the console
        https://bugs.webkit.org/show_bug.cgi?id=142999

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Runtime.json:
        Provide a new `subtype` enum "class". This is a subtype of `type`
        "function", all other subtypes are subtypes of `object` types.
        For a class, the frontend will immediately want to get the prototype
        to enumerate its methods, so include the `classPrototype`.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        Denote class construction functions as "class" subtypes.

        * inspector/InjectedScriptSource.js:
        Handling for the new "class" type.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::isClassConstructorFunction):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::isClassConstructorFunction):
        Check if this function is a class constructor function. That information
        is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Function.prototype.toString should not decompile the AST
        https://bugs.webkit.org/show_bug.cgi?id=142853

        Reviewed by Darin Adler.

        Following up on Darin's review comments.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        "lineNo" does not match WebKit coding style guidelines
        https://bugs.webkit.org/show_bug.cgi?id=143119

        Reviewed by Michael Saboff.

        We can afford to use whole words.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::lineNumberForBytecodeOffset):
        (JSC::CodeBlock::expressionRangeForBytecodeOffset):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedCodeBlock.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::WhileNode::emitBytecode):
        * debugger/Debugger.cpp:
        (JSC::Debugger::toggleBreakpoint):
        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::computeLineAndColumn):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::execute):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::computeLineAndColumn):
        * parser/Nodes.h:
        (JSC::Node::firstLine):
        (JSC::Node::lineNo): Deleted.
        (JSC::StatementNode::firstLine): Deleted.
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):
        * profiler/LegacyProfiler.cpp:
        (JSC::createCallIdentifierFromFunctionImp):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::firstLine):
        (JSC::ScriptExecutable::setOverrideLineNumber):
        (JSC::ScriptExecutable::hasOverrideLineNumber):
        (JSC::ScriptExecutable::overrideLineNumber):
        (JSC::ScriptExecutable::lineNo): Deleted.
        (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
        (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
        (JSC::ScriptExecutable::overrideLineNo): Deleted.
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::report):
        * tools/CodeProfile.h:
        (JSC::CodeProfile::CodeProfile):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
        https://bugs.webkit.org/show_bug.cgi?id=142974

        Reviewed by Joseph Pecoraro.

        This patch does two things:

        (1) Restore JavaScriptCore's sanitization of line and column numbers to
        one-based values.

        We need this because WebCore sometimes provides huge negative column
        numbers.

        (2) Solve the attribute event listener line numbering problem a different
        way: Rather than offseting all line numbers by -1 in an attribute event
        listener in order to arrange for a custom result, instead use an explicit
        feature for saying "all errors in this code should map to this line number".

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        * bytecode/UnlinkedCodeBlock.h:
        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::computeLineAndColumn):
        (JSC::GetStackTraceFunctor::operator()):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::computeLineAndColumn):
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject): Plumb through an override line number.
        When a function has an override line number, all syntax and runtime
        errors in the function will map to it. This is useful for attribute event
        listeners.
 
        * parser/SourceCode.h:
        (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
        column numbers to one-based integers. It was kind of a hack to remove this.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::setOverrideLineNo):
        (JSC::ScriptExecutable::hasOverrideLineNo):
        (JSC::ScriptExecutable::overrideLineNo):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h: Plumb through an override line number.

2015-03-26  Filip Pizlo  <fpizlo@apple.com>

        If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.

        Reviewed by Michael Saboff.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.

2015-03-26  Filip Pizlo  <fpizlo@apple.com>

        FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
        https://bugs.webkit.org/show_bug.cgi?id=143098

        Reviewed by Csaba Osztrogonác.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
        * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.

2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed gardening, skip failing tests on AArch64 Linux.

        * tests/mozilla/mozilla-tests.yaml:
        * tests/stress/cached-prototype-setter.js:

2015-03-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
        * ftl/FTLState.h:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
        right, so this just makes 32-bit do the same.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Fix a typo that ggaren found but that I didn't fix before.

        * runtime/DirectArgumentsOffset.h:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, VC found a bug. This fixes the bug.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, try to fix Windows build.

        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createWithInlineFrame):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix debug build.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstDeclNode::emitCodeSingle):

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * dfg/DFGMinifiedID.h:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Heap variables shouldn't end up in the stack frame
        https://bugs.webkit.org/show_bug.cgi?id=141174

        Reviewed by Geoffrey Garen.
        
        This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
        any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
        longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
        simplifications:
        
        - Accesses to variables no longer need checks or indirections to determine where the variable is
          at that moment in time. For example, loading a closure variable now takes just one load instead
          of two. Loading an argument by index now takes a bounds check and a load in the fastest case
          (when no arguments object allocation is required) while previously that same operation required
          a "did I allocate arguments yet" check, a bounds check, and then the load.
        
        - Reasoning about the allocation of an activation or arguments object now follows the same simple
          logic as the allocation of any other kind of object. Previously, those objects were lazily
          allocated - so an allocation instruction wasn't the actual allocation site, since it might not
          allocate anything at all. This made the implementation of traditional escape analyses really
          awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
          arguments object using the usual SSA tricks which allows for more comprehensive removal.
        
        - The allocations of arguments objects, functions, and activations are now much faster. While
          this patch generally expands our ability to eliminate arguments object allocations, an earlier
          version of the patch - which lacked that functionality - was a progression on some arguments-
          and closure-happy benchmarks because although no allocations were eliminated, all allocations
          were faster.
        
        - There is no tear-off. The runtime no loner needs to know about where on the stack a frame keeps
          its arguments objects or activations. The runtime doesn't have to do things to the arguments
          objects and activations that a frame allocated, when the frame is unwound. We always had horrid
          bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
          FTL, CodeBlock, and other places. All of the things having to do with "captured variables" is
          now gone. This also enables implementing block-scoping. Without this change, block-scope
          support would require telling CodeBlock and all of the rest of the runtime about all of the
          variables that store currently-live scopes. That would have been so disastrously hard that it
          might as well be impossible. With this change, it's fair game for the bytecode generator to
          simply allocate whatever activations it wants, wherever it wants, and to keep them live for
          however long it wants. This all works, because after bytecode generation, an activation is just
          an object and variables that refer to it are just normal variables.
        
        - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
          VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
          used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
          of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
          an arguments object.
        
        - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
          using activations used to prevent inlining; now functions that use activations can be inlined
          just fine.
        
        This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
        speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
        It's only a slow-down on very short-running microbenchmarks we had previously written for our old
        style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
        
        The easiest way of understanding this change is to start by looking at the changes in runtime/,
        and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
        * bytecode/ByValInfo.h:
        (JSC::hasOptimizableIndexingForJSType):
        (JSC::hasOptimizableIndexing):
        (JSC::jitArrayModeForJSType):
        (JSC::jitArrayModePermitsPut):
        (JSC::jitArrayModeForStructure):
        * bytecode/BytecodeKills.h: Added.
        (JSC::BytecodeKills::BytecodeKills):
        (JSC::BytecodeKills::operandIsKilled):
        (JSC::BytecodeKills::forEachOperandKilledAt):
        (JSC::BytecodeKills::KillSet::KillSet):
        (JSC::BytecodeKills::KillSet::add):
        (JSC::BytecodeKills::KillSet::forEachLocal):
        (JSC::BytecodeKills::KillSet::contains):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::isValidRegisterForLiveness):
        (JSC::stepOverInstruction):
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
        (JSC::BytecodeLivenessAnalysis::computeKills):
        (JSC::indexForOperand): Deleted.
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
        (JSC::getLivenessInfo): Deleted.
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        (JSC::operandIsAlwaysLive):
        (JSC::operandThatIsNotAlwaysLiveIsLive):
        (JSC::operandIsLive):
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::nameForRegister):
        (JSC::CodeBlock::validate):
        (JSC::CodeBlock::isCaptured): Deleted.
        (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
        (JSC::CodeBlock::machineSlowArguments): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::unmodifiedArgumentsRegister): Deleted.
        (JSC::CodeBlock::setArgumentsRegister): Deleted.
        (JSC::CodeBlock::argumentsRegister): Deleted.
        (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
        (JSC::CodeBlock::usesArguments): Deleted.
        (JSC::CodeBlock::captureCount): Deleted.
        (JSC::CodeBlock::captureStart): Deleted.
        (JSC::CodeBlock::captureEnd): Deleted.
        (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
        (JSC::CodeBlock::hasSlowArguments): Deleted.
        (JSC::ExecState::argumentAfterCapture): Deleted.
        * bytecode/CodeOrigin.h:
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * bytecode/FullBytecodeLiveness.h:
        (JSC::FullBytecodeLiveness::getLiveness):
        (JSC::FullBytecodeLiveness::operandIsLive):
        (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
        (JSC::FullBytecodeLiveness::getOut): Deleted.
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Operands.h:
        (JSC::Operands::virtualRegisterForIndex):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        (JSC::isDirectArgumentsSpeculation):
        (JSC::isScopedArgumentsSpeculation):
        (JSC::isActionableMutableArraySpeculation):
        (JSC::isActionableArraySpeculation):
        (JSC::isArgumentsSpeculation): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
        (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
        * bytecode/ValueRecovery.cpp:
        (JSC::ValueRecovery::dumpInContext):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
        (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
        (JSC::ValueRecovery::nodeID):
        (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::operator==):
        (JSC::VirtualRegister::operator!=):
        (JSC::VirtualRegister::operator<):
        (JSC::VirtualRegister::operator>):
        (JSC::VirtualRegister::operator<=):
        (JSC::VirtualRegister::operator>=):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeNextParameter):
        (JSC::BytecodeGenerator::visibleNameForParameter):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::createVariable):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::initializeVariable):
        (JSC::BytecodeGenerator::emitInstanceOf):
        (JSC::BytecodeGenerator::emitNewFunction):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::isArgumentNumber):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::addVar): Deleted.
        (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
        (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
        (JSC::BytecodeGenerator::resolveCallee): Deleted.
        (JSC::BytecodeGenerator::addCallee): Deleted.
        (JSC::BytecodeGenerator::addParameter): Deleted.
        (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
        (JSC::BytecodeGenerator::isCaptured): Deleted.
        (JSC::BytecodeGenerator::local): Deleted.
        (JSC::BytecodeGenerator::constLocal): Deleted.
        (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
        (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
        (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
        (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
        (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Variable::Variable):
        (JSC::Variable::isResolved):
        (JSC::Variable::ident):
        (JSC::Variable::offset):
        (JSC::Variable::isLocal):
        (JSC::Variable::local):
        (JSC::Variable::isSpecial):
        (JSC::BytecodeGenerator::argumentsRegister):
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::registerFor):
        (JSC::Local::Local): Deleted.
        (JSC::Local::operator bool): Deleted.
        (JSC::Local::get): Deleted.
        (JSC::Local::isSpecial): Deleted.
        (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
        (JSC::ResolveScopeInfo::isLocal): Deleted.
        (JSC::ResolveScopeInfo::localIndex): Deleted.
        (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::captureMode): Deleted.
        (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
        (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
        (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
        (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ForInNode::tryGetBoundLocal):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ArrayPatternNode::emitDirectBinding):
        (JSC::BindingNode::bindValue):
        (JSC::getArgumentByVal): Deleted.
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
        * dfg/DFGAbstractValue.h:
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::addVariable):
        * dfg/DFGArgumentsEliminationPhase.cpp: Added.
        (JSC::DFG::performArgumentsElimination):
        * dfg/DFGArgumentsEliminationPhase.h: Added.
        * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
        * dfg/DFGArgumentsSimplificationPhase.h: Removed.
        * dfg/DFGArgumentsUtilities.cpp: Added.
        (JSC::DFG::argumentsInvolveStackSlot):
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGArgumentsUtilities.h: Added.
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        (JSC::DFG::ArrayMode::alreadyChecked):
        (JSC::DFG::arrayTypeToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::canCSEStorage):
        (JSC::DFG::ArrayMode::modeForPut):
        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::prune):
        * dfg/DFGAvailabilityMap.h:
        (JSC::DFG::AvailabilityMap::closeOverNodes):
        (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::newVariableAccessData):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flushDirect):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
        (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupportedForInlining):
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGDisassembler.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGForAllKills.h: Added.
        (JSC::DFG::forAllLiveNodesAtTail):
        (JSC::DFG::forAllDirectlyKilledOperands):
        (JSC::DFG::forAllKilledOperands):
        (JSC::DFG::forAllKilledNodesAtNodeIndex):
        (JSC::DFG::forAllKillsInBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::substituteGetLocal):
        (JSC::DFG::Graph::livenessFor):
        (JSC::DFG::Graph::killsFor):
        (JSC::DFG::Graph::tryGetConstantClosureVar):
        (JSC::DFG::Graph::tryGetRegisters): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::symbolTableFor):
        (JSC::DFG::Graph::uses):
        (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
        (JSC::DFG::Graph::capturedVarsFor): Deleted.
        (JSC::DFG::Graph::usesArguments): Deleted.
        (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
        (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
        (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGMinifiedID.h:
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasInlineCallFrame):
        (JSC::DFG::MinifiedNode::inlineCallFrame):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToIdentityOn):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasConstant):
        (JSC::DFG::Node::constant):
        (JSC::DFG::Node::hasScopeOffset):
        (JSC::DFG::Node::scopeOffset):
        (JSC::DFG::Node::hasDirectArgumentsOffset):
        (JSC::DFG::Node::capturedArgumentsOffset):
        (JSC::DFG::Node::variablePointer):
        (JSC::DFG::Node::hasCallVarargsData):
        (JSC::DFG::Node::hasLoadVarargsData):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::objectMaterializationData):
        (JSC::DFG::Node::isPhantomAllocation):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        (JSC::DFG::Node::shouldSpeculateDirectArguments):
        (JSC::DFG::Node::shouldSpeculateScopedArguments):
        (JSC::DFG::Node::isPhantomArguments): Deleted.
        (JSC::DFG::Node::hasVarNumber): Deleted.
        (JSC::DFG::Node::varNumber): Deleted.
        (JSC::DFG::Node::registerPointer): Deleted.
        (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
        * dfg/DFGOSRExitCompiler.h:
        (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
        (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
        (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
        (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::preciseLocalClobberize):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
        (JSC::DFG::forEachLocalReadByUnwind): Deleted.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
        * dfg/DFGPromoteHeapAccess.h:
        (JSC::DFG::promoteHeapAccess):
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        (JSC::DFG::SpeculativeJIT::emitGetLength):
        (JSC::DFG::SpeculativeJIT::emitGetCallee):
        (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
        (JSC::DFG::SpeculativeJIT::compilePutToArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
        (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVarargsForwardingPhase.cpp: Added.
        (JSC::DFG::performVarargsForwarding):
        * dfg/DFGVarargsForwardingPhase.h: Added.
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::flushFormat):
        (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldNeverUnbox):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::isCaptured): Deleted.
        (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
        (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
        * dfg/DFGVariableAccessDataDump.cpp:
        (JSC::DFG::VariableAccessDataDump::dump):
        * dfg/DFGVariableAccessDataDump.h:
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
        * dfg/DFGVariableEventStream.h:
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractField::dump):
        (JSC::FTL::IndexedAbstractHeap::dump):
        (JSC::FTL::NumberedAbstractHeap::dump):
        (JSC::FTL::AbsoluteAbstractHeap::dump):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitArgument.cpp:
        (JSC::FTL::ExitArgument::dump):
        * ftl/FTLExitPropertyValue.cpp:
        (JSC::FTL::ExitPropertyValue::withLocalsOffset):
        * ftl/FTLExitPropertyValue.h:
        * ftl/FTLExitTimeObjectMaterialization.cpp:
        (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
        (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
        * ftl/FTLExitTimeObjectMaterialization.h:
        (JSC::FTL::ExitTimeObjectMaterialization::origin):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::withLocalsOffset):
        (JSC::FTL::ExitValue::valueFormat):
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::isArgument):
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
        (JSC::FTL::ExitValue::valueFormat): Deleted.
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCallForwardVarargs):
        (JSC::FTL::sizeOfConstructForwardVarargs):
        (JSC::FTL::sizeOfICFor):
        * ftl/FTLInlineCacheSize.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::JSCallVarargs):
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLJSCallVarargs.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutStack):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
        (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
        (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
        (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
        (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
        (JSC::FTL::LowerDFGToLLVM::baseIndex):
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::loadStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
        (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileRecovery):
        (JSC::FTL::compileStub):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::zeroExtPtr):
        * heap/CopyToken.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::getArgumentUnsafe):
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        (JSC::unwindCallFrame):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        (JSC::StackVisitor::Frame::existingArguments): Deleted.
        * interpreter/StackVisitor.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::loadValue):
        (JSC::AssemblyHelpers::storeTrustedValue):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIsEmpty):
        (JSC::AssemblyHelpers::argumentsStart):
        (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
        (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
        (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgument):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::withTwoAvailableRegs):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_new_func):
        (JSC::JIT::emit_op_create_direct_arguments):
        (JSC::JIT::emit_op_create_scoped_arguments):
        (JSC::JIT::emit_op_create_out_of_band_arguments):
        (JSC::JIT::emit_op_tear_off_arguments): Deleted.
        (JSC::JIT::emit_op_create_arguments): Deleted.
        (JSC::JIT::emit_op_init_lazy_reg): Deleted.
        (JSC::JIT::emit_op_get_arguments_length): Deleted.
        (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
        (JSC::JIT::emit_op_get_argument_by_val): Deleted.
        (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_tear_off_arguments): Deleted.
        (JSC::JIT::emit_op_create_arguments): Deleted.
        (JSC::JIT::emit_op_init_lazy_reg): Deleted.
        (JSC::JIT::emit_op_get_arguments_length): Deleted.
        (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
        (JSC::JIT::emit_op_get_argument_by_val): Deleted.
        (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::emitDirectArgumentsGetByVal):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ScopeNode::captures):
        * runtime/Arguments.cpp: Removed.
        * runtime/Arguments.h: Removed.
        * runtime/ArgumentsMode.h: Added.
        * runtime/DirectArgumentsOffset.cpp: Added.
        (JSC::DirectArgumentsOffset::dump):
        * runtime/DirectArgumentsOffset.h: Added.
        (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/ConstantMode.cpp: Added.
        (WTF::printInternal):
        * runtime/ConstantMode.h:
        (JSC::modeForIsConstant):
        * runtime/DirectArguments.cpp: Added.
        (JSC::DirectArguments::DirectArguments):
        (JSC::DirectArguments::createUninitialized):
        (JSC::DirectArguments::create):
        (JSC::DirectArguments::createByCopying):
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::copyBackingStore):
        (JSC::DirectArguments::createStructure):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::overrideThingsIfNecessary):
        (JSC::DirectArguments::overrideArgument):
        (JSC::DirectArguments::copyToArguments):
        (JSC::DirectArguments::overridesSize):
        * runtime/DirectArguments.h: Added.
        (JSC::DirectArguments::internalLength):
        (JSC::DirectArguments::length):
        (JSC::DirectArguments::canAccessIndexQuickly):
        (JSC::DirectArguments::getIndexQuickly):
        (JSC::DirectArguments::setIndexQuickly):
        (JSC::DirectArguments::callee):
        (JSC::DirectArguments::argument):
        (JSC::DirectArguments::overrodeThings):
        (JSC::DirectArguments::offsetOfCallee):
        (JSC::DirectArguments::offsetOfLength):
        (JSC::DirectArguments::offsetOfMinCapacity):
        (JSC::DirectArguments::offsetOfOverrides):
        (JSC::DirectArguments::storageOffset):
        (JSC::DirectArguments::offsetOfSlot):
        (JSC::DirectArguments::allocationSize):
        (JSC::DirectArguments::storage):
        * runtime/FunctionPrototype.cpp:
        * runtime/GenericArguments.h: Added.
        (JSC::GenericArguments::GenericArguments):
        * runtime/GenericArgumentsInlines.h: Added.
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::putByIndex):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::deletePropertyByIndex):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        (JSC::GenericArguments<Type>::copyToArguments):
        * runtime/GenericOffset.h: Added.
        (JSC::GenericOffset::GenericOffset):
        (JSC::GenericOffset::operator!):
        (JSC::GenericOffset::offsetUnchecked):
        (JSC::GenericOffset::offset):
        (JSC::GenericOffset::operator==):
        (JSC::GenericOffset::operator!=):
        (JSC::GenericOffset::operator<):
        (JSC::GenericOffset::operator>):
        (JSC::GenericOffset::operator<=):
        (JSC::GenericOffset::operator>=):
        (JSC::GenericOffset::operator+):
        (JSC::GenericOffset::operator-):
        (JSC::GenericOffset::operator+=):
        (JSC::GenericOffset::operator-=):
        * runtime/JSArgumentsIterator.cpp:
        (JSC::JSArgumentsIterator::finishCreation):
        (JSC::argumentsFuncIterator):
        * runtime/JSArgumentsIterator.h:
        (JSC::JSArgumentsIterator::create):
        (JSC::JSArgumentsIterator::next):
        * runtime/JSEnvironmentRecord.cpp:
        (JSC::JSEnvironmentRecord::visitChildren):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::variables):
        (JSC::JSEnvironmentRecord::isValid):
        (JSC::JSEnvironmentRecord::variableAt):
        (JSC::JSEnvironmentRecord::offsetOfVariables):
        (JSC::JSEnvironmentRecord::offsetOfVariable):
        (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
        (JSC::JSEnvironmentRecord::allocationSize):
        (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
        (JSC::JSEnvironmentRecord::finishCreationUninitialized):
        (JSC::JSEnvironmentRecord::finishCreation):
        (JSC::JSEnvironmentRecord::registers): Deleted.
        (JSC::JSEnvironmentRecord::registerAt): Deleted.
        (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
        (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::outOfBandArgumentsStructure):
        (JSC::JSGlobalObject::argumentsStructure): Deleted.
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::symbolTableGet):
        (JSC::JSLexicalEnvironment::symbolTablePut):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
        (JSC::JSLexicalEnvironment::visitChildren): Deleted.
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        (JSC::JSLexicalEnvironment::registersOffset): Deleted.
        (JSC::JSLexicalEnvironment::storageOffset): Deleted.
        (JSC::JSLexicalEnvironment::storage): Deleted.
        (JSC::JSLexicalEnvironment::allocationSize): Deleted.
        (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
        (JSC::JSLexicalEnvironment::isValid): Deleted.
        (JSC::JSLexicalEnvironment::registerAt): Deleted.
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren): Deleted.
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::value):
        (JSC::JSNameScope::finishCreation):
        (JSC::JSNameScope::JSNameScope):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::findVariableIndex):
        (JSC::JSSegmentedVariableObject::addVariables):
        (JSC::JSSegmentedVariableObject::visitChildren):
        (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
        (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::variableAt):
        (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
        (JSC::JSSegmentedVariableObject::registerAt): Deleted.
        (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::offsetOfSymbolTable):
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/JSType.h:
        * runtime/Options.h:
        * runtime/ClonedArguments.cpp: Added.
        (JSC::ClonedArguments::ClonedArguments):
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        (JSC::ClonedArguments::createStructure):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::getOwnPropertyNames):
        (JSC::ClonedArguments::put):
        (JSC::ClonedArguments::deleteProperty):
        (JSC::ClonedArguments::defineOwnProperty):
        (JSC::ClonedArguments::materializeSpecials):
        (JSC::ClonedArguments::materializeSpecialsIfNecessary):
        * runtime/ClonedArguments.h: Added.
        (JSC::ClonedArguments::specialsMaterialized):
        * runtime/ScopeOffset.cpp: Added.
        (JSC::ScopeOffset::dump):
        * runtime/ScopeOffset.h: Added.
        (JSC::ScopeOffset::ScopeOffset):
        * runtime/ScopedArguments.cpp: Added.
        (JSC::ScopedArguments::ScopedArguments):
        (JSC::ScopedArguments::finishCreation):
        (JSC::ScopedArguments::createUninitialized):
        (JSC::ScopedArguments::create):
        (JSC::ScopedArguments::createByCopying):
        (JSC::ScopedArguments::createByCopyingFrom):
        (JSC::ScopedArguments::visitChildren):
        (JSC::ScopedArguments::createStructure):
        (JSC::ScopedArguments::overrideThings):
        (JSC::ScopedArguments::overrideThingsIfNecessary):
        (JSC::ScopedArguments::overrideArgument):
        (JSC::ScopedArguments::copyToArguments):
        * runtime/ScopedArguments.h: Added.
        (JSC::ScopedArguments::internalLength):
        (JSC::ScopedArguments::length):
        (JSC::ScopedArguments::canAccessIndexQuickly):
        (JSC::ScopedArguments::getIndexQuickly):
        (JSC::ScopedArguments::setIndexQuickly):
        (JSC::ScopedArguments::callee):
        (JSC::ScopedArguments::overrodeThings):
        (JSC::ScopedArguments::offsetOfOverrodeThings):
        (JSC::ScopedArguments::offsetOfTotalLength):
        (JSC::ScopedArguments::offsetOfTable):
        (JSC::ScopedArguments::offsetOfScope):
        (JSC::ScopedArguments::overflowStorageOffset):
        (JSC::ScopedArguments::allocationSize):
        (JSC::ScopedArguments::overflowStorage):
        * runtime/ScopedArgumentsTable.cpp: Added.
        (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
        (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
        (JSC::ScopedArgumentsTable::destroy):
        (JSC::ScopedArgumentsTable::create):
        (JSC::ScopedArgumentsTable::clone):
        (JSC::ScopedArgumentsTable::setLength):
        (JSC::ScopedArgumentsTable::set):
        (JSC::ScopedArgumentsTable::createStructure):
        * runtime/ScopedArgumentsTable.h: Added.
        (JSC::ScopedArgumentsTable::length):
        (JSC::ScopedArgumentsTable::get):
        (JSC::ScopedArgumentsTable::lock):
        (JSC::ScopedArgumentsTable::offsetOfLength):
        (JSC::ScopedArgumentsTable::offsetOfArguments):
        (JSC::ScopedArgumentsTable::at):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::visitChildren):
        (JSC::SymbolTable::localToEntry):
        (JSC::SymbolTable::entryFor):
        (JSC::SymbolTable::cloneScopePart):
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::uniqueIDForOffset):
        (JSC::SymbolTable::globalTypeSetForOffset):
        (JSC::SymbolTable::cloneCapturedNames): Deleted.
        (JSC::SymbolTable::uniqueIDForRegister): Deleted.
        (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::varOffsetFromBits):
        (JSC::SymbolTableEntry::scopeOffsetFromBits):
        (JSC::SymbolTableEntry::Fast::varOffset):
        (JSC::SymbolTableEntry::Fast::scopeOffset):
        (JSC::SymbolTableEntry::Fast::isDontEnum):
        (JSC::SymbolTableEntry::Fast::getAttributes):
        (JSC::SymbolTableEntry::SymbolTableEntry):
        (JSC::SymbolTableEntry::varOffset):
        (JSC::SymbolTableEntry::isWatchable):
        (JSC::SymbolTableEntry::scopeOffset):
        (JSC::SymbolTableEntry::setAttributes):
        (JSC::SymbolTableEntry::constantMode):
        (JSC::SymbolTableEntry::isDontEnum):
        (JSC::SymbolTableEntry::disableWatching):
        (JSC::SymbolTableEntry::pack):
        (JSC::SymbolTableEntry::isValidVarOffset):
        (JSC::SymbolTable::createNameScopeTable):
        (JSC::SymbolTable::maxScopeOffset):
        (JSC::SymbolTable::didUseScopeOffset):
        (JSC::SymbolTable::didUseVarOffset):
        (JSC::SymbolTable::scopeSize):
        (JSC::SymbolTable::nextScopeOffset):
        (JSC::SymbolTable::takeNextScopeOffset):
        (JSC::SymbolTable::add):
        (JSC::SymbolTable::set):
        (JSC::SymbolTable::argumentsLength):
        (JSC::SymbolTable::setArgumentsLength):
        (JSC::SymbolTable::argumentOffset):
        (JSC::SymbolTable::setArgumentOffset):
        (JSC::SymbolTable::arguments):
        (JSC::SlowArgument::SlowArgument): Deleted.
        (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
        (JSC::SymbolTableEntry::getIndex): Deleted.
        (JSC::SymbolTableEntry::isValidIndex): Deleted.
        (JSC::SymbolTable::captureStart): Deleted.
        (JSC::SymbolTable::setCaptureStart): Deleted.
        (JSC::SymbolTable::captureEnd): Deleted.
        (JSC::SymbolTable::setCaptureEnd): Deleted.
        (JSC::SymbolTable::captureCount): Deleted.
        (JSC::SymbolTable::isCaptured): Deleted.
        (JSC::SymbolTable::parameterCount): Deleted.
        (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
        (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
        (JSC::SymbolTable::slowArguments): Deleted.
        (JSC::SymbolTable::setSlowArguments): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/VarOffset.cpp: Added.
        (JSC::VarOffset::dump):
        (WTF::printInternal):
        * runtime/VarOffset.h: Added.
        (JSC::VarOffset::VarOffset):
        (JSC::VarOffset::assemble):
        (JSC::VarOffset::isValid):
        (JSC::VarOffset::operator!):
        (JSC::VarOffset::kind):
        (JSC::VarOffset::isStack):
        (JSC::VarOffset::isScope):
        (JSC::VarOffset::isDirectArgument):
        (JSC::VarOffset::stackOffsetUnchecked):
        (JSC::VarOffset::scopeOffsetUnchecked):
        (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
        (JSC::VarOffset::stackOffset):
        (JSC::VarOffset::scopeOffset):
        (JSC::VarOffset::capturedArgumentsOffset):
        (JSC::VarOffset::rawOffset):
        (JSC::VarOffset::checkSanity):
        (JSC::VarOffset::operator==):
        (JSC::VarOffset::operator!=):
        (JSC::VarOffset::hash):
        (JSC::VarOffset::isHashTableDeletedValue):
        (JSC::VarOffsetHash::hash):
        (JSC::VarOffsetHash::equal):
        * tests/stress/arguments-exit-strict-mode.js: Added.
        * tests/stress/arguments-exit.js: Added.
        * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
        * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
        * tests/stress/arguments-inlined-exit.js: Added.
        * tests/stress/arguments-interference.js: Added.
        * tests/stress/arguments-interference-cfg.js: Added.
        * tests/stress/dead-get-closure-var.js: Added.
        * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
        * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
        * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
        * tests/stress/varargs-closure-inlined-exit.js: Added.
        * tests/stress/varargs-exit.js: Added.
        * tests/stress/varargs-inlined-exit.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
        * tests/stress/varargs-inlined-simple-exit.js: Added.
        * tests/stress/varargs-too-few-arguments.js: Added.
        * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
        * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
        * tests/stress/varargs-varargs-inlined-exit.js: Added.

2015-03-25  Andy Estes  <aestes@apple.com>

        [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
        https://bugs.webkit.org/show_bug.cgi?id=143068

        Reviewed by Dan Bernstein.

        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
        https://bugs.webkit.org/show_bug.cgi?id=142993

        Reviewed by Geoffrey Garen and Mark Lam.
        
        This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
        into using JITCompilationCanFail and having a legit fallback path. This mostly involves
        having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
        failure, but also involves adding the same kind of thing to the stub generators in
        Repatch.
        
        Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
        of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
        like host call stub generation, could handle a GC, but those get invoked very rarely. So,
        this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
        printout.
        
        Also add a way of inducing executable allocation failure, so that we can test this.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::link): Deleted.
        (JSC::DFG::JITCompiler::linkFunction): Deleted.
        * dfg/DFGJITCompiler.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLState.h:
        * jit/ArityCheckFailReturnThunks.cpp:
        (JSC::ArityCheckFailReturnThunks::returnPCsFor):
        * jit/ExecutableAllocationFuzz.cpp: Added.
        (JSC::numberOfExecutableAllocationFuzzChecks):
        (JSC::doExecutableAllocationFuzzing):
        * jit/ExecutableAllocationFuzz.h: Added.
        (JSC::doExecutableAllocationFuzzingIfEnabled):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCompilationEffort.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStubAndGetOldStructure):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::linkPolymorphicCall):
        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.h:
        * runtime/VM.cpp:
        * tests/executableAllocationFuzz: Added.
        * tests/executableAllocationFuzz.yaml: Added.
        * tests/executableAllocationFuzz/v8-raytrace.js: Added.

2015-03-25  Mark Lam  <mark.lam@apple.com>

        REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
        <https://webkit.org/b/135719>

        Reviewed by Geoffrey Garen.

        This is a regression introduced in http://trac.webkit.org/changeset/169139 which
        changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
        update the LLINT to access it as such.

        The issue has only manifested so far on the CLoop tests because those are LLINT
        only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
        hiding the bug in the LLINT.

        * API/JSContextRef.cpp:
        (createWatchdogIfNeeded):
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * llint/LowLevelInterpreter.asm:

2015-03-25  Filip Pizlo  <fpizlo@apple.com>

        Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.

        Rubber stamped by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):

2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>

        Fix formatting in BuiltinExecutables
        https://bugs.webkit.org/show_bug.cgi?id=143061

        Reviewed by Ryosuke Niwa.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):

2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>

        ES6: Classes: Program level class statement throws exception in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=143038

        Reviewed by Ryosuke Niwa.

        Classes expose a name to the current lexical environment. This treats
        "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
        Also, improve error messages for class statements where the class is missing a name.

        * parser/Parser.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        Fill name in info parameter if needed. Better error message if name is needed and missing.

        (JSC::Parser<LexerType>::parseClassDeclaration):
        Pass info parameter to get name, and expose the name as a variable name.

        (JSC::Parser<LexerType>::parsePrimaryExpression):
        Pass info parameter that is ignored.

        * parser/ParserFunctionInfo.h:
        Add a parser info for class, to extract the name.

2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        New map and set modification tests in r181922 fails
        https://bugs.webkit.org/show_bug.cgi?id=143031

        Reviewed and tweaked by Geoffrey Garen.

        When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
        to adjust for the packed backing store.

        Consider the following map data.

        x: deleted, o: exists
        0 1 2 3 4
        x x x x o

        And iterator with m_index 3.

        When packing the map data, map data will become,

        0
        o

        At that time, we perfom didRemoveEntry 4 times on iterators.
        times => m_index/index/result
        1 => 3/0/dec
        2 => 2/1/dec
        3 => 1/2/nothing
        4 => 1/3/nothing

        After iteration, iterator's m_index becomes 1. But we expected that becomes 0.
        This is because if we use decremented m_index for comparison,
        while provided deletedIndex is the index in old storage, m_index is the index in partially packed storage.

        In this patch, we compare against the packed index instead.
        times => m_index/packedIndex/result
        1 => 3/0/dec
        2 => 2/0/dec
        3 => 1/0/dec
        4 => 0/0/nothing

        So m_index becomes 0 as expected.

        And according to the spec, once the iterator is closed (becomes done: true),
        its internal [[Map]]/[[Set]] is set to undefined.
        So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).

        In this patch, we change 2 things.
        1.
        Compare an iterator's index against the packed index when removing an entry.

        2.
        If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.

        * runtime/MapData.h:
        (JSC::MapDataImpl::IteratorData::finish):
        (JSC::MapDataImpl::IteratorData::isFinished):
        (JSC::MapDataImpl::IteratorData::didRemoveEntry):
        (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
        (JSC::MapDataImpl::IteratorData::startPackBackingStore):
        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::replaceAndPackBackingStore):
        * tests/stress/modify-map-during-iteration.js:
        * tests/stress/modify-set-during-iteration.js:

2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>

        Setter should have a single formal parameter, Getter no parameters
        https://bugs.webkit.org/show_bug.cgi?id=142903

        Reviewed by Geoffrey Garen.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        Enforce no parameters for getters and a single parameter
        for setters, with informational error messages.

2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>

        ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
        https://bugs.webkit.org/show_bug.cgi?id=143012

        Reviewed by Ryosuke Niwa.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn):
        Fix handling of "undefined" when returned from a Derived class. It was
        returning "undefined" when it should have returned "this".

2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
        https://bugs.webkit.org/show_bug.cgi?id=142696

        Reviewed and tweaked by Geoffrey Garen.

        Before r142556, JSSetIterator::destroy was not defined.
        So accidentally MapData::const_iterator in JSSet was never destroyed.
        But it had non trivial destructor, decrementing MapData->m_iteratorCount.

        After r142556, JSSetIterator::destroy works.
        It correctly destruct MapData::const_iterator and m_iteratorCount partially works.
        But JSSetIterator::~JSSetIterator requires owned JSSet since it mutates MapData->m_iteratorCount.

        It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
        and marks it in visitChildren (WriteBarrier<Unknown>).
        However, the order of destructions is not guaranteed in GC-ed system.

        Consider the following case,
        allocate JSSet and subsequently allocate JSSetIterator.
        And they resides in the separated MarkedBlock, <1> and <2>.

        JSSet<1> <- JSSetIterator<2>

        And after that, when performing GC, Marker decides that the above 2 objects are not marked.
        And Marker also decides MarkedBlocks <1> and <2> can be sweeped.

        First Sweeper sweep <1>, destruct JSSet<1> and free MarkedBlock<1>.
        Second Sweeper sweep <2>, attempt to destruct JSSetIterator<2>.
        However, JSSetIterator<2>'s destructor,
        JSSetIterator::~JSSetIterator requires live JSSet<1>, it causes use-after-free.

        In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
        When packing the removed elements in JSSet/JSMap, we apply the change to all live
        iterators tracked by WeakGCMap.

        WeakGCMap can only track JSCell since they are managed by GC.
        So we drop JSSet/JSMap C++ style iterators. Instead of C++ style iterator, this patch
        introduces JS style iterator signatures into C++ class IteratorData.
        If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
        IteratorData directly.

        * runtime/JSMap.cpp:
        (JSC::JSMap::destroy):
        * runtime/JSMap.h:
        (JSC::JSMap::JSMap):
        (JSC::JSMap::begin): Deleted.
        (JSC::JSMap::end): Deleted.
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::destroy):
        * runtime/JSMapIterator.h:
        (JSC::JSMapIterator::next):
        (JSC::JSMapIterator::nextKeyValue):
        (JSC::JSMapIterator::iteratorData):
        (JSC::JSMapIterator::JSMapIterator):
        * runtime/JSSet.cpp:
        (JSC::JSSet::destroy):
        * runtime/JSSet.h:
        (JSC::JSSet::JSSet):
        (JSC::JSSet::begin): Deleted.
        (JSC::JSSet::end): Deleted.
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::destroy):
        * runtime/JSSetIterator.h:
        (JSC::JSSetIterator::next):
        (JSC::JSSetIterator::iteratorData):
        (JSC::JSSetIterator::JSSetIterator):
        * runtime/MapData.h:
        (JSC::MapDataImpl::IteratorData::finish):
        (JSC::MapDataImpl::IteratorData::isFinished):
        (JSC::MapDataImpl::shouldPack):
        (JSC::JSIterator>::MapDataImpl):
        (JSC::JSIterator>::KeyType::KeyType):
        (JSC::JSIterator>::IteratorData::IteratorData):
        (JSC::JSIterator>::IteratorData::next):
        (JSC::JSIterator>::IteratorData::ensureSlot):
        (JSC::JSIterator>::IteratorData::applyMapDataPatch):
        (JSC::JSIterator>::IteratorData::refreshCursor):
        (JSC::MapDataImpl::const_iterator::key): Deleted.
        (JSC::MapDataImpl::const_iterator::value): Deleted.
        (JSC::MapDataImpl::const_iterator::operator++): Deleted.
        (JSC::MapDataImpl::const_iterator::finish): Deleted.
        (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
        (JSC::MapDataImpl::begin): Deleted.
        (JSC::MapDataImpl::end): Deleted.
        (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
        (JSC::MapDataImpl<Entry>::clear): Deleted.
        (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
        (JSC::=): Deleted.
        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::clear):
        (JSC::JSIterator>::find):
        (JSC::JSIterator>::contains):
        (JSC::JSIterator>::add):
        (JSC::JSIterator>::set):
        (JSC::JSIterator>::get):
        (JSC::JSIterator>::remove):
        (JSC::JSIterator>::replaceAndPackBackingStore):
        (JSC::JSIterator>::replaceBackingStore):
        (JSC::JSIterator>::ensureSpaceForAppend):
        (JSC::JSIterator>::visitChildren):
        (JSC::JSIterator>::copyBackingStore):
        (JSC::JSIterator>::applyMapDataPatch):
        (JSC::MapDataImpl<Entry>::find): Deleted.
        (JSC::MapDataImpl<Entry>::contains): Deleted.
        (JSC::MapDataImpl<Entry>::add): Deleted.
        (JSC::MapDataImpl<Entry>::set): Deleted.
        (JSC::MapDataImpl<Entry>::get): Deleted.
        (JSC::MapDataImpl<Entry>::remove): Deleted.
        (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
        (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
        (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
        (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
        (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
        * runtime/MapPrototype.cpp:
        (JSC::mapProtoFuncForEach):
        * runtime/SetPrototype.cpp:
        (JSC::setProtoFuncForEach):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::forEach):
        * tests/stress/modify-map-during-iteration.js: Added.
        (testValue):
        (identityPairs):
        (.set if):
        (var):
        (set map):
        * tests/stress/modify-set-during-iteration.js: Added.
        (testValue):
        (set forEach):
        (set delete):

2015-03-24  Mark Lam  <mark.lam@apple.com>

        The ExecutionTimeLimit test should use its own JSGlobalContextRef.
        <https://webkit.org/b/143024>

        Reviewed by Geoffrey Garen.

        Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
        passed in from testapi.c.  It should create its own for better
        encapsulation of the test.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (currentCPUTimeAsJSFunctionCallback):
        (testExecutionTimeLimit):
        * API/tests/ExecutionTimeLimitTest.h:
        * API/tests/testapi.c:
        (main):

2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>

        ES6: Object Literal Methods toString is missing method name
        https://bugs.webkit.org/show_bug.cgi?id=142992

        Reviewed by Geoffrey Garen.

        Always stringify functions in the pattern:

          "function " + <function name> + <text from opening parenthesis to closing brace>.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        Update the path that was not stringifying in this pattern.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
        * parser/Nodes.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::parametersStartOffset):
        Pass the already known function parameter opening parenthesis
        start offset through to the FunctionExecutable. 

        * tests/mozilla/js1_5/Scope/regress-185485.js:
        (with.g):
        Add back original space in this test that was removed by r181810
        now that we have the space again in stringification.

2015-03-24  Michael Saboff  <msaboff@apple.com>

        REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
        https://bugs.webkit.org/show_bug.cgi?id=142856

        Reviewed by Filip Pizlo.

        Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
        get info for three loops to iterate over indexed properties, structure properties and other properties,
        respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
        for all loops before we exectue any enumeration.

        The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
        The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex)
        and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex);

        Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
        op_next_enumerator_pname.
        Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
        The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
        end value we stop iterating on.

        Made corresponding node changes to the DFG and FTL for the bytecode changes.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
        (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
        (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
        (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
        (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
        (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
        (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enumerator_structure_pname):
        (JSC::JIT::emit_op_enumerator_generic_pname):
        (JSC::JIT::emit_op_get_property_enumerator):
        (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
        (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
        (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enumerator_structure_pname):
        (JSC::JIT::emit_op_enumerator_generic_pname):
        (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        (JSC::JSPropertyNameEnumerator::finishCreation):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::JSPropertyNameEnumerator::indexedLength):
        (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
        (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
        (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
        (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
        (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
        (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
        (JSC::propertyNameEnumerator):
        (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
        (JSC::structurePropertyNameEnumerator): Deleted.
        (JSC::genericPropertyNameEnumerator): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::setCachedPropertyNameEnumerator):
        (JSC::Structure::cachedPropertyNameEnumerator):
        (JSC::Structure::canCachePropertyNameEnumerator):
        (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
        (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
        (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
        (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
        (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
        (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
        * runtime/Structure.h:
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        (JSC::StructureRareData::cachedPropertyNameEnumerator):
        (JSC::StructureRareData::setCachedPropertyNameEnumerator):
        (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
        (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
        (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
        (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
        * runtime/StructureRareData.h:
        * tests/stress/for-in-delete-during-iteration.js:

2015-03-24  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for debug builds.

        * runtime/ExceptionHelpers.cpp:
        (JSC::invalidParameterInSourceAppender):

2015-03-24  Saam Barati  <saambarati1@gmail.com>

        Improve error messages in JSC
        https://bugs.webkit.org/show_bug.cgi?id=141869

        Reviewed by Geoffrey Garen.

        JavaScriptCore has some unintuitive error messages associated
        with certain common errors. This patch changes some specific
        error messages to be more understandable and also creates a
        mechanism that will allow for easy modification of error messages
        in the future. The specific errors we change are not a function
        errors and invalid parameter errors.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        * jit/JITOperations.cpp:
        op_throw_static_error always has a JSString as its argument.
        There is no need to dance around this, and we should assert
        that this always holds. This JSString represents the error 
        message we want to display to the user, so there is no need
        to pass it into errorDescriptionForValue which will now place
        quotes around the string.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::hasSourceAppender):
        (JSC::ErrorInstance::sourceAppender):
        (JSC::ErrorInstance::setSourceAppender):
        (JSC::ErrorInstance::clearSourceAppender):
        (JSC::ErrorInstance::setRuntimeTypeForCause):
        (JSC::ErrorInstance::runtimeTypeForCause):
        (JSC::ErrorInstance::clearRuntimeTypeForCause):
        (JSC::ErrorInstance::appendSourceToMessage): Deleted.
        (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
        (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):
        (JSC::defaultApproximateSourceError):
        (JSC::defaultSourceAppender):
        (JSC::functionCallBase):
        (JSC::notAFunctionSourceAppender):
        (JSC::invalidParameterInSourceAppender):
        (JSC::invalidParameterInstanceofSourceAppender):
        (JSC::createError):
        (JSC::createInvalidFunctionApplyParameterError):
        (JSC::createInvalidInParameterError):
        (JSC::createInvalidInstanceofParameterError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        (JSC::createInvalidParameterError): Deleted.
        * runtime/ExceptionHelpers.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasInstance):
        * runtime/RuntimeType.cpp: Added.
        (JSC::runtimeTypeForValue):
        (JSC::runtimeTypeAsString):
        * runtime/RuntimeType.h: Added.
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
        * runtime/TypeSet.h:
        * runtime/VM.cpp:
        (JSC::appendSourceToError):
        (JSC::VM::throwException):

2015-03-23  Filip Pizlo  <fpizlo@apple.com>

        JSC should have a low-cost asynchronous disassembler
        https://bugs.webkit.org/show_bug.cgi?id=142997

        Reviewed by Mark Lam.
        
        This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
        doesn't block execution. Some code will live a little longer because of this, since the
        work tasks hold a ref to the code, but other than that there is basically no overhead.
        
        At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
        provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
        the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
        JSC_asyncDisassembly has bizarre behavior - so just choose one.
        
        A simple way of understanding how great this is, is to run a small benchmark like
        V8Spider/earley-boyer.
        
        Performance without any disassembly flags: 60ms
        Performance with JSC_showDisassembly=true: 477ms
        Performance with JSC_asyncDisassembly=true: 65ms
        
        So, the overhead of disassembly goes from 8x to 8%.
        
        Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
        measuring benchmark performance. This is because at VM exit, we wait for all async
        disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
        after the benchmark completely finishes to finish the disassemblies. This small weirdness
        should be OK for the intended use-cases, since all you have to do to get around it is to
        measure the execution time of the benchmark payload rather than the end-to-end time of
        launching the VM.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::wasAlreadyDisassembled):
        (JSC::LinkBuffer::didAlreadyDisassemble):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::disassemble):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * disassembler/Disassembler.cpp:
        (JSC::disassembleAsynchronously):
        (JSC::waitForAsynchronousDisassembly):
        * disassembler/Disassembler.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jsc.cpp:
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::~VM):

2015-03-23  Dean Jackson  <dino@apple.com>

        ES7: Implement Array.prototype.includes
        https://bugs.webkit.org/show_bug.cgi?id=142707

        Reviewed by Geoffrey Garen.

        Add support for the ES7 includes method on Arrays.
        https://github.com/tc39/Array.prototype.includes

        * builtins/Array.prototype.js:
        (includes): Implementation in JS.
        * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.

2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>

        __defineGetter__/__defineSetter__ should throw exceptions
        https://bugs.webkit.org/show_bug.cgi?id=142934

        Reviewed by Geoffrey Garen.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        Throw exceptions when these functions are used directly.

2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>

        Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
        https://bugs.webkit.org/show_bug.cgi?id=142952

        Reviewed by Geoffrey Garen.

        * runtime/Structure.cpp:
        (JSC::PropertyTable::checkConsistency):
        The check offset method doesn't exist in PropertyTable, it exists in Structure.

        (JSC::Structure::checkConsistency):
        So move it here, and always put it at the start to match normal behavior.

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
        https://bugs.webkit.org/show_bug.cgi?id=142956

        Rubber stamped by Gyuyoung Kim.
        
        Just removing dead code.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGValueRecoveryOverride.h: Removed.

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
        https://bugs.webkit.org/show_bug.cgi?id=142948

        Reviewed by Sam Weinig.
        
        It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
        since a signal may clobber the area below the stack pointer. When the DFG is executing,
        the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
        baseline, we will use a different amount of stack. This is because baseline is a different
        compiler. It will make different decisions. So it will use a different amount of stack.
        
        This gets tricky when we are in the process of doing an OSR exit, because we are sort of
        incrementally transforming the stack from how it looked in the DFG to how it will look in
        baseline. The most conservative approach would be to set the stack pointer to the max of
        DFG and baseline.
        
        When this code was written, a reckless assumption was made: that the stack usage in
        baseline is always at least as large as the stack usage in DFG. Based on this incorrect
        assumption, the code first adjusts the stack pointer to account for the baseline stack
        usage. This sort of usually works, because usually baseline does happen to use more stack.
        But that's not an invariant. Nobody guarantees this. We will never make any changes that
        would make this be guaranteed, because that would be antithetical to how optimizing
        compilers work. The DFG should be allowed to use however much stack it decides that it
        should use in order to get good performance, and it shouldn't try to guarantee that it
        always uses less stack than baseline.
        
        As such, we must always assume that the frame size for DFG execution (i.e.
        frameRegisterCount) and the frame size in baseline once we exit (i.e.
        requiredRegisterCountForExit) are two independent quantities and they have no
        relationship.
        
        Fortunately, though, this code can be made correct by just moving the stack adjustment to
        just before we do conversions. This is because we have since changed the OSR exit
        algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
        drop it out of the scratch buffer and into the stack according to the baseline layo