[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2015-08-06  Keith Miller  <keith_miller@apple.com>

        The JSONP parser incorrectly parses -0 as +0.
        https://bugs.webkit.org/show_bug.cgi?id=147590

        Reviewed by Michael Saboff.

        In the LiteralParser we should use a double to store the accumulator for numerical tokens
        rather than an int. Using an int means that -0 is, incorrectly, parsed as +0.

        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lexNumber):

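        As an added before/after illustration of the entry above (written for this note, not the LiteralParser source), the int-accumulator lexer loses the sign of "-0" while the double-accumulator one keeps it. Both `lexNumberWith*Accumulator` functions and `isNegativeZero` are simplified, integer-only lexers constructed here; they accept an optional '-' and decimal digits, nothing else.

```cpp
#include <cmath>
#include <cstddef>
#include <string>

// Constructed illustration of the -0 bug: two minimal JSON-style number lexers
// (no fraction or exponent, to keep the point isolated) that return the parsed
// value as a double, which is how a JSON value eventually reaches JavaScript.

// Before the fix: digits are accumulated in an int. Integer negation of 0 is
// still 0, so the sign of "-0" is gone before the value is widened to double.
double lexNumberWithIntAccumulator(const std::string& text)
{
    std::size_t i = 0;
    bool negative = false;
    if (i < text.size() && text[i] == '-') {
        negative = true;
        ++i;
    }
    int accumulator = 0;
    while (i < text.size() && text[i] >= '0' && text[i] <= '9')
        accumulator = accumulator * 10 + (text[i++] - '0');
    if (negative)
        accumulator = -accumulator; // -0 in two's complement is just 0
    return static_cast<double>(accumulator); // yields +0.0 for "-0"
}

// After the fix: digits are accumulated in a double. IEEE 754 has a signed
// zero, so negating 0.0 gives -0.0 and the sign survives.
double lexNumberWithDoubleAccumulator(const std::string& text)
{
    std::size_t i = 0;
    bool negative = false;
    if (i < text.size() && text[i] == '-') {
        negative = true;
        ++i;
    }
    double accumulator = 0;
    while (i < text.size() && text[i] >= '0' && text[i] <= '9')
        accumulator = accumulator * 10 + (text[i++] - '0');
    if (negative)
        accumulator = -accumulator; // 0.0 becomes -0.0
    return accumulator;
}

// -0.0 == 0.0 under operator==, so a plain comparison cannot tell them apart;
// std::signbit (or the sign of 1.0 / value) can. This is what JavaScript code
// observes through 1 / x or Object.is(x, -0).
bool isNegativeZero(double value)
{
    return value == 0.0 && std::signbit(value);
}
```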
2015-08-06  Filip Pizlo  <fpizlo@apple.com>

        Structures used for tryGetConstantProperty() should be registered first
        https://bugs.webkit.org/show_bug.cgi?id=147750

        Reviewed by Saam Barati and Michael Saboff.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetConstantProperty): Add an assertion to that effect. This should catch the bug sooner.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addStructureSet): Register structures when we make a structure set. That ensures that we won't call tryGetConstantProperty() on a structure that hasn't been registered yet.
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run): Don't register structure sets here anymore. Registering them before we get here means there is no chance of the code being DCE'd before the structures get registered. It also enables the tryGetConstantProperty() assertion, since that code runs before StructureRegistrationPhase.
        (JSC::DFG::StructureRegistrationPhase::registerStructures):
        (JSC::DFG::StructureRegistrationPhase::registerStructure):
        (JSC::DFG::StructureRegistrationPhase::assertAreRegistered):
        (JSC::DFG::StructureRegistrationPhase::assertIsRegistered):
        (JSC::DFG::performStructureRegistration):

2015-08-06  Keith Miller  <keith_miller@apple.com>

        Remove UnspecifiedBoolType from JSC
        https://bugs.webkit.org/show_bug.cgi?id=147597

        Reviewed by Mark Lam.

        We were using the safe bool pattern in the code base for implicit casting to booleans.
        With C++11 this is no longer necessary and we can instead create an operator bool.

        * API/JSRetainPtr.h:
        (JSRetainPtr::operator bool):
        (JSRetainPtr::operator UnspecifiedBoolType): Deleted.
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::operator bool):
        (JSC::DFG::Edge::operator UnspecifiedBoolType*): Deleted.
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * heap/Weak.h:
        * heap/WeakInlines.h:
        (JSC::bool):
        (JSC::UnspecifiedBoolType): Deleted.

2015-08-05  Ryosuke Niwa  <rniwa@webkit.org>

        [ES6] Class parser does not allow methods named set and get.
        https://bugs.webkit.org/show_bug.cgi?id=147150

        Reviewed by Oliver Hunt.

        The bug was caused by parseClass assuming identifiers "get" and "set" could only appear
        as the leading token for getter and setter methods. Fixed the bug by generalizing the code
        so that we only treat them as such when they're followed by another token that could be a method name.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-08-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/187972.

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::doRun):
        (JSC::SamplingTool::notifyOfScope):
        * bytecode/SamplingTool.h:
        * dfg/DFGThreadData.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::queueLength):
        (JSC::DFG::Worklist::dump):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * disassembler/Disassembler.cpp:
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::doneCopying):
        * heap/CopiedSpace.h:
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::recycleBorrowedBlock):
        (JSC::CopiedSpace::allocateBlockForCopyingPhase):
        * heap/HeapTimer.h:
        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::Locker::Locker):
        (JSC::ActiveMachineThreadsManager::add):
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThreadIfFound):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:
        * interpreter/JSStack.cpp:
        (JSC::stackStatisticsMutex):
        (JSC::JSStack::addToCommittedByteCount):
        (JSC::JSStack::committedByteCount):
        * jit/JITThunks.h:
        * profiler/ProfilerDatabase.h:

2015-08-05  Saam barati  <saambarati1@gmail.com>

        Bytecodegenerator emits crappy code for returns in a lexical scope.
        https://bugs.webkit.org/show_bug.cgi?id=147688

        Reviewed by Mark Lam.

        When returning, we only need to emit complex pop scopes if we're in
        a finally block. Otherwise, we can just return like normal. This saves
        us from inefficiently emitting unnecessary pop scopes.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isInFinallyBlock):
        (JSC::BytecodeGenerator::hasFinaliser): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ReturnNode::emitBytecode):

2015-08-05  Benjamin Poulain  <benjamin@webkit.org>

        Add the Intl API to the status page

        * features.json:
        Andy VanWagoner landed the skeleton of the API and it is
        enabled by default.

2015-08-04  Filip Pizlo  <fpizlo@apple.com>

        Rename Mutex to DeprecatedMutex
        https://bugs.webkit.org/show_bug.cgi?id=147675

        Reviewed by Geoffrey Garen.

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::doRun):
        (JSC::SamplingTool::notifyOfScope):
        * bytecode/SamplingTool.h:
        * dfg/DFGThreadData.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::queueLength):
        (JSC::DFG::Worklist::dump):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * disassembler/Disassembler.cpp:
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::doneCopying):
        * heap/CopiedSpace.h:
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::recycleBorrowedBlock):
        (JSC::CopiedSpace::allocateBlockForCopyingPhase):
        * heap/HeapTimer.h:
        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::Locker::Locker):
        (JSC::ActiveMachineThreadsManager::add):
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThreadIfFound):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:
        * interpreter/JSStack.cpp:
        (JSC::stackStatisticsMutex):
        (JSC::JSStack::addToCommittedByteCount):
        (JSC::JSStack::committedByteCount):
        * jit/JITThunks.h:
        * profiler/ProfilerDatabase.h:

2015-08-05  Saam barati  <saambarati1@gmail.com>

        Replace JSFunctionNameScope with JSLexicalEnvironment for the function name scope.
        https://bugs.webkit.org/show_bug.cgi?id=147657

        Reviewed by Mark Lam.

        This kills the last of the name scope objects. Function name scopes are
        now built on top of the scoping mechanisms introduced with ES6 block scoping.
        A name scope is now just a JSLexicalEnvironment.  We treat assignments to the
        function name scoped variable carefully depending on if the function is in
        strict mode. If we're in strict mode, then we treat the variable exactly
        like a "const" variable. If we're not in strict mode, we can't treat
        this variable like ES6 "const" because that would cause the bytecode
        generator to throw an exception when it shouldn't.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::pushLexicalScope):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::resolveType):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::pushScopedControlFlowContext):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        * debugger/DebuggerScope.cpp:
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_push_name_scope): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_to_string):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_push_name_scope): Deleted.
        * jit/JITOperations.cpp:
        (JSC::pushNameScope): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/Nodes.cpp:
        * runtime/CommonSlowPaths.cpp:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/JSFunctionNameScope.cpp: Removed.
        * runtime/JSFunctionNameScope.h: Removed.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::withScopeStructure):
        (JSC::JSGlobalObject::strictEvalActivationStructure):
        (JSC::JSGlobalObject::activationStructure):
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::outOfBandArgumentsStructure):
        (JSC::JSGlobalObject::functionNameScopeStructure): Deleted.
        * runtime/JSNameScope.cpp: Removed.
        * runtime/JSNameScope.h: Removed.
        * runtime/JSObject.cpp:
        (JSC::JSObject::toThis):
        (JSC::JSObject::seal):
        (JSC::JSObject::isFunctionNameScopeObject): Deleted.
        * runtime/JSObject.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::isCatchScope):
        (JSC::JSScope::isFunctionNameScopeObject):
        (JSC::resolveModeName):
        * runtime/JSScope.h:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/SymbolTable.h:
        * runtime/VM.cpp:

2015-08-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve Support for PropertyName Iterator (Reflect.enumerate) in Inspector
        https://bugs.webkit.org/show_bug.cgi?id=147679

        Reviewed by Timothy Hatcher.

        Improve native iterator support for the PropertyName Iterator by
        allowing inspection of the internal object within the iterator
        and peeking of the next upcoming values of the iterator.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::iteratedValue):

2015-08-04  Brent Fulgham  <bfulgham@apple.com>

        [Win] Update Apple Windows build for VS2015
        https://bugs.webkit.org/show_bug.cgi?id=147653

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Drive-by-fix.
        Show JSC files in proper project locations in IDE.

2015-08-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Object previews for SVG elements shows SVGAnimatedString instead of text
        https://bugs.webkit.org/show_bug.cgi?id=147328

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        Use classList and classList.toString instead of className.

2015-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Support Module Syntax
        https://bugs.webkit.org/show_bug.cgi?id=147422

        Reviewed by Saam Barati.

        This patch introduces ES6 Modules syntax parsing part.
        In this patch, ASTBuilder just produces the corresponding nodes to the ES6 Modules syntax,
        and this patch does not include the code generator part.

        Modules require 2-phase parsing. In the first pass, we just analyze the dependent modules
        and do not execute the body or construct the AST. And after analyzing all the dependent
        modules, we will parse the dependent modules next.
        After the analyzing part is done, we will start the second pass. In the second pass, we
        will parse the module, produce the AST, and execute the body.
        If we don't do so, we need to create all the ASTs in the module's dependent graph at first
        because the given module can be executed after all the dependent modules are executed. It
        means that we need to hold so many parser arenas. To avoid this, the first pass only extracts
        the dependent modules' information.

        In this patch, we don't add this analyzing part yet. This patch only implements the second pass.
        This patch aims at just implementing the syntax parsing functionality correctly.
        After this patch is landed, we will create the ModuleDependencyAnalyzer that inherits SyntaxChecker
        to collect the dependent modules fast [1].

        To test the parsing, we added the "checkModuleSyntax" function into the jsc shell.
        By using this, we can parse the given string as the module.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=147353

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ModuleProgramNode::emitBytecode):
        (JSC::ImportDeclarationNode::emitBytecode):
        (JSC::ExportAllDeclarationNode::emitBytecode):
        (JSC::ExportDefaultDeclarationNode::emitBytecode):
        (JSC::ExportLocalDeclarationNode::emitBytecode):
        (JSC::ExportNamedDeclarationNode::emitBytecode):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCheckModuleSyntax):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createModuleSpecifier):
        (JSC::ASTBuilder::createImportSpecifier):
        (JSC::ASTBuilder::createImportSpecifierList):
        (JSC::ASTBuilder::appendImportSpecifier):
        (JSC::ASTBuilder::createImportDeclaration):
        (JSC::ASTBuilder::createExportAllDeclaration):
        (JSC::ASTBuilder::createExportDefaultDeclaration):
        (JSC::ASTBuilder::createExportLocalDeclaration):
        (JSC::ASTBuilder::createExportNamedDeclaration):
        (JSC::ASTBuilder::createExportSpecifier):
        (JSC::ASTBuilder::createExportSpecifierList):
        (JSC::ASTBuilder::appendExportSpecifier):
        * parser/Keywords.table:
        * parser/NodeConstructors.h:
        (JSC::ModuleSpecifierNode::ModuleSpecifierNode):
        (JSC::ImportSpecifierNode::ImportSpecifierNode):
        (JSC::ImportDeclarationNode::ImportDeclarationNode):
        (JSC::ExportAllDeclarationNode::ExportAllDeclarationNode):
        (JSC::ExportDefaultDeclarationNode::ExportDefaultDeclarationNode):
        (JSC::ExportLocalDeclarationNode::ExportLocalDeclarationNode):
        (JSC::ExportNamedDeclarationNode::ExportNamedDeclarationNode):
        (JSC::ExportSpecifierNode::ExportSpecifierNode):
        * parser/Nodes.cpp:
        (JSC::ModuleProgramNode::ModuleProgramNode):
        * parser/Nodes.h:
        (JSC::ModuleProgramNode::startColumn):
        (JSC::ModuleProgramNode::endColumn):
        (JSC::ModuleSpecifierNode::moduleName):
        (JSC::ImportSpecifierNode::importedName):
        (JSC::ImportSpecifierNode::localName):
        (JSC::ImportSpecifierListNode::specifiers):
        (JSC::ImportSpecifierListNode::append):
        (JSC::ImportDeclarationNode::specifierList):
        (JSC::ImportDeclarationNode::moduleSpecifier):
        (JSC::ExportAllDeclarationNode::moduleSpecifier):
        (JSC::ExportDefaultDeclarationNode::declaration):
        (JSC::ExportLocalDeclarationNode::declaration):
        (JSC::ExportSpecifierNode::exportedName):
        (JSC::ExportSpecifierNode::localName):
        (JSC::ExportSpecifierListNode::specifiers):
        (JSC::ExportSpecifierListNode::append):
        (JSC::ExportNamedDeclarationNode::specifierList):
        (JSC::ExportNamedDeclarationNode::moduleSpecifier):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseModuleSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClassDeclaration):
        (JSC::Parser<LexerType>::parseModuleSpecifier):
        (JSC::Parser<LexerType>::parseImportClauseItem):
        (JSC::Parser<LexerType>::parseImportDeclaration):
        (JSC::Parser<LexerType>::parseExportSpecifier):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        (JSC::isIdentifierOrKeyword):
        (JSC::ModuleScopeData::create):
        (JSC::ModuleScopeData::exportedBindings):
        (JSC::ModuleScopeData::exportName):
        (JSC::ModuleScopeData::exportBinding):
        (JSC::Scope::Scope):
        (JSC::Scope::setIsModule):
        (JSC::Scope::moduleScopeData):
        (JSC::Parser::matchContextualKeyword):
        (JSC::Parser::matchIdentifierOrKeyword):
        (JSC::Parser::isofToken): Deleted.
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createModuleSpecifier):
        (JSC::SyntaxChecker::createImportSpecifier):
        (JSC::SyntaxChecker::createImportSpecifierList):
        (JSC::SyntaxChecker::appendImportSpecifier):
        (JSC::SyntaxChecker::createImportDeclaration):
        (JSC::SyntaxChecker::createExportAllDeclaration):
        (JSC::SyntaxChecker::createExportDefaultDeclaration):
        (JSC::SyntaxChecker::createExportLocalDeclaration):
        (JSC::SyntaxChecker::createExportNamedDeclaration):
        (JSC::SyntaxChecker::createExportSpecifier):
        (JSC::SyntaxChecker::createExportSpecifierList):
        (JSC::SyntaxChecker::appendExportSpecifier):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkModuleSyntax):
        * runtime/Completion.h:
        * tests/stress/modules-syntax-error-with-names.js: Added.
        (shouldThrow):
        * tests/stress/modules-syntax-error.js: Added.
        (shouldThrow):
        (checkModuleSyntaxError.checkModuleSyntaxError.checkModuleSyntaxError):
        * tests/stress/modules-syntax.js: Added.
        (prototype.checkModuleSyntax):
        (checkModuleSyntax):
        * tests/stress/tagged-templates-syntax.js:

2015-08-03  Csaba Osztrogonác  <ossy@webkit.org>

        Introduce COMPILER(GCC_OR_CLANG) guard and make COMPILER(GCC) true only for GCC
        https://bugs.webkit.org/show_bug.cgi?id=146833

        Reviewed by Alexey Proskuryakov.

        * assembler/ARM64Assembler.h:
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::cacheFlush):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::isVFPPresent):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::isSSE2Present):
        * heap/MachineStackMarker.h:
        * interpreter/StackVisitor.cpp: Removed redundant COMPILER(CLANG) guards.
        (JSC::logF):
        * jit/HostCallReturnValue.h:
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86Common.h:
        * jit/JITStubsX86_64.h:
        * jit/ThunkGenerators.cpp:
        * runtime/JSExportMacros.h:
        * runtime/MathCommon.h: Removed redundant COMPILER(CLANG) guard.
        (JSC::clz32):

2015-08-03  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix uninitialized property leading to an assert.

        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):

2015-08-03  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/ObjectPropertyConditionSet.h:
        (JSC::ObjectPropertyConditionSet::fromRawPointer):

2015-07-31  Filip Pizlo  <fpizlo@apple.com>

        DFG should have adaptive structure watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=146929

        Reviewed by Geoffrey Garen.

        Before this change, if you wanted to efficiently validate whether an object has (or doesn't have) a
        property, you'd check that the object still has the structure that you first saw the object have. We
        optimized this a bit with transition watchpoints on the structure, which sometimes allowed us to
        elide the structure check.

        But this approach fails when that object frequently has new properties added to it. This would
        change the structure and fire the transition watchpoint, so the code we emitted would be invalid and
        we'd have to recompile either the IC or an entire code block.

        This change introduces a new concept: an object property condition. This value describes some
        condition involving a property on some object. There are four kinds: presence, absence,
        absence-of-setter, and equivalence. For example, a presence condition says that we expect that the
        object has some property at some offset with some attributes. This allows us to implement a new kind
        of watchpoint, which knows about the object property condition that it's being used to enforce. If
        the watchpoint fires because of a structure transition, the watchpoint may simply reinstall itself
        on the new structure.

        Object property conditions are used on the prototype chain of PutById transitions, GetById misses,
        and prototype accesses. They are also used for any DFG accesses to object constants, including
        global property accesses.

        Mostly because of the effect on global property access, this is a 9% speed-up on Kraken. It's
        neutral on most other things. It's a 68x speed-up on a microbenchmark that illustrates the prototype
        chain situation. It's also a small speed-up on getter-richards.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdCacheStatus):
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ComplexGetStatus.cpp:
        (JSC::ComplexGetStatus::computeFor):
        * bytecode/ComplexGetStatus.h:
        (JSC::ComplexGetStatus::ComplexGetStatus):
        (JSC::ComplexGetStatus::takesSlowPath):
        (JSC::ComplexGetStatus::kind):
        (JSC::ComplexGetStatus::offset):
        (JSC::ComplexGetStatus::conditionSet):
        (JSC::ComplexGetStatus::attributes): Deleted.
        (JSC::ComplexGetStatus::specificValue): Deleted.
        (JSC::ComplexGetStatus::chain): Deleted.
        * bytecode/ConstantStructureCheck.cpp: Removed.
        * bytecode/ConstantStructureCheck.h: Removed.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::~GetByIdVariant):
        (JSC::GetByIdVariant::operator=):
        (JSC::GetByIdVariant::attemptToMerge):
        (JSC::GetByIdVariant::dumpInContext):
        (JSC::GetByIdVariant::baseStructure): Deleted.
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::operator!):
        (JSC::GetByIdVariant::structureSet):
        (JSC::GetByIdVariant::conditionSet):
        (JSC::GetByIdVariant::offset):
        (JSC::GetByIdVariant::callLinkStatus):
        (JSC::GetByIdVariant::constantChecks): Deleted.
        (JSC::GetByIdVariant::alternateBase): Deleted.
        * bytecode/ObjectPropertyCondition.cpp: Added.
        (JSC::ObjectPropertyCondition::dumpInContext):
        (JSC::ObjectPropertyCondition::dump):
        (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
        (JSC::ObjectPropertyCondition::validityRequiresImpurePropertyWatchpoint):
        (JSC::ObjectPropertyCondition::isStillValid):
        (JSC::ObjectPropertyCondition::structureEnsuresValidity):
        (JSC::ObjectPropertyCondition::isWatchableAssumingImpurePropertyWatchpoint):
        (JSC::ObjectPropertyCondition::isWatchable):
        (JSC::ObjectPropertyCondition::isStillLive):
        (JSC::ObjectPropertyCondition::validateReferences):
        (JSC::ObjectPropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
        * bytecode/ObjectPropertyCondition.h: Added.
        (JSC::ObjectPropertyCondition::ObjectPropertyCondition):
        (JSC::ObjectPropertyCondition::presenceWithoutBarrier):
        (JSC::ObjectPropertyCondition::presence):
        (JSC::ObjectPropertyCondition::absenceWithoutBarrier):
        (JSC::ObjectPropertyCondition::absence):
        (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier):
        (JSC::ObjectPropertyCondition::absenceOfSetter):
        (JSC::ObjectPropertyCondition::equivalenceWithoutBarrier):
        (JSC::ObjectPropertyCondition::equivalence):
        (JSC::ObjectPropertyCondition::operator!):
        (JSC::ObjectPropertyCondition::object):
        (JSC::ObjectPropertyCondition::condition):
        (JSC::ObjectPropertyCondition::kind):
        (JSC::ObjectPropertyCondition::uid):
        (JSC::ObjectPropertyCondition::hasOffset):
        (JSC::ObjectPropertyCondition::offset):
        (JSC::ObjectPropertyCondition::hasAttributes):
        (JSC::ObjectPropertyCondition::attributes):
        (JSC::ObjectPropertyCondition::hasPrototype):
        (JSC::ObjectPropertyCondition::prototype):
        (JSC::ObjectPropertyCondition::hasRequiredValue):
        (JSC::ObjectPropertyCondition::requiredValue):
        (JSC::ObjectPropertyCondition::hash):
        (JSC::ObjectPropertyCondition::operator==):
        (JSC::ObjectPropertyCondition::isHashTableDeletedValue):
        (JSC::ObjectPropertyCondition::isCompatibleWith):
        (JSC::ObjectPropertyCondition::watchingRequiresStructureTransitionWatchpoint):
        (JSC::ObjectPropertyCondition::watchingRequiresReplacementWatchpoint):
        (JSC::ObjectPropertyCondition::isValidValueForPresence):
        (JSC::ObjectPropertyConditionHash::hash):
        (JSC::ObjectPropertyConditionHash::equal):
        * bytecode/ObjectPropertyConditionSet.cpp: Added.
        (JSC::ObjectPropertyConditionSet::forObject):
        (JSC::ObjectPropertyConditionSet::forConditionKind):
        (JSC::ObjectPropertyConditionSet::numberOfConditionsWithKind):
        (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition):
        (JSC::ObjectPropertyConditionSet::slotBaseCondition):
        (JSC::ObjectPropertyConditionSet::mergedWith):
        (JSC::ObjectPropertyConditionSet::structuresEnsureValidity):
        (JSC::ObjectPropertyConditionSet::structuresEnsureValidityAssumingImpurePropertyWatchpoint):
        (JSC::ObjectPropertyConditionSet::needImpurePropertyWatchpoint):
        (JSC::ObjectPropertyConditionSet::areStillLive):
        (JSC::ObjectPropertyConditionSet::dumpInContext):
        (JSC::ObjectPropertyConditionSet::dump):
        (JSC::generateConditionsForPropertyMiss):
        (JSC::generateConditionsForPropertySetterMiss):
        (JSC::generateConditionsForPrototypePropertyHit):
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        (JSC::generateConditionsForPropertySetterMissConcurrently):
        * bytecode/ObjectPropertyConditionSet.h: Added.
        (JSC::ObjectPropertyConditionSet::ObjectPropertyConditionSet):
        (JSC::ObjectPropertyConditionSet::invalid):
        (JSC::ObjectPropertyConditionSet::nonEmpty):
        (JSC::ObjectPropertyConditionSet::isValid):
        (JSC::ObjectPropertyConditionSet::isEmpty):
        (JSC::ObjectPropertyConditionSet::begin):
        (JSC::ObjectPropertyConditionSet::end):
        (JSC::ObjectPropertyConditionSet::releaseRawPointer):
        (JSC::ObjectPropertyConditionSet::adoptRawPointer):
        (JSC::ObjectPropertyConditionSet::fromRawPointer):
        (JSC::ObjectPropertyConditionSet::Data::Data):
        * bytecode/PolymorphicGetByIdList.cpp:
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::~GetByIdAccess):
        (JSC::GetByIdAccess::visitWeak):
        * bytecode/PolymorphicGetByIdList.h:
        (JSC::GetByIdAccess::GetByIdAccess):
671         (JSC::GetByIdAccess::structure):
672         (JSC::GetByIdAccess::conditionSet):
673         (JSC::GetByIdAccess::stubRoutine):
674         (JSC::GetByIdAccess::chain): Deleted.
675         (JSC::GetByIdAccess::chainCount): Deleted.
676         * bytecode/PolymorphicPutByIdList.cpp:
677         (JSC::PutByIdAccess::fromStructureStubInfo):
678         (JSC::PutByIdAccess::visitWeak):
679         * bytecode/PolymorphicPutByIdList.h:
680         (JSC::PutByIdAccess::PutByIdAccess):
681         (JSC::PutByIdAccess::transition):
682         (JSC::PutByIdAccess::setter):
683         (JSC::PutByIdAccess::newStructure):
684         (JSC::PutByIdAccess::conditionSet):
685         (JSC::PutByIdAccess::stubRoutine):
686         (JSC::PutByIdAccess::chain): Deleted.
687         (JSC::PutByIdAccess::chainCount): Deleted.
688         * bytecode/PropertyCondition.cpp: Added.
689         (JSC::PropertyCondition::dumpInContext):
690         (JSC::PropertyCondition::dump):
691         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
692         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint):
693         (JSC::PropertyCondition::isStillValid):
694         (JSC::PropertyCondition::isWatchableWhenValid):
695         (JSC::PropertyCondition::isWatchableAssumingImpurePropertyWatchpoint):
696         (JSC::PropertyCondition::isWatchable):
697         (JSC::PropertyCondition::isStillLive):
698         (JSC::PropertyCondition::validateReferences):
699         (JSC::PropertyCondition::isValidValueForAttributes):
700         (JSC::PropertyCondition::isValidValueForPresence):
701         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
702         (WTF::printInternal):
703         * bytecode/PropertyCondition.h: Added.
704         (JSC::PropertyCondition::PropertyCondition):
705         (JSC::PropertyCondition::presenceWithoutBarrier):
706         (JSC::PropertyCondition::presence):
707         (JSC::PropertyCondition::absenceWithoutBarrier):
708         (JSC::PropertyCondition::absence):
709         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier):
710         (JSC::PropertyCondition::absenceOfSetter):
711         (JSC::PropertyCondition::equivalenceWithoutBarrier):
712         (JSC::PropertyCondition::equivalence):
713         (JSC::PropertyCondition::operator!):
714         (JSC::PropertyCondition::kind):
715         (JSC::PropertyCondition::uid):
716         (JSC::PropertyCondition::hasOffset):
717         (JSC::PropertyCondition::offset):
718         (JSC::PropertyCondition::hasAttributes):
719         (JSC::PropertyCondition::attributes):
720         (JSC::PropertyCondition::hasPrototype):
721         (JSC::PropertyCondition::prototype):
722         (JSC::PropertyCondition::hasRequiredValue):
723         (JSC::PropertyCondition::requiredValue):
724         (JSC::PropertyCondition::hash):
725         (JSC::PropertyCondition::operator==):
726         (JSC::PropertyCondition::isHashTableDeletedValue):
727         (JSC::PropertyCondition::isCompatibleWith):
728         (JSC::PropertyCondition::watchingRequiresStructureTransitionWatchpoint):
729         (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint):
730         (JSC::PropertyConditionHash::hash):
731         (JSC::PropertyConditionHash::equal):
732         * bytecode/PutByIdStatus.cpp:
733         (JSC::PutByIdStatus::computeFromLLInt):
734         (JSC::PutByIdStatus::computeFor):
735         (JSC::PutByIdStatus::computeForStubInfo):
736         * bytecode/PutByIdVariant.cpp:
737         (JSC::PutByIdVariant::operator=):
738         (JSC::PutByIdVariant::transition):
739         (JSC::PutByIdVariant::setter):
740         (JSC::PutByIdVariant::makesCalls):
741         (JSC::PutByIdVariant::attemptToMerge):
742         (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
743         (JSC::PutByIdVariant::dumpInContext):
744         (JSC::PutByIdVariant::baseStructure): Deleted.
745         * bytecode/PutByIdVariant.h:
746         (JSC::PutByIdVariant::PutByIdVariant):
747         (JSC::PutByIdVariant::kind):
748         (JSC::PutByIdVariant::structure):
749         (JSC::PutByIdVariant::structureSet):
750         (JSC::PutByIdVariant::oldStructure):
751         (JSC::PutByIdVariant::conditionSet):
752         (JSC::PutByIdVariant::offset):
753         (JSC::PutByIdVariant::callLinkStatus):
754         (JSC::PutByIdVariant::constantChecks): Deleted.
755         (JSC::PutByIdVariant::alternateBase): Deleted.
756         * bytecode/StructureStubClearingWatchpoint.cpp:
757         (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint):
758         (JSC::StructureStubClearingWatchpoint::push):
759         (JSC::StructureStubClearingWatchpoint::fireInternal):
760         (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo):
761         (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
762         (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint):
763         * bytecode/StructureStubClearingWatchpoint.h:
764         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
765         (JSC::WatchpointsOnStructureStubInfo::codeBlock):
766         (JSC::WatchpointsOnStructureStubInfo::stubInfo):
767         * bytecode/StructureStubInfo.cpp:
768         (JSC::StructureStubInfo::deref):
769         (JSC::StructureStubInfo::visitWeakReferences):
770         * bytecode/StructureStubInfo.h:
771         (JSC::StructureStubInfo::initPutByIdTransition):
772         (JSC::StructureStubInfo::initPutByIdReplace):
773         (JSC::StructureStubInfo::setSeen):
774         (JSC::StructureStubInfo::addWatchpoint):
775         * dfg/DFGAbstractInterpreterInlines.h:
776         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
777         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp: Added.
778         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::AdaptiveInferredPropertyValueWatchpoint):
779         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::install):
780         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::fire):
781         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::StructureWatchpoint::fireInternal):
782         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::PropertyWatchpoint::fireInternal):
783         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h: Added.
784         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::key):
785         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::StructureWatchpoint::StructureWatchpoint):
786         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::PropertyWatchpoint::PropertyWatchpoint):
787         * dfg/DFGAdaptiveStructureWatchpoint.cpp: Added.
788         (JSC::DFG::AdaptiveStructureWatchpoint::AdaptiveStructureWatchpoint):
789         (JSC::DFG::AdaptiveStructureWatchpoint::install):
790         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
791         * dfg/DFGAdaptiveStructureWatchpoint.h: Added.
792         (JSC::DFG::AdaptiveStructureWatchpoint::key):
793         * dfg/DFGByteCodeParser.cpp:
794         (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
795         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
796         (JSC::DFG::ByteCodeParser::handleGetByOffset):
797         (JSC::DFG::ByteCodeParser::handlePutByOffset):
798         (JSC::DFG::ByteCodeParser::check):
799         (JSC::DFG::ByteCodeParser::promoteToConstant):
800         (JSC::DFG::ByteCodeParser::planLoad):
801         (JSC::DFG::ByteCodeParser::load):
802         (JSC::DFG::ByteCodeParser::presenceLike):
803         (JSC::DFG::ByteCodeParser::checkPresenceLike):
804         (JSC::DFG::ByteCodeParser::store):
805         (JSC::DFG::ByteCodeParser::handleGetById):
806         (JSC::DFG::ByteCodeParser::handlePutById):
807         (JSC::DFG::ByteCodeParser::parseBlock):
808         (JSC::DFG::ByteCodeParser::emitChecks): Deleted.
809         * dfg/DFGCommonData.cpp:
810         (JSC::DFG::CommonData::validateReferences):
811         * dfg/DFGCommonData.h:
812         * dfg/DFGConstantFoldingPhase.cpp:
813         (JSC::DFG::ConstantFoldingPhase::foldConstants):
814         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
815         (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
816         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
817         (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
818         * dfg/DFGDesiredWatchpoints.cpp:
819         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
820         (JSC::DFG::InferredValueAdaptor::add):
821         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
822         (JSC::DFG::DesiredWatchpoints::DesiredWatchpoints):
823         (JSC::DFG::DesiredWatchpoints::addLazily):
824         (JSC::DFG::DesiredWatchpoints::consider):
825         (JSC::DFG::DesiredWatchpoints::reallyAdd):
826         (JSC::DFG::DesiredWatchpoints::areStillValid):
827         (JSC::DFG::DesiredWatchpoints::dumpInContext):
828         * dfg/DFGDesiredWatchpoints.h:
829         (JSC::DFG::SetPointerAdaptor::add):
830         (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
831         (JSC::DFG::SetPointerAdaptor::dumpInContext):
832         (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
833         (JSC::DFG::InferredValueAdaptor::dumpInContext):
834         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
835         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::dumpInContext):
836         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::hasBeenInvalidated):
837         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::dumpInContext):
838         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
839         (JSC::DFG::GenericDesiredWatchpoints::isWatched):
840         (JSC::DFG::GenericDesiredWatchpoints::dumpInContext):
841         (JSC::DFG::DesiredWatchpoints::isWatched):
842         (JSC::DFG::GenericSetAdaptor::add): Deleted.
843         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated): Deleted.
844         * dfg/DFGDesiredWeakReferences.cpp:
845         (JSC::DFG::DesiredWeakReferences::addLazily):
846         (JSC::DFG::DesiredWeakReferences::contains):
847         * dfg/DFGDesiredWeakReferences.h:
848         * dfg/DFGGraph.cpp:
849         (JSC::DFG::Graph::dump):
850         (JSC::DFG::Graph::clearFlagsOnAllNodes):
851         (JSC::DFG::Graph::watchCondition):
852         (JSC::DFG::Graph::isSafeToLoad):
853         (JSC::DFG::Graph::livenessFor):
854         (JSC::DFG::Graph::tryGetConstantProperty):
855         (JSC::DFG::Graph::visitChildren):
856         * dfg/DFGGraph.h:
857         (JSC::DFG::Graph::identifiers):
858         (JSC::DFG::Graph::watchpoints):
859         * dfg/DFGMultiGetByOffsetData.cpp: Added.
860         (JSC::DFG::GetByOffsetMethod::dumpInContext):
861         (JSC::DFG::GetByOffsetMethod::dump):
862         (JSC::DFG::MultiGetByOffsetCase::dumpInContext):
863         (JSC::DFG::MultiGetByOffsetCase::dump):
864         (WTF::printInternal):
865         * dfg/DFGMultiGetByOffsetData.h: Added.
866         (JSC::DFG::GetByOffsetMethod::GetByOffsetMethod):
867         (JSC::DFG::GetByOffsetMethod::constant):
868         (JSC::DFG::GetByOffsetMethod::load):
869         (JSC::DFG::GetByOffsetMethod::loadFromPrototype):
870         (JSC::DFG::GetByOffsetMethod::operator!):
871         (JSC::DFG::GetByOffsetMethod::kind):
872         (JSC::DFG::GetByOffsetMethod::prototype):
873         (JSC::DFG::GetByOffsetMethod::offset):
874         (JSC::DFG::MultiGetByOffsetCase::MultiGetByOffsetCase):
875         (JSC::DFG::MultiGetByOffsetCase::set):
876         (JSC::DFG::MultiGetByOffsetCase::method):
877         * dfg/DFGNode.h:
878         * dfg/DFGSafeToExecute.h:
879         (JSC::DFG::safeToExecute):
880         * dfg/DFGStructureRegistrationPhase.cpp:
881         (JSC::DFG::StructureRegistrationPhase::run):
882         * ftl/FTLLowerDFGToLLVM.cpp:
883         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset):
884         * jit/Repatch.cpp:
885         (JSC::repatchByIdSelfAccess):
886         (JSC::checkObjectPropertyCondition):
887         (JSC::checkObjectPropertyConditions):
888         (JSC::replaceWithJump):
889         (JSC::generateByIdStub):
890         (JSC::actionForCell):
891         (JSC::tryBuildGetByIDList):
892         (JSC::emitPutReplaceStub):
893         (JSC::emitPutTransitionStub):
894         (JSC::tryCachePutByID):
895         (JSC::tryBuildPutByIdList):
896         (JSC::tryRepatchIn):
897         (JSC::addStructureTransitionCheck): Deleted.
898         (JSC::emitPutTransitionStubAndGetOldStructure): Deleted.
899         * runtime/IntendedStructureChain.cpp: Removed.
900         * runtime/IntendedStructureChain.h: Removed.
901         * runtime/JSCJSValue.h:
902         * runtime/JSObject.cpp:
903         (JSC::throwTypeError):
904         (JSC::JSObject::convertToDictionary):
905         (JSC::JSObject::shiftButterflyAfterFlattening):
906         * runtime/JSObject.h:
907         (JSC::JSObject::flattenDictionaryObject):
908         (JSC::JSObject::convertToDictionary): Deleted.
909         * runtime/Operations.h:
910         (JSC::normalizePrototypeChain):
911         (JSC::normalizePrototypeChainForChainAccess): Deleted.
912         (JSC::isPrototypeChainNormalized): Deleted.
913         * runtime/PropertySlot.h:
914         (JSC::PropertySlot::PropertySlot):
915         (JSC::PropertySlot::slotBase):
916         * runtime/Structure.cpp:
917         (JSC::Structure::addPropertyTransition):
918         (JSC::Structure::attributeChangeTransition):
919         (JSC::Structure::toDictionaryTransition):
920         (JSC::Structure::toCacheableDictionaryTransition):
921         (JSC::Structure::toUncacheableDictionaryTransition):
922         (JSC::Structure::ensurePropertyReplacementWatchpointSet):
923         (JSC::Structure::startWatchingPropertyForReplacements):
924         (JSC::Structure::didCachePropertyReplacement):
925         (JSC::Structure::dump):
926         * runtime/Structure.h:
927         * runtime/VM.h:
928         * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check-new.js: Added.
929         (foo):
930         (bar):
931         (baz):
932         * tests/stress/multi-get-by-offset-self-or-proto.js: Added.
933         (foo):
934         * tests/stress/replacement-watchpoint-dictionary.js: Added.
935         (foo):
936         * tests/stress/replacement-watchpoint.js: Added.
937         (foo):
938         * tests/stress/undefined-access-dictionary-then-proto-change.js: Added.
939         (foo):
940         * tests/stress/undefined-access-then-proto-change.js: Added.
941         (foo):
942
943 2015-08-03  Yusuke Suzuki  <utatane.tea@gmail.com>
944
945         JavascriptCore Crash in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool)
946         https://bugs.webkit.org/show_bug.cgi?id=147538
947
948         Reviewed by Geoffrey Garen.
949
950         Due to the order of the ARROWFUNCTION token in the JSTokenType enum, it is categorized as one of the keywords.
951         As a result, when lexing a property name that can take keywords, the ARROWFUNCTION token is accidentally accepted.
952         This patch changes the order of the ARROWFUNCTION token in JSTokenType to make it an operator token.
953
954         * parser/ParserTokens.h:
955         * tests/stress/arrow-function-token-is-not-keyword.js: Added.
956         (testSyntaxError):
957
958 2015-08-03  Keith Miller  <keith_miller@apple.com>
959
960         Clean up the naming for AST expression generation.
961         https://bugs.webkit.org/show_bug.cgi?id=147581
962
963         Reviewed by Yusuke Suzuki.
964
965         * parser/ASTBuilder.h:
966         (JSC::ASTBuilder::createThisExpr):
967         (JSC::ASTBuilder::createSuperExpr):
968         (JSC::ASTBuilder::createNewTargetExpr):
969         (JSC::ASTBuilder::thisExpr): Deleted.
970         (JSC::ASTBuilder::superExpr): Deleted.
971         (JSC::ASTBuilder::newTargetExpr): Deleted.
972         * parser/Parser.cpp:
973         (JSC::Parser<LexerType>::parsePrimaryExpression):
974         (JSC::Parser<LexerType>::parseMemberExpression):
975         * parser/SyntaxChecker.h:
976         (JSC::SyntaxChecker::createThisExpr):
977         (JSC::SyntaxChecker::createSuperExpr):
978         (JSC::SyntaxChecker::createNewTargetExpr):
979         (JSC::SyntaxChecker::thisExpr): Deleted.
980         (JSC::SyntaxChecker::superExpr): Deleted.
981         (JSC::SyntaxChecker::newTargetExpr): Deleted.
982
983 2015-08-03  Yusuke Suzuki  <utatane.tea@gmail.com>
984
985         Don't set up the callsite to operationGetByValDefault when the optimization is already done
986         https://bugs.webkit.org/show_bug.cgi?id=147577
987
988         Reviewed by Filip Pizlo.
989
990         operationGetByValDefault should be called only when the IC is not set.
991         operationGetByValString breaks this invariant, and `ASSERT(!byValInfo.stubRoutine)` in
992         operationGetByValDefault raises an assertion failure.
993         In this patch, we change the callsite-setting-up code in operationGetByValString when
994         the IC is already set. And to make the operation's meaning explicit, we changed the
995         name operationGetByValDefault to operationGetByValOptimize, which is aligned with the
996         GetById case.
997
998         * jit/JITOperations.cpp:
999         * jit/JITOperations.h:
1000         * jit/JITPropertyAccess.cpp:
1001         (JSC::JIT::emitSlow_op_get_by_val):
1002         * jit/JITPropertyAccess32_64.cpp:
1003         (JSC::JIT::emitSlow_op_get_by_val):
1004         * tests/stress/operation-get-by-val-default-should-not-called-for-already-optimized-site.js: Added.
1005         (hello):
1006
1007 2015-08-03  Csaba Osztrogonác  <ossy@webkit.org>
1008
1009         [FTL] Remove unused scripts related to native call inlining
1010         https://bugs.webkit.org/show_bug.cgi?id=147448
1011
1012         Reviewed by Filip Pizlo.
1013
1014         * build-symbol-table-index.py: Removed.
1015         * copy-llvm-ir-to-derived-sources.sh: Removed.
1016         * create-llvm-ir-from-source-file.py: Removed.
1017         * create-symbol-table-index.py: Removed.
1018
1019 2015-08-02  Benjamin Poulain  <bpoulain@apple.com>
1020
1021         Investigate HashTable::HashTable(const HashTable&) and HashTable::operator=(const HashTable&) performance for hash-based static analyses
1022         https://bugs.webkit.org/show_bug.cgi?id=118455
1023
1024         Reviewed by Filip Pizlo.
1025
1026         LivenessAnalysisPhase lights up like a Christmas tree in profiles.
1027
1028         This patch cuts its cost by 4.
1029         About half of the gains come from removing many rehash() calls when copying
1030         the HashSet.
1031         The last quarter is achieved by having a special add() function for initializing
1032         a HashSet.
1033
1034         This makes benchmarks progress by 1-2% here and there. Nothing massive.
1035
1036         * dfg/DFGLivenessAnalysisPhase.cpp:
1037         (JSC::DFG::LivenessAnalysisPhase::process):
1038         The m_live HashSet is only useful per block. When we are done with it,
1039         we can transfer it to liveAtHead to avoid a copy.
1040
1041 2015-08-01  Saam barati  <saambarati1@gmail.com>
1042
1043         Unreviewed. Remove unintentional "print" statement in test case.
1044         https://bugs.webkit.org/show_bug.cgi?id=142567
1045
1046         * tests/stress/class-syntax-definition-semantics.js:
1047         (shouldBeSyntaxError):
1048
1049 2015-07-31  Alex Christensen  <achristensen@webkit.org>
1050
1051         Prepare for VS2015
1052         https://bugs.webkit.org/show_bug.cgi?id=146579
1053
1054         Reviewed by Jon Honeycutt.
1055
1056         * heap/Heap.h:
1057         Fix compiler error by explicitly casting zombifiedBits to the size of a pointer.
1058
1059 2015-07-31  Saam barati  <saambarati1@gmail.com>
1060
1061         ES6 class syntax should use block scoping
1062         https://bugs.webkit.org/show_bug.cgi?id=142567
1063
1064         Reviewed by Geoffrey Garen.
1065
1066         We treat class declarations like we do "let" declarations.
1067         The class name is under TDZ until the class declaration
1068         statement is evaluated. Class declarations also follow
1069         the same rules as "let": No duplicate definitions inside
1070         a lexical environment.
1071
1072         * parser/ASTBuilder.h:
1073         (JSC::ASTBuilder::createClassDeclStatement):
1074         * parser/Parser.cpp:
1075         (JSC::Parser<LexerType>::parseClassDeclaration):
1076         * tests/stress/class-syntax-block-scoping.js: Added.
1077         (assert):
1078         (truth):
1079         (.):
1080         * tests/stress/class-syntax-definition-semantics.js: Added.
1081         (shouldBeSyntaxError):
1082         (shouldNotBeSyntaxError):
1083         (truth):
1084         * tests/stress/class-syntax-tdz.js:
1085         (assert):
1086         (shouldThrowTDZ):
1087         (truth):
1088         (.):
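
        The semantics described in this entry, and the keyword-versus-arrow-token property-name rule from the 147538 entry above, as an added example (not part of the WebKit ChangeLog or of either patch): it compiles small constructed programs with the Function constructor and reports whether each is rejected at parse time, fails at run time, or runs.

```javascript
// Added example, not WebKit code. Each case below is a constructed program
// text; the expected outcome in the comment is what a conforming ES6 engine
// (such as the one running this file) produces.

// Compile `source` as a function body and run it. Returns one of:
//   "parse:<ErrorName>"  early error, e.g. duplicate lexical declaration
//   "run:<ErrorName>"    runtime error, e.g. a TDZ read (ReferenceError)
//   "ok:<value>"         the body ran and returned `value`
function classify(source) {
  let fn;
  try {
    fn = new Function(source);
  } catch (e) {
    return `parse:${e.name}`;
  }
  try {
    return `ok:${String(fn())}`;
  } catch (e) {
    return `run:${e.name}`;
  }
}

// Class declarations behave like "let": block-scoped, in the TDZ until the
// declaration statement is evaluated, and no duplicates in one environment.
function classDeclarationSemantics() {
  return {
    // Two class declarations with the same name in one scope.
    duplicateInSameScope: classify("class A {} class A {}"),            // parse:SyntaxError
    // A class may not share a name with a "let" or "var" in the same scope.
    clashesWithLet: classify("let A = 1; class A {}"),                   // parse:SyntaxError
    clashesWithVar: classify("var A; class A {}"),                       // parse:SyntaxError
    // Reading the name before the declaration statement runs: TDZ.
    readBeforeDeclaration: classify("A; class A {}"),                    // run:ReferenceError
    readAfterDeclaration: classify("class A {} return typeof A;"),       // ok:function
    // A nested block gets its own binding, so the inner class is legal
    // and the outer one is untouched.
    shadowedInInnerBlock: classify("class A {} { class A {} } return typeof A;"), // ok:function
    // A class declared inside a block is not visible outside it.
    scopedToBlock: classify("{ class A {} } return typeof A;"),          // ok:undefined
  };
}

// Property names may be reserved words, but the arrow token "=>" is an
// operator, not a keyword, so it must be rejected as a property name.
function propertyNameTokenRules() {
  return {
    keywordAsPropertyName: classify("return ({ if: 1 }).if;"),           // ok:1
    arrowTokenAsPropertyName: classify("return ({ => : 1 });"),          // parse:SyntaxError
  };
}
```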
1089
1090 2015-07-31  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1091
1092         Implement WebAssembly module parser
1093         https://bugs.webkit.org/show_bug.cgi?id=147293
1094
1095         Reviewed by Mark Lam.
1096
1097         Re-landing after fix for the "..\..\jsc.cpp(46): fatal error C1083: Cannot open
1098         include file: 'JSWASMModule.h'" issue on Windows.
1099
1100         Implement WebAssembly module parser for WebAssembly files produced by pack-asmjs
1101         <https://github.com/WebAssembly/polyfill-prototype-1>. This patch only checks
1102         the magic number at the beginning of the files. Parsing of the rest will be
1103         implemented in a subsequent patch.
1104
1105         * CMakeLists.txt:
1106         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1107         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1108         * JavaScriptCore.xcodeproj/project.pbxproj:
1109         * jsc.cpp:
1110         (GlobalObject::finishCreation):
1111         (functionLoadWebAssembly):
1112         * parser/SourceProvider.h:
1113         (JSC::WebAssemblySourceProvider::create):
1114         (JSC::WebAssemblySourceProvider::data):
1115         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1116         * runtime/JSGlobalObject.cpp:
1117         (JSC::JSGlobalObject::init):
1118         (JSC::JSGlobalObject::visitChildren):
1119         * runtime/JSGlobalObject.h:
1120         (JSC::JSGlobalObject::wasmModuleStructure):
1121         * wasm/WASMMagicNumber.h: Added.
1122         * wasm/WASMModuleParser.cpp: Added.
1123         (JSC::WASMModuleParser::WASMModuleParser):
1124         (JSC::WASMModuleParser::parse):
1125         (JSC::WASMModuleParser::parseModule):
1126         (JSC::parseWebAssembly):
1127         * wasm/WASMModuleParser.h: Added.
1128         * wasm/WASMReader.cpp: Added.
1129         (JSC::WASMReader::readUnsignedInt32):
1130         (JSC::WASMReader::readFloat):
1131         (JSC::WASMReader::readDouble):
1132         * wasm/WASMReader.h: Added.
1133         (JSC::WASMReader::WASMReader):
1134
1135 2015-07-30  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1136
1137         Add the "wasm" directory to the Additional Include Directories for jsc.exe
1138         https://bugs.webkit.org/show_bug.cgi?id=147443
1139
1140         Reviewed by Mark Lam.
1141
1142         This patch should fix the "..\..\jsc.cpp(46): fatal error C1083:
1143         Cannot open include file: 'JSWASMModule.h'" error in the Windows build.
1144
1145         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
1146
1147 2015-07-30  Chris Dumez  <cdumez@apple.com>
1148
1149         Mark more classes as fast allocated
1150         https://bugs.webkit.org/show_bug.cgi?id=147440
1151
1152         Reviewed by Sam Weinig.
1153
1154         Mark more classes as fast allocated for performance. We heap-allocate
1155         objects of those types throughout the code base.
1156
1157         * API/JSCallbackObject.h:
1158         * API/ObjCCallbackFunction.mm:
1159         * bytecode/BytecodeKills.h:
1160         * bytecode/BytecodeLivenessAnalysis.h:
1161         * bytecode/CallLinkStatus.h:
1162         * bytecode/FullBytecodeLiveness.h:
1163         * bytecode/SamplingTool.h:
1164         * bytecompiler/BytecodeGenerator.h:
1165         * dfg/DFGBasicBlock.h:
1166         * dfg/DFGBlockMap.h:
1167         * dfg/DFGInPlaceAbstractState.h:
1168         * dfg/DFGThreadData.h:
1169         * heap/HeapVerifier.h:
1170         * heap/SlotVisitor.h:
1171         * parser/Lexer.h:
1172         * runtime/ControlFlowProfiler.h:
1173         * runtime/TypeProfiler.h:
1174         * runtime/TypeProfilerLog.h:
1175         * runtime/Watchdog.h:
1176
1177 2015-07-29  Filip Pizlo  <fpizlo@apple.com>
1178
1179         DFG::ArgumentsEliminationPhase should emit a PutStack for all of the GetStacks that the ByteCodeParser emitted
1180         https://bugs.webkit.org/show_bug.cgi?id=147433
1181         rdar://problem/21668986
1182
1183         Reviewed by Mark Lam.
1184
1185         Ideally, the ByteCodeParser would only emit SetArgument nodes for named arguments.  But
1186         currently that's not what it does - it emits a SetArgument for every argument that a varargs
1187         call may pass.  Each SetArgument gets turned into a GetStack.  This means that if
1188         ArgumentsEliminationPhase optimizes away PutStacks for those varargs arguments that didn't
1189         get passed or used, we get degenerate IR where we have a GetStack of something that didn't
1190         have a PutStack.
1191
1192         This fixes the bug by removing the code to optimize away PutStacks in
1193         ArgumentsEliminationPhase.
1194
1195         * dfg/DFGArgumentsEliminationPhase.cpp:
1196         * tests/stress/varargs-inlining-underflow.js: Added.
1197         (baz):
1198         (bar):
1199         (foo):
1200
1201 2015-07-29  Andy VanWagoner  <thetalecrafter@gmail.com>
1202
1203         Implement basic types for ECMAScript Internationalization API
1204         https://bugs.webkit.org/show_bug.cgi?id=146926
1205
1206         Reviewed by Benjamin Poulain.
1207
1208         Adds basic types for ECMA-402 2nd edition, but does not implement the full locale-aware features yet.
1209         http://www.ecma-international.org/ecma-402/2.0/ECMA-402.pdf
1210
1211         * CMakeLists.txt: Added new Intl files.
1212         * Configurations/FeatureDefines.xcconfig: Enable INTL.
1213         * DerivedSources.make: Added Intl files.
1214         * JavaScriptCore.xcodeproj/project.pbxproj: Added Intl files.
1215         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added Intl files.
1216         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added Intl files.
1217         * runtime/CommonIdentifiers.h: Added Collator, NumberFormat, and DateTimeFormat.
1218         * runtime/DateConstructor.cpp: Made Date.now public.
1219         * runtime/DateConstructor.h: Made Date.now public.
1220         * runtime/IntlCollator.cpp: Added.
1221         (JSC::IntlCollator::create):
1222         (JSC::IntlCollator::createStructure):
1223         (JSC::IntlCollator::IntlCollator):
1224         (JSC::IntlCollator::finishCreation):
1225         (JSC::IntlCollator::destroy):
1226         (JSC::IntlCollator::visitChildren):
1227         (JSC::IntlCollator::setBoundCompare):
1228         (JSC::IntlCollatorFuncCompare): Added placeholder implementation using codePointCompare.
1229         * runtime/IntlCollator.h: Added.
1230         (JSC::IntlCollator::constructor):
1231         (JSC::IntlCollator::boundCompare):
1232         * runtime/IntlCollatorConstructor.cpp: Added.
1233         (JSC::IntlCollatorConstructor::create):
1234         (JSC::IntlCollatorConstructor::createStructure):
1235         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
1236         (JSC::IntlCollatorConstructor::finishCreation):
1237         (JSC::constructIntlCollator): Added Collator constructor (10.1.2).
1238         (JSC::callIntlCollator): Added Collator constructor (10.1.2).
1239         (JSC::IntlCollatorConstructor::getConstructData):
1240         (JSC::IntlCollatorConstructor::getCallData):
1241         (JSC::IntlCollatorConstructor::getOwnPropertySlot):
1242         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
1243         (JSC::IntlCollatorConstructor::visitChildren):
1244         * runtime/IntlCollatorConstructor.h: Added.
1245         (JSC::IntlCollatorConstructor::collatorStructure):
1246         * runtime/IntlCollatorPrototype.cpp: Added.
1247         (JSC::IntlCollatorPrototype::create):
1248         (JSC::IntlCollatorPrototype::createStructure):
1249         (JSC::IntlCollatorPrototype::IntlCollatorPrototype):
1250         (JSC::IntlCollatorPrototype::finishCreation):
1251         (JSC::IntlCollatorPrototype::getOwnPropertySlot):
1252         (JSC::IntlCollatorPrototypeGetterCompare): Added compare getter (10.3.3).
1253         (JSC::IntlCollatorPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
1254         * runtime/IntlCollatorPrototype.h: Added.
1255         * runtime/IntlDateTimeFormat.cpp: Added.
1256         (JSC::IntlDateTimeFormat::create):
1257         (JSC::IntlDateTimeFormat::createStructure):
1258         (JSC::IntlDateTimeFormat::IntlDateTimeFormat):
1259         (JSC::IntlDateTimeFormat::finishCreation):
1260         (JSC::IntlDateTimeFormat::destroy):
1261         (JSC::IntlDateTimeFormat::visitChildren):
1262         (JSC::IntlDateTimeFormat::setBoundFormat):
1263         (JSC::IntlDateTimeFormatFuncFormatDateTime): Added placeholder implementation returning new Date(value).toString().
1264         * runtime/IntlDateTimeFormat.h: Added.
1265         (JSC::IntlDateTimeFormat::constructor):
1266         (JSC::IntlDateTimeFormat::boundFormat):
1267         * runtime/IntlDateTimeFormatConstructor.cpp: Added.
1268         (JSC::IntlDateTimeFormatConstructor::create):
1269         (JSC::IntlDateTimeFormatConstructor::createStructure):
1270         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
1271         (JSC::IntlDateTimeFormatConstructor::finishCreation):
1272         (JSC::constructIntlDateTimeFormat): Added DateTimeFormat constructor (12.1.2).
1273         (JSC::callIntlDateTimeFormat): Added DateTimeFormat constructor (12.1.2).
1274         (JSC::IntlDateTimeFormatConstructor::getConstructData):
1275         (JSC::IntlDateTimeFormatConstructor::getCallData):
1276         (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot):
1277         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
1278         (JSC::IntlDateTimeFormatConstructor::visitChildren):
1279         * runtime/IntlDateTimeFormatConstructor.h: Added.
1280         (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure):
1281         * runtime/IntlDateTimeFormatPrototype.cpp: Added.
1282         (JSC::IntlDateTimeFormatPrototype::create):
1283         (JSC::IntlDateTimeFormatPrototype::createStructure):
1284         (JSC::IntlDateTimeFormatPrototype::IntlDateTimeFormatPrototype):
1285         (JSC::IntlDateTimeFormatPrototype::finishCreation):
1286         (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot):
1287         (JSC::IntlDateTimeFormatPrototypeGetterFormat): Added format getter (12.3.3).
1288         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
1289         * runtime/IntlDateTimeFormatPrototype.h: Added.
1290         * runtime/IntlNumberFormat.cpp: Added.
1291         (JSC::IntlNumberFormat::create):
1292         (JSC::IntlNumberFormat::createStructure):
1293         (JSC::IntlNumberFormat::IntlNumberFormat):
1294         (JSC::IntlNumberFormat::finishCreation):
1295         (JSC::IntlNumberFormat::destroy):
1296         (JSC::IntlNumberFormat::visitChildren):
1297         (JSC::IntlNumberFormat::setBoundFormat):
1298         (JSC::IntlNumberFormatFuncFormatNumber): Added placeholder implementation returning Number(value).toString().
1299         * runtime/IntlNumberFormat.h: Added.
1300         (JSC::IntlNumberFormat::constructor):
1301         (JSC::IntlNumberFormat::boundFormat):
1302         * runtime/IntlNumberFormatConstructor.cpp: Added.
1303         (JSC::IntlNumberFormatConstructor::create):
1304         (JSC::IntlNumberFormatConstructor::createStructure):
1305         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
1306         (JSC::IntlNumberFormatConstructor::finishCreation):
1307         (JSC::constructIntlNumberFormat): Added NumberFormat constructor (11.1.2).
1308         (JSC::callIntlNumberFormat): Added NumberFormat constructor (11.1.2).
1309         (JSC::IntlNumberFormatConstructor::getConstructData):
1310         (JSC::IntlNumberFormatConstructor::getCallData):
1311         (JSC::IntlNumberFormatConstructor::getOwnPropertySlot):
1312         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
1313         (JSC::IntlNumberFormatConstructor::visitChildren):
1314         * runtime/IntlNumberFormatConstructor.h: Added.
1315         (JSC::IntlNumberFormatConstructor::numberFormatStructure):
1316         * runtime/IntlNumberFormatPrototype.cpp: Added.
1317         (JSC::IntlNumberFormatPrototype::create):
1318         (JSC::IntlNumberFormatPrototype::createStructure):
1319         (JSC::IntlNumberFormatPrototype::IntlNumberFormatPrototype):
1320         (JSC::IntlNumberFormatPrototype::finishCreation):
1321         (JSC::IntlNumberFormatPrototype::getOwnPropertySlot):
1322         (JSC::IntlNumberFormatPrototypeGetterFormat): Added format getter (11.3.3).
1323         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
1324         * runtime/IntlNumberFormatPrototype.h: Added.
1325         * runtime/IntlObject.cpp:
1326         (JSC::IntlObject::create):
1327         (JSC::IntlObject::finishCreation): Added Collator, NumberFormat, and DateTimeFormat properties (8.1).
1328         (JSC::IntlObject::visitChildren):
1329         * runtime/IntlObject.h:
1330         (JSC::IntlObject::collatorConstructor):
1331         (JSC::IntlObject::collatorPrototype):
1332         (JSC::IntlObject::collatorStructure):
1333         (JSC::IntlObject::numberFormatConstructor):
1334         (JSC::IntlObject::numberFormatPrototype):
1335         (JSC::IntlObject::numberFormatStructure):
1336         (JSC::IntlObject::dateTimeFormatConstructor):
1337         (JSC::IntlObject::dateTimeFormatPrototype):
1338         (JSC::IntlObject::dateTimeFormatStructure):
1339         * runtime/JSGlobalObject.cpp:
1340         (JSC::JSGlobalObject::init):
1341
1342 2015-07-29  Commit Queue  <commit-queue@webkit.org>
1343
1344         Unreviewed, rolling out r187550.
1345         https://bugs.webkit.org/show_bug.cgi?id=147420
1346
1347         Broke Windows build (again) (Requested by smfr on #webkit).
1348
1349         Reverted changeset:
1350
1351         "Implement WebAssembly module parser"
1352         https://bugs.webkit.org/show_bug.cgi?id=147293
1353         http://trac.webkit.org/changeset/187550
1354
1355 2015-07-29  Basile Clement  <basile_clement@apple.com>
1356
1357         Remove native call inlining
1358         https://bugs.webkit.org/show_bug.cgi?id=147417
1359
1360         Rubber Stamped by Filip Pizlo.
1361
1362         * CMakeLists.txt:
1363         * dfg/DFGAbstractInterpreterInlines.h:
1364         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
1365         * dfg/DFGByteCodeParser.cpp:
1366         (JSC::DFG::ByteCodeParser::handleCall): Deleted.
1367         * dfg/DFGClobberize.h:
1368         (JSC::DFG::clobberize): Deleted.
1369         * dfg/DFGDoesGC.cpp:
1370         (JSC::DFG::doesGC): Deleted.
1371         * dfg/DFGFixupPhase.cpp:
1372         (JSC::DFG::FixupPhase::fixupNode): Deleted.
1373         * dfg/DFGNode.h:
1374         (JSC::DFG::Node::hasHeapPrediction): Deleted.
1375         (JSC::DFG::Node::hasCellOperand): Deleted.
1376         * dfg/DFGNodeType.h:
1377         * dfg/DFGPredictionPropagationPhase.cpp:
1378         (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
1379         * dfg/DFGSafeToExecute.h:
1380         (JSC::DFG::safeToExecute): Deleted.
1381         * dfg/DFGSpeculativeJIT32_64.cpp:
1382         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1383         * dfg/DFGSpeculativeJIT64.cpp:
1384         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1385         * ftl/FTLCapabilities.cpp:
1386         (JSC::FTL::canCompile): Deleted.
1387         * ftl/FTLLowerDFGToLLVM.cpp:
1388         (JSC::FTL::DFG::LowerDFGToLLVM::lower): Deleted.
1389         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
1390         (JSC::FTL::DFG::LowerDFGToLLVM::compileNativeCallOrConstruct): Deleted.
1391         (JSC::FTL::DFG::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
1392         (JSC::FTL::DFG::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
1393         (JSC::FTL::DFG::LowerDFGToLLVM::didOverflowStack): Deleted.
1394         * ftl/FTLState.cpp:
1395         (JSC::FTL::State::State): Deleted.
1396         * ftl/FTLState.h:
1397         * runtime/BundlePath.cpp: Removed.
1398         (JSC::bundlePath): Deleted.
1399         * runtime/JSDataViewPrototype.cpp:
1400         (JSC::getData):
1401         (JSC::setData):
1402         * runtime/Options.h:
1403
1404 2015-07-29  Basile Clement  <basile_clement@apple.com>
1405
1406         Unreviewed, skipping a test that is too complex for its own good
1407         https://bugs.webkit.org/show_bug.cgi?id=147167
1408
1409         * tests/stress/math-pow-coherency.js:
1410
1411 2015-07-29  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1412
1413         Implement WebAssembly module parser
1414         https://bugs.webkit.org/show_bug.cgi?id=147293
1415
1416         Reviewed by Mark Lam.
1417
1418         Reupload the patch, since r187539 should fix the "Cannot open include file:
1419         'JSWASMModule.h'" issue in the Windows build.
1420
1421         * CMakeLists.txt:
1422         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1423         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1424         * JavaScriptCore.xcodeproj/project.pbxproj:
1425         * jsc.cpp:
1426         (GlobalObject::finishCreation):
1427         (functionLoadWebAssembly):
1428         * parser/SourceProvider.h:
1429         (JSC::WebAssemblySourceProvider::create):
1430         (JSC::WebAssemblySourceProvider::data):
1431         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1432         * runtime/JSGlobalObject.cpp:
1433         (JSC::JSGlobalObject::init):
1434         (JSC::JSGlobalObject::visitChildren):
1435         * runtime/JSGlobalObject.h:
1436         (JSC::JSGlobalObject::wasmModuleStructure):
1437         * wasm/WASMMagicNumber.h: Added.
1438         * wasm/WASMModuleParser.cpp: Added.
1439         (JSC::WASMModuleParser::WASMModuleParser):
1440         (JSC::WASMModuleParser::parse):
1441         (JSC::WASMModuleParser::parseModule):
1442         (JSC::parseWebAssembly):
1443         * wasm/WASMModuleParser.h: Added.
1444         * wasm/WASMReader.cpp: Added.
1445         (JSC::WASMReader::readUnsignedInt32):
1446         (JSC::WASMReader::readFloat):
1447         (JSC::WASMReader::readDouble):
1448         * wasm/WASMReader.h: Added.
1449         (JSC::WASMReader::WASMReader):
1450
1451 2015-07-29  Basile Clement  <basile_clement@apple.com>
1452
1453         Unreviewed, lower the number of test iterations to prevent timing out on Debug builds
1454         https://bugs.webkit.org/show_bug.cgi?id=147167
1455
1456         * tests/stress/math-pow-coherency.js:
1457
1458 2015-07-28  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1459
1460         Add the "wasm" directory to Visual Studio project files
1461         https://bugs.webkit.org/show_bug.cgi?id=147400
1462
1463         Reviewed by Simon Fraser.
1464
1465         This patch should fix the "Cannot open include file: 'JSWASMModule.h'" issue
1466         in the Windows build.
1467
1468         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1469         * JavaScriptCore.vcxproj/copy-files.cmd:
1470
1471 2015-07-28  Commit Queue  <commit-queue@webkit.org>
1472
1473         Unreviewed, rolling out r187531.
1474         https://bugs.webkit.org/show_bug.cgi?id=147397
1475
        Broke Windows build (Requested by smfr on #webkit).
1477
1478         Reverted changeset:
1479
1480         "Implement WebAssembly module parser"
1481         https://bugs.webkit.org/show_bug.cgi?id=147293
1482         http://trac.webkit.org/changeset/187531
1483
1484 2015-07-28  Benjamin Poulain  <bpoulain@apple.com>
1485
1486         Speed up the Stringifier::toJSON() fast case
1487         https://bugs.webkit.org/show_bug.cgi?id=147383
1488
1489         Reviewed by Andreas Kling.
1490
1491         * runtime/JSONObject.cpp:
1492         (JSC::Stringifier::toJSON):
1493         (JSC::Stringifier::toJSONImpl):
1494
1495 2015-07-28  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1496
1497         Implement WebAssembly module parser
1498         https://bugs.webkit.org/show_bug.cgi?id=147293
1499
1500         Reviewed by Geoffrey Garen.
1501
1502         Implement WebAssembly module parser for WebAssembly files produced by pack-asmjs
1503         <https://github.com/WebAssembly/polyfill-prototype-1>. This patch only checks
1504         the magic number at the beginning of the files. Parsing of the rest will be
1505         implemented in a subsequent patch.
1506
1507         * CMakeLists.txt:
1508         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1509         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1510         * JavaScriptCore.xcodeproj/project.pbxproj:
1511         * jsc.cpp:
1512         (GlobalObject::finishCreation):
1513         (functionLoadWebAssembly):
1514         * parser/SourceProvider.h:
1515         (JSC::WebAssemblySourceProvider::create):
1516         (JSC::WebAssemblySourceProvider::data):
1517         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1518         * runtime/JSGlobalObject.cpp:
1519         (JSC::JSGlobalObject::init):
1520         (JSC::JSGlobalObject::visitChildren):
1521         * runtime/JSGlobalObject.h:
1522         (JSC::JSGlobalObject::wasmModuleStructure):
1523         * wasm/WASMMagicNumber.h: Added.
1524         * wasm/WASMModuleParser.cpp: Added.
1525         (JSC::WASMModuleParser::WASMModuleParser):
1526         (JSC::WASMModuleParser::parse):
1527         (JSC::WASMModuleParser::parseModule):
1528         (JSC::parseWebAssembly):
1529         * wasm/WASMModuleParser.h: Added.
1530         * wasm/WASMReader.cpp: Added.
1531         (JSC::WASMReader::readUnsignedInt32):
1532         (JSC::WASMReader::readFloat):
1533         (JSC::WASMReader::readDouble):
1534         * wasm/WASMReader.h: Added.
1535         (JSC::WASMReader::WASMReader):
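
        The entry above (and its re-landing further up in this log) only describes the
        shape of the new reader and the magic-number check. The following is an added
        illustration, not JavaScriptCore's own WASMReader or WASMModuleParser code: a
        bounds-checked little-endian reader of the kind a parser for untrusted binary
        input needs, plus a header check that rejects short or mislabelled files. The
        magic-number constant, the `example` namespace and the constructed sample
        modules are assumptions for the demonstration; the real constant lives in
        wasm/WASMMagicNumber.h and is not reproduced here.

```cpp
// Added example; not the WebKit project's code. Shows a reader that never
// touches bytes outside its buffer, which is the property a parser for
// attacker-controlled files must have before it does anything else.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <string>
#include <vector>

namespace example {

// ASSUMED value for illustration only: ASCII "wasm" read as a little-endian uint32.
constexpr uint32_t kAssumedWasmMagicNumber = 0x6d736177;

class Reader {
public:
    Reader(const uint8_t* data, size_t length) : m_data(data), m_length(length), m_offset(0) {}

    // Every read checks the remaining length first, so a truncated file
    // produces a clean failure instead of an out-of-bounds read.
    bool readUnsignedInt32(uint32_t& result)
    {
        if (!hasBytes(sizeof(uint32_t)))
            return false;
        uint32_t value = 0;
        for (size_t i = 0; i < sizeof(uint32_t); ++i)
            value |= static_cast<uint32_t>(m_data[m_offset + i]) << (8 * i);
        m_offset += sizeof(uint32_t);
        result = value;
        return true;
    }

    bool readFloat(float& result)
    {
        uint32_t bits;
        if (!readUnsignedInt32(bits))
            return false;
        std::memcpy(&result, &bits, sizeof(result)); // reinterpret, no UB
        return true;
    }

    bool readDouble(double& result)
    {
        uint32_t low, high;
        if (!readUnsignedInt32(low) || !readUnsignedInt32(high))
            return false;
        uint64_t bits = (static_cast<uint64_t>(high) << 32) | low;
        std::memcpy(&result, &bits, sizeof(result));
        return true;
    }

    size_t offset() const { return m_offset; }

private:
    // Subtraction form: "m_offset + count <= m_length" can wrap for huge counts.
    bool hasBytes(size_t count) const { return count <= m_length - m_offset; }

    const uint8_t* m_data;
    size_t m_length;
    size_t m_offset;
};

struct ParseResult {
    bool ok;
    std::string error;
};

// As the entry describes, only the leading magic number is validated here;
// everything after it is left for later parsing.
ParseResult parseModuleHeader(const std::vector<uint8_t>& bytes)
{
    Reader reader(bytes.data(), bytes.size());
    uint32_t magic;
    if (!reader.readUnsignedInt32(magic))
        return { false, "File is too short to contain a magic number." };
    if (magic != kAssumedWasmMagicNumber)
        return { false, "Invalid magic number." };
    return { true, "" };
}

// Constructed sample inputs (not real module files).
std::vector<uint8_t> constructedGoodModule() { return { 0x77, 0x61, 0x73, 0x6d, 0x01, 0x00 }; }
std::vector<uint8_t> constructedBadMagicModule() { return { 0x00, 0x61, 0x73, 0x6d }; }
std::vector<uint8_t> constructedTruncatedModule() { return { 0x77, 0x61 }; }

// Decodes the little-endian IEEE-754 bytes of 1.5 (0x3FF8000000000000); returns NaN on failure.
double decodeSampleDouble()
{
    const uint8_t bytes[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF8, 0x3F };
    Reader reader(bytes, sizeof(bytes));
    double value;
    return reader.readDouble(value) ? value : std::numeric_limits<double>::quiet_NaN();
}

} // namespace example
```

        The point of the `hasBytes` subtraction is worth keeping in mind when reviewing
        any reader: an additive check can overflow on a hostile length and pass, while
        "count <= remaining" cannot.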
1536
1537 2015-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1538
1539         [ES6] Add ENABLE_ES6_MODULES compile time flag with the default value "false"
1540         https://bugs.webkit.org/show_bug.cgi?id=147350
1541
1542         Reviewed by Sam Weinig.
1543
1544         * Configurations/FeatureDefines.xcconfig:
1545
1546 2015-07-28  Saam barati  <saambarati1@gmail.com>
1547
1548         Make the type profiler work with lexical scoping and add tests
1549         https://bugs.webkit.org/show_bug.cgi?id=145438
1550
1551         Reviewed by Geoffrey Garen.
1552
1553         op_profile_type now knows how to resolve variables allocated within
1554         the local scope stack. This means it knows how to resolve "let"
1555         and "const" variables. Also, some refactoring was done inside
1556         the BytecodeGenerator to make writing code to support the type
1557         profiler much simpler and clearer.
1558
1559         * bytecode/CodeBlock.cpp:
1560         (JSC::CodeBlock::CodeBlock):
1561         * bytecode/CodeBlock.h:
1562         (JSC::CodeBlock::symbolTable): Deleted.
1563         * bytecode/UnlinkedCodeBlock.h:
1564         (JSC::UnlinkedCodeBlock::addExceptionHandler):
1565         (JSC::UnlinkedCodeBlock::exceptionHandler):
1566         (JSC::UnlinkedCodeBlock::vm):
1567         (JSC::UnlinkedCodeBlock::addArrayProfile):
1568         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex): Deleted.
1569         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex): Deleted.
1570         * bytecompiler/BytecodeGenerator.cpp:
1571         (JSC::BytecodeGenerator::BytecodeGenerator):
1572         (JSC::BytecodeGenerator::emitMove):
1573         (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
1574         (JSC::BytecodeGenerator::emitProfileType):
1575         (JSC::BytecodeGenerator::emitProfileControlFlow):
1576         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1577         * bytecompiler/BytecodeGenerator.h:
1578         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
1579         * bytecompiler/NodesCodegen.cpp:
1580         (JSC::ThisNode::emitBytecode):
1581         (JSC::ResolveNode::emitBytecode):
1582         (JSC::BracketAccessorNode::emitBytecode):
1583         (JSC::DotAccessorNode::emitBytecode):
1584         (JSC::FunctionCallValueNode::emitBytecode):
1585         (JSC::FunctionCallResolveNode::emitBytecode):
1586         (JSC::FunctionCallBracketNode::emitBytecode):
1587         (JSC::FunctionCallDotNode::emitBytecode):
1588         (JSC::CallFunctionCallDotNode::emitBytecode):
1589         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1590         (JSC::PostfixNode::emitResolve):
1591         (JSC::PostfixNode::emitBracket):
1592         (JSC::PostfixNode::emitDot):
1593         (JSC::PrefixNode::emitResolve):
1594         (JSC::PrefixNode::emitBracket):
1595         (JSC::PrefixNode::emitDot):
1596         (JSC::ReadModifyResolveNode::emitBytecode):
1597         (JSC::AssignResolveNode::emitBytecode):
1598         (JSC::AssignDotNode::emitBytecode):
1599         (JSC::ReadModifyDotNode::emitBytecode):
1600         (JSC::AssignBracketNode::emitBytecode):
1601         (JSC::ReadModifyBracketNode::emitBytecode):
1602         (JSC::EmptyVarExpression::emitBytecode):
1603         (JSC::EmptyLetExpression::emitBytecode):
1604         (JSC::ForInNode::emitLoopHeader):
1605         (JSC::ForOfNode::emitBytecode):
1606         (JSC::ReturnNode::emitBytecode):
1607         (JSC::FunctionNode::emitBytecode):
1608         (JSC::BindingNode::bindValue):
1609         * dfg/DFGSpeculativeJIT32_64.cpp:
1610         (JSC::DFG::SpeculativeJIT::compile):
1611         * dfg/DFGSpeculativeJIT64.cpp:
1612         (JSC::DFG::SpeculativeJIT::compile):
1613         * jit/JITOpcodes.cpp:
1614         (JSC::JIT::emit_op_profile_type):
1615         * jit/JITOpcodes32_64.cpp:
1616         (JSC::JIT::emit_op_profile_type):
1617         * llint/LowLevelInterpreter32_64.asm:
1618         * llint/LowLevelInterpreter64.asm:
1619         * tests/typeProfiler/es6-block-scoping.js: Added.
1620         (noop):
1621         (arr):
1622         (wrapper.changeFoo):
1623         (wrapper.scoping):
1624         (wrapper.scoping2):
1625         (wrapper):
1626         * tests/typeProfiler/es6-classes.js: Added.
1627         (noop):
1628         (wrapper.Animal):
1629         (wrapper.Animal.prototype.methodA):
1630         (wrapper.Dog):
1631         (wrapper.Dog.prototype.methodB):
1632         (wrapper):
1633
1634 2015-07-28  Saam barati  <saambarati1@gmail.com>
1635
1636         Implement catch scope using lexical scoping constructs introduced with "let" scoping patch
1637         https://bugs.webkit.org/show_bug.cgi?id=146979
1638
1639         Reviewed by Geoffrey Garen.
1640
1641         Now that BytecodeGenerator has a notion of local scope depth,
1642         we can easily implement a catch scope that doesn't claim that
1643         all variables are dynamically scoped. This means that functions
1644         that use try/catch can have local variable resolution. This also
1645         means that all functions that use try/catch don't have all
1646         their variables marked as being captured.
1647
        Catch scopes now behave like a "let" scope (sans the TDZ logic) with a
        single variable. Catch scopes are now just JSLexicalEnvironments and the
        symbol table backing the catch scope knows that it corresponds to a catch scope.
1651
1652         * CMakeLists.txt:
1653         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1654         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1655         * JavaScriptCore.xcodeproj/project.pbxproj:
1656         * bytecode/CodeBlock.cpp:
1657         (JSC::CodeBlock::dumpBytecode):
1658         * bytecode/EvalCodeCache.h:
1659         (JSC::EvalCodeCache::isCacheable):
1660         * bytecompiler/BytecodeGenerator.cpp:
1661         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1662         (JSC::BytecodeGenerator::emitLoadGlobalObject):
1663         (JSC::BytecodeGenerator::pushLexicalScope):
1664         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1665         (JSC::BytecodeGenerator::popLexicalScope):
1666         (JSC::BytecodeGenerator::popLexicalScopeInternal):
1667         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1668         (JSC::BytecodeGenerator::variable):
1669         (JSC::BytecodeGenerator::resolveType):
1670         (JSC::BytecodeGenerator::emitResolveScope):
1671         (JSC::BytecodeGenerator::emitPopScope):
1672         (JSC::BytecodeGenerator::emitPopWithScope):
1673         (JSC::BytecodeGenerator::emitDebugHook):
1674         (JSC::BytecodeGenerator::popScopedControlFlowContext):
1675         (JSC::BytecodeGenerator::emitPushCatchScope):
1676         (JSC::BytecodeGenerator::emitPopCatchScope):
1677         (JSC::BytecodeGenerator::beginSwitch):
1678         (JSC::BytecodeGenerator::emitPopWithOrCatchScope): Deleted.
1679         * bytecompiler/BytecodeGenerator.h:
1680         (JSC::BytecodeGenerator::lastOpcodeID):
1681         * bytecompiler/NodesCodegen.cpp:
1682         (JSC::AssignResolveNode::emitBytecode):
1683         (JSC::WithNode::emitBytecode):
1684         (JSC::TryNode::emitBytecode):
1685         * debugger/DebuggerScope.cpp:
1686         (JSC::DebuggerScope::isCatchScope):
1687         (JSC::DebuggerScope::isFunctionNameScope):
1688         (JSC::DebuggerScope::isFunctionOrEvalScope):
1689         (JSC::DebuggerScope::caughtValue):
1690         * debugger/DebuggerScope.h:
1691         * inspector/ScriptDebugServer.cpp:
1692         (Inspector::ScriptDebugServer::exceptionOrCaughtValue):
1693         * interpreter/Interpreter.cpp:
1694         (JSC::Interpreter::execute):
1695         * jit/JITOpcodes.cpp:
1696         (JSC::JIT::emit_op_push_name_scope):
1697         * jit/JITOpcodes32_64.cpp:
1698         (JSC::JIT::emit_op_push_name_scope):
1699         * jit/JITOperations.cpp:
1700         * jit/JITOperations.h:
1701         * parser/ASTBuilder.h:
1702         (JSC::ASTBuilder::createContinueStatement):
1703         (JSC::ASTBuilder::createTryStatement):
1704         * parser/NodeConstructors.h:
1705         (JSC::ThrowNode::ThrowNode):
1706         (JSC::TryNode::TryNode):
1707         (JSC::FunctionParameters::FunctionParameters):
1708         * parser/Nodes.h:
1709         * parser/Parser.cpp:
1710         (JSC::Parser<LexerType>::parseTryStatement):
1711         * parser/SyntaxChecker.h:
1712         (JSC::SyntaxChecker::createBreakStatement):
1713         (JSC::SyntaxChecker::createContinueStatement):
1714         (JSC::SyntaxChecker::createTryStatement):
1715         (JSC::SyntaxChecker::createSwitchStatement):
1716         (JSC::SyntaxChecker::createWhileStatement):
1717         (JSC::SyntaxChecker::createWithStatement):
1718         * runtime/JSCatchScope.cpp:
1719         * runtime/JSCatchScope.h:
1720         (JSC::JSCatchScope::JSCatchScope): Deleted.
1721         (JSC::JSCatchScope::create): Deleted.
1722         (JSC::JSCatchScope::createStructure): Deleted.
1723         * runtime/JSFunctionNameScope.h:
1724         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1725         * runtime/JSGlobalObject.cpp:
1726         (JSC::JSGlobalObject::init):
1727         (JSC::JSGlobalObject::visitChildren):
1728         * runtime/JSGlobalObject.h:
1729         (JSC::JSGlobalObject::withScopeStructure):
1730         (JSC::JSGlobalObject::strictEvalActivationStructure):
1731         (JSC::JSGlobalObject::activationStructure):
1732         (JSC::JSGlobalObject::functionNameScopeStructure):
1733         (JSC::JSGlobalObject::directArgumentsStructure):
1734         (JSC::JSGlobalObject::scopedArgumentsStructure):
1735         (JSC::JSGlobalObject::catchScopeStructure): Deleted.
1736         * runtime/JSNameScope.cpp:
1737         (JSC::JSNameScope::create):
1738         (JSC::JSNameScope::toThis):
1739         * runtime/JSNameScope.h:
1740         * runtime/JSObject.cpp:
1741         (JSC::JSObject::toThis):
1742         (JSC::JSObject::isFunctionNameScopeObject):
1743         (JSC::JSObject::isCatchScopeObject): Deleted.
1744         * runtime/JSObject.h:
1745         * runtime/JSScope.cpp:
1746         (JSC::JSScope::collectVariablesUnderTDZ):
1747         (JSC::JSScope::isLexicalScope):
1748         (JSC::JSScope::isCatchScope):
1749         (JSC::resolveModeName):
1750         * runtime/JSScope.h:
1751         * runtime/SymbolTable.cpp:
1752         (JSC::SymbolTable::SymbolTable):
1753         (JSC::SymbolTable::cloneScopePart):
1754         * runtime/SymbolTable.h:
1755         * tests/stress/const-semantics.js:
1756         (.):
1757
1758 2015-07-28  Filip Pizlo  <fpizlo@apple.com>
1759
1760         DFG::ArgumentsEliminationPhase has a redundant check for inserting CheckInBounds when converting GetByVal to GetStack in the inline non-varargs case
1761         https://bugs.webkit.org/show_bug.cgi?id=147373
1762
1763         Reviewed by Mark Lam.
1764
1765         The code was doing a check for "index >= inlineCallFrame->arguments.size() - 1" in code where
1766         safeToGetStack is true and we aren't in varargs context, but in a non-varargs context,
1767         safeToGetStack can only be true if "index < inlineCallFrame->arguments.size() - 1".
1768
1769         When converting a GetByVal to GetStack, there are three possibilities:
1770
1771         1) Impossible to convert. This can happen if the GetByVal is out-of-bounds of the things we
1772            know to have stored to the stack. For example, if we inline a function that does
1773            "arguments[42]" at a call that passes no arguments.
1774
1775         2) Possible to convert, but we cannot prove statically that the GetByVal was in bounds. This
1776            can happen for "arguments[42]" with no inline call frame (since we don't know statically
1777            how many arguments we will be passed) or in a varargs call frame.
1778
1779         3) Possible to convert, and we know statically that the GetByVal is in bounds. This can
1780            happen for "arguments[42]" if we have an inline call frame, and it's not a varargs call
1781            frame, and we know that the caller passed 42 or more arguments.
1782
1783         The way the phase handles this is it first determines that we're not in case (1). This is
1784         called safeToGetStack. safeToGetStack is true if we have case (2) or (3). For inline call
1785         frames that have no varargs, this means that safeToGetStack is true exactly when the GetByVal
1786         is in-bounds (i.e. case (3)).
1787
1788         But the phase was again doing a check for whether the index is in-bounds for non-varargs
1789         inline call frames even when safeToGetStack was true. That check is redundant and should be
1790         eliminated, since it makes the code confusing.
1791
1792         * dfg/DFGArgumentsEliminationPhase.cpp:
1793
1794 2015-07-28  Filip Pizlo  <fpizlo@apple.com>
1795
1796         DFG::PutStackSinkingPhase should be more aggressive about its "no GetStack until put" rule
1797         https://bugs.webkit.org/show_bug.cgi?id=147371
1798
1799         Reviewed by Mark Lam.
1800
1801         Two fixes:
1802
1803         - Make ConflictingFlush really mean that you can't load from the stack slot. This means not
1804           using ConflictingFlush for arguments.
1805
1806         - Assert that a GetStack never sees ConflictingFlush.
1807
1808         * dfg/DFGPutStackSinkingPhase.cpp:
1809
1810 2015-07-28  Basile Clement  <basile_clement@apple.com>
1811
1812         Misleading error message: "At least one digit must occur after a decimal point"
1813         https://bugs.webkit.org/show_bug.cgi?id=146238
1814
1815         Reviewed by Geoffrey Garen.
1816
1817         Interestingly, we had a comment explaining what this error message was
1818         about that is much clearer than the error message itself. This patch
1819         simply replaces the error message with the explanation from the
1820         comment.
1821
1822         * parser/Lexer.cpp:
1823         (JSC::Lexer<T>::lex):
1824
1825 2015-07-28  Basile Clement  <basile_clement@apple.com>
1826
1827         Simplify call linking
1828         https://bugs.webkit.org/show_bug.cgi?id=147363
1829
1830         Reviewed by Filip Pizlo.
1831
1832         Previously, we were passing both the CallLinkInfo and a
1833         (CodeSpecializationKind, RegisterPreservationMode) pair to the
1834         different call linking slow paths. However, the CallLinkInfo already
1835         has all of that information, and we don't gain anything by having them
1836         in additional static parameters - except possibly a very small
1837         performance gain in presence of inlining. However since those are
1838         already slow paths, this performance loss (if it exists) will not be
1839         visible in practice.
1840
        This patch replaces the various specialized thunks and JIT operations
        for regular and polymorphic call linking with a single thunk and
        operation for each case. Moreover, it replaces the four specialized
        virtual call thunks and operations with one virtual call thunk for each
        call link info, allowing for better branch prediction by the CPU and
        fixing a pre-existing FIXME.
1847
1848         * bytecode/CallLinkInfo.cpp:
1849         (JSC::CallLinkInfo::unlink):
1850         (JSC::CallLinkInfo::dummy): Deleted.
1851         * bytecode/CallLinkInfo.h:
1852         (JSC::CallLinkInfo::CallLinkInfo):
1853         (JSC::CallLinkInfo::registerPreservationMode):
1854         (JSC::CallLinkInfo::setUpCallFromFTL):
1855         (JSC::CallLinkInfo::setSlowStub):
1856         (JSC::CallLinkInfo::clearSlowStub):
1857         (JSC::CallLinkInfo::slowStub):
1858         * dfg/DFGDriver.cpp:
1859         (JSC::DFG::compileImpl):
1860         * dfg/DFGJITCompiler.cpp:
1861         (JSC::DFG::JITCompiler::link):
1862         * ftl/FTLJSCallBase.cpp:
1863         (JSC::FTL::JSCallBase::link):
1864         * jit/JITCall.cpp:
1865         (JSC::JIT::compileCallEvalSlowCase):
1866         (JSC::JIT::compileOpCall):
1867         (JSC::JIT::compileOpCallSlowCase):
1868         * jit/JITCall32_64.cpp:
1869         (JSC::JIT::compileCallEvalSlowCase):
1870         (JSC::JIT::compileOpCall):
1871         (JSC::JIT::compileOpCallSlowCase):
1872         * jit/JITOperations.cpp:
1873         * jit/JITOperations.h:
1874         (JSC::operationLinkFor): Deleted.
1875         (JSC::operationVirtualFor): Deleted.
1876         (JSC::operationLinkPolymorphicCallFor): Deleted.
1877         * jit/Repatch.cpp:
1878         (JSC::generateByIdStub):
1879         (JSC::linkSlowFor):
1880         (JSC::linkFor):
1881         (JSC::revertCall):
1882         (JSC::unlinkFor):
1883         (JSC::linkVirtualFor):
1884         (JSC::linkPolymorphicCall):
1885         * jit/Repatch.h:
1886         * jit/ThunkGenerators.cpp:
1887         (JSC::linkCallThunkGenerator):
1888         (JSC::linkPolymorphicCallThunkGenerator):
1889         (JSC::virtualThunkFor):
1890         (JSC::linkForThunkGenerator): Deleted.
1891         (JSC::linkConstructThunkGenerator): Deleted.
1892         (JSC::linkCallThatPreservesRegsThunkGenerator): Deleted.
1893         (JSC::linkConstructThatPreservesRegsThunkGenerator): Deleted.
1894         (JSC::linkPolymorphicCallForThunkGenerator): Deleted.
1895         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator): Deleted.
1896         (JSC::virtualForThunkGenerator): Deleted.
1897         (JSC::virtualCallThunkGenerator): Deleted.
1898         (JSC::virtualConstructThunkGenerator): Deleted.
1899         (JSC::virtualCallThatPreservesRegsThunkGenerator): Deleted.
1900         (JSC::virtualConstructThatPreservesRegsThunkGenerator): Deleted.
1901         * jit/ThunkGenerators.h:
1902         (JSC::linkThunkGeneratorFor): Deleted.
1903         (JSC::linkPolymorphicCallThunkGeneratorFor): Deleted.
1904         (JSC::virtualThunkGeneratorFor): Deleted.
1905
1906 2015-07-28  Basile Clement  <basile_clement@apple.com>
1907
1908         stress/math-pow-with-constants.js fails in cloop
1909         https://bugs.webkit.org/show_bug.cgi?id=147167
1910
1911         Reviewed by Geoffrey Garen.
1912
1913         Baseline JIT, DFG and FTL are using a fast exponentiation fast path
1914         when computing Math.pow() with an integer exponent that is not taken in
1915         the LLInt (or the DFG abstract interpreter). This leads to the result
1916         of pow changing depending on the compilation tier or the fact that
1917         constant propagation kicks in, which is undesirable.
1918
1919         This patch adds the fast path to the slow operationMathPow in order to
1920         maintain an illusion of consistency.
1921
1922         * runtime/MathCommon.cpp:
1923         (JSC::operationMathPow):
1924         * tests/stress/math-pow-coherency.js: Added.
1925         (pow42):
1926         (build42AsDouble.opaqueAdd):
1927         (build42AsDouble):
1928         (powDouble42):
1929         (clobber):
1930         (pow42NoConstantFolding):
1931         (powDouble42NoConstantFolding):
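An added example (not the patch's math-pow-coherency.js test): it checks the property the entry is about, namely that Math.pow with an integer exponent gives one answer whether the exponent is a literal or built at runtime, and that the answer does not change across repeated calls as the function gets recompiled. The exponentiation-by-squaring routine is an assumed reference, not JSC's operationMathPow.

```javascript
// Exponentiation by squaring: an assumed oracle for the integer-exponent
// fast path, used only to cross-check the exact cases (powers of two).
function powBySquaring(base, exponent) {
  let result = 1;
  let b = base;
  let e = exponent;
  while (e > 0) {
    if (e & 1) result *= b;
    b *= b;
    e >>= 1;
  }
  return result;
}

// Exponent known at parse time: a JIT may constant-fold this call.
function pow42(x) {
  return Math.pow(x, 42);
}

// Exponent assembled at runtime through an opaque helper so that nothing
// can fold it to a constant.
function opaqueAdd(a, b) {
  return a + b;
}

function build42() {
  let n = 0;
  for (let i = 0; i < 42; i++) n = opaqueAdd(n, 1);
  return n;
}

function powNoConstantFolding(x) {
  return Math.pow(x, build42());
}

// Call both forms `iterations` times (enough for a tiering engine to
// recompile them) and report whether every result agreed with the first.
// A disagreement is exactly the tier-dependent result the entry describes.
function checkPowCoherency(base, iterations) {
  const first = pow42(base);
  for (let i = 0; i < iterations; i++) {
    const folded = pow42(base);
    const unfolded = powNoConstantFolding(base);
    if (folded !== first || unfolded !== first) {
      return { coherent: false, first, folded, unfolded };
    }
  }
  return {
    coherent: true,
    first,
    // Only meaningful when the result is exactly representable (e.g. base 2).
    matchesReference: first === powBySquaring(base, 42),
  };
}
```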
1932
1933 2015-07-28  Joseph Pecoraro  <pecoraro@apple.com>
1934
1935         Web Inspector: Show Pseudo Elements in DOM Tree
1936         https://bugs.webkit.org/show_bug.cgi?id=139612
1937
1938         Reviewed by Timothy Hatcher.
1939
1940         * inspector/protocol/DOM.json:
1941         Add new properties to DOMNode if it is a pseudo element or if it has
1942         pseudo element children. Add new events for if a pseudo element is
1943         added or removed dynamically to an existing DOMNode.
1944
1945 2015-07-27  Filip Pizlo  <fpizlo@apple.com>
1946
1947         Add logging when executable code gets deallocated
1948         https://bugs.webkit.org/show_bug.cgi?id=147355
1949
1950         Reviewed by Mark Lam.
1951
1952         * ftl/FTLJITCode.cpp:
1953         (JSC::FTL::JITCode::~JITCode): Print something when this is freed.
1954         * jit/JITCode.cpp:
1955         (JSC::JITCodeWithCodeRef::~JITCodeWithCodeRef): Print something when this is freed.
1956
1957 2015-07-27  Filip Pizlo  <fpizlo@apple.com>
1958
1959         DFG::safeToExecute() cases for GetByOffset/PutByOffset don't handle clobbered structure abstract values correctly
1960         https://bugs.webkit.org/show_bug.cgi?id=147354
1961
1962         Reviewed by Michael Saboff.
1963
1964         If m_structure.isClobbered(), it means that we had a side effect that clobbered
1965         the abstract value but it may recover back to its original value at the next
1966         invalidation point. Since the invalidation point hasn't been reached yet, we need
1967         to conservatively treat the clobbered state as if it was top. At the invalidation
1968         point, the clobbered set will return back to being unclobbered.
1969
1970         In addition to fixing the bug, this introduces isInfinite(), which should be used
1971         in places where it's tempting to just use isTop().
1972
1973         * dfg/DFGSafeToExecute.h:
1974         (JSC::DFG::safeToExecute): Fix the bug.
1975         * dfg/DFGStructureAbstractValue.cpp:
1976         (JSC::DFG::StructureAbstractValue::contains): Switch to using isInfinite().
1977         (JSC::DFG::StructureAbstractValue::isSubsetOf): Switch to using isInfinite().
1978         (JSC::DFG::StructureAbstractValue::isSupersetOf): Switch to using isInfinite().
1979         (JSC::DFG::StructureAbstractValue::overlaps): Switch to using isInfinite().
1980         * dfg/DFGStructureAbstractValue.h:
1981         (JSC::DFG::StructureAbstractValue::isFinite): New convenience method.
1982         (JSC::DFG::StructureAbstractValue::isInfinite): New convenience method.
1983         (JSC::DFG::StructureAbstractValue::onlyStructure): Switch to using isInfinite().
1984
1985 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1986
1987         [ES6] Implement Reflect.enumerate
1988         https://bugs.webkit.org/show_bug.cgi?id=147347
1989
1990         Reviewed by Sam Weinig.
1991
1992         This patch implements Reflect.enumerate.
1993         It returns the iterator that iterates the enumerable keys of the given object.
1994         It follows the for-in's enumeration order.
1995
1996         To implement it, we write down the same logic as the for-in enumeration code in C++.
1997
1998         * CMakeLists.txt:
1999         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2000         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2001         * JavaScriptCore.xcodeproj/project.pbxproj:
2002         * runtime/JSGlobalObject.cpp:
2003         (JSC::JSGlobalObject::init):
2004         (JSC::JSGlobalObject::visitChildren):
2005         * runtime/JSGlobalObject.h:
2006         (JSC::JSGlobalObject::propertyNameIteratorStructure):
2007         * runtime/JSPropertyNameIterator.cpp: Added.
2008         (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
2009         (JSC::JSPropertyNameIterator::clone):
2010         (JSC::JSPropertyNameIterator::create):
2011         (JSC::JSPropertyNameIterator::finishCreation):
2012         (JSC::JSPropertyNameIterator::visitChildren):
2013         (JSC::JSPropertyNameIterator::next):
2014         (JSC::propertyNameIteratorFuncNext):
2015         * runtime/JSPropertyNameIterator.h: Added.
2016         (JSC::JSPropertyNameIterator::createStructure):
2017         * runtime/ReflectObject.cpp:
2018         (JSC::reflectObjectEnumerate):
2019         * tests/stress/reflect-enumerate.js: Added.
2020         (shouldBe):
2021         (shouldThrow):
2022
2023 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2024
2025         [ES6] Implement Reflect.preventExtensions
2026         https://bugs.webkit.org/show_bug.cgi?id=147331
2027
2028         Reviewed by Sam Weinig.
2029
2030         Implement Reflect.preventExtensions.
2031         This is different from Object.preventExtensions.
2032
2033         1. When preventExtensions is called on a non-object, it raises a TypeError.
2034         2. Reflect.preventExtensions does not raise a TypeError when the preventExtensions operation fails.
2035
2036         For the (2) case, since there is no Proxy implementation currently, Reflect.preventExtensions always succeeds.
2037
2038         * runtime/ReflectObject.cpp:
2039         (JSC::reflectObjectPreventExtensions):
2040         * tests/stress/reflect-prevent-extensions.js: Added.
2041         (shouldBe):
2042         (shouldThrow):
2043
2044 2015-07-27  Alex Christensen  <achristensen@webkit.org>
2045
2046         Use Ninja on Windows.
2047         https://bugs.webkit.org/show_bug.cgi?id=147228
2048
2049         Reviewed by Martin Robinson.
2050
2051         * CMakeLists.txt:
2052         Set the working directory when generating LowLevelInterpreterWin.asm to put LowLevelInterpreterWin.asm.sym in the right place.
2053
2054 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2055
2056         SparseValueMap check is skipped when the butterfly's vectorLength is larger than the access-requested index
2057         https://bugs.webkit.org/show_bug.cgi?id=147265
2058
2059         Reviewed by Geoffrey Garen.
2060
2061         JSObject's vector holds the indexed values and we leverage it to represent stored values and holes.
2062         By checking that the given index is in-bound of the vector's length, we can look up the property fast.
2063         And for the sparse array, we also have the separate SparseValueMap to hold the pairs.
2064         And we need to take care that the length of the vector does not overlap the indices stored in the SparseValueMap.
2065
2066         The vector only holds the pure JS values to avoid additional checking for accessors when looking up the value
2067         from the vector. To achieve this, we also store the accessors (and attributed properties) in the SparseValueMap
2068         even when the index is less than MIN_SPARSE_ARRAY_INDEX.
2069
2070         As a result, if the length of the vector overlaps the indices of the accessors stored in the SparseValueMap,
2071         we accidentally skip the phase looking up from the SparseValueMap. Instead, we just load from the vector and
2072         if the loaded value is an array hole, we decide the given object does not have the value for the given index.
2073
2074         This patch fixes the problem.
2075         When defining an attributed value whose index is smaller than the length of the vector, we throw away the vector
2076         and change the object to DictionaryIndexingMode. Since we can assume that indexed accessors rarely exist in
2077         practice, we expect this does not hurt the performance while keeping the fast property access system without
2078         checking the sparse map.
2079
2080         * runtime/JSObject.cpp:
2081         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2082         * tests/stress/sparse-map-non-overlapping.js: Added.
2083         (shouldBe):
2084         (testing):
2085         (object.get 1000):
2086         * tests/stress/sparse-map-non-skip-getter-overriding.js: Added.
2087         (shouldBe):
2088         (obj.get 1):
2089         (testing):
2090         * tests/stress/sparse-map-non-skip.js: Added.
2091         (shouldBe):
2092         (testing):
2093         (testing2):
2094         (.get for):
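An added example, not the patch's own stress tests, that exercises the lookup path the entry describes: an accessor or a non-writable (attributed) property defined at an index that lies inside the object's dense vector must still be found through the sparse map, not read back as a hole from the vector. The helper names are my own.

```javascript
// Dense indexed storage (indices 0..9 live in the vector), then an accessor
// at an index that is below the vector's length.
function makeDenseArrayWithGetter() {
  const arr = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9];
  Object.defineProperty(arr, 1, {
    get() { return "from getter"; },
    configurable: true,
    enumerable: true,
  });
  return arr;
}

// Same shape on a plain object: indexed properties below
// MIN_SPARSE_ARRAY_INDEX that nevertheless get dense storage.
function makeObjectWithIndexedGetter() {
  const obj = {};
  for (let i = 0; i < 20; i++) obj[i] = i;
  Object.defineProperty(obj, 5, { get() { return 42; }, configurable: true });
  return obj;
}

// Every observable way of asking "does index exist, and what is it?".
// Before the fix the vector slot was a hole, so `value` was undefined and
// `has` was false even though the accessor existed in the sparse map.
function lookupResults(obj, index) {
  const desc = Object.getOwnPropertyDescriptor(obj, index);
  return {
    value: obj[index],
    has: index in obj,
    hasOwn: Object.prototype.hasOwnProperty.call(obj, index),
    descriptorIsAccessor: desc !== undefined && typeof desc.get === "function",
  };
}

// Attributed data property (non-writable) inside the vector's length.
function makeArrayWithReadOnlyIndex() {
  const arr = [0, 1, 2, 3, 4, 5];
  Object.defineProperty(arr, 2, {
    value: "locked",
    writable: false,
    configurable: false,
    enumerable: true,
  });
  return arr;
}

// A strict-mode write to a read-only index must throw a TypeError and leave
// the stored value untouched; skipping the sparse map would make the write
// land in the vector instead.
function tryOverwrite(arr, index, newValue) {
  "use strict";
  try {
    arr[index] = newValue;
    return { threw: false, value: arr[index] };
  } catch (e) {
    return { threw: e instanceof TypeError, value: arr[index] };
  }
}
```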
2095
2096 2015-07-27  Saam barati  <saambarati1@gmail.com>
2097
2098         Reduce execution time for "let" and "const" tests
2099         https://bugs.webkit.org/show_bug.cgi?id=147291
2100
2101         Reviewed by Geoffrey Garen.
2102
2103         We don't need to loop so many times for things that will not make it 
2104         into the DFG.  Also, we can loop a lot less for almost all the tests 
2105         because they're mostly testing the bytecode generator.
2106
2107         * tests/stress/const-and-with-statement.js:
2108         * tests/stress/const-exception-handling.js:
2109         * tests/stress/const-loop-semantics.js:
2110         * tests/stress/const-not-strict-mode.js:
2111         * tests/stress/const-semantics.js:
2112         * tests/stress/const-tdz.js:
2113         * tests/stress/lexical-let-and-with-statement.js:
2114         * tests/stress/lexical-let-exception-handling.js:
2115         (assert):
2116         * tests/stress/lexical-let-loop-semantics.js:
2117         (assert):
2118         (shouldThrowTDZ):
2119         (.):
2120         * tests/stress/lexical-let-not-strict-mode.js:
2121         * tests/stress/lexical-let-semantics.js:
2122         (.):
2123         * tests/stress/lexical-let-tdz.js:
2124         (shouldThrowTDZ):
2125         (.):
2126
2127 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2128
2129         Rename PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols
2130         https://bugs.webkit.org/show_bug.cgi?id=147311
2131
2132         Reviewed by Sam Weinig.
2133
2134         To make the meaning clear in the user side (PropertyNameArray array(exec, PropertyNameMode::StringsAndSymbols)),
2135         this patch renames PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols.
2136
2137         * bytecode/ObjectAllocationProfile.h:
2138         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2139         * runtime/EnumerationMode.h:
2140         * runtime/ObjectConstructor.cpp:
2141         (JSC::ownEnumerablePropertyKeys):
2142         (JSC::defineProperties):
2143         (JSC::objectConstructorSeal):
2144         (JSC::objectConstructorFreeze):
2145         (JSC::objectConstructorIsSealed):
2146         (JSC::objectConstructorIsFrozen):
2147         (JSC::ownPropertyKeys):
2148         * runtime/ReflectObject.cpp:
2149         (JSC::reflectObjectOwnKeys):
2150
2151 2015-07-27  Saam barati  <saambarati1@gmail.com>
2152
2153         Added a comment explaining that all "addVar()"s should happen before
2154         emitting bytecode for a function's default parameter expressions
2155
2156         Rubber Stamped by Mark Lam.
2157
2158         * bytecompiler/BytecodeGenerator.cpp:
2159         (JSC::BytecodeGenerator::BytecodeGenerator):
2160
2161 2015-07-26  Sam Weinig  <sam@webkit.org>
2162
2163         Add missing builtin files to the JavaScriptCore Xcode project
2164         https://bugs.webkit.org/show_bug.cgi?id=147312
2165
2166         Reviewed by Darin Adler.
2167
2168         * JavaScriptCore.xcodeproj/project.pbxproj:
2169         Add missing files.
2170
2171 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2172
2173         [ES6] Implement Reflect.isExtensible
2174         https://bugs.webkit.org/show_bug.cgi?id=147308
2175
2176         Reviewed by Sam Weinig.
2177
2178         This patch implements Reflect.isExtensible.
2179         It is similar to Object.isExtensible.
2180         The difference is that it raises an error if the first argument is not an object.
2181
2182         * runtime/ReflectObject.cpp:
2183         (JSC::reflectObjectIsExtensible):
2184         * tests/stress/reflect-is-extensible.js: Added.
2185         (shouldBe):
2186         (shouldThrow):
2187
2188 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2189
2190         Unreviewed, fix the debug build due to touching the non-declared variable in ASSERT
2191         https://bugs.webkit.org/show_bug.cgi?id=147307
2192
2193         * runtime/ObjectConstructor.cpp:
2194         (JSC::ownPropertyKeys):
2195
2196 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2197
2198         [ES6] Implement Reflect.ownKeys
2199         https://bugs.webkit.org/show_bug.cgi?id=147307
2200
2201         Reviewed by Sam Weinig.
2202
2203         This patch implements Reflect.ownKeys.
2204         In this patch, we refactor the existing code to list up own keys in the object.
2205         Such code is used by Object.getOwnPropertyNames, Object.getOwnPropertyKeys, Object.keys and @ownEnumerableKeys.
2206         We factor out listing up the own keys as the ownPropertyKeys function and also use it in Reflect.ownKeys.
2207
2208         * runtime/ObjectConstructor.cpp:
2209         (JSC::objectConstructorGetOwnPropertyNames):
2210         (JSC::objectConstructorGetOwnPropertySymbols):
2211         (JSC::objectConstructorKeys):
2212         (JSC::ownEnumerablePropertyKeys):
2213         (JSC::ownPropertyKeys):
2214         * runtime/ObjectConstructor.h:
2215         * runtime/ReflectObject.cpp:
2216         (JSC::reflectObjectOwnKeys):
2217         * tests/stress/reflect-own-keys.js: Added.
2218         (shouldBe):
2219         (shouldThrow):
2220         (shouldBeArray):
2221
2222 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2223
2224         [ES6] Implement Reflect.apply
2225         https://bugs.webkit.org/show_bug.cgi?id=147306
2226
2227         Reviewed by Sam Weinig.
2228
2229         Implement Reflect.apply.
2230         A large part of this can be implemented by the @apply builtin annotation.
2231         The only thing that differs from Function.prototype.apply is that the third parameter,
2232         "argumentsList", needs to be an object.
2233
2234         * builtins/ReflectObject.js:
2235         (apply):
2236         (deleteProperty):
2237         * runtime/ReflectObject.cpp:
2238         * tests/stress/reflect-apply.js: Added.
2239         (shouldBe):
2240         (shouldThrow):
2241         (get shouldThrow):
2242         (.get shouldThrow):
2243         (get var.array.get length):
2244         (get var.array.get 0):
2245         (.get var):
2246         * tests/stress/reflect-delete-property.js:
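An added example (my own code, not the patches' reflect-*.js stress tests) covering the behavioural differences the Reflect.preventExtensions, Reflect.isExtensible, Reflect.ownKeys and Reflect.apply entries above describe, side by side with the Object.* and Function.prototype.apply counterparts.

```javascript
// Run a thunk and capture either its value or the thrown error's class name.
function callAndCapture(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Reflect.preventExtensions / Reflect.isExtensible throw a TypeError for a
// non-object; the Object.* versions accept primitives and do not throw.
function preventExtensionsOnPrimitive() {
  return {
    object: callAndCapture(() => Object.preventExtensions(1)),
    reflect: callAndCapture(() => Reflect.preventExtensions(1)),
  };
}

function isExtensibleOnPrimitive() {
  return {
    object: callAndCapture(() => Object.isExtensible(1)),
    reflect: callAndCapture(() => Reflect.isExtensible(1)),
  };
}

// Reflect.preventExtensions reports success as a boolean instead of
// returning the object (or throwing on failure).
function preventExtensionsResult() {
  const o = {};
  const returned = Reflect.preventExtensions(o);
  return { returned, extensible: Reflect.isExtensible(o) };
}

// Reflect.ownKeys follows [[OwnPropertyKeys]]: integer indices ascending,
// then string keys in insertion order, then symbols; enumerability is
// ignored, unlike Object.keys.
function ownKeysOf() {
  const sym = Symbol("s");
  const o = { b: 1, 2: 1, a: 1, 1: 1, [sym]: 1 };
  Object.defineProperty(o, "hidden", { value: 1, enumerable: false });
  return {
    ownKeys: Reflect.ownKeys(o).map(String),
    keys: Object.keys(o),
  };
}

// Reflect.apply requires argumentsList to be an object, whereas
// Function.prototype.apply treats a missing list as "no arguments".
function applyArgumentsListRules() {
  const f = function () { return arguments.length; };
  return {
    functionApply: callAndCapture(() => f.apply(null)),
    reflectApplyUndefined: callAndCapture(() => Reflect.apply(f, null, undefined)),
    reflectApplyArray: callAndCapture(() => Reflect.apply(f, null, [1, 2])),
  };
}
```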
2247
2248 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2249
2250         [ES6] Add Reflect namespace and add Reflect.deleteProperty
2251         https://bugs.webkit.org/show_bug.cgi?id=147287
2252
2253         Reviewed by Sam Weinig.
2254
2255         This patch just creates the namespace for ES6 Reflect APIs.
2256         And adds template files to implement the actual code.
2257
2258         So as not to keep the JS-generated properties C array empty,
2259         we added one small method, Reflect.deleteProperty, in this patch.
2260
2261         * CMakeLists.txt:
2262         * DerivedSources.make:
2263         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2264         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2265         * JavaScriptCore.xcodeproj/project.pbxproj:
2266         * builtins/ReflectObject.js: Added.
2267         (deleteProperty):
2268         * runtime/CommonIdentifiers.h:
2269         * runtime/JSGlobalObject.cpp:
2270         (JSC::JSGlobalObject::init):
2271         * runtime/ReflectObject.cpp: Added.
2272         (JSC::ReflectObject::ReflectObject):
2273         (JSC::ReflectObject::finishCreation):
2274         (JSC::ReflectObject::getOwnPropertySlot):
2275         * runtime/ReflectObject.h: Added.
2276         (JSC::ReflectObject::create):
2277         (JSC::ReflectObject::createStructure):
2278         * tests/stress/reflect-delete-property.js: Added.
2279         (shouldBe):
2280         (shouldThrow):
2281
2282 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2283
2284         Avoid 2 times name iteration in Object.assign
2285         https://bugs.webkit.org/show_bug.cgi?id=147268
2286
2287         Reviewed by Geoffrey Garen.
2288
2289         Object.assign calls Object.getOwnPropertyNames & Object.getOwnPropertySymbols to collect all the names.
2290         But exposing the private API that collects both at the same time makes the API efficient when the given Object has so many non-indexed properties.
2291         Since Object.assign is so generic API (some form of utility API), the form of the given Object is not expected.
2292         So the taken object may have so many non-indexed properties.
2293
2294         In this patch, we introduce `ownEnumerablePropertyKeys` private function.
2295         It is a slightly changed version of `[[OwnPropertyKeys]]` in the ES6 spec;
2296         It only includes enumerable properties.
2297
2298         By filtering out the non-enumerable properties in the exposed private function,
2299         we avoid calling @objectGetOwnPropertyDescriptor for each property at the same time.
2300
2301         * builtins/ObjectConstructor.js:
2302         (assign):
2303         * runtime/CommonIdentifiers.h:
2304         * runtime/EnumerationMode.h:
2305         * runtime/JSGlobalObject.cpp:
2306         (JSC::JSGlobalObject::init):
2307         * runtime/ObjectConstructor.cpp:
2308         (JSC::ownEnumerablePropertyKeys):
2309         * runtime/ObjectConstructor.h:
2310         * tests/stress/object-assign-enumerable.js: Added.
2311         (shouldBe):
2312         * tests/stress/object-assign-order.js: Added.
2313         (shouldBe):
2314
2315 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2316
2317         Remove runtime flags for symbols
2318         https://bugs.webkit.org/show_bug.cgi?id=147246
2319
2320         Reviewed by Alex Christensen.
2321
2322         * runtime/ArrayPrototype.cpp:
2323         (JSC::ArrayPrototype::finishCreation):
2324         * runtime/JSGlobalObject.cpp:
2325         (JSC::JSGlobalObject::init): Deleted.
2326         * runtime/JSGlobalObject.h:
2327         * runtime/ObjectConstructor.cpp:
2328         (JSC::ObjectConstructor::finishCreation):
2329         * runtime/RuntimeFlags.h:
2330
2331 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2332
2333         Object.getOwnPropertySymbols on large list takes very long
2334         https://bugs.webkit.org/show_bug.cgi?id=146137
2335
2336         Reviewed by Mark Lam.
2337
2338         Before this patch, Object.getOwnPropertySymbols collects all the names including strings.
2339         And after that is done, it filters the names to only retrieve the symbols.
2340         But it's so time consuming if the given object is a large non-holed array since it has
2341         many indexed properties and all the indexes have to be converted to uniqued_strings and
2342         added to the collection of property names (though they may not be of the requested type
2343         and will be filtered out later).
2344
2345         This patch introduces PropertyNameMode.
2346         We leverage this mode in 2 places.
2347
2348         1. PropertyNameArray side
2349         It is set in PropertyNameArray and it filters the incoming added identifiers based on the mode.
2350         It ensures that PropertyNameArray doesn't become so large in the pathological case.
2351         And it ensures that keys of a type not expected by the filter (Symbols or Strings) are never added
2352         to the property name array collections.
2353         However it does not solve the whole problem because the huge array still incurs the many
2354         "indexed property to uniqued string" conversion and the large iteration before adding the keys
2355         to the property name array.
2356
2357         2. getOwnPropertyNames side
2358         So we can use the PropertyNameMode in the caller side (getOwnPropertyNames) as a **hint**.
2359         When the large iteration may occur, the caller side can use the PropertyNameMode as a hint to
2360         avoid the iteration.
2361         But we cannot exclusively rely on these caller side checks because it would require that we
2362         exhaustively add the checks to all custom implementations of getOwnPropertyNames as well.
2363         This process requires manual inspection of many pieces of code, and is error prone. Instead,
2364         we only apply the caller side check in a few strategic places where it is known to yield
2365         performance benefits; and we rely on the filter in PropertyNameArray::add() to reject the wrong
2366         types of properties for all other calls to PropertyNameArray::add().
2367
2368         In this patch, there's a concept in use that is not clear just from reading the code, and hence
2369         should be documented here. When selecting the PropertyNameMode for the PropertyNameArray to be
2370         instantiated, we apply the following logic:
2371
2372         1. Only JavaScriptCore code is aware of ES6 Symbols.
2373         We can assume that pre-existing external code that interfaces with JSC is only looking for string named properties. This includes:
2374             a. WebCore bindings
2375             b. Serializer bindings
2376             c. NPAPI bindings
2377             d. Objective C bindings
2378         2. In JSC, code that computes object storage space needs to iterate both Symbol and String named properties. Hence, use PropertyNameMode::Both.
2379         3. In JSC, ES6 APIs that work with Symbols should use PropertyNameMode::Symbols.
2380         4. In JSC, ES6 APIs that work with String named properties should use PropertyNameMode::Strings.
2381
2382         * API/JSObjectRef.cpp:
2383         (JSObjectCopyPropertyNames):
2384         * bindings/ScriptValue.cpp:
2385         (Deprecated::jsToInspectorValue):
2386         * bytecode/ObjectAllocationProfile.h:
2387         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2388         * runtime/EnumerationMode.h:
2389         (JSC::EnumerationMode::EnumerationMode):
2390         (JSC::EnumerationMode::includeSymbolProperties): Deleted.
2391         * runtime/GenericArgumentsInlines.h:
2392         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2393         * runtime/JSGenericTypedArrayViewInlines.h:
2394         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
2395         * runtime/JSLexicalEnvironment.cpp:
2396         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2397         * runtime/JSONObject.cpp:
2398         (JSC::Stringifier::Stringifier):
2399         (JSC::Stringifier::Holder::appendNextProperty):
2400         (JSC::Walker::walk):
2401         * runtime/JSObject.cpp:
2402         (JSC::JSObject::getOwnPropertyNames):
2403         * runtime/JSPropertyNameEnumerator.cpp:
2404         (JSC::JSPropertyNameEnumerator::create):
2405         * runtime/JSPropertyNameEnumerator.h:
2406         (JSC::propertyNameEnumerator):
2407         * runtime/JSSymbolTableObject.cpp:
2408         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2409         * runtime/ObjectConstructor.cpp:
2410         (JSC::objectConstructorGetOwnPropertyNames):
2411         (JSC::objectConstructorGetOwnPropertySymbols):
2412         (JSC::objectConstructorKeys):
2413         (JSC::defineProperties):
2414         (JSC::objectConstructorSeal):
2415         (JSC::objectConstructorFreeze):
2416         (JSC::objectConstructorIsSealed):
2417         (JSC::objectConstructorIsFrozen):
2418         * runtime/PropertyNameArray.h:
2419         (JSC::PropertyNameArray::PropertyNameArray):
2420         (JSC::PropertyNameArray::mode):
2421         (JSC::PropertyNameArray::addKnownUnique):
2422         (JSC::PropertyNameArray::add):
2423         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
2424         (JSC::PropertyNameArray::includeSymbolProperties):
2425         (JSC::PropertyNameArray::includeStringProperties):
2426         * runtime/StringObject.cpp:
2427         (JSC::StringObject::getOwnPropertyNames):
2428         * runtime/Structure.cpp:
2429         (JSC::Structure::getPropertyNamesFromStructure):
2430
2431 2015-07-24  Saam barati  <saambarati1@gmail.com>
2432
2433         [ES6] Add support for default parameters
2434         https://bugs.webkit.org/show_bug.cgi?id=38409
2435
2436         Reviewed by Filip Pizlo.
2437
2438         This patch implements ES6 default parameters according to the ES6
2439         specification. This patch builds off the components introduced with 
2440         "let" scoping and parsing function parameters in the same parser
2441         arena as the function itself. "let" scoping allows functions with default 
2442         parameter values to place their parameters under the TDZ. Parsing function
2443         parameters in the same parser arena allows the FunctionParameters AST node
2444         to refer to ExpressionNodes.
2445
2446         The most subtle part of this patch is how we allocate lexical environments
2447         when functions have default parameter values. If a function has default
2448         parameter values then there must be a separate lexical environment for
2449         its parameters. Then, the function's "var" lexical environment must have
2450         the parameter lexical environment as its parent. The BytecodeGenerator
2451         takes great care to not allocate the "var" lexical environment before its
2452         really needed.
2453
2454         The "arguments" object for a function with default parameters will never be 
2455         a mapped arguments object. It will always be a cloned arguments object.
2456
2457         * bytecompiler/BytecodeGenerator.cpp:
2458         (JSC::BytecodeGenerator::generate):
2459         (JSC::BytecodeGenerator::BytecodeGenerator):
2460         (JSC::BytecodeGenerator::~BytecodeGenerator):
2461         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2462         (JSC::BytecodeGenerator::initializeNextParameter):
2463         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
2464         (JSC::BytecodeGenerator::visibleNameForParameter):
2465         (JSC::BytecodeGenerator::emitLoadGlobalObject):
2466         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
2467         (JSC::BytecodeGenerator::pushLexicalScope):
2468         (JSC::BytecodeGenerator::popLexicalScope):
2469         * bytecompiler/BytecodeGenerator.h:
2470         (JSC::BytecodeGenerator::lastOpcodeID):
2471         * bytecompiler/NodesCodegen.cpp:
2472         (JSC::FunctionNode::emitBytecode):
2473         * jit/JITOperations.cpp:
2474         * parser/ASTBuilder.h:
2475         (JSC::ASTBuilder::createElementList):
2476         (JSC::ASTBuilder::createFormalParameterList):
2477         (JSC::ASTBuilder::appendParameter):
2478         (JSC::ASTBuilder::createClause):
2479         (JSC::ASTBuilder::createClauseList):
2480         * parser/Nodes.h:
2481         (JSC::FunctionParameters::size):
2482         (JSC::FunctionParameters::at):
2483         (JSC::FunctionParameters::hasDefaultParameterValues):
2484         (JSC::FunctionParameters::append):
2485         * parser/Parser.cpp:
2486         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2487         (JSC::Parser<LexerType>::createBindingPattern):
2488         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
2489         (JSC::Parser<LexerType>::parseDestructuringPattern):
2490         (JSC::Parser<LexerType>::parseFormalParameters):
2491         (JSC::Parser<LexerType>::parseFunctionParameters):
2492         * parser/Parser.h:
2493         (JSC::Scope::declareParameter):
2494         * parser/SyntaxChecker.h:
2495         (JSC::SyntaxChecker::createElementList):
2496         (JSC::SyntaxChecker::createFormalParameterList):
2497         (JSC::SyntaxChecker::appendParameter):
2498         (JSC::SyntaxChecker::createClause):
2499         (JSC::SyntaxChecker::createClauseList):
2500         * tests/stress/es6-default-parameters.js: Added.
2501         (assert):
2502         (shouldThrow):
2503         (shouldThrowSyntaxError):
2504         (shouldThrowTDZ):
2505         (basic):
2506         (basicFunctionCaptureInDefault.basicFunctionCaptureInDefault.basicCaptured):
2507         (basicCaptured.basicCaptured.tricky):
2508         (strict):
2509         (playground):
2510         (scoping):
2511         (augmentsArguments1):
2512         (augmentsArguments2):
2513         (augmentsArguments3):
2514         (augmentsArguments4):
2515         (augmentsArguments5):
2516
2517 2015-07-24  Xabier Rodriguez Calvar  <calvaris@igalia.com>
2518
2519         Remove JS Promise constructor unused piece of code
2520         https://bugs.webkit.org/show_bug.cgi?id=147262
2521
2522         Reviewed by Geoffrey Garen.
2523
2524         * runtime/JSPromiseConstructor.cpp:
2525         (JSC::constructPromise): Deleted.
2526         * runtime/JSPromiseConstructor.h: Removed JSC::constructPromise.
2527
2528 2015-07-24  Mark Lam  <mark.lam@apple.com>
2529
2530         Add WASM files to vcxproj files.
2531         https://bugs.webkit.org/show_bug.cgi?id=147264
2532
2533         Reviewed by Geoffrey Garen.
2534
2535         This is a follow up to http://trac.webkit.org/changeset/187254 where WASM files
2536         were introduced but were not able to be added to the vcxproj files yet.
2537
2538         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2539         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2540
2541 2015-07-23  Filip Pizlo  <fpizlo@apple.com>
2542
2543         DFG::safeToExecute() is wrong for MultiGetByOffset, doesn't consider the structures of the prototypes that get loaded from
2544         https://bugs.webkit.org/show_bug.cgi?id=147250
2545
2546         Reviewed by Geoffrey Garen.
2547         
2548         This fixes a nasty - but currently benign - bug in DFG::safeToExecute(). That function
2549         will tell you if hoisting a node to some point is safe in the sense that the node will
2550         not crash the VM if it executes at that point. A node may be unsafe to execute if we
2551         cannot prove that at that point, the memory it is loading is not garbage. This is a
2552         necessarily loose notion - for example it's OK to hoist a load if we haven't proved
2553         that the load makes semantic sense at that point, since anyway the place where the node
2554         did get used will still be guarded by any such semantic checks. But because we may also
2555         hoist uses of the load, we need to make sure that it doesn't produce a garbage value.
2556         Also, we need to ensure that the load won't trap. Hence safeToExecute() returns true
2557         anytime we can be sure that a node will not produce a garbage result (i.e. a malformed
2558         JSValue or object pointer) and will not trap when executed at the point in question.
2559         
2560         The bug is that this verification isn't performed for the loads from prototypes inside
2561         MultiGetByOffset. DFG::ByteCodeParser will guard MultiGetByOffset with CheckStructure's
2562         on the prototypes. So, hypothetically, you might end up hoisting a MultiGetByOffset
2563         above those structure checks, which would mean that we might load a value from a memory
2564         location without knowing that the location is valid. It might then return the value
2565         loaded.
2566         
2567         This never happens in practice. Those structure checks are more hoistable than the
2568         MultiGetByOffset, since they read a strict subset of the MultiGetByOffset's abstract
2569         heap reads. Also, we hoist in program order. So, those CheckStructure's will always be
2570         hoisted before the MultiGetByOffset gets hoisted.
2571         
2572         But we should fix this anyway. DFG::safeToExecute() has a clear definition of what a
2573         "true" return means for IR transformations, and it fails in satisfying that definition
2574         for MultiGetByOffset.
2575         
2576         There are various approaches we can use for making this safe. I considered two:
2577         
2578         1) Have MultiGetByOffset refer to the prototypes it is loading from in IR, so that we
2579            can check if it's safe to load from them.
2580         
2581         2) Turn off MultiGetByOffset hoisting when it will emit loads from prototypes, and the
2582            prototype structure isn't being watched.
2583         
2584         I ended up using (2), because it will be the most natural solution once I finish
2585         https://bugs.webkit.org/show_bug.cgi?id=146929. Already now, it's somewhat more natural
2586         than (1) since that requires more extensive IR changes. Also, (2) will give us what we
2587         want in *most* cases: we will usually watch the prototype structure, and we will
2588         usually constant-fold loads from prototypes. Both of these usually-true things would
2589         have to become false for MultiGetByOffset hoisting to be disabled by this change.
2590         
2591         This change also adds my attempt at a test, though it's not really a test of this bug.
2592         This bug is currently benign. But, the test does at least trigger the logic to run,
2593         which is better than nothing.
2594
2595         * dfg/DFGSafeToExecute.h:
2596         (JSC::DFG::safeToExecute):
2597         * tests/stress/multi-get-by-offset-hoist-around-structure-check.js: Added.
2598         (foo):
2599
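The JavaScript shape the entry above is about, as an added illustration that is not the WebKit stress test it names and not JSC code: a loop-invariant property read whose value lives on one of several prototypes. The read is a candidate for hoisting out of the loop, and the point of the entry is that the hoisted load is only safe if the structure checks on the prototypes (the guards against reading from an object whose layout has changed) have been hoisted first. The example warms the read up polymorphically, then changes the prototype's structure and value, and asserts that the program still observes the new value; the constructor names and the counts are constructed for this example.

```javascript
// Added example; constructed for this page, not the WebKit stress test
// tests/stress/multi-get-by-offset-hoist-around-structure-check.js.

// Two unrelated constructors whose instances both inherit `value` from their
// prototype: a read of `o.value` that sees both kinds is polymorphic, and the
// value it returns is loaded from the prototype object, not from `o` itself.
function makeHierarchy() {
  function A() {}
  A.prototype.value = 1;
  function B() {}
  B.prototype.value = 2;
  return { A, B };
}

// The read is loop-invariant, so an optimizing compiler may try to hoist it
// out of the loop. Whether that is safe depends on the guards (structure checks
// on `o` and on the prototype the value is loaded from) being hoisted first;
// a load hoisted above its guards could read from a layout that no longer exists.
function sumInvariantRead(o, n) {
  let s = 0;
  for (let i = 0; i < n; i++) {
    s += o.value;
  }
  return s;
}

// Warm the read up polymorphically, then change A.prototype: adding a property
// gives the prototype a new Structure, so a check against the old Structure must
// fail and the engine must take the slow path rather than reuse a load keyed to
// the old Structure. Changing `value` at the same time makes a stale read visible.
function runScenario(n) {
  const { A, B } = makeHierarchy();
  const a = new A();
  const b = new B();
  const before = { a: 0, b: 0 };
  for (let round = 0; round < 50; round++) {
    before.a = sumInvariantRead(a, n);
    before.b = sumInvariantRead(b, n);
  }
  A.prototype.extra = 'new slot';
  A.prototype.value = 3;
  const after = { a: sumInvariantRead(a, n), b: sumInvariantRead(b, n) };
  return { before, after };
}
```

With n = 1000 the sums are 1000 and 2000 before the mutation and 3000 and 2000 after it; any other result would mean a value was loaded from the prototype without its structure check. The entry explains why the bug it fixes could not produce that in practice (the checks read a subset of the load's abstract heap and are hoisted first, in program order), so this only exercises the path, which is also all the entry claims for its own test.
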
2600 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2601
2602         Implement WebAssembly modules
2603         https://bugs.webkit.org/show_bug.cgi?id=147222
2604
2605         Reviewed by Filip Pizlo.
2606
2607         Make JSWASMModule inherit from JSDestructibleObject so that the destructor is called.
2608
2609         * wasm/JSWASMModule.h:
2610
2611 2015-07-23  Alex Christensen  <achristensen@webkit.org>
2612
2613         Remove compile and runtime flags for promises.
2614         https://bugs.webkit.org/show_bug.cgi?id=147244
2615
2616         Reviewed by Yusuke Suzuki.
2617
2618         * API/JSCallbackObjectFunctions.h:
2619         (JSC::JSCallbackObject<Parent>::JSCallbackObject):
2620         * API/JSContextRef.cpp:
2621         (JSGlobalContextCreateInGroup):
2622         * Configurations/FeatureDefines.xcconfig:
2623         * inspector/JSInjectedScriptHost.cpp:
2624         (Inspector::JSInjectedScriptHost::getInternalProperties):
2625         * runtime/JSGlobalObject.cpp:
2626         (JSC::JSGlobalObject::init):
2627         (JSC::JSGlobalObject::visitChildren):
2628         * runtime/JSGlobalObject.h:
2629         (JSC::JSGlobalObject::create):
2630         (JSC::JSGlobalObject::syntaxErrorConstructor):
2631         (JSC::JSGlobalObject::typeErrorConstructor):
2632         (JSC::JSGlobalObject::URIErrorConstructor):
2633         (JSC::JSGlobalObject::promiseConstructor):
2634         (JSC::JSGlobalObject::nullGetterFunction):
2635         (JSC::JSGlobalObject::nullSetterFunction):
2636         (JSC::JSGlobalObject::applyFunction):
2637         (JSC::JSGlobalObject::definePropertyFunction):
2638         (JSC::JSGlobalObject::arrayProtoValuesFunction):
2639         (JSC::JSGlobalObject::initializePromiseFunction):
2640         (JSC::JSGlobalObject::newPromiseDeferredFunction):
2641         (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
2642         (JSC::JSGlobalObject::regExpPrototype):
2643         (JSC::JSGlobalObject::errorPrototype):
2644         (JSC::JSGlobalObject::iteratorPrototype):
2645         (JSC::JSGlobalObject::promisePrototype):
2646         (JSC::JSGlobalObject::debuggerScopeStructure):
2647         (JSC::JSGlobalObject::withScopeStructure):
2648         (JSC::JSGlobalObject::iteratorResultStructure):
2649         (JSC::JSGlobalObject::iteratorResultStructureOffset):
2650         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
2651         (JSC::JSGlobalObject::promiseStructure):
2652         * runtime/JSPromise.cpp:
2653         (JSC::JSPromise::result):
2654         * runtime/JSPromise.h:
2655         * runtime/JSPromiseConstructor.cpp:
2656         (JSC::constructPromise):
2657         * runtime/JSPromiseConstructor.h:
2658         * runtime/JSPromiseDeferred.cpp:
2659         (JSC::JSPromiseDeferred::visitChildren):
2660         * runtime/JSPromiseDeferred.h:
2661         * runtime/JSPromisePrototype.cpp:
2662         (JSC::JSPromisePrototype::getOwnPropertySlot):
2663         * runtime/JSPromisePrototype.h:
2664         * runtime/RuntimeFlags.h:
2665         * runtime/VM.cpp:
2666         (JSC::VM::VM):
2667         * runtime/VM.h:
2668
2669 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2670
2671         Implement WebAssembly modules
2672         https://bugs.webkit.org/show_bug.cgi?id=147222
2673
2674         Reviewed by Mark Lam.
2675
2676         Introducing the boilerplate data structure for the WebAssembly module.
2677         WebAssembly functionality will be added in a subsequent patch.
2678
2679         * CMakeLists.txt:
2680         * JavaScriptCore.xcodeproj/project.pbxproj:
2681         * wasm/JSWASMModule.cpp: Added.
2682         (JSC::JSWASMModule::visitChildren):
2683         * wasm/JSWASMModule.h: Added.
2684         (JSC::JSWASMModule::create):
2685         (JSC::JSWASMModule::createStructure):
2686         (JSC::JSWASMModule::JSWASMModule):
2687
2688 2015-07-23  Devin Rousso  <drousso@apple.com>
2689
2690         Web Inspector: Add a function to CSSCompletions to get a list of supported system fonts
2691         https://bugs.webkit.org/show_bug.cgi?id=147009
2692
2693         Reviewed by Joseph Pecoraro.
2694
2695         * inspector/protocol/CSS.json: Added getSupportedSystemFontFamilyNames function.
2696
2697 2015-07-22  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2698
2699         Add ENABLE_WEBASSEMBLY feature flag for WebAssembly
2700         https://bugs.webkit.org/show_bug.cgi?id=147212
2701
2702         Reviewed by Filip Pizlo.
2703
2704         * Configurations/FeatureDefines.xcconfig:
2705
2706 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
2707
2708         Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time
2709         https://bugs.webkit.org/show_bug.cgi?id=147218
2710
2711         Reviewed by Sam Weinig.
2712         
2713         I want to be able to take a UniquedStringImpl* and turn it into an identifierNumber at
2714         various points in my work on https://bugs.webkit.org/show_bug.cgi?id=146929. Currently,
2715         most Nodes that deal with identifiers use identifierNumbers and you can only create an
2716         identifierNumber in BytecodeGenerator. DFG::ByteCodeParser does sort of have the
2717         ability to create new identifierNumbers when inlining - it takes the inlined code's
2718         identifiers and either gives them new numbers or reuses numbers from the enclosing
2719         code.
2720         
2721         This patch takes that basic functionality and puts it in
2722         DFG::DesiredIdentifiers::ensure(). Anyone can call this at any time to turn a
2723         UniquedStringImpl* into an identifierNumber. This data structure is already used by
2724         Plan to properly install any newly created identifier table entries into the CodeBlock.
2725
2726         * dfg/DFGByteCodeParser.cpp:
2727         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2728         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
2729         (JSC::DFG::ByteCodeParser::linkBlocks):
2730         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2731         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): Deleted.
2732         * dfg/DFGDesiredIdentifiers.cpp:
2733         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
2734         (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
2735         (JSC::DFG::DesiredIdentifiers::ensure):
2736         (JSC::DFG::DesiredIdentifiers::at):
2737         (JSC::DFG::DesiredIdentifiers::addLazily): Deleted.
2738         * dfg/DFGDesiredIdentifiers.h:
2739
2740 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
2741
2742         Simplify things like CompareEq(@x,@x)
2743         https://bugs.webkit.org/show_bug.cgi?id=145850
2744
2745         Reviewed by Sam Weinig.
2746         
2747         This simplifies x==x to true, except in cases where x might be a double (in which case this
2748         might still be false if x is NaN).
2749
2750         * dfg/DFGAbstractInterpreterInlines.h:
2751         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2752         * tests/stress/nan-equal-untyped.js: Added.
2753         (foo):
2754         (test):
2755         * tests/stress/nan-equal.js: Added.
2756         (foo):
2757
2758 2015-07-22  Joseph Pecoraro  <pecoraro@apple.com>
2759
2760         Web Inspector: Timeline should immediately start moving play head when starting a new recording
2761         https://bugs.webkit.org/show_bug.cgi?id=147210
2762
2763         Reviewed by Timothy Hatcher.
2764
2765         * inspector/protocol/Timeline.json:
2766         Add timestamps to recordingStarted and recordingStopped events.
2767
2768 2015-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2769
2770         Introducing construct ability into JS executables
2771         https://bugs.webkit.org/show_bug.cgi?id=147183
2772
2773         Reviewed by Geoffrey Garen.
2774
2775         Decouple the construct ability from the builtin functions.
2776         Currently, all builtin functions are not constructors after r182995.
2777         In that patch, when the given function is builtin JS function, we recognize it as the non-constructor function.
2778
2779         But, we need to relax it to implement some constructors in builtins JS.
2780         By decoupling the construct ability from whether the function is builtin or not, we can provide
2781
2782         1. constructors written in builtin JS
2783         2. non-constructors in normal JS functions
2784
2785         (1) is needed for Promise constructor.
2786         And (2) is needed for method functions and arrow functions.
2787
2788         This patch introduces ConstructAbility into the unlinked function executables.
2789         It holds whether the given JS function has the construct ability or not.
2790         By leveraging this, this patch disables the construct ability of the method definitions, setters, getters and arrow functions.
2791
2792         And at the same time, this patch introduces the annotation for constructor in builtin JS.
2793         We can define the function as follows,
2794
2795             constructor Promise(executor)
2796             {
2797                 ...
2798             }
2799
2800         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2801         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2802         * JavaScriptCore.xcodeproj/project.pbxproj:
2803         * builtins/BuiltinExecutables.cpp:
2804         (JSC::BuiltinExecutables::createDefaultConstructor):
2805         (JSC::BuiltinExecutables::createExecutableInternal):
2806         * builtins/BuiltinExecutables.h:
2807         * builtins/Iterator.prototype.js:
2808         (symbolIterator):
2809         (SymbolIterator): Deleted.
2810         * bytecode/UnlinkedCodeBlock.cpp:
2811         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2812         * bytecode/UnlinkedCodeBlock.h:
2813         * bytecompiler/BytecodeGenerator.h:
2814         (JSC::BytecodeGenerator::makeFunction):
2815         * generate-js-builtins:
2816         (getCopyright):
2817         (Function):
2818         (Function.__init__):
2819         (Function.mangleName):
2820         (getFunctions):
2821         (mangleName): Deleted.
2822         * jit/JITOperations.cpp:
2823         * llint/LLIntSlowPaths.cpp:
2824         (JSC::LLInt::setUpCall):
2825         * parser/Parser.cpp:
2826         (JSC::Parser<LexerType>::parseClass):
2827         * runtime/CodeCache.cpp:
2828         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2829         * runtime/CommonIdentifiers.h:
2830         * runtime/ConstructAbility.h: Copied from Source/JavaScriptCore/builtins/Iterator.prototype.js.
2831         * runtime/Executable.h:
2832         * runtime/JSFunction.cpp:
2833         (JSC::JSFunction::getConstructData):
2834         * runtime/JSGlobalObject.cpp:
2835         (JSC::JSGlobalObject::init):
2836         * tests/stress/non-constructors.js: Added.
2837         (shouldThrow):
2838         (.prototype.method):
2839         (.prototype.get getter):
2840         (.prototype.set setter):
2841         (.method):
2842         (.get shouldThrow):
2843         (.set shouldThrow):
2844         (set var.test.get getter):
2845         (set var.test.set setter):
2846         (set var.test.normal):
2847         (.set var):
2848         (.set new):
2849
2850 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
2851
2852         [JSC] Enable exception fuzzing for GCC too
2853         https://bugs.webkit.org/show_bug.cgi?id=146831
2854
2855         Reviewed by Darin Adler.
2856
2857         * jit/JITOperations.cpp:
2858
2859 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
2860
2861         Fixed pool allocation should always be aligned
2862         https://bugs.webkit.org/show_bug.cgi?id=147201
2863
2864         Reviewed by Simon Fraser.
2865         
2866         Passing an unaligned size to the allocator can cause asserts or even worse things. The
2867         Options reservation value isn't going to be aligned.
2868
2869         * jit/ExecutableAllocatorFixedVMPool.cpp:
2870         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2871
2872 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
2873
2874         Enable STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE for GCC
2875         https://bugs.webkit.org/show_bug.cgi?id=146829
2876
2877         Reviewed by Brent Fulgham.
2878
2879         * heap/GCAssertions.h:
2880
2881 2015-07-22  Alex Christensen  <achristensen@webkit.org>
2882
2883         Fix quirks in CMake build on Mac and Windows
2884         https://bugs.webkit.org/show_bug.cgi?id=147174
2885
2886         Reviewed by Gyuyoung Kim.
2887
2888         * PlatformMac.cmake:
2889         Add JSRemoteInspector.cpp and remove semicolon from command to make it actually run.
2890
2891 2015-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2892
2893         Add newTarget accessor to JS constructor written in C++
2894         https://bugs.webkit.org/show_bug.cgi?id=147160
2895
2896         Reviewed by Geoffrey Garen.
2897
2898         This patch adds `ExecState#newTarget()` which returns `new.target` defined in ECMA262 6th.
2899         It enables some C++ constructors (like Intl.XXX constructors) to leverage this to complete
2900         its implementation.
2901
2902         When the constructor is called, |this| in the arguments is used for storing new.target instead.
2903         So by adding the accessor for |this|, JS constructor written in C++ can access new.target.
2904
2905         And at the same time, this patch extends the existing `construct` to accept new.target value.
2906         It is corresponding to the spec's Construct abstract operation.
2907
2908         * interpreter/CallFrame.h:
2909         (JSC::ExecState::newTarget):
2910         * interpreter/Interpreter.cpp:
2911         (JSC::Interpreter::executeConstruct):
2912         * interpreter/Interpreter.h:
2913         * runtime/ConstructData.cpp:
2914         (JSC::construct):
2915         * runtime/ConstructData.h:
2916         (JSC::construct):
2917
2918 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
2919
2920         Unreviewed, fix a lot of tests. Need to initialize WTF threading sooner.
2921
2922         * jsc.cpp:
2923         (main):
2924
2925 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
2926
2927         Fixed VM pool allocation should have a reserve for allocations that cannot fail
2928         https://bugs.webkit.org/show_bug.cgi?id=147154
2929         rdar://problem/21847618
2930
2931         Reviewed by Geoffrey Garen.
2932         
2933         This adds the notion of a JIT pool reserve fraction. Some fraction, currently 1/4, of
2934         the JIT pool is reserved for allocations that cannot fail. It makes sense to make this
2935         a fraction rather than a constant because each allocation that can fail may cause some
2936         number of allocations that cannot fail (for example, the OSR exit thunks that we
2937         compile when we exit from some CodeBlock cannot fail).
2938         
2939         I've tested this by adding a test mode where we artificially limit the JIT pool size.
2940         Prior to the fix, we had >20 failures. Now we have none.
2941
2942         * heap/GCLogging.cpp:
2943         (WTF::printInternal): I needed a dump method on Options members when debugging this.
2944         * heap/GCLogging.h:
2945         * jit/ExecutableAllocator.h: Raise the ARM64 limit to 32MB because 16MB is cutting it too close.
2946         * jit/ExecutableAllocatorFixedVMPool.cpp:
2947         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Add the ability to artificially limit JIT pool size for testing.
2948         (JSC::ExecutableAllocator::memoryPressureMultiplier): Implement the reserve when computing memory pressure for JIT tier-up heuristics.
2949         (JSC::ExecutableAllocator::allocate): Implement the reserve when allocating can-fail things.
2950         * jsc.cpp: Rewire some options parsing so that CommandLine happens before we create the JIT pool.
2951         (main):
2952         (CommandLine::parseArguments):
2953         (jscmain):
2954         * runtime/Options.cpp: 
2955         (JSC::OptionRange::dump): I needed a dump method on Options members when debugging this.
2956         (JSC::Options::initialize): This can now be called more than once.
2957         * runtime/Options.h:
2958
2959 2015-07-21  Saam barati  <saambarati1@gmail.com>
2960
2961         ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier"
2962         https://bugs.webkit.org/show_bug.cgi?id=147156
2963
2964         Reviewed by Andreas Kling.
2965
2966         * parser/Nodes.h:
2967
2968 2015-07-21  Basile Clement  <basile_clement@apple.com>
2969
2970         Object allocation sinking phase is performing needless HashMap copies
2971         https://bugs.webkit.org/show_bug.cgi?id=147159
2972
2973         Reviewed by Geoffrey Garen.
2974
2975         The points-to analyzer in the object allocation sinking phase is
2976         currently performing copies of its allocation and pointers tables in
2977         several places. While this is not a huge problem since those tables are
2978         usually small and we are in the FTL path anyway, we still shouldn't be
2979         doing such useless copying.
2980
2981         This patch also removes the DFGInsertOSRHintsForUpdate files that are
2982         no longer needed with the new object sinking phase and should have been
2983         removed in r186795.
2984
2985         * CMakeLists.txt:
2986         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2987         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2988         * JavaScriptCore.xcodeproj/project.pbxproj:
2989         * dfg/DFGInsertOSRHintsForUpdate.cpp: Removed.
2990         (JSC::DFG::insertOSRHintsForUpdate): Deleted.
2991         * dfg/DFGInsertOSRHintsForUpdate.h: Removed.
2992         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2993
2994 2015-07-21  Saam barati  <saambarati1@gmail.com>
2995
2996         DestructuringPatternNode and DestructuringAssignmentNode should be ParserArenaFreeable
2997         https://bugs.webkit.org/show_bug.cgi?id=147140
2998
2999         Reviewed by Geoffrey Garen.
3000
3001         The descendants of DestructuringPatternNode that need destruction also
3002         inherit from ParserArenaDeletable.
3003
3004         * parser/Nodes.h:
3005         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
3006         (JSC::ObjectPatternNode::appendEntry):
3007         (JSC::DestructuringAssignmentNode::bindings):
3008
3009 2015-07-21  Keith Miller  <keith_miller@apple.com>
3010
3011         Add support for the new.target syntax.
3012         https://bugs.webkit.org/show_bug.cgi?id=147051
3013
3014         Reviewed by Yusuke Suzuki.
3015
3016         Add support for new.target. Essentially the implementation is, before constructor calls,
3017         the target of a "new" is placed where "this" normally goes in the calling convention.
3018         Then in the constructor before object is initialized we move the target of the "new"
3019         into a local variable.
3020
3021         * bytecompiler/BytecodeGenerator.cpp:
3022         (JSC::BytecodeGenerator::BytecodeGenerator):
3023         * bytecompiler/NodesCodegen.cpp:
3024         (JSC::NewTargetNode::emitBytecode):
3025         * parser/ASTBuilder.h:
3026         (JSC::ASTBuilder::newTargetExpr):
3027         * parser/NodeConstructors.h:
3028         (JSC::NewTargetNode::NewTargetNode):
3029         * parser/Nodes.h:
3030         * parser/Parser.cpp:
3031         (JSC::Parser<LexerType>::parseMemberExpression):
3032         * parser/SyntaxChecker.h:
3033         (JSC::SyntaxChecker::newTargetExpr):
3034         * runtime/CommonIdentifiers.h:
3035         * tests/stress/new-target.js: Added.
3036         (test):
3037         (call):
3038         (Constructor.subCall):
3039         (Constructor.SubConstructor):
3040         (Constructor):
3041         (noAssign):
3042         (doWeirdThings):
3043         (SuperClass):
3044         (SubClass):
3045
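The constructor semantics described in the three entries above (construct ability decoupled from whether a function is a builtin, the C++ newTarget accessor and the Construct abstract operation, and the new.target syntax), shown from script as an added example that is not JSC code and not the new-target.js or non-constructors.js tests. The first function tabulates which kinds of function may be the target of `new`; the second records what new.target is on a plain call, under `new`, when a subclass is being constructed, and when the caller supplies the target explicitly through Reflect.construct, which is the script-visible form of the spec's Construct(F, args, newTarget) operation. Whether the JSC of that date exposed Reflect.construct is not something these entries say; the helper names are constructed for this example.

```javascript
// Added example; not from the WebKit ChangeLog or its test suite.

// Returns "constructed" if `new F()` succeeds, or the name of the error thrown.
function tryConstruct(F) {
  try {
    new F();
    return 'constructed';
  } catch (e) {
    return e.name;
  }
}

// Which function kinds have construct ability? Method definitions, accessors
// and arrow functions are not constructors; plain functions and classes are.
function constructAbilityTable() {
  const obj = {
    method() {},
    get getter() { return 1; },
    set setter(v) {},
  };
  class C { foo() {} }
  return {
    plainFunction: tryConstruct(function () {}),
    classConstructor: tryConstruct(C),
    methodDefinition: tryConstruct(obj.method),
    classMethod: tryConstruct(C.prototype.foo),
    getter: tryConstruct(Object.getOwnPropertyDescriptor(obj, 'getter').get),
    setter: tryConstruct(Object.getOwnPropertyDescriptor(obj, 'setter').set),
    arrowFunction: tryConstruct(() => {}),
  };
}

// new.target: undefined on a plain call, the constructor itself under `new`,
// and the *derived* class while a subclass is being constructed.
function Base() {
  // Record new.target without touching `this`, which is undefined for a plain
  // strict-mode call and a freshly allocated object under `new`.
  Base.lastTarget = new.target;
}
class Derived extends Base {}

function newTargetProbe() {
  Base();                                   // plain call
  const plain = Base.lastTarget;
  new Base();                               // direct construction
  const direct = Base.lastTarget;
  new Derived();                            // super() runs Base with new.target = Derived
  const derived = Base.lastTarget;
  function Other() {}
  // Construct(Base, [], Other): run Base's body with an explicit newTarget; the
  // resulting object takes its prototype from newTarget, not from Base.
  const built = Reflect.construct(Base, [], Other);
  const explicit = Base.lastTarget;
  return {
    plainIsUndefined: plain === undefined,
    directIsBase: direct === Base,
    derivedIsDerived: derived === Derived,
    explicitIsOther: explicit === Other,
    builtProtoIsOther: Object.getPrototypeOf(built) === Other.prototype,
  };
}
```

The table is the script-level view of ConstructAbility: a TypeError on `new` for methods, getters, setters and arrow functions, and success for plain functions and class constructors. The probe shows why a constructor written in C++ needs to read the slot where `this` would normally be passed: that slot carries new.target, and for a derived class or an explicit Reflect.construct target it is not the function being run.
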
3046 2015-07-20  Saam barati  <saambarati1@gmail.com>
3047
3048         "let" scoping introduced incoherent story about symbol table cloning
3049         https://bugs.webkit.org/show_bug.cgi?id=147046
3050
3051         Reviewed by Filip Pizlo.
3052
3053         This patch now establishes a clear set of rules for how SymbolTables
3054         are owned by CodeBlock. Every SymbolTable that is used by a bytecode
3055         instruction must live in CodeBlock's constant register pool. When CodeBlock
3056         is being linked, it ensures that every SymbolTable in the constant pool is cloned. 
3057         This leaves no room for an un-cloned symbol table to be used by a bytecode instruction. 
3058         Some instructions may refer to SymbolTable's indirectly through a JSLexicalEnvironment. 
3059         This is fine, all JSLexicalEnvironment's are allocated with references to cloned symbol tables.
3060
3061         Another goal of this patch is to remove the notion that a SymbolTable is 1 to 1 
3062         with a CodeBlock. With lexical scoping, this view of the world is no longer
3063         correct. This patch begins to remove this assumption by making CodeBlock's
3064         symbolTable() getter method private. There is still one place where we need
3065         to purge our codebase of this assumption and that is the type profiler. It 
3066         has not been updated for lexical scoping. After it is updated in 
3067         https://bugs.webkit.org/show_bug.cgi?id=145438
3068         we will be able to remove CodeBlock's symbolTable() getter entirely.
3069
3070         * bytecode/CodeBlock.cpp:
3071         (JSC::CodeBlock::CodeBlock):
3072         (JSC::CodeBlock::nameForRegister):
3073         * bytecode/CodeBlock.h:
3074         (JSC::CodeBlock::addStringSwitchJumpTable):
3075         (JSC::CodeBlock::stringSwitchJumpTable):
3076         (JSC::CodeBlock::evalCodeCache):
3077         (JSC::CodeBlock::symbolTable):
3078         * bytecode/UnlinkedCodeBlock.cpp:
3079         (JSC::UnlinkedFunctionExecutable::visitChildren):
3080         (JSC::UnlinkedFunctionExecutable::link):
3081         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
3082         * bytecode/UnlinkedCodeBlock.h:
3083         (JSC::UnlinkedCodeBlock::addExceptionHandler):
3084         (JSC::UnlinkedCodeBlock::exceptionHandler):
3085         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
3086         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
3087         (JSC::UnlinkedCodeBlock::symbolTable): Deleted.
3088         (JSC::UnlinkedCodeBlock::setSymbolTable): Deleted.
3089         * bytecompiler/BytecodeGenerator.cpp:
3090         (JSC::BytecodeGenerator::generate):
3091         (JSC::BytecodeGenerator::BytecodeGenerator):
3092         (JSC::BytecodeGenerator::pushLexicalScope):
3093         (JSC::BytecodeGenerator::variableForLocalEntry):
3094         (JSC::BytecodeGenerator::createVariable):
3095         (JSC::BytecodeGenerator::resolveType):
3096         (JSC::BytecodeGenerator::emitResolveScope):
3097         * bytecompiler/BytecodeGenerator.h:
3098         (JSC::BytecodeGenerator::thisRegister):
3099         (JSC::BytecodeGenerator::instructions):
3100         (JSC::BytecodeGenerator::symbolTable): Deleted.
3101         * dfg/DFGGraph.h:
3102         (JSC::DFG::Graph::baselineCodeBlockFor):
3103         (JSC::DFG::Graph::isStrictModeFor):
3104         (JSC::DFG::Graph::symbolTableFor): Deleted.
3105         * jit/AssemblyHelpers.h:
3106         (JSC::AssemblyHelpers::baselineCodeBlock):
3107         (JSC::AssemblyHelpers::argumentsStart):
3108         (JSC::AssemblyHelpers::symbolTableFor): Deleted.
3109         * runtime/CommonSlowPaths.cpp:
3110         (JSC::SLOW_PATH_DECL):
3111         * runtime/Executable.cpp:
3112         (JSC::FunctionExecutable::visitChildren):
3113         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
3114         (JSC::FunctionExecutable::symbolTable): Deleted.
3115         * runtime/Executable.h:
3116
3117 2015-07-18  Filip Pizlo  <fpizlo@apple.com>
3118
3119         REGRESSION(186691): OSR entry is broken on loop headers that have no live variables
3120         https://bugs.webkit.org/show_bug.cgi?id=147074
3121         rdar://problem/21869970
3122
3123         Reviewed by Michael Saboff.
3124         
3125         The OSR entry must-handle block/value widening introduced in r186691 would cause the
3126         CFA to reexecute if it caused any live local variables to change value. But this fails
3127         if the must-handle block has no live local variables, and the entry block otherwise
3128         appears to be unreachable.
3129         
3130         This fixes the bug by having the change detection include whether the block hadn't been
3131         visited in addition to whether any local variable values got widened.
3132         
3133         This is a ~4% speed-up on SunSpider in browser.
3134
3135         * dfg/DFGCFAPhase.cpp:
3136         (JSC::DFG::CFAPhase::run):
3137
3138 2015-07-20  Mark Lam  <mark.lam@apple.com>
3139
3140         Rollout r187020 and r187021: breaks JSC API tests on debug builds.
3141         https://bugs.webkit.org/show_bug.cgi?id=147110
3142
3143         * heap/MachineStackMarker.cpp:
3144         (JSC::MachineThreads::addCurrentThread):
3145         * runtime/JSLock.cpp:
3146         (JSC::JSLockHolder::~JSLockHolder):
3147         (JSC::JSLock::JSLock):
3148         (JSC::JSLock::willDestroyVM):
3149         (JSC::JSLock::setExclusiveThread):
3150         (JSC::JSLock::lock):
3151         (JSC::JSLock::unlock):
3152         (JSC::JSLock::currentThreadIsHoldingLock):
3153         (JSC::JSLock::dropAllLocks):
3154         * runtime/JSLock.h:
3155         (JSC::JSLock::vm):
3156         (JSC::JSLock::hasExclusiveThread):
3157         (JSC::JSLock::exclusiveThread):
3158         * runtime/VM.h:
3159         (JSC::VM::hasExclusiveThread):
3160         (JSC::VM::exclusiveThread):
3161         (JSC::VM::setExclusiveThread):
3162
3163 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
3164
3165         Unreviewed debug build fix after r187020.
3166
3167         * heap/MachineStackMarker.cpp:
3168         (JSC::MachineThreads::addCurrentThread):
3169         VM::exclusiveThread() has changed return type to ThreadIdentifier.
3170
3171 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
3172
3173         JavaScriptCore performance is very bad on Windows
3174         https://bugs.webkit.org/show_bug.cgi?id=146448
3175
3176         Reviewed by Mark Lam.
3177
3178         Profiling shows that std::this_thread::get_id() is slow on Windows.
3179         Use WTF::currentThread() instead, which calls GetCurrentThreadId().
3180         This is faster on Windows. The issue has been reported to Microsoft,
3181         https://connect.microsoft.com/VisualStudio/feedback/details/1558211.
3182
3183         * runtime/JSLock.cpp:
3184         (JSC::JSLockHolder::~JSLockHolder):
3185         (JSC::JSLock::JSLock):
3186         (JSC::JSLock::willDestroyVM):
3187         (JSC::JSLock::setExclusiveThread):
3188         (JSC::JSLock::lock):
3189         (JSC::JSLock::unlock):
3190         (JSC::JSLock::currentThreadIsHoldingLock):
3191         * runtime/JSLock.h:
3192         (JSC::JSLock::vm):
3193         (JSC::JSLock::hasExclusiveThread):
3194         (JSC::JSLock::exclusiveThread):
3195         * runtime/VM.h:
3196         (JSC::VM::hasExclusiveThread):
3197         (JSC::VM::exclusiveThread):
3198         (JSC::VM::setExclusiveThread):
3199
3200 2015-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3201
3202         In strict mode, `Object.keys(arguments)` includes "length"
3203         https://bugs.webkit.org/show_bug.cgi?id=147071
3204
3205         Reviewed by Darin Adler.
3206
3207         ClonedArguments didn't set the "length" with DontEnum.
3208
3209         * runtime/ClonedArguments.cpp:
3210         (JSC::ClonedArguments::createWithInlineFrame):
3211         (JSC::ClonedArguments::createByCopyingFrom):
3212         * tests/stress/arguments-length-always-dont-enum.js: Added.
3213         (shouldBe):
3214         (argsSloppy):
3215         (argsStrict):
3216
3217 2015-07-19  Jordan Harband  <ljharb@gmail.com>
3218
3219         new Date(NaN).toJSON() must return null instead of throwing a TypeError
3220         https://bugs.webkit.org/show_bug.cgi?id=141115
3221
3222         Reviewed by Yusuke Suzuki.
3223
3224         * runtime/DatePrototype.cpp:
3225         (JSC::dateProtoFuncToJSON):
3226
3227 2015-07-19  Saam barati  <saambarati1@gmail.com>
3228
3229         Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions
3230         https://bugs.webkit.org/show_bug.cgi?id=147090
3231
3232         Reviewed by Yusuke Suzuki.
3233
3234         ArrowFunctions have their ParserFunctionInfo "name" field set to 
3235         a non-null pointer. This is obviously allowed and valid except we 
3236         had a RELEASE_ASSERT that claimed otherwise. This is a mistake. 
3237
3238         Note: ArrowFunctions will never actually have a function name;
3239         their ParserFunctionInfo "name" field will be the empty string. 
3240         This is not to be mistaken with the name field being a null pointer.
3241
3242         * parser/Parser.cpp:
3243         (JSC::Parser<LexerType>::parseFunctionInfo):
3244
3245 2015-07-18  Saam barati  <saambarati1@gmail.com>
3246
3247         [ES6] Add support for block scope const
3248         https://bugs.webkit.org/show_bug.cgi?id=31813
3249
3250         Reviewed by Filip Pizlo.
3251
3252         'const' is now implemented in an ES6 spec compliant manner.
3253         'const' variables are always block scoped and always live
3254         either on the stack or in a JSLexicalEnvironment. 'const'
3255         variables never live on the global object.
3256
3257         Inside the BytecodeGenerator, when assigning to a stack
3258         'const' variable or a LocalClosureVar 'const' variable,
3259         we will emit code that just throws a type error.
3260         When assigning to a ClosureVar const variable, CodeBlock linking
3261         will ensure that we perform a dynamic lookup of that variable so
3262         that put_to_scope's slow path throws a type error.
3263
3264         The old 'const' implementation has been removed in this patch.
3265
3266         * bytecode/BytecodeList.json:
3267         * bytecode/BytecodeUseDef.h:
3268         (JSC::computeUsesForBytecodeOffset):
3269         (JSC::computeDefsForBytecodeOffset):
3270         * bytecode/CodeBlock.cpp:
3271         (JSC::CodeBlock::dumpBytecode):
3272         (JSC::CodeBlock::CodeBlock):
3273         * bytecompiler/BytecodeGenerator.cpp:
3274         (JSC::BytecodeGenerator::BytecodeGenerator):
3275         (JSC::BytecodeGenerator::pushLexicalScope):
3276         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3277         (JSC::BytecodeGenerator::variable):
3278         (JSC::BytecodeGenerator::variableForLocalEntry):
3279         (JSC::BytecodeGenerator::createVariable):
3280         (JSC::BytecodeGenerator::emitResolveScope):
3281         (JSC::BytecodeGenerator::emitInstanceOf):
3282         (JSC::BytecodeGenerator::emitGetById):
3283         (JSC::BytecodeGenerator::isArgumentNumber):
3284         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3285         (JSC::BytecodeGenerator::emitEnumeration):
3286         (JSC::BytecodeGenerator::variablePerSymbolTable): Deleted.
3287         (JSC::BytecodeGenerator::emitInitGlobalConst): Deleted.
3288         * bytecompiler/BytecodeGenerator.h:
3289         (JSC::Variable::Variable):
3290         (JSC::Variable::isReadOnly):
3291         (JSC::Variable::isSpecial):
3292         (JSC::Variable::isConst):
3293         (JSC::BytecodeGenerator::thisRegister):
3294         (JSC::BytecodeGenerator::emitTypeOf):
3295         (JSC::BytecodeGenerator::emitIn):
3296         * bytecompiler/NodesCodegen.cpp:
3297         (JSC::PostfixNode::emitResolve):
3298         (JSC::PrefixNode::emitResolve):
3299         (JSC::ReadModifyResolveNode::emitBytecode):
3300         (JSC::AssignResolveNode::emitBytecode):
3301         (JSC::CommaNode::emitBytecode):
3302         (JSC::BindingNode::bindValue):
3303         (JSC::ConstDeclNode::emitCodeSingle): Deleted.
3304         (JSC::ConstDeclNode::emitBytecode): Deleted.
3305         (JSC::ConstStatementNode::emitBytecode): Deleted.
3306         * dfg/DFGByteCodeParser.cpp:
3307         (JSC::DFG::ByteCodeParser::parseBlock):
3308         * dfg/DFGCapabilities.cpp:
3309         (JSC::DFG::capabilityLevel):
3310         * jit/JIT.cpp:
3311         (JSC::JIT::privateCompileMainPass):
3312         * jit/JIT.h:
3313         * jit/JITPropertyAccess.cpp:
3314         (JSC::JIT::emit_op_put_to_arguments):
3315         (JSC::JIT::emit_op_init_global_const): Deleted.
3316         * jit/JITPropertyAccess32_64.cpp:
3317         (JSC::JIT::emit_op_put_to_arguments):
3318         (JSC::JIT::emit_op_init_global_const): Deleted.
3319         * llint/LowLevelInterpreter.asm:
3320         * llint/LowLevelInterpreter32_64.asm:
3321         * llint/LowLevelInterpreter64.asm:
3322         * parser/ASTBuilder.h:
3323         (JSC::ASTBuilder::createDeclarationStatement):
3324         (JSC::ASTBuilder::createEmptyVarExpression):
3325         (JSC::ASTBuilder::createDebugger):
3326         (JSC::ASTBuilder::appendStatement):
3327         (JSC::ASTBuilder::createVarStatement): Deleted.
3328         (JSC::ASTBuilder::createLetStatement): Deleted.
3329         (JSC::ASTBuilder::createConstStatement): Deleted.
3330         (JSC::ASTBuilder::appendConstDecl): Deleted.
3331         * parser/NodeConstructors.h:
3332         (JSC::CommaNode::CommaNode):
3333         (JSC::SourceElements::SourceElements):
3334         (JSC::SwitchNode::SwitchNode):
3335         (JSC::BlockNode::BlockNode):
3336         (JSC::ConstStatementNode::ConstStatementNode): Deleted.
3337         (JSC::ConstDeclNode::ConstDeclNode): Deleted.
3338         * parser/Nodes.h:
3339         (JSC::ConstDeclNode::hasInitializer): Deleted.
3340         (JSC::ConstDeclNode::ident): Deleted.
3341         * parser/Parser.cpp:
3342         (JSC::Parser<LexerType>::parseStatementListItem):
3343         (JSC::Parser<LexerType>::parseVariableDeclaration):
3344         (JSC::Parser<LexerType>::parseWhileStatement):
3345         (JSC::Parser<LexerType>::parseVariableDeclarationList):
3346         (JSC::Parser<LexerType>::createBindingPattern):
3347         (JSC::Parser<LexerType>::parseDestructuringPattern):
3348         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
3349         (JSC::Parser<LexerType>::parseForStatement):
3350         (JSC::Parser<LexerType>::parseTryStatement):
3351         (JSC::Parser<LexerType>::parseFunctionInfo):
3352         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3353         (JSC::Parser<Le