[ARM] Add the necessary setupArgumentsWithExecState after bug141332

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2015-02-17  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Add the necessary setupArgumentsWithExecState after bug141332
        https://bugs.webkit.org/show_bug.cgi?id=141714

        Reviewed by Michael Saboff.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2015-02-15  Sam Weinig  <sam@webkit.org>

        Add experimental <attachment> element support
        https://bugs.webkit.org/show_bug.cgi?id=141626

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2015-02-16  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r180060): C Loop crashes
        https://bugs.webkit.org/show_bug.cgi?id=141671

        Reviewed by Geoffrey Garen.

        Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
        After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
        Fixed the processing of an out of stack exception in llint_stack_check to not get the caller's
        frame.  This isn't needed, since this helper is only called to check the stack on entry.  Any
        exception will be handled by a call ancestor.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
        * llint/LowLevelInterpreter.asm: Fixed a typo.

2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Scope details sidebar should label objects with constructor names
        https://bugs.webkit.org/show_bug.cgi?id=139449

        Reviewed by Timothy Hatcher.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::internalConstructorName):
        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        Share calculatedClassName.

        * runtime/JSObject.h:        
        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        Elaborate on a way to get an Object's class name.

2015-02-16  Filip Pizlo  <fpizlo@apple.com>

        DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
        https://bugs.webkit.org/show_bug.cgi?id=141623

        Reviewed by Oliver Hunt.
        
        During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
        needed to use GetArgument for loading something that has magically already appeared on the
        stack, so currently trunk sort of allows this. But then I realized three things:
        
        - A GetArgument with a non-JSValue flush format means speculating that the value on the
          stack obeys that format, rather than just assuming that that it already has that format.
          In bug 141332, I want it to assume rather than speculate. That also happens to be more
          intuitive; I don't think I was wrong to expect that.
        
        - The node I really want is GetLocal. I'm just getting the value of the local and I don't
          want to do anything else.
        
        - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
          use GetArgument.
        
        This changes the FTL to do argument speculations in the prologue just like the DFG does.
        This brings some consistency to our system, and allows us to get rid of the GetArgument
        node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
        vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
        dead we will still speculate. We already have safeguards to ensure we only speculate if
        there are uses that benefit from speculation (which is a much more conservative criterion
        than DCE).
        
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::typeFilterFor):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPutLocalSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
        * tests/stress/dead-speculating-argument-use.js: Added.
        (foo):
        (o.valueOf):

2015-02-15  Filip Pizlo  <fpizlo@apple.com>

        Rare case profiling should actually work
        https://bugs.webkit.org/show_bug.cgi?id=141632

        Reviewed by Michael Saboff.
        
        This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
        heuristic has essentially stopped working because the typical execution count threshold for a
        bytecode instruction is around 66 while the slow case threshold is 100: virtually
        guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
        case even if it took it every single time. So, this changes the slow case threshold to 20.
        
        I checked if we could lower this down further, like to 10. That is worse than 20, and about
        as bad as 100.

        * runtime/Options.h:

2015-02-15  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: remove unused XHR replay code
        https://bugs.webkit.org/show_bug.cgi?id=141622

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Network.json: remove XHR replay methods.

2015-02-15  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
        <http://webkit.org/b/141607>

        More work towards fixing the Mavericks Debug build.

        * inspector/ScriptDebugServer.h:
        (Inspector::ScriptDebugServer::Task):
        * inspector/agents/InspectorDebuggerAgent.h:
        (Inspector::InspectorDebuggerAgent::Listener):
        - Remove subclass exports. They did not help.

        * runtime/JSCJSValue.h:
        (JSC::JSValue::toFloat): Do not mark inline method for export.

2015-02-09  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
        https://bugs.webkit.org/show_bug.cgi?id=141372

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        (Inspector::ConsoleMessage::updateRepeatCountInConsole):
        * inspector/ConsoleMessage.h:
        * inspector/InspectorAgentBase.h:
        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::AgentRegistry::AgentRegistry):
        (Inspector::AgentRegistry::append):
        (Inspector::AgentRegistry::appendExtraAgent):
        (Inspector::AgentRegistry::didCreateFrontendAndBackend):
        (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
        (Inspector::AgentRegistry::discardAgents):
        (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
        (Inspector::InspectorAgentRegistry::append): Deleted.
        (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
        (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
        (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
        (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
        * inspector/InspectorAgentRegistry.h:
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
        (Inspector::BackendDispatcher::CallbackBase::isActive):
        (Inspector::BackendDispatcher::CallbackBase::sendFailure):
        (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
        (Inspector::BackendDispatcher::create):
        (Inspector::BackendDispatcher::registerDispatcherForDomain):
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::reportProtocolError):
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
        (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
        (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
        (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
        (Inspector::InspectorBackendDispatcher::create): Deleted.
        (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
        (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
        (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
        (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
        (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
        (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
        (Inspector::InspectorBackendDispatcher::getString): Deleted.
        (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
        (Inspector::InspectorBackendDispatcher::getObject): Deleted.
        (Inspector::InspectorBackendDispatcher::getArray): Deleted.
        (Inspector::InspectorBackendDispatcher::getValue): Deleted.
        * inspector/InspectorBackendDispatcher.h:
        (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
        (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
        (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
        (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
        * inspector/InspectorFrontendChannel.h:
        (Inspector::FrontendChannel::~FrontendChannel):
        (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
        (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
        (Inspector::InspectorDebuggerAgent::didPause):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        (Inspector::InspectorDebuggerAgent::clearBreakDetails):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
        (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/augmentable/AlternateDispatchableAgent.h:
        * inspector/augmentable/AugmentableInspectorController.h:
        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_type_for_formal_out_parameter):
        (CppGenerator.cpp_type_for_stack_out_parameter):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        (AlternateBackendDispatcher):
        (Alternate):
        (void):
        (AlternateInspectorBackendDispatcher): Deleted.
        (AlternateInspector): Deleted.
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
        (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        * runtime/JSGlobalObjectDebuggable.h:

2015-02-14  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
        <http://webkit.org/b/141607>

        Work towards fixing the Mavericks Debug build.

        * inspector/ScriptDebugServer.h:
        (Inspector::ScriptDebugServer::Task): Export class.
        * inspector/agents/InspectorDebuggerAgent.h:
        (Inspector::InspectorDebuggerAgent::Listener): Export class.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
        method for export.

2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Symbol RemoteObject should not send sub-type
        https://bugs.webkit.org/show_bug.cgi?id=141604

        Reviewed by Brian Burg.

        * inspector/InjectedScriptSource.js:

2015-02-13  Benjamin Poulain  <bpoulain@apple.com>

        Attempt to fix 32bits build after r180098

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        I copied the attribute from the MathObject version of that function when I moved
        it over. DFG has no version of a function call taking those attributes.

2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: Do not stash console messages for non-debuggable JSContext
        https://bugs.webkit.org/show_bug.cgi?id=141589

        Reviewed by Timothy Hatcher.

        Consider developer extras disabled for JSContext inspection if the
        RemoteInspector server is not enabled (typically a non-debuggable
        process rejected by webinspectord) or if remote debugging on the
        JSContext was explicitly disabled via SPI.

        When developer extras are disabled, console message will not be stashed.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
        * inspector/JSGlobalObjectInspectorController.h:

2015-02-13  Benjamin Poulain  <bpoulain@apple.com>

        Add a DFG node for the Pow Intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=141540

        Reviewed by Filip Pizlo.

        Add a DFG Node for PowIntrinsic. This patch covers the basic cases
        need to avoid massive regression. I will iterate over the node to cover
        the missing types.

        With this patch I get the following progressions on benchmarks:
        -LongSpider's math-partial-sums: +5%.
        -Kraken's imaging-darkroom: +17%
        -AsmBench's cray.c: +6.6%
        -CompressionBench: +2.2% globally.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        Cover a couple of trivial cases:
        -If the exponent is zero, the result is always one, regardless of the base.
        -If both arguments are constants, compute the result at compile time.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        We only support 2 basic cases at this time:
        -Math.pow(double, int)
        -Math.pow(double, double).

        I'll cover Math.pow(int, int) in a follow up.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToArithSqrt):
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::compileArithPowIntegerFastPath):
        (JSC::DFG::SpeculativeJIT::compileArithPow):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithPow):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doublePow):
        (JSC::FTL::Output::doublePowi):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncPow):
        (JSC::isDenormal): Deleted.
        (JSC::isEdgeCase): Deleted.
        (JSC::mathPow): Deleted.

        * tests/stress/math-pow-basics.js: Added.
        * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
        * tests/stress/math-pow-nan-behaviors.js: Added.
        * tests/stress/math-pow-with-constants.js: Added.
        Start some basic testing of Math.pow().
        Due to the various transform, the value change when the code tiers up,
        I covered this by checking for approximate values.

2015-02-13  Benjamin Poulain  <bpoulain@apple.com>

        ArithSqrt should not be conditional on supportsFloatingPointSqrt
        https://bugs.webkit.org/show_bug.cgi?id=141546

        Reviewed by Geoffrey Garen and Filip Pizlo.

        Just fallback to the function call in the DFG codegen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSqrt):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * tests/stress/math-sqrt-basics.js: Added.
        Basic coverage.

        * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
        Same tests but forcing the function call.

2015-02-13  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
        https://bugs.webkit.org/show_bug.cgi?id=141577

        Reviewed by Benjamin Poulain.

        Changed the prologue of the baseline JIT to check for stack space for all
        types of code blocks.  Previously, it was only checking Function.  Now
        it checks Program and Eval as well.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2015-02-13  Benjamin Poulain  <bpoulain@apple.com>

        Generate incq instead of addq when the immediate value is one
        https://bugs.webkit.org/show_bug.cgi?id=141548

        Reviewed by Gavin Barraclough.

        JSC emits "addq #1 (rXX)" *a lot*.
        This patch replace that by incq, which is one byte shorter
        and is the adviced form.

        Sunspider: +0.47%
        Octane: +0.28%
        Kraken: +0.44%
        AsmBench, CompressionBench: neutral.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::incq_m):

2015-02-13  Benjamin Poulain  <benjamin@webkit.org>

        Little clean up of Bytecode Generator's Label
        https://bugs.webkit.org/show_bug.cgi?id=141557

        Reviewed by Michael Saboff.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/BytecodeGenerator.cpp:
        Label was a friend of BytecodeGenerator in order to access
        m_instructions. There is no need for that, BytecodeGenerator
        has a public getter.

        * bytecompiler/Label.h:
        (JSC::Label::Label):
        (JSC::Label::setLocation):
        (JSC::BytecodeGenerator::newLabel):
        Make it explicit that the generator must exist.

2015-02-13  Michael Saboff  <msaboff@apple.com>

        Google doc spreadsheet reproducibly crashes when sorting
        https://bugs.webkit.org/show_bug.cgi?id=141098

        Reviewed by Oliver Hunt.

        Moved the stack check to before the callee registers are allocated in the
        prologue() by movving it from the functionInitialization() macro.  This
        way we can check the stack before moving the stack pointer, avoiding a
        crash during a "call" instruction.  Before this change, we weren't even
        checking the stack for program and eval execution.

        Made a couple of supporting changes.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
        may be processing an exception to an entry frame.

        * llint/LowLevelInterpreter.asm:

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        (llint_throw_from_slow_path_trampoline): Changed method to get the vm
        from the code block to not use the codeBlock, since we may need to
        continue from an exception in a native function.

2015-02-12  Benjamin Poulain  <benjamin@webkit.org>

        Simplify the initialization of BytecodeGenerator a bit
        https://bugs.webkit.org/show_bug.cgi?id=141505

        Reviewed by Anders Carlsson.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        Setup the default initialization at the declaration level
        instead of the constructor.

        Also made m_scopeNode and m_codeType const to make it explicit
        that they are invariant after construction.

        * parser/Nodes.cpp:
        * runtime/Executable.cpp:
        Remove 2 useless #includes.

2015-02-12  Benjamin Poulain  <benjamin@webkit.org>

        Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT
        https://bugs.webkit.org/show_bug.cgi?id=141506

        Reviewed by Michael Saboff.

        The generators for the nodes GetScope and SkipScope were
        completely identical between 32 and 64bits.

        This patch moves the duplicated code to DFGSpeculativeJIT.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetScope):
        (JSC::DFG::SpeculativeJIT::compileSkipScope):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2015-02-11  Brent Fulgham  <bfulgham@apple.com>

        [Win] [64-bit] Work around MSVC2013 Runtime Bug
        https://bugs.webkit.org/show_bug.cgi?id=141498
        <rdar://problem/19803642>

        Reviewed by Anders Carlsson.

        Disable FMA3 instruction use in the MSVC math library to
        work around a VS2013 runtime crash. We can remove this
        workaround when we switch to VS2015.

        * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable
        FMA3 support.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added.
        * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0)
        to disable FMA3 support.
        * jsc.cpp: Ditto.
        * testRegExp.cpp: Ditto.

2015-02-11  Filip Pizlo  <fpizlo@apple.com>

        The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs
        https://bugs.webkit.org/show_bug.cgi?id=141493

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::calleeFrameSlot):
        (JSC::AssemblyHelpers::calleeArgumentSlot):
        (JSC::AssemblyHelpers::calleeFrameTagSlot):
        (JSC::AssemblyHelpers::calleeFramePayloadSlot):
        (JSC::AssemblyHelpers::calleeArgumentTagSlot):
        (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
        (JSC::AssemblyHelpers::calleeFrameCallerFrame):

2015-02-11  Filip Pizlo  <fpizlo@apple.com>

        SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame
        https://bugs.webkit.org/show_bug.cgi?id=141485

        Reviewed by Oliver Hunt.
        
        The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for
        vararg calls from inlined code, but that doesn't work since the DFG inline call frame
        doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there
        is really no such thing as an inlineStackOffset except when we OSR exit; while the code is
        running the stack layout is compacted so that the stackOffset is not meaningful.

        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * jit/SetupVarargsFrame.h:

2015-02-10  Filip Pizlo  <fpizlo@apple.com>

        Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints
        https://bugs.webkit.org/show_bug.cgi?id=141455

        Reviewed by Mark Lam.
        
        The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion
        of https://bugs.webkit.org/show_bug.cgi?id=141332.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::specializationKindFor):
        (JSC::CallLinkInfo::specializationKind):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        (JSC::FTL::JSCall::emit): Deleted.
        (JSC::FTL::JSCall::link): Deleted.
        * ftl/FTLJSCall.h:
        * ftl/FTLJSCallBase.cpp: Added.
        (JSC::FTL::JSCallBase::JSCallBase):
        (JSC::FTL::JSCallBase::emit):
        (JSC::FTL::JSCallBase::link):
        * ftl/FTLJSCallBase.h: Added.

2015-02-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2015-02-10  Filip Pizlo  <fpizlo@apple.com>

        op_call_varargs should only load the length once
        https://bugs.webkit.org/show_bug.cgi?id=141440
        rdar://problem/19761683

        Reviewed by Michael Saboff.
        
        Refactors the pair of calls that set up the varargs frame so that the first call returns the
        length, and the second call uses the length returned by the first one. It turns out that this
        gave me an opportunity to shorten a lot of the code.

        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        (JSC::setupVarargsFrame):
        (JSC::setupVarargsFrameAndSetThis):
        * interpreter/Interpreter.h:
        (JSC::calleeFrameForVarargs):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetVarargsFrame):
        (JSC::emitSetupVarargsFrameFastCase):
        * jit/SetupVarargsFrame.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::copyToArguments):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:
        * runtime/VM.h:
        * tests/stress/call-varargs-length-effects.js: Added.
        (foo):
        (bar):

2015-02-10  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
        https://bugs.webkit.org/show_bug.cgi?id=139398

        Reviewed by Filip Pizlo.

        Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
        was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
        node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
        lowering can still be handled by the FTL.

        Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
        a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
        node.  With the check right before lowering, we see this node.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
        to verify that after all the transformations we still have valid IR for the FTL.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.

2015-02-10  Filip Pizlo  <fpizlo@apple.com>

        Remove unused DFG::SpeculativeJIT::calleeFrameOffset().

        Rubber stamped by Michael Saboff.
        
        Not only was this not used, I believe that the math was wrong. The callee frame doesn't
        actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and
        that decision is made elsewhere. Also, it makes no sense to subtract 1 from
        m_nextMachineLocal when trying to deduce the number of in-use stack slots.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted.

2015-02-10  Saam Barati  <saambarati1@gmail.com>

        Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier
        https://bugs.webkit.org/show_bug.cgi?id=141272

        Reviewed by Oliver Hunt.

        This patch fixes a bug where the wrong text location would be 
        assigned to a variable declaration inside a ForIn/ForOf loop. 
        It also fixes a bug in the type profiler where the type profiler 
        emits the wrong text offset for a ForIn loop's variable declarator 
        when it's not a pattern node.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitLoopHeader):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        * tests/typeProfiler/loop.js:
        (testForIn):
        (testForOf):

2015-02-09  Saam Barati  <saambarati1@gmail.com>

        JSC's Type Profiler doesn't profile the type of the looping variable in ForOf/ForIn loops
        https://bugs.webkit.org/show_bug.cgi?id=141241

        Reviewed by Filip Pizlo.

        Type information is now recorded for ForIn and ForOf statements. 
        It was an oversight to not have these statements profiled before.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        * tests/typeProfiler/loop.js: Added.
        (testForIn):
        (testForOf):

2015-02-09  Filip Pizlo  <fpizlo@apple.com>

        DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid
        https://bugs.webkit.org/show_bug.cgi?id=141412

        Reviewed by Michael Saboff.
        
        StackLayoutPhase was attempting to ensure that the register that
        CodeBlock::scopeRegister() points to is the right one for the DFG. But the DFG did nothing
        else to maintain the validity of the scopeRegister(). It wasn't captured as far as I can
        tell. StackLayoutPhase didn't explicitly mark it live. PreciseLocalClobberize didn't mark
        it as being live. So, by the time we got here the register referred to by
        CodeBlock::scopeRegister() would have been junk. Moreover, CodeBlock::scopeRegister() was
        not used for DFG code blocks, and was hardly ever used outside of bytecode generation.
        
        So, this patch just removes the code to manipulate this field and replaces it with an
        unconditional setScopeRegister(VirtualRegister()). Setting it to the invalid register
        ensures that any attempst to read the scopeRegister in a DFG or FTL frame immediately
        punts.

        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):

2015-02-09  Filip Pizlo  <fpizlo@apple.com>

        Varargs frame set-up should be factored out for use by other JITs
        https://bugs.webkit.org/show_bug.cgi?id=141388

        Reviewed by Michael Saboff.
        
        Previously the code that dealt with varargs always assumed that we were setting up a varargs call
        frame by literally following the execution semantics of op_call_varargs. This isn't how it'll
        happen once the DFG and FTL do varargs calls, or when varargs calls get inlined. The DFG and FTL
        don't literally execute bytecode; for example their stack frame layout has absolutely nothing in
        common with what the bytecode says, and that will never change.
        
        This patch makes two changes:
        
        Setting up the varargs callee frame can be done in smaller steps: particularly in the case of a
        varargs call that gets inlined, we aren't going to actually want to set up a callee frame in
        full - we just want to put the arguments somewhere, and that place will not have much (if
        anything) in common with the call frame format. This patch factors that out into something called
        a loadVarargs. The thing we used to call loadVarargs is now called setupVarargsFrame. This patch
        also separates loading varargs from setting this, since the fact that those two things are done
        together is a detail made explicit in bytecode but it's not at all required in the higher-tier
        engines. In the process of factoring this code out, I found a bunch of off-by-one errors in the
        various calculations. I fixed them. The distance from the caller's frame pointer to the callee
        frame pointer is always:
        
            numUsedCallerSlots + argCount + 1 + CallFrameSize
        
        where numUsedCallerSlots is toLocal(firstFreeRegister) - 1, which simplifies down to just
        -firstFreeRegister. The code now speaks of numUsedCallerSlots rather than firstFreeRegister,
        since the latter is a bytecode peculiarity that doesn't apply in the DFG or FTL. In the DFG, the
        internally-computed frame size, minus the parameter slots, will be used for numUsedCallerSlots.
        In the FTL, we will essentially compute numUsedCallerSlots dynamically by subtracting SP from FP.
        Eventually, LLVM might give us some cleaner way of doing this, but it probably doesn't matter
        very much.
        
        The arguments forwarding optimization is factored out of the Baseline JIT: the DFG and FTL will
        want to do this optimization as well, but it involves quite a bit of code. So, this code is now
        factored out into SetupVarargsFrame.h|cpp, so that other JITs can use it. In the process of factoring
        this code out I noticed that the 32-bit and 64-bit code is nearly identical, so I combined them.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::ExecState::r):
        (JSC::ExecState::uncheckedR):
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::operator+):
        (JSC::VirtualRegister::operator-):
        (JSC::VirtualRegister::operator+=):
        (JSC::VirtualRegister::operator-=):
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        (JSC::setupVarargsFrame):
        (JSC::setupVarargsFrameAndSetThis):
        * interpreter/Interpreter.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
        (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::emitGetFromCallFrameHeaderPtr): Deleted.
        (JSC::JIT::emitGetFromCallFrameHeader32): Deleted.
        (JSC::JIT::emitGetFromCallFrameHeader64): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/SetupVarargsFrame.cpp: Added.
        (JSC::emitSetupVarargsFrameFastCase):
        * jit/SetupVarargsFrame.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::copyToArguments):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:

2015-02-09  Filip Pizlo  <fpizlo@apple.com>

        DFG call codegen should resolve the callee operand as late as possible
        https://bugs.webkit.org/show_bug.cgi?id=141398

        Reviewed by Mark Lam.
        
        This is mostly a benign restructuring to help with the implementation of
        https://bugs.webkit.org/show_bug.cgi?id=141332.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):

2015-02-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three
        https://bugs.webkit.org/show_bug.cgi?id=141369

        Reviewed by Michael Saboff.

        We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe
        effectfulness.  Starting over a year ago, we introduced a more powerful mechanism - the
        DFG::clobberize() function.  Now we only have one remaining client of the old NodeFlags,
        and everyone else uses DFG::clobberize().  We should get rid of those NodeFlags and
        finally switch everyone over to DFG::clobberize().
        
        Unfortunately there is still another place where effectfulness of nodes is described: the
        AbstractInterpreter. This is because the AbstractInterpreter has special tuning both for
        compile time performance and there are places where the AI is more precise than
        clobberize() because of its flow-sensitivity.
        
        This means that after this change there will be only two places, rather than three, where
        the effectfulness of a node has to be described:

        - DFG::clobberize()
        - DFG::AbstractInterpreter

        * dfg/DFGClobberize.cpp:
        (JSC::DFG::clobbersWorld):
        * dfg/DFGClobberize.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isPredictedNumerical): Deleted.
        (JSC::DFG::Graph::byValIsPure): Deleted.
        (JSC::DFG::Graph::clobbersWorld): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToConstant):
        (JSC::DFG::Node::convertToGetLocalUnlinked):
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::convertToMultiPutByOffset):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:

2015-02-09  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the !ENABLE(DFG_JIT) build
        https://bugs.webkit.org/show_bug.cgi?id=141387

        Reviewed by Darin Adler.

        * jit/Repatch.cpp:

2015-02-08  Benjamin Poulain  <benjamin@webkit.org>

        Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase
        https://bugs.webkit.org/show_bug.cgi?id=141363

        Reviewed by Darin Adler.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        Some blocks were duplicated, they probably evolved separately
        to the same state.

2015-02-08  Benjamin Poulain  <benjamin@webkit.org>

        Remove useless declarations and a stale comment from DFGByteCodeParser.h
        https://bugs.webkit.org/show_bug.cgi?id=141361

        Reviewed by Darin Adler.

        The comment refers to the original form of the ByteCodeParser:
            parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex);

        That form is long dead, the comment is more misleading than anything.

        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGByteCodeParser.h:

2015-02-08  Benjamin Poulain  <benjamin@webkit.org>

        Encapsulate DFG::Plan's beforeFTL timestamp
        https://bugs.webkit.org/show_bug.cgi?id=141360

        Reviewed by Darin Adler.

        Make the attribute private, it is an internal state.

        Rename beforeFTL->timeBeforeFTL for readability.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:

2015-02-08  Benjamin Poulain  <bpoulain@apple.com>

        Remove DFGNode::hasArithNodeFlags()
        https://bugs.webkit.org/show_bug.cgi?id=141319

        Reviewed by Michael Saboff.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArithNodeFlags): Deleted.
        Unused code is unused.

2015-02-07  Chris Dumez  <cdumez@apple.com>

        Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions
        https://bugs.webkit.org/show_bug.cgi?id=141321

        Reviewed by Darin Adler.

        Use new Vector::removeFirstMatching() / removeAllMatching() methods.

2015-02-06  Filip Pizlo  <fpizlo@apple.com>

        DFG SSA shouldn't have SetArgument nodes
        https://bugs.webkit.org/show_bug.cgi?id=141342

        Reviewed by Mark Lam.

        I was wondering why we kept the SetArgument around for captured
        variables. It turns out we did so because we thought we had to, even
        though we didn't have to. The node is meaningless in SSA.

        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2015-02-06  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band
        https://bugs.webkit.org/show_bug.cgi?id=141337

        Reviewed by Mark Lam.

        This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that
        are associated with the prologue.

        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted.
        (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted.

2015-02-06  Mark Lam  <mark.lam@apple.com>

        MachineThreads should be ref counted.
        <https://webkit.org/b/141317>

        Reviewed by Filip Pizlo.

        The VM's MachineThreads registry object is being referenced from other
        threads as a raw pointer.  In a scenario where the VM is destructed on
        the main thread, there is no guarantee that another thread isn't still
        holding a reference to the registry and will eventually invoke
        removeThread() on it on thread exit.  Hence, there's a possible use
        after free scenario here.

        The fix is to make MachineThreads ThreadSafeRefCounted, and have all
        threads that references keep a RefPtr to it to ensure that it stays
        alive until the very last thread is done with it.

        * API/tests/testapi.mm:
        (useVMFromOtherThread): - Renamed to be more descriptive.
        (useVMFromOtherThreadAndOutliveVM):
        - Added a test that has another thread which uses the VM outlive the
          VM to confirm that there is no crash.

          However, I was not actually able to get the VM to crash without this
          patch because I wasn't always able to the thread destructor to be
          called.  With this patch applied, I did verify with some logging that
          the MachineThreads registry is only destructed after all threads
          have removed themselves from it.

        (threadMain): Deleted.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::gatherStackRoots):
        * heap/Heap.h:
        (JSC::Heap::machineThreads):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::Thread):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeCurrentThread):
        * heap/MachineStackMarker.h:

2015-02-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r179743.
        https://bugs.webkit.org/show_bug.cgi?id=141335

        caused missing symbols in non-WebKit clients of WTF::Vector
        (Requested by kling on #webkit).

        Reverted changeset:

        "Remove WTF::fastMallocGoodSize()."
        https://bugs.webkit.org/show_bug.cgi?id=141020
        http://trac.webkit.org/changeset/179743

2015-02-04  Filip Pizlo  <fpizlo@apple.com>

        Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers
        https://bugs.webkit.org/show_bug.cgi?id=141211

        Reviewed by Mark Lam.

        Previously, the way non-temporary registers were preserved (i.e. not reclaimed anytime
        we did newTemporary()) by calling preserveLastVar() after all non-temps are created. It
        would raise the refcount on the last (highest-numbered) variable created, and rely on
        the fact that register reclamation started at higher-numbered registers and worked its
        way down. So any retained register would block any lower-numbered registers from being
        reclaimed.
        
        Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused.
        
        This removes preserveLastVar() and makes addVar() retain each register it creates. This
        is more explicit, since addVar() is the mechanism for creating non-temporary registers.
        
        To make this work I had to remove an assertion that Register::setIndex() can only be
        called when the refcount is zero. This method might be called after a var is created to
        change its index. This previously worked because preserveLastVar() would be called after
        we had already made all index changes, so the vars would still have refcount zero. Now
        they have refcount 1. I think it's OK to lose this assertion; I can't remember this
        assertion ever firing in a way that alerted me to a serious issue.
        
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::preserveLastVar): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::addVar):
        * bytecompiler/RegisterID.h:
        (JSC::RegisterID::setIndex):

2015-02-06  Andreas Kling  <akling@apple.com>

        Remove WTF::fastMallocGoodSize().
        <https://webkit.org/b/141020>

        Reviewed by Anders Carlsson.

        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerData::AssemblerData):
        (JSC::AssemblerData::grow):

2015-02-05  Michael Saboff  <msaboff@apple.com>

        CodeCache is not thread safe when adding the same source from two different threads
        https://bugs.webkit.org/show_bug.cgi?id=141275

        Reviewed by Mark Lam.

        The issue for this bug is that one thread, takes a cache miss in CodeCache::getGlobalCodeBlock,
        but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it
        will fill in later in the function.  During the body of that function, it allocates
        objects that may garbage collect.  During that garbage collection, we drop the all locks.
        While the locks are released by the first thread, another thread can enter the VM and might
        have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself.  When it
        looks up the code block, it sees it as a cache it and uses the nullptr UnlinkedCodeBlockType*
        and crashes.  This fixes the problem by not dropping the locks during garbage collection.
        There are other likely scenarios where we have a data structure like this code cache in an
        unsafe state for arbitrary reentrance.

        Moved the functionality of DelayedReleaseScope directly into Heap.  Changed it into
        a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects.
        Now we accumulate objects to be released and release them when all locks are dropped or
        when destroying the Heap.  This eliminated the dropping and reaquiring of locks associated
        with the old scope form of this list.

        Given that all functionality of DelayedReleaseScope is now used and referenced by Heap
        and the lock management no longer needs to be done, just made the list a member of Heap.
        We do need to guard against the case that releasing an object can create more objects
        by calling into JS.  That is why releaseDelayedReleasedObjects() is written to remove
        an object to release so that we aren't recursively in Vector code.  The other thing we
        do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using
        the m_delayedReleaseRecursionCount.  We only release at the first entry into the function.
        This case is already tested by testapi.mm.

        * heap/DelayedReleaseScope.h: Removed file

        * API/JSAPIWrapperObject.mm:
        * API/ObjCCallbackFunction.mm:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::doSweep):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::tryAllocate):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::lastChanceToFinalize):
        (JSC::MarkedSpace::didFinishIterating):
        * heap/MarkedSpace.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::zombifyDeadObjects):
        Removed references to DelayedReleaseScope and DelayedReleaseScope.h.

        * heap/Heap.cpp:
        (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount.
        (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away.
        (JSC::Heap::releaseDelayedReleasedObjects): New function that released the accumulated
        delayed release objects.

        * heap/Heap.h:
        (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later.
        (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that
        releaseDelayedReleasedObjects is being called recursively.
        * heap/HeapInlines.h:
        (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects.
        
        * runtime/JSLock.cpp:
        (JSC::JSLock::willReleaseLock):
        Call Heap::releaseDelayedObjectsNow() when releasing the lock.

2015-02-05  Youenn Fablet  <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>

        [Streams API] Implement a barebone ReadableStream interface
        https://bugs.webkit.org/show_bug.cgi?id=141045

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2015-02-05  Saam Barati  <saambarati1@gmail.com>

        Crash in uninitialized deconstructing variable.
        https://bugs.webkit.org/show_bug.cgi?id=141070

        Reviewed by Michael Saboff.

        According to the ES6 spec, when a destructuring pattern occurs
        as the left hand side of an assignment inside a var declaration 
        statement, the assignment must also have a right hand side value.
        "var {x} = {};" is a legal syntactic statement, but,
        "var {x};" is a syntactic error.

        Section 13.2.2 of the latest draft ES6 spec specifies this requirement:
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-variable-statement

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclaration):
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        (JSC::Parser<LexerType>::parseForStatement):
        * parser/Parser.h:

2015-02-04  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Unreviewed, fix a build break on EFL port since r179648.

        * heap/MachineStackMarker.cpp: EFL port doesn't use previousThread variable. 
        (JSC::MachineThreads::tryCopyOtherThreadStacks):

2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ES6: Improved Console Support for Symbol Objects
        https://bugs.webkit.org/show_bug.cgi?id=141173

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Runtime.json:
        New type, "symbol".

        * inspector/InjectedScriptSource.js:
        Handle Symbol objects in a few places. They don't have properties
        and they cannot be implicitly converted to strings.

2015-02-04  Mark Lam  <mark.lam@apple.com>

        Undo gardening: Restoring the expected ERROR message since that is not the cause of the bot unhappiness.

        Not reviewed.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStacks):

2015-02-04  Mark Lam  <mark.lam@apple.com>

        Gardening: Changed expected ERROR message to WARNING to make test bots happy.

        Rubber stamped by Simon Fraser.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStacks):

2015-02-04  Mark Lam  <mark.lam@apple.com>

        r179576 introduce a deadlock potential during GC thread suspension.
        <https://webkit.org/b/141268>

        Reviewed by Michael Saboff.

        http://trac.webkit.org/r179576 introduced a potential for deadlocking.
        In the GC thread suspension loop, we currently delete
        MachineThreads::Thread that we detect to be invalid.  This is unsafe
        because we may have already suspended some threads, and one of those
        suspended threads may still be holding the C heap lock which we need
        for deleting the invalid thread.

        The fix is to put the invalid threads in a separate toBeDeleted list,
        and delete them only after GC has resumed all threads.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::removeCurrentThread):
        - Undo refactoring removeThreadWithLockAlreadyAcquired() out of
          removeCurrentThread() since it is no longer needed.

        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        - Put invalid Threads on a threadsToBeDeleted list, and delete those
          Threads only after all threads have been resumed.

        (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted.
        * heap/MachineStackMarker.h:

2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Clean up Object Property Descriptor Collection
        https://bugs.webkit.org/show_bug.cgi?id=141222

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        Use a list of options when determining which properties to collect
        instead of a few booleans with overlapping responsibilities.

2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.table with columnName filter for non-existent property should still show column
        https://bugs.webkit.org/show_bug.cgi?id=141066

        Reviewed by Timothy Hatcher.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        When a user provides a second argument, e.g. console.table(..., columnNames),
        then pass that second argument to the frontend.

        * inspector/InjectedScriptSource.js:
        Add a FIXME about the old, unused path now.

2015-02-04  Saam Barati  <saambarati1@gmail.com>

        TypeSet can use 1 byte instead of 4 bytes for its m_seenTypes member variable
        https://bugs.webkit.org/show_bug.cgi?id=141204

        Reviewed by Darin Adler.

        There is no need to use 32 bits to store a TypeSet::RuntimeType set 
        bit-vector when the largest value for a single TypeSet::RuntimeType 
        is 0x80. 8 bits is enough to represent the set of seen types.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::doesTypeConformTo):
        * runtime/TypeSet.h:
        (JSC::TypeSet::seenTypes):

2015-02-04  Mark Lam  <mark.lam@apple.com>

        Remove concept of makeUsableFromMultipleThreads().
        <https://webkit.org/b/141221>

        Reviewed by Mark Hahnenberg.

        Currently, we rely on VM::makeUsableFromMultipleThreads() being called before we
        start acquiring the JSLock and entering the VM from different threads.
        Acquisition of the JSLock will register the acquiring thread with the VM's thread
        registry if not already registered.  However, it will only do this if the VM's
        thread specific key has been initialized by makeUsableFromMultipleThreads().

        This is fragile, and also does not read intuitively because one would expect to
        acquire the JSLock before calling any methods on the VM.  This is exactly what
        JSGlobalContextCreateInGroup() did (i.e. acquire the lock before calling
        makeUsableFromMultipleThreads()), but is wrong.  The result is that the invoking
        thread will not have been registered with the VM during that first entry into
        the VM.

        The fix is to make it so that we initialize the VM's thread specific key on
        construction of the VM's MachineThreads registry instead of relying on
        makeUsableFromMultipleThreads() being called.  With this, we can eliminate
        makeUsableFromMultipleThreads() altogether.

        Performance results are neutral in aggregate.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::gatherConservativeRoots):
        (JSC::MachineThreads::makeUsableFromMultipleThreads): Deleted.
        * heap/MachineStackMarker.h:
        * runtime/VM.cpp:
        (JSC::VM::sharedInstance):
        * runtime/VM.h:
        (JSC::VM::makeUsableFromMultipleThreads): Deleted.

2015-02-04  Chris Dumez  <cdumez@apple.com>

        Add removeFirst(value) / removeAll(value) methods to WTF::Vector
        https://bugs.webkit.org/show_bug.cgi?id=141192

        Reviewed by Benjamin Poulain.

        Use new Vector::removeFirst(value) / removeAll(value) API to simplify the
        code a bit.

        * inspector/InspectorValues.cpp:
        (Inspector::InspectorObjectBase::remove):

2015-02-03  Mark Lam  <mark.lam@apple.com>

        Workaround a thread library bug where thread destructors may not get called.
        <https://webkit.org/b/141209>

        Reviewed by Michael Saboff.

        There's a bug where thread destructors may not get called.  As far as
        we know, this only manifests on darwin ports.  We will work around this
        by checking at GC time if the platform thread is still valid.  If not,
        we'll purge it from the VM's registeredThreads list before proceeding
        with thread scanning activity.

        Note: it is important that we do this invalid thread detection during
        suspension, because the validity (and liveness) of the other thread is
        only guaranteed while it is suspended.

        * API/tests/testapi.mm:
        (threadMain):
        - Added a test to enter the VM from another thread before we GC on
          the main thread.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired):
        (JSC::MachineThreads::removeCurrentThread):
        - refactored removeThreadWithLockAlreadyAcquired() out from
          removeCurrentThread() so that we can also call it for purging invalid
          threads.
        (JSC::suspendThread):
        - Added a return status to tell if the suspension succeeded or not.
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        - Check if the suspension failed, and purge the thread if we can't
          suspend it.  Failure to suspend implies that the thread has
          terminated without calling its destructor.
        * heap/MachineStackMarker.h:

2015-02-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ASSERT mainThreadPthread launching remote debuggable JSContext app with Debug JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=141189

        Reviewed by Michael Saboff.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::singleton):
        Ensure we call WTF::initializeMainThread() on the main thread so that
        we can perform automatic String <-> NSString conversions.

2015-02-03  Brent Fulgham  <bfulgham@apple.com>

        [Win] Project file cleanups after r179429.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2015-02-02  Filip Pizlo  <fpizlo@apple.com>

        arguments[-1] should have well-defined behavior
        https://bugs.webkit.org/show_bug.cgi?id=141183

        Reviewed by Mark Lam.
        
        According to JSC's internal argument numbering, 0 is "this" and 1 is the first argument.
        In the "arguments[i]" expression, "this" is not accessible and i = 0 refers to the first
        argument. Previously we handled the bounds check in "arguments[i]" - where "arguments" is
        statically known to be the current function's arguments object - as follows:
        
            add 1, i
            branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
        
        The problem with this is that if i = -1, this passes the test, and we end up accessing
        what would be the "this" argument slot. That's wrong, since we should really be bottoming
        out in arguments["-1"], which is usually undefined but could be anything. It's even worse
        if the function is inlined or if we're in a constructor - in that case the "this" slot
        could be garbage.
        
        It turns out that we had this bug in all of our engines.
        
        This fixes the issue by changing the algorithm to:
        
            load32 callFrame.ArgumentCount, tmp
            sub 1, tmp
            branchAboveOrEqual i, tmp, slowPath
        
        In some engines, we would have used the modified "i" (the one that had 1 added to it) for
        the subsequent argument load; since we don't do this anymore I also had to change some of
        the offsets on the BaseIndex arguments load.
        
        This also includes tests that are written in such a way as to get coverage on LLInt and
        Baseline JIT (get-my-argument-by-val-wrap-around-no-warm-up), DFG and FTL
        (get-my-argument-by-val-wrap-around), and DFG when we're being paranoid about the user
        overwriting the "arguments" variable (get-my-argument-by-val-safe-wrap-around). This also
        includes off-by-1 out-of-bounds tests for each of these cases, since in the process of
        writing the patch I broke the arguments[arguments.length] case in the DFG and didn't see
        any test failures.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::offsetOfArguments):
        (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_argument_by_val):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * tests/stress/get-my-argument-by-val-out-of-bounds-no-warm-up.js: Added.
        (foo):
        * tests/stress/get-my-argument-by-val-out-of-bounds.js: Added.
        (foo):
        * tests/stress/get-my-argument-by-val-safe-out-of-bounds.js: Added.
        (foo):
        * tests/stress/get-my-argument-by-val-safe-wrap-around.js: Added.
        (foo):
        * tests/stress/get-my-argument-by-val-wrap-around-no-warm-up.js: Added.
        (foo):
        * tests/stress/get-my-argument-by-val-wrap-around.js: Added.
        (foo):

2015-02-02  Filip Pizlo  <fpizlo@apple.com>

        MultiGetByOffset should be marked NodeMustGenerate
        https://bugs.webkit.org/show_bug.cgi?id=140137

        Reviewed by Michael Saboff.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset): We were sloppy - we should also clear NodeMustGenerate once it's a GetByOffset.
        (JSC::DFG::Node::convertToMultiGetByOffset): Assert that we converted from something that already had NodeMustGenerate.
        * dfg/DFGNodeType.h: We shouldn't DCE a node that does checks and could be effectful in baseline. Making MultiGetByOffset as NodeMustGenerate prevents DCE. FTL could still DCE the actual loads, but the checks will stay.
        * tests/stress/multi-get-by-offset-dce.js: Added. This previously failed because the getter wasn't called.
        (foo):

2015-02-02  Filip Pizlo  <fpizlo@apple.com>

        [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
        https://bugs.webkit.org/show_bug.cgi?id=141180
        rdar://problem/19677552

        Reviewed by Benjamin Poulain.
        
        If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
        bounds check already terminates execution. This means we can skip the part where we
        previously did an out-of-bound array access on the inlined call frame arguments vector.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::terminate):
        (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
        (JSC::FTL::LowerDFGToLLVM::crash):
        * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
        (foo):
        (bar):

2015-02-02  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r179477): arguments simplification no longer works
        https://bugs.webkit.org/show_bug.cgi?id=141169

        Reviewed by Mark Lam.
        
        The operations involved in callee/scope access don't exit and shouldn't get in the way
        of strength-reducing a Flush to a PhantomLocal. Then the PhantomLocal shouldn't get in
        the way of further such strength-reduction. We also need to canonicalize PhantomLocal
        before running arguments simplification.

        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2015-02-02  Filip Pizlo  <fpizlo@apple.com>

        VirtualRegister should really know how to dump itself
        https://bugs.webkit.org/show_bug.cgi?id=141171

        Reviewed by Geoffrey Garen.
        
        Gives VirtualRegister a dump() method that pretty-prints the virtual register. The rest of
        the patch is all about using this new power.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::constantName):
        (JSC::CodeBlock::registerName):
        * bytecode/CodeBlock.h:
        (JSC::missingThisObjectMarker): Deleted.
        * bytecode/VirtualRegister.cpp: Added.
        (JSC::VirtualRegister::dump):
        * bytecode/VirtualRegister.h:
        (WTF::printInternal): Deleted.
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::dump):
        * dfg/DFGFlushedAt.cpp:
        (JSC::DFG::FlushedAt::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPutLocalSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::reportValidationContext):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        (JSC::DFG::VariableEvent::dumpSpillInfo):
        * ftl/FTLExitArgumentForOperand.cpp:
        (JSC::FTL::ExitArgumentForOperand::dump):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):

2015-02-02  Geoffrey Garen  <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the HandleBlock piece of this patch.

        * heap/HandleBlock.h:
        * heap/HandleBlockInlines.h:
        (JSC::HandleBlock::create):
        (JSC::HandleBlock::destroy):
        (JSC::HandleBlock::HandleBlock):
        (JSC::HandleBlock::payloadEnd):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::~HandleSet):
        (JSC::HandleSet::grow):

2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Support console.table
        https://bugs.webkit.org/show_bug.cgi?id=141058

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        Include the firstLevelKeys filter when generating previews.

        * runtime/ConsoleClient.cpp:
        (JSC::appendMessagePrefix):
        Differentiate console.table logs to system log.

2015-01-31  Filip Pizlo  <fpizlo@apple.com>

        BinarySwitch should be faster on average
        https://bugs.webkit.org/show_bug.cgi?id=141046

        Reviewed by Anders Carlsson.
        
        This optimizes our binary switch using math. It's strictly better than what we had before
        assuming we bottom out in some case (rather than fall through), assuming all cases get
        hit with equal probability. The difference is particularly large for large switch
        statements. For example, a switch statement with 1000 cases would previously require on
        average 13.207 branches to get to some case, while now it just requires 10.464.
        
        This is also a progression for the fall-through case, though we could shave off another
        1/6 branch on average if we wanted to - though it would regress taking a case (not falling
        through) by 1/6 branch. I believe it's better to bias the BinarySwitch for not falling
        through.
        
        This also adds some randomness to the algorithm to minimize the likelihood of us
        generating a switch statement that is always particularly bad for some input. Note that
        the randomness has no effect on average-case performance assuming all cases are equally
        likely.
        
        This ought to have no actual performance change because we don't rely on binary switches
        that much. The main reason why this change is interesting is that I'm finding myself
        increasingly relying on BinarySwitch, and I'd like to know that it's optimal.

        * jit/BinarySwitch.cpp:
        (JSC::BinarySwitch::BinarySwitch):
        (JSC::BinarySwitch::~BinarySwitch):
        (JSC::BinarySwitch::build):
        * jit/BinarySwitch.h:

2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext
        https://bugs.webkit.org/show_bug.cgi?id=141064

        Reviewed by Timothy Hatcher.

        * inspector/protocol/CSS.json:

2015-02-02  Daniel Bates  <dabates@apple.com>

        [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
        https://bugs.webkit.org/show_bug.cgi?id=141057
        <rdar://problem/19068790>

        Reviewed by Alexey Proskuryakov.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
        (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
        WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
        and CryptoKeyRSA::generatePair().

2015-02-02  Saam Barati  <saambarati1@gmail.com>

        Create tests for JSC's Control Flow Profiler
        https://bugs.webkit.org/show_bug.cgi?id=141123

        Reviewed by Filip Pizlo.

        This patch creates a control flow profiler testing API in jsc.cpp 
        that accepts a function and a string as arguments. The string must 
        be a substring of the text of the function argument. The API returns 
        a boolean indicating whether or not the basic block that encloses the 
        substring has executed.

        This patch uses this API to test that the control flow profiler
        behaves as expected on basic block boundaries. These tests do not
        provide full coverage for all JavaScript statements that can create
        basic blocks boundaries. Full coverage will come in a later patch.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionHasBasicBlockExecuted):
        * runtime/ControlFlowProfiler.cpp:
        (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
        * runtime/ControlFlowProfiler.h:
        * tests/controlFlowProfiler: Added.
        * tests/controlFlowProfiler.yaml: Added.
        * tests/controlFlowProfiler/driver: Added.
        * tests/controlFlowProfiler/driver/driver.js: Added.
        (assert):
        * tests/controlFlowProfiler/if-statement.js: Added.
        (testIf):
        (noMatches):
        * tests/controlFlowProfiler/loop-statements.js: Added.
        (forRegular):
        (forIn):
        (forOf):
        (whileLoop):
        * tests/controlFlowProfiler/switch-statements.js: Added.
        (testSwitch):
        * tests/controlFlowProfiler/test-jit.js: Added.
        (tierUpToBaseline):
        (tierUpToDFG):
        (baselineTest):
        (dfgTest):

2015-01-28  Filip Pizlo  <fpizlo@apple.com>

        Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
        https://bugs.webkit.org/show_bug.cgi?id=140660

        Reviewed by Geoffrey Garen.
        
        When we first implemented polymorphic call inlining, we did the profiling based on a call
        edge log. The idea was to store each call edge (a tuple of call site and callee) into a
        global log that was processed lazily. Processing the log would give precise counts of call
        edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
        This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
        nonetheless.
        
        Experience with this code shows three things. First, the call edge profiler is buggy and
        complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
        overhead for latency code that we care deeply about. Third, it's not at all clear that
        having call edge counts for every possible callee is any better than just having call edge
        counts for the limited number of callees that an inline cache would catch.
        
        So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
        cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
        out-of-line stub that cases on the previously known callees. If that misses again, then we
        rewrite that stub to include the new callee. We do this up to some number of callees. If we
        hit the limit then we switch to using a plain virtual call.
        
        Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
        caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
        
        Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallEdge.h:
        (JSC::CallEdge::count):
        (JSC::CallEdge::CallEdge):
        * bytecode/CallEdgeProfile.cpp: Removed.
        * bytecode/CallEdgeProfile.h: Removed.
        * bytecode/CallEdgeProfileInlines.h: Removed.
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::makeClosureCall):
        (JSC::CallLinkStatus::dump):
        (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::variants):
        (JSC::CallLinkStatus::size):
        (JSC::CallLinkStatus::at):
        (JSC::CallLinkStatus::operator[]):
        (JSC::CallLinkStatus::canOptimize):
        (JSC::CallLinkStatus::edges): Deleted.
        (JSC::CallLinkStatus::canTrustCounts): Deleted.
        * bytecode/CallVariant.cpp:
        (JSC::variantListWithVariant):
        (JSC::despecifiedVariantList):
        * bytecode/CallVariant.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::linkIncomingPolymorphicCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * jit/BinarySwitch.h:
        * jit/ClosureCallStubRoutine.cpp: Removed.
        * jit/ClosureCallStubRoutine.h: Removed.
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkPolymorphicCallFor):
        (JSC::operationLinkClosureCallFor): Deleted.
        * jit/JITStubRoutine.h:
        * jit/JITWriteBarrier.h:
        * jit/PolymorphicCallStubRoutine.cpp: Added.
        (JSC::PolymorphicCallNode::~PolymorphicCallNode):
        (JSC::PolymorphicCallNode::unlink):
        (JSC::PolymorphicCallCase::dump):
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::variants):
        (JSC::PolymorphicCallStubRoutine::edges):
        (JSC::PolymorphicCallStubRoutine::visitWeak):
        (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
        * jit/PolymorphicCallStubRoutine.h: Added.
        (JSC::PolymorphicCallNode::PolymorphicCallNode):
        (JSC::PolymorphicCallCase::PolymorphicCallCase):
        (JSC::PolymorphicCallCase::variant):
        (JSC::PolymorphicCallCase::codeBlock):
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        (JSC::linkClosureCall): Deleted.
        * jit/Repatch.h:
        * jit/ThunkGenerators.cpp:
        (JSC::linkPolymorphicCallForThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
        (JSC::linkClosureCallForThunkGenerator): Deleted.
        (JSC::linkClosureCallThunkGenerator): Deleted.
        (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        (JSC::linkPolymorphicCallThunkGeneratorFor):
        (JSC::linkClosureCallThunkGeneratorFor): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode):
        (JSC::VM::ensureCallEdgeLog): Deleted.
        * runtime/VM.h:

2015-01-30  Filip Pizlo  <fpizlo@apple.com>

        Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
        https://bugs.webkit.org/show_bug.cgi?id=141107

        Reviewed by Michael Saboff.
        
        See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
        that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
        OSR availability analysis to determine the right MovHint value to use for the Phantom.

        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::clearVariables):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertPhantomToPhantomLocal):
        (JSC::DFG::Node::convertFlushToPhantomLocal):
        (JSC::DFG::Node::convertToPhantomLocal): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
        (foo):
        (bar):
        (baz):

2015-01-31  Michael Saboff  <msaboff@apple.com>

        Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
        https://bugs.webkit.org/show_bug.cgi?id=141111

        Reviewed by Filip Pizlo.

        In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
        exited, we don't need to process the OSR availability or abstract interpreter.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out a a separate
        method since we need to call it at the top and near the bottom of compileNode().
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2015-01-31  Sam Weinig  <sam@webkit.org>

        Remove even more Mountain Lion support
        https://bugs.webkit.org/show_bug.cgi?id=141124

        Reviewed by Alexey Proskuryakov.

        * API/tests/DateTests.mm:
        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:
        * jit/ExecutableAllocatorFixedVMPool.cpp:

2015-01-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r179426.
        https://bugs.webkit.org/show_bug.cgi?id=141119

        "caused a memory use regression" (Requested by Guest45 on
        #webkit).

        Reverted changeset:

        "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
        pages"
        https://bugs.webkit.org/show_bug.cgi?id=140900
        http://trac.webkit.org/changeset/179426

2015-01-30  Daniel Bates  <dabates@apple.com>

        Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
        https://bugs.webkit.org/show_bug.cgi?id=141067

        Reviewed by Timothy Hatcher.

        Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
        do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
        and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
        header RemoteInspectorDebuggableConnection.h.

        * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
        * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
        * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.

2015-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement ES6 Symbol
        https://bugs.webkit.org/show_bug.cgi?id=140435

        Reviewed by Geoffrey Garen.

        This patch implements ES6 Symbol. In this patch, we don't support
        Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
        supported in the subsequent patches.

        Since ES6 Symbol is introduced as new primitive value, we implement
        Symbol as a derived class from JSCell. And now JSValue accepts Symbol*
        as a new primitive value.

        Symbol has a *unique* flagged StringImpl* as an `uid`. Which pointer
        value represents the Symbol's identity. So don't compare Symbol's
        JSCell pointer value for comparison.
        This enables re-producing Symbol primitive value from StringImpl* uid
        by executing`Symbol::create(vm, uid)`. This is needed to produce
        Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.

        And Symbol.[[Description]] is folded into the string value of Symbol's uid.
        By doing so, we can represent ES6 Symbol without extending current PropertyTable key; StringImpl*.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.order:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/BuiltinNames.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        * interpreter/Interpreter.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonIdentifiers.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::dumpInContextAssumingStructure):
        (JSC::JSValue::toStringSlowCase):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isSymbol):
        (JSC::JSValue::isPrimitive):
        (JSC::JSValue::toPropertyKey):

        It represents ToPropertyKey abstract operation in the ES6 spec.
        It cleans up the old implementation's `isName` checks.
        And to prevent performance regressions in
            js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
            js/regress/fold-get-by-id-to-multi-get-by-offset.html
        we annnotate this function as ALWAYS_INLINE.

        (JSC::JSValue::getPropertySlot):
        (JSC::JSValue::get):
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        (JSC::JSCell::toPrimitive):
        (JSC::JSCell::getPrimitiveNumber):
        (JSC::JSCell::toNumber):
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isSymbol):
        (JSC::JSCell::toBoolean):
        (JSC::JSCell::pureToBoolean):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::symbolPrototype):
        (JSC::JSGlobalObject::symbolObjectStructure):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isName): Deleted.
        * runtime/MapData.cpp:
        (JSC::MapData::find):
        (JSC::MapData::add):
        (JSC::MapData::remove):
        (JSC::MapData::replaceAndPackBackingStore):
        * runtime/MapData.h:
        (JSC::MapData::clear):
        * runtime/NameInstance.h: Removed.
        * runtime/NamePrototype.cpp: Removed.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        (JSC::PrivateName::operator==):
        (JSC::PrivateName::operator!=):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        * runtime/SmallStrings.h:
        * runtime/StringConstructor.cpp:
        (JSC::callStringConstructor):

        In ES6, String constructor accepts Symbol to execute `String(symbol)`.

        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::prototypeForLookup):
        * runtime/Symbol.cpp: Added.
        (JSC::Symbol::Symbol):
        (JSC::SymbolObject::create):
        (JSC::Symbol::toPrimitive):
        (JSC::Symbol::toBoolean):
        (JSC::Symbol::getPrimitiveNumber):
        (JSC::Symbol::toObject):
        (JSC::Symbol::toNumber):
        (JSC::Symbol::destroy):
        (JSC::Symbol::descriptiveString):
        * runtime/Symbol.h: Added.
        (JSC::Symbol::createStructure):
        (JSC::Symbol::create):
        (JSC::Symbol::privateName):
        (JSC::Symbol::finishCreation):
        (JSC::asSymbol):
        * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
        (JSC::SymbolConstructor::SymbolConstructor):
        (JSC::SymbolConstructor::finishCreation):
        (JSC::callSymbol):
        (JSC::SymbolConstructor::getConstructData):
        (JSC::SymbolConstructor::getCallData):
        * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
        (JSC::SymbolConstructor::create):
        (JSC::SymbolConstructor::createStructure):
        * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
        (JSC::SymbolObject::SymbolObject):
        (JSC::SymbolObject::finishCreation):
        (JSC::SymbolObject::defaultValue):

        Now JSC doesn't support @@toPrimitive. So instead of it, we implement
        Symbol.prototype[@@toPrimitive] as ES5 Symbol.[[DefaultValue]].

        * runtime/SymbolObject.h: Added.
        (JSC::SymbolObject::create):
        (JSC::SymbolObject::internalValue):
        (JSC::SymbolObject::createStructure):
        * runtime/SymbolPrototype.cpp: Added.
        (JSC::SymbolPrototype::SymbolPrototype):
        (JSC::SymbolPrototype::finishCreation):
        (JSC::SymbolPrototype::getOwnPropertySlot):
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
        (JSC::SymbolPrototype::create):
        (JSC::SymbolPrototype::createStructure):

        SymbolPrototype object is ordinary JS object. Not wrapper object of Symbol.
        It is tested in js/symbol-prototype-is-ordinary-object.html.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2015-01-30  Geoffrey Garen  <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the HandleBlock piece of this patch.

        * heap/HandleBlock.h:
        * heap/HandleBlockInlines.h:
        (JSC::HandleBlock::create):
        (JSC::HandleBlock::destroy):
        (JSC::HandleBlock::HandleBlock):
        (JSC::HandleBlock::payloadEnd):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::~HandleSet):
        (JSC::HandleSet::grow):

2015-01-30  Geoffrey Garen  <ggaren@apple.com>

        GC marking threads should clear malloc caches
        https://bugs.webkit.org/show_bug.cgi?id=141097

        Reviewed by Sam Weinig.

        Follow-up based on Mark Hahnenberg's review: Release after the copy
        phase, rather than after any phase, since we'd rather not release
        between marking and copying.

        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase):
        (JSC::GCThread::gcThreadMain):

2015-01-30  Geoffrey Garen  <ggaren@apple.com>

        GC marking threads should clear malloc caches
        https://bugs.webkit.org/show_bug.cgi?id=141097

        Reviewed by Andreas Kling.

        This is an attempt to ameliorate a potential memory use regression
        caused by https://bugs.webkit.org/show_bug.cgi?id=140900
        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.

        FastMalloc may accumulate a per-thread cache on each of the 8-ish
        GC marking threads, which can be expensive.

        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
        going to sleep. There's probably not too much value to keeping our
        per-thread cache between GCs, and it has some memory footprint.

2015-01-30  Chris Dumez  <cdumez@apple.com>

        Rename shared() static member functions to singleton() for singleton classes.
        https://bugs.webkit.org/show_bug.cgi?id=141088

        Reviewed by Ryosuke Niwa and Benjamin Poulain.

        Rename shared() static member functions to singleton() for singleton
        classes as per the recent coding style change.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::singleton):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::shared): Deleted.
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
        (Inspector::RemoteInspectorDebuggable::init):
        (Inspector::RemoteInspectorDebuggable::update):
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
        (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):

2015-01-30  Geoffrey Garen  <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the CopyWorkListSegment piece of this patch.

        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/CopyWorkList.h:
        (JSC::CopyWorkListSegment::create):
        (JSC::CopyWorkListSegment::destroy):
        (JSC::CopyWorkListSegment::CopyWorkListSegment):
        (JSC::CopyWorkList::CopyWorkList):
        (JSC::CopyWorkList::~CopyWorkList):
        (JSC::CopyWorkList::append):

2015-01-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r179357 and r179358.
        https://bugs.webkit.org/show_bug.cgi?id=141062

        Suspect this caused WebGL tests to start flaking (Requested by
        kling on #webkit).

        Reverted changesets:

        "Polymorphic call inlining should be based on polymorphic call
        inline caching rather than logging"
        https://bugs.webkit.org/show_bug.cgi?id=140660
        http://trac.webkit.org/changeset/179357

        "Unreviewed, fix no-JIT build."
        http://trac.webkit.org/changeset/179358

2015-01-29  Geoffrey Garen  <ggaren@apple.com>

        Removed op_ret_object_or_this
        https://bugs.webkit.org/show_bug.cgi?id=141048

        Reviewed by Michael Saboff.

        op_ret_object_or_this was one opcode that would keep us out of the
        optimizing compilers.

        We don't need a special-purpose opcode; we can just use a branch.

        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::isTerminal): Removed.
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset): Removed.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Removed.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
        if we need to substitute 'this' for the return value. Our engine no longer
        benefits from fused opcodes that dispatch less in the interpreter.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_ret_object_or_this): Deleted.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm: Removed.

2015-01-29  Ryosuke Niwa  <rniwa@webkit.org>

        Implement ES6 class syntax without inheritance support
        https://bugs.webkit.org/show_bug.cgi?id=140918

        Reviewed by Geoffrey Garen.

        Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
        class A {
            constructor() { }
            someMethod() { }
        }

        We'll add the support for "extends" keyword and automatically generating a constructor in follow up patches.
        We also don't support block scoping of a class declaration.

        We support both class declaration and class expression. A class expression is implemented by the newly added
        ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
        AssignResolveNode.

        Tests: js/class-syntax-declaration.html
               js/class-syntax-expression.html

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
        Also fixed the 5-space indentation.
        (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
        (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
        (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
        emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
        (JSC::ASTBuilder::createClassDeclStatement): Added. Creates a AssignResolveNode and wraps it by a ClassDeclNode.

        * parser/NodeConstructors.h:
        (JSC::ClassDeclNode::ClassDeclNode): Added.
        (JSC::ClassExprNode::ClassExprNode): Added.

        * parser/Nodes.h:
        (JSC::ClassExprNode): Added.
        (JSC::ClassDeclNode): Added.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement): Added the support for class declaration.
        (JSC::stringForFunctionMode): Return "method" for MethodMode.
        (JSC::Parser<LexerType>::parseClassDeclaration): Added. Uses parseClass to create a class expression and wraps
        it with ClassDeclNode as described above.
        (JSC::Parser<LexerType>::parseClass): Parses a class expression.
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseGetterSetter): Extracted from parseProperty to share the code between parseProperty
        and parseClass.
        (JSC::Parser<LexerType>::parsePrimaryExpression): Added the support for class expression.

        * parser/Parser.h:
        (FunctionParseMode): Added MethodMode.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createClassExpr): Added.
        (JSC::SyntaxChecker::createClassDeclStatement): Added.

2015-01-29  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        Not reviewed.

        * heap/WeakBlock.h: Use the fully qualified name when declaring our friend.

2015-01-29  Geoffrey Garen  <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the WeakBlock piece of this patch.

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::create):
        (JSC::WeakBlock::destroy):
        (JSC::WeakBlock::WeakBlock):
        * heap/WeakBlock.h:
        * heap/WeakSet.cpp:
        (JSC::WeakSet::~WeakSet):
        (JSC::WeakSet::addAllocator):
        (JSC::WeakSet::removeAllocator):

2015-01-29  Geoffrey Garen  <ggaren@apple.com>

        Use Vector instead of GCSegmentedArray in CodeBlockSet
        https://bugs.webkit.org/show_bug.cgi?id=141044

        Reviewed by Ryosuke Niwa.

        This is allowed now that we've gotten rid of fastMallocForbid.

        4kB was a bit overkill for just storing a few pointers.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::CodeBlockSet):
        * heap/CodeBlockSet.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):

2015-01-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix no-JIT build.

        * jit/PolymorphicCallStubRoutine.cpp:

2015-01-28  Filip Pizlo  <fpizlo@apple.com>

        Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
        https://bugs.webkit.org/show_bug.cgi?id=140660

        Reviewed by Geoffrey Garen.
        
        When we first implemented polymorphic call inlining, we did the profiling based on a call
        edge log. The idea was to store each call edge (a tuple of call site and callee) into a
        global log that was processed lazily. Processing the log would give precise counts of call
        edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
        This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
        nonetheless.
        
        Experience with this code shows three things. First, the call edge profiler is buggy and
        complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
        overhead for latency code that we care deeply about. Third, it's not at all clear that
        having call edge counts for every possible callee is any better than just having call edge
        counts for the limited number of callees that an inline cache would catch.
        
        So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
        cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
        out-of-line stub that cases on the previously known callees. If that misses again, then we
        rewrite that stub to include the new callee. We do this up to some number of callees. If we
        hit the limit then we switch to using a plain virtual call.
        
        Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
        caused. Might be a SunSpider speed-up (below 1%), depending on hardware.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallEdge.h:
        (JSC::CallEdge::count):
        (JSC::CallEdge::CallEdge):
        * bytecode/CallEdgeProfile.cpp: Removed.
        * bytecode/CallEdgeProfile.h: Removed.
        * bytecode/CallEdgeProfileInlines.h: Removed.
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::makeClosureCall):
        (JSC::CallLinkStatus::dump):
        (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::variants):
        (JSC::CallLinkStatus::size):
        (JSC::CallLinkStatus::at):
        (JSC::CallLinkStatus::operator[]):
        (JSC::CallLinkStatus::canOptimize):
        (JSC::CallLinkStatus::edges): Deleted.
        (JSC::CallLinkStatus::canTrustCounts): Deleted.
        * bytecode/CallVariant.cpp:
        (JSC::variantListWithVariant):
        (JSC::despecifiedVariantList):
        * bytecode/CallVariant.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::linkIncomingPolymorphicCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * jit/BinarySwitch.h:
        * jit/ClosureCallStubRoutine.cpp: Removed.
        * jit/ClosureCallStubRoutine.h: Removed.
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkPolymorphicCallFor):
        (JSC::operationLinkClosureCallFor): Deleted.
        * jit/JITStubRoutine.h:
        * jit/JITWriteBarrier.h:
        * jit/PolymorphicCallStubRoutine.cpp: Added.
        (JSC::PolymorphicCallNode::~PolymorphicCallNode):
        (JSC::PolymorphicCallNode::unlink):
        (JSC::PolymorphicCallCase::dump):
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::variants):
        (JSC::PolymorphicCallStubRoutine::edges):
        (JSC::PolymorphicCallStubRoutine::visitWeak):
        (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
        * jit/PolymorphicCallStubRoutine.h: Added.
        (JSC::PolymorphicCallNode::PolymorphicCallNode):
        (JSC::PolymorphicCallCase::PolymorphicCallCase):
        (JSC::PolymorphicCallCase::variant):
        (JSC::PolymorphicCallCase::codeBlock):
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        (JSC::linkClosureCall): Deleted.
        * jit/Repatch.h:
        * jit/ThunkGenerators.cpp:
        (JSC::linkPolymorphicCallForThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
        (JSC::linkClosureCallForThunkGenerator): Deleted.
        (JSC::linkClosureCallThunkGenerator): Deleted.
        (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        (JSC::linkPolymorphicCallThunkGeneratorFor):
        (JSC::linkClosureCallThunkGeneratorFor): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode):
        (JSC::VM::ensureCallEdgeLog): Deleted.
        * runtime/VM.h:

2015-01-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ES6: Improved Console Format for Set and Map Objects (like Arrays)
        https://bugs.webkit.org/show_bug.cgi?id=122867

        Reviewed by Timothy Hatcher.

        Add new Runtime.RemoteObject object subtypes for "map", "set", and "weakmap".

        Upgrade Runtime.ObjectPreview to include type/subtype information. Now,
        an ObjectPreview can be used for any value, in place of a RemoteObject,
        and not capture / hold a reference to the value. The value will be in
        the string description.

        Adding this information to ObjectPreview can duplicate some information
        in the protocol messages if a preview is provided, but simplifies
        previews, so that all the information you need for any RemoteObject
        preview is available. To slim messages further, make "overflow" and
        "properties" only available on previews that may contain properties.
        So, not primitives or null.

        Finally, for "Map/Set/WeakMap" add an "entries" list to the preview
        that will return previews with "key" and "value" properties depending
        on the collection type. To get live, non-preview objects from a
        collection, use Runtime.getCollectionEntries.

        In order to keep the WeakMap's values Weak the frontend may provide
        a unique object group name when getting collection entries. It may
        then release that object group, e.g. when not showing the WeakMap's
        values to the user, and thus remove the strong reference to the keys
        so they may be garbage collected.

        * runtime/WeakMapData.h:
        (JSC::WeakMapData::begin):
        (JSC::WeakMapData::end):
        Expose iterators so the Inspector may access WeakMap keys/values.

        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        Discern "map", "set", and "weakmap" object subtypes.

        (Inspector::JSInjectedScriptHost::weakMapEntries):
        Return a list of WeakMap entries. These are strong references
        that the Inspector code is responsible for releasing.

        * inspector/protocol/Runtime.json:
        Update types and expose the new getCollectionEntries command.

        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):
        * inspector/InjectedScript.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        Pass through to the InjectedScript and call getCollectionEntries.

        * inspector/scripts/codegen/generator.py:
        Add another type with runtime casting.

        * inspector/InjectedScriptSource.js:
        - Implement getCollectionEntries to get a range of values from a
        collection. The non-Weak collections have an order to their keys (in
        order of added) so range'd gets are okay. WeakMap does not have an
        order, so only allow fetching a number of values.
        - Update preview generation to address the Runtime.ObjectPreview
        type changes.

2015-01-28  Geoffrey Garen  <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the GCArraySegment piece of this patch.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::CodeBlockSet):
        * heap/CodeBlockSet.h:
        * heap/GCSegmentedArray.h:
        (JSC::GCArraySegment::GCArraySegment):
        * heap/GCSegmentedArrayInlines.h:
        (JSC::GCSegmentedArray<T>::GCSegmentedArray):
        (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
        (JSC::GCSegmentedArray<T>::clear):
        (JSC::GCSegmentedArray<T>::expand):
        (JSC::GCSegmentedArray<T>::refill):
        (JSC::GCArraySegment<T>::create):
        (JSC::GCArraySegment<T>::destroy):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::MarkStackArray):
        * heap/MarkStack.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor):

2015-01-29  Csaba Osztrogonác  <ossy@webkit.org>

        Move HAVE_DTRACE definition back to Platform.h
        https://bugs.webkit.org/show_bug.cgi?id=141033

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2015-01-28  Geoffrey Garen  <ggaren@apple.com>

        Removed fastMallocForbid / fastMallocAllow
        https://bugs.webkit.org/show_bug.cgi?id=141012

        Reviewed by Mark Hahnenberg.

        Copy non-current thread stacks before scanning them instead of scanning
        them in-place.

        This operation is uncommon (i.e., never in the web content process),
        and even in a stress test with 4 threads it only copies about 27kB,
        so I think the performance cost is OK.

        Scanning in-place requires a complex dance where we constrain our GC
        data structures not to use malloc, free, or any other interesting functions
        that might acquire locks. We've gotten this wrong many times in the past,
        and I just got it wrong again yesterday. Since this code path is rarely
        tested, I want it to just make sense, and not depend on or constrain the
        details of the rest of the GC heap's design.

        * heap/MachineStackMarker.cpp:
        (JSC::otherThreadStack): Factored out a helper function for dealing with
        unaligned and/or backwards pointers.

        (JSC::MachineThreads::tryCopyOtherThreadStack): This is now the only
        constrained function, and it only calls memcpy and low-level thread APIs.

        (JSC::MachineThreads::tryCopyOtherThreadStacks): The design here is that
        you do one pass over all the threads to compute their combined size,
        and then a second pass to do all the copying. In theory, the threads may
        grow in between passes, in which case you'll continue until the threads
        stop growing. In practice, you never continue.

        (JSC::growBuffer): Helper function for growing.

        (JSC::MachineThreads::gatherConservativeRoots):
        (JSC::MachineThreads::gatherFromOtherThread): Deleted.
        * heap/MachineStackMarker.h: Updated for interface changes.

2015-01-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: remove CSS.setPropertyText, CSS.toggleProperty and related dead code
        https://bugs.webkit.org/show_bug.cgi?id=140961

        Reviewed by Timothy Hatcher.

        * inspector/protocol/CSS.json: Remove unused protocol methods.

2015-01-28  Dana Burkart  <dburkart@apple.com>

        Move ASan flag settings from DebugRelease.xcconfig to Base.xcconfig
        https://bugs.webkit.org/show_bug.cgi?id=136765

        Reviewed by Alexey Proskuryakov.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:

2015-01-27  Filip Pizlo  <fpizlo@apple.com>

        ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath, which is more precise
        https://bugs.webkit.org/show_bug.cgi?id=140980

        Reviewed by Oliver Hunt.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):

2015-01-27  Filip Pizlo  <fpizlo@apple.com>

        Move DFGBinarySwitch out of the DFG so that all of the JITs can use it
        https://bugs.webkit.org/show_bug.cgi?id=140959

        Rubber stamped by Geoffrey Garen.
        
        I want to use this for polymorphic stubs for https://bugs.webkit.org/show_bug.cgi?id=140660.
        This code no longer has DFG dependencies so this is a very clean move.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBinarySwitch.cpp: Removed.
        * dfg/DFGBinarySwitch.h: Removed.
        * dfg/DFGSpeculativeJIT.cpp:
        * jit/BinarySwitch.cpp: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.cpp.
        * jit/BinarySwitch.h: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.h.

2015-01-27  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r179192.
        https://bugs.webkit.org/show_bug.cgi?id=140953

        Caused numerous layout test failures (Requested by mattbaker_
        on #webkit).

        Reverted changeset:

        "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
        pages"
        https://bugs.webkit.org/show_bug.cgi?id=140900
        http://trac.webkit.org/changeset/179192

2015-01-27  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r178591): 20% regression in Octane box2d
        https://bugs.webkit.org/show_bug.cgi?id=140948

        Reviewed by Geoffrey Garen.

        Added check that we have a lexical environment to the arguments is captured check.
        It doesn't make sense to resolve "arguments" when it really isn't captured.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::willResolveToArgumentsRegister):

2015-01-26  Geoffrey Garen  <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Removes some more custom allocation code.

        Looks like a speedup. (See results attached to bugzilla.)

        Will hopefully reduce memory use by improving sharing between the GC and
        malloc heaps.

        * API/JSBase.cpp:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj: Feed the compiler.

        * heap/BlockAllocator.cpp: Removed.
        * heap/BlockAllocator.h: Removed. No need for a custom allocator anymore.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::CodeBlockSet):
        * heap/CodeBlockSet.h: Feed the compiler.

        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::createNoZeroFill):
        (JSC::CopiedBlock::create):
        (JSC::CopiedBlock::CopiedBlock):
        (JSC::CopiedBlock::isOversize):
        (JSC::CopiedBlock::payloadEnd):
        (JSC::CopiedBlock::capacity):
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes): Each copied block now tracks its
        own size, since we can't rely on Region to tell us our size anymore.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::~CopiedSpace):
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocateOversize):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::recycleEvacuatedBlock):
        (JSC::CopiedSpace::recycleBorrowedBlock):
        (JSC::CopiedSpace::allocateBlockForCopyingPhase):
        (JSC::CopiedSpace::allocateBlock):
        (JSC::CopiedSpace::startedCopying): Deallocate blocks directly, rather
        than pushing them onto the block allocator's free list; the block
        allocator doesn't exist anymore.

        * heap/CopyWorkList.h:
        (JSC::CopyWorkListSegment::create):
        (JSC::CopyWorkListSegment::CopyWorkListSegment):
        (JSC::CopyWorkList::~CopyWorkList):
        (JSC::CopyWorkList::append):
        (JSC::CopyWorkList::CopyWorkList): Deleted.
        * heap/GCSegmentedArray.h:
        (JSC::GCArraySegment::GCArraySegment):
        * heap/GCSegmentedArrayInlines.h:
        (JSC::GCSegmentedArray<T>::GCSegmentedArray):
        (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
        (JSC::GCSegmentedArray<T>::clear):
        (JSC::GCSegmentedArray<T>::expand):
        (JSC::GCSegmentedArray<T>::refill):
        (JSC::GCArraySegment<T>::create):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        * heap/GCThreadSharedData.h: Feed the compiler.

        * heap/HandleBlock.h:
        * heap/HandleBlockInlines.h:
        (JSC::HandleBlock::create):
        (JSC::HandleBlock::HandleBlock):
        (JSC::HandleBlock::payloadEnd):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::~HandleSet):
        (JSC::HandleSet::grow): Same as above.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/Heap.h: Removed the block allocator since it is unused now.

        * heap/HeapBlock.h:
        (JSC::HeapBlock::destroy):
        (JSC::HeapBlock::HeapBlock):
        (JSC::HeapBlock::region): Deleted. Removed the Region pointer from each
        HeapBlock since a HeapBlock is just a normal allocation now.

        * heap/HeapInlines.h:
        (JSC::Heap::blockAllocator): Deleted.

        * heap/HeapTimer.cpp:
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::MarkStackArray):
        * heap/MarkStack.h: Feed the compiler.

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateBlock): No need to use a custom code path
        based on size, since we use a general purpose allocator now.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::destroy):
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::capacity): Track block size explicitly, like CopiedBlock.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::freeBlock):
        * heap/MarkedSpace.h:

        * heap/Region.h: Removed.

        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor): Removed reference to block allocator.

        * heap/SuperRegion.cpp: Removed.
        * heap/SuperRegion.h: Removed.

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::create):
        (JSC::WeakBlock::WeakBlock):
        * heap/WeakBlock.h:
        * heap/WeakSet.cpp:
        (JSC::WeakSet::~WeakSet):
        (JSC::WeakSet::addAllocator):
        (JSC::WeakSet::removeAllocator): Removed reference to block allocator.

2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Typo fix after r176083
        https://bugs.webkit.org/show_bug.cgi?id=140937

        Reviewed by Anders Carlsson.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ldrh):

2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>

        [Win] Unreviewed gardening, skip failing tests.

        * tests/exceptionFuzz.yaml: Skip exception fuzz tests due to bug140928.
        * tests/mozilla/mozilla-tests.yaml: Skip ecma/Date/15.9.5.28-1.js due to bug140927.

2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>

        [Win] Enable JSC stress tests by default
        https://bugs.webkit.org/show_bug.cgi?id=128307

        Unreviewed typo fix after r179165.

        * tests/mozilla/mozilla-tests.yaml:

2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>

        [Win] Enable JSC stress tests by default
        https://bugs.webkit.org/show_bug.cgi?id=128307

        Reviewed by Brent Fulgham.

        * tests/mozilla/mozilla-tests.yaml: Skipped on Windows.
        * tests/stress/ftl-arithcos.js: Skipped on Windows.

2015-01-26  Ryosuke Niwa  <rniwa@webkit.org>

        Parse a function expression as a primary expression
        https://bugs.webkit.org/show_bug.cgi?id=140908

        Reviewed by Mark Lam.

        Moved the code to generate an AST node for a function expression from parseMemberExpression
        to parsePrimaryExpression to match the ES6 specification terminology:
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-primary-expression

        There should be no behavior change from this change since parsePrimaryExpression is only
        called in parseMemberExpression other than the fact failIfStackOverflow() is called.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):

2015-01-26  Myles C. Maxfield  <mmaxfield@apple.com>

        [iOS] [SVG -> OTF Converter] Flip the switch off on iOS
        https://bugs.webkit.org/show_bug.cgi?id=140860

        Reviewed by Darin Adler.

        The fonts it makes are grotesque. (See what I did there? Typographic
        humor is the best humor.)

        * Configurations/FeatureDefines.xcconfig:

2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Rename InjectedScriptHost::type to subtype
        https://bugs.webkit.org/show_bug.cgi?id=140841

        Reviewed by Timothy Hatcher.

        We were using this to set the subtype of an "object" type RemoteObject
        so we should clean up the name and call it subtype.

        * inspector/InjectedScriptHost.h:
        * inspector/InjectedScriptSource.js:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::type): Deleted.
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
        (Inspector::jsInjectedScriptHostPrototypeFunctionType): Deleted.

2015-01-23  Michael Saboff  <msaboff@apple.com>

        LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds
        https://bugs.webkit.org/show_bug.cgi?id=140843

        Reviewed by Oliver Hunt.

        When we are in vmEntryToJavaScript, we keep the stack pointer at an
        alignment sutiable for pointing to a call frame header, which is the
        alignment post making a call.  We adjust the sp when calling to JS code,
        but don't adjust it before calling the out of stack handler.

        * llint/LowLevelInterpreter32_64.asm:
        Moved stack point down 8 bytes to get it aligned.

2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Object Previews in the Console
        https://bugs.webkit.org/show_bug.cgi?id=129204

        Reviewed by Timothy Hatcher.

        Update the very old, unused object preview code. Part of this comes from
        the earlier WebKit legacy implementation, and the Blink implementation.

        A RemoteObject may include a preview, if it is asked for, and if the
        RemoteObject is an object. Previews are a shallow (single level) list
        of a limited number of properties on the object. The previewed
        properties are always stringified (even if primatives). Previews are
        limited to just 5 properties or 100 indices. Previews are marked
        as lossless if they are a complete snapshot of the object.

        There is a path to make previews two levels deep, that is currently
        unused but should soon be used for tables (e.g. IndexedDB).

        * inspector/InjectedScriptSource.js:
        - Move some code off of InjectedScript to be generic functions
        usable by RemoteObject as well.
        - Update preview generation to use 

        * inspector/protocol/Runtime.json:
        - Add a new type, "accessor" for preview objects. This represents
        a getter / setter. We currently don't get the value.

2015-01-23  Michael Saboff  <msaboff@apple.com>

        Immediate crash when setting JS breakpoint
        https://bugs.webkit.org/show_bug.cgi?id=140811

        Reviewed by Mark Lam.

        When the DFG stack layout phase doesn't allocate a register for the scope register,
        it incorrectly sets the scope register in the code block to a bad value, one with
        an offset of 0.  Changed it so that we set the code block's scope register to the 
        invalid VirtualRegister instead.

        No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
        We crash with that ASSERT in testapi and likely many other tests as well.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setScopeRegister):
        (JSC::CodeBlock::scopeRegister):
        Added ASSERTs to catch any future improper setting of the code block's scope register.

        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):

2015-01-22  Mark Hahnenberg  <mhahnenb@gmail.com>

        EdenCollections unnecessarily visit SmallStrings
        https://bugs.webkit.org/show_bug.cgi?id=140762

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::copyBackingStores): Also added a GCPhase for copying
        backing stores, which is a significant portion of garbage collection.
        (JSC::Heap::visitSmallStrings): Check to see if we need to visit
        SmallStrings based on the collection type.
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::visitStrongReferences): Set the fact that we have
        visited the SmallStrings since the last modification.
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::needsToBeVisited): If we're doing a
        FullCollection, we need to visit. Otherwise, it depends on whether
        we've been visited since the last modification/allocation.

2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>

        Add a build flag for ES6 class syntax
        https://bugs.webkit.org/show_bug.cgi?id=140760

        Reviewed by Michael Saboff.

        Added ES6_CLASS_SYNTAX build flag and used it in tokenizer to recognize
        "class", "extends", "static" and "super" keywords.

        * Configurations/FeatureDefines.xcconfig:
        * parser/Keywords.table:
        * parser/ParserTokens.h:

2015-01-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r178894.
        https://bugs.webkit.org/show_bug.cgi?id=140775

        Broke JSC and bindings tests (Requested by ap_ on #webkit).

        Reverted changeset:

        "put_by_val_direct need to check the property is index or not
        for using putDirect / putDirectIndex"
        https://bugs.webkit.org/show_bug.cgi?id=140426
        http://trac.webkit.org/changeset/178894

2015-01-22  Mark Lam  <mark.lam@apple.com>

        BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
        <https://webkit.org/b/140743>

        Reviewed by Oliver Hunt.

        BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
        op_put_to_scope to an inappropriate value (i.e. 0).  As a result, the execution
        of put_to_scope could store a wrong inferred value into the VariableWatchpointSet
        for which ever captured variable is at local index 0.  In practice, this turns
        out to be the local for the Arguments object.  In this reproduction case in the
        bug, the wrong inferred value written there is the boolean true.

        Subsequently, DFG compilation occurs and CreateArguments is emitted to first do
        a check of the local for the Arguments object.  But because that local has a
        wrong inferred value, the check always discovers a non-null value and we never
        actually create the Arguments object.  Immediately after this, an OSR exit
        occurs leaving the Arguments object local uninitialized.  Later on at arguments
        tear off, we run into a boolean true where we had expected to find an Arguments
        object, which in turn, leads to the crash.

        The fix is to:
        1. In the case where the resolveModeType is LocalClosureVar, change the
           5th operand of op_put_to_scope to be a boolean.  True means that the
           local var is watchable.  False means it is not watchable.  We no longer
           pass the local index (instead of true) and UINT_MAX (instead of false).

           This allows us to express more clearer in the code what that value means,
           as well as remove the redundant way of getting the local's identifier.
           The identifier is always the one passed in the 2nd operand. 

        2. Previously, though intuitively, we know that the watchable variable
           identifier should be the same as the one that is passed in operand 2, this
           relationship was not clear in the code.  By code analysis, I confirmed that 
           the callers of BytecodeGenerator::emitPutToScope() always use the same
           identifier for operand 2 and for filling out the ResolveScopeInfo from
           which we get the watchable variable identifier later.  I've changed the
           code to make this clear now by always using the identifier passed in
           operand 2.

        3. In the case where the resolveModeType is LocalClosureVar,
           initializeCapturedVariable() and emitPutToScope() will now query
           hasWatchableVariable() to determine if the local is watchable or not.
           Accordingly, we pass the boolean result of hasWatchableVariable() as
           operand 5 of op_put_to_scope.

        Also added some assertions.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::initializeCapturedVariable):
        (JSC::BytecodeGenerator::hasConstant):
        (JSC::BytecodeGenerator::emitPutToScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::hasWatchableVariable):
        (JSC::BytecodeGenerator::watchableVariableIdentifier):
        (JSC::BytecodeGenerator::watchableVariable): Deleted.

2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>

        PropertyListNode::emitNode duplicates the code to put a constant property
        https://bugs.webkit.org/show_bug.cgi?id=140761

        Reviewed by Geoffrey Garen.

        Extracted PropertyListNode::emitPutConstantProperty to share the code.

        Also made PropertyListNode::emitBytecode private since nobody is calling this function directly.

        * bytecompiler/NodesCodegen.cpp: