Web Inspector: ES6: Show Symbol properties on Objects
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>
2
3         Web Inspector: ES6: Show Symbol properties on Objects
4         https://bugs.webkit.org/show_bug.cgi?id=141279
5
6         Reviewed by Timothy Hatcher.
7
8         * inspector/protocol/Runtime.json:
9         Give PropertyDescriptor a reference to the Symbol RemoteObject
10         if the property is a symbol property.
11
12         * inspector/InjectedScriptSource.js:
13         Enumerate symbol properties on objects.
14
15 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
16
17         Make it possible to enable LLVM FastISel
18         https://bugs.webkit.org/show_bug.cgi?id=143489
19
20         Reviewed by Michael Saboff.
21
22         The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
23         against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
24         if we should enable it.
25
26         * ftl/FTLCompile.cpp:
27         (JSC::FTL::mmAllocateDataSection):
28         * llvm/InitializeLLVM.cpp:
29         (JSC::initializeLLVMImpl):
30         * llvm/InitializeLLVM.h:
31         * llvm/InitializeLLVMLinux.cpp:
32         (JSC::getLLVMInitializerFunction):
33         (JSC::initializeLLVMImpl): Deleted.
34         * llvm/InitializeLLVMMac.cpp:
35         (JSC::getLLVMInitializerFunction):
36         (JSC::initializeLLVMImpl): Deleted.
37         * llvm/InitializeLLVMPOSIX.cpp:
38         (JSC::getLLVMInitializerFunctionPOSIX):
39         (JSC::initializeLLVMPOSIX): Deleted.
40         * llvm/InitializeLLVMPOSIX.h:
41         * llvm/InitializeLLVMWin.cpp:
42         (JSC::getLLVMInitializerFunction):
43         (JSC::initializeLLVMImpl): Deleted.
44         * llvm/LLVMAPI.cpp:
45         * llvm/LLVMAPI.h:
46         * llvm/library/LLVMExports.cpp:
47         (initCommandLine):
48         (initializeAndGetJSCLLVMAPI):
49         * runtime/Options.cpp:
50         (JSC::Options::initialize):
51
52 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
53
54         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
55         https://bugs.webkit.org/show_bug.cgi?id=140426
56
57         Reviewed by Darin Adler.
58
59         In the put_by_val_direct operation, we use JSObject::putDirect.
60         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
61         This patch checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
62
63         * dfg/DFGOperations.cpp:
64         (JSC::DFG::putByVal):
65         (JSC::DFG::operationPutByValInternal):
66         * jit/JITOperations.cpp:
67         * llint/LLIntSlowPaths.cpp:
68         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
69         * runtime/Identifier.h:
70         (JSC::isIndex):
71         (JSC::parseIndex):
72         * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
73         (lookupWithKey):
74         (toStringThrowsError.toString):
75
76 2015-04-06  Alberto Garcia  <berto@igalia.com>
77
78         [GTK] Fix HPPA build
79         https://bugs.webkit.org/show_bug.cgi?id=143453
80
81         Reviewed by Darin Adler.
82
83         Add HPPA to the list of supported CPUs.
84
85         * CMakeLists.txt:
86
87 2015-04-06  Mark Lam  <mark.lam@apple.com>
88
89         In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
90         <https://webkit.org/b/143396>
91
92         Reviewed by Filip Pizlo.
93
94         The DFG was neglecting to set the result boolean.  The FTL was setting it with
95         an inverted value.  Both of these are now resolved.
96
97         * dfg/DFGSpeculativeJIT64.cpp:
98         (JSC::DFG::SpeculativeJIT::compile):
99         * ftl/FTLLowerDFGToLLVM.cpp:
100         (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
101         * tests/stress/for-in-array-mode.js: Added.
102         (.):
103         (test):
104
105 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
106
107         [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
108         https://bugs.webkit.org/show_bug.cgi?id=143424
109
110         Reviewed by Geoffrey Garen.
111
112         In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).
113
114         ToString(symbol) throws a type error.
115         However, String(symbol) produces SymbolDescriptiveString(symbol).
116
117         So, in the DFG and FTL phases, they should not inline StringConstructor to ToString.
118
119         Now, in the template literals patch, the ToString DFG operation is planned to be used.
120         And the current ToString behavior is aligned with the spec (and JSValue::toString), which is better.
121         So instead of changing the ToString behavior, this patch adds a CallStringConstructor operation to the DFG and FTL.
122         In CallStringConstructor, all behavior in DFG analysis is the same.
123         The only difference from ToString is that, when calling DFG operation functions, it calls
124         operationCallStringConstructorOnCell and operationCallStringConstructor instead of
125         operationToStringOnCell and operationToString.
126
127         * dfg/DFGAbstractInterpreterInlines.h:
128         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
129         * dfg/DFGBackwardsPropagationPhase.cpp:
130         (JSC::DFG::BackwardsPropagationPhase::propagate):
131         * dfg/DFGByteCodeParser.cpp:
132         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
133         * dfg/DFGClobberize.h:
134         (JSC::DFG::clobberize):
135         * dfg/DFGDoesGC.cpp:
136         (JSC::DFG::doesGC):
137         * dfg/DFGFixupPhase.cpp:
138         (JSC::DFG::FixupPhase::fixupNode):
139         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
140         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
141         (JSC::DFG::FixupPhase::fixupToString): Deleted.
142         * dfg/DFGNodeType.h:
143         * dfg/DFGOperations.cpp:
144         * dfg/DFGOperations.h:
145         * dfg/DFGPredictionPropagationPhase.cpp:
146         (JSC::DFG::PredictionPropagationPhase::propagate):
147         * dfg/DFGSafeToExecute.h:
148         (JSC::DFG::safeToExecute):
149         * dfg/DFGSpeculativeJIT.cpp:
150         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
151         (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
152         * dfg/DFGSpeculativeJIT.h:
153         * dfg/DFGSpeculativeJIT32_64.cpp:
154         (JSC::DFG::SpeculativeJIT::compile):
155         * dfg/DFGSpeculativeJIT64.cpp:
156         (JSC::DFG::SpeculativeJIT::compile):
157         * dfg/DFGStructureRegistrationPhase.cpp:
158         (JSC::DFG::StructureRegistrationPhase::run):
159         * ftl/FTLCapabilities.cpp:
160         (JSC::FTL::canCompile):
161         * ftl/FTLLowerDFGToLLVM.cpp:
162         (JSC::FTL::LowerDFGToLLVM::compileNode):
163         (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
164         (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
165         * runtime/StringConstructor.cpp:
166         (JSC::stringConstructor):
167         (JSC::callStringConstructor):
168         * runtime/StringConstructor.h:
169         * tests/stress/symbol-and-string-constructor.js: Added.
170         (performString):
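
        The behavior this entry preserves, as an added example in script (not the entry's test file or any JSC code; the function names are this example's own):

```javascript
// Added example (not JSC code): String(symbol) versus ToString(symbol) in ES6.
// viaStringConstructor, viaNewString, viaImplicitToString and stressStringVsToString
// are this example's own names.

const token = Symbol("sessionToken");

// String called as a function: for a Symbol argument the spec returns SymbolDescriptiveString.
function viaStringConstructor(v) {
  return String(v);
}

// String called as a constructor takes the ordinary ToString path, which throws for symbols.
function viaNewString(v) {
  try { return { ok: true, value: new String(v).valueOf() }; }
  catch (e) { return { ok: false, error: e.constructor.name }; }
}

// Template literals and concatenation invoke the abstract operation ToString directly.
function viaImplicitToString(v) {
  try { return { ok: true, value: `${v}` }; }
  catch (e) { return { ok: false, error: e.constructor.name }; }
}

// Why a JIT may not fold String(x) into ToString(x): they agree only for non-symbol inputs.
// Run both hot so a tiering compiler (DFG/FTL in JSC) compiles the call sites, and keep
// checking that optimized code still gives the interpreter's answer for the symbol case.
function stressStringVsToString(iterations = 20000) {
  const plain = [1, -0, "s", null, undefined, true, { toString() { return "obj"; } }];
  for (let i = 0; i < iterations; i++) {
    for (const v of plain) {
      if (String(v) !== "" + v) return false;          // identical for non-symbols
    }
    if (viaStringConstructor(token) !== "Symbol(sessionToken)") return false;
    if (viaImplicitToString(token).ok) return false;   // must keep throwing after compilation
  }
  return true;
}

console.log(viaStringConstructor(token), viaNewString(token), viaImplicitToString(token),
            stressStringVsToString());
```

        The loop has the same shape as the entry's stress test: enough iterations for a tiering JIT to compile both call sites, with the interpreter's answer re-checked on every iteration.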
171
172 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
173
174         Return Optional<uint32_t> from PropertyName::asIndex
175         https://bugs.webkit.org/show_bug.cgi?id=143422
176
177         Reviewed by Darin Adler.
178
179         PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
180         But it's not obvious to callers.
181
182         This patch changes
183         1. PropertyName::asIndex() to return Optional<uint32_t> and
184         2. function name `asIndex()` to `parseIndex()`.
185         It forces callers to check explicitly whether the value is an index or not.
186
187         * bytecode/GetByIdStatus.cpp:
188         (JSC::GetByIdStatus::computeFor):
189         * bytecode/PutByIdStatus.cpp:
190         (JSC::PutByIdStatus::computeFor):
191         * bytecompiler/BytecodeGenerator.cpp:
192         (JSC::BytecodeGenerator::emitDirectPutById):
193         * jit/Repatch.cpp:
194         (JSC::emitPutTransitionStubAndGetOldStructure):
195         * jsc.cpp:
196         * runtime/ArrayPrototype.cpp:
197         (JSC::arrayProtoFuncSort):
198         * runtime/GenericArgumentsInlines.h:
199         (JSC::GenericArguments<Type>::getOwnPropertySlot):
200         (JSC::GenericArguments<Type>::put):
201         (JSC::GenericArguments<Type>::deleteProperty):
202         (JSC::GenericArguments<Type>::defineOwnProperty):
203         * runtime/Identifier.h:
204         (JSC::parseIndex):
205         (JSC::Identifier::isSymbol):
206         * runtime/JSArray.cpp:
207         (JSC::JSArray::defineOwnProperty):
208         * runtime/JSCJSValue.cpp:
209         (JSC::JSValue::putToPrimitive):
210         * runtime/JSGenericTypedArrayViewInlines.h:
211         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
212         (JSC::JSGenericTypedArrayView<Adaptor>::put):
213         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
214         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
215         * runtime/JSObject.cpp:
216         (JSC::JSObject::put):
217         (JSC::JSObject::putDirectAccessor):
218         (JSC::JSObject::putDirectCustomAccessor):
219         (JSC::JSObject::deleteProperty):
220         (JSC::JSObject::putDirectMayBeIndex):
221         (JSC::JSObject::defineOwnProperty):
222         * runtime/JSObject.h:
223         (JSC::JSObject::getOwnPropertySlot):
224         (JSC::JSObject::getPropertySlot):
225         (JSC::JSObject::putDirectInternal):
226         * runtime/JSString.cpp:
227         (JSC::JSString::getStringPropertyDescriptor):
228         * runtime/JSString.h:
229         (JSC::JSString::getStringPropertySlot):
230         * runtime/LiteralParser.cpp:
231         (JSC::LiteralParser<CharType>::parse):
232         * runtime/PropertyName.h:
233         (JSC::parseIndex):
234         (JSC::toUInt32FromCharacters): Deleted.
235         (JSC::toUInt32FromStringImpl): Deleted.
236         (JSC::PropertyName::asIndex): Deleted.
237         * runtime/PropertyNameArray.cpp:
238         (JSC::PropertyNameArray::add):
239         * runtime/StringObject.cpp:
240         (JSC::StringObject::deleteProperty):
241         * runtime/Structure.cpp:
242         (JSC::Structure::prototypeChainMayInterceptStoreTo):
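
        The put_by_val_direct entry above (bug 140426) and this one describe the same contract from two sides: a key is ToString-ed, then either parsed as an index or treated as a name. An added example in script (not JSC code; parseIndex, putDirectMayBeIndex and storesAsIndex are this example's own names, and MAX_ARRAY_INDEX is assumed to mirror the 0xFFFFFFFE limit JSC uses) that models that parse and cross-checks it against the engine's observable classification:

```javascript
// Added example (not JSC code): the index-vs-named property split, modelled explicitly
// and checked against what the engine actually does with computed keys.

// Assumed to mirror JSC's largest valid array index (0xFFFFFFFE). 4294967295 (UINT_MAX)
// is not an index, which is exactly why a UINT_MAX sentinel was easy to misuse.
const MAX_ARRAY_INDEX = 0xFFFFFFFE;

// Model of PropertyName::parseIndex(): a canonical decimal string in range is an index;
// symbols, leading zeros, signs, exponents, blanks and out-of-range values are not.
// The absent case is `undefined`, standing in for an empty Optional<uint32_t>.
function parseIndex(propertyName) {
  if (typeof propertyName === "symbol") return undefined;
  const s = String(propertyName);
  if (s.length === 0 || s.length > 10) return undefined;     // 4294967294 has 10 digits
  if (s.length > 1 && s[0] === "0") return undefined;        // "01" is a name, not index 1
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x30 || c > 0x39) return undefined;             // ASCII digits only
  }
  const n = Number(s);
  return n <= MAX_ARRAY_INDEX ? n : undefined;
}

// Dispatch the way put_by_val_direct must: a key that parses as an index goes to indexed
// storage, anything else to named storage. Skipping the check files "0" under the wrong store.
function putDirectMayBeIndex(target, propertyName, value) {
  const index = parseIndex(propertyName);
  if (index !== undefined) { target.indexed.set(index, value); return "index"; }
  target.named.set(String(propertyName), value);
  return "named";
}

// The engine's own classification is observable: computed keys in an object literal compile
// to put_by_val_direct, and index keys enumerate before string keys regardless of insertion order.
function storesAsIndex(key) {
  const o = { z: 1, [key]: 2 };
  return Object.keys(o)[0] !== "z";
}

// ToString on the key runs first and may execute user code or throw; the literal must propagate that.
function literalWithThrowingKey() {
  const key = { toString() { throw new RangeError("key toString threw"); } };
  try { return { threw: false, keys: Object.keys({ [key]: 1 }) }; }
  catch (e) { return { threw: true, kind: e.constructor.name }; }
}

// Cross-check the model against the engine on edge-case keys. The 2^32 boundary is left to
// parseIndex alone, since engines differ in how they order keys there.
function modelAgreesWithEngine() {
  const keys = [0, -0, 7, "7", "07", 1.5, -1, "1e3", "", " 1",
                { toString() { return "0"; } }, Symbol("s")];
  return keys.every(k => (parseIndex(k) !== undefined) === storesAsIndex(k));
}

console.log(parseIndex("4294967294"), parseIndex("4294967295"), modelAgreesWithEngine());
```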
243
244 2015-04-05  Andreas Kling  <akling@apple.com>
245
246         URI encoding/escaping should use efficient string building instead of calling snprintf().
247         <https://webkit.org/b/143426>
248
249         Reviewed by Gavin Barraclough.
250
251         I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
252         which seemed pretty silly. This change gets that down to nothing in favor of using our
253         existing JSStringBuilder and HexNumber.h facilities.
254
255         These APIs are well-exercised by our existing test suite.
256
257         * runtime/JSGlobalObjectFunctions.cpp:
258         (JSC::encode):
259         (JSC::globalFuncEscape):
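
        The encode() the entry rewrites is the spec's Encode abstract operation. As an added example (not JSC's implementation, which lives in the C++ file listed above), here is that operation in script with each escape built from a hex table rather than per-byte formatting, checked against the built-ins; percentEncode, encodeComponent, encodeFullURI and agreesWithBuiltins are this example's own names:

```javascript
// Added example (not JSC code): the Encode abstract operation behind encodeURI and
// encodeURIComponent, with the percent escapes assembled from a hex table.

const HEX = "0123456789ABCDEF";

// Two uppercase hex digits for one byte, as the built-ins produce.
function hexByte(b) {
  return HEX[b >> 4] + HEX[b & 0x0F];
}

// UTF-8 bytes of one code point (U+0000..U+10FFFF).
function utf8Bytes(cp) {
  if (cp < 0x80) return [cp];
  if (cp < 0x800) return [0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)];
  if (cp < 0x10000) return [0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)];
  return [0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)];
}

const UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.!~*'()";
const URI_RESERVED_AND_HASH = ";/?:@&=+$,#";
const COMPONENT_UNESCAPED = new Set(UNRESERVED);                       // encodeURIComponent's set
const URI_UNESCAPED = new Set(UNRESERVED + URI_RESERVED_AND_HASH);     // encodeURI's set

// Encode(string, unescapedSet): characters in the set pass through; everything else is emitted
// as the percent-encoded UTF-8 bytes of its code point. A lone surrogate has no UTF-8 form,
// so it is rejected with URIError instead of being silently replaced.
function percentEncode(str, unescapedSet) {
  const out = [];
  for (const ch of str) {                      // string iteration pairs surrogates into code points
    const cp = ch.codePointAt(0);
    if (cp >= 0xD800 && cp <= 0xDFFF) throw new URIError("URI malformed: lone surrogate");
    if (cp < 0x80 && unescapedSet.has(ch)) { out.push(ch); continue; }
    for (const b of utf8Bytes(cp)) out.push("%", hexByte(b));
  }
  return out.join("");
}

function encodeComponent(str) { return percentEncode(str, COMPONENT_UNESCAPED); }
function encodeFullURI(str) { return percentEncode(str, URI_UNESCAPED); }

// Check the hand-rolled encoder against the built-ins, including multi-byte characters.
function agreesWithBuiltins(samples) {
  return samples.every(s => encodeComponent(s) === encodeURIComponent(s)
                         && encodeFullURI(s) === encodeURI(s));
}

console.log(encodeComponent("a b&c=é/"), encodeFullURI("a b&c=é/"),
            agreesWithBuiltins(["", "a b&c=é/", "𝌆", "?x=1#y"]));
```

        The legacy escape() the entry also touches is a different function: it uses %uXXXX for code units above 0xFF and leaves characters such as `+`, `/` and `@` unescaped, so it is not a substitute for the two functions above when building URLs.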
260
261 2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>
262
263         documentation for ES Promises points to the wrong one
264         https://bugs.webkit.org/show_bug.cgi?id=143263
265
266         Reviewed by Darin Adler.
267
268         * features.json:
269
270 2015-04-05  Simon Fraser  <simon.fraser@apple.com>
271
272         Remove "go ahead and" from comments
273         https://bugs.webkit.org/show_bug.cgi?id=143421
274
275         Reviewed by Darin Adler, Benjamin Poulain.
276
277         Remove the phrase "go ahead and" from comments where it doesn't add
278         anything (which is almost all of them).
279
280         * interpreter/JSStack.cpp:
281         (JSC::JSStack::growSlowCase):
282
283 2015-04-04  Andreas Kling  <akling@apple.com>
284
285         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
286         <https://webkit.org/b/143210>
287
288         Reviewed by Geoffrey Garen.
289
290         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
291         we had a little problem where WeakBlocks with only null pointers would still keep their
292         MarkedBlock alive.
293
294         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
295         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
296         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
297         destroying them once they're fully dead.
298
299         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
300         a mysterious issue where doing two full garbage collections back-to-back would free additional
301         memory in the second collection.
302
303         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
304         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
305         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
306
307         * heap/Heap.h:
308         * heap/Heap.cpp:
309         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
310         owned by Heap, after everything else has been swept.
311
312         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
313         after a full garbage collection ends. Note that we don't do this after Eden collections, since
314         they are unlikely to cause entire WeakBlocks to go empty.
315
316         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
317         to the Heap when it's detached from a WeakSet.
318
319         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
320         of the logically empty WeakBlocks owned by Heap.
321
322         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
323         and updates the next-logically-empty-weak-block-to-sweep index.
324
325         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
326         won't be another chance after this.
327
328         * heap/IncrementalSweeper.h:
329         (JSC::IncrementalSweeper::hasWork): Deleted.
330
331         * heap/IncrementalSweeper.cpp:
332         (JSC::IncrementalSweeper::fullSweep):
333         (JSC::IncrementalSweeper::doSweep):
334         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
335         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
336         changed to return a bool (true if there's more work to be done.)
337
338         * heap/WeakBlock.cpp:
339         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
340         contain any pointers to live objects. The answer is stored in a new SweepResult member.
341
342         * heap/WeakBlock.h:
343         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
344         if the WeakBlock could be detached from the MarkedBlock.
345
346         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
347         when declaring them.
348
349 2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>
350
351         Implement ES6 Object.getOwnPropertySymbols
352         https://bugs.webkit.org/show_bug.cgi?id=141106
353
354         Reviewed by Geoffrey Garen.
355
356         This patch implements `Object.getOwnPropertySymbols`.
357         One technical issue is that, since we use private symbols (such as `@Object`) in the
358         privileged JS code in `builtins/`, they should not be exposed.
359         To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
360         before adding it to PropertyNameArray.
361
362         To check whether the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`,
363         since all private symbols are held in this map.
364
365         * builtins/BuiltinExecutables.cpp:
366         (JSC::BuiltinExecutables::createExecutableInternal):
367         * builtins/BuiltinNames.h:
368         (JSC::BuiltinNames::isPrivateName):
369         * runtime/CommonIdentifiers.cpp:
370         (JSC::CommonIdentifiers::isPrivateName):
371         * runtime/CommonIdentifiers.h:
372         * runtime/EnumerationMode.h:
373         (JSC::EnumerationMode::EnumerationMode):
374         (JSC::EnumerationMode::includeSymbolProperties):
375         * runtime/ExceptionHelpers.cpp:
376         (JSC::createUndefinedVariableError):
377         * runtime/JSGlobalObject.cpp:
378         (JSC::JSGlobalObject::init):
379         * runtime/JSLexicalEnvironment.cpp:
380         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
381         * runtime/JSSymbolTableObject.cpp:
382         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
383         * runtime/ObjectConstructor.cpp:
384         (JSC::ObjectConstructor::finishCreation):
385         (JSC::objectConstructorGetOwnPropertySymbols):
386         (JSC::defineProperties):
387         (JSC::objectConstructorSeal):
388         (JSC::objectConstructorFreeze):
389         (JSC::objectConstructorIsSealed):
390         (JSC::objectConstructorIsFrozen):
391         * runtime/ObjectConstructor.h:
392         (JSC::ObjectConstructor::create):
393         * runtime/Structure.cpp:
394         (JSC::Structure::getPropertyNamesFromStructure):
395         * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
396         (compare):
397         * tests/stress/object-get-own-property-symbols.js: Added.
398         (forIn):
399         * tests/stress/symbol-define-property.js: Added.
400         (testSymbol):
401         * tests/stress/symbol-seal-and-freeze.js: Added.
402         * tests/stress/symbol-with-json.js: Added.
403
404 2015-04-03  Mark Lam  <mark.lam@apple.com>
405
406         Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
407         <https://webkit.org/b/143385>
408
409         Reviewed by Geoffrey Garen.
410
411         For debugging purposes, sometimes, we want to be able to make compilation happen
412         sooner to see if we can accelerate the manifestation of certain events / bugs.
413         Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
414         which make up the compilation policy.  Let's add a single knob that can tune all
415         the thresholds up / down in one go proportionately so that we can easily tweak
416         how soon compilation occurs.
417
418         * runtime/Options.cpp:
419         (JSC::scaleJITPolicy):
420         (JSC::recomputeDependentOptions):
421         * runtime/Options.h:
422
423 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
424
425         is* API methods should be @properties
426         https://bugs.webkit.org/show_bug.cgi?id=143388
427
428         Reviewed by Mark Lam.
429
430         This appears to be the preferred idiom in WebKit, CA, AppKit, and
431         Foundation.
432
433         * API/JSValue.h: Be @properties.
434
435         * API/tests/testapi.mm:
436         (testObjectiveCAPI): Use the @properties.
437
438 2015-04-03  Mark Lam  <mark.lam@apple.com>
439
440         Some JSC Options refactoring and enhancements.
441         <https://webkit.org/b/143384>
442
443         Rubber stamped by Benjamin Poulain.
444
445         Create a better encapsulated Option class to make working with options easier.  This
446         is a building block towards a JIT policy scaling debugging option I will introduce later.
447
448         This work entails:
449         1. Convert Options::Option into a public class Option (which works closely with Options).
450         2. Convert Options::EntryType into an enum class Options::Type and make it public.
451         3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
452         4. Add misc methods to class Option to make it more usable.
453
454         * runtime/Options.cpp:
455         (JSC::Options::dumpOption):
456         (JSC::Option::dump):
457         (JSC::Option::operator==):
458         (JSC::Options::Option::dump): Deleted.
459         (JSC::Options::Option::operator==): Deleted.
460         * runtime/Options.h:
461         (JSC::Option::Option):
462         (JSC::Option::operator!=):
463         (JSC::Option::name):
464         (JSC::Option::description):
465         (JSC::Option::type):
466         (JSC::Option::isOverridden):
467         (JSC::Option::defaultOption):
468         (JSC::Option::boolVal):
469         (JSC::Option::unsignedVal):
470         (JSC::Option::doubleVal):
471         (JSC::Option::int32Val):
472         (JSC::Option::optionRangeVal):
473         (JSC::Option::optionStringVal):
474         (JSC::Option::gcLogLevelVal):
475         (JSC::Options::Option::Option): Deleted.
476         (JSC::Options::Option::operator!=): Deleted.
477
478 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
479
480         JavaScriptCore API should support type checking for Array and Date
481         https://bugs.webkit.org/show_bug.cgi?id=143324
482
483         Follow-up to address a comment by Dan.
484
485         * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
486         is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
487         is equal to 101100.
488
489 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
490
491         JavaScriptCore API should support type checking for Array and Date
492         https://bugs.webkit.org/show_bug.cgi?id=143324
493
494         Follow-up to address a comment by Dan.
495
496         * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
497         Added a comment explaining why.
498
499 2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>
500
501         FTL JIT tests should fail if LLVM library isn't available
502         https://bugs.webkit.org/show_bug.cgi?id=143374
503
504         Reviewed by Mark Lam.
505
506         * dfg/DFGPlan.cpp:
507         (JSC::DFG::Plan::compileInThreadImpl):
508         * runtime/Options.h:
509
510 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
511
512         Fix the EFL and GTK build after r182243
513         https://bugs.webkit.org/show_bug.cgi?id=143361
514
515         Reviewed by Csaba Osztrogonác.
516
517         * CMakeLists.txt: InspectorBackendCommands.js is generated in the
518         DerivedSources/JavaScriptCore/inspector/ directory.
519
520 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
521
522         Unreviewed, fixing Clang builds of the GTK port on Linux.
523
524         * runtime/Options.cpp:
525         Include the <math.h> header for isnan().
526
527 2015-04-02  Mark Lam  <mark.lam@apple.com>
528
529         Enhance ability to dump JSC Options.
530         <https://webkit.org/b/143357>
531
532         Reviewed by Benjamin Poulain.
533
534         Some enhancements to how the JSC options work:
535
536         1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
537            2 = All, 3 = Verbose.
538
539            The default is 0 (None).  This dumps nothing.
540            With the Overridden setting, at VM initialization time, we will dump all
541            option values that have been changed from their default.
542            With the All setting, at VM initialization time, we will dump all option values.
543            With the Verbose setting, at VM initialization time, we will dump all option
544            values along with their descriptions (if available).
545
546         2. We now store a copy of the default option values.
547
548            We later use this for comparison to tell if an option has been overridden, and
549            print the default value for reference.  As a result, we no longer need the
550            didOverride flag since we can compute whether the option is overridden at any time.
551
552         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
553
554            This will come in handy later when we want to rename some of the options to more sane
555            names that are easier to remember.  For example, we can change
556            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
557            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
558            of the description, we can afford to use shorter and less descriptive option names,
559            but they will be easier to remember and use for day to day debugging work.
560
561            In this patch, I did not change the names of any of the options yet.  I only added
562            description strings for options that I know about, and where I think the option name
563            isn't already descriptive enough.
564
565         4. Also deleted some unused code.
566
567         * jsc.cpp:
568         (CommandLine::parseArguments):
569         * runtime/Options.cpp:
570         (JSC::Options::initialize):
571         (JSC::Options::setOption):
572         (JSC::Options::dumpAllOptions):
573         (JSC::Options::dumpOption):
574         (JSC::Options::Option::dump):
575         (JSC::Options::Option::operator==):
576         * runtime/Options.h:
577         (JSC::OptionRange::rangeString):
578         (JSC::Options::Option::Option):
579         (JSC::Options::Option::operator!=):
580
581 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
582
583         JavaScriptCore API should support type checking for Array and Date
584         https://bugs.webkit.org/show_bug.cgi?id=143324
585
586         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
587
588         * API/JSValue.h:
589         * API/JSValue.mm:
590         (-[JSValue isArray]):
591         (-[JSValue isDate]): Added an ObjC API.
592
593         * API/JSValueRef.cpp:
594         (JSValueIsArray):
595         (JSValueIsDate):
596         * API/JSValueRef.h: Added a C API.
597
598         * API/WebKitAvailability.h: Brought our availability macros up to date
599         and fixed a harmless bug where "10_10" translated to "10.0".
600
601         * API/tests/testapi.c:
602         (main): Added a test and corrected a pre-existing leak.
603
604         * API/tests/testapi.mm:
605         (testObjectiveCAPI): Added a test.
606
607 2015-04-02  Mark Lam  <mark.lam@apple.com>
608
609         Add Options::dumpSourceAtDFGTime().
610         <https://webkit.org/b/143349>
611
612         Reviewed by Oliver Hunt, and Michael Saboff.
613
614         Sometimes, we will want to see the JS source code that we're compiling, and it
615         would be nice to be able to do this without having to jump through a lot of hoops.
616         So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
617         Options::dumpBytecodeAtDFGTime() option.
618
619         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
620         that explicitly take no arguments (instead of relying on the version that takes
621         the default argument).  These versions are friendlier to use when we want to call
622         them from an interactive debugging session.
623
624         * bytecode/CodeBlock.cpp:
625         (JSC::CodeBlock::dumpSource):
626         (JSC::CodeBlock::dumpBytecode):
627         * bytecode/CodeBlock.h:
628         * dfg/DFGByteCodeParser.cpp:
629         (JSC::DFG::ByteCodeParser::parseCodeBlock):
630         * runtime/Options.h:
631
632 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
633
634         Clean up EnumerationMode to easily extend
635         https://bugs.webkit.org/show_bug.cgi?id=143276
636
637         Reviewed by Geoffrey Garen.
638
639         To make the following easy:
640         1. adding a new Include/ExcludeSymbols flag in the Object.getOwnPropertySymbols patch, and
641         2. making ExcludeSymbols the implicit default for the existing flags,
642         we encapsulate the EnumerationMode flags in an EnumerationMode class.
643
644         This class manages 2 flags. Later it will be extended to 3.
645         1. DontEnumPropertiesMode (default is Exclude)
646         2. JSObjectPropertiesMode (default is Include)
647         3. SymbolPropertiesMode (default is Exclude)
648             SymbolPropertiesMode will be added in the Object.getOwnPropertySymbols patch.
649
650         This patch replaces places using ExcludeDontEnumProperties
651         with the EnumerationMode() value, which represents the default mode.
652
653         * API/JSCallbackObjectFunctions.h:
654         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
655         * API/JSObjectRef.cpp:
656         (JSObjectCopyPropertyNames):
657         * bindings/ScriptValue.cpp:
658         (Deprecated::jsToInspectorValue):
659         * bytecode/ObjectAllocationProfile.h:
660         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
661         * runtime/ArrayPrototype.cpp:
662         (JSC::arrayProtoFuncSort):
663         * runtime/EnumerationMode.h:
664         (JSC::EnumerationMode::EnumerationMode):
665         (JSC::EnumerationMode::includeDontEnumProperties):
666         (JSC::EnumerationMode::includeJSObjectProperties):
667         (JSC::shouldIncludeDontEnumProperties): Deleted.
668         (JSC::shouldExcludeDontEnumProperties): Deleted.
669         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
670         (JSC::modeThatSkipsJSObject): Deleted.
671         * runtime/GenericArgumentsInlines.h:
672         (JSC::GenericArguments<Type>::getOwnPropertyNames):
673         * runtime/JSArray.cpp:
674         (JSC::JSArray::getOwnNonIndexPropertyNames):
675         * runtime/JSArrayBuffer.cpp:
676         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
677         * runtime/JSArrayBufferView.cpp:
678         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
679         * runtime/JSFunction.cpp:
680         (JSC::JSFunction::getOwnNonIndexPropertyNames):
681         * runtime/JSFunction.h:
682         * runtime/JSGenericTypedArrayViewInlines.h:
683         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
684         * runtime/JSLexicalEnvironment.cpp:
685         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
686         * runtime/JSONObject.cpp:
687         (JSC::Stringifier::Holder::appendNextProperty):
688         (JSC::Walker::walk):
689         * runtime/JSObject.cpp:
690         (JSC::getClassPropertyNames):
691         (JSC::JSObject::getOwnPropertyNames):
692         (JSC::JSObject::getOwnNonIndexPropertyNames):
693         (JSC::JSObject::getGenericPropertyNames):
694         * runtime/JSPropertyNameEnumerator.h:
695         (JSC::propertyNameEnumerator):
696         * runtime/JSSymbolTableObject.cpp:
697         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
698         * runtime/ObjectConstructor.cpp:
699         (JSC::objectConstructorGetOwnPropertyNames):
700         (JSC::objectConstructorKeys):
701         (JSC::defineProperties):
702         (JSC::objectConstructorSeal):
703         (JSC::objectConstructorFreeze):
704         (JSC::objectConstructorIsSealed):
705         (JSC::objectConstructorIsFrozen):
706         * runtime/RegExpObject.cpp:
707         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
708         (JSC::RegExpObject::getPropertyNames):
709         (JSC::RegExpObject::getGenericPropertyNames):
710         * runtime/StringObject.cpp:
711         (JSC::StringObject::getOwnPropertyNames):
712         * runtime/Structure.cpp:
713         (JSC::Structure::getPropertyNamesFromStructure):
714
715 2015-04-01  Alex Christensen  <achristensen@webkit.org>
716
717         Progress towards CMake on Windows and Mac.
718         https://bugs.webkit.org/show_bug.cgi?id=143293
719
720         Reviewed by Filip Pizlo.
721
722         * CMakeLists.txt:
723         Enabled using assembly on Windows.
724         Replaced unix commands with CMake commands.
725         * PlatformMac.cmake:
726         Tell open source builders where to find unicode headers.
727
728 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
729
730         IteratorClose should be called when jumping over the target for-of loop
731         https://bugs.webkit.org/show_bug.cgi?id=143140
732
733         Reviewed by Geoffrey Garen.
734
735         This patch fixes labeled break/continue behaviors with for-of and iterators.
736
737         1. Support IteratorClose beyond multiple loop contexts
738         Previously, IteratorClose was only executed in for-of's breakTarget().
739         However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
740         For example,
741         outer: for (var e1 of outer) {
742             inner: for (var e2 of inner) {
743                 break outer;
744             }
745         }
746         In this case, the return method of inner should be called.
747         We leverage the existing system for `finally` to execute inner.return method correctly.
748         Leveraging `finally` system fixes `break`, `continue` and `return` cases.
749         `throw` case is already supported by emitting try-catch handlers in for-of.
750
751         2. Incorrect LabelScope creation is done in ForOfNode
752         ForOfNode creates duplicated LabelScope.
753         It causes an infinite loop when executing the following program, which contains an
754         explicitly labeled for-of loop.
755         For example,
756         inner: for (var elm of array) {
757             continue inner;
758         }
759
760         * bytecompiler/BytecodeGenerator.cpp:
761         (JSC::BytecodeGenerator::pushFinallyContext):
762         (JSC::BytecodeGenerator::pushIteratorCloseContext):
763         (JSC::BytecodeGenerator::popFinallyContext):
764         (JSC::BytecodeGenerator::popIteratorCloseContext):
765         (JSC::BytecodeGenerator::emitComplexPopScopes):
766         (JSC::BytecodeGenerator::emitEnumeration):
767         (JSC::BytecodeGenerator::emitIteratorClose):
768         * bytecompiler/BytecodeGenerator.h:
769         * bytecompiler/NodesCodegen.cpp:
770         (JSC::ForOfNode::emitBytecode):
771         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
772         (createIterator.iterator.return):
773         (createIterator):
774         * tests/stress/raise-error-in-iterator-close.js: Added.
775         (createIterator.iterator.return):
776         (createIterator):
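
As an added example (not code from the WebKit patch or its tests), a JavaScript iterable whose iterator logs calls to its return() method, exercised by the four early-exit paths the entry describes: labeled break, labeled continue, return, and throw. The helper names are my own.

```javascript
// Added example (not from the WebKit patch): a logging iterable that records
// when its iterator's return() is invoked, used to show that leaving a nested
// for-of early must close the inner iterator (the IteratorClose protocol),
// and, when the exit also leaves the outer loop, the outer iterator too.
function makeIterable(name, count, log) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          return i < count
            ? { value: `${name}${i++}`, done: false }
            : { value: undefined, done: true };
        },
        // IteratorClose: the engine calls this on any early exit from for-of.
        return() {
          log.push(`${name}.return`);
          return { done: true };
        },
      };
    },
  };
}

// `break outer` leaves both loops: inner.return runs first, then outer.return.
function labeledBreak(log) {
  outer: for (const a of makeIterable("outer", 2, log)) {
    for (const b of makeIterable("inner", 2, log)) {
      log.push(`${a}/${b}`);
      break outer;
    }
  }
  return log;
}

// `continue outer` leaves only the inner loop each time, so only inner.return
// runs; the outer iterator is exhausted normally and never closed.
function labeledContinue(log) {
  outer: for (const a of makeIterable("outer", 2, log)) {
    for (const b of makeIterable("inner", 2, log)) {
      log.push(`${a}/${b}`);
      continue outer;
    }
  }
  return log;
}

// A return statement inside both loops closes both iterators, like a break.
function returnFromNested(log) {
  function run() {
    for (const a of makeIterable("outer", 2, log)) {
      for (const b of makeIterable("inner", 2, log)) {
        log.push(`${a}/${b}`);
        return;
      }
    }
  }
  run();
  return log;
}

// A throw closes both iterators before the exception reaches the catch block.
function throwFromNested(log) {
  try {
    for (const a of makeIterable("outer", 2, log)) {
      for (const b of makeIterable("inner", 2, log)) {
        log.push(`${a}/${b}`);
        throw new Error("boom");
      }
    }
  } catch (e) {
    log.push(`caught ${e.message}`);
  }
  return log;
}
```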
777
778 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
779
780         [ES6] Implement Symbol.unscopables
781         https://bugs.webkit.org/show_bug.cgi?id=142829
782
783         Reviewed by Geoffrey Garen.
784
785         This patch introduces Symbol.unscopables functionality.
786         In ES6, some generic names (like keys, values) are introduced
787         as Array method names. This breaks the web, since some web sites
788         use code like the following.
789
790         var values = ...;
791         with (array) {
792             values;  // This values is trapped by array's method "values".
793         }
794
795         To fix this, Symbol.unscopables introduces a blacklist
796         for with-scope trapping. When resolving a scope,
797         if the name is found in the target scope and the target scope is a with scope,
798         we check the Symbol.unscopables object to filter generic names.
799
800         This functionality is only active for with scopes.
801         Global scope does not have unscopables functionality.
802
803         And since
804         1) op_resolve_scope for a with scope always returns the Dynamic resolve type,
805         2) in that case, JSScope::resolve is always used in JIT and LLInt,
806         3) the code which contains an op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
807         to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
808         So the performance regression is only visible in the Dynamic resolving case, and that is already very slow.
809
810         * runtime/ArrayPrototype.cpp:
811         (JSC::ArrayPrototype::finishCreation):
812         * runtime/CommonIdentifiers.h:
813         * runtime/JSGlobalObject.h:
814         (JSC::JSGlobalObject::runtimeFlags):
815         * runtime/JSScope.cpp:
816         (JSC::isUnscopable):
817         (JSC::JSScope::resolve):
818         * runtime/JSScope.h:
819         (JSC::ScopeChainIterator::scope):
820         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
821         (test):
822         * tests/stress/unscopables.js: Added.
823         (test):
824         (.):
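
As an added example (not code from the WebKit patch or its tests), the `with`-scope resolution the entry describes, shown in JavaScript: the `values` name being trapped by a scope object, the Array.prototype[Symbol.unscopables] blacklist letting the outer binding through, and the same mechanism on a user object. The helper names are my own.

```javascript
// Added example (not from the WebKit patch): how Symbol.unscopables changes
// name resolution inside a `with` block. The bodies are compiled with
// `new Function` so they are always sloppy-mode code (`with` is a SyntaxError
// in strict mode), regardless of how this file itself is loaded.
const lookupValues = new Function(
  "scopeObject",
  "values",
  "with (scopeObject) { return values; }"
);
const lookupOther = new Function(
  "scopeObject",
  "other",
  "with (scopeObject) { return other; }"
);

// The breakage the entry describes: a scope object that has a `values`
// property and no Symbol.unscopables shadows the outer `values` binding.
function resolveWithoutUnscopables() {
  const scope = Object.create(null); // no prototype, so no unscopables either
  scope.values = "from scope object";
  return lookupValues(scope, "outer binding");
}

// Array.prototype[Symbol.unscopables].values is true, so the engine skips the
// array's `values` method and the bare name resolves to the outer binding.
function resolveArrayValues() {
  const arr = [1, 2, 3];
  const unscopables = Array.prototype[Symbol.unscopables];
  return {
    isBlacklisted: unscopables.values === true,
    resolved: lookupValues(arr, "outer binding"),
  };
}

// The same mechanism on a user object: an own Symbol.unscopables property
// hides the listed names from `with`; everything else is still trapped.
function resolveCustomObject() {
  const obj = { values: "trapped", other: "also trapped" };
  obj[Symbol.unscopables] = { values: true };
  return {
    values: lookupValues(obj, "outer binding"),
    other: lookupOther(obj, "outer binding"),
  };
}
```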
825
826 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
827
828         ES6 class syntax should allow static setters and getters
829         https://bugs.webkit.org/show_bug.cgi?id=143180
830
831         Reviewed by Filip Pizlo.
832
833         Apparently I misread the spec when I initially implemented parseClass.
834         ES6 class syntax allows static getters and setters so just allow that.
835
836         * parser/Parser.cpp:
837         (JSC::Parser<LexerType>::parseClass):
838
839 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
840
841         PutClosureVar CSE def() rule has a wrong base
842         https://bugs.webkit.org/show_bug.cgi?id=143280
843
844         Reviewed by Michael Saboff.
845         
846         I think that this code was incorrect in a benign way, since the base of a
847         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
848
849         * dfg/DFGClobberize.h:
850         (JSC::DFG::clobberize):
851
852 2015-03-31  Commit Queue  <commit-queue@webkit.org>
853
854         Unreviewed, rolling out r182200.
855         https://bugs.webkit.org/show_bug.cgi?id=143279
856
857         Probably causing assertion extravaganza on bots. (Requested by
858         kling on #webkit).
859
860         Reverted changeset:
861
862         "Logically empty WeakBlocks should not pin down their
863         MarkedBlocks indefinitely."
864         https://bugs.webkit.org/show_bug.cgi?id=143210
865         http://trac.webkit.org/changeset/182200
866
867 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
868
869         Clean up Identifier factories to clarify the meaning of StringImpl*
870         https://bugs.webkit.org/show_bug.cgi?id=143146
871
872         Reviewed by Filip Pizlo.
873
874         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
875         However, it's ambiguous because `StringImpl*` has 2 different meanings:
876         1) a normal string, which is replaceable with `WTFString`, and
877         2) a `uid`, which holds `isSymbol` information to represent Symbols.
878         So we dropped Identifier constructors for strings and instead, introduced 2 factory functions.
879         + `Identifier::fromString(VM*/ExecState*, const String&)`.
880         Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
881         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
882         This function is used for 2) `uid`. So symbol-ness of `StringImpl*` is kept.
883
884         And to clean up `StringImpl` which is used as uid,
885         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
886         1. StringNormal (non-atomic, non-symbol)
887         2. StringAtomic (atomic, non-symbol)
888         3. StringSymbol (non-atomic, symbol)
889         They are mutually exclusive, and the (atomic, symbol) case should not exist.
890
891         * API/JSCallbackObjectFunctions.h:
892         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
893         * API/JSObjectRef.cpp:
894         (JSObjectMakeFunction):
895         * API/OpaqueJSString.cpp:
896         (OpaqueJSString::identifier):
897         * bindings/ScriptFunctionCall.cpp:
898         (Deprecated::ScriptFunctionCall::call):
899         * builtins/BuiltinExecutables.cpp:
900         (JSC::BuiltinExecutables::createExecutableInternal):
901         * builtins/BuiltinNames.h:
902         (JSC::BuiltinNames::BuiltinNames):
903         * bytecompiler/BytecodeGenerator.cpp:
904         (JSC::BytecodeGenerator::BytecodeGenerator):
905         (JSC::BytecodeGenerator::emitThrowReferenceError):
906         (JSC::BytecodeGenerator::emitThrowTypeError):
907         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
908         (JSC::BytecodeGenerator::emitEnumeration):
909         * dfg/DFGDesiredIdentifiers.cpp:
910         (JSC::DFG::DesiredIdentifiers::reallyAdd):
911         * inspector/JSInjectedScriptHost.cpp:
912         (Inspector::JSInjectedScriptHost::functionDetails):
913         (Inspector::constructInternalProperty):
914         (Inspector::JSInjectedScriptHost::weakMapEntries):
915         (Inspector::JSInjectedScriptHost::iteratorEntries):
916         * inspector/JSInjectedScriptHostPrototype.cpp:
917         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
918         * inspector/JSJavaScriptCallFramePrototype.cpp:
919         * inspector/ScriptCallStackFactory.cpp:
920         (Inspector::extractSourceInformationFromException):
921         * jit/JITOperations.cpp:
922         * jsc.cpp:
923         (GlobalObject::finishCreation):
924         (GlobalObject::addFunction):
925         (GlobalObject::addConstructableFunction):
926         (functionRun):
927         (runWithScripts):
928         * llint/LLIntData.cpp:
929         (JSC::LLInt::Data::performAssertions):
930         * llint/LowLevelInterpreter.asm:
931         * parser/ASTBuilder.h:
932         (JSC::ASTBuilder::addVar):
933         * parser/Parser.cpp:
934         (JSC::Parser<LexerType>::parseInner):
935         (JSC::Parser<LexerType>::createBindingPattern):
936         * parser/ParserArena.h:
937         (JSC::IdentifierArena::makeIdentifier):
938         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
939         (JSC::IdentifierArena::makeNumericIdentifier):
940         * runtime/ArgumentsIteratorPrototype.cpp:
941         (JSC::ArgumentsIteratorPrototype::finishCreation):
942         * runtime/ArrayIteratorPrototype.cpp:
943         (JSC::ArrayIteratorPrototype::finishCreation):
944         * runtime/ArrayPrototype.cpp:
945         (JSC::ArrayPrototype::finishCreation):
946         (JSC::arrayProtoFuncPush):
947         * runtime/ClonedArguments.cpp:
948         (JSC::ClonedArguments::getOwnPropertySlot):
949         * runtime/CommonIdentifiers.cpp:
950         (JSC::CommonIdentifiers::CommonIdentifiers):
951         * runtime/CommonIdentifiers.h:
952         * runtime/Error.cpp:
953         (JSC::addErrorInfo):
954         (JSC::hasErrorInfo):
955         * runtime/ExceptionHelpers.cpp:
956         (JSC::createUndefinedVariableError):
957         * runtime/GenericArgumentsInlines.h:
958         (JSC::GenericArguments<Type>::getOwnPropertySlot):
959         * runtime/Identifier.h:
960         (JSC::Identifier::isSymbol):
961         (JSC::Identifier::Identifier):
962         (JSC::Identifier::from): Deleted.
963         * runtime/IdentifierInlines.h:
964         (JSC::Identifier::Identifier):
965         (JSC::Identifier::fromUid):
966         (JSC::Identifier::fromString):
967         * runtime/JSCJSValue.cpp:
968         (JSC::JSValue::dumpInContextAssumingStructure):
969         * runtime/JSCJSValueInlines.h:
970         (JSC::JSValue::toPropertyKey):
971         * runtime/JSGlobalObject.cpp:
972         (JSC::JSGlobalObject::init):
973         * runtime/JSLexicalEnvironment.cpp:
974         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
975         * runtime/JSObject.cpp:
976         (JSC::getClassPropertyNames):
977         (JSC::JSObject::reifyStaticFunctionsForDelete):
978         * runtime/JSObject.h:
979         (JSC::makeIdentifier):
980         * runtime/JSPromiseConstructor.cpp:
981         (JSC::JSPromiseConstructorFuncRace):
982         (JSC::JSPromiseConstructorFuncAll):
983         * runtime/JSString.h:
984         (JSC::JSString::toIdentifier):
985         * runtime/JSSymbolTableObject.cpp:
986         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
987         * runtime/LiteralParser.cpp:
988         (JSC::LiteralParser<CharType>::tryJSONPParse):
989         (JSC::LiteralParser<CharType>::makeIdentifier):
990         * runtime/Lookup.h:
991         (JSC::reifyStaticProperties):
992         * runtime/MapConstructor.cpp:
993         (JSC::constructMap):
994         * runtime/MapIteratorPrototype.cpp:
995         (JSC::MapIteratorPrototype::finishCreation):
996         * runtime/MapPrototype.cpp:
997         (JSC::MapPrototype::finishCreation):
998         * runtime/MathObject.cpp:
999         (JSC::MathObject::finishCreation):
1000         * runtime/NumberConstructor.cpp:
1001         (JSC::NumberConstructor::finishCreation):
1002         * runtime/ObjectConstructor.cpp:
1003         (JSC::ObjectConstructor::finishCreation):
1004         * runtime/PrivateName.h:
1005         (JSC::PrivateName::PrivateName):
1006         * runtime/PropertyMapHashTable.h:
1007         (JSC::PropertyTable::find):
1008         (JSC::PropertyTable::get):
1009         * runtime/PropertyName.h:
1010         (JSC::PropertyName::PropertyName):
1011         (JSC::PropertyName::publicName):
1012         (JSC::PropertyName::asIndex):
1013         * runtime/PropertyNameArray.cpp:
1014         (JSC::PropertyNameArray::add):
1015         * runtime/PropertyNameArray.h:
1016         (JSC::PropertyNameArray::addKnownUnique):
1017         * runtime/RegExpConstructor.cpp:
1018         (JSC::RegExpConstructor::finishCreation):
1019         * runtime/SetConstructor.cpp:
1020         (JSC::constructSet):
1021         * runtime/SetIteratorPrototype.cpp:
1022         (JSC::SetIteratorPrototype::finishCreation):
1023         * runtime/SetPrototype.cpp:
1024         (JSC::SetPrototype::finishCreation):
1025         * runtime/StringIteratorPrototype.cpp:
1026         (JSC::StringIteratorPrototype::finishCreation):
1027         * runtime/StringPrototype.cpp:
1028         (JSC::StringPrototype::finishCreation):
1029         * runtime/Structure.cpp:
1030         (JSC::Structure::getPropertyNamesFromStructure):
1031         * runtime/SymbolConstructor.cpp:
1032         * runtime/VM.cpp:
1033         (JSC::VM::throwException):
1034         * runtime/WeakMapConstructor.cpp:
1035         (JSC::constructWeakMap):
1036
1037 2015-03-31  Andreas Kling  <akling@apple.com>
1038
1039         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
1040         <https://webkit.org/b/143210>
1041
1042         Reviewed by Geoffrey Garen.
1043
1044         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
1045         we had a little problem where WeakBlocks with only null pointers would still keep their
1046         MarkedBlock alive.
1047
1048         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
1049         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
1050         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
1051         destroying them once they're fully dead.
1052
1053         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
1054         a mysterious issue where doing two full garbage collections back-to-back would free additional
1055         memory in the second collection.
1056
1057         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
1058         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
1059         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
1060
1061         * heap/Heap.h:
1062         * heap/Heap.cpp:
1063         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
1064         owned by Heap, after everything else has been swept.
1065
1066         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
1067         after a full garbage collection ends. Note that we don't do this after Eden collections, since
1068         they are unlikely to cause entire WeakBlocks to go empty.
1069
1070         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
1071         to the Heap when it's detached from a WeakSet.
1072
1073         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
1074         of the logically empty WeakBlocks owned by Heap.
1075
1076         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1077         and updates the next-logically-empty-weak-block-to-sweep index.
1078
1079         (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
1080         won't be another chance after this.
1081
1082         * heap/IncrementalSweeper.h:
1083         (JSC::IncrementalSweeper::hasWork): Deleted.
1084
1085         * heap/IncrementalSweeper.cpp:
1086         (JSC::IncrementalSweeper::fullSweep):
1087         (JSC::IncrementalSweeper::doSweep):
1088         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1089         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1090         changed to return a bool (true if there's more work to be done.)
1091
1092         * heap/WeakBlock.cpp:
1093         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
1094         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1095
1096         * heap/WeakBlock.h:
1097         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1098         if the WeakBlock could be detached from the MarkedBlock.
1099
1100         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1101         when declaring them.
1102
1103 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
1104
1105         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
1106         https://bugs.webkit.org/show_bug.cgi?id=142883
1107
1108         Reviewed by Filip Pizlo.
1109
1110         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
1111
1112         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
1113         in eval inside a derived class' constructor.
1114
1115         * bytecode/EvalCodeCache.h:
1116         (JSC::EvalCodeCache::getSlow):
1117         * bytecompiler/NodesCodegen.cpp:
1118         (JSC::ThisNode::emitBytecode):
1119         * debugger/DebuggerCallFrame.cpp:
1120         (JSC::DebuggerCallFrame::evaluate):
1121         * interpreter/Interpreter.cpp:
1122         (JSC::eval):
1123         * parser/ASTBuilder.h:
1124         (JSC::ASTBuilder::thisExpr):
1125         * parser/NodeConstructors.h:
1126         (JSC::ThisNode::ThisNode):
1127         * parser/Nodes.h:
1128         * parser/Parser.cpp:
1129         (JSC::Parser<LexerType>::Parser):
1130         (JSC::Parser<LexerType>::parsePrimaryExpression):
1131         * parser/Parser.h:
1132         (JSC::parse):
1133         * parser/ParserModes.h:
1134         * parser/SyntaxChecker.h:
1135         (JSC::SyntaxChecker::thisExpr):
1136         * runtime/CodeCache.cpp:
1137         (JSC::CodeCache::getGlobalCodeBlock):
1138         (JSC::CodeCache::getProgramCodeBlock):
1139         (JSC::CodeCache::getEvalCodeBlock):
1140         * runtime/CodeCache.h:
1141         (JSC::SourceCodeKey::SourceCodeKey):
1142         * runtime/Executable.cpp:
1143         (JSC::EvalExecutable::create):
1144         * runtime/Executable.h:
1145         * runtime/JSGlobalObject.cpp:
1146         (JSC::JSGlobalObject::createEvalCodeBlock):
1147         * runtime/JSGlobalObject.h:
1148         * runtime/JSGlobalObjectFunctions.cpp:
1149         (JSC::globalFuncEval):
1150         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
1151         * tests/stress/class-syntax-tdz-in-eval.js: Added.
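
As an added example (not code from the WebKit patch or its tests), a JavaScript probe showing the TDZ rule the entry relies on: `this` in a derived-class constructor must raise a ReferenceError before super() returns, whether it is accessed directly or through eval, and reads normally afterwards. The class and function names are my own.

```javascript
// Added example (not from the WebKit patch): `this` in a derived-class
// constructor is in its temporal dead zone (TDZ) until super() returns, and a
// direct eval inside that constructor has to perform the same check instead
// of reading an uninitialized `this`. Each probe records what happened.
class Base {
  constructor() {
    this.foo = "initialized";
  }
}

function probeThisAccess(viaEval) {
  const outcome = {};
  class Derived extends Base {
    constructor() {
      // Before super(): both paths must throw ReferenceError (the eval path
      // is the one this entry fixes in JSC).
      try {
        outcome.beforeSuper = viaEval ? eval("this.foo") : this.foo;
      } catch (e) {
        outcome.beforeSuper = e.constructor.name;
      }
      super();
      // After super(): `this` is initialized and both paths read the property.
      outcome.afterSuper = viaEval ? eval("this.foo") : this.foo;
    }
  }
  new Derived();
  return outcome;
}
```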
1152
1153 2015-03-31  Commit Queue  <commit-queue@webkit.org>
1154
1155         Unreviewed, rolling out r182186.
1156         https://bugs.webkit.org/show_bug.cgi?id=143270
1157
1158         it crashes all the WebGL tests on the Debug bots (Requested by
1159         dino on #webkit).
1160
1161         Reverted changeset:
1162
1163         "Web Inspector: add 2D/WebGL canvas instrumentation
1164         infrastructure"
1165         https://bugs.webkit.org/show_bug.cgi?id=137278
1166         http://trac.webkit.org/changeset/182186
1167
1168 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1169
1170         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
1171         https://bugs.webkit.org/show_bug.cgi?id=142937
1172
1173         Reviewed by Darin Adler.
1174
1175         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
1176         In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
1177         But now, several functions perform ToObject onto a non-object parameter.
1178         And the others behave as if the parameter were a non-extensible ordinary object with no own properties.
1179         It is described in ES6 Annex E.
1180         The functions that differ from ES5 are the following.
1181
1182         1. An attempt is made to coerce the argument using ToObject.
1183             Object.getOwnPropertyDescriptor
1184             Object.getOwnPropertyNames
1185             Object.getPrototypeOf
1186             Object.keys
1187
1188         2. Treated as if it was a non-extensible ordinary object with no own properties.
1189             Object.freeze
1190             Object.isExtensible
1191             Object.isFrozen
1192             Object.isSealed
1193             Object.preventExtensions
1194             Object.seal
1195
1196         * runtime/ObjectConstructor.cpp:
1197         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1198         (JSC::objectConstructorGetPrototypeOf):
1199         (JSC::objectConstructorGetOwnPropertyDescriptor):
1200         (JSC::objectConstructorGetOwnPropertyNames):
1201         (JSC::objectConstructorKeys):
1202         (JSC::objectConstructorSeal):
1203         (JSC::objectConstructorFreeze):
1204         (JSC::objectConstructorPreventExtensions):
1205         (JSC::objectConstructorIsSealed):
1206         (JSC::objectConstructorIsFrozen):
1207         (JSC::objectConstructorIsExtensible):
1208         * tests/stress/object-freeze-accept-non-object.js: Added.
1209         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
1210         (canary):
1211         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
1212         (compare):
1213         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
1214         * tests/stress/object-is-extensible-accept-non-object.js: Added.
1215         * tests/stress/object-is-frozen-accept-non-object.js: Added.
1216         * tests/stress/object-is-sealed-accept-non-object.js: Added.
1217         * tests/stress/object-keys-perform-to-object.js: Added.
1218         (compare):
1219         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
1220         * tests/stress/object-seal-accept-non-object.js: Added.
1221
1222 2015-03-31  Matt Baker  <mattbaker@apple.com>
1223
1224         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
1225         https://bugs.webkit.org/show_bug.cgi?id=137278
1226
1227         Reviewed by Timothy Hatcher.
1228
1229         Added Canvas protocol which defines types used by InspectorCanvasAgent.
1230
1231         * CMakeLists.txt:
1232         * DerivedSources.make:
1233         * inspector/protocol/Canvas.json: Added.
1234
1235         * inspector/scripts/codegen/generator.py:
1236         (Generator.stylized_name_for_enum_value):
1237         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
1238
1239 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
1240
1241         Extending null should set __proto__ to null
1242         https://bugs.webkit.org/show_bug.cgi?id=142882
1243
1244         Reviewed by Geoffrey Garen and Benjamin Poulain.
1245
1246         Set Derived.prototype.__proto__ to null when extending null.
1247
1248         * bytecompiler/NodesCodegen.cpp:
1249         (JSC::ClassExprNode::emitBytecode):
1250
1251 2015-03-30  Mark Lam  <mark.lam@apple.com>
1252
1253         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
1254         <https://webkit.org/b/143105>
1255
1256         Reviewed by Filip Pizlo.
1257
1258         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
1259         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
1260         JIT frames that may have their scope register not set.  The Debugger's current implementation
1261         which relies on the scope register is not happy about this.  For example, this results in a
1262         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
1263
1264         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
1265         ensure that the scope register value is flushed to the register in the stack frame.
1266
1267         * dfg/DFGByteCodeParser.cpp:
1268         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1269         (JSC::DFG::ByteCodeParser::setLocal):
1270         (JSC::DFG::ByteCodeParser::flush):
1271         - Add code to flush the scope register.
1272         (JSC::DFG::ByteCodeParser::inliningCost):
1273         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
1274           disabling inlining whenever the debugger is in use.
1275         * dfg/DFGGraph.cpp:
1276         (JSC::DFG::Graph::Graph):
1277         * dfg/DFGGraph.h:
1278         (JSC::DFG::Graph::hasDebuggerEnabled):
1279         * dfg/DFGStackLayoutPhase.cpp:
1280         (JSC::DFG::StackLayoutPhase::run):
1281         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
1282         * ftl/FTLCompile.cpp:
1283         (JSC::FTL::mmAllocateDataSection):
1284         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
1285
1286 2015-03-30  Michael Saboff  <msaboff@apple.com>
1287
1288         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
1289         https://bugs.webkit.org/show_bug.cgi?id=138391
1290
1291         Reviewed by Mark Lam.
1292
1293         Re-enabling these tests as I can't get them to fail on local iOS test devices.
1294         There have been many changes since these tests were disabled.
1295         I'll watch automated test results for failures.  If there are failures running automated
1296         testing, it might be due to the device's relative CPU performance.
1297         
1298         * tests/stress/float32-repeat-out-of-bounds.js:
1299         * tests/stress/int8-repeat-out-of-bounds.js:
1300
1301 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
1302
1303         Web Inspector: Regression: Preview for [[null]] shouldn't be []
1304         https://bugs.webkit.org/show_bug.cgi?id=143208
1305
1306         Reviewed by Mark Lam.
1307
1308         * inspector/InjectedScriptSource.js:
1309         Handle null when generating simple object previews.
1310
1311 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
1312
1313         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
1314         https://bugs.webkit.org/show_bug.cgi?id=143134
1315
1316         Reviewed by Geoffrey Garen.
1317
1318         * jit/JSInterfaceJIT.h:
1319         * jit/Repatch.cpp:
1320         (JSC::tryCacheGetByID):
1321
1322 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
1323
1324         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
1325         https://bugs.webkit.org/show_bug.cgi?id=143104
1326
1327         Reviewed by Geoffrey Garen.
1328         
1329         Created a test that is a 100% repro of the flaky failure. This test is called
1330         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
1331         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
1332         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
1333         
1334         Also created three more tests for three similar, but not identical, failures.
1335         
1336         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
1337         only reading those parts of the stack that are relevant to the current semantic code origin.
1338         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
1339         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
1340         read parts of the stack associated with the inline call frame for the phantom arguments. This
1341         may not be subsumed by the current semantic origin's stack area in cases that the arguments
1342         were allowed to "locally" escape.
1343         
1344         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
1345         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
1346         the stack due to function.arguments, but there are a bunch of other ways that we could also
1347         read the stack and those operations may read any stack slot. I believe that this change makes
1348         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
1349         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
1350         readTop() in PreciseLocalClobberize does the right thing.
1351
1352         * dfg/DFGClobberize.h:
1353         (JSC::DFG::clobberize):
1354         * dfg/DFGPreciseLocalClobberize.h:
1355         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1356         * dfg/DFGPutStackSinkingPhase.cpp:
1357         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
1358         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
1359         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
1360         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
1361         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
1362
1363 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
1364
1365         Start the features.json files
1366         https://bugs.webkit.org/show_bug.cgi?id=143207
1367
1368         Reviewed by Darin Adler.
1369
1370         Start the features.json files to have something to experiment
1371         with for the UI.
1372
1373         * features.json: Added.
1374
1375 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1376
1377         [Win] Addressing post-review comment after r182122
1378         https://bugs.webkit.org/show_bug.cgi?id=143189
1379
1380         Unreviewed.
1381
1382 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1383
1384         [Win] Allow building JavaScriptCore without Cygwin
1385         https://bugs.webkit.org/show_bug.cgi?id=143189
1386
1387         Reviewed by Brent Fulgham.
1388
1389         Paths like /usr/bin/ don't exist on Windows.
1390         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
1391         Prefixing commands with environment variables doesn't work on Windows.
1392         Windows doesn't have 'cmp'.
1393         Windows uses 'del' instead of 'rm'.
1394         Windows uses 'type NUL' instead of 'touch'.
1395
1396         * DerivedSources.make:
1397         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1398         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1399         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
1400         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1401         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
1402         * JavaScriptCore.vcxproj/build-generated-files.pl:
1403         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
1404
1405 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
1406
1407         Clean up JavaScriptCore/builtins
1408         https://bugs.webkit.org/show_bug.cgi?id=143177
1409
1410         Reviewed by Ryosuke Niwa.
1411
1412         * builtins/ArrayConstructor.js:
1413         (from):
1414         - We can compare to undefined instead of using a typeof undefined check.
1415         - Converge on double quoted strings everywhere.
1416
1417         * builtins/ArrayIterator.prototype.js:
1418         (next):
1419         * builtins/StringIterator.prototype.js:
1420         (next):
1421         - Use shorthand object construction to avoid duplication.
1422         - Improve grammar in error messages.
1423
1424         * tests/stress/array-iterators-next-with-call.js:
1425         * tests/stress/string-iterators.js:
1426         - Update for new error message strings.
1427
1428 2015-03-28  Saam Barati  <saambarati1@gmail.com>
1429
1430         Web Inspector: ES6: Better support for Symbol types in Type Profiler
1431         https://bugs.webkit.org/show_bug.cgi?id=141257
1432
1433         Reviewed by Joseph Pecoraro.
1434
1435         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
1436         type profiler support this new primitive type.
1437
1438         * dfg/DFGFixupPhase.cpp:
1439         (JSC::DFG::FixupPhase::fixupNode):
1440         * inspector/protocol/Runtime.json:
1441         * runtime/RuntimeType.cpp:
1442         (JSC::runtimeTypeForValue):
1443         * runtime/RuntimeType.h:
1444         (JSC::runtimeTypeIsPrimitive):
1445         * runtime/TypeSet.cpp:
1446         (JSC::TypeSet::addTypeInformation):
1447         (JSC::TypeSet::dumpTypes):
1448         (JSC::TypeSet::doesTypeConformTo):
1449         (JSC::TypeSet::displayName):
1450         (JSC::TypeSet::inspectorTypeSet):
1451         (JSC::TypeSet::toJSONString):
1452         * runtime/TypeSet.h:
1453         (JSC::TypeSet::seenTypes):
1454         * tests/typeProfiler/driver/driver.js:
1455         * tests/typeProfiler/symbol.js: Added.
1456         (wrapper.foo):
1457         (wrapper.bar):
1458         (wrapper.bar.bar.baz):
1459         (wrapper):
1460
1461 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1462
1463         Deconstruction parameters are bound too late
1464         https://bugs.webkit.org/show_bug.cgi?id=143148
1465
1466         Reviewed by Filip Pizlo.
1467
1468         Currently, a deconstruction pattern named with the same
1469         name as a function will shadow the function. This is
1470         wrong. It should be the other way around.
1471
1472         * bytecompiler/BytecodeGenerator.cpp:
1473         (JSC::BytecodeGenerator::generate):
1474
1475 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1476
1477         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
1478         https://bugs.webkit.org/show_bug.cgi?id=143170
1479
1480         Reviewed by Benjamin Poulain.
1481
1482         Assert that we never use 16-bit version of the parser to parse a default constructor
1483         since both base and derived default constructors should be using an 8-bit string.
1484
1485         * parser/Parser.h:
1486         (JSC::parse):
1487
1488 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1489
1490         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
1491         https://bugs.webkit.org/show_bug.cgi?id=142862
1492
1493         Reviewed by Benjamin Poulain.
1494
1495         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
1496
1497         * tests/stress/class-syntax-derived-default-constructor.js: Added.
1498
1499 2015-03-27  Michael Saboff  <msaboff@apple.com>
1500
1501         load8Signed() and load16Signed() should be renamed to avoid confusion
1502         https://bugs.webkit.org/show_bug.cgi?id=143168
1503
1504         Reviewed by Benjamin Poulain.
1505
1506         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
1507
1508         * assembler/MacroAssemblerARM.h:
1509         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
1510         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
1511         (JSC::MacroAssemblerARM::load8Signed): Deleted.
1512         (JSC::MacroAssemblerARM::load16Signed): Deleted.
1513         * assembler/MacroAssemblerARM64.h:
1514         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
1515         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
1516         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
1517         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
1518         * assembler/MacroAssemblerARMv7.h:
1519         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
1520         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
1521         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
1522         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
1523         * assembler/MacroAssemblerMIPS.h:
1524         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1525         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1526         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
1527         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
1528         * assembler/MacroAssemblerSH4.h:
1529         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
1530         (JSC::MacroAssemblerSH4::load8):
1531         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
1532         (JSC::MacroAssemblerSH4::load16):
1533         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
1534         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
1535         * assembler/MacroAssemblerX86Common.h:
1536         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
1537         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
1538         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
1539         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
1540         * dfg/DFGSpeculativeJIT.cpp:
1541         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1542         * jit/JITPropertyAccess.cpp:
1543         (JSC::JIT::emitIntTypedArrayGetByVal):
1544
1545 2015-03-27  Michael Saboff  <msaboff@apple.com>
1546
1547         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
1548         https://bugs.webkit.org/show_bug.cgi?id=138390
1549
1550         Reviewed by Mark Lam.
1551
1552         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
1553         instead of 64 bits.  This is what X86-64 does.
1554
1555         * assembler/MacroAssemblerARM64.h:
1556         (JSC::MacroAssemblerARM64::load16Signed):
1557         (JSC::MacroAssemblerARM64::load8Signed):
1558
1559 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1560
1561         Add back previously broken assert from bug 141869
1562         https://bugs.webkit.org/show_bug.cgi?id=143005
1563
1564         Reviewed by Michael Saboff.
1565
1566         * runtime/ExceptionHelpers.cpp:
1567         (JSC::invalidParameterInSourceAppender):
1568
1569 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1570
1571         Make some more objects use FastMalloc
1572         https://bugs.webkit.org/show_bug.cgi?id=143122
1573
1574         Reviewed by Csaba Osztrogonác.
1575
1576         * API/JSCallbackObject.h:
1577         * heap/IncrementalSweeper.h:
1578         * jit/JITThunks.h:
1579         * runtime/JSGlobalObjectDebuggable.h:
1580         * runtime/RegExpCache.h:
1581
1582 2015-03-27  Michael Saboff  <msaboff@apple.com>
1583
1584         Objects with numeric properties intermittently get a phantom 'length' property
1585         https://bugs.webkit.org/show_bug.cgi?id=142792
1586
1587         Reviewed by Csaba Osztrogonác.
1588
1589         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
1590         test and branch instructions.  This function is used for linking tbz/tbnz branches between
1591         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
1592         the failure case checks in the GetById array length stub created for "obj.length" access.
1593         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
1594         being set when we should have been looking for bit 0.
1595
1596         * assembler/ARM64Assembler.h:
1597         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
1598
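As an added illustration (not code from this ChangeLog or from JavaScriptCore's ARM64Assembler), the following JavaScript decodes and encodes the AArch64 TBZ/TBNZ instruction word using the field layout documented in the ARM architecture reference: the tested bit number is split across bit 31 (b5) and bits 23:19 (b40), and the branch offset is a sign-extended 14-bit immediate, so a backwards branch like the negative-offset case in the entry above depends on the extraction being done with shifts and masks. Extracting a field with a comparison ('>') where a shift ('>>') was meant collapses it to 0 or 1, which is the class of slip the entry describes. The function names and the sample instruction words are constructed for this example.

```javascript
// Added example, not code from the WebKit ChangeLog or from JavaScriptCore:
// decode/encode AArch64 TBZ/TBNZ so the fields the entry talks about are visible.
// Field layout (A64 base instruction set):
//   bit 31     b5      high bit of the tested bit number
//   bits 30:25 011011  fixed opcode
//   bit 24     op      0 = TBZ, 1 = TBNZ
//   bits 23:19 b40     low five bits of the tested bit number
//   bits 18:5  imm14   signed branch offset in instructions (x4 for bytes)
//   bits 4:0   Rt      register whose bit is tested

const TB_FIXED_MASK = 0x7e000000;
const TB_FIXED_BITS = 0x36000000; // 0b011011 << 25

function isTestAndBranch(insn) {
  return ((insn & TB_FIXED_MASK) >>> 0) === TB_FIXED_BITS;
}

// Shift-then-mask field extraction. Using `>` instead of `>>` here would turn the
// field into a boolean comparison result (0 or 1) rather than the field's value.
function field(insn, shift, width) {
  return (insn >>> shift) & ((1 << width) - 1);
}

// Returns {mnemonic, rt, bitNumber, offsetBytes}, or null for any other instruction.
function decodeTestAndBranch(word) {
  const insn = word >>> 0;
  if (!isTestAndBranch(insn)) return null;
  const b5 = field(insn, 31, 1);
  const b40 = field(insn, 19, 5);
  const imm14 = field(insn, 5, 14);
  // Sign-extend the 14-bit immediate: move its sign bit to bit 31, then
  // arithmetic-shift back. Negative offsets (backwards branches) rely on this.
  const offsetBytes = ((imm14 << 18) >> 18) * 4;
  return {
    mnemonic: field(insn, 24, 1) ? "tbnz" : "tbz",
    rt: field(insn, 0, 5),
    bitNumber: (b5 << 5) | b40,
    offsetBytes,
  };
}

// Inverse of decodeTestAndBranch; returns the instruction word as an unsigned 32-bit number.
function encodeTestAndBranch(mnemonic, rt, bitNumber, offsetBytes) {
  if (bitNumber < 0 || bitNumber > 63) throw new RangeError("bit number out of range");
  if (offsetBytes % 4 !== 0) throw new RangeError("offset must be a multiple of 4");
  const imm14 = offsetBytes / 4;
  if (imm14 < -8192 || imm14 > 8191) throw new RangeError("offset out of range");
  const op = mnemonic === "tbnz" ? 1 : 0;
  const word =
    ((bitNumber >>> 5) << 31) |
    TB_FIXED_BITS |
    (op << 24) |
    ((bitNumber & 0x1f) << 19) |
    ((imm14 & 0x3fff) << 5) |
    (rt & 0x1f);
  return word >>> 0;
}

// Constructed sample: 0x36000040 is "tbz w0, #0, #+8"; the round trip below
// exercises a high bit number (b5 set) with a negative offset.
decodeTestAndBranch(0x36000040);
decodeTestAndBranch(encodeTestAndBranch("tbnz", 3, 35, -16));
```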
1599 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1600
1601         Insert exception check around toPropertyKey call
1602         https://bugs.webkit.org/show_bug.cgi?id=142922
1603
1604         Reviewed by Geoffrey Garen.
1605
1606         In some places, an exception check is missing after/before toPropertyKey.
1607         However, since it calls toString, this is observable to users.
1608
1609         Missing exception checks in Object.prototype methods can be
1610         observed since it would be overridden with toObject(null/undefined) errors.
1611         We inserted exception checks after toPropertyKey.
1612
1613         Missing exception checks in GetById related code can be
1614         observed since it would be overridden with toObject(null/undefined) errors.
1615         In this case, we need to insert exception checks before/after toPropertyKey
1616         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
1617
1618         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
1619         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
1620         According to the spec, we first perform RequireObjectCoercible and check the exception.
1621         And second, we perform ToPropertyKey and check the exception.
1622         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
1623         For example, if the target is not object coercible,
1624         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
1625         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
1626
1627         This patch introduces JSValue::requireObjectCoercible and uses it because of the following 2 reasons.
1628
1629         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
1630
1631         toObject converts primitive types into wrapper objects.
1632         But it is not efficient since wrapper objects are not necessary
1633         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
1634
1635         2. Using the result of toObject is not correct to the spec.
1636
1637         To align to the spec correctly, we cannot use JSObject::get
1638         by using the wrapper object produced by the toObject suggested in (1).
1639         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
1640         It is not correct since getter should be called with the original |this| value that may be primitive types.
1641
1642         So in this patch, we use JSValue::requireObjectCoercible
1643         to check that the target is object coercible and raise an error if it's not.
1644
1645         * dfg/DFGOperations.cpp:
1646         * jit/JITOperations.cpp:
1647         (JSC::getByVal):
1648         * llint/LLIntSlowPaths.cpp:
1649         (JSC::LLInt::getByVal):
1650         * runtime/CommonSlowPaths.cpp:
1651         (JSC::SLOW_PATH_DECL):
1652         * runtime/JSCJSValue.h:
1653         * runtime/JSCJSValueInlines.h:
1654         (JSC::JSValue::requireObjectCoercible):
1655         * runtime/ObjectPrototype.cpp:
1656         (JSC::objectProtoFuncHasOwnProperty):
1657         (JSC::objectProtoFuncDefineGetter):
1658         (JSC::objectProtoFuncDefineSetter):
1659         (JSC::objectProtoFuncLookupGetter):
1660         (JSC::objectProtoFuncLookupSetter):
1661         (JSC::objectProtoFuncPropertyIsEnumerable):
1662         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
1663         (shouldThrow):
1664         (if):
1665         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
1666         (shouldThrow):
1667         (.):
1668
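As an added example (not part of the ChangeLog entry or of the JSC sources), the following JavaScript makes the ordering described above observable from script. A probe key whose toString records when it runs shows that a null base throws before ToPropertyKey is reached, that Object.prototype.hasOwnProperty performs ToPropertyKey first so an exception thrown from toString must propagate instead of being masked by the ToObject(null) TypeError, and that a getter reached through a primitive base sees the primitive itself as |this|. The helper names and the KeyError class are constructed for this example; the expected results are the ES2015 ordering the entry cites.

```javascript
// Added example, not code from the WebKit ChangeLog or from JavaScriptCore:
// probes the observable ordering of RequireObjectCoercible / ToObject versus
// ToPropertyKey. KeyError, makeProbeKey and observe are constructed helpers.

class KeyError extends Error {}

// A key whose ToPropertyKey step (the toString call) is observable: it records
// itself in `trace` and can optionally throw, so we can see whether the engine
// ran it and whether its exception survives.
function makeProbeKey(trace, { throws = false } = {}) {
  return {
    toString() {
      trace.push("toString");
      if (throws) throw new KeyError("thrown from ToPropertyKey");
      return "probe";
    },
  };
}

// Runs `run(trace)` and reports the side-effect trace plus the constructor
// name of any exception (null when nothing was thrown).
function observe(run) {
  const trace = [];
  let error = null;
  try {
    run(trace);
  } catch (e) {
    error = e.constructor.name;
  }
  return { trace, error };
}

// base[key] with a null base: RequireObjectCoercible runs first, so the
// TypeError is thrown before toString is ever called.
function getByValOnNull() {
  return observe((trace) => {
    const base = null;
    return base[makeProbeKey(trace)];
  });
}
// -> { trace: [], error: "TypeError" }

// The same access on a primitive string: the base is object coercible, so
// ToPropertyKey runs and the lookup simply misses without an exception.
function getByValOnPrimitive() {
  return observe((trace) => "abc"[makeProbeKey(trace)]);
}
// -> { trace: ["toString"], error: null }

// Object.prototype.hasOwnProperty.call(null, key): the spec orders ToPropertyKey
// before ToObject(this), so the KeyError thrown by toString must propagate rather
// than be replaced by the ToObject(null) TypeError (the masking the entry fixed).
function hasOwnPropertyOnNull() {
  return observe((trace) => {
    Object.prototype.hasOwnProperty.call(null, makeProbeKey(trace, { throws: true }));
  });
}
// -> { trace: ["toString"], error: "KeyError" }

// Point (2) of the entry: a getter reached through a primitive base must see the
// primitive itself as |this| (in strict mode), not a wrapper object.
function getterThisOnPrimitive() {
  "use strict";
  const key = Symbol("probe"); // already a property key, so no toString side effect
  Object.defineProperty(String.prototype, key, {
    configurable: true,
    get() { return typeof this; },
  });
  try {
    return "abc"[key];
  } finally {
    delete String.prototype[key];
  }
}
// -> "string"
```
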
1669 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1670
1671         WebContent Crash when instantiating class with Type Profiling enabled
1672         https://bugs.webkit.org/show_bug.cgi?id=143037
1673
1674         Reviewed by Ryosuke Niwa.
1675
1676         * bytecompiler/BytecodeGenerator.h:
1677         * bytecompiler/BytecodeGenerator.cpp:
1678         (JSC::BytecodeGenerator::BytecodeGenerator):
1679         (JSC::BytecodeGenerator::emitMoveEmptyValue):
1680         We cannot profile the type of an uninitialized empty JSValue.
1681         Nor do we expect this to be necessary, since it is effectively
1682         an unseen undefined value. So add a way to put the empty value
1683         without profiling.
1684
1685         (JSC::BytecodeGenerator::emitMove):
1686         Add an assert to try to catch this issue early on, and force
1687         callers to explicitly use emitMoveEmptyValue instead.
1688
1689         * tests/typeProfiler/classes.js: Added.
1690         (wrapper.Base):
1691         (wrapper.Derived):
1692         (wrapper):
1693         Add test coverage both for this case and classes in general.
1694
1695 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1696
1697         Web Inspector: ES6: Provide a better view for Classes in the console
1698         https://bugs.webkit.org/show_bug.cgi?id=142999
1699
1700         Reviewed by Timothy Hatcher.
1701
1702         * inspector/protocol/Runtime.json:
1703         Provide a new `subtype` enum "class". This is a subtype of `type`
1704         "function", all other subtypes are subtypes of `object` types.
1705         For a class, the frontend will immediately want to get the prototype
1706         to enumerate its methods, so include the `classPrototype`.
1707
1708         * inspector/JSInjectedScriptHost.cpp:
1709         (Inspector::JSInjectedScriptHost::subtype):
1710         Denote class construction functions as "class" subtypes.
1711
1712         * inspector/InjectedScriptSource.js:
1713         Handling for the new "class" type.
1714
1715         * bytecode/UnlinkedCodeBlock.h:
1716         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
1717         * runtime/Executable.h:
1718         (JSC::FunctionExecutable::isClassConstructorFunction):
1719         * runtime/JSFunction.h:
1720         * runtime/JSFunctionInlines.h:
1721         (JSC::JSFunction::isClassConstructorFunction):
1722         Check if this function is a class constructor function. That information
1723         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
1724
1725 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1726
1727         Function.prototype.toString should not decompile the AST
1728         https://bugs.webkit.org/show_bug.cgi?id=142853
1729
1730         Reviewed by Darin Adler.
1731
1732         Following up on Darin's review comments.
1733
1734         * runtime/FunctionConstructor.cpp:
1735         (JSC::constructFunctionSkippingEvalEnabledCheck):
1736
1737 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1738
1739         "lineNo" does not match WebKit coding style guidelines
1740         https://bugs.webkit.org/show_bug.cgi?id=143119
1741
1742         Reviewed by Michael Saboff.
1743
1744         We can afford to use whole words.
1745
1746         * bytecode/CodeBlock.cpp:
1747         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1748         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
1749         * bytecode/UnlinkedCodeBlock.cpp:
1750         (JSC::UnlinkedFunctionExecutable::link):
1751         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1752         * bytecode/UnlinkedCodeBlock.h:
1753         * bytecompiler/NodesCodegen.cpp:
1754         (JSC::WhileNode::emitBytecode):
1755         * debugger/Debugger.cpp:
1756         (JSC::Debugger::toggleBreakpoint):
1757         * interpreter/Interpreter.cpp:
1758         (JSC::StackFrame::computeLineAndColumn):
1759         (JSC::GetStackTraceFunctor::operator()):
1760         (JSC::Interpreter::execute):
1761         * interpreter/StackVisitor.cpp:
1762         (JSC::StackVisitor::Frame::computeLineAndColumn):
1763         * parser/Nodes.h:
1764         (JSC::Node::firstLine):
1765         (JSC::Node::lineNo): Deleted.
1766         (JSC::StatementNode::firstLine): Deleted.
1767         * parser/ParserError.h:
1768         (JSC::ParserError::toErrorObject):
1769         * profiler/LegacyProfiler.cpp:
1770         (JSC::createCallIdentifierFromFunctionImp):
1771         * runtime/CodeCache.cpp:
1772         (JSC::CodeCache::getGlobalCodeBlock):
1773         * runtime/Executable.cpp:
1774         (JSC::ScriptExecutable::ScriptExecutable):
1775         (JSC::ScriptExecutable::newCodeBlockFor):
1776         (JSC::FunctionExecutable::fromGlobalCode):
1777         * runtime/Executable.h:
1778         (JSC::ScriptExecutable::firstLine):
1779         (JSC::ScriptExecutable::setOverrideLineNumber):
1780         (JSC::ScriptExecutable::hasOverrideLineNumber):
1781         (JSC::ScriptExecutable::overrideLineNumber):
1782         (JSC::ScriptExecutable::lineNo): Deleted.
1783         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
1784         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
1785         (JSC::ScriptExecutable::overrideLineNo): Deleted.
1786         * runtime/FunctionConstructor.cpp:
1787         (JSC::constructFunctionSkippingEvalEnabledCheck):
1788         * runtime/FunctionConstructor.h:
1789         * tools/CodeProfile.cpp:
1790         (JSC::CodeProfile::report):
1791         * tools/CodeProfile.h:
1792         (JSC::CodeProfile::CodeProfile):
1793
1794 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1795
1796         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
1797         https://bugs.webkit.org/show_bug.cgi?id=142974
1798
1799         Reviewed by Joseph Pecoraro.
1800
1801         This patch does two things:
1802
1803         (1) Restore JavaScriptCore's sanitization of line and column numbers to
1804         one-based values.
1805
1806         We need this because WebCore sometimes provides huge negative column
1807         numbers.
1808
1809         (2) Solve the attribute event listener line numbering problem a different
1810         way: Rather than offsetting all line numbers by -1 in an attribute event
1811         listener in order to arrange for a custom result, instead use an explicit
1812         feature for saying "all errors in this code should map to this line number".
1813
1814         * bytecode/UnlinkedCodeBlock.cpp:
1815         (JSC::UnlinkedFunctionExecutable::link):
1816         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1817         * bytecode/UnlinkedCodeBlock.h:
1818         * interpreter/Interpreter.cpp:
1819         (JSC::StackFrame::computeLineAndColumn):
1820         (JSC::GetStackTraceFunctor::operator()):
1821         * interpreter/Interpreter.h:
1822         * interpreter/StackVisitor.cpp:
1823         (JSC::StackVisitor::Frame::computeLineAndColumn):
1824         * parser/ParserError.h:
1825         (JSC::ParserError::toErrorObject): Plumb through an override line number.
1826         When a function has an override line number, all syntax and runtime
1827         errors in the function will map to it. This is useful for attribute event
1828         listeners.
1829  
1830         * parser/SourceCode.h:
1831         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
1832         column numbers to one-based integers. It was kind of a hack to remove this.
1833
1834         * runtime/Executable.cpp:
1835         (JSC::ScriptExecutable::ScriptExecutable):
1836         (JSC::FunctionExecutable::fromGlobalCode):
1837         * runtime/Executable.h:
1838         (JSC::ScriptExecutable::setOverrideLineNo):
1839         (JSC::ScriptExecutable::hasOverrideLineNo):
1840         (JSC::ScriptExecutable::overrideLineNo):
1841         * runtime/FunctionConstructor.cpp:
1842         (JSC::constructFunctionSkippingEvalEnabledCheck):
1843         * runtime/FunctionConstructor.h: Plumb through an override line number.
1844
1845 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1846
1847         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
1848
1849         Reviewed by Michael Saboff.
1850
1851         * jit/JITPropertyAccess.cpp:
1852         (JSC::JIT::emitScopedArgumentsGetByVal):
1853         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
1854
1855 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1856
1857         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
1858         https://bugs.webkit.org/show_bug.cgi?id=143098
1859
1860         Reviewed by Csaba Osztrogonác.
1861
1862         * ftl/FTLLowerDFGToLLVM.cpp:
1863         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
1864         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
1865
1866 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
1867
1868         Unreviewed gardening, skip failing tests on AArch64 Linux.
1869
1870         * tests/mozilla/mozilla-tests.yaml:
1871         * tests/stress/cached-prototype-setter.js:
1872
1873 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1874
1875         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
1876
1877         * dfg/DFGConstantFoldingPhase.cpp:
1878         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
1879         * ftl/FTLCompile.cpp:
1880         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
1881         * ftl/FTLState.cpp:
1882         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
1883         * ftl/FTLState.h:
1884
1885 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1886
1887         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
1888         right, so this just makes 32-bit do the same.
1889
1890         * dfg/DFGSpeculativeJIT32_64.cpp:
1891         (JSC::DFG::SpeculativeJIT::emitCall):
1892
1893 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1894
1895         Fix a typo that ggaren found but that I didn't fix before.
1896
1897         * runtime/DirectArgumentsOffset.h:
1898
1899 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1900
1901         Unreviewed, VC found a bug. This fixes the bug.
1902
1903         * dfg/DFGConstantFoldingPhase.cpp:
1904         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1905
1906 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1907
1908         Unreviewed, try to fix Windows build.
1909
1910         * runtime/ClonedArguments.cpp:
1911         (JSC::ClonedArguments::createWithInlineFrame):
1912
1913 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1914
1915         Unreviewed, fix debug build.
1916
1917         * bytecompiler/NodesCodegen.cpp:
1918         (JSC::ConstDeclNode::emitCodeSingle):
1919
1920 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1921
1922         Unreviewed, fix CLOOP build.
1923
1924         * dfg/DFGMinifiedID.h:
1925
1926 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1927
1928         Heap variables shouldn't end up in the stack frame
1929         https://bugs.webkit.org/show_bug.cgi?id=141174
1930
1931         Reviewed by Geoffrey Garen.
1932         
1933         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
1934         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
1935         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
1936         simplifications:
1937         
1938         - Accesses to variables no longer need checks or indirections to determine where the variable is
1939           at that moment in time. For example, loading a closure variable now takes just one load instead
1940           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
1941           (when no arguments object allocation is required) while previously that same operation required
1942           a "did I allocate arguments yet" check, a bounds check, and then the load.
1943         
1944         - Reasoning about the allocation of an activation or arguments object now follows the same simple
1945           logic as the allocation of any other kind of object. Previously, those objects were lazily
1946           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
1947           allocate anything at all. This made the implementation of traditional escape analyses really
1948           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
1949           arguments object using the usual SSA tricks which allows for more comprehensive removal.
1950         
1951         - The allocations of arguments objects, functions, and activations are now much faster. While
1952           this patch generally expands our ability to eliminate arguments object allocations, an earlier
1953           version of the patch - which lacked that functionality - was a progression on some arguments-
1954           and closure-happy benchmarks because although no allocations were eliminated, all allocations
1955           were faster.
1956         
1957         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
1958           its arguments objects or activations. The runtime doesn't have to do things to the arguments
1959           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
1960           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
1961           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
1962           now gone. This also enables implementing block-scoping. Without this change, block-scope
1963           support would require telling CodeBlock and all of the rest of the runtime about all of the
1964           variables that store currently-live scopes. That would have been so disastrously hard that it
1965           might as well be impossible. With this change, it's fair game for the bytecode generator to
1966           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
1967           however long it wants. This all works, because after bytecode generation, an activation is just
1968           an object and variables that refer to it are just normal variables.
1969         
1970         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
1971           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
1972           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
1973           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
1974           an arguments object.
1975         
1976         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
1977           using activations used to prevent inlining; now functions that use activations can be inlined
1978           just fine.
1979         
1980         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
1981         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
1982         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
1983         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
1984         
1985         The easiest way of understanding this change is to start by looking at the changes in runtime/,
1986         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
1987
1988         * CMakeLists.txt:
1989         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1990         * JavaScriptCore.xcodeproj/project.pbxproj:
1991         * assembler/AbortReason.h:
1992         * assembler/AbstractMacroAssembler.h:
1993         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
1994         * bytecode/ByValInfo.h:
1995         (JSC::hasOptimizableIndexingForJSType):
1996         (JSC::hasOptimizableIndexing):
1997         (JSC::jitArrayModeForJSType):
1998         (JSC::jitArrayModePermitsPut):
1999         (JSC::jitArrayModeForStructure):
2000         * bytecode/BytecodeKills.h: Added.
2001         (JSC::BytecodeKills::BytecodeKills):
2002         (JSC::BytecodeKills::operandIsKilled):
2003         (JSC::BytecodeKills::forEachOperandKilledAt):
2004         (JSC::BytecodeKills::KillSet::KillSet):
2005         (JSC::BytecodeKills::KillSet::add):
2006         (JSC::BytecodeKills::KillSet::forEachLocal):
2007         (JSC::BytecodeKills::KillSet::contains):
2008         * bytecode/BytecodeList.json:
2009         * bytecode/BytecodeLivenessAnalysis.cpp:
2010         (JSC::isValidRegisterForLiveness):
2011         (JSC::stepOverInstruction):
2012         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
2013         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
2014         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
2015         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
2016         (JSC::BytecodeLivenessAnalysis::computeKills):
2017         (JSC::indexForOperand): Deleted.
2018         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
2019         (JSC::getLivenessInfo): Deleted.
2020         * bytecode/BytecodeLivenessAnalysis.h:
2021         * bytecode/BytecodeLivenessAnalysisInlines.h:
2022         (JSC::operandIsAlwaysLive):
2023         (JSC::operandThatIsNotAlwaysLiveIsLive):
2024         (JSC::operandIsLive):
2025         * bytecode/BytecodeUseDef.h:
2026         (JSC::computeUsesForBytecodeOffset):
2027         (JSC::computeDefsForBytecodeOffset):
2028         * bytecode/CodeBlock.cpp:
2029         (JSC::CodeBlock::dumpBytecode):
2030         (JSC::CodeBlock::CodeBlock):
2031         (JSC::CodeBlock::nameForRegister):
2032         (JSC::CodeBlock::validate):
2033         (JSC::CodeBlock::isCaptured): Deleted.
2034         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
2035         (JSC::CodeBlock::machineSlowArguments): Deleted.
2036         * bytecode/CodeBlock.h:
2037         (JSC::unmodifiedArgumentsRegister): Deleted.
2038         (JSC::CodeBlock::setArgumentsRegister): Deleted.
2039         (JSC::CodeBlock::argumentsRegister): Deleted.
2040         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
2041         (JSC::CodeBlock::usesArguments): Deleted.
2042         (JSC::CodeBlock::captureCount): Deleted.
2043         (JSC::CodeBlock::captureStart): Deleted.
2044         (JSC::CodeBlock::captureEnd): Deleted.
2045         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
2046         (JSC::CodeBlock::hasSlowArguments): Deleted.
2047         (JSC::ExecState::argumentAfterCapture): Deleted.
2048         * bytecode/CodeOrigin.h:
2049         * bytecode/DataFormat.h:
2050         (JSC::dataFormatToString):
2051         * bytecode/FullBytecodeLiveness.h:
2052         (JSC::FullBytecodeLiveness::getLiveness):
2053         (JSC::FullBytecodeLiveness::operandIsLive):
2054         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
2055         (JSC::FullBytecodeLiveness::getOut): Deleted.
2056         * bytecode/Instruction.h:
2057         (JSC::Instruction::Instruction):
2058         * bytecode/Operands.h:
2059         (JSC::Operands::virtualRegisterForIndex):
2060         * bytecode/SpeculatedType.cpp:
2061         (JSC::dumpSpeculation):
2062         (JSC::speculationToAbbreviatedString):
2063         (JSC::speculationFromClassInfo):
2064         * bytecode/SpeculatedType.h:
2065         (JSC::isDirectArgumentsSpeculation):
2066         (JSC::isScopedArgumentsSpeculation):
2067         (JSC::isActionableMutableArraySpeculation):
2068         (JSC::isActionableArraySpeculation):
2069         (JSC::isArgumentsSpeculation): Deleted.
2070         * bytecode/UnlinkedCodeBlock.cpp:
2071         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2072         * bytecode/UnlinkedCodeBlock.h:
2073         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
2074         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
2075         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
2076         * bytecode/ValueRecovery.cpp:
2077         (JSC::ValueRecovery::dumpInContext):
2078         * bytecode/ValueRecovery.h:
2079         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
2080         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
2081         (JSC::ValueRecovery::nodeID):
2082         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
2083         * bytecode/VirtualRegister.h:
2084         (JSC::VirtualRegister::operator==):
2085         (JSC::VirtualRegister::operator!=):
2086         (JSC::VirtualRegister::operator<):
2087         (JSC::VirtualRegister::operator>):
2088         (JSC::VirtualRegister::operator<=):
2089         (JSC::VirtualRegister::operator>=):
2090         * bytecompiler/BytecodeGenerator.cpp:
2091         (JSC::BytecodeGenerator::generate):
2092         (JSC::BytecodeGenerator::BytecodeGenerator):
2093         (JSC::BytecodeGenerator::initializeNextParameter):
2094         (JSC::BytecodeGenerator::visibleNameForParameter):
2095         (JSC::BytecodeGenerator::emitMove):
2096         (JSC::BytecodeGenerator::variable):
2097         (JSC::BytecodeGenerator::createVariable):
2098         (JSC::BytecodeGenerator::emitResolveScope):
2099         (JSC::BytecodeGenerator::emitGetFromScope):
2100         (JSC::BytecodeGenerator::emitPutToScope):
2101         (JSC::BytecodeGenerator::initializeVariable):
2102         (JSC::BytecodeGenerator::emitInstanceOf):
2103         (JSC::BytecodeGenerator::emitNewFunction):
2104         (JSC::BytecodeGenerator::emitNewFunctionInternal):
2105         (JSC::BytecodeGenerator::emitCall):
2106         (JSC::BytecodeGenerator::emitReturn):
2107         (JSC::BytecodeGenerator::emitConstruct):
2108         (JSC::BytecodeGenerator::isArgumentNumber):
2109         (JSC::BytecodeGenerator::emitEnumeration):
2110         (JSC::BytecodeGenerator::addVar): Deleted.
2111         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
2112         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
2113         (JSC::BytecodeGenerator::resolveCallee): Deleted.
2114         (JSC::BytecodeGenerator::addCallee): Deleted.
2115         (JSC::BytecodeGenerator::addParameter): Deleted.
2116         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
2117         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
2118         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
2119         (JSC::BytecodeGenerator::isCaptured): Deleted.
2120         (JSC::BytecodeGenerator::local): Deleted.
2121         (JSC::BytecodeGenerator::constLocal): Deleted.
2122         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
2123         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
2124         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
2125         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
2126         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
2127         * bytecompiler/BytecodeGenerator.h:
2128         (JSC::Variable::Variable):
2129         (JSC::Variable::isResolved):
2130         (JSC::Variable::ident):
2131         (JSC::Variable::offset):
2132         (JSC::Variable::isLocal):
2133         (JSC::Variable::local):
2134         (JSC::Variable::isSpecial):
2135         (JSC::BytecodeGenerator::argumentsRegister):
2136         (JSC::BytecodeGenerator::emitNode):
2137         (JSC::BytecodeGenerator::registerFor):
2138         (JSC::Local::Local): Deleted.
2139         (JSC::Local::operator bool): Deleted.
2140         (JSC::Local::get): Deleted.
2141         (JSC::Local::isSpecial): Deleted.
2142         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
2143         (JSC::ResolveScopeInfo::isLocal): Deleted.
2144         (JSC::ResolveScopeInfo::localIndex): Deleted.
2145         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
2146         (JSC::BytecodeGenerator::captureMode): Deleted.
2147         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
2148         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
2149         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
2150         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
2151         * bytecompiler/NodesCodegen.cpp:
2152         (JSC::ResolveNode::isPure):
2153         (JSC::ResolveNode::emitBytecode):
2154         (JSC::BracketAccessorNode::emitBytecode):
2155         (JSC::DotAccessorNode::emitBytecode):
2156         (JSC::EvalFunctionCallNode::emitBytecode):
2157         (JSC::FunctionCallResolveNode::emitBytecode):
2158         (JSC::CallFunctionCallDotNode::emitBytecode):
2159         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2160         (JSC::PostfixNode::emitResolve):
2161         (JSC::DeleteResolveNode::emitBytecode):
2162         (JSC::TypeOfResolveNode::emitBytecode):
2163         (JSC::PrefixNode::emitResolve):
2164         (JSC::ReadModifyResolveNode::emitBytecode):
2165         (JSC::AssignResolveNode::emitBytecode):
2166         (JSC::ConstDeclNode::emitCodeSingle):
2167         (JSC::EmptyVarExpression::emitBytecode):
2168         (JSC::ForInNode::tryGetBoundLocal):
2169         (JSC::ForInNode::emitLoopHeader):
2170         (JSC::ForOfNode::emitBytecode):
2171         (JSC::ArrayPatternNode::emitDirectBinding):
2172         (JSC::BindingNode::bindValue):
2173         (JSC::getArgumentByVal): Deleted.
2174         * dfg/DFGAbstractHeap.h:
2175         * dfg/DFGAbstractInterpreter.h:
2176         * dfg/DFGAbstractInterpreterInlines.h:
2177         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2178         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
2179         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
2180         * dfg/DFGAbstractValue.h:
2181         * dfg/DFGArgumentPosition.h:
2182         (JSC::DFG::ArgumentPosition::addVariable):
2183         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
2184         (JSC::DFG::performArgumentsElimination):
2185         * dfg/DFGArgumentsEliminationPhase.h: Added.
2186         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
2187         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
2188         * dfg/DFGArgumentsUtilities.cpp: Added.
2189         (JSC::DFG::argumentsInvolveStackSlot):
2190         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2191         * dfg/DFGArgumentsUtilities.h: Added.
2192         * dfg/DFGArrayMode.cpp:
2193         (JSC::DFG::ArrayMode::refine):
2194         (JSC::DFG::ArrayMode::alreadyChecked):
2195         (JSC::DFG::arrayTypeToString):
2196         * dfg/DFGArrayMode.h:
2197         (JSC::DFG::ArrayMode::canCSEStorage):
2198         (JSC::DFG::ArrayMode::modeForPut):
2199         * dfg/DFGAvailabilityMap.cpp:
2200         (JSC::DFG::AvailabilityMap::prune):
2201         * dfg/DFGAvailabilityMap.h:
2202         (JSC::DFG::AvailabilityMap::closeOverNodes):
2203         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
2204         * dfg/DFGBackwardsPropagationPhase.cpp:
2205         (JSC::DFG::BackwardsPropagationPhase::propagate):
2206         * dfg/DFGByteCodeParser.cpp:
2207         (JSC::DFG::ByteCodeParser::newVariableAccessData):
2208         (JSC::DFG::ByteCodeParser::getLocal):
2209         (JSC::DFG::ByteCodeParser::setLocal):
2210         (JSC::DFG::ByteCodeParser::getArgument):
2211         (JSC::DFG::ByteCodeParser::setArgument):
2212         (JSC::DFG::ByteCodeParser::flushDirect):
2213         (JSC::DFG::ByteCodeParser::flush):
2214         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
2215         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2216         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2217         (JSC::DFG::ByteCodeParser::handleInlining):
2218         (JSC::DFG::ByteCodeParser::parseBlock):
2219         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2220         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2221         * dfg/DFGCPSRethreadingPhase.cpp:
2222         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
2223         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
2224         * dfg/DFGCSEPhase.cpp:
2225         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
2226         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
2227         * dfg/DFGCapabilities.cpp:
2228         (JSC::DFG::isSupportedForInlining):
2229         (JSC::DFG::capabilityLevel):
2230         * dfg/DFGClobberize.h:
2231         (JSC::DFG::clobberize):
2232         * dfg/DFGCommon.h:
2233         * dfg/DFGCommonData.h:
2234         (JSC::DFG::CommonData::CommonData):
2235         * dfg/DFGConstantFoldingPhase.cpp:
2236         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2237         * dfg/DFGDCEPhase.cpp:
2238         (JSC::DFG::DCEPhase::cleanVariables):
2239         * dfg/DFGDisassembler.h:
2240         * dfg/DFGDoesGC.cpp:
2241         (JSC::DFG::doesGC):
2242         * dfg/DFGFixupPhase.cpp:
2243         (JSC::DFG::FixupPhase::fixupNode):
2244         * dfg/DFGFlushFormat.cpp:
2245         (WTF::printInternal):
2246         * dfg/DFGFlushFormat.h:
2247         (JSC::DFG::resultFor):
2248         (JSC::DFG::useKindFor):
2249         (JSC::DFG::dataFormatFor):
2250         * dfg/DFGForAllKills.h: Added.
2251         (JSC::DFG::forAllLiveNodesAtTail):
2252         (JSC::DFG::forAllDirectlyKilledOperands):
2253         (JSC::DFG::forAllKilledOperands):
2254         (JSC::DFG::forAllKilledNodesAtNodeIndex):
2255         (JSC::DFG::forAllKillsInBlock):
2256         * dfg/DFGGraph.cpp:
2257         (JSC::DFG::Graph::Graph):
2258         (JSC::DFG::Graph::dump):
2259         (JSC::DFG::Graph::substituteGetLocal):
2260         (JSC::DFG::Graph::livenessFor):
2261         (JSC::DFG::Graph::killsFor):
2262         (JSC::DFG::Graph::tryGetConstantClosureVar):
2263         (JSC::DFG::Graph::tryGetRegisters): Deleted.
2264         * dfg/DFGGraph.h:
2265         (JSC::DFG::Graph::symbolTableFor):
2266         (JSC::DFG::Graph::uses):
2267         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
2268         (JSC::DFG::Graph::capturedVarsFor): Deleted.
2269         (JSC::DFG::Graph::usesArguments): Deleted.
2270         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
2271         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
2272         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
2273         * dfg/DFGHeapLocation.cpp:
2274         (WTF::printInternal):
2275         * dfg/DFGHeapLocation.h:
2276         * dfg/DFGInPlaceAbstractState.cpp:
2277         (JSC::DFG::InPlaceAbstractState::initialize):
2278         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2279         * dfg/DFGJITCompiler.cpp:
2280         (JSC::DFG::JITCompiler::link):
2281         * dfg/DFGMayExit.cpp:
2282         (JSC::DFG::mayExit):
2283         * dfg/DFGMinifiedID.h:
2284         * dfg/DFGMinifiedNode.cpp:
2285         (JSC::DFG::MinifiedNode::fromNode):
2286         * dfg/DFGMinifiedNode.h:
2287         (JSC::DFG::belongsInMinifiedGraph):
2288         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
2289         (JSC::DFG::MinifiedNode::inlineCallFrame):
2290         * dfg/DFGNode.cpp:
2291         (JSC::DFG::Node::convertToIdentityOn):
2292         * dfg/DFGNode.h:
2293         (JSC::DFG::Node::hasConstant):
2294         (JSC::DFG::Node::constant):
2295         (JSC::DFG::Node::hasScopeOffset):
2296         (JSC::DFG::Node::scopeOffset):
2297         (JSC::DFG::Node::hasDirectArgumentsOffset):
2298         (JSC::DFG::Node::capturedArgumentsOffset):
2299         (JSC::DFG::Node::variablePointer):
2300         (JSC::DFG::Node::hasCallVarargsData):
2301         (JSC::DFG::Node::hasLoadVarargsData):
2302         (JSC::DFG::Node::hasHeapPrediction):
2303         (JSC::DFG::Node::hasCellOperand):
2304         (JSC::DFG::Node::objectMaterializationData):
2305         (JSC::DFG::Node::isPhantomAllocation):
2306         (JSC::DFG::Node::willHaveCodeGenOrOSR):
2307         (JSC::DFG::Node::shouldSpeculateDirectArguments):
2308         (JSC::DFG::Node::shouldSpeculateScopedArguments):
2309         (JSC::DFG::Node::isPhantomArguments): Deleted.
2310         (JSC::DFG::Node::hasVarNumber): Deleted.
2311         (JSC::DFG::Node::varNumber): Deleted.
2312         (JSC::DFG::Node::registerPointer): Deleted.
2313         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
2314         * dfg/DFGNodeType.h:
2315         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2316         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2317         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2318         * dfg/DFGOSRExitCompiler.cpp:
2319         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
2320         * dfg/DFGOSRExitCompiler.h:
2321         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
2322         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
2323         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
2324         * dfg/DFGOSRExitCompiler32_64.cpp:
2325         (JSC::DFG::OSRExitCompiler::compileExit):
2326         * dfg/DFGOSRExitCompiler64.cpp:
2327         (JSC::DFG::OSRExitCompiler::compileExit):
2328         * dfg/DFGOSRExitCompilerCommon.cpp:
2329         (JSC::DFG::reifyInlinedCallFrames):
2330         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
2331         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
2332         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
2333         * dfg/DFGOSRExitCompilerCommon.h:
2334         * dfg/DFGOperations.cpp:
2335         * dfg/DFGOperations.h:
2336         * dfg/DFGPlan.cpp:
2337         (JSC::DFG::Plan::compileInThreadImpl):
2338         * dfg/DFGPreciseLocalClobberize.h:
2339         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
2340         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
2341         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
2342         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2343         (JSC::DFG::preciseLocalClobberize):
2344         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
2345         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
2346         * dfg/DFGPredictionPropagationPhase.cpp:
2347         (JSC::DFG::PredictionPropagationPhase::run):
2348         (JSC::DFG::PredictionPropagationPhase::propagate):
2349         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2350         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
2351         * dfg/DFGPromoteHeapAccess.h:
2352         (JSC::DFG::promoteHeapAccess):
2353         * dfg/DFGPromotedHeapLocation.cpp:
2354         (WTF::printInternal):
2355         * dfg/DFGPromotedHeapLocation.h:
2356         * dfg/DFGSSAConversionPhase.cpp:
2357         (JSC::DFG::SSAConversionPhase::run):
2358         * dfg/DFGSafeToExecute.h:
2359         (JSC::DFG::safeToExecute):
2360         * dfg/DFGSpeculativeJIT.cpp:
2361         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2362         (JSC::DFG::SpeculativeJIT::emitGetLength):
2363         (JSC::DFG::SpeculativeJIT::emitGetCallee):
2364         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
2365         (JSC::DFG::SpeculativeJIT::checkArray):
2366         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2367         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2368         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2369         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2370         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
2371         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2372         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2373         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
2374         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
2375         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
2376         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
2377         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
2378         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
2379         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
2380         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
2381         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
2382         * dfg/DFGSpeculativeJIT.h:
2383         (JSC::DFG::SpeculativeJIT::callOperation):
2384         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
2385         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2386         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
2387         * dfg/DFGSpeculativeJIT32_64.cpp:
2388         (JSC::DFG::SpeculativeJIT::emitCall):
2389         (JSC::DFG::SpeculativeJIT::compile):
2390         * dfg/DFGSpeculativeJIT64.cpp:
2391         (JSC::DFG::SpeculativeJIT::emitCall):
2392         (JSC::DFG::SpeculativeJIT::compile):
2393         * dfg/DFGStackLayoutPhase.cpp:
2394         (JSC::DFG::StackLayoutPhase::run):
2395         * dfg/DFGStrengthReductionPhase.cpp:
2396         (JSC::DFG::StrengthReductionPhase::handleNode):
2397         * dfg/DFGStructureRegistrationPhase.cpp:
2398         (JSC::DFG::StructureRegistrationPhase::run):
2399         * dfg/DFGUnificationPhase.cpp:
2400         (JSC::DFG::UnificationPhase::run):
2401         * dfg/DFGValidate.cpp:
2402         (JSC::DFG::Validate::validateCPS):
2403         * dfg/DFGValueSource.cpp:
2404         (JSC::DFG::ValueSource::dump):
2405         * dfg/DFGValueSource.h:
2406         (JSC::DFG::dataFormatToValueSourceKind):
2407         (JSC::DFG::valueSourceKindToDataFormat):
2408         (JSC::DFG::ValueSource::ValueSource):
2409         (JSC::DFG::ValueSource::forFlushFormat):
2410         (JSC::DFG::ValueSource::valueRecovery):
2411         * dfg/DFGVarargsForwardingPhase.cpp: Added.
2412         (JSC::DFG::performVarargsForwarding):
2413         * dfg/DFGVarargsForwardingPhase.h: Added.
2414         * dfg/DFGVariableAccessData.cpp:
2415         (JSC::DFG::VariableAccessData::VariableAccessData):
2416         (JSC::DFG::VariableAccessData::flushFormat):
2417         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
2418         * dfg/DFGVariableAccessData.h:
2419         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
2420         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
2421         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
2422         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
2423         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
2424         * dfg/DFGVariableAccessDataDump.cpp:
2425         (JSC::DFG::VariableAccessDataDump::dump):
2426         * dfg/DFGVariableAccessDataDump.h:
2427         * dfg/DFGVariableEventStream.cpp:
2428         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2429         * dfg/DFGVariableEventStream.h:
2430         * ftl/FTLAbstractHeap.cpp:
2431         (JSC::FTL::AbstractHeap::dump):
2432         (JSC::FTL::AbstractField::dump):
2433         (JSC::FTL::IndexedAbstractHeap::dump):
2434         (JSC::FTL::NumberedAbstractHeap::dump):
2435         (JSC::FTL::AbsoluteAbstractHeap::dump):
2436         * ftl/FTLAbstractHeap.h:
2437         * ftl/FTLAbstractHeapRepository.cpp:
2438         * ftl/FTLAbstractHeapRepository.h:
2439         * ftl/FTLCapabilities.cpp:
2440         (JSC::FTL::canCompile):
2441         * ftl/FTLCompile.cpp:
2442         (JSC::FTL::mmAllocateDataSection):
2443         * ftl/FTLExitArgument.cpp:
2444         (JSC::FTL::ExitArgument::dump):
2445         * ftl/FTLExitPropertyValue.cpp:
2446         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
2447         * ftl/FTLExitPropertyValue.h:
2448         * ftl/FTLExitTimeObjectMaterialization.cpp:
2449         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
2450         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
2451         * ftl/FTLExitTimeObjectMaterialization.h:
2452         (JSC::FTL::ExitTimeObjectMaterialization::origin):
2453         * ftl/FTLExitValue.cpp:
2454         (JSC::FTL::ExitValue::withLocalsOffset):
2455         (JSC::FTL::ExitValue::valueFormat):
2456         (JSC::FTL::ExitValue::dumpInContext):
2457         * ftl/FTLExitValue.h:
2458         (JSC::FTL::ExitValue::isArgument):
2459         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
2460         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
2461         (JSC::FTL::ExitValue::valueFormat): Deleted.
2462         * ftl/FTLInlineCacheSize.cpp:
2463         (JSC::FTL::sizeOfCallForwardVarargs):
2464         (JSC::FTL::sizeOfConstructForwardVarargs):
2465         (JSC::FTL::sizeOfICFor):
2466         * ftl/FTLInlineCacheSize.h:
2467         * ftl/FTLIntrinsicRepository.h:
2468         * ftl/FTLJSCallVarargs.cpp:
2469         (JSC::FTL::JSCallVarargs::JSCallVarargs):
2470         (JSC::FTL::JSCallVarargs::emit):
2471         * ftl/FTLJSCallVarargs.h:
2472         * ftl/FTLLowerDFGToLLVM.cpp:
2473         (JSC::FTL::LowerDFGToLLVM::lower):
2474         (JSC::FTL::LowerDFGToLLVM::compileNode):
2475         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
2476         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
2477         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2478         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2479         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2480         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2481         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2482         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
2483         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
2484         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
2485         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
2486         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
2487         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
2488         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
2489         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
2490         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
2491         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
2492         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
2493         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
2494         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
2495         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
2496         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
2497         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
2498         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
2499         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
2500         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
2501         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
2502         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
2503         (JSC::FTL::LowerDFGToLLVM::baseIndex):
2504         (JSC::FTL::LowerDFGToLLVM::allocateObject):
2505         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
2506         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2507         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2508         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2509         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
2510         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2511         (JSC::FTL::LowerDFGToLLVM::loadStructure):
2512         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
2513         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
2514         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
2515         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
2516         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
2517         * ftl/FTLOSRExitCompiler.cpp:
2518         (JSC::FTL::compileRecovery):
2519         (JSC::FTL::compileStub):
2520         * ftl/FTLOperations.cpp:
2521         (JSC::FTL::operationMaterializeObjectInOSR):
2522         * ftl/FTLOutput.h:
2523         (JSC::FTL::Output::aShr):
2524         (JSC::FTL::Output::lShr):
2525         (JSC::FTL::Output::zeroExtPtr):
2526         * heap/CopyToken.h:
2527         * interpreter/CallFrame.h:
2528         (JSC::ExecState::getArgumentUnsafe):
2529         * interpreter/Interpreter.cpp:
2530         (JSC::sizeOfVarargs):
2531         (JSC::sizeFrameForVarargs):
2532         (JSC::loadVarargs):
2533         (JSC::unwindCallFrame):
2534         * interpreter/Interpreter.h:
2535         * interpreter/StackVisitor.cpp:
2536         (JSC::StackVisitor::Frame::createArguments):
2537         (JSC::StackVisitor::Frame::existingArguments): Deleted.
2538         * interpreter/StackVisitor.h:
2539         * jit/AssemblyHelpers.h:
2540         (JSC::AssemblyHelpers::storeValue):
2541         (JSC::AssemblyHelpers::loadValue):
2542         (JSC::AssemblyHelpers::storeTrustedValue):
2543         (JSC::AssemblyHelpers::branchIfNotCell):
2544         (JSC::AssemblyHelpers::branchIsEmpty):
2545         (JSC::AssemblyHelpers::argumentsStart):
2546         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
2547         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
2548         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
2549         * jit/CCallHelpers.h:
2550         (JSC::CCallHelpers::setupArgument):
2551         * jit/GPRInfo.h:
2552         (JSC::JSValueRegs::withTwoAvailableRegs):
2553         * jit/JIT.cpp:
2554         (JSC::JIT::privateCompileMainPass):
2555         (JSC::JIT::privateCompileSlowCases):
2556         * jit/JIT.h:
2557         * jit/JITCall.cpp:
2558         (JSC::JIT::compileSetupVarargsFrame):
2559         * jit/JITCall32_64.cpp:
2560         (JSC::JIT::compileSetupVarargsFrame):
2561         * jit/JITInlines.h:
2562         (JSC::JIT::callOperation):
2563         * jit/JITOpcodes.cpp:
2564         (JSC::JIT::emit_op_create_lexical_environment):
2565         (JSC::JIT::emit_op_new_func):
2566         (JSC::JIT::emit_op_create_direct_arguments):
2567         (JSC::JIT::emit_op_create_scoped_arguments):
2568         (JSC::JIT::emit_op_create_out_of_band_arguments):
2569         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
2570         (JSC::JIT::emit_op_create_arguments): Deleted.
2571         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
2572         (JSC::JIT::emit_op_get_arguments_length): Deleted.
2573         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
2574         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
2575         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
2576         * jit/JITOpcodes32_64.cpp:
2577         (JSC::JIT::emit_op_create_lexical_environment):
2578         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
2579         (JSC::JIT::emit_op_create_arguments): Deleted.
2580         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
2581         (JSC::JIT::emit_op_get_arguments_length): Deleted.
2582         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
2583         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
2584         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
2585         * jit/JITOperations.cpp:
2586         * jit/JITOperations.h:
2587         * jit/JITPropertyAccess.cpp:
2588         (JSC::JIT::emitGetClosureVar):
2589         (JSC::JIT::emitPutClosureVar):
2590         (JSC::JIT::emit_op_get_from_arguments):
2591         (JSC::JIT::emit_op_put_to_arguments):
2592         (JSC::JIT::emit_op_init_global_const):
2593         (JSC::JIT::privateCompileGetByVal):
2594         (JSC::JIT::emitDirectArgumentsGetByVal):
2595         (JSC::JIT::emitScopedArgumentsGetByVal):
2596         * jit/JITPropertyAccess32_64.cpp:
2597         (JSC::JIT::emitGetClosureVar):
2598         (JSC::JIT::emitPutClosureVar):
2599         (JSC::JIT::emit_op_get_from_arguments):
2600         (JSC::JIT::emit_op_put_to_arguments):
2601         (JSC::JIT::emit_op_init_global_const):
2602         * jit/SetupVarargsFrame.cpp:
2603         (JSC::emitSetupVarargsFrameFastCase):
2604         * llint/LLIntOffsetsExtractor.cpp:
2605         * llint/LLIntSlowPaths.cpp:
2606         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2607         * llint/LowLevelInterpreter.asm:
2608         * llint/LowLevelInterpreter32_64.asm:
2609         * llint/LowLevelInterpreter64.asm:
2610         * parser/Nodes.h:
2611         (JSC::ScopeNode::captures):
2612         * runtime/Arguments.cpp: Removed.
2613         * runtime/Arguments.h: Removed.
2614         * runtime/ArgumentsMode.h: Added.
2615         * runtime/DirectArgumentsOffset.cpp: Added.
2616         (JSC::DirectArgumentsOffset::dump):
2617         * runtime/DirectArgumentsOffset.h: Added.
2618         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
2619         * runtime/CommonSlowPaths.cpp:
2620         (JSC::SLOW_PATH_DECL):
2621         * runtime/CommonSlowPaths.h:
2622         * runtime/ConstantMode.cpp: Added.
2623         (WTF::printInternal):
2624         * runtime/ConstantMode.h:
2625         (JSC::modeForIsConstant):
2626         * runtime/DirectArguments.cpp: Added.
2627         (JSC::DirectArguments::DirectArguments):
2628         (JSC::DirectArguments::createUninitialized):
2629         (JSC::DirectArguments::create):
2630         (JSC::DirectArguments::createByCopying):
2631         (JSC::DirectArguments::visitChildren):
2632         (JSC::DirectArguments::copyBackingStore):
2633         (JSC::DirectArguments::createStructure):
2634         (JSC::DirectArguments::overrideThings):
2635         (JSC::DirectArguments::overrideThingsIfNecessary):
2636         (JSC::DirectArguments::overrideArgument):
2637         (JSC::DirectArguments::copyToArguments):
2638         (JSC::DirectArguments::overridesSize):
2639         * runtime/DirectArguments.h: Added.
2640         (JSC::DirectArguments::internalLength):
2641         (JSC::DirectArguments::length):
2642         (JSC::DirectArguments::canAccessIndexQuickly):
2643         (JSC::DirectArguments::getIndexQuickly):
2644         (JSC::DirectArguments::setIndexQuickly):
2645         (JSC::DirectArguments::callee):
2646         (JSC::DirectArguments::argument):
2647         (JSC::DirectArguments::overrodeThings):
2648         (JSC::DirectArguments::offsetOfCallee):
2649         (JSC::DirectArguments::offsetOfLength):
2650         (JSC::DirectArguments::offsetOfMinCapacity):
2651         (JSC::DirectArguments::offsetOfOverrides):
2652         (JSC::DirectArguments::storageOffset):
2653         (JSC::DirectArguments::offsetOfSlot):
2654         (JSC::DirectArguments::allocationSize):
2655         (JSC::DirectArguments::storage):
2656         * runtime/FunctionPrototype.cpp:
2657         * runtime/GenericArguments.h: Added.
2658         (JSC::GenericArguments::GenericArguments):
2659         * runtime/GenericArgumentsInlines.h: Added.
2660         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2661         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2662         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2663         (JSC::GenericArguments<Type>::put):
2664         (JSC::GenericArguments<Type>::putByIndex):
2665         (JSC::GenericArguments<Type>::deleteProperty):
2666         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2667         (JSC::GenericArguments<Type>::defineOwnProperty):
2668         (JSC::GenericArguments<Type>::copyToArguments):
2669         * runtime/GenericOffset.h: Added.
2670         (JSC::GenericOffset::GenericOffset):
2671         (JSC::GenericOffset::operator!):
2672         (JSC::GenericOffset::offsetUnchecked):
2673         (JSC::GenericOffset::offset):
2674         (JSC::GenericOffset::operator==):
2675         (JSC::GenericOffset::operator!=):
2676         (JSC::GenericOffset::operator<):
2677         (JSC::GenericOffset::operator>):
2678         (JSC::GenericOffset::operator<=):
2679         (JSC::GenericOffset::operator>=):
2680         (JSC::GenericOffset::operator+):
2681         (JSC::GenericOffset::operator-):
2682         (JSC::GenericOffset::operator+=):
2683         (JSC::GenericOffset::operator-=):
2684         * runtime/JSArgumentsIterator.cpp:
2685         (JSC::JSArgumentsIterator::finishCreation):
2686         (JSC::argumentsFuncIterator):
2687         * runtime/JSArgumentsIterator.h:
2688         (JSC::JSArgumentsIterator::create):
2689         (JSC::JSArgumentsIterator::next):
2690         * runtime/JSEnvironmentRecord.cpp:
2691         (JSC::JSEnvironmentRecord::visitChildren):
2692         * runtime/JSEnvironmentRecord.h:
2693         (JSC::JSEnvironmentRecord::variables):
2694         (JSC::JSEnvironmentRecord::isValid):
2695         (JSC::JSEnvironmentRecord::variableAt):
2696         (JSC::JSEnvironmentRecord::offsetOfVariables):
2697         (JSC::JSEnvironmentRecord::offsetOfVariable):
2698         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
2699         (JSC::JSEnvironmentRecord::allocationSize):
2700         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
2701         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
2702         (JSC::JSEnvironmentRecord::finishCreation):
2703         (JSC::JSEnvironmentRecord::registers): Deleted.
2704         (JSC::JSEnvironmentRecord::registerAt): Deleted.
2705         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
2706         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
2707         * runtime/JSFunction.cpp:
2708         * runtime/JSGlobalObject.cpp:
2709         (JSC::JSGlobalObject::init):
2710         (JSC::JSGlobalObject::addGlobalVar):
2711         (JSC::JSGlobalObject::addFunction):
2712         (JSC::JSGlobalObject::visitChildren):
2713         (JSC::JSGlobalObject::addStaticGlobals):
2714         * runtime/JSGlobalObject.h:
2715         (JSC::JSGlobalObject::directArgumentsStructure):
2716         (JSC::JSGlobalObject::scopedArgumentsStructure):
2717         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
2718         (JSC::JSGlobalObject::argumentsStructure): Deleted.
2719         * runtime/JSLexicalEnvironment.cpp:
2720         (JSC::JSLexicalEnvironment::symbolTableGet):
2721         (JSC::JSLexicalEnvironment::symbolTablePut):
2722         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2723         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2724         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
2725         * runtime/JSLexicalEnvironment.h:
2726         (JSC::JSLexicalEnvironment::create):
2727         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2728         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
2729         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
2730         (JSC::JSLexicalEnvironment::storage): Deleted.
2731         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
2732         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
2733         (JSC::JSLexicalEnvironment::isValid): Deleted.
2734         (JSC::JSLexicalEnvironment::registerAt): Deleted.
2735         * runtime/JSNameScope.cpp:
2736         (JSC::JSNameScope::visitChildren): Deleted.
2737         * runtime/JSNameScope.h:
2738         (JSC::JSNameScope::create):
2739         (JSC::JSNameScope::value):
2740         (JSC::JSNameScope::finishCreation):
2741         (JSC::JSNameScope::JSNameScope):
2742         * runtime/JSScope.cpp:
2743         (JSC::abstractAccess):
2744         * runtime/JSSegmentedVariableObject.cpp:
2745         (JSC::JSSegmentedVariableObject::findVariableIndex):
2746         (JSC::JSSegmentedVariableObject::addVariables):
2747         (JSC::JSSegmentedVariableObject::visitChildren):
2748         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
2749         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
2750         * runtime/JSSegmentedVariableObject.h:
2751         (JSC::JSSegmentedVariableObject::variableAt):
2752         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
2753         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
2754         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
2755         * runtime/JSSymbolTableObject.h:
2756         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
2757         (JSC::symbolTableGet):
2758         (JSC::symbolTablePut):
2759         (JSC::symbolTablePutWithAttributes):
2760         * runtime/JSType.h:
2761         * runtime/Options.h:
2762         * runtime/ClonedArguments.cpp: Added.
2763         (JSC::ClonedArguments::ClonedArguments):
2764         (JSC::ClonedArguments::createEmpty):
2765         (JSC::ClonedArguments::createWithInlineFrame):
2766         (JSC::ClonedArguments::createWithMachineFrame):
2767         (JSC::ClonedArguments::createByCopyingFrom):
2768         (JSC::ClonedArguments::createStructure):
2769         (JSC::ClonedArguments::getOwnPropertySlot):
2770         (JSC::ClonedArguments::getOwnPropertyNames):
2771         (JSC::ClonedArguments::put):
2772         (JSC::ClonedArguments::deleteProperty):
2773         (JSC::ClonedArguments::defineOwnProperty):
2774         (JSC::ClonedArguments::materializeSpecials):
2775         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
2776         * runtime/ClonedArguments.h: Added.
2777         (JSC::ClonedArguments::specialsMaterialized):
2778         * runtime/ScopeOffset.cpp: Added.
2779         (JSC::ScopeOffset::dump):
2780         * runtime/ScopeOffset.h: Added.
2781         (JSC::ScopeOffset::ScopeOffset):
2782         * runtime/ScopedArguments.cpp: Added.
2783         (JSC::ScopedArguments::ScopedArguments):
2784         (JSC::ScopedArguments::finishCreation):
2785         (JSC::ScopedArguments::createUninitialized):
2786         (JSC::ScopedArguments::create):
2787         (JSC::ScopedArguments::createByCopying):
2788         (JSC::ScopedArguments::createByCopyingFrom):
2789         (JSC::ScopedArguments::visitChildren):
2790         (JSC::ScopedArguments::createStructure):
2791         (JSC::ScopedArguments::overrideThings):
2792         (JSC::ScopedArguments::overrideThingsIfNecessary):
2793         (JSC::ScopedArguments::overrideArgument):
2794         (JSC::ScopedArguments::copyToArguments):
2795         * runtime/ScopedArguments.h: Added.
2796         (JSC::ScopedArguments::internalLength):
2797         (JSC::ScopedArguments::length):
2798         (JSC::ScopedArguments::canAccessIndexQuickly):
2799         (JSC::ScopedArguments::getIndexQuickly):
2800         (JSC::ScopedArguments::setIndexQuickly):
2801         (JSC::ScopedArguments::callee):
2802         (JSC::ScopedArguments::overrodeThings):
2803         (JSC::ScopedArguments::offsetOfOverrodeThings):
2804         (JSC::ScopedArguments::offsetOfTotalLength):
2805         (JSC::ScopedArguments::offsetOfTable):
2806         (JSC::ScopedArguments::offsetOfScope):
2807         (JSC::ScopedArguments::overflowStorageOffset):
2808         (JSC::ScopedArguments::allocationSize):
2809         (JSC::ScopedArguments::overflowStorage):
2810         * runtime/ScopedArgumentsTable.cpp: Added.
2811         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
2812         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
2813         (JSC::ScopedArgumentsTable::destroy):
2814         (JSC::ScopedArgumentsTable::create):
2815         (JSC::ScopedArgumentsTable::clone):
2816         (JSC::ScopedArgumentsTable::setLength):
2817         (JSC::ScopedArgumentsTable::set):
2818         (JSC::ScopedArgumentsTable::createStructure):
2819         * runtime/ScopedArgumentsTable.h: Added.
2820         (JSC::ScopedArgumentsTable::length):
2821         (JSC::ScopedArgumentsTable::get):
2822         (JSC::ScopedArgumentsTable::lock):
2823         (JSC::ScopedArgumentsTable::offsetOfLength):
2824         (JSC::ScopedArgumentsTable::offsetOfArguments):
2825         (JSC::ScopedArgumentsTable::at):
2826         * runtime/SymbolTable.cpp:
2827         (JSC::SymbolTableEntry::prepareToWatch):
2828         (JSC::SymbolTable::SymbolTable):
2829         (JSC::SymbolTable::visitChildren):
2830         (JSC::SymbolTable::localToEntry):
2831         (JSC::SymbolTable::entryFor):
2832         (JSC::SymbolTable::cloneScopePart):
2833         (JSC::SymbolTable::prepareForTypeProfiling):
2834         (JSC::SymbolTable::uniqueIDForOffset):
2835         (JSC::SymbolTable::globalTypeSetForOffset):
2836         (JSC::SymbolTable::cloneCapturedNames): Deleted.
2837         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
2838         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
2839         * runtime/SymbolTable.h:
2840         (JSC::SymbolTableEntry::varOffsetFromBits):
2841         (JSC::SymbolTableEntry::scopeOffsetFromBits):
2842         (JSC::SymbolTableEntry::Fast::varOffset):
2843         (JSC::SymbolTableEntry::Fast::scopeOffset):
2844         (JSC::SymbolTableEntry::Fast::isDontEnum):
2845         (JSC::SymbolTableEntry::Fast::getAttributes):
2846         (JSC::SymbolTableEntry::SymbolTableEntry):
2847         (JSC::SymbolTableEntry::varOffset):
2848         (JSC::SymbolTableEntry::isWatchable):
2849         (JSC::SymbolTableEntry::scopeOffset):
2850         (JSC::SymbolTableEntry::setAttributes):
2851         (JSC::SymbolTableEntry::constantMode):
2852         (JSC::SymbolTableEntry::isDontEnum):
2853         (JSC::SymbolTableEntry::disableWatching):
2854         (JSC::SymbolTableEntry::pack):
2855         (JSC::SymbolTableEntry::isValidVarOffset):
2856         (JSC::SymbolTable::createNameScopeTable):
2857         (JSC::SymbolTable::maxScopeOffset):
2858         (JSC::SymbolTable::didUseScopeOffset):
2859         (JSC::SymbolTable::didUseVarOffset):
2860         (JSC::SymbolTable::scopeSize):
2861         (JSC::SymbolTable::nextScopeOffset):
2862         (JSC::SymbolTable::takeNextScopeOffset):
2863         (JSC::SymbolTable::add):
2864         (JSC::SymbolTable::set):
2865         (JSC::SymbolTable::argumentsLength):
2866         (JSC::SymbolTable::setArgumentsLength):
2867         (JSC::SymbolTable::argumentOffset):
2868         (JSC::SymbolTable::setArgumentOffset):
2869         (JSC::SymbolTable::arguments):
2870         (JSC::SlowArgument::SlowArgument): Deleted.
2871         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
2872         (JSC::SymbolTableEntry::getIndex): Deleted.
2873         (JSC::SymbolTableEntry::isValidIndex): Deleted.
2874         (JSC::SymbolTable::captureStart): Deleted.
2875         (JSC::SymbolTable::setCaptureStart): Deleted.
2876         (JSC::SymbolTable::captureEnd): Deleted.
2877         (JSC::SymbolTable::setCaptureEnd): Deleted.
2878         (JSC::SymbolTable::captureCount): Deleted.
2879         (JSC::SymbolTable::isCaptured): Deleted.
2880         (JSC::SymbolTable::parameterCount): Deleted.
2881         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
2882         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
2883         (JSC::SymbolTable::slowArguments): Deleted.
2884         (JSC::SymbolTable::setSlowArguments): Deleted.
2885         * runtime/VM.cpp:
2886         (JSC::VM::VM):
2887         * runtime/VM.h:
2888         * runtime/VarOffset.cpp: Added.
2889         (JSC::VarOffset::dump):
2890         (WTF::printInternal):
2891         * runtime/VarOffset.h: Added.
2892         (JSC::VarOffset::VarOffset):
2893         (JSC::VarOffset::assemble):
2894         (JSC::VarOffset::isValid):
2895         (JSC::VarOffset::operator!):
2896         (JSC::VarOffset::kind):
2897         (JSC::VarOffset::isStack):
2898         (JSC::VarOffset::isScope):
2899         (JSC::VarOffset::isDirectArgument):
2900         (JSC::VarOffset::stackOffsetUnchecked):
2901         (JSC::VarOffset::scopeOffsetUnchecked):
2902         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
2903         (JSC::VarOffset::stackOffset):
2904         (JSC::VarOffset::scopeOffset):
2905         (JSC::VarOffset::capturedArgumentsOffset):
2906         (JSC::VarOffset::rawOffset):
2907         (JSC::VarOffset::checkSanity):
2908         (JSC::VarOffset::operator==):
2909         (JSC::VarOffset::operator!=):
2910         (JSC::VarOffset::hash):
2911         (JSC::VarOffset::isHashTableDeletedValue):
2912         (JSC::VarOffsetHash::hash):
2913         (JSC::VarOffsetHash::equal):
2914         * tests/stress/arguments-exit-strict-mode.js: Added.
2915         * tests/stress/arguments-exit.js: Added.
2916         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
2917         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
2918         * tests/stress/arguments-inlined-exit.js: Added.
2919         * tests/stress/arguments-interference.js: Added.
2920         * tests/stress/arguments-interference-cfg.js: Added.
2921         * tests/stress/dead-get-closure-var.js: Added.
2922         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
2923         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
2924         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
2925         * tests/stress/varargs-closure-inlined-exit.js: Added.
2926         * tests/stress/varargs-exit.js: Added.
2927         * tests/stress/varargs-inlined-exit.js: Added.
2928         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
2929         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
2930         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
2931         * tests/stress/varargs-inlined-simple-exit.js: Added.
2932         * tests/stress/varargs-too-few-arguments.js: Added.
2933         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
2934         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
2935         * tests/stress/varargs-varargs-inlined-exit.js: Added.
2936
2937 2015-03-25  Andy Estes  <aestes@apple.com>
2938
2939         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
2940         https://bugs.webkit.org/show_bug.cgi?id=143068
2941
2942         Reviewed by Dan Bernstein.
2943
2944         * inspector/remote/RemoteInspectorXPCConnection.mm:
2945         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
2946
2947 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2948
2949         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
2950         https://bugs.webkit.org/show_bug.cgi?id=142993
2951
2952         Reviewed by Geoffrey Garen and Mark Lam.
2953         
2954         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
2955         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
2956         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
2957         failure, but also involves adding the same kind of thing to the stub generators in
2958         Repatch.
2959         
2960         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
2961         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
2962         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
2963         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
2964         printout.
2965         
2966         Also add a way of inducing executable allocation failure, so that we can test this.
2967
2968         * CMakeLists.txt:
2969         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2970         * JavaScriptCore.xcodeproj/project.pbxproj:
2971         * dfg/DFGJITCompiler.cpp:
2972         (JSC::DFG::JITCompiler::compile):
2973         (JSC::DFG::JITCompiler::compileFunction):
2974         (JSC::DFG::JITCompiler::link): Deleted.
2975         (JSC::DFG::JITCompiler::linkFunction): Deleted.
2976         * dfg/DFGJITCompiler.h:
2977         * dfg/DFGPlan.cpp:
2978         (JSC::DFG::Plan::compileInThreadImpl):
2979         * ftl/FTLCompile.cpp:
2980         (JSC::FTL::mmAllocateCodeSection):
2981         (JSC::FTL::mmAllocateDataSection):
2982         * ftl/FTLLink.cpp:
2983         (JSC::FTL::link):
2984         * ftl/FTLState.h:
2985         * jit/ArityCheckFailReturnThunks.cpp:
2986         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
2987         * jit/ExecutableAllocationFuzz.cpp: Added.
2988         (JSC::numberOfExecutableAllocationFuzzChecks):
2989         (JSC::doExecutableAllocationFuzzing):
2990         * jit/ExecutableAllocationFuzz.h: Added.
2991         (JSC::doExecutableAllocationFuzzingIfEnabled):
2992         * jit/ExecutableAllocatorFixedVMPool.cpp:
2993         (JSC::ExecutableAllocator::allocate):
2994         * jit/JIT.cpp:
2995         (JSC::JIT::privateCompile):
2996         * jit/JITCompilationEffort.h:
2997         * jit/Repatch.cpp:
2998         (JSC::generateByIdStub):
2999         (JSC::tryCacheGetByID):
3000         (JSC::tryBuildGetByIDList):
3001         (JSC::emitPutReplaceStub):
3002         (JSC::emitPutTransitionStubAndGetOldStructure):
3003         (JSC::tryCachePutByID):
3004         (JSC::tryBuildPutByIdList):
3005         (JSC::tryRepatchIn):
3006         (JSC::linkPolymorphicCall):
3007         * jsc.cpp:
3008         (jscmain):
3009         * runtime/Options.h:
3010         * runtime/TestRunnerUtils.h:
3011         * runtime/VM.cpp:
3012         * tests/executableAllocationFuzz: Added.
3013         * tests/executableAllocationFuzz.yaml: Added.
3014         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
3015
3016 2015-03-25  Mark Lam  <mark.lam@apple.com>
3017
3018         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
3019         <https://webkit.org/b/135719>
3020
3021         Reviewed by Geoffrey Garen.
3022
3023         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
3024         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
3025         update the LLINT to access it as such.
3026
3027         The issue has only manifested so far on the CLoop tests because those are LLINT
3028         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
3029         hiding the bug in the LLINT.
3030
3031         * API/JSContextRef.cpp:
3032         (createWatchdogIfNeeded):
3033         (JSContextGroupSetExecutionTimeLimit):
3034         (JSContextGroupClearExecutionTimeLimit):
3035         * llint/LowLevelInterpreter.asm:
3036
3037 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3038
3039         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
3040
3041         Rubber stamped by Geoffrey Garen.
3042
3043         * bytecode/CodeBlock.cpp:
3044         (JSC::CodeBlock::visitAggregate):
3045
3046 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
3047
3048         Fix formatting in BuiltinExecutables
3049         https://bugs.webkit.org/show_bug.cgi?id=143061
3050
3051         Reviewed by Ryosuke Niwa.
3052
3053         * builtins/BuiltinExecutables.cpp:
3054         (JSC::BuiltinExecutables::createExecutableInternal):
3055
3056 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
3057
3058         ES6: Classes: Program level class statement throws exception in strict mode
3059         https://bugs.webkit.org/show_bug.cgi?id=143038
3060
3061         Reviewed by Ryosuke Niwa.
3062
3063         Classes expose a name to the current lexical environment. This treats
3064         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
3065         Also, improve error messages for class statements where the class is missing a name.
3066
3067         * parser/Parser.h:
3068         * parser/Parser.cpp:
3069         (JSC::Parser<LexerType>::parseClass):
3070         Fill name in info parameter if needed. Better error message if name is needed and missing.
3071
3072         (JSC::Parser<LexerType>::parseClassDeclaration):
3073         Pass info parameter to get name, and expose the name as a variable name.
3074
3075         (JSC::Parser<LexerType>::parsePrimaryExpression):
3076         Pass info parameter that is ignored.
3077
3078         * parser/ParserFunctionInfo.h:
3079         Add a parser info for class, to extract the name.
3080
3081 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3082
3083         New map and set modification tests in r181922 fails
3084         https://bugs.webkit.org/show_bug.cgi?id=143031
3085
3086         Reviewed and tweaked by Geoffrey Garen.
3087
3088         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
3089         to adjust for the packed backing store.
3090
3091         Consider the following map data.
3092
3093         x: deleted, o: exists
3094         0 1 2 3 4
3095         x x x x o
3096
3097         And iterator with m_index 3.
3098
3099         When packing the map data, the map data will become:
3100
3101         0
3102         o
3103
3104         At that time, we perform didRemoveEntry 4 times on iterators.
3105         times => m_index/index/result
3106         1 => 3/0/dec
3107         2 => 2/1/dec
3108         3 => 1/2/nothing
3109         4 => 1/3/nothing
3110
3111         After iteration, the iterator's m_index becomes 1. But we expected it to become 0.
3112         This is because we use the decremented m_index for comparison:
3113         while the provided deletedIndex is the index in the old storage, m_index is the index in the partially packed storage.
3114
3115         In this patch, we compare against the packed index instead.
3116         times => m_index/packedIndex/result
3117         1 => 3/0/dec
3118         2 => 2/0/dec
3119         3 => 1/0/dec
3120         4 => 0/0/nothing
3121
3122         So m_index becomes 0 as expected.
3123
3124         And according to the spec, once the iterator is closed (becomes done: true),
3125         its internal [[Map]]/[[Set]] is set to undefined.
3126         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
3127
3128         In this patch, we change 2 things.
3129         1.
3130         Compare an iterator's index against the packed index when removing an entry.
3131
3132         2.
3133         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
3134
3135         * runtime/MapData.h:
3136         (JSC::MapDataImpl::IteratorData::finish):
3137         (JSC::MapDataImpl::IteratorData::isFinished):
3138         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
3139         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
3140         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
3141         * runtime/MapDataInlines.h:
3142         (JSC::JSIterator>::replaceAndPackBackingStore):
3143         * tests/stress/modify-map-during-iteration.js:
3144         * tests/stress/modify-set-during-iteration.js:
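
Added example (not WebKit code) modelling the cursor adjustment described in the entry above. It replays the "x x x x o" scenario with an iterator at m_index 3 and contrasts the pre-fix comparison against the old-storage index with the fixed comparison against the packed index, and it honours isFinished() so a closed iterator is never revived. Entry, IteratorData::didRemoveEntryOld, IteratorData::didRemoveEntryPacked, packBackingStore and cursorAfterPacking are constructed names for this illustration; m_index, didRemoveEntry and isFinished are the names used in the entry.

```cpp
// Added example (not WebKit code): a small model of how a Map/Set iterator's
// cursor must be adjusted when the backing store is packed, contrasting the
// pre-fix comparison (old-storage index) with the fixed one (packed index).
// Entry, didRemoveEntryOld/Packed, packBackingStore and cursorAfterPacking are
// constructed names; m_index and isFinished follow the ChangeLog entry.
#include <cstddef>
#include <cstdio>
#include <vector>

struct Entry {
    bool deleted; // x in the entry's diagram is deleted, o exists
};

struct IteratorData {
    size_t m_index = 0;      // cursor into the backing store
    bool m_finished = false; // a closed iterator must never be revived

    bool isFinished() const { return m_finished; }
    void finish() { m_finished = true; }

    // Pre-fix behaviour: compares against the index in the OLD storage, while
    // m_index has already been shifted into partially packed coordinates.
    void didRemoveEntryOld(size_t deletedIndex)
    {
        if (m_index > deletedIndex)
            --m_index;
    }

    // Fixed behaviour: compares against the index the entry would have had in
    // the PACKED storage, the coordinate system m_index now lives in, and
    // leaves a closed iterator untouched.
    void didRemoveEntryPacked(size_t packedIndex)
    {
        if (isFinished())
            return;
        if (m_index > packedIndex)
            --m_index;
    }
};

// Packs `store` in place (dropping deleted entries) and notifies every live
// iterator about each removal. `usePackedIndex` selects fixed vs pre-fix logic.
void packBackingStore(std::vector<Entry>& store, std::vector<IteratorData*>& iterators, bool usePackedIndex)
{
    size_t packedIndex = 0; // number of live entries already kept
    for (size_t oldIndex = 0; oldIndex < store.size(); ++oldIndex) {
        if (store[oldIndex].deleted) {
            for (IteratorData* it : iterators) {
                if (usePackedIndex)
                    it->didRemoveEntryPacked(packedIndex);
                else
                    it->didRemoveEntryOld(oldIndex);
            }
            continue;
        }
        store[packedIndex++] = store[oldIndex];
    }
    store.resize(packedIndex);
}

// Builds a store from deleted flags, places one iterator at `startIndex`,
// packs, and returns the iterator's m_index afterwards.
size_t cursorAfterPacking(const std::vector<bool>& deletedFlags, size_t startIndex, bool usePackedIndex, bool finished = false)
{
    std::vector<Entry> store;
    for (bool d : deletedFlags)
        store.push_back(Entry{d});
    IteratorData it;
    it.m_index = startIndex;
    if (finished)
        it.finish();
    std::vector<IteratorData*> iterators{&it};
    packBackingStore(store, iterators, usePackedIndex);
    return it.m_index;
}

int main()
{
    // The entry's scenario: "x x x x o", iterator at m_index 3.
    const std::vector<bool> scenario{true, true, true, true, false};
    std::printf("pre-fix cursor: %zu\n", cursorAfterPacking(scenario, 3, false));
    std::printf("fixed cursor:   %zu\n", cursorAfterPacking(scenario, 3, true));
    return 0;
}
```

The fixed rule generalises beyond the entry's example: processing deletions in increasing old-index order and decrementing whenever m_index exceeds the packed index ends with m_index reduced by exactly the number of deleted entries that sat before the cursor, which is the cursor's position in the packed storage.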
3145
3146 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
3147
3148         Setter should have a single formal parameter, Getter no parameters
3149         https://bugs.webkit.org/show_bug.cgi?id=142903
3150
3151         Reviewed by Geoffrey Garen.
3152
3153         * parser/Parser.cpp:
3154         (JSC::Parser<LexerType>::parseFunctionInfo):
3155         Enforce no parameters for getters and a single parameter
3156         for setters, with informational error messages.
3157
3158 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
3159
3160         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
3161         https://bugs.webkit.org/show_bug.cgi?id=143012
3162
3163         Reviewed by Ryosuke Niwa.
3164
3165         * bytecompiler/BytecodeGenerator.cpp:
3166         (JSC::BytecodeGenerator::emitReturn):
3167         Fix handling of "undefined" when returned from a Derived class. It was
3168         returning "undefined" when it should have returned "this".
3169
3170 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3171
3172         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
3173         https://bugs.webkit.org/show_bug.cgi?id=142696
3174
3175         Reviewed and tweaked by Geoffrey Garen.
3176
3177         Before r142556, JSSetIterator::destroy was not defined.
3178         So accidentally MapData::const_iterator in JSSet was never destroyed.
3179         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
3180
3181         After r142556, JSSetIterator::destroy works.
3182         It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
3183         But JSSetIterator::~JSSetIterator requires the owned JSSet since it mutates MapData->m_iteratorCount.
3184
3185         It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
3186         and marks it in visitChildren (WriteBarrier<Unknown>).
3187         However, the order of destructions is not guaranteed in a GC-ed system.
3188
3189         Consider the following case:
3190         allocate a JSSet and subsequently allocate a JSSetIterator,
3191         and they reside in separate MarkedBlocks, <1> and <2>.
3192
3193         JSSet<1> <- JSSetIterator<2>
3194
3195         And after that, when performing GC, Marker decides that the above 2 objects are not marked.
3196         And Marker also decides MarkedBlocks <1> and <2> can be swept.
3197
3198         First, Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
3199         Second, Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
3200         However, JSSetIterator<2>'s destructor,
3201         JSSetIterator::~JSSetIterator, requires a live JSSet<1>; this causes a use-after-free.
3202
3203         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
3204         When packing the removed elements in JSSet/JSMap, we apply the change to all live
3205         iterators tracked by WeakGCMap.
3206
3207         WeakGCMap can only track JSCells since they are managed by GC.
3208         So we drop JSSet/JSMap C++ style iterators. Instead of C++ style iterator, this patch
3209         introduces JS style iterator signatures into C++ class IteratorData.
3210         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
3211         IteratorData directly.
3212
3213         * runtime/JSMap.cpp:
3214         (JSC::JSMap::destroy):
3215         * runtime/JSMap.h:
3216         (JSC::JSMap::JSMap):
3217         (JSC::JSMap::begin): Deleted.
3218         (JSC::JSMap::end): Deleted.
3219         * runtime/JSMapIterator.cpp:
3220         (JSC::JSMapIterator::destroy):
3221         * runtime/JSMapIterator.h:
3222         (JSC::JSMapIterator::next):
3223         (JSC::JSMapIterator::nextKeyValue):
3224         (JSC::JSMapIterator::iteratorData):
3225         (JSC::JSMapIterator::JSMapIterator):
3226         * runtime/JSSet.cpp:
3227         (JSC::JSSet::destroy):
3228         * runtime/JSSet.h:
3229         (JSC::JSSet::JSSet):
3230         (JSC::JSSet::begin): Deleted.
3231         (JSC::JSSet::end): Deleted.
3232         * runtime/JSSetIterator.cpp:
3233         (JSC::JSSetIterator::destroy):
3234         * runtime/JSSetIterator.h:
3235         (JSC::JSSetIterator::next):
3236         (JSC::JSSetIterator::iteratorData):
3237         (JSC::JSSetIterator::JSSetIterator):
3238         * runtime/MapData.h:
3239         (JSC::MapDataImpl::IteratorData::finish):
3240         (JSC::MapDataImpl::IteratorData::isFinished):
3241         (JSC::MapDataImpl::shouldPack):
3242         (JSC::JSIterator>::MapDataImpl):
3243         (JSC::JSIterator>::KeyType::KeyType):
3244         (JSC::JSIterator>::IteratorData::IteratorData):
3245         (JSC::JSIterator>::IteratorData::next):
3246         (JSC::JSIterator>::IteratorData::ensureSlot):
3247         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
3248         (JSC::JSIterator>::IteratorData::refreshCursor):
3249         (JSC::MapDataImpl::const_iterator::key): Deleted.
3250         (JSC::MapDataImpl::const_iterator::value): Deleted.
3251         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
3252         (JSC::MapDataImpl::const_iterator::finish): Deleted.
3253         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
3254         (JSC::MapDataImpl::begin): Deleted.
3255         (JSC::MapDataImpl::end): Deleted.
3256         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
3257         (JSC::MapDataImpl<Entry>::clear): Deleted.
3258         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
3259         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
3260         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
3261         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
3262         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
3263         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
3264         (JSC::=): Deleted.
3265         * runtime/MapDataInlines.h:
3266         (JSC::JSIterator>::clear):
3267         (JSC::JSIterator>::find):
3268         (JSC::JSIterator>::contains):
3269         (JSC::JSIterator>::add):
3270         (JSC::JSIterator>::set):
3271         (JSC::JSIterator>::get):
3272         (JSC::JSIterator>::remove):
3273         (JSC::JSIterator>::replaceAndPackBackingStore):
3274         (JSC::JSIterator>::replaceBackingStore):
3275         (JSC::JSIterator>::ensureSpaceForAppend):
3276         (JSC::JSIterator>::visitChildren):
3277         (JSC::JSIterator>::copyBackingStore):
3278         (JSC::JSIterator>::applyMapDataPatch):
3279         (JSC::MapDataImpl<Entry>::find): Deleted.
3280         (JSC::MapDataImpl<Entry>::contains): Deleted.
3281         (JSC::MapDataImpl<Entry>::add): Deleted.
3282         (JSC::MapDataImpl<Entry>::set): Deleted.
3283         (JSC::MapDataImpl<Entry>::get): Deleted.
3284         (JSC::MapDataImpl<Entry>::remove): Deleted.
3285         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
3286         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
3287         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
3288         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
3289         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
3290         * runtime/MapPrototype.cpp:
3291         (JSC::mapProtoFuncForEach):
3292         * runtime/SetPrototype.cpp:
3293         (JSC::setProtoFuncForEach):
3294         * runtime/WeakGCMap.h:
3295         (JSC::WeakGCMap::forEach):
3296         * tests/stress/modify-map-during-iteration.js: Added.
3297         (testValue):
3298         (identityPairs):
3299         (.set if):
3300         (var):
3301         (set map):
3302         * tests/stress/modify-set-during-iteration.js: Added.
3303         (testValue):
3304         (set forEach):
3305         (set delete):
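
The ES6 iteration semantics that the new IteratorData (next/finish/isFinished) and the two added stress tests cover, shown as an added JavaScript example; this is not code from the WebKit patch or from the tests it adds, and the Map/Set contents are constructed here:

```javascript
// Added example, not part of the WebKit patch: it exercises the ES6 Map/Set
// iteration semantics that tests/stress/modify-map-during-iteration.js and
// modify-set-during-iteration.js cover. A live iterator visits entries added
// during iteration, skips entries deleted before they are reached, and a
// re-added key moves to the end of the insertion order.

function visitMapWhileMutating() {
  const map = new Map([[1, 'a'], [2, 'b'], [3, 'c']]);  // constructed sample
  const visited = [];
  let readded = false;
  map.forEach((value, key) => {
    visited.push(key);
    if (key === 1) {
      map.delete(2);     // not yet reached, so it is never visited
      map.set(4, 'd');   // appended, so it is visited later
    }
    if (key === 3 && !readded) {
      readded = true;    // guard: re-insert only once, or forEach never ends
      map.delete(3);     // removing the current entry is allowed
      map.set(3, 'c2');  // re-insertion appends it, so it is visited once more
    }
  });
  return visited;        // [1, 3, 4, 3]
}

function visitSetWhileMutating() {
  const set = new Set(['x', 'y', 'z']);  // constructed sample
  const visited = [];
  for (const v of set) {   // the for-of iterator follows the same rules
    visited.push(v);
    if (v === 'x') {
      set.delete('y');     // skipped: deleted before being reached
      set.add('w');        // visited: appended after the current position
    }
  }
  return visited;          // ['x', 'z', 'w']
}

function iteratorStaysFinished() {
  const set = new Set(['x']);
  const it = set.values();
  const first = it.next();   // { value: 'x', done: false }
  const end = it.next();     // done: true, the iterator is now finished
  set.add('y');              // added after the iterator finished
  const later = it.next();   // a finished iterator never resumes
  return { first: first.value, endDone: end.done,
           laterDone: later.done, laterValue: later.value };
}
```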
3306
3307 2015-03-24  Mark Lam  <mark.lam@apple.com>
3308
3309         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
3310         <https://webkit.org/b/143024>
3311
3312         Reviewed by Geoffrey Garen.
3313
3314         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
3315         passed in from testapi.c.  It should create its own for better
3316         encapsulation of the test.
3317
3318         * API/tests/ExecutionTimeLimitTest.cpp:
3319         (currentCPUTimeAsJSFunctionCallback):
3320         (testExecutionTimeLimit):
3321         * API/tests/ExecutionTimeLimitTest.h:
3322         * API/tests/testapi.c:
3323         (main):
3324
3325 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
3326
3327         ES6: Object Literal Methods toString is missing method name
3328         https://bugs.webkit.org/show_bug.cgi?id=142992
3329
3330         Reviewed by Geoffrey Garen.
3331
3332         Always stringify functions in the pattern:
3333
3334           "function " + <function name> + <text from opening parenthesis to closing brace>.
3335
3336         * runtime/FunctionPrototype.cpp:
3337         (JSC::functionProtoFuncToString):
3338         Update the path that was not stringifying in this pattern.
3339
3340         * bytecode/UnlinkedCodeBlock.cpp:
3341         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3342         * bytecode/UnlinkedCodeBlock.h:
3343         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
3344         * parser/Nodes.h:
3345         * runtime/Executable.cpp:
3346         (JSC::FunctionExecutable::FunctionExecutable):
3347         * runtime/Executable.h:
3348         (JSC::FunctionExecut