[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-05-05  Filip Pizlo  <fpizlo@apple.com>

        Reduce thresholds that control the maximum IC stub size.

        Rubber stamped by Chris Dumez and Benjamin Poulain.
        
        This reduces the thresholds to before the megamorphic load optimizations to see if that
        recovers a PLT regression.

        * runtime/Options.h:

2016-05-05  Filip Pizlo  <fpizlo@apple.com>

        We shouldn't crash if DFG AI proved that something was unreachable on one run but then decided not to prove it on another run
        https://bugs.webkit.org/show_bug.cgi?id=157379

        Reviewed by Mark Lam.
        
        Any run of DFG AI is a fixpoint that loosens the proof until it can't find any more
        counterexamples to the proof.  It errs on the side of loosening proofs, i.e., on the side of
        proving fewer things.

        We run this fixpoint multiple times since there are multiple points in the DFG optimization
        pipeline when we run DFG AI.  Each of those runs completes a fixpoint and produces the
        tightest proof it can that did not result in counterexamples being found.

        It's possible that on run K of DFG AI, we prove some property, but on run K+1, we don't prove
        that property. The code could have changed between the two runs due to other phases. Other
        phases may modify the code in such a way that it's less amenable to AI's analysis. Our design
        allows this because DFG AI is not 100% precise. It defends itself from making unsound choices
        or running forever by sometimes punting on proving some property. It must be able to do this,
        and so therefore, it might sometimes prove fewer things on a later run.

        Currently in trunk if the property that AI proves on run K but fails to prove on run K+1 is
        the reachability of a piece of code, then run K+1 will crash on an assertion at the
        Unreachable node. It will complain that it reached an Unreachable. But it might be reaching
        that Unreachable because it failed to prove that something earlier was always exiting. That's
        OK, see above.

        So, we should remove the assertion that AI doesn't see Unreachable.
        
        No new tests because I don't know how to make this happen. I believe that this happens in the
        wild based on crash logs.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2016-05-05  Joseph Pecoraro  <pecoraro@apple.com>

        Crash if you type "debugger" in the console and continue
        https://bugs.webkit.org/show_bug.cgi?id=156924
        <rdar://problem/25884189>

        Reviewed by Mark Lam.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        Bail with an error when we are not paused.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):
        (Inspector::InspectorRuntimeAgent::saveResult):
        Update poor error message.

2016-05-05  Keith Miller  <keith_miller@apple.com>

        Add support for delete by value to the DFG
        https://bugs.webkit.org/show_bug.cgi?id=157372

        Reviewed by Filip Pizlo.

        This patch adds basic support for delete by value to the DFG. delete by value
        just calls out to a C++ operation on each execution. Additionally, this patch
        fixes an issue with delete by id where we would crash if the base was null
        or undefined.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDeleteById):
        (JSC::DFG::SpeculativeJIT::compileDeleteByVal):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_del_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_del_by_val):
        * tests/stress/delete-by-val.js: Added.
        (assert):
        (test):
        * tests/stress/delete-to-object-exception.js: Added.
        (assert):
        (test):

2016-05-05  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix after change set r200447.

        Made the detection of clang version XCode build specific.
        Now shouldEnableDebugAnnotations() should return false for all other build types.

        * offlineasm/config.rb:

2016-05-05  Joseph Pecoraro  <pecoraro@apple.com>

        Create console object lazily
        https://bugs.webkit.org/show_bug.cgi?id=157328

        Reviewed by Geoffrey Garen.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::createConsoleProperty):
        (JSC::JSGlobalObject::init): Deleted.

2016-05-04  Michael Saboff  <msaboff@apple.com>

        Enable Dwarf2 debug information in offline assembler for clang compiler
        https://bugs.webkit.org/show_bug.cgi?id=157364.

        Reviewed by Mark Lam.

        Added a new function shouldEnableDebugAnnotations() that determines if
        we are using clang and a new enough version to support the debug annotations.

        * offlineasm/config.rb:
        (shouldEnableDebugAnnotations): Added.

2016-05-04  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix test for new ArrayIteratorPrototype.next() error message.

        * tests/stress/array-iterators-next-with-call.js:

2016-05-04  Filip Pizlo  <fpizlo@apple.com>

        Speed up JSGlobalObject initialization by making some properties lazy
        https://bugs.webkit.org/show_bug.cgi?id=157045

        Reviewed by Keith Miller.
        
        This makes about half of JSGlobalObject's state lazy. There are three categories of
        state in JSGlobalObject:
        
        1) C++ fields in JSGlobalObject.
        2) JS object properties in JSGlobalObject's JSObject superclass.
        3) JS variables in JSGlobalObject's JSSegmentedVariableObject superclass.
        
        State held in JS variables cannot yet be made lazy. That's why this patch only goes
        half-way.
        
        State in JS object properties can be made lazy if we move it to the static property
        hashtable. JSGlobalObject already had one of those. This patch makes static property
        hashtables a lot more powerful, by adding three new kinds of static properties. These
        new kinds allow us to make almost all of JSGlobalObject's object properties lazy.
        
        State in C++ fields can now be made lazy thanks in part to WTF's support for stateless
        lambdas. You can of course make anything lazy by hand, but there are many C++ fields in
        JSGlobalObject and we are adding more all the time. We don't want to require that each
        of these has a getter with an initialization check and a corresponding out-of-line slow
        path that does the initialization. We want this kind of boilerplate to be handled by
        some abstractions.
        
        The primary abstraction introduced in this patch is LazyProperty<Type>. Currently, this
        only works where Type is a subclass of JSCell. Such a property holds a pointer to Type.
        You can use it like you would a WriteBarrier<Type>. It even has set() and get() methods,
        so it's almost a drop-in replacement.
        
        The key to LazyProperty<Type>'s power is that you can do this:
        
            class Bar {
                ...
                LazyProperty<Foo> m_foo;
            };
            ...
            m_foo.initLater(
                [] (const LazyProperty<Foo>::Initializer<Bar>& init) {
                    init.set(Foo::create(init.vm, init.owner));
                });
        
        This initLater() call requires that you pass a stateless lambda (see WTF changelog for
        the definition). Miraculously, this initLater() call is guaranteed to compile to a store
        of a pointer constant to m_foo, as in:
        
            movabsq 0xBLAH, %rax
            movq %rax, &m_foo
        
        This magical pointer constant points to a callback that was generated by the template
        instantiation of initLater(). That callback knows to call your stateless lambda, but
        also does some other bookkeeping: it makes sure that you indeed initialized the property
        inside the callback and it manages recursive initializations. It's totally legal to call
        m_foo.get() inside the initLater() callback. If you do that before you call init.set(),
        m_foo.get() will return null. This is an excellent escape hatch if we ever find
        ourselves in a dependency cycle. I added this feature because I already had to create a
        dependency cycle.
        
        Note that using LazyProperties from DFG threads is super awkward. It's going to be hard
        to get this right. The DFG thread cannot initialize those fields, so it has to make sure
        that it does conservative things. But for some nodes this could mean adding a lot of new
        logic, like NewTypedArray, which currently is written in such a way that it assumes that
        we always have the typed array structure. Currently we take a two-fold approach: for
        typed arrays we don't handle the NewTypedArray intrinsic if the structure isn't
        initialized, and for everything else we don't make the properties lazy if the DFG needs
        them. As we optimize this further we might need to teach the DFG to handle more lazy
        properties. I tried to do this for RegExp but found it to be very confusing. With typed
        arrays I got lucky.
        
        There is also a somewhat more powerful construct called LazyClassStructure. We often
        need to keep around the structure of some standard JS class, like Date. We also need to
        make sure that the constructor ends up in the global object's property table. And we
        often need to keep the original value of the constructor for ourselves. In this case, we
        want to make sure that the creation of the structure-prototype-constructor constellation
        is atomic. We don't want code to start looking at the structure if it points to a
        prototype that doesn't have its "constructor" property set yet, for example.
        LazyClassStructure solves this by abstracting that whole initialization. You provide the
        callback that allocates everything, since we are super inconsistent about the way we
        initialize things, but LazyClassStructure establishes the workflow and helps you not
        mess up.
        
        Finally, the new static hashtable attributes allow for all of this to work with the JS
        property table:
        
        PropertyCallback: if you use this attribute, the second column in the table should be
        the name of a function to call to initialize this property. This is useful for things
        like the Math property. The Math object turns out to be very expensive to allocate.
        Delaying its allocation is super easy with the PropertyCallback attribute.
        
        CellProperty: with this attribute the second column should be a C++ field name like
        JSGlobalObject::m_evalErrorConstructor. The static hashtable will grab the offset of
        this property, and when it needs to be initialized, Lookup will assume you have a
        LazyProperty<JSCell> and call its get() method. It will initialize the property to
        whatever get() returned. Note that it's legal to cast a LazyProperty<Anything> to
        LazyProperty<JSCell> for the purpose of calling get() because the get() method will just
        call whatever callback function pointer is encoded in the property and it does not need
        to know anything about what type that callback will instantiate.
        
        ClassStructure: with this attribute the second column should be a C++ field name. The
        static hashtable will initialize the property by treating the field as a
        LazyClassStructure and it will call get(). LazyClassStructure completely owns the whole
        initialization workflow, so Lookup assumes that when LazyClassStructure::get() returns,
        the property in question will already be set. By convention, we have LazyClassStructure
        initialize the property with a pointer to the constructor, since that's how all of our
        classes work: "globalObject.Date" points to the DateConstructor.
        
        This is a 2x speed-up in JSGlobalObject initialization time in a microbenchmark that
        calls our C API. This is a 1% speed-up on SunSpider and JSRegress.
        
        Rolling this back in after fixing the function pointer alignment issue. The last version
        relied on function pointers being aligned to a 4-byte boundary. We cannot rely on this,
        especially since ARMv7 uses the low bit of function pointers as a tag to indicate the
        instruction set. This version adds an extra indirection, so that
        LazyProperty<>::m_pointer points to a pointer that points to the function. A pointer to
        a pointer is guaranteed to be at least 4-byte aligned.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::create):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::create):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * create_hash_table:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::DebuggerScope):
        * debugger/DebuggerScope.h:
        (JSC::DebuggerScope::jsScope):
        (JSC::DebuggerScope::create): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::visitChildren):
        (JSC::InternalFunction::name):
        (JSC::InternalFunction::calculatedDisplayName):
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/InternalFunction.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundSlotBaseFunction.cpp:
        (JSC::JSBoundSlotBaseFunction::create):
        * runtime/JSFunction.cpp:
        (JSC::retrieveCallerFunction):
        (JSC::getThrowTypeErrorGetterSetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGlobalObject.cpp:
        (JSC::createProxyProperty):
        (JSC::createJSONProperty):
        (JSC::createMathProperty):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        (JSC::JSGlobalObject::resetPrototype):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::toThis):
        (JSC::JSGlobalObject::getOwnPropertySlot):
        (JSC::JSGlobalObject::createThrowTypeError): Deleted.
        (JSC::JSGlobalObject::createThrowTypeErrorArgumentsAndCaller): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectConstructor):
        (JSC::JSGlobalObject::promiseConstructor):
        (JSC::JSGlobalObject::internalPromiseConstructor):
        (JSC::JSGlobalObject::evalErrorConstructor):
        (JSC::JSGlobalObject::rangeErrorConstructor):
        (JSC::JSGlobalObject::referenceErrorConstructor):
        (JSC::JSGlobalObject::syntaxErrorConstructor):
        (JSC::JSGlobalObject::typeErrorConstructor):
        (JSC::JSGlobalObject::URIErrorConstructor):
        (JSC::JSGlobalObject::nullGetterFunction):
        (JSC::JSGlobalObject::nullSetterFunction):
        (JSC::JSGlobalObject::callFunction):
        (JSC::JSGlobalObject::applyFunction):
        (JSC::JSGlobalObject::definePropertyFunction):
        (JSC::JSGlobalObject::arrayProtoValuesFunction):
        (JSC::JSGlobalObject::initializePromiseFunction):
        (JSC::JSGlobalObject::newPromiseCapabilityFunction):
        (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
        (JSC::JSGlobalObject::regExpProtoExecFunction):
        (JSC::JSGlobalObject::regExpProtoSymbolReplaceFunction):
        (JSC::JSGlobalObject::regExpProtoGlobalGetter):
        (JSC::JSGlobalObject::regExpProtoUnicodeGetter):
        (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
        (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerGetterSetter):
        (JSC::JSGlobalObject::moduleLoader):
        (JSC::JSGlobalObject::objectPrototype):
        (JSC::JSGlobalObject::functionPrototype):
        (JSC::JSGlobalObject::arrayPrototype):
        (JSC::JSGlobalObject::booleanPrototype):
        (JSC::JSGlobalObject::stringPrototype):
        (JSC::JSGlobalObject::symbolPrototype):
        (JSC::JSGlobalObject::numberPrototype):
        (JSC::JSGlobalObject::datePrototype):
        (JSC::JSGlobalObject::regExpPrototype):
        (JSC::JSGlobalObject::errorPrototype):
        (JSC::JSGlobalObject::iteratorPrototype):
        (JSC::JSGlobalObject::generatorFunctionPrototype):
        (JSC::JSGlobalObject::generatorPrototype):
        (JSC::JSGlobalObject::debuggerScopeStructure):
        (JSC::JSGlobalObject::withScopeStructure):
        (JSC::JSGlobalObject::strictEvalActivationStructure):
        (JSC::JSGlobalObject::activationStructure):
        (JSC::JSGlobalObject::moduleEnvironmentStructure):
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::clonedArgumentsStructure):
        (JSC::JSGlobalObject::isOriginalArrayStructure):
        (JSC::JSGlobalObject::booleanObjectStructure):
        (JSC::JSGlobalObject::callbackConstructorStructure):
        (JSC::JSGlobalObject::callbackFunctionStructure):
        (JSC::JSGlobalObject::callbackObjectStructure):
        (JSC::JSGlobalObject::propertyNameIteratorStructure):
        (JSC::JSGlobalObject::objcCallbackFunctionStructure):
        (JSC::JSGlobalObject::objcWrapperObjectStructure):
        (JSC::JSGlobalObject::dateStructure):
        (JSC::JSGlobalObject::nullPrototypeObjectStructure):
        (JSC::JSGlobalObject::errorStructure):
        (JSC::JSGlobalObject::calleeStructure):
        (JSC::JSGlobalObject::functionStructure):
        (JSC::JSGlobalObject::boundFunctionStructure):
        (JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
        (JSC::JSGlobalObject::getterSetterStructure):
        (JSC::JSGlobalObject::nativeStdFunctionStructure):
        (JSC::JSGlobalObject::namedFunctionStructure):
        (JSC::JSGlobalObject::functionNameOffset):
        (JSC::JSGlobalObject::numberObjectStructure):
        (JSC::JSGlobalObject::privateNameStructure):
        (JSC::JSGlobalObject::mapStructure):
        (JSC::JSGlobalObject::regExpStructure):
        (JSC::JSGlobalObject::generatorFunctionStructure):
        (JSC::JSGlobalObject::setStructure):
        (JSC::JSGlobalObject::stringObjectStructure):
        (JSC::JSGlobalObject::symbolObjectStructure):
        (JSC::JSGlobalObject::iteratorResultObjectStructure):
        (JSC::JSGlobalObject::lazyTypedArrayStructure):
        (JSC::JSGlobalObject::typedArrayStructure):
        (JSC::JSGlobalObject::typedArrayStructureConcurrently):
        (JSC::JSGlobalObject::isOriginalTypedArrayStructure):
        (JSC::JSGlobalObject::typedArrayConstructor):
        (JSC::JSGlobalObject::actualPointerFor):
        (JSC::JSGlobalObject::internalFunctionStructure): Deleted.
        * runtime/JSNativeStdFunction.cpp:
        (JSC::JSNativeStdFunction::create):
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::create):
        (JSC::JSWithScope::visitChildren):
        (JSC::JSWithScope::createStructure):
        (JSC::JSWithScope::JSWithScope):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::object):
        (JSC::JSWithScope::create): Deleted.
        (JSC::JSWithScope::createStructure): Deleted.
        (JSC::JSWithScope::JSWithScope): Deleted.
        * runtime/LazyClassStructure.cpp: Added.
        (JSC::LazyClassStructure::Initializer::Initializer):
        (JSC::LazyClassStructure::Initializer::setPrototype):
        (JSC::LazyClassStructure::Initializer::setStructure):
        (JSC::LazyClassStructure::Initializer::setConstructor):
        (JSC::LazyClassStructure::visit):
        (JSC::LazyClassStructure::dump):
        * runtime/LazyClassStructure.h: Added.
        (JSC::LazyClassStructure::LazyClassStructure):
        (JSC::LazyClassStructure::get):
        (JSC::LazyClassStructure::prototype):
        (JSC::LazyClassStructure::constructor):
        (JSC::LazyClassStructure::getConcurrently):
        (JSC::LazyClassStructure::prototypeConcurrently):
        (JSC::LazyClassStructure::constructorConcurrently):
        * runtime/LazyClassStructureInlines.h: Added.
        (JSC::LazyClassStructure::initLater):
        * runtime/LazyProperty.h: Added.
        (JSC::LazyProperty::Initializer::Initializer):
        (JSC::LazyProperty::LazyProperty):
        (JSC::LazyProperty::get):
        (JSC::LazyProperty::getConcurrently):
        * runtime/LazyPropertyInlines.h: Added.
        (JSC::ElementType>::Initializer::set):
        (JSC::ElementType>::initLater):
        (JSC::ElementType>::setMayBeNull):
        (JSC::ElementType>::set):
        (JSC::ElementType>::visit):
        (JSC::ElementType>::dump):
        (JSC::ElementType>::callFunc):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::accessorGetter):
        (JSC::HashTableValue::accessorSetter):
        (JSC::HashTableValue::constantInteger):
        (JSC::HashTableValue::lexerValue):
        (JSC::HashTableValue::lazyCellPropertyOffset):
        (JSC::HashTableValue::lazyClassStructureOffset):
        (JSC::HashTableValue::lazyPropertyCallback):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::reifyStaticProperty):
        * runtime/PropertySlot.h:
        * runtime/TypedArrayType.h:

2016-05-04  Joseph Pecoraro  <pecoraro@apple.com>

        Improve the grammar of some error messages 'a argument list' => 'an argument list'
        https://bugs.webkit.org/show_bug.cgi?id=157350
        <rdar://problem/26082108>

        Reviewed by Mark Lam.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseImportDeclaration):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseArguments):
        Use the alternate error message formatter macro which outputs 'an'
        instead of 'a' preceding the last argument.

2016-05-04  Keith Miller  <keith_miller@apple.com>

        Corrections to r200422
        https://bugs.webkit.org/show_bug.cgi?id=157351

        Reviewed by Joseph Pecoraro.

        Fix some typos in various files. Also, make separate error messages
        for the this value being undefined vs null in the ArrayIteratorprototype
        next function and add test.

        * Scripts/builtins/builtins_model.py:
        * builtins/ArrayIteratorPrototype.js:
        (next):
        (arrayIteratorValueNext):
        (arrayIteratorKeyNext):
        (arrayIteratorKeyValueNext):
        * builtins/ArrayPrototype.js:
        (keys):
        (entries):
        * builtins/TypedArrayPrototype.js:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Deleted.
        * tests/stress/array-iterators-next-error-messages.js: Added.
        (assert):
        (catch):

2016-05-04  Keith Miller  <keith_miller@apple.com>

        Unreviewed, reland r200149 since the rollout had inconclusive PLT AB testing results.

2016-05-04  Mark Lam  <mark.lam@apple.com>

        ES6 Function.name inferred from property names of literal objects can break some websites.
        https://bugs.webkit.org/show_bug.cgi?id=157246

        Reviewed by Geoffrey Garen.

        Specifically, the library mathjs (see http://mathjs.org and https://github.com/josdejong/mathjs)
        uses an idiom where it created literal objects with property names that look like
        this: 'number | BigNumber | Unit'.  Later, this name is used in a string to create
        function source code that gets eval'ed.  Since 'number | BigNumber | Unit' is not
        a valid function name, we get a syntax error.

        Here are the details:

        1. mathjs uses object literals with the funky property names for its function members.
           For example, 

              // helper function to type check the middle value of the array
              var middle = typed({
                'number | BigNumber | Unit': function (value) {
                  return value;
                }
              });

        2. mathjs' getName() uses Function.name to get the name of functions (hence, picks
           up the property name as inferred value of Function.name as specified by ES6):

                /**
                 * Retrieve the function name from a set of functions, and check
                 * whether the name of all functions match (if given)
                 ...
                 */
                function getName (fns) {
                  var name = '';

                  for (var i = 0; i < fns.length; i++) {
                    var fn = fns[i];
                    ...
                        name = fn.name;
                    ...
                  return name;
                }

        3. mathjs uses that name to assembler new function source code that gets eval'ed:

                /**
                 * Compose a function from sub-functions each handling a single type signature.
                 ...
                 */
                function _typed(name, signatures) {
                  ...
                  // generate code for the typed function
                  var code = [];
                  var _name = name || '';
                  ...
                  code.push('function ' + _name + '(' + _args.join(', ') + ') {');
                  code.push('  "use strict";');
                  code.push('  var name = \'' + _name + '\';');
                  code.push(node.toCode(refs, '  '));
                  code.push('}');

                  // generate body for the factory function
                  var body = [
                    refs.toCode(),
                    'return ' + code.join('\n')
                  ].join('\n');

                  // evaluate the JavaScript code and attach function references
                  var factory = (new Function(refs.name, 'createError', body));  // <== Syntax Error here!
                  var fn = factory(refs, createError);
                  ...
                  return fn;
                }

        Until mathjs (and any other frameworks that does similar things) and sites that
        uses mathjs has been updated to work with ES6, we'll need a compatibility hack to
        work around it.

        Here's what we'll do:
        1. Introduce a needsSiteSpecificQuirks flag in JSGlobalObject.
        2. Have WebCore's JSDOMWindowBase set that flag if the browser's
           needsSiteSpecificQuirks is enabled in its settings.
        3. If needsSiteSpecificQuirks is enabled, have JSFunction::reifyName() check for
           ' ' or '|' in the name string it will use to reify the Function.name property.
           If those characters exists in the name, we'll replace the name string with a
           null string.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::reifyName):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::needsSiteSpecificQuirks):
        (JSC::JSGlobalObject::GlobalPropertyInfo::GlobalPropertyInfo):
        (JSC::JSGlobalObject::setNeedsSiteSpecificQuirks):

2016-05-04  Keith Miller  <keith_miller@apple.com>

        Speedup array iterators
        https://bugs.webkit.org/show_bug.cgi?id=157315

        Reviewed by Michael Saboff.

        This patch improves the performance of Array iterators in ES6. There are two main changes
        that make things faster. The first is that the value, keys and entries functions have been
        moved to JS. This enables us to inline the construction of the iterator. Thus, when we get
        to the FTL we are able to sink the allocation of the iterator object. This significantly
        improves the performance of any for-of loop since we are now able to have both the iteration
        counter and the iterated object in local variables rather than in the heap.

        Secondly, instead of using a number to store the iteratation kind we now use a virtual
        method on the iteration object to indicate which next function to use. This ends up being
        helpful because it means we can eliminate the branches in the old next function that decide
        what value to return. With those branches gone the various next functions are now small
        enough to inline. Once the next functions are inlined then the FTL is able to sink the
        allocation of next() result object. There is still room for optimization in the loop since
        we currently don't recognize that the array access in the next function is in bounds or that
        the increment to the loop counter cannot overflow.

        The overall performance changes appear to be a ~4-6x speedup in a simple microbenchmark that
        computes the sum of an array with some extra arithmetic. The variance depends on the exact
        body of the loop. Additionally, on a new regress test that changes all the loops in
        deltablue into for-of loops this patch is a 1.8x progression. Overall, it still looks like
        for-of loops are significantly slower than an indexed for loop. In the first test it's ~2-4x
        slower with the difference depending on the body of the loop. If the loop is just the sum
        then we see a much larger regression than if the loop does even simple arithmetic. It looks
        like the indexed for loop without extra arithmetic is small enough to fit into the x86
        replay buffer on my machine, which would explain why there is such a big difference between
        the for of loop in that case. On the deltablue benchmark it's 1.4x slower. It's clear from
        these numbers that there is still a lot of work we can do to make for of loops faster.

        This patch also makes some changes to the way that we decorate our builtin js
        functions. Instead of the old syntax (putting the decorated values in [] before the function
        declaration i.e. [intrinsic=foo]) this patch changes the syntax to be closer to the way that
        decorators are proposed in a future ECMAScript proposal (using @ followed by the entry on a
        new line before the function declaration i.e. @intrinsic=foo).

        Finally, in the builtin scripts regular expressions re.S has been changed to re.DOTALL since
        DOTALL is easier to understand without going to the reference page for python regular
        expressions.

        * Scripts/builtins/builtins_model.py:
        * builtins/ArrayIteratorPrototype.js:
        (next):
        (arrayIteratorValueNext):
        (arrayIteratorKeyNext):
        (arrayIteratorKeyValueNext):
        * builtins/ArrayPrototype.js:
        (createArrayIterator):
        (values):
        (keys):
        (entries):
        * builtins/RegExpPrototype.js:
        (intrinsic.RegExpTestIntrinsic.test):
        * builtins/StringPrototype.js:
        (intrinsic.StringPrototypeReplaceIntrinsic.replace):
        * builtins/TypedArrayPrototype.js:
        (values):
        (keys):
        (entries):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::cloneArrayIteratorObject):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * jit/ThunkGenerators.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncValues): Deleted.
        (JSC::arrayProtoFuncEntries): Deleted.
        (JSC::arrayProtoFuncKeys): Deleted.
        * runtime/CommonIdentifiers.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::clone): Deleted.
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncEntries): Deleted.
        (JSC::genericTypedArrayViewProtoFuncKeys): Deleted.
        (JSC::typedArrayViewProtoFuncValues): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        (JSC::typedArrayViewProtoFuncEntries): Deleted.
        (JSC::typedArrayViewProtoFuncKeys): Deleted.
        (JSC::typedArrayViewProtoFuncValues): Deleted.
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):

2016-05-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Object constructor need to be aware of new.target
        https://bugs.webkit.org/show_bug.cgi?id=157196

        Reviewed by Darin Adler.

        Object constructor should be aware of new.target.
        When the new.target is specified, we should store it.prototype to the newly created
        object's [[Prototype]].

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        Take the design that caches the structure used for empty object.
        This structure is also used in constructEmptyObject frequently.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectStructureForObjectConstructor):
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::constructWithObjectConstructor):
        (JSC::callObjectConstructor):
        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject):
        Construct the object by using the plain structure that is also used in the ObjectConstructor.

        * tests/stress/object-constructor-should-be-new-target-aware.js: Added.
        (shouldBe):
        (Hello):

2016-05-04  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r200383 and r200406.

        Seems to have caused crashes on iOS / ARMv7s

        Reverted changesets:

        "Speed up JSGlobalObject initialization by making some
        properties lazy"
        https://bugs.webkit.org/show_bug.cgi?id=157045
        http://trac.webkit.org/changeset/200383

        "REGRESSION(r200383): Setting lazily initialized properties
        across frame boundaries crashes"
        https://bugs.webkit.org/show_bug.cgi?id=157333
        http://trac.webkit.org/changeset/200406

2016-05-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Assertion failure for super() call in direct eval in method function
        https://bugs.webkit.org/show_bug.cgi?id=157091

        Reviewed by Darin Adler.

        While we ensure that direct super is under the correct context,
        we don't check it for the eval code. This patch moves the check from the end of parsing the function
        to the places where we found the direct super or the super bindings. This covers the direct eval that
        contains the direct super calls.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Scope::hasDirectSuper):
        (JSC::Scope::setHasDirectSuper):
        (JSC::Scope::needsSuperBinding):
        (JSC::Scope::setNeedsSuperBinding):
        (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
        * tests/stress/eval-and-super.js: Added.
        (shouldBe):
        (shouldThrow):
        (prototype.m):
        (prototype.n):
        * tests/stress/generator-and-super.js: Added.
        (testSyntaxError):
        (testSyntaxError.Base.prototype.hello):
        (testSyntaxError.Base.prototype.ok):
        (testSyntaxError.Base):
        (Hello.prototype.gen):
        (Hello):
        (testSyntaxError.hello):

2016-05-03  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes
        https://bugs.webkit.org/show_bug.cgi?id=157333

        Reviewed by Benjamin Poulain.
        
        I forgot to add logic for lazy properties in putEntry(). It turns out that it's easy to
        add.

        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PropertySlot.h:

2016-05-03  Filip Pizlo  <fpizlo@apple.com>

        References from code to Structures should be stronger than weak
        https://bugs.webkit.org/show_bug.cgi?id=157324

        Reviewed by Mark Lam.
        
        If code refers to a Structure and the Structure dies, then previously we'd kill the code. 
        This makes sense because the Structure could be the only thing left referring to some global
        object or prototype.

        But this also causes unnecessary churn. Sometimes there will be a structure that we just
        haven't really done anything with recently and so it appears dead. The approach we use
        elsewhere in our type inference is that the type that the code uses is general enough to
        handle every past execution. Having the GC clear code when some Structure it uses dies means
        that we forget that the code used that Structure. We'll either assume that the code is more
        monomorphic than it really is (because after GC we patch in some other structure but not the
        deleted one, so it looks like we only ever saw the new structure), or we'll assume that it's
        crazier than it really is (because we'll remember that there had been some structure that
        caused deletion, so we'll assume that deletions might happen in the future, so we'll use a
        fully dynamic IC).

        This change introduces a more nuanced policy: if it's cheap to mark a dead Structure then we
        should mark it just so that all of the code that refers to it remembers that there had been
        this exact Structure in the past. If the code often goes through different Structures then
        we already have great mechanisms to realize that the code is nutty (namely, the
        PolymorphicAccess size limit). But if the code just does this a handful of times then
        remembering this old Structure is probably net good:

        - It obeys the "handle all past executions" law.
        - It preserves the history of the property access, allowing a precise measure of its past
          polymorphism.
        - It makes the code ready to run fast if the user decides to use that Structure again.
          Marking the Structure means it will stay in whatever property transition tables it was in,
          so if the program does the same thing it did in the past, it will get this old Structure.

        It looks like this is a progression in gbemu and it makes gbemu perform more
        deterministically. Also, it seems that this makes JetStream run faster.
        
        Over five in-browser runs of JetStream, here's what we see before and after:
        
        Geometric Mean:
            Before              After
            229.23 +- 8.2523    230.70 +- 12.888
            232.91 +- 15.638    239.04 +- 13.766
            234.79 +- 12.760    236.32 +- 15.562
            236.20 +- 23.125    242.02 +- 3.3865
            237.22 +- 2.1929    237.23 +- 17.664
        
        Just gbemu:
            Before              After
            541.0 +- 135.8      481.7 +- 143.4
            518.9 +- 15.65      508.1 +- 136.3
            362.5 +- 0.8884     489.7 +- 101.4
            470.7 +- 313.3      530.7 +- 11.49
            418.7 +- 180.6      537.2 +- 6.514
        
        Notice that there is plenty of noise before and after, but the noise is now far less severe.
        After this change I did not see any runs like "470.7 +- 313.3" where the size of the 
        confidence interval (313.3 * 2) is greater than the score (470.7). Also, notice that the
        least noisy run before the change also got a lower score than we ever observed after the
        change (36.5 +- 0.8884). The noise, and these occasional very low scores, are due to a
        pathology where the GC would reset some stubs at an unfortunate time during profiling,
        causing the optimizing compiler to make many poor decisions. That pathology doesn't exist
        anymore.
        
        On the other hand, prior to this change it was possible for gbemu to sometimes run sooooper
        fast because the GC would cause the profiler to forget gbemu's behavior on the first tick
        and focus only on its behavior in subsequent ticks. So, in steady state, we'd optimize gbemu
        for its later behavior rather than a combination of its early behavior and later behavior.
        We rarely got lucky this way, so it's not fair to view this quirk as a feature.
        
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::propagateTransitions):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::visitWeak):
        (JSC::AccessCase::propagateTransitions):
        (JSC::AccessCase::generateWithGuard):
        (JSC::PolymorphicAccess::visitWeak):
        (JSC::PolymorphicAccess::propagateTransitions):
        (JSC::PolymorphicAccess::dump):
        * bytecode/PolymorphicAccess.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::visitWeakReferences):
        (JSC::StructureStubInfo::propagateTransitions):
        (JSC::StructureStubInfo::containsPC):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):
        (JSC::Structure::isCheapDuringGC):
        (JSC::Structure::markIfCheap):
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        * runtime/Structure.h:

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Simplify console.clear
        https://bugs.webkit.org/show_bug.cgi?id=157316

        Reviewed by Timothy Hatcher.

        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::createEmpty):
        (Inspector::ScriptArguments::ScriptArguments):
        * inspector/ScriptArguments.h:
        Provide a way to create an empty list.

        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::clear):
        * runtime/ConsoleClient.h:
        Drop unnecessary parameter.

        * runtime/ConsoleObject.cpp:
        (JSC::consoleProtoFuncClear):
        No need to parse arguments.

2016-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Improve Symbol() to string coercion error message
        https://bugs.webkit.org/show_bug.cgi?id=157317

        Reviewed by Geoffrey Garen.

        Improve error messages related to Symbols.

        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toStringSlowCase):
        * runtime/Symbol.cpp:
        (JSC::Symbol::toNumber):
        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * tests/stress/dfg-to-primitive-pass-symbol.js:
        * tests/stress/floating-point-div-to-mul.js:
        (i.catch):
        * tests/stress/string-from-code-point.js:
        (shouldThrow):
        (string_appeared_here.shouldThrow):
        * tests/stress/symbol-error-messages.js: Added.
        (shouldThrow):
        * tests/stress/symbol-registry.js:

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Give console.time/timeEnd a default label and warnings
        https://bugs.webkit.org/show_bug.cgi?id=157325
        <rdar://problem/26073290>

        Reviewed by Timothy Hatcher.

        Provide more user friendly console.time/timeEnd. The timer name
        is now optional, and is "default" if not provided. Also provide
        warnings when attempting to start an already started timer,
        or stop a timer that does not exist.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::startTiming):
        (Inspector::InspectorConsoleAgent::stopTiming):
        Warnings for bad cases.

        * runtime/ConsoleObject.cpp:
        (JSC::defaultLabelString):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        Optional label becomes "default".

2016-05-03  Xan Lopez  <xlopez@igalia.com>

        Fix the ENABLE(WEBASSEMBLY) build
        https://bugs.webkit.org/show_bug.cgi?id=157312

        Reviewed by Darin Adler.

        * runtime/Executable.cpp:
        (JSC::WebAssemblyExecutable::WebAssemblyExecutable):
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::convertValueToDouble):

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused parameter of ScriptArguments::getFirstArgumentAsString
        https://bugs.webkit.org/show_bug.cgi?id=157301

        Reviewed by Timothy Hatcher.

        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getFirstArgumentAsString):
        * inspector/ScriptArguments.h:
        Remove unused argument and related code.

        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        Drive by remove unnecessary cast.

2016-05-03  Michael Saboff  <msaboff@apple.com>

        Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated
        https://bugs.webkit.org/show_bug.cgi?id=157322

        Reviewed by Filip Pizlo.

        Check to see if the source array has changed length before calling fastSlice().
        If it has, take the slow path.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        * tests/stress/regress-157322.js: New test.

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Eliminate PassRefPtr conversion from ConsoleObject
        https://bugs.webkit.org/show_bug.cgi?id=157300

        Reviewed by Timothy Hatcher.

        * runtime/ConsoleObject.cpp:
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        No need to release to a PassRefPtr, we can just move into the RefPtr<>&&.

2016-05-01  Filip Pizlo  <fpizlo@apple.com>

        Speed up JSGlobalObject initialization by making some properties lazy
        https://bugs.webkit.org/show_bug.cgi?id=157045

        Reviewed by Keith Miller.
        
        This makes about half of JSGlobalObject's state lazy. There are three categories of
        state in JSGlobalObject:
        
        1) C++ fields in JSGlobalObject.
        2) JS object properties in JSGlobalObject's JSObject superclass.
        3) JS variables in JSGlobalObject's JSSegmentedVariableObject superclass.
        
        State held in JS variables cannot yet be made lazy. That's why this patch only goes
        half-way.
        
        State in JS object properties can be made lazy if we move it to the static property
        hashtable. JSGlobalObject already had one of those. This patch makes static property
        hashtables a lot more powerful, by adding three new kinds of static properties. These
        new kinds allow us to make almost all of JSGlobalObject's object properties lazy.
        
        State in C++ fields can now be made lazy thanks in part to WTF's support for stateless
        lambdas. You can of course make anything lazy by hand, but there are many C++ fields in
        JSGlobalObject and we are adding more all the time. We don't want to require that each
        of these has a getter with an initialization check and a corresponding out-of-line slow
        path that does the initialization. We want this kind of boilerplate to be handled by
        some abstractions.
        
        The primary abstraction introduced in this patch is LazyProperty<Type>. Currently, this
        only works where Type is a subclass of JSCell. Such a property holds a pointer to Type.
        You can use it like you would a WriteBarrier<Type>. It even has set() and get() methods,
        so it's almost a drop-in replacement.
        
        The key to LazyProperty<Type>'s power is that you can do this:
        
            class Bar {
                ...
                LazyProperty<Foo> m_foo;
            };
            ...
            m_foo.initLater(
                [] (const LazyProperty<Foo>::Initializer<Bar>& init) {
                    init.set(Foo::create(init.vm, init.owner));
                });
        
        This initLater() call requires that you pass a stateless lambda (see WTF changelog for
        the definition). Miraculously, this initLater() call is guaranteed to compile to a store
        of a pointer constant to m_foo, as in:
        
            movabsq 0xBLAH, %rax
            movq %rax, &m_foo
        
        This magical pointer constant points to a callback that was generated by the template
        instantiation of initLater(). That callback knows to call your stateless lambda, but
        also does some other bookkeeping: it makes sure that you indeed initialized the property
        inside the callback and it manages recursive initializations. It's totally legal to call
        m_foo.get() inside the initLater() callback. If you do that before you call init.set(),
        m_foo.get() will return null. This is an excellent escape hatch if we ever find
        ourselves in a dependency cycle. I added this feature because I already had to create a
        dependency cycle.
        
        Note that using LazyProperties from DFG threads is super awkward. It's going to be hard
        to get this right. The DFG thread cannot initialize those fields, so it has to make sure
        that it does conservative things. But for some nodes this could mean adding a lot of new
        logic, like NewTypedArray, which currently is written in such a way that it assumes that
        we always have the typed array structure. Currently we take a two-fold approach: for
        typed arrays we don't handle the NewTypedArray intrinsic if the structure isn't
        initialized, and for everything else we don't make the properties lazy if the DFG needs
        them. As we optimize this further we might need to teach the DFG to handle more lazy
        properties. I tried to do this for RegExp but found it to be very confusing. With typed
        arrays I got lucky.
        
        There is also a somewhat more powerful construct called LazyClassStructure. We often
        need to keep around the structure of some standard JS class, like Date. We also need to
        make sure that the constructor ends up in the global object's property table. And we
        often need to keep the original value of the constructor for ourselves. In this case, we
        want to make sure that the creation of the structure-prototype-constructor constellation
        is atomic. We don't want code to start looking at the structure if it points to a
        prototype that doesn't have its "constructor" property set yet, for example.
        LazyClassStructure solves this by abstracting that whole initialization. You provide the
        callback that allocates everything, since we are super inconsistent about the way we
        initialize things, but LazyClassStructure establishes the workflow and helps you not
        mess up.
        
        Finally, the new static hashtable attributes allow for all of this to work with the JS
        property table:
        
        PropertyCallback: if you use this attribute, the second column in the table should be
        the name of a function to call to initialize this property. This is useful for things
        like the Math property. The Math object turns out to be very expensive to allocate.
        Delaying its allocation is super easy with the PropertyCallback attribute.
        
        CellProperty: with this attribute the second column should be a C++ field name like
        JSGlobalObject::m_evalErrorConstructor. The static hashtable will grab the offset of
        this property, and when it needs to be initialized, Lookup will assume you have a
        LazyProperty<JSCell> and call its get() method. It will initialize the property to
        whatever get() returned. Note that it's legal to cast a LazyProperty<Anything> to
        LazyProperty<JSCell> for the purpose of calling get() because the get() method will just
        call whatever callback function pointer is encoded in the property and it does not need
        to know anything about what type that callback will instantiate.
        
        ClassStructure: with this attribute the second column should be a C++ field name. The
        static hashtable will initialize the property by treating the field as a
        LazyClassStructure and it will call get(). LazyClassStructure completely owns the whole
        initialization workflow, so Lookup assumes that when LazyClassStructure::get() returns,
        the property in question will already be set. By convention, we have LazyClassStructure
        initialize the property with a pointer to the constructor, since that's how all of our
        classes work: "globalObject.Date" points to the DateConstructor.
        
        This is a 2x speed-up in JSGlobalObject initialization time in a microbenchmark that
        calls our C API. This is a 1% speed-up on SunSpider and JSRegress.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::create):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::create):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * create_hash_table:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::visitChildren):
        (JSC::InternalFunction::name):
        (JSC::InternalFunction::calculatedDisplayName):
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/InternalFunction.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGlobalObject.cpp:
        (JSC::createProxyProperty):
        (JSC::createJSONProperty):
        (JSC::createMathProperty):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        (JSC::JSGlobalObject::resetPrototype):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::toThis):
        (JSC::JSGlobalObject::getOwnPropertySlot):
        (JSC::JSGlobalObject::createThrowTypeError): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectConstructor):
        (JSC::JSGlobalObject::promiseConstructor):
        (JSC::JSGlobalObject::internalPromiseConstructor):
        (JSC::JSGlobalObject::evalErrorConstructor):
        (JSC::JSGlobalObject::rangeErrorConstructor):
        (JSC::JSGlobalObject::referenceErrorConstructor):
        (JSC::JSGlobalObject::syntaxErrorConstructor):
        (JSC::JSGlobalObject::typeErrorConstructor):
        (JSC::JSGlobalObject::URIErrorConstructor):
        (JSC::JSGlobalObject::nullGetterFunction):
        (JSC::JSGlobalObject::nullSetterFunction):
        (JSC::JSGlobalObject::callFunction):
        (JSC::JSGlobalObject::applyFunction):
        (JSC::JSGlobalObject::definePropertyFunction):
        (JSC::JSGlobalObject::arrayProtoValuesFunction):
        (JSC::JSGlobalObject::initializePromiseFunction):
        (JSC::JSGlobalObject::newPromiseCapabilityFunction):
        (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
        (JSC::JSGlobalObject::regExpProtoExecFunction):
        (JSC::JSGlobalObject::regExpProtoSymbolReplaceFunction):
        (JSC::JSGlobalObject::regExpProtoGlobalGetter):
        (JSC::JSGlobalObject::regExpProtoUnicodeGetter):
        (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
        (JSC::JSGlobalObject::moduleLoader):
        (JSC::JSGlobalObject::objectPrototype):
        (JSC::JSGlobalObject::functionPrototype):
        (JSC::JSGlobalObject::arrayPrototype):
        (JSC::JSGlobalObject::booleanPrototype):
        (JSC::JSGlobalObject::stringPrototype):
        (JSC::JSGlobalObject::symbolPrototype):
        (JSC::JSGlobalObject::numberPrototype):
        (JSC::JSGlobalObject::datePrototype):
        (JSC::JSGlobalObject::regExpPrototype):
        (JSC::JSGlobalObject::errorPrototype):
        (JSC::JSGlobalObject::iteratorPrototype):
        (JSC::JSGlobalObject::generatorFunctionPrototype):
        (JSC::JSGlobalObject::generatorPrototype):
        (JSC::JSGlobalObject::debuggerScopeStructure):
        (JSC::JSGlobalObject::withScopeStructure):
        (JSC::JSGlobalObject::strictEvalActivationStructure):
        (JSC::JSGlobalObject::activationStructure):
        (JSC::JSGlobalObject::moduleEnvironmentStructure):
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::clonedArgumentsStructure):
        (JSC::JSGlobalObject::isOriginalArrayStructure):
        (JSC::JSGlobalObject::booleanObjectStructure):
        (JSC::JSGlobalObject::callbackConstructorStructure):
        (JSC::JSGlobalObject::callbackFunctionStructure):
        (JSC::JSGlobalObject::callbackObjectStructure):
        (JSC::JSGlobalObject::propertyNameIteratorStructure):
        (JSC::JSGlobalObject::objcCallbackFunctionStructure):
        (JSC::JSGlobalObject::objcWrapperObjectStructure):
        (JSC::JSGlobalObject::dateStructure):
        (JSC::JSGlobalObject::nullPrototypeObjectStructure):
        (JSC::JSGlobalObject::errorStructure):
        (JSC::JSGlobalObject::calleeStructure):
        (JSC::JSGlobalObject::functionStructure):
        (JSC::JSGlobalObject::boundFunctionStructure):
        (JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
        (JSC::JSGlobalObject::getterSetterStructure):
        (JSC::JSGlobalObject::nativeStdFunctionStructure):
        (JSC::JSGlobalObject::namedFunctionStructure):
        (JSC::JSGlobalObject::functionNameOffset):
        (JSC::JSGlobalObject::numberObjectStructure):
        (JSC::JSGlobalObject::privateNameStructure):
        (JSC::JSGlobalObject::mapStructure):
        (JSC::JSGlobalObject::regExpStructure):
        (JSC::JSGlobalObject::generatorFunctionStructure):
        (JSC::JSGlobalObject::setStructure):
        (JSC::JSGlobalObject::stringObjectStructure):
        (JSC::JSGlobalObject::symbolObjectStructure):
        (JSC::JSGlobalObject::iteratorResultObjectStructure):
        (JSC::JSGlobalObject::lazyTypedArrayStructure):
        (JSC::JSGlobalObject::typedArrayStructure):
        (JSC::JSGlobalObject::typedArrayStructureConcurrently):
        (JSC::JSGlobalObject::isOriginalTypedArrayStructure):
        (JSC::JSGlobalObject::typedArrayConstructor):
        (JSC::JSGlobalObject::actualPointerFor):
        (JSC::JSGlobalObject::internalFunctionStructure): Deleted.
        * runtime/JSNativeStdFunction.cpp:
        (JSC::JSNativeStdFunction::create):
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::create):
        (JSC::JSWithScope::visitChildren):
        (JSC::JSWithScope::createStructure):
        (JSC::JSWithScope::JSWithScope):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::object):
        (JSC::JSWithScope::create): Deleted.
        (JSC::JSWithScope::createStructure): Deleted.
        (JSC::JSWithScope::JSWithScope): Deleted.
        * runtime/LazyClassStructure.cpp: Added.
        (JSC::LazyClassStructure::Initializer::Initializer):
        (JSC::LazyClassStructure::Initializer::setPrototype):
        (JSC::LazyClassStructure::Initializer::setStructure):
        (JSC::LazyClassStructure::Initializer::setConstructor):
        (JSC::LazyClassStructure::visit):
        (JSC::LazyClassStructure::dump):
        * runtime/LazyClassStructure.h: Added.
        (JSC::LazyClassStructure::LazyClassStructure):
        (JSC::LazyClassStructure::get):
        (JSC::LazyClassStructure::prototype):
        (JSC::LazyClassStructure::constructor):
        (JSC::LazyClassStructure::getConcurrently):
        (JSC::LazyClassStructure::prototypeConcurrently):
        (JSC::LazyClassStructure::constructorConcurrently):
        * runtime/LazyClassStructureInlines.h: Added.
        (JSC::LazyClassStructure::initLater):
        * runtime/LazyProperty.h: Added.
        (JSC::LazyProperty::Initializer::Initializer):
        (JSC::LazyProperty::LazyProperty):
        (JSC::LazyProperty::get):
        (JSC::LazyProperty::getConcurrently):
        * runtime/LazyPropertyInlines.h: Added.
        (JSC::LazyProperty<ElementType>::Initializer<OwnerType>::set):
        (JSC::LazyProperty<ElementType>::initLater):
        (JSC::LazyProperty<ElementType>::setMayBeNull):
        (JSC::LazyProperty<ElementType>::set):
        (JSC::LazyProperty<ElementType>::visit):
        (JSC::LazyProperty<ElementType>::dump):
        (JSC::LazyProperty<ElementType>::callFunc):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::accessorGetter):
        (JSC::HashTableValue::accessorSetter):
        (JSC::HashTableValue::constantInteger):
        (JSC::HashTableValue::lexerValue):
        (JSC::HashTableValue::lazyCellPropertyOffset):
        (JSC::HashTableValue::lazyClassStructureOffset):
        (JSC::HashTableValue::lazyPropertyCallback):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        (JSC::reifyStaticProperty):
        * runtime/PropertySlot.h:
        * runtime/TypedArrayType.h:

2016-05-03  Per Arne Vollan  <peavo@outlook.com>

        [Win] Remove Windows XP Compatibility Requirements
        https://bugs.webkit.org/show_bug.cgi?id=152899

        Reviewed by Brent Fulgham.

        Windows XP is not supported anymore, we can remove workarounds.

        * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp:
        (enableTerminationOnHeapCorruption):

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.assert should do far less work when the assertion is true
        https://bugs.webkit.org/show_bug.cgi?id=157297
        <rdar://problem/26056556>

        Reviewed by Timothy Hatcher.

        * runtime/ConsoleClient.h:
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::assertion):
        (JSC::ConsoleClient::assertCondition): Deleted.
        Rename, now that this will only get called when the assertion failed.

        * runtime/ConsoleObject.cpp:
        (JSC::consoleProtoFuncAssert):
        Avoid doing any work if the assertion succeeded.

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed follow-up testapi fix after r200355.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        Revert back to non-enumerable. This matches our older behavior,
        we can decide to make this Enumerable later if needed.

2016-05-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Reflect.toString() should be [object Object] not [object Reflect]
        https://bugs.webkit.org/show_bug.cgi?id=157288

        Reviewed by Darin Adler.

        * runtime/ReflectObject.cpp:
        * tests/stress/reflect.js: Added.

2016-05-02  Jon Davis  <jond@apple.com>

        Add Resource Timing entry to the Feature Status page.
        https://bugs.webkit.org/show_bug.cgi?id=157285

        Reviewed by Timothy Hatcher.

        * features.json:

2016-05-02  Joseph Pecoraro  <pecoraro@apple.com>

        Make console a namespace object (like Math/JSON), allowing functions to be called unbound
        https://bugs.webkit.org/show_bug.cgi?id=157286
        <rdar://problem/26052830>

        Reviewed by Timothy Hatcher.

        This changes `console` to be a global namespace object, like `Math` and `JSON`.
        It just holds a bunch of functions, that can be used on their own, unbound.
        For example, `[1,2,3].forEach(console.log)` and `var log = console.log; log(1)`
        used to throw exceptions and now do not.

        Previously console was an Object/Prototype pair, so functions were on
        ConsolePrototype (console.__proto__.log) and they needed to be called
        Console objects as the `this` value. Now, `console` is just a standard
        object with a bunch of functions. Since there is no console prototype the
        functions can be passed around and called as expected and they will
        just do the right thing.

        For compatability with other browsers, `console` was made enumerable
        on the global object.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new files and remove old files.

        * runtime/CommonIdentifiers.h:
        Add "console".

        * runtime/ConsoleObject.cpp: Renamed from Source/JavaScriptCore/runtime/ConsolePrototype.cpp.
        (JSC::ConsoleObject::ConsoleObject):
        (JSC::ConsoleObject::finishCreation):
        (JSC::valueToStringWithUndefinedOrNullCheck):
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncDebug):
        (JSC::consoleProtoFuncError):
        (JSC::consoleProtoFuncLog):
        (JSC::consoleProtoFuncInfo):
        (JSC::consoleProtoFuncWarn):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTakeHeapSnapshot):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        Console functions no longer need to check if the this object is
        a Console object. They will always just work now.

        * runtime/MathObject.cpp:
        * runtime/MathObject.h:
        * runtime/ConsoleObject.h: Renamed from Source/JavaScriptCore/runtime/ConsolePrototype.h.
        (JSC::ConsoleObject::create):
        (JSC::ConsoleObject::createStructure):
        ConsoleObject is a basic object like MathObject.

        * runtime/JSConsole.cpp: Removed.
        * runtime/JSConsole.h: Removed.
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        Remove JSConsole / ConsolePrototype in favor of the single ConsoleObject.

2016-05-02  Per Arne Vollan  <peavo@outlook.com>

        [Win] Clean up annoying compiler warnings
        https://bugs.webkit.org/show_bug.cgi?id=149813

        Reviewed by Alex Christensen.

        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isWatchableWhenValid):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::sendPendingErrors):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createWithInlineFrame):
        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/JSObject.cpp:
        (JSC::JSObject::heapSnapshot):
        (JSC::callToPrimitiveFunction):
        * runtime/RegExpPrototype.cpp:
        (JSC::flagsString):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::functionStartColumn):

2016-05-02  Keith Miller  <keith_miller@apple.com>

        ToThis should be able to be eliminated in Constant Folding
        https://bugs.webkit.org/show_bug.cgi?id=157213

        Reviewed by Saam Barati.

        This patch enables eliminating the ToThis value when we have abstract interpreter
        indicates the node is not needed. Since there are Objects that override their
        ToThis behavior we first check if we can eliminate the node by looking at its
        speculated type. If the function is in strict mode then we can eliminate ToThis as
        long as the speculated type is not SpecObjectOther since that contains objects
        that may set OverridesToThis. If the function is not in strict mode then we can
        eliminate ToThis as long is the speculated type is an object that is not SpecObjectOther.

        If we can't eliminate with type information we can still eliminate the ToThis node with
        the proven structure set. When ToThis only sees structures that do not set OverridesToThis
        it can be eliminated. Additionally, if the function is in strict mode then we can eliminate
        ToThis as long as all only the object structures don't set OverridesToThis.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::isToThisAnIdentity):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupToThis):
        * tests/stress/to-this-global-object.js: Added.
        (test):
        (test2):
        (get for):

2016-05-01  Skachkov Oleksandr  <gskachkov@gmail.com>

        Class contructor and methods shouldn't have "arguments" and "caller"
        https://bugs.webkit.org/show_bug.cgi?id=144238

        Reviewed by Ryosuke Niwa.

        Added TypeError that is raised in case of access to properties 'arguments' or 'caller'
        of constructor or method of class. Actually TypeError already raised for most cases, except
        case with undeclared constructor e. g. 
        class A {}
        (new A).constructor.caller 
        (new A).constructor.arguments

        * runtime/JSFunction.cpp:
        (JSC::getThrowTypeErrorGetterSetter):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createThrowTypeErrorArgumentsAndCaller):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerGetterSetter):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncThrowTypeErrorArgumentsAndCaller):
        * runtime/JSGlobalObjectFunctions.h:

2016-05-02  Yoav Weiss  <yoav@yoav.ws>

        Move ResourceTiming behind a runtime flag
        https://bugs.webkit.org/show_bug.cgi?id=157133

        Reviewed by Alex Christensen.

        * runtime/CommonIdentifiers.h: Added PerformanceEntry, PerformanceEntryList and PerformanceResourceTiming as property names.

2016-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Assertion failure for bound function with custom prototype and Reflect.construct
        https://bugs.webkit.org/show_bug.cgi?id=157081

        Reviewed by Saam Barati.

        We ensured `newTarget != exec->callee()`. However, it does not mean `newTarget.get("prototype") != exec->callee()->get("prototype")`.
        When the given `prototype` is the same to `baseStructure->sotredPrototype()`, it is unnecessary to create a new structure from this
        baseStructure.

        * bytecode/InternalFunctionAllocationProfile.h:
        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
        * tests/stress/custom-prototype-may-be-same-to-original-one.js: Added.
        (shouldBe):
        (boundFunction):

2016-04-30  Konstantin Tokarev  <annulen@yandex.ru>

        Guard ObjC-specific code in Heap.cpp with USE(FOUNDATION)
        https://bugs.webkit.org/show_bug.cgi?id=157236

        Reviewed by Darin Adler.

        This also fixes build with GCC 4.8 which does not provide
        __has_include.

        * heap/Heap.cpp:

2016-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Assertion failure for destructuring assignment with new.target and unary operator
        https://bugs.webkit.org/show_bug.cgi?id=157149

        Reviewed by Saam Barati.

        The caller of parseDefaultValueForDestructuringPattern() should propagate errors.
        And this patch also cleans up createSavePoint and createSavePointForError; introducing SavePointWithError.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        Add propagateErorr() for parseDefaultValueForDestructuringPattern.

        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::restoreLexerState):
        (JSC::Parser::internalSaveState):
        (JSC::Parser::createSavePointForError):
        (JSC::Parser::createSavePoint):
        (JSC::Parser::internalRestoreState):
        (JSC::Parser::restoreSavePointWithError):
        (JSC::Parser::restoreSavePoint):
        * tests/stress/default-value-parsing-should-propagate-error.js: Added.
        (testSyntaxError):
        (testSyntaxError.f):

2016-04-28  Darin Adler  <darin@apple.com>

        First step in using "enum class" instead of "String" for enumerations in DOM
        https://bugs.webkit.org/show_bug.cgi?id=157163

        Reviewed by Chris Dumez.

        * runtime/JSString.h:
        (JSC::jsStringWithCache): Deleted unneeded overload for AtomicString.

2016-04-29  Benjamin Poulain  <bpoulain@apple.com>

        [JSC][ARMv7S] Arithmetic module results change when tiering up to DFG
        https://bugs.webkit.org/show_bug.cgi?id=157217
        rdar://problem/24733432

        Reviewed by Mark Lam.

        ARMv7's fmod() returns less accurate results than an integer division.
        Since we have integer div on ARMv7s, the results start changing when
        we reach DFG.

        In this patch, I change our fmod slow path to behave like the fast path
        on ARMv7s.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::fmodAsDFGOperation): Deleted.
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/MathCommon.cpp:
        (JSC::isStrictInt32):
        * runtime/MathCommon.h:

2016-04-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Issues inspecting the inspector, pausing on breakpoints causes content to not load
        https://bugs.webkit.org/show_bug.cgi?id=157198
        <rdar://problem/26011049>

        Reviewed by Timothy Hatcher.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::sendResponse):
        While auditing the code, add a WTFMove.

2016-04-29  Mark Lam  <mark.lam@apple.com>

        Make RegExp.prototype.test spec compliant.
        https://bugs.webkit.org/show_bug.cgi?id=155862

        Reviewed by Saam Barati.

        * builtins/RegExpPrototype.js:
        (intrinsic.RegExpTestIntrinsic.test):

        * create_hash_table:
        - Delete obsoleted code.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        - We now have 2 intrinsics for RegExp.prototype.test:
          RegExpTestIntrinsic and RegExpTestFastIntrinsic.

          RegExpTestIntrinsic maps to the entry at the top of the builtin ES6
          RegExp.prototype.test.
          RegExpTestFastIntrinsic maps to the fast path in the builtin ES6
          RegExp.prototype.test.

          Both will end up using the RegExpTest DFG node to implement the fast path
          of RegExp.prototype.test.  RegExpTestIntrinsic will have some additional checks
          before the RegExpTest node.  Those checks are for speculating that it is ok for
          us to take the fast path.

        * runtime/CommonIdentifiers.h:
        * runtime/Intrinsic.h:

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        - Added the regExpTestFast function.
        - Also fixed the parameter length on 2 other functions that were erroneous.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncTest): Deleted.
        * runtime/RegExpPrototype.h:
        * tests/es6.yaml:

2016-04-29  Benjamin Poulain  <benjamin@webkit.org>

        Extend math-pow-stable-results.js to get more information about the failure

        * tests/stress/math-pow-stable-results.js:

2016-04-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        Assertion failure for exception in "prototype" property getter and Reflect.construct
        https://bugs.webkit.org/show_bug.cgi?id=157084

        Reviewed by Mark Lam.

        InternalFunction::createSubclassStrucuture may throw exceptions because it performs [[Get]] to
        look up the "prototype" object. The current assertion is invalid.
        We also found that Object constructor is not aware of new.target. This is filed[1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=157196

        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * tests/stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Added.
        (shouldThrow):
        (bf):

2016-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r200232.
        https://bugs.webkit.org/show_bug.cgi?id=157189

        This change broke the Mac CMake build and its LayoutTest is
        failing and/or flaky on all platforms (Requested by ryanhaddad
        on #webkit).

        Reverted changeset:

        "Move ResourceTiming behind a runtime flag"
        https://bugs.webkit.org/show_bug.cgi?id=157133
        http://trac.webkit.org/changeset/200232

2016-04-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] RegExp.prototype.@@replace should use @isObject instead of `instanceof` for object guard
        https://bugs.webkit.org/show_bug.cgi?id=157124

        Reviewed by Keith Miller.

        Use @isObject instead of `instanceof @Object`.
        The `instanceof` check is not enough to check Object Type.
        This fix itself is the same to r199647, and this patch is for RegExp.prototype.@@replace.

        * builtins/RegExpPrototype.js:
        (replace):
        * tests/stress/regexp-replace-in-other-realm-should-work.js: Added.
        (shouldBe):
        * tests/stress/regexp-replace-should-work-with-objects-not-inheriting-object-prototype.js: Added.
        (shouldBe):
        (regexp.exec):

2016-04-29  Yoav Weiss  <yoav@yoav.ws>

        Move ResourceTiming behind a runtime flag
        https://bugs.webkit.org/show_bug.cgi?id=157133

        Reviewed by Alex Christensen.

        * runtime/CommonIdentifiers.h: Added PerformanceEntry, PerformanceEntryList and PerformanceResourceTiming as property names.

2016-04-28  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused bool parameter in CodeCache::getGlobalCodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=157156

        Reviewed by Mark Lam.

        The bool parameter appears to be isArrowFunctionContext, but the method's
        contents just get that property from the Executable, so the parameter is
        unnecessary and unused.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:

2016-04-28  Caitlin Potter  <caitp@igalia.com>

        [JSC] re-implement String#padStart and String#padEnd in JavaScript
        https://bugs.webkit.org/show_bug.cgi?id=157146

        Reviewed by Saam Barati.

        * builtins/StringPrototype.js:
        (repeatCharactersSlowPath):
        (padStart):
        (padEnd):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation): Deleted.
        (JSC::repeatStringPattern): Deleted.
        (JSC::padString): Deleted.
        (JSC::stringProtoFuncPadEnd): Deleted.
        (JSC::stringProtoFuncPadStart): Deleted.

2016-04-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Tweak auto attach initialization on some platforms
        https://bugs.webkit.org/show_bug.cgi?id=157150
        <rdar://problem/21222045>

        Reviewed by Timothy Hatcher.

        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::cycle):
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):

2016-04-28  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Unify Math.pow() accross all tiers
        https://bugs.webkit.org/show_bug.cgi?id=157121

        Reviewed by Geoffrey Garen.

        My previous optimizations of DFG compile time have slowly
        regressed Sunspider's math-partial-sums.

        What is happenning is baseline used a thunk for Math.pow()
        that has a special case for an exponent of -0.5, while
        DFG/FTL have other special cases for other exponents.
        The faster we get to DFG, the less time we spend in that fast
        case for -0.5.

        While looking into this, I discovered some correctness issues. Baseline
        optimizes y=-0.5 by turning it into 1/sqrt(). DFG/FTL optimize constant
        y=0.5 by turning it into sqrt(). The problem is sqrt() behaves differently
        for -0 and -Infinity. With sqrt(), negative numbers are undefined,
        and the result is NaN. With pow(), they have a result.

        Something else that has bothered me for a while is that Math.pow()
        with the same arguments give you different results in LLINT, Baseline,
        and DFG/FTL. This seems a bit dangerous for numerical stability.

        With this patch, I unify the behaviors for all tiers while keeping
        the "special cases".

        We have pow() that is super slow, but most callers don't need the
        full power. We have:
        -pow() with an exponent between 0 and 1000 is a fast path implemented
         by multiplication only.
        -pow(x, 0.5) is sqrt with special checks for negative values.
        -pow(x, -0.5) is sqrt with special checks for negative values.

        The C++ implementation handles all those optimizations too. This ensure
        you get the same results from LLINT to FTL.

        The thunk is eliminated, it was producing incorrect results and only
        optimized Sunspider's partial-sums.

        DFG gets the optimized integer, 0.5 and -0.5 cases since those are important
        for somewhat-hot code. DFG falls back to the C++ code for any non-obvious case.

        FTL gets the full C++ implementation inlined in B3. B3 knows how to eliminate
        all the dead cases so you get the best if your code is hot enough to reach FTL.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToArithSqrt): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::compileArithPowIntegerFastPath):
        (JSC::DFG::SpeculativeJIT::compileArithPow):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithPow):
        * jit/ThunkGenerators.cpp:
        (JSC::powThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        * runtime/MathCommon.cpp:
        (JSC::operationMathPow):
        * runtime/MathCommon.h:
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic): Deleted.
        * tests/stress/math-pow-stable-results.js: Added.
        Getting consistent results when tiering up is new.
        This test verify that results always remains the same as LLINT.

        * tests/stress/math-pow-with-constants.js:
        (testPowUsedAsSqrt):
        (powUsedAsOneOverSqrt):
        (testPowUsedAsOneOverSqrt):
        (powUsedAsSquare):
        (testPowUsedAsSquare):

2016-04-28  Mark Lam  <mark.lam@apple.com>

        DebuggerScope::className() should not assert scope->isValid().
        https://bugs.webkit.org/show_bug.cgi?id=157143

        Reviewed by Keith Miller.

        DebuggerScope::className() should not assert scope->isValid() because the
        TypeProfiler logs objects it encounters, and may indirectly call
        JSObject::calculatedClassName() on those objects later, thereby calling
        DebuggerScope::className() on an invalidated DebuggerScope.

        The existing handling in DebuggerScope::className() for an invalidated scope
        (that returns a null string) is sufficient.

        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::className):

2016-04-28  Caitlin Potter  <caitp@igalia.com>

        [JSC] implement spec changes for String#padStart and String#padEnd
        https://bugs.webkit.org/show_bug.cgi?id=157139

        Reviewed by Keith Miller.

        Previously, if the fill string was the empty string, it was treated as a
        single U+0020 SPACE character. Now, if this occurs, the original string
        is returned instead.

        Change was discussed at TC39 in March [1], and is reflected in new
        test262 tests for the feature.

        [1] https://github.com/tc39/tc39-notes/blob/master/es7/2016-03/march-29.md#stringprototypepadstartpadend

        * runtime/StringPrototype.cpp:
        (JSC::padString):
        * tests/es6/String.prototype_methods_String.prototype.padEnd.js:
        (TestFillerToString):
        (TestFillerEmptyString):
        * tests/es6/String.prototype_methods_String.prototype.padStart.js:
        (TestFillerToString):
        (TestFillerEmptyString):

2016-04-28  Skachkov Oleksandr  <gskachkov@gmail.com>

        Crash for non-static super property call in derived class constructor
        https://bugs.webkit.org/show_bug.cgi?id=157089

        Reviewed by Darin Adler.
       
        Added tdz check of the 'this' before access to the 'super' for FunctionCallBracketNode, 
        the same as it was done for FunctionCallDotNode.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallBracketNode::emitBytecode):

2016-04-27  Mark Lam  <mark.lam@apple.com>

        The GetterSetter structure needs a globalObject.
        https://bugs.webkit.org/show_bug.cgi?id=157120

        Reviewed by Filip Pizlo.

        In r199170: <http://trac.webkit.org/r199170>, GetterSetter was promoted from
        being a JSCell to a JSObject.  JSObject methods expect their structure to have a
        globalObject.  For example, see JSObject::calculatedClassName().  GetterSetter
        was previously using a singleton getterSetterStructure owned by the VM.  That
        singleton getterSetterStructure is not associated with any globalObjects.  As a
        result, JSObject::calculatedClassName() will run into a null globalObject when it
        is called on a GetterSetter object.

        This patch removes the VM singleton getterSetterStructure, and instead, creates
        a getterSetterStructure for each JSGlobalObject.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * runtime/GetterSetter.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::functionStructure):
        (JSC::JSGlobalObject::boundFunctionStructure):
        (JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
        (JSC::JSGlobalObject::getterSetterStructure):
        (JSC::JSGlobalObject::nativeStdFunctionStructure):
        (JSC::JSGlobalObject::namedFunctionStructure):
        (JSC::JSGlobalObject::functionNameOffset):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2016-04-27  Keith Miller  <keith_miller@apple.com>

        Unreviewed, Revert r199397 due to PLT regressions

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ArrayPrototype.js:
        (concatSlowPath): Deleted.
        (concat): Deleted.
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): Deleted.
        * bytecode/BytecodeIntrinsicRegistry.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileIsJSArray): Deleted.
        (JSC::DFG::SpeculativeJIT::compileIsArrayObject): Deleted.
        (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor): Deleted.
        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile): Deleted.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::isArray): Deleted.
        * jit/JITOperations.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDataLogValue): Deleted.
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
        * runtime/ArrayConstructor.h:
        (JSC::isArrayConstructor): Deleted.
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoPrivateFuncIsJSArray): Deleted.
        (JSC::moveElements): Deleted.
        (JSC::arrayProtoPrivateFuncConcatMemcpy): Deleted.
        (JSC::arrayProtoPrivateFuncAppendMemcpy): Deleted.
        * runtime/ArrayPrototype.h:
        * runtime/CommonIdentifiers.h:
        * runtime/Intrinsic.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::fastConcatWith):
        (JSC::JSArray::appendMemcpy): Deleted.
        * runtime/JSArray.h:
        (JSC::JSArray::fastConcatType):
        (JSC::JSArray::createStructure):
        (JSC::isJSArray):
        * runtime/JSArrayInlines.h: Removed.
        (JSC::JSArray::memCopyWithIndexingType): Deleted.
        (JSC::JSArray::canFastCopy): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSType.h:
        * runtime/ObjectConstructor.h:
        (JSC::constructObject): Deleted.
        * tests/es6.yaml:
        * tests/stress/array-concat-spread-object.js: Removed.
        (arrayEq): Deleted.
        * tests/stress/array-concat-spread-proxy-exception-check.js: Removed.
        (arrayEq): Deleted.
        * tests/stress/array-concat-spread-proxy.js: Removed.
        (arrayEq): Deleted.
        * tests/stress/array-concat-with-slow-indexingtypes.js: Removed.
        (arrayEq): Deleted.
        * tests/stress/array-species-config-array-constructor.js:

2016-04-27  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r200117): Crash in lowerDFGToB3::compileStringReplace()
        https://bugs.webkit.org/show_bug.cgi?id=157099

        Reviewed by Saam Barati.

        Given that the DFGFixupPhase could mark the edge of child2 as StringUse,
        we need to lower that edge appropriately.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):

2016-04-27  Mark Lam  <mark.lam@apple.com>

        Address feedback from https://bugs.webkit.org/show_bug.cgi?id=157048#c5.
        https://bugs.webkit.org/show_bug.cgi?id=157096

        Reviewed by Geoffrey Garen.

        1. Check for USE(APPLE_INTERNAL_SDK) instead of __has_include(<mach-o/dyld_priv.h>).
        2. Rename webkitFirstSDKVersionWithInitConstructorSupport to
           firstSDKVersionWithInitConstructorSupport.

        * API/JSWrapperMap.mm:
        (supportsInitMethodConstructors):

2016-04-27  Mark Lam  <mark.lam@apple.com>

        Restrict the availability of some JSC options to local debug builds only.
        https://bugs.webkit.org/show_bug.cgi?id=157058

        Reviewed by Geoffrey Garen.

        1. Each option will be given an availability flag.
        2. The functionOverrides and useDollarVM (along with its alias, enableDollarVM)
           will have "Restricted" availability.
        3. All other options will have “Normal” availability.
        4. Any options with "Restricted" availability will only be accessible if function
           allowRestrictedOptions() returns true.
        5. For now, allowRestrictedOptions() always returns false for release builds, and
           true for debug builds.

        If an option is "Restricted" and restricted options are not allowed, the VM will
        behave semantically as if that option does not exist at all:
        1. Option dumps will not show the option.
        2. Attempts to set the option will fail as if the option does not exist.

        Behind the scene, the option does exist, and is set to its default value
        (whatever that may be) once and only once on options initialization.

        * runtime/Options.cpp:
        (JSC::allowRestrictedOptions):
        (JSC::parse):
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::initialize):
        (JSC::Options::setOptionWithoutAlias):
        (JSC::Options::dumpOption):
        * runtime/Options.h:
        (JSC::Option::type):
        (JSC::Option::availability):
        (JSC::Option::isOverridden):

2016-04-27  Gavin Barraclough  <barraclough@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720
        <rdar://problem/25841790>

        Unreviewed rollout - caused memory regression.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-27  Benjamin Poulain  <bpoulain@apple.com>

        Follow up for r200113 on 32bit

        I forgot to do the 32bit counterpart of r200113.
        The test fails on the bots.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-04-27  Alberto Garcia  <berto@igalia.com>

        [GTK] Fails to build randomly when generating LLIntDesiredOffsets.h
        https://bugs.webkit.org/show_bug.cgi?id=155427

        Reviewed by Carlos Garcia Campos.

        If the build directory contains the -I string, the script that
        generates LLIntDesiredOffsets.h will confuse it with an option to
        declare an include directory.

        In order to avoid that we should only use the arguments that start
        with -I when extracting the list of include directories, instead
        of using the ones that simply contain that string.

        * offlineasm/parser.rb:

2016-04-27  Saam barati  <sbarati@apple.com>

        JSC should have an option to allow global const redeclarations
        https://bugs.webkit.org/show_bug.cgi?id=157006

        Reviewed by Geoffrey Garen.

        This patch implements an option that dictates whether
        const redeclarations at the program level will throw.
        This option defaults to true but allows users of JSC
        to set it to false. This option is per VM. This is needed
        for backwards compatibility with our old const implementation.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionShadowChickenFunctionsOnStack):
        (functionSetGlobalConstRedeclarationShouldNotThrow):
        (functionReadline):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/JSGlobalLexicalEnvironment.cpp:
        (JSC::JSGlobalLexicalEnvironment::put):
        (JSC::JSGlobalLexicalEnvironment::isConstVariable):
        * runtime/JSGlobalLexicalEnvironment.h:
        (JSC::JSGlobalLexicalEnvironment::isEmpty):
        * runtime/VM.h:
        (JSC::VM::setGlobalConstRedeclarationShouldThrow):
        (JSC::VM::globalConstRedeclarationShouldThrow):
        * tests/stress/global-const-redeclaration-setting: Added.
        * tests/stress/global-const-redeclaration-setting-2.js: Added.
        (assert):
        * tests/stress/global-const-redeclaration-setting-3.js: Added.
        (assert):
        (catch):
        * tests/stress/global-const-redeclaration-setting-4.js: Added.
        (assert):
        (catch):
        * tests/stress/global-const-redeclaration-setting-5.js: Added.
        (assert):
        (catch):
        * tests/stress/global-const-redeclaration-setting.js: Added.
        (assert):
        * tests/stress/global-const-redeclaration-setting/first.js: Added.
        * tests/stress/global-const-redeclaration-setting/let.js: Added.
        * tests/stress/global-const-redeclaration-setting/second.js: Added.
        * tests/stress/global-const-redeclaration-setting/strict.js: Added.

2016-04-26  Michael Saboff  <msaboff@apple.com>

        [ES] Implement RegExp.prototype.@@replace and use it for String.prototype.replace
        https://bugs.webkit.org/show_bug.cgi?id=156562

        Reviewed by Filip Pizlo.

        Added builtins for String.prototype.replace as well as RegExp.prototype[Symbol.replace].

        The String.prototype.replace also has an intrinsic, StringPrototypeReplaceIntrinsic.
        This original intrinsic was copied to make StringPrototypeReplaceRegExpIntrinsic.
        The difference between the two intrinsics is that StringPrototypeReplaceIntrinsic has
        the same checks found in the new builtin hasObservableSideEffectsForStringReplace.
        We implement these primordial checks for StringPrototypeReplaceIntrinsic in two places.
        First, we do a trial check during ByteCode parsing time to see if the current
        RegExp.prototype properties have changed from the original.  If they have, we don't
        inline the intrinsic.  Later, in the fixup phase, we add nodes to the IR to emit the
        checks at runtime.

        The new intrinsic StringPrototypeReplaceRegExpIntrinsic is only available via the
        private @replaceUsingRegExp, which is called in the String.prototype.replace builtin.
        It is only called after hasObservableSideEffectsForStringReplace has been called

        Both of these intrinsics are needed, because the JS code containing String.replace() calls
        runs initially in the LLint and then the baseline JIT.  Even after the function tiers up
        to the DFG JIT, the inlining budget may not allow StringPrototypeReplaceIntrinsic to be inlined.
        Having StringPrototypeReplaceRegExpIntrinsic allows for the String.prototype.replace builtin to
        get reasonable performance before the other intrinsic is inlined or when it can't.

        * builtins/RegExpPrototype.js:
        (match):
        (getSubstitution):
        (replace):
        (search):
        (split):
        * builtins/StringPrototype.js:
        (repeat):
        (hasObservableSideEffectsForStringReplace):
        (intrinsic.StringPrototypeReplaceIntrinsic.replace):
        (localeCompare):
        New builtins for String.prototype.replace and RegExp.prototype[Symbol.replace].

        * bytecode/BytecodeIntrinsicRegistry.cpp:
        * bytecode/BytecodeIntrinsicRegistry.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
        (JSC::DFG::FixupPhase::tryAddStringReplacePrimordialChecks):
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::getRegExpPrototypeProperty):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::getRegExpPrototypeProperty):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * runtime/CommonIdentifiers.h:
        * runtime/Intrinsic.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::replace):
        (JSC::stringProtoFuncReplaceUsingRegExp):
        (JSC::stringProtoFuncReplaceUsingStringSearch):
        (JSC::operationStringProtoFuncReplaceGeneric):
        (JSC::stringProtoFuncReplace): Deleted.
        Added StringReplaceRegExp intrinsic.  Added checks for RegExp profiled arguments to StringReplace
        that mirror what is in hasObservableSideEffectsForStringReplace().  If we aren't able to add the
        checks, we OSR exit.  Add Graph::getPrimordialRegExpPrototypeProperty() as a helper to get the
        primordial values from RegExp.prototype.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Added @regExpPrototypeSymbolReplace and
        @hasObservableSideEffectsForStringReplace here instead og String.prototype so that we reduce the
        number of objects we have to traverse.

        * tests/es6.yaml: Changed expectations for the various replace related tests to passing.

        * tests/stress/regexp-replace-proxy.js:
        (assert):
        (let.getProxyNullExec.new.Proxy):
        (let.getSetProxyNullExec.new.Proxy):
        (get resetTracking):
        (let.getSetProxyMatches_comma.new.Proxy):
        (set get getSetProxyNullExec):
        (let.getSetProxyReplace_phoneNumber.new.Proxy):
        (set get getSetProxyMatches_comma):
        (let.getSetProxyReplaceUnicode_digit_nonGreedy.new.Proxy):
        (set get resetTracking):
        * tests/stress/string-replace-proxy.js:
        (assert):
        (let.getSetProxyReplace.new.Proxy.replace):
        New tests.

2016-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: speculative build fix.

        Not reviewed.

        * API/JSWrapperMap.mm:

2016-04-26  Mark Lam  <mark.lam@apple.com>

        Update the compatibility version check for the ObjC API's InitConstructorSupport to use dyld_get_program_sdk_version().
        https://bugs.webkit.org/show_bug.cgi?id=157048

        Reviewed by Geoffrey Garen.

        * API/JSWrapperMap.mm:
        (supportsInitMethodConstructors):
        (getJSExportProtocol):

2016-04-26  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] GetByVal on Undecided use its children before its OSR Exit
        https://bugs.webkit.org/show_bug.cgi?id=157046

        Reviewed by Mark Lam.

        Very silly bug: GetByVal on Undecided uses its children before
        the speculationCheck(). If we fail the speculation, we have already
        lost how to recover the values.

        The existing tests did not catch this because we tier up to B3
        before such Exits happen. B3 has explicit liveness and did not suffer
        from this bug.
        The new test has a smaller warmup to exercise the OSR Exit in DFG
        instead of FTL.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * tests/stress/get-by-val-on-undecided-out-of-bounds.js: Added.
        (string_appeared_here.opaqueGetByValKnownArray):

2016-04-26  Skachkov Oleksandr  <gskachkov@gmail.com>

        calling super() a second time in a constructor should throw
        https://bugs.webkit.org/show_bug.cgi?id=151113

        Reviewed by Saam Barati.

        Currently, our implementation checks if 'super()' was called in a constructor more
        than once and raises a RuntimeError before the second call. According to the spec
        we need to raise an error just after the second super() is finished and before
        the new 'this' is assigned https://esdiscuss.org/topic/duplicate-super-call-behaviour.
        To implement this behavior this patch adds a new op code, op_is_empty, that is used
        to check if 'this' is empty.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitIsEmpty):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallValueNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_empty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_empty):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * tests/stress/class-syntax-double-constructor.js: Added.

2016-04-26  Mark Lam  <mark.lam@apple.com>

        Changed jsc options title to be more descriptive.
        https://bugs.webkit.org/show_bug.cgi?id=157036

        Reviewed by Joseph Pecoraro.

        Let the title for --dumpOptions be "Modified JSC runtime options:" since it only
        dumps overridden options.  The title for --options will remain "All JSC runtime
        options:" since it dumps all all options with verbose detail.

        * jsc.cpp:
        (CommandLine::parseArguments):

2016-04-26  Oliver Hunt  <oliver@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720

        Unreviewed roll-in of this change. There is only one
        additional allocation involved in this logic, and that
        is a duplicate mapping.

        Either our tools are not report real memory usage
        or this revision is not responsible for the regression.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-26  Filip Pizlo  <fpizlo@apple.com>

        DFG backends shouldn't emit type checks at KnownBlah edges
        https://bugs.webkit.org/show_bug.cgi?id=157025

        Reviewed by Michael Saboff.
        
        This fixes a crash I found when browsing Bing maps with forceEagerCompilation. I include a
        100% repro test case.
        
        The issue is that our code still doesn't fully appreciate the devious implications of
        KnownBlah use kinds. Consider KnownCell for example. It means: "trust me, I know that this
        value will be a cell". You aren't required to provide a proof when you use KnownCell. Often,
        we use it as a result of a path-sensitive proof. The abstract interpreter is not
        path-sensitive, so AI will be absolutely sure that the KnownCell use might see a non-cell.
        This can lead to debug assertions (which this change removes) and it can lead to the backends
        emitting a type check. That type check can be pure evil if the node that has this edge does
        not have an exit origin. Such a node would have passed validation because the validater would
        have thought that the node cannot exit (after all, according to the IR semantics, there is no
        speculation at KnownCell).

        This comprehensively fixes the issue by recognizing that Foo(KnownCell:@x) means: I have
        already proved that by the time you start executing Foo, @x will already be a cell. I cannot
        tell you how I proved this but you can rely on it anyway. AI now takes advantage of this
        meaning and will always do filtering of KnownBlah edges regardless of whether the backend
        actually emits any type checks for those edges. Since the filtering runs before the backend,
        the backend will not emit any checks because it will know that the edge was already checked
        (by whatever mechanism we used when we made the edge KnownBlah).
        
        Note that it's good that we found this bug now. The DFG currently does very few
        sparse-conditional or path-sensitive optimizations, but it will probably do more in the
        future. The bug happens because GetByOffset and friends can achieve path-sensitive proofs via
        watchpoints on the inferred type. Normally, AI can follow along with this proof. But in the
        example program, and on Bing maps, we would GCSE one GetByOffset with another that had a
        weaker proven type. That turned out to be completely sound - between the two GetByOffset's
        there was a Branch to null check it. The inferred type of the second GetByOffset ended up
        knowing that it cannot be null because null only occurred in some structures but not others.
        If we added more sparse-conditional stuff to Branch, then AI would know how to follow along
        with the proof but it would also create more situations where we'd have a path-sensitive
        proof. So, it's good that we're now getting this right.

        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeKnownEdgeTypes):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * tests/stress/path-sensitive-known-cell-crash.js: Added.
        (bar):
        (foo):

2016-04-26  Gavin Barraclough  <barraclough@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720

        Unreviewed rollout - caused memory regression.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-26  Joseph Pecoraro  <pecoraro@apple.com>

        Improve jsc --help and making sampling options
        https://bugs.webkit.org/show_bug.cgi?id=157015

        Reviewed by Saam Barati.

        Simplify sampling options to be easier to remember:

          * --reportSamplingProfilerData => --sample
          * --samplingProfilerTimingInterval => --sampleInterval

        Update the --help to mention --sample, and restore the behavior of
        --options outputing all possible options so you can discover which
        options are available.        

        * jsc.cpp:
        (printUsageStatement):
        (CommandLine::parseArguments):
        Improve help and modify option dumping.

        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler):
        Rename the sampling interval option.

2016-04-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r200083.
        https://bugs.webkit.org/show_bug.cgi?id=157033

         It brokes the debug build (Requested by gskachkov on
        #webkit).

        Reverted changeset:

        "calling super() a second time in a constructor should throw"
        https://bugs.webkit.org/show_bug.cgi?id=151113
        http://trac.webkit.org/changeset/200083

2016-04-26  Skachkov Oleksandr  <gskachkov@gmail.com>

        calling super() a second time in a constructor should throw
        https://bugs.webkit.org/show_bug.cgi?id=151113

        Reviewed by Saam Barati.

        Currently, our implementation checks if 'super()' was called in a constructor more 
        than once and raises a RuntimeError before the second call. According to the spec 
        we need to raise an error just after the second super() is finished and before 
        the new 'this' is assigned https://esdiscuss.org/topic/duplicate-super-call-behaviour. 
        To implement this behavior this patch adds a new op code, op_is_empty, that is used 
        to check if 'this' is empty.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitIsEmpty):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallValueNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_empty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_empty):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * tests/stress/class-syntax-double-constructor.js: Added.

2016-04-25  Ryosuke Niwa  <rniwa@webkit.org>

        Remove the build flag for template elements
        https://bugs.webkit.org/show_bug.cgi?id=157022

        Reviewed by Daniel Bates.

        * Configurations/FeatureDefines.xcconfig:

2016-04-25  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Constant folding of UInt32ToNumber is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=157011
        rdar://problem/25769641

        Reviewed by Geoffrey Garen.

        UInt32ToNumber should return the unsigned 32bit value of
        its child. The abstract interpreter fails to do that when handling
        Int52.

        None of the tests caught that because the bytecode generator already
        fold the operation if given a constant. If the constant is not visible
        from the bytecode generator (for example because it comes from an inlined call),
        then the abstract interpreter folding was producing invalid results.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * tests/stress/uint32-to-number-constant-folding.js: Added.
        (uint32ToNumberMinusOne):
        (uint32ToNumberMinusOnePlusInteger):
        (inlineMinusOne):
        (uint32ToNumberOnHiddenMinusOne):
        (uint32ToNumberOnHiddenMinusOnePlusInteger):
        (inlineLargeNegativeNumber1):
        (inlineLargeNegativeNumber2):
        (inlineLargeNegativeNumber3):
        (uint32ToNumberOnHiddenLargeNegativeNumber1):
        (uint32ToNumberOnHiddenLargeNegativeNumber2):
        (uint32ToNumberOnHiddenLargeNegativeNumber3):

2016-04-25  Fujii Hironori  <Hironori.Fujii@sony.com>

        Heap corruption is detected when destructing JSGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=156831

        Reviewed by Mark Lam.

        WebKit uses CRT static library on Windows.  Each copy of the CRT
        library has its own heap manager, allocating memory in one CRT
        library and passing the pointer across a DLL boundary to be freed
        by a different copy of the CRT library is a potential cause for
        heap corruption.

          Potential Errors Passing CRT Objects Across DLL Boundaries
          <https://msdn.microsoft.com/en-us/library/ms235460(v=vs.140).aspx>

        JSGlobalObject::createRareDataIfNeeded is inlined but
        JSGlobalObject::~JSGlobalObject is not.  Then, the heap of
        allocating JSGlobalObjectRareData is WebKit.dll, but deallocating
        JavaScriptCore.dll.  Adding WTF_MAKE_FAST_ALLOCATED to
        JSGlobalObjectRareData ensures heap consistency of it.  WTF::Lock
        also needs WTF_MAKE_FAST_ALLOCATED because it is allocated from
        the inlined constructor of JSGlobalObjectRareData.

        Test: fast/dom/insertedIntoDocument-iframe.html

        * runtime/JSGlobalObject.h:
        Add WTF_MAKE_FAST_ALLOCATED to JSGlobalObjectRareData.

2016-04-25  Michael Saboff  <msaboff@apple.com>

        Crash using @tryGetById in DFG
        https://bugs.webkit.org/show_bug.cgi?id=156992

        Reviewed by Filip Pizlo.

        We need to spill live registers when compiling TryGetById in DFG.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileTryGetById):
        * tests/stress/regress-156992.js: New test.
        (tryMultipleGetByIds):
        (test):

2016-04-25  Saam barati  <sbarati@apple.com>

        We don't have to parse a function's parameters every time if the function is in the source provider cache
        https://bugs.webkit.org/show_bug.cgi?id=156943

        Reviewed by Filip Pizlo.

        This patch makes a few changes to make parsing inner functions
        faster.

        First, we were always parsing an inner function's parameter
        list using the templatized TreeBuiler. This means if our parent scope
        was building an AST, we ended up building AST nodes for the inner
        function's parameter list even though these nodes would go unused.
        This patch fixes that to *always* build an inner function's parameter
        list using the SyntaxChecker. (Note that this is consistent now with
        always building an inner function's body with a SyntaxChecker.)

        Second, we were always parsing an inner function's parameter list
        even if we had that function saved in the source provider cache.
        I've fixed that bug and made it so that we skip over the parsing 
        of a function's parameter list when it's in the source provider
        cache. We could probably enhance this in the future to skip
        over the entirety of a function starting at the "function"
        keyword or any other start of the function (depending on
        the function type: arrow function, method, etc).

        This patch also renames a few fields. First, I fixed a typo
        from "tocken" => "token" for a few field names. Secondly,
        I renamed a field that was called 'bodyStartColumn' to 
        'parametersStartColumn' because the field really held the
        parameter list's start column.

        I'm benchmarking this as a 1.5-2% octane/jquery speedup
        on a 15" MBP.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createMethodDefinition):
        (JSC::ASTBuilder::createArrowFunctionExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createFuncDeclStatement):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::Lexer::currentPosition):
        (JSC::Lexer::positionBeforeLastNewline):
        (JSC::Lexer::lastTokenLocation):
        (JSC::Lexer::setLastLineNumber):
        (JSC::Lexer::lastLineNumber):
        (JSC::Lexer::prevTerminator):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseFunctionBody):
        (JSC::stringForFunctionMode):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Scope::usedVariablesContains):
        (JSC::Scope::forEachUsedVariable):
        (JSC::Scope::useVariable):
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        * parser/ParserFunctionInfo.h:
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::endFunctionToken):
        (JSC::SourceProviderCacheItem::usedVariables):
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):

2016-04-25  Mark Lam  <mark.lam@apple.com>

        Renaming SpecInt32, SpecInt52, MachineInt to SpecInt32Only, SpecInt52Only, AnyInt.
        https://bugs.webkit.org/show_bug.cgi?id=156941

        Reviewed by Filip Pizlo.

        While looking at https://bugs.webkit.org/show_bug.cgi?id=153431, it was decided
        that SpecInt32Only, SpecInt52Only, and AnyInt would be better names for
        SpecInt32, SpecInt52, and MachineInt.  Let's do a bulk rename.

        This is only a renaming patch, and deletion of a piece of unused code.  There are
        no semantic changes.

        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromValue):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::typeOfDoubleNegation):
        (JSC::typeOfDoubleRounding):
        * bytecode/SpeculatedType.h:
        (JSC::isInt32Speculation):
        (JSC::isInt32OrBooleanSpeculation):
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationExpectingDefined):
        (JSC::isInt52Speculation):
        (JSC::isAnyIntSpeculation):
        (JSC::isAnyIntAsDoubleSpeculation):
        (JSC::isDoubleRealSpeculation):
        (JSC::isMachineIntSpeculation): Deleted.
        (JSC::isInt52AsDoubleSpeculation): Deleted.
        (JSC::isIntegerSpeculation): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        (JSC::DFG::AbstractValue::checkConsistency):
        (JSC::DFG::AbstractValue::resultType):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::validateType):
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToThis):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
        (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::prependGetArrayLength):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInt32):
        (JSC::DFG::Graph::addShouldSpeculateAnyInt):
        (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
        (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt):
        (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
        (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt):
        (JSC::DFG::Graph::addShouldSpeculateMachineInt): Deleted.
        (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt): Deleted.
        (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt): Deleted.
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToIdentityOn):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::asNumber):
        (JSC::DFG::Node::isAnyIntConstant):
        (JSC::DFG::Node::asAnyInt):
        (JSC::DFG::Node::isBooleanConstant):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateAnyInt):
        (JSC::DFG::Node::shouldSpeculateDouble):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::isMachineIntConstant): Deleted.
        (JSC::DFG::Node::asMachineInt): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineInt): Deleted.
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::OSREntryData::dumpInContext):
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::handleNode):
        (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::speculateInt32):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::isKnownNotCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotOther):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        (JSC::DFG::SpeculativeJIT::convertAnyInt):
        (JSC::DFG::SpeculativeJIT::speculateAnyInt):
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepAnyInt):
        (JSC::DFG::SpeculativeJIT::convertMachineInt): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt): Deleted.
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):
        * dfg/DFGValidate.cpp:
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
        (JSC::DFG::VariableAccessData::flushFormat):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileInt52Constant):
        (JSC::FTL::DFG::LowerDFGToB3::compileInt52Rep):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isNotInt32):
        (JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
        (JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateAnyInt):
        (JSC::FTL::DFG::LowerDFGToB3::speculateDoubleRepReal):
        (JSC::FTL::DFG::LowerDFGToB3::speculateDoubleRepAnyInt):
        (JSC::FTL::DFG::LowerDFGToB3::speculateMachineInt): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::speculateDoubleRepMachineInt): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::isInt52):
        (JSC::JSValue::isAnyInt):
        (JSC::JSValue::asAnyInt):
        (JSC::JSValue::isMachineInt): Deleted.
        (JSC::JSValue::asMachineInt): Deleted.
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        (JSC::runtimeTypeAsString):
        * runtime/RuntimeType.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::dumpTypes):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::TypeSet::toJSONString):

2016-04-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize JSON.parse string fast path
        https://bugs.webkit.org/show_bug.cgi?id=156953

        Reviewed by Mark Lam.

        This patch further optimizes the string parsing fast path.
        Previously, we generated the WTF::String to hold the ownership of the token's string.
        And always copied the token in LiteralParser side.
        Instead, we hold the ownership of the token String by the StringBuilder in LiteralParser::Lexer,
        and remove the processing in the string parsing fast path.
        This patch gives us stable 1 - 2.5% improvement in Kraken json-parse-financial.

                                       Baseline                  Modified

        json-parse-financial        41.383+-0.248      ^      40.894+-0.189         ^ definitely 1.0120x faster

        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        (JSC::LiteralParser<CharType>::parse):
        (JSC::LiteralParser<CharType>::Lexer::lexString): Deleted.
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::currentToken):
        (JSC::LiteralParser::Lexer::LiteralParserTokenPtr::LiteralParserTokenPtr):
        (JSC::LiteralParser::Lexer::LiteralParserTokenPtr::operator->):

2016-04-24  Filip Pizlo <fpizlo@apple.com> and Andy VanWagoner <thetalecrafter@gmail.com>

        [INTL] Implement String.prototype.localeCompare in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147607

        Reviewed by Darin Adler.
        
        Part of this change is just rolling 194394 back in.
        
        The other part is making that not a regression on CDjs. Other than the fact that it uses
        bound functions, the problem with this new localeCompare implementation is that it uses
        the arguments object. It uses it in a way that *seems* like ArgumentsEliminationPhase
        ought to handle, but to my surprise it didn't:
        
        - If we have a ForceExit GetByVal on the arguments object, we would previously assume that
          it escaped. That's false since we just exit at ForceExit. On the other hand we probably
          should be pruning unreachable paths before we get here, but that's a separate issue. I
          don't want to play with phase order right now.
        
        - If we have a OutOfBounds GetByVal on the arguments object, then the best that would
          previously happen is that we'd compile it into an in-bounds arguments access. That's quite
          bad, as Andy's localeCompare illustrates: it uses out-of-bounds access on the arguments
          object to detect if an argument was passed. This change introduces an OutOfBounds version
          of GetMyArgumentByVal for this purpose.
        
        This change required registering sane chain watchpoints. In the process, I noticed that the
        old way of doing it had a race condition: we might register watchpoints for the structure
        that had become insane. This change introduces a double-checking idiom that I believe works
        because once the structure becomes insane it can't go back to sane and watchpoints
        registration already involves executing the hardest possible fences.

        * builtins/StringPrototype.js:
        (repeat):
        (localeCompare):
        (search):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        * ftl/FTLTypedPointer.h:
        (JSC::FTL::TypedPointer::TypedPointer):
        (JSC::FTL::TypedPointer::operator bool):
        (JSC::FTL::TypedPointer::heap):
        (JSC::FTL::TypedPointer::operator!): Deleted.
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2016-04-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, unbreak cloop.

        * runtime/VM.cpp:
        (JSC::VM::getHostFunction):

2016-04-22  Filip Pizlo  <fpizlo@apple.com>

        Speed up bound functions a bit
        https://bugs.webkit.org/show_bug.cgi?id=156889

        Reviewed by Saam Barati.
        
        Bound functions are hard to optimize because JSC doesn't have a good notion of non-JS code
        that does JS-ey things like make JS calls. What I mean by "non-JS code" is code that did not
        originate from JS source. A bound function does a highly polymorphic call to the target
        stored in the JSBoundFunction. Prior to this change, we represented it as native code that
        used the generic native->JS call API. That's not cheap.
        
        We could model bound functions using a builtin, but it's not clear that this would be easy
        to grok, since so much of the code would have to access special parts of the JSBoundFunction
        type. Doing it that way might solve the performance problems but it would mean extra work to
        arrange for the builtin to have speedy access to the call target, the bound this, and the
        bound arguments. Also, optimizing bound functions that way would mean that bound function
        performance would be gated on the performance of a bunch of other things in our system. For
        example, we'd want this polymorphic call to be handled like the funnel that it is: if we're
        compiling the bound function's outgoing call with no context then we should compile it as
        fully polymorphic but we can let it assume basic sanity like that the callee is a real
        function; but if we're compiling the call with any amount of calling context then we want to
        use normal call IC's.
        
        Since the builtin path wouldn't lead to a simpler patch and since I think that the VM will
        benefit in the long run from using custom handling for bound functions, I kept the native
        code and just added Intrinsic/thunk support.
        
        This just adds an Intrinsic for bound function calls where the JSBoundFunction targets a
        JSFunction instance and has no bound arguments (only bound this). This intrinsic is
        currently only implemented as a thunk and not yet recognized by the DFG bytecode parser.

        I needed to loosen some restrictions to do this. For one, I was really tired of our bad use
        of ENABLE(JIT) conditionals, which made it so that any serious client of Intrinsics would
        have to have #ifdefs. Really what should happen is that if the JIT is not enabled then we
        just ignore intrinsics. Also, the code was previously assuming that having a native
        constructor and knowing the Intrinsic for your native call were mutually exclusive. This
        change makes it possible to have a native executable that has a custom function, custom
        constructor, and an Intrinsic.
        
        This is a >4x speed-up on bound function calls with no bound arguments.

        In the future, we should teach the DFG Intrinsic handling to deal with bound functions and
        we should teach the inliner (and ByteCodeParser::handleCall() in general) how to deal with
        the function call inside the bound function. That would be super awesome.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::timesPtr):
        (JSC::AbstractMacroAssembler::Address::withOffset):
        (JSC::AbstractMacroAssembler::BaseIndex::BaseIndex):
        (JSC::MacroAssemblerType>::Address::indexedBy):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeCell):
        (JSC::AssemblyHelpers::loadCell):
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::emitSaveCalleeSaves):
        (JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters):
        (JSC::AssemblyHelpers::emitRestoreCalleeSaves):
        (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
        (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeTailCall):
        (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        (JSC::JITThunks::clearHostFunctionStubs):
        * jit/JITThunks.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
        (JSC::SpecializedThunkJIT::tagReturnAsInt32):
        (JSC::SpecializedThunkJIT::emitSaveThenMaterializeTagRegisters): Deleted.
        (JSC::SpecializedThunkJIT::emitRestoreSavedTagRegisters): Deleted.
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::nativeCallGenerator):
        (JSC::nativeTailCallGenerator):
        (JSC::nativeTailCallWithoutSavedTagsGenerator):
        (JSC::nativeConstructGenerator):
        (JSC::randomThunkGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * jit/ThunkGenerators.h:
        * runtime/Executable.cpp:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::destroy):
        (JSC::NativeExecutable::createStructure):
        (JSC::NativeExecutable::finishCreation):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::ScriptExecutable::ScriptExecutable):
        * runtime/Executable.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        * runtime/Intrinsic.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::boundThisNoArgsFunctionCall):
        (JSC::boundFunctionCall):
        (JSC::boundThisNoArgsFunctionConstruct):
        (JSC::boundFunctionConstruct):
        (JSC::getBoundFunctionStructure):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::customHasInstance):
        (JSC::JSBoundFunction::JSBoundFunction):
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::targetFunction):
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        (JSC::JSBoundFunction::offsetOfTargetFunction):
        (JSC::JSBoundFunction::offsetOfBoundThis):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::lookUpOrCreateNativeExecutable):
        (JSC::JSFunction::create):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):
        (JSC::VM::getHostFunction):
        * runtime/VM.h:
        (JSC::VM::getCTIStub):
        (JSC::VM::exceptionOffset):

2016-04-22  Joonghun Park  <jh718.park@samsung.com>

        [JSC] Fix build break since r199866
        https://bugs.webkit.org/show_bug.cgi?id=156892

        Reviewed by Darin Adler.

        * runtime/MathCommon.cpp: Follow up to r199913. Remove 'include cmath' in cpp file.

2016-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize number parsing and string parsing in LiteralParser
        https://bugs.webkit.org/show_bug.cgi?id=156896

        Reviewed by Mark Lam.

        This patch aim to improve JSON.parse performance. Major 2 optimizations are included.

        1. Change `double result` to `int32_t result` in integer parsing case.
        We already have the optimized path for integer parsing, when it's digits are less than 10.
        At that case, the maximum number is 999999999, and the minimum number is -99999999.
        The both are in range of Int32. So We can use int32_t for accumulation instead of double.

        2. Add the string parsing fast / slow cases.
        We add the fast case for string parsing, which does not include any escape sequences.

        Both optimizations improve Kraken json-parse-financial, roughly 3.5 - 4.5%.

        json-parse-financial        49.128+-1.589             46.979+-0.912           might be 1.0457x faster

        * runtime/LiteralParser.cpp:
        (JSC::isJSONWhiteSpace):
        (JSC::isSafeStringCharacter):
        (JSC::LiteralParser<CharType>::Lexer::lexString):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        (JSC::LiteralParser<CharType>::Lexer::lexNumber):
        * runtime/LiteralParser.h:

2016-04-22  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Source directives lost when using Function constructor repeatedly
        https://bugs.webkit.org/show_bug.cgi?id=156863
        <rdar://problem/25861064>

        Reviewed by Geoffrey Garen.

        Source directives (sourceURL and sourceMappingURL) are normally accessed through
        the SourceProvider and normally set when the script is parsed. However, when a
        CodeCache lookup skips parsing, the new SourceProvider never gets the directives
        (sourceURL/sourceMappingURL). This patch stores the directives on the UnlinkedCodeBlock
        and UnlinkedFunctionExecutable when entering the cache, and copies to the new providers
        when the cache is used.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::sourceURLDirective):
        (JSC::UnlinkedCodeBlock::sourceMappingURLDirective):
        (JSC::UnlinkedCodeBlock::setSourceURLDirective):
        (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/SourceProvider.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        Store directives on the unlinked code block / executable when adding
        to the cache, so they can be used to update new providers when the
        cache gets used.

        * runtime/JSGlobalObject.cpp:
        Add needed header after CodeCache header cleanup.

2016-04-22  Mark Lam  <mark.lam@apple.com>

        javascript jit bug affecting Google Maps.
        https://bugs.webkit.org/show_bug.cgi?id=153431

        Reviewed by Filip Pizlo.

        The issue was due to the abstract interpreter wrongly marking the type of the
        value read from the Uint3Array as SpecInt52, which precludes it from being an
        Int32.  This proves to be false, and the generated code failed to handle the case
        where the read value is actually an Int32.

        The fix is to have the abstract interpreter use SpecMachineInt instead of
        SpecInt52.

        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2016-04-22  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] PredictionPropagation should not be in the top 5 heaviest phases
        https://bugs.webkit.org/show_bug.cgi?id=156891

        Reviewed by Mark Lam.

        In DFG, PredictionPropagation is often way too high in profiles.
        It is a simple phase, it should not be that hot.

        Most of the time is spent accessing memory. This patch attempts
        to reduce that.

        First, propagate() is split in processInvariants() and propagates().
        The step processInvariants() sets all the types for nodes for which
        the type does not depends on other nodes.

        Adding processInvariants() lowers two hotspot inside PredictionPropagation:
        speculationFromValue() and setPrediction().

        Next, to avoid touching all the nodes at every operation, we keep
        track of the nodes that actually need propagate().
        The vector m_dependentNodes keeps the list of those nodes and propagate()
        only need to process them at each phase.

        This is a smaller gain because growing m_dependentNodes negates
        some of the gains.

        On 3d-cube, this moves PredictionPropagation from fifth position
        to ninth. A lot of the remaining overhead is caused by double-voting
        and cannot be fixed by moving stuff around.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint): Deleted.
        (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
        (JSC::DFG::PredictionPropagationPhase::propagateForward): Deleted.
        (JSC::DFG::PredictionPropagationPhase::propagateBackward): Deleted.
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): Deleted.
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): Deleted.
        (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions): Deleted.

2016-04-22  Geoffrey Garen  <ggaren@apple.com>

        super should be available in object literals
        https://bugs.webkit.org/show_bug.cgi?id=156933

        Reviewed by Saam Barati.

        When we originally implemented classes, super seemed to be a class-only
        feature. But the final spec says it's available in object literals too.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode): Having 'super' and being a class
        property are no longer synonymous, so we track two separate variables.

        (JSC::PropertyListNode::emitPutConstantProperty): Being inside the super
        branch no longer guarantees that you're a class property, so we decide
        our attributes and our function name dynamically.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createArrowFunctionExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createArguments):
        (JSC::ASTBuilder::createArgumentsList):
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::createPropertyList): Pass through state to indicate
        whether we're a class property, since we can't infer it from 'super'
        anymore.

        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode): See ASTBuilder.h.

        * parser/Nodes.h:
        (JSC::PropertyNode::expressionName):
        (JSC::PropertyNode::name):
        (JSC::PropertyNode::type):
        (JSC::PropertyNode::needsSuperBinding):
        (JSC::PropertyNode::isClassProperty):
        (JSC::PropertyNode::putType): See ASTBuilder.h.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parseMemberExpression): I made these error
        messages generic because it is no longer practical to say concise things
        about the list of places you can use super.

        * parser/Parser.h:

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createArgumentsList):
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::appendExportSpecifier):
        (JSC::SyntaxChecker::appendConstDecl):
        (JSC::SyntaxChecker::createGetterOrSetterProperty): Updated for
        interface change.

        * tests/stress/generator-with-super.js:
        (test):
        * tests/stress/modules-syntax-error.js:
        * tests/stress/super-in-lexical-scope.js:
        (testSyntaxError):
        (testSyntaxError.test):
        * tests/stress/tagged-templates-syntax.js: Updated for error message
        changes. See Parser.cpp.

2016-04-22  Filip Pizlo  <fpizlo@apple.com>

        ASSERT(m_stack.last().isTailDeleted) at ShadowChicken.cpp:127 inspecting the inspector
        https://bugs.webkit.org/show_bug.cgi?id=156930

        Reviewed by Joseph Pecoraro.
        
        The loop that prunes the stack from the top should preserve the invariant that the top frame
        cannot be tail-deleted.

        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):

2016-04-22  Benjamin Poulain  <benjamin@webkit.org>

        Attempt to fix the CLoop after r199866

        * runtime/MathCommon.h:

2016-04-22  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Integer Multiply of a number by itself does not need negative zero support
        https://bugs.webkit.org/show_bug.cgi?id=156895

        Reviewed by Saam Barati.

        You cannot produce negative zero by squaring an integer.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        Minor codegen fixes:
        -Use the right form of multiply for ARM.
        -Use a sign-extended 32bit immediates, that's the one with fast forms
         in the MacroAssembler.

2016-04-21  Darin Adler  <darin@apple.com>

        Follow-on to the build fix.

        * runtime/MathCommon.h: Use the C++ std namespace version of the
        frexp function too.

2016-04-21  Joonghun Park  <jh718.park@samsung.com>

        [JSC] Fix build break since r199866. Unreviewed.
        https://bugs.webkit.org/show_bug.cgi?id=156892

        * runtime/MathCommon.h: Add namespace std to isnormal invoking.

2016-04-21  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add primitive String support to compare operators
        https://bugs.webkit.org/show_bug.cgi?id=156783

        Reviewed by Geoffrey Garen.

        Just the basics.
        We should eventually inline some of the simplest cases.

        This is a 2% improvement on Longspider. It is unfortunately neutral
        for Sunspider on my machine because most of the comparison are from
        baseline.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStringCompare):
        (JSC::DFG::SpeculativeJIT::compileStringIdentCompare):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareLess):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareLessEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareGreater):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareGreaterEq):
        (JSC::FTL::DFG::LowerDFGToB3::compare):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::callWithoutSideEffects):
        * jit/JITOperations.h:
        * tests/stress/string-compare.js: Added.
        (makeRope):
        (makeString):
        (let.operator.of.operators.eval.compareStringIdent):
        (let.operator.of.operators.compareStringString):
        (let.operator.of.operators.compareStringIdentString):
        (let.operator.of.operators.compareStringStringIdent):
        (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.eval):

2016-04-21  Benjamin Poulain  <bpoulain@webkit.org>

        [JSC] Commute FDiv-by-constant into FMul-by-reciprocal when it is safe
        https://bugs.webkit.org/show_bug.cgi?id=156871

        Reviewed by Filip Pizlo.

        FMul is significantly faster than FDiv.
        For example, on Haswell, FMul has a latency of 5, a throughput of 1
        while FDiv has latency 10-24, throughput 8-18.

        Fortunately for us, Sunspider and Kraken have plenty of division
        by a simple power of 2 constant. Those are just exponent operations
        and can be easily reversed to use FMul instead of FDiv.

        LLVM does something similar in InstCombine.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::loadOperand):
        (JSC::JITDivGenerator::generateFastPath):
        * jit/SnippetOperand.h:
        (JSC::SnippetOperand::asConstNumber):
        * runtime/MathCommon.h:
        (JSC::safeReciprocalForDivByConst):
        * tests/stress/floating-point-div-to-mul.js: Added.
        (opaqueDivBy2):
        (opaqueDivBy3):
        (opaqueDivBy4):
        (opaqueDivBySafeMaxMinusOne):
        (opaqueDivBySafeMax):
        (opaqueDivBySafeMaxPlusOne):
        (opaqueDivBySafeMin):
        (opaqueDivBySafeMinMinusOne):
        (i.catch):
        (i.result.opaqueDivBySafeMin.valueOf):

2016-04-21  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Improve the absThunkGenerator() for 64bit
        https://bugs.webkit.org/show_bug.cgi?id=156888

        Reviewed by Michael Saboff.

        A few tests spend a lot of time in this abs() with double argument.

        This patch adds custom handling for the JSValue64 representation.
        In particular:
        -Do not load the value twice. Unbox the GPR if it is not an Int32.
        -Deal with IntMin inline instead of falling back to the C function call.
        -Box the values ourself to avoid a duplicate function tail and return.

        * jit/ThunkGenerators.cpp:
        (JSC::absThunkGenerator):

2016-04-21  Saam barati  <sbarati@apple.com>

        LLInt CallSiteIndex off by 1
        https://bugs.webkit.org/show_bug.cgi?id=156886

        Reviewed by Benjamin Poulain.

        I think was done for historical reasons but isn't needed anymore.

        * llint/LLIntSlowPaths.cpp:

2016-04-21  Keith Miller  <keith_miller@apple.com>

        FTL should handle exceptions in operationInOptimize
        https://bugs.webkit.org/show_bug.cgi?id=156885

        Reviewed by Michael Saboff.

        For some reasone we didn't handle any exceptions in "in" when we called
        operationInOptimize in the FTL.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        * ftl/FTLPatchpointExceptionHandle.h: Add comments explaining which
        function to use for different exception types.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionNoFTL):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::setNeverFTLOptimize):
        (JSC::ScriptExecutable::neverFTLOptimize):
        * tests/stress/in-ftl-exception-check.js: Added.
        (foo):
        (bar):
        (catch):

2016-04-21  Filip Pizlo  <fpizlo@apple.com>

        JSC virtual call thunk shouldn't do a structure->classInfo lookup
        https://bugs.webkit.org/show_bug.cgi?id=156874

        Reviewed by Keith Miller.
        
        This lookup was unnecessary because we can just test the inlined type field.

        But also, this meant that we were exempting JSBoundFunction from the virtual call optimization.
        That's pretty bad.

        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):

2016-04-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: sourceMappingURL not loaded in generated script
        https://bugs.webkit.org/show_bug.cgi?id=156022
        <rdar://problem/25438595>

        Reviewed by Geoffrey Garen.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        Synthetic CallFrames for native code will not have script identifiers.

        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::ScriptCallFrame):
        (Inspector::ScriptCallFrame::isEqual):
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/protocol/Console.json:
        Include the script identifier in ScriptCallFrame so we can correlate this
        to the exactly script, even if there isn't a URL. The Script may have a
        sourceURL, so the Web Inspector frontend may decide to show / link to it.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::CreateScriptCallStackFunctor::operator()):
        (Inspector::createScriptCallStackFromException):
        Include SourceID when we have it.

        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::sourceID):
        * interpreter/StackVisitor.h:
        Access the SourceID when we have it.

2016-04-21  Saam barati  <sbarati@apple.com>

        Lets do less locking of symbol tables in the BytecodeGenerator where we don't have race conditions
        https://bugs.webkit.org/show_bug.cgi?id=156821

        Reviewed by Filip Pizlo.

        The BytecodeGenerator allocates all the SymbolTables that it uses.
        This is before any concurrent compiler thread can use that SymbolTable.
        This means we don't actually need to lock for any operations of the
        SymbolTable. This patch makes this change by removing all locking.
        To do this, I've introduced a new constructor for ConcurrentJITLocker
        which implies no locking is necessary. You instantiate such a ConcurrentJITLocker like so:
        `ConcurrentJITLocker locker(ConcurrentJITLocker::NoLockingNecessary);`

        This patch also removes all uses of Strong<SymbolTable> from the bytecode
        generator and instead wraps bytecode generation in a DeferGC.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::instantiateLexicalVariables):
        (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
        (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::createVariable):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitPushWithScope):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::constructorKind):
        (JSC::BytecodeGenerator::superBinding):
        (JSC::BytecodeGenerator::generate):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/ConcurrentJITLock.h:
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):

2016-04-21  Saam barati  <sbarati@apple.com>

        Remove some unnecessary RefPtrs in the parser
        https://bugs.webkit.org/show_bug.cgi?id=156865

        Reviewed by Filip Pizlo.

        The IdentifierArena or the SourceProviderCacheItem will own these UniquedStringImpls
        while we are using them. There is no need for us to reference count them.

        This might be a 0.5% speedup on octane code-load.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::Scope::setIsLexicalScope):
        (JSC::Scope::isLexicalScope):
        (JSC::Scope::closedVariableCandidates):
        (JSC::Scope::declaredVariables):
        (JSC::Scope::lexicalVariables):
        (JSC::Scope::finalizeLexicalEnvironment):
        (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::getCapturedVars):
        (JSC::Scope::setStrictMode):
        (JSC::Scope::isValidStrictMode):
        (JSC::Scope::shadowsArguments):
        (JSC::Scope::copyCapturedVariablesToVector):
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::usedVariables):
        (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
        (JSC::SourceProviderCacheItem::create):
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        (JSC::SourceProviderCacheItem::writtenVariables): Deleted.

2016-04-21  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicAccess adds sizeof(CallerFrameAndPC) rather than subtracting it when calculating stack height
        https://bugs.webkit.org/show_bug.cgi?id=156872

        Reviewed by Geoffrey Garen.
        
        The code that added sizeof(CallerFrameAndPC) emerged from a bad copy-paste in r189586. That was
        the revision that created the PolymorphicAccess class. It moved code for generating a
        getter/setter call from Repatch.cpp to PolymorphicAccess.cpp. You can see the code doing a
        subtraction here:
        
            http://trac.webkit.org/changeset/189586/trunk/Source/JavaScriptCore/jit/Repatch.cpp
        
        This makes the world right again.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):

2016-04-21  Geoffrey Garen  <ggaren@apple.com>

        Build warning: CODE_SIGN_ENTITLEMENTS specified without specifying CODE_SIGN_IDENTITY
        https://bugs.webkit.org/show_bug.cgi?id=156862

        Reviewed by Joseph Pecoraro.

        * Configurations/Base.xcconfig: Specify the ad hoc signing identity by
        default. See