Progress towards CMake on Windows and Mac.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Windows and Mac.
        https://bugs.webkit.org/show_bug.cgi?id=143293

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Enabled using assembly on Windows.
        Replaced Unix commands with CMake commands.
        * PlatformMac.cmake:
        Tell open source builders where to find unicode headers.

2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        IteratorClose should be called when jumping over the target for-of loop
        https://bugs.webkit.org/show_bug.cgi?id=143140

        Reviewed by Geoffrey Garen.

        This patch fixes labeled break/continue behaviors with for-of and iterators.

        1. Support IteratorClose beyond multiple loop contexts
        Previously, IteratorClose was only executed in for-of's breakTarget().
        However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
        For example,
        outer: for (var e1 of outer) {
            inner: for (var e2 of inner) {
                break outer;
            }
        }
        In this case, the return method of inner should be called.
        We leverage the existing system for `finally` to execute the inner.return method correctly.
        Leveraging the `finally` system fixes the `break`, `continue` and `return` cases.
        The `throw` case is already supported by emitting try-catch handlers in for-of.

        2. Incorrect LabelScope creation is done in ForOfNode
        ForOfNode creates a duplicated LabelScope.
        It causes an infinite loop when executing the following program that contains
        an explicitly labeled for-of loop.
        For example,
        inner: for (var elm of array) {
            continue inner;
        }

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyContext):
        (JSC::BytecodeGenerator::pushIteratorCloseContext):
        (JSC::BytecodeGenerator::popFinallyContext):
        (JSC::BytecodeGenerator::popIteratorCloseContext):
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorClose):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForOfNode::emitBytecode):
        * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
        (createIterator.iterator.return):
        (createIterator):
        * tests/stress/raise-error-in-iterator-close.js: Added.
        (createIterator.iterator.return):
        (createIterator):

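The IteratorClose behaviour this entry describes, as an added example (hand-written here, not JSC's own stress tests): iterators that record when their return() method runs, exercised by a labeled break across two for-of loops, a labeled continue, a return from nested loops, and a return() that throws.

```javascript
// Builds an iterator whose return() appends `name` to `log`, so a test can
// see exactly which iterators IteratorClose reached and in what order.
function createIterator(name, log, values) {
    let index = 0;
    return {
        [Symbol.iterator]() { return this; },
        next() {
            if (index < values.length)
                return { value: values[index++], done: false };
            return { value: undefined, done: true };
        },
        return() {
            log.push(name); // IteratorClose reached this iterator
            return { value: undefined, done: true };
        },
    };
}

// `break outer` from inside the inner loop is an abrupt completion for
// BOTH loops, so the inner iterator must be closed first, then the outer.
function labeledBreakClosesBoth() {
    const log = [];
    outer: for (const e1 of createIterator("outer", log, [1, 2, 3])) {
        for (const e2 of createIterator("inner", log, [1, 2, 3])) {
            break outer;
        }
    }
    return log; // ["inner", "outer"]
}

// `continue inner` targets the loop it is written in: the loop keeps
// going, no IteratorClose happens, and it must terminate after 3 items.
function labeledContinueDoesNotClose() {
    const log = [];
    let visited = 0;
    inner: for (const elm of createIterator("inner", log, [1, 2, 3])) {
        visited++;
        continue inner;
    }
    return { visited, log }; // { visited: 3, log: [] }
}

// `return` from inside nested for-of loops unwinds both loops and closes
// both iterators, innermost first.
function returnClosesBoth() {
    const log = [];
    const result = (function () {
        for (const e1 of createIterator("outer", log, [10, 20])) {
            for (const e2 of createIterator("inner", log, [1, 2])) {
                return e1 + e2;
            }
        }
    })();
    return { result, log }; // { result: 11, log: ["inner", "outer"] }
}

// An error thrown by return() during IteratorClose propagates out of
// the loop (the raise-error-in-iterator-close case).
function errorFromReturnPropagates() {
    const iterator = createIterator("x", [], [1, 2]);
    iterator.return = () => { throw new Error("close failed"); };
    try {
        for (const v of iterator) break;
    } catch (e) {
        return e.message;
    }
    return "no error";
}
```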
2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Symbol.unscopables
        https://bugs.webkit.org/show_bug.cgi?id=142829

        Reviewed by Geoffrey Garen.

        This patch introduces Symbol.unscopables functionality.
        In ES6, some generic names (like keys, values) are introduced
        as Array method names. And this breaks the web since some web sites
        use code like the following.

        var values = ...;
        with (array) {
            values;  // This values is trapped by array's method "values".
        }

        To fix this, Symbol.unscopables introduces a blacklist
        for with scope's trapping. When resolving scope,
        if the name is found in the target scope and the target scope is a with scope,
        we check the Symbol.unscopables object to filter generic names.

        This functionality is only active for with scopes.
        Global scope does not have unscopables functionality.

        And since
        1) op_resolve_scope for with scope always returns Dynamic resolve type,
        2) in that case, JSScope::resolve is always used in JIT and LLInt,
        3) the code which contains op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
        to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
        So the performance regression is only visible in the Dynamic resolving case, and it is already very slow.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::runtimeFlags):
        * runtime/JSScope.cpp:
        (JSC::isUnscopable):
        (JSC::JSScope::resolve):
        * runtime/JSScope.h:
        (JSC::ScopeChainIterator::scope):
        * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
        (test):
        * tests/stress/unscopables.js: Added.
        (test):
        (.):

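The with-scope filtering described above, as an added example (not JSC's own stress tests). `with` is illegal in strict code, so the lookup is built with the Function constructor, whose body is sloppy-mode regardless of how the file is loaded; `unscopableProbe` is a name constructed for the global-scope check.

```javascript
// Resolves the name `values` inside `with (scopeObject)`. The function's
// own `var values` is the fallback when the with scope declines the name.
const lookupValuesWithin = new Function(
    "scopeObject",
    "var values = 'outer'; with (scopeObject) { return values; }"
);

function unscopablesDemo() {
    const array = [1, 2, 3];
    return {
        // Array.prototype[Symbol.unscopables] lists "values", so the
        // generic name is NOT trapped by the array's method.
        arrayListsValues: Array.prototype[Symbol.unscopables].values === true,
        array: lookupValuesWithin(array),
        // A plain object has no blacklist: its own `values` wins.
        plain: lookupValuesWithin({ values: "inner" }),
        // Any object can opt names out of with-scope resolution.
        blacklisted: lookupValuesWithin({
            values: "inner",
            [Symbol.unscopables]: { values: true },
        }),
        // Only names actually present on the blacklist are filtered.
        notListed: lookupValuesWithin({
            values: "inner",
            [Symbol.unscopables]: { keys: true },
        }),
    };
}
// returns { arrayListsValues: true, array: "outer", plain: "inner",
//           blacklisted: "outer", notListed: "inner" }

// The blacklist is consulted only for with scopes: a global property named
// in globalThis[Symbol.unscopables] still resolves through the global scope.
function globalScopeIgnoresUnscopables() {
    globalThis.unscopableProbe = "still visible";   // constructed global
    globalThis[Symbol.unscopables] = { unscopableProbe: true };
    try {
        return new Function("return unscopableProbe;")();
    } finally {
        delete globalThis.unscopableProbe;
        delete globalThis[Symbol.unscopables];
    }
}
```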
2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 class syntax should allow static setters and getters
        https://bugs.webkit.org/show_bug.cgi?id=143180

        Reviewed by Filip Pizlo.

        Apparently I misread the spec when I initially implemented parseClass.
        ES6 class syntax allows static getters and setters so just allow that.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-03-31  Filip Pizlo  <fpizlo@apple.com>

        PutClosureVar CSE def() rule has a wrong base
        https://bugs.webkit.org/show_bug.cgi?id=143280

        Reviewed by Michael Saboff.

        I think that this code was incorrect in a benign way, since the base of a
        PutClosureVar is not a JS-visible object. But it was preventing some optimizations.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182200.
        https://bugs.webkit.org/show_bug.cgi?id=143279

        Probably causing assertion extravaganza on bots. (Requested by
        kling on #webkit).

        Reverted changeset:

        "Logically empty WeakBlocks should not pin down their
        MarkedBlocks indefinitely."
        https://bugs.webkit.org/show_bug.cgi?id=143210
        http://trac.webkit.org/changeset/182200

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up Identifier factories to clarify the meaning of StringImpl*
        https://bugs.webkit.org/show_bug.cgi?id=143146

        Reviewed by Filip Pizlo.

        In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
        However, it's ambiguous because `StringImpl*` has 2 different meanings.
        1) normal string, it is replaceable with `WTFString` and
        2) `uid`, which holds `isSymbol` information to represent Symbols.
        So we dropped Identifier constructors for strings and instead, introduced 2 factory functions.
        + `Identifier::fromString(VM*/ExecState*, const String&)`.
        Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
        + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
        This function is used for 2) `uid`. So the symbol-ness of `StringImpl*` is kept.

        And to clean up `StringImpl` which is used as uid,
        we introduce `StringKind` into `StringImpl`. There are 3 kinds
        1. StringNormal (non-atomic, non-symbol)
        2. StringAtomic (atomic, non-symbol)
        3. StringSymbol (non-atomic, symbol)
        They are mutually exclusive. And the (atomic, symbol) case should not exist.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        (JSC::BytecodeGenerator::emitEnumeration):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::addFunction):
        (GlobalObject::addConstructableFunction):
        (functionRun):
        (runWithScripts):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::createBindingPattern):
        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
        (JSC::IdentifierArena::makeNumericIdentifier):
        * runtime/ArgumentsIteratorPrototype.cpp:
        (JSC::ArgumentsIteratorPrototype::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncPush):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::hasErrorInfo):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/Identifier.h:
        (JSC::Identifier::isSymbol):
        (JSC::Identifier::Identifier):
        (JSC::Identifier::from): Deleted.
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::Identifier):
        (JSC::Identifier::fromUid):
        (JSC::Identifier::fromString):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        (JSC::makeIdentifier):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncRace):
        (JSC::JSPromiseConstructorFuncAll):
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::makeIdentifier):
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::addKnownUnique):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/SymbolConstructor.cpp:
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):

2015-03-31  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done.)

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
        https://bugs.webkit.org/show_bug.cgi?id=142883

        Reviewed by Filip Pizlo.

        The crash was caused by eval inside the constructor of a derived class not checking TDZ.

        Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
        in eval inside a derived class' constructor.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::getSlow):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::thisExpr):
        * parser/NodeConstructors.h:
        (JSC::ThisNode::ThisNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::thisExpr):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        * runtime/Executable.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
        * tests/stress/class-syntax-tdz-in-eval.js: Added.

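The situation this entry fixes, as an added example (not JSC's own stress tests): a direct eval that touches `this` in a derived-class constructor before super() has run. `this` is in its TDZ at that point, so the access must raise a ReferenceError rather than read an uninitialized value; `Base`, `Derived` and `probe` are names constructed for the example.

```javascript
class Base {
    constructor() {
        this.foo = "set by Base";
    }
}

class Derived extends Base {
    constructor(evalBeforeSuper) {
        let seen;
        if (evalBeforeSuper) {
            // `this` is uninitialized here: the TDZ check must fire even
            // though the access is inside eval'd code.
            seen = eval("this.foo");
        }
        super();
        if (!evalBeforeSuper) {
            // After super() the binding is initialized and eval sees it.
            seen = eval("this.foo");
        }
        this.seen = seen;
    }
}

// Runs the constructor and reports either the value eval produced or the
// name of the error class that was thrown.
function probe(evalBeforeSuper) {
    try {
        return { value: new Derived(evalBeforeSuper).seen, error: null };
    } catch (e) {
        return { value: undefined, error: e.constructor.name };
    }
}
// probe(true)  -> { value: undefined, error: "ReferenceError" }
// probe(false) -> { value: "set by Base", error: null }
```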
2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182186.
        https://bugs.webkit.org/show_bug.cgi?id=143270

        it crashes all the WebGL tests on the Debug bots (Requested by
        dino on #webkit).

        Reverted changeset:

        "Web Inspector: add 2D/WebGL canvas instrumentation
        infrastructure"
        https://bugs.webkit.org/show_bug.cgi?id=137278
        http://trac.webkit.org/changeset/182186

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
        https://bugs.webkit.org/show_bug.cgi?id=142937

        Reviewed by Darin Adler.

        In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
        In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
        But now, several functions perform ToObject onto a non-object parameter.
        And others behave as if a parameter is a non-extensible ordinary object with no own properties.
        It is described in ES6 Annex E.
        Functions that differ from ES5 are the following.

        1. An attempt is made to coerce the argument using ToObject.
            Object.getOwnPropertyDescriptor
            Object.getOwnPropertyNames
            Object.getPrototypeOf
            Object.keys

        2. Treated as if it was a non-extensible ordinary object with no own properties.
            Object.freeze
            Object.isExtensible
            Object.isFrozen
            Object.isSealed
            Object.preventExtensions
            Object.seal

        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        * tests/stress/object-freeze-accept-non-object.js: Added.
        * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
        (canary):
        * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
        * tests/stress/object-is-extensible-accept-non-object.js: Added.
        * tests/stress/object-is-frozen-accept-non-object.js: Added.
        * tests/stress/object-is-sealed-accept-non-object.js: Added.
        * tests/stress/object-keys-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
        * tests/stress/object-seal-accept-non-object.js: Added.

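The two groups of Object.* functions listed above, walked through with primitive arguments as an added example (not JSC's own stress tests). It also covers the edge the entry leaves implicit: ToObject still rejects null and undefined, while the second group accepts even null.

```javascript
// Returns true when `fn` throws a TypeError, false otherwise.
function throwsTypeError(fn) {
    try {
        fn();
    } catch (e) {
        return e instanceof TypeError;
    }
    return false;
}

function objectFunctionsOnPrimitives() {
    const str = "ab";
    const num = 42;
    return {
        // Group 1: ToObject is applied, so "ab" behaves like a String wrapper
        // with indexed own properties and a `length`.
        keys: Object.keys(str),                                   // ["0", "1"]
        ownNames: Object.getOwnPropertyNames(str),                // ["0", "1", "length"]
        protoIsStringPrototype:
            Object.getPrototypeOf(str) === String.prototype,      // true
        lengthDescriptorValue:
            Object.getOwnPropertyDescriptor(str, "length").value, // 2
        // ToObject(null) still throws, exactly as in ES5.
        keysOfNullThrows: throwsTypeError(() => Object.keys(null)), // true

        // Group 2: treated as a non-extensible ordinary object with no own
        // properties. The primitive comes back unchanged, never wrapped.
        freezeReturnsSame: Object.freeze(num) === num,            // true
        sealReturnsSame: Object.seal(num) === num,                // true
        preventExtensionsReturnsSame:
            Object.preventExtensions(num) === num,                // true
        isExtensible: Object.isExtensible(num),                   // false
        isFrozen: Object.isFrozen(num),                           // true
        isSealed: Object.isSealed(num),                           // true
        // No ToObject in this group, so even null is accepted.
        freezeNullReturnsNull: Object.freeze(null) === null,      // true
    };
}
```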
2015-03-31  Matt Baker  <mattbaker@apple.com>

        Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
        https://bugs.webkit.org/show_bug.cgi?id=137278

        Reviewed by Timothy Hatcher.

        Added Canvas protocol which defines types used by InspectorCanvasAgent.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/Canvas.json: Added.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.

2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>

        Extending null should set __proto__ to null
        https://bugs.webkit.org/show_bug.cgi?id=142882

        Reviewed by Geoffrey Garen and Benjamin Poulain.

        Set Derived.prototype.__proto__ to null when extending null.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):

2015-03-30  Mark Lam  <mark.lam@apple.com>

        REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
        <https://webkit.org/b/143105>

        Reviewed by Filip Pizlo.

        With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
        on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
        JIT frames that may have their scope register not set.  The Debugger's current implementation,
        which relies on the scope register, is not happy about this.  For example, this results in a
        crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.

        The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
        ensure that the scope register value is flushed to the register in the stack frame.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::flush):
        - Add code to flush the scope register.
        (JSC::DFG::ByteCodeParser::inliningCost):
        - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
          disabling inlining whenever the debugger is in use.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasDebuggerEnabled):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.

2015-03-30  Michael Saboff  <msaboff@apple.com>

        Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=138391

        Reviewed by Mark Lam.

        Re-enabling these tests as I can't get them to fail on local iOS test devices.
        There have been many changes since these tests were disabled.
        I'll watch automated test results for failures.  If there are failures running automated
        testing, it might be due to the device's relative CPU performance.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Regression: Preview for [[null]] shouldn't be []
        https://bugs.webkit.org/show_bug.cgi?id=143208

        Reviewed by Mark Lam.

        * inspector/InjectedScriptSource.js:
        Handle null when generating simple object previews.

2015-03-30  Per Arne Vollan  <peavo@outlook.com>

        Avoid using hardcoded values for JSValue::Int32Tag, if possible.
        https://bugs.webkit.org/show_bug.cgi?id=143134

        Reviewed by Geoffrey Garen.

        * jit/JSInterfaceJIT.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2015-03-30  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
        https://bugs.webkit.org/show_bug.cgi?id=143104

        Reviewed by Geoffrey Garen.

        Created a test that is a 100% repro of the flaky failure. This test is called
        get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
        always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
        the inlined function. Other than that, it's the same as inline-arguments-local-escape.

        Also created three more tests for three similar, but not identical, failures.

        Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
        only reading those parts of the stack that are relevant to the current semantic code origin.
        That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
        like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
        read parts of the stack associated with the inline call frame for the phantom arguments. This
        may not be subsumed by the current semantic origin's stack area in cases that the arguments
        were allowed to "locally" escape.

        The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
        is not really a meaningful concept anymore. It is only meaningful for nodes that will read
        the stack due to function.arguments, but there are a bunch of other ways that we could also
        read the stack and those operations may read any stack slot. I believe that this change makes
        PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
        on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
        readTop() in PreciseLocalClobberize does the right thing.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
        * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.

2015-03-30  Benjamin Poulain  <benjamin@webkit.org>

        Start the features.json files
        https://bugs.webkit.org/show_bug.cgi?id=143207

        Reviewed by Darin Adler.

        Start the features.json files to have something to experiment
        with for the UI.

        * features.json: Added.

2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>

        [Win] Addressing post-review comment after r182122
        https://bugs.webkit.org/show_bug.cgi?id=143189

        Unreviewed.

668 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
669
670         [Win] Allow building JavaScriptCore without Cygwin
671         https://bugs.webkit.org/show_bug.cgi?id=143189
672
673         Reviewed by Brent Fulgham.
674
675         Paths like /usr/bin/ don't exist on Windows.
676         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
677         Prefixing commands with environment variables doesn't work on Windows.
678         Windows doesn't have 'cmp'
679         Windows uses 'del' instead of 'rm'
680         Windows uses 'type NUL' instead of 'touch'
681
682         * DerivedSources.make:
683         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
684         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
685         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
686         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
687         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
688         * JavaScriptCore.vcxproj/build-generated-files.pl:
689         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
690
691 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
692
693         Clean up JavaScriptCore/builtins
694         https://bugs.webkit.org/show_bug.cgi?id=143177
695
696         Reviewed by Ryosuke Niwa.
697
698         * builtins/ArrayConstructor.js:
699         (from):
700         - We can compare to undefined instead of using a typeof undefined check.
701         - Converge on double quoted strings everywhere.
702
703         * builtins/ArrayIterator.prototype.js:
704         (next):
705         * builtins/StringIterator.prototype.js:
706         (next):
707         - Use shorthand object construction to avoid duplication.
708         - Improve grammar in error messages.
709
710         * tests/stress/array-iterators-next-with-call.js:
711         * tests/stress/string-iterators.js:
712         - Update for new error message strings.
713
714 2015-03-28  Saam Barati  <saambarati1@gmail.com>
715
716         Web Inspector: ES6: Better support for Symbol types in Type Profiler
717         https://bugs.webkit.org/show_bug.cgi?id=141257
718
719         Reviewed by Joseph Pecoraro.
720
721         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
722         type profiler support this new primitive type.
723
724         * dfg/DFGFixupPhase.cpp:
725         (JSC::DFG::FixupPhase::fixupNode):
726         * inspector/protocol/Runtime.json:
727         * runtime/RuntimeType.cpp:
728         (JSC::runtimeTypeForValue):
729         * runtime/RuntimeType.h:
730         (JSC::runtimeTypeIsPrimitive):
731         * runtime/TypeSet.cpp:
732         (JSC::TypeSet::addTypeInformation):
733         (JSC::TypeSet::dumpTypes):
734         (JSC::TypeSet::doesTypeConformTo):
735         (JSC::TypeSet::displayName):
736         (JSC::TypeSet::inspectorTypeSet):
737         (JSC::TypeSet::toJSONString):
738         * runtime/TypeSet.h:
739         (JSC::TypeSet::seenTypes):
740         * tests/typeProfiler/driver/driver.js:
741         * tests/typeProfiler/symbol.js: Added.
742         (wrapper.foo):
743         (wrapper.bar):
744         (wrapper.bar.bar.baz):
745         (wrapper):
746
747 2015-03-27  Saam Barati  <saambarati1@gmail.com>
748
749         Deconstruction parameters are bound too late
750         https://bugs.webkit.org/show_bug.cgi?id=143148
751
752         Reviewed by Filip Pizlo.
753
754         Currently, a deconstruction pattern named with the same
755         name as a function will shadow the function. This is
756         wrong. It should be the other way around.
757
758         * bytecompiler/BytecodeGenerator.cpp:
759         (JSC::BytecodeGenerator::generate):
760
761 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
762
763         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
764         https://bugs.webkit.org/show_bug.cgi?id=143170
765
766         Reviewed by Benjamin Poulain.
767
768         Assert that we never use 16-bit version of the parser to parse a default constructor
769         since both base and derived default constructors should be using an 8-bit string.
770
771         * parser/Parser.h:
772         (JSC::parse):
773
774 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
775
776         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
777         https://bugs.webkit.org/show_bug.cgi?id=142862
778
779         Reviewed by Benjamin Poulain.
780
781         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
782
783         * tests/stress/class-syntax-derived-default-constructor.js: Added.
784
785 2015-03-27  Michael Saboff  <msaboff@apple.com>
786
787         load8Signed() and load16Signed() should be renamed to avoid confusion
788         https://bugs.webkit.org/show_bug.cgi?id=143168
789
790         Reviewed by Benjamin Poulain.
791
792         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
793
794         * assembler/MacroAssemblerARM.h:
795         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
796         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
797         (JSC::MacroAssemblerARM::load8Signed): Deleted.
798         (JSC::MacroAssemblerARM::load16Signed): Deleted.
799         * assembler/MacroAssemblerARM64.h:
800         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
801         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
802         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
803         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
804         * assembler/MacroAssemblerARMv7.h:
805         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
806         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
807         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
808         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
809         * assembler/MacroAssemblerMIPS.h:
810         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
811         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
812         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
813         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
814         * assembler/MacroAssemblerSH4.h:
815         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
816         (JSC::MacroAssemblerSH4::load8):
817         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
818         (JSC::MacroAssemblerSH4::load16):
819         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
820         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
821         * assembler/MacroAssemblerX86Common.h:
822         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
823         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
824         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
825         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
826         * dfg/DFGSpeculativeJIT.cpp:
827         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
828         * jit/JITPropertyAccess.cpp:
829         (JSC::JIT::emitIntTypedArrayGetByVal):
830
831 2015-03-27  Michael Saboff  <msaboff@apple.com>
832
833         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
834         https://bugs.webkit.org/show_bug.cgi?id=138390
835
836         Reviewed by Mark Lam.
837
838         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
839         instead of 64 bits.  This is what X86-64 does.
840
841         * assembler/MacroAssemblerARM64.h:
842         (JSC::MacroAssemblerARM64::load16Signed):
843         (JSC::MacroAssemblerARM64::load8Signed):
844
845 2015-03-27  Saam Barati  <saambarati1@gmail.com>
846
847         Add back previously broken assert from bug 141869
848         https://bugs.webkit.org/show_bug.cgi?id=143005
849
850         Reviewed by Michael Saboff.
851
852         * runtime/ExceptionHelpers.cpp:
853         (JSC::invalidParameterInSourceAppender):
854
855 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
856
857         Make some more objects use FastMalloc
858         https://bugs.webkit.org/show_bug.cgi?id=143122
859
860         Reviewed by Csaba Osztrogonác.
861
862         * API/JSCallbackObject.h:
863         * heap/IncrementalSweeper.h:
864         * jit/JITThunks.h:
865         * runtime/JSGlobalObjectDebuggable.h:
866         * runtime/RegExpCache.h:
867
868 2015-03-27  Michael Saboff  <msaboff@apple.com>
869
870         Objects with numeric properties intermittently get a phantom 'length' property
871         https://bugs.webkit.org/show_bug.cgi?id=142792
872
873         Reviewed by Csaba Osztrogonác.
874
875         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
876         test and branch instructions.  This function is used for linking tbz/tbnz branches between
877         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
878         the failure case checks in the GetById array length stub created for "obj.length" access.
879         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
880         being set when we should have been looking for bit 0.
881
882         * assembler/ARM64Assembler.h:
883         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
884
885 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
886
887         Insert exception check around toPropertyKey call
888         https://bugs.webkit.org/show_bug.cgi?id=142922
889
890         Reviewed by Geoffrey Garen.
891
892         In some places, an exception check is missing after/before toPropertyKey.
893         However, since it calls toString, it's observable to users.
894
895         Missing exception checks in Object.prototype methods can be
896         observed since it would be overridden with toObject(null/undefined) errors.
897         We inserted exception checks after toPropertyKey.
898
899         Missing exception checks in GetById related code can be
900         observed since it would be overridden with toObject(null/undefined) errors.
901         In this case, we need to insert exception checks before/after toPropertyKey
902         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
903
904         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
905         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
906         According to the spec, we first perform RequireObjectCoercible and check the exception.
907         And second, we perform ToPropertyKey and check the exception.
908         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
909         For example, if the target is not object coercible,
910         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
911         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
912
913         This patch introduces JSValue::requireObjectCoercible and uses it because of the following 2 reasons.
914
915         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
916
917         toObject converts primitive types into wrapper objects.
918         But it is not efficient since wrapper objects are not necessary
919         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
920
921         2. Using the result of toObject is not correct to the spec.
922
923         To align to the spec correctly, we cannot use JSObject::get
924         by using the wrapper object produced by the toObject suggested in (1).
925         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
926         It is not correct since getter should be called with the original |this| value that may be primitive types.
927
928         So in this patch, we use JSValue::requireObjectCoercible
929         to check the target is object coercible and raise an error if it's not.
930
931         * dfg/DFGOperations.cpp:
932         * jit/JITOperations.cpp:
933         (JSC::getByVal):
934         * llint/LLIntSlowPaths.cpp:
935         (JSC::LLInt::getByVal):
936         * runtime/CommonSlowPaths.cpp:
937         (JSC::SLOW_PATH_DECL):
938         * runtime/JSCJSValue.h:
939         * runtime/JSCJSValueInlines.h:
940         (JSC::JSValue::requireObjectCoercible):
941         * runtime/ObjectPrototype.cpp:
942         (JSC::objectProtoFuncHasOwnProperty):
943         (JSC::objectProtoFuncDefineGetter):
944         (JSC::objectProtoFuncDefineSetter):
945         (JSC::objectProtoFuncLookupGetter):
946         (JSC::objectProtoFuncLookupSetter):
947         (JSC::objectProtoFuncPropertyIsEnumerable):
948         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
949         (shouldThrow):
950         (if):
951         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
952         (shouldThrow):
953         (.):
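
The ordering described in this entry is observable from script, so it can be checked without touching JSC internals. The following is an added example, not part of the WebKit ChangeLog or JSC's test suite; the probe key objects and the KeyError class are constructed for the demonstration.

```javascript
// Added example (not WebKit/JSC code). Two probes for the exception-check
// ordering discussed in the ChangeLog entry above.

// Case 1: obj[key] must apply RequireObjectCoercible to the base before
// ToPropertyKey runs on the key. With a null/undefined base, the key's
// toString must never execute, and the error must be the TypeError raised
// for the non-coercible base rather than anything produced by toString.
function getByValOnBase(base) {
  const log = [];
  // Constructed probe key: records whether ToPropertyKey reached toString.
  const key = { toString() { log.push("toString"); return "prop"; } };
  let thrown = null;
  try {
    base[key]; // GetByVal with a non-primitive key
  } catch (e) {
    thrown = e;
  }
  return {
    toStringCalled: log.length > 0,
    errorName: thrown === null ? null : thrown.constructor.name,
  };
}

// Case 2: Object.prototype.hasOwnProperty performs ToPropertyKey(V) first and
// ToObject(this) second. An exception thrown by toString during ToPropertyKey
// must propagate unchanged; a missing exception check after toPropertyKey
// would let the later toObject(null) TypeError overwrite it.
class KeyError extends Error {}

function hasOwnPropertyWithThrowingKey(thisValue) {
  // Constructed probe key whose ToPropertyKey conversion always throws.
  const key = { toString() { throw new KeyError("thrown from toString"); } };
  try {
    Object.prototype.hasOwnProperty.call(thisValue, key);
    return "no-throw";
  } catch (e) {
    return e instanceof KeyError ? "KeyError" : e.constructor.name;
  }
}
```

A conforming engine reports no toString call and a TypeError for a null base in case 1, and surfaces KeyError (not a TypeError from toObject) in case 2 whether `this` is null or an ordinary object.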
954
955 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
956
957         WebContent Crash when instantiating class with Type Profiling enabled
958         https://bugs.webkit.org/show_bug.cgi?id=143037
959
960         Reviewed by Ryosuke Niwa.
961
962         * bytecompiler/BytecodeGenerator.h:
963         * bytecompiler/BytecodeGenerator.cpp:
964         (JSC::BytecodeGenerator::BytecodeGenerator):
965         (JSC::BytecodeGenerator::emitMoveEmptyValue):
966         We cannot profile the type of an uninitialized empty JSValue.
967         Nor do we expect this to be necessary, since it is effectively
968         an unseen undefined value. So add a way to put the empty value
969         without profiling.
970
971         (JSC::BytecodeGenerator::emitMove):
972         Add an assert to try to catch this issue early on, and force
973         callers to explicitly use emitMoveEmptyValue instead.
974
975         * tests/typeProfiler/classes.js: Added.
976         (wrapper.Base):
977         (wrapper.Derived):
978         (wrapper):
979         Add test coverage both for this case and classes in general.
980
981 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
982
983         Web Inspector: ES6: Provide a better view for Classes in the console
984         https://bugs.webkit.org/show_bug.cgi?id=142999
985
986         Reviewed by Timothy Hatcher.
987
988         * inspector/protocol/Runtime.json:
989         Provide a new `subtype` enum "class". This is a subtype of `type`
990         "function", all other subtypes are subtypes of `object` types.
991         For a class, the frontend will immediately want to get the prototype
992         to enumerate its methods, so include the `classPrototype`.
993
994         * inspector/JSInjectedScriptHost.cpp:
995         (Inspector::JSInjectedScriptHost::subtype):
996         Denote class construction functions as "class" subtypes.
997
998         * inspector/InjectedScriptSource.js:
999         Handling for the new "class" type.
1000
1001         * bytecode/UnlinkedCodeBlock.h:
1002         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
1003         * runtime/Executable.h:
1004         (JSC::FunctionExecutable::isClassConstructorFunction):
1005         * runtime/JSFunction.h:
1006         * runtime/JSFunctionInlines.h:
1007         (JSC::JSFunction::isClassConstructorFunction):
1008         Check if this function is a class constructor function. That information
1009         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
1010
1011 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1012
1013         Function.prototype.toString should not decompile the AST
1014         https://bugs.webkit.org/show_bug.cgi?id=142853
1015
1016         Reviewed by Darin Adler.
1017
1018         Following up on Darin's review comments.
1019
1020         * runtime/FunctionConstructor.cpp:
1021         (JSC::constructFunctionSkippingEvalEnabledCheck):
1022
1023 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1024
1025         "lineNo" does not match WebKit coding style guidelines
1026         https://bugs.webkit.org/show_bug.cgi?id=143119
1027
1028         Reviewed by Michael Saboff.
1029
1030         We can afford to use whole words.
1031
1032         * bytecode/CodeBlock.cpp:
1033         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1034         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
1035         * bytecode/UnlinkedCodeBlock.cpp:
1036         (JSC::UnlinkedFunctionExecutable::link):
1037         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1038         * bytecode/UnlinkedCodeBlock.h:
1039         * bytecompiler/NodesCodegen.cpp:
1040         (JSC::WhileNode::emitBytecode):
1041         * debugger/Debugger.cpp:
1042         (JSC::Debugger::toggleBreakpoint):
1043         * interpreter/Interpreter.cpp:
1044         (JSC::StackFrame::computeLineAndColumn):
1045         (JSC::GetStackTraceFunctor::operator()):
1046         (JSC::Interpreter::execute):
1047         * interpreter/StackVisitor.cpp:
1048         (JSC::StackVisitor::Frame::computeLineAndColumn):
1049         * parser/Nodes.h:
1050         (JSC::Node::firstLine):
1051         (JSC::Node::lineNo): Deleted.
1052         (JSC::StatementNode::firstLine): Deleted.
1053         * parser/ParserError.h:
1054         (JSC::ParserError::toErrorObject):
1055         * profiler/LegacyProfiler.cpp:
1056         (JSC::createCallIdentifierFromFunctionImp):
1057         * runtime/CodeCache.cpp:
1058         (JSC::CodeCache::getGlobalCodeBlock):
1059         * runtime/Executable.cpp:
1060         (JSC::ScriptExecutable::ScriptExecutable):
1061         (JSC::ScriptExecutable::newCodeBlockFor):
1062         (JSC::FunctionExecutable::fromGlobalCode):
1063         * runtime/Executable.h:
1064         (JSC::ScriptExecutable::firstLine):
1065         (JSC::ScriptExecutable::setOverrideLineNumber):
1066         (JSC::ScriptExecutable::hasOverrideLineNumber):
1067         (JSC::ScriptExecutable::overrideLineNumber):
1068         (JSC::ScriptExecutable::lineNo): Deleted.
1069         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
1070         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
1071         (JSC::ScriptExecutable::overrideLineNo): Deleted.
1072         * runtime/FunctionConstructor.cpp:
1073         (JSC::constructFunctionSkippingEvalEnabledCheck):
1074         * runtime/FunctionConstructor.h:
1075         * tools/CodeProfile.cpp:
1076         (JSC::CodeProfile::report):
1077         * tools/CodeProfile.h:
1078         (JSC::CodeProfile::CodeProfile):
1079
1080 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1081
1082         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
1083         https://bugs.webkit.org/show_bug.cgi?id=142974
1084
1085         Reviewed by Joseph Pecoraro.
1086
1087         This patch does two things:
1088
1089         (1) Restore JavaScriptCore's sanitization of line and column numbers to
1090         one-based values.
1091
1092         We need this because WebCore sometimes provides huge negative column
1093         numbers.
1094
1095         (2) Solve the attribute event listener line numbering problem a different
1096         way: Rather than offsetting all line numbers by -1 in an attribute event
1097         listener in order to arrange for a custom result, instead use an explicit
1098         feature for saying "all errors in this code should map to this line number".
1099
1100         * bytecode/UnlinkedCodeBlock.cpp:
1101         (JSC::UnlinkedFunctionExecutable::link):
1102         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1103         * bytecode/UnlinkedCodeBlock.h:
1104         * interpreter/Interpreter.cpp:
1105         (JSC::StackFrame::computeLineAndColumn):
1106         (JSC::GetStackTraceFunctor::operator()):
1107         * interpreter/Interpreter.h:
1108         * interpreter/StackVisitor.cpp:
1109         (JSC::StackVisitor::Frame::computeLineAndColumn):
1110         * parser/ParserError.h:
1111         (JSC::ParserError::toErrorObject): Plumb through an override line number.
1112         When a function has an override line number, all syntax and runtime
1113         errors in the function will map to it. This is useful for attribute event
1114         listeners.
1115  
1116         * parser/SourceCode.h:
1117         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
1118         column numbers to one-based integers. It was kind of a hack to remove this.
1119
1120         * runtime/Executable.cpp:
1121         (JSC::ScriptExecutable::ScriptExecutable):
1122         (JSC::FunctionExecutable::fromGlobalCode):
1123         * runtime/Executable.h:
1124         (JSC::ScriptExecutable::setOverrideLineNo):
1125         (JSC::ScriptExecutable::hasOverrideLineNo):
1126         (JSC::ScriptExecutable::overrideLineNo):
1127         * runtime/FunctionConstructor.cpp:
1128         (JSC::constructFunctionSkippingEvalEnabledCheck):
1129         * runtime/FunctionConstructor.h: Plumb through an override line number.
1130
1131 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1132
1133         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
1134
1135         Reviewed by Michael Saboff.
1136
1137         * jit/JITPropertyAccess.cpp:
1138         (JSC::JIT::emitScopedArgumentsGetByVal):
1139         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
1140
1141 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1142
1143         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
1144         https://bugs.webkit.org/show_bug.cgi?id=143098
1145
1146         Reviewed by Csaba Osztrogonác.
1147
1148         * ftl/FTLLowerDFGToLLVM.cpp:
1149         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
1150         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
1151
1152 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
1153
1154         Unreviewed gardening, skip failing tests on AArch64 Linux.
1155
1156         * tests/mozilla/mozilla-tests.yaml:
1157         * tests/stress/cached-prototype-setter.js:
1158
1159 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1160
1161         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
1162
1163         * dfg/DFGConstantFoldingPhase.cpp:
1164         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
1165         * ftl/FTLCompile.cpp:
1166         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
1167         * ftl/FTLState.cpp:
1168         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
1169         * ftl/FTLState.h:
1170
1171 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1172
1173         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
1174         right, so this just makes 32-bit do the same.
1175
1176         * dfg/DFGSpeculativeJIT32_64.cpp:
1177         (JSC::DFG::SpeculativeJIT::emitCall):
1178
1179 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1180
1181         Fix a typo that ggaren found but that I didn't fix before.
1182
1183         * runtime/DirectArgumentsOffset.h:
1184
1185 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1186
1187         Unreviewed, VC found a bug. This fixes the bug.
1188
1189         * dfg/DFGConstantFoldingPhase.cpp:
1190         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1191
1192 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1193
1194         Unreviewed, try to fix Windows build.
1195
1196         * runtime/ClonedArguments.cpp:
1197         (JSC::ClonedArguments::createWithInlineFrame):
1198
1199 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1200
1201         Unreviewed, fix debug build.
1202
1203         * bytecompiler/NodesCodegen.cpp:
1204         (JSC::ConstDeclNode::emitCodeSingle):
1205
1206 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1207
1208         Unreviewed, fix CLOOP build.
1209
1210         * dfg/DFGMinifiedID.h:
1211
1212 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1213
1214         Heap variables shouldn't end up in the stack frame
1215         https://bugs.webkit.org/show_bug.cgi?id=141174
1216
1217         Reviewed by Geoffrey Garen.
1218         
1219         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
1220         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
1221         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
1222         simplifications:
1223         
1224         - Accesses to variables no longer need checks or indirections to determine where the variable is
1225           at that moment in time. For example, loading a closure variable now takes just one load instead
1226           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
1227           (when no arguments object allocation is required) while previously that same operation required
1228           a "did I allocate arguments yet" check, a bounds check, and then the load.
1229         
1230         - Reasoning about the allocation of an activation or arguments object now follows the same simple
1231           logic as the allocation of any other kind of object. Previously, those objects were lazily
1232           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
1233           allocate anything at all. This made the implementation of traditional escape analyses really
1234           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
1235           arguments object using the usual SSA tricks which allows for more comprehensive removal.
1236         
1237         - The allocations of arguments objects, functions, and activations are now much faster. While
1238           this patch generally expands our ability to eliminate arguments object allocations, an earlier
1239           version of the patch - which lacked that functionality - was a progression on some arguments-
1240           and closure-happy benchmarks because although no allocations were eliminated, all allocations
1241           were faster.
1242         
1243         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
1244           its arguments objects or activations. The runtime doesn't have to do things to the arguments
1245           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
1246           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
1247           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
1248           now gone. This also enables implementing block-scoping. Without this change, block-scope
1249           support would require telling CodeBlock and all of the rest of the runtime about all of the
1250           variables that store currently-live scopes. That would have been so disastrously hard that it
1251           might as well be impossible. With this change, it's fair game for the bytecode generator to
1252           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
1253           however long it wants. This all works, because after bytecode generation, an activation is just
1254           an object and variables that refer to it are just normal variables.
1255         
1256         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
1257           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
1258           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
1259           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
1260           an arguments object.
1261         
1262         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
1263           using activations used to prevent inlining; now functions that use activations can be inlined
1264           just fine.
1265         
1266         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
1267         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
1268         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
1269         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
1270         
1271         The easiest way of understanding this change is to start by looking at the changes in runtime/,
1272         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
1273
1274         * CMakeLists.txt:
1275         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1276         * JavaScriptCore.xcodeproj/project.pbxproj:
1277         * assembler/AbortReason.h:
1278         * assembler/AbstractMacroAssembler.h:
1279         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
1280         * bytecode/ByValInfo.h:
1281         (JSC::hasOptimizableIndexingForJSType):
1282         (JSC::hasOptimizableIndexing):
1283         (JSC::jitArrayModeForJSType):
1284         (JSC::jitArrayModePermitsPut):
1285         (JSC::jitArrayModeForStructure):
1286         * bytecode/BytecodeKills.h: Added.
1287         (JSC::BytecodeKills::BytecodeKills):
1288         (JSC::BytecodeKills::operandIsKilled):
1289         (JSC::BytecodeKills::forEachOperandKilledAt):
1290         (JSC::BytecodeKills::KillSet::KillSet):
1291         (JSC::BytecodeKills::KillSet::add):
1292         (JSC::BytecodeKills::KillSet::forEachLocal):
1293         (JSC::BytecodeKills::KillSet::contains):
1294         * bytecode/BytecodeList.json:
1295         * bytecode/BytecodeLivenessAnalysis.cpp:
1296         (JSC::isValidRegisterForLiveness):
1297         (JSC::stepOverInstruction):
1298         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
1299         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1300         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
1301         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1302         (JSC::BytecodeLivenessAnalysis::computeKills):
1303         (JSC::indexForOperand): Deleted.
1304         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
1305         (JSC::getLivenessInfo): Deleted.
1306         * bytecode/BytecodeLivenessAnalysis.h:
1307         * bytecode/BytecodeLivenessAnalysisInlines.h:
1308         (JSC::operandIsAlwaysLive):
1309         (JSC::operandThatIsNotAlwaysLiveIsLive):
1310         (JSC::operandIsLive):
1311         * bytecode/BytecodeUseDef.h:
1312         (JSC::computeUsesForBytecodeOffset):
1313         (JSC::computeDefsForBytecodeOffset):
1314         * bytecode/CodeBlock.cpp:
1315         (JSC::CodeBlock::dumpBytecode):
1316         (JSC::CodeBlock::CodeBlock):
1317         (JSC::CodeBlock::nameForRegister):
1318         (JSC::CodeBlock::validate):
1319         (JSC::CodeBlock::isCaptured): Deleted.
1320         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
1321         (JSC::CodeBlock::machineSlowArguments): Deleted.
1322         * bytecode/CodeBlock.h:
1323         (JSC::unmodifiedArgumentsRegister): Deleted.
1324         (JSC::CodeBlock::setArgumentsRegister): Deleted.
1325         (JSC::CodeBlock::argumentsRegister): Deleted.
1326         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
1327         (JSC::CodeBlock::usesArguments): Deleted.
1328         (JSC::CodeBlock::captureCount): Deleted.
1329         (JSC::CodeBlock::captureStart): Deleted.
1330         (JSC::CodeBlock::captureEnd): Deleted.
1331         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
1332         (JSC::CodeBlock::hasSlowArguments): Deleted.
1333         (JSC::ExecState::argumentAfterCapture): Deleted.
1334         * bytecode/CodeOrigin.h:
1335         * bytecode/DataFormat.h:
1336         (JSC::dataFormatToString):
1337         * bytecode/FullBytecodeLiveness.h:
1338         (JSC::FullBytecodeLiveness::getLiveness):
1339         (JSC::FullBytecodeLiveness::operandIsLive):
1340         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
1341         (JSC::FullBytecodeLiveness::getOut): Deleted.
1342         * bytecode/Instruction.h:
1343         (JSC::Instruction::Instruction):
1344         * bytecode/Operands.h:
1345         (JSC::Operands::virtualRegisterForIndex):
1346         * bytecode/SpeculatedType.cpp:
1347         (JSC::dumpSpeculation):
1348         (JSC::speculationToAbbreviatedString):
1349         (JSC::speculationFromClassInfo):
1350         * bytecode/SpeculatedType.h:
1351         (JSC::isDirectArgumentsSpeculation):
1352         (JSC::isScopedArgumentsSpeculation):
1353         (JSC::isActionableMutableArraySpeculation):
1354         (JSC::isActionableArraySpeculation):
1355         (JSC::isArgumentsSpeculation): Deleted.
1356         * bytecode/UnlinkedCodeBlock.cpp:
1357         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1358         * bytecode/UnlinkedCodeBlock.h:
1359         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
1360         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
1361         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
1362         * bytecode/ValueRecovery.cpp:
1363         (JSC::ValueRecovery::dumpInContext):
1364         * bytecode/ValueRecovery.h:
1365         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
1366         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
1367         (JSC::ValueRecovery::nodeID):
1368         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
1369         * bytecode/VirtualRegister.h:
1370         (JSC::VirtualRegister::operator==):
1371         (JSC::VirtualRegister::operator!=):
1372         (JSC::VirtualRegister::operator<):
1373         (JSC::VirtualRegister::operator>):
1374         (JSC::VirtualRegister::operator<=):
1375         (JSC::VirtualRegister::operator>=):
1376         * bytecompiler/BytecodeGenerator.cpp:
1377         (JSC::BytecodeGenerator::generate):
1378         (JSC::BytecodeGenerator::BytecodeGenerator):
1379         (JSC::BytecodeGenerator::initializeNextParameter):
1380         (JSC::BytecodeGenerator::visibleNameForParameter):
1381         (JSC::BytecodeGenerator::emitMove):
1382         (JSC::BytecodeGenerator::variable):
1383         (JSC::BytecodeGenerator::createVariable):
1384         (JSC::BytecodeGenerator::emitResolveScope):
1385         (JSC::BytecodeGenerator::emitGetFromScope):
1386         (JSC::BytecodeGenerator::emitPutToScope):
1387         (JSC::BytecodeGenerator::initializeVariable):
1388         (JSC::BytecodeGenerator::emitInstanceOf):
1389         (JSC::BytecodeGenerator::emitNewFunction):
1390         (JSC::BytecodeGenerator::emitNewFunctionInternal):
1391         (JSC::BytecodeGenerator::emitCall):
1392         (JSC::BytecodeGenerator::emitReturn):
1393         (JSC::BytecodeGenerator::emitConstruct):
1394         (JSC::BytecodeGenerator::isArgumentNumber):
1395         (JSC::BytecodeGenerator::emitEnumeration):
1396         (JSC::BytecodeGenerator::addVar): Deleted.
1397         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
1398         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
1399         (JSC::BytecodeGenerator::resolveCallee): Deleted.
1400         (JSC::BytecodeGenerator::addCallee): Deleted.
1401         (JSC::BytecodeGenerator::addParameter): Deleted.
1402         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
1403         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
1404         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
1405         (JSC::BytecodeGenerator::isCaptured): Deleted.
1406         (JSC::BytecodeGenerator::local): Deleted.
1407         (JSC::BytecodeGenerator::constLocal): Deleted.
1408         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
1409         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
1410         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
1411         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
1412         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
1413         * bytecompiler/BytecodeGenerator.h:
1414         (JSC::Variable::Variable):
1415         (JSC::Variable::isResolved):
1416         (JSC::Variable::ident):
1417         (JSC::Variable::offset):
1418         (JSC::Variable::isLocal):
1419         (JSC::Variable::local):
1420         (JSC::Variable::isSpecial):
1421         (JSC::BytecodeGenerator::argumentsRegister):
1422         (JSC::BytecodeGenerator::emitNode):
1423         (JSC::BytecodeGenerator::registerFor):
1424         (JSC::Local::Local): Deleted.
1425         (JSC::Local::operator bool): Deleted.
1426         (JSC::Local::get): Deleted.
1427         (JSC::Local::isSpecial): Deleted.
1428         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
1429         (JSC::ResolveScopeInfo::isLocal): Deleted.
1430         (JSC::ResolveScopeInfo::localIndex): Deleted.
1431         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
1432         (JSC::BytecodeGenerator::captureMode): Deleted.
1433         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
1434         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
1435         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
1436         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
1437         * bytecompiler/NodesCodegen.cpp:
1438         (JSC::ResolveNode::isPure):
1439         (JSC::ResolveNode::emitBytecode):
1440         (JSC::BracketAccessorNode::emitBytecode):
1441         (JSC::DotAccessorNode::emitBytecode):
1442         (JSC::EvalFunctionCallNode::emitBytecode):
1443         (JSC::FunctionCallResolveNode::emitBytecode):
1444         (JSC::CallFunctionCallDotNode::emitBytecode):
1445         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1446         (JSC::PostfixNode::emitResolve):
1447         (JSC::DeleteResolveNode::emitBytecode):
1448         (JSC::TypeOfResolveNode::emitBytecode):
1449         (JSC::PrefixNode::emitResolve):
1450         (JSC::ReadModifyResolveNode::emitBytecode):
1451         (JSC::AssignResolveNode::emitBytecode):
1452         (JSC::ConstDeclNode::emitCodeSingle):
1453         (JSC::EmptyVarExpression::emitBytecode):
1454         (JSC::ForInNode::tryGetBoundLocal):
1455         (JSC::ForInNode::emitLoopHeader):
1456         (JSC::ForOfNode::emitBytecode):
1457         (JSC::ArrayPatternNode::emitDirectBinding):
1458         (JSC::BindingNode::bindValue):
1459         (JSC::getArgumentByVal): Deleted.
1460         * dfg/DFGAbstractHeap.h:
1461         * dfg/DFGAbstractInterpreter.h:
1462         * dfg/DFGAbstractInterpreterInlines.h:
1463         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1464         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
1465         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
1466         * dfg/DFGAbstractValue.h:
1467         * dfg/DFGArgumentPosition.h:
1468         (JSC::DFG::ArgumentPosition::addVariable):
1469         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
1470         (JSC::DFG::performArgumentsElimination):
1471         * dfg/DFGArgumentsEliminationPhase.h: Added.
1472         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
1473         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
1474         * dfg/DFGArgumentsUtilities.cpp: Added.
1475         (JSC::DFG::argumentsInvolveStackSlot):
1476         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1477         * dfg/DFGArgumentsUtilities.h: Added.
1478         * dfg/DFGArrayMode.cpp:
1479         (JSC::DFG::ArrayMode::refine):
1480         (JSC::DFG::ArrayMode::alreadyChecked):
1481         (JSC::DFG::arrayTypeToString):
1482         * dfg/DFGArrayMode.h:
1483         (JSC::DFG::ArrayMode::canCSEStorage):
1484         (JSC::DFG::ArrayMode::modeForPut):
1485         * dfg/DFGAvailabilityMap.cpp:
1486         (JSC::DFG::AvailabilityMap::prune):
1487         * dfg/DFGAvailabilityMap.h:
1488         (JSC::DFG::AvailabilityMap::closeOverNodes):
1489         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
1490         * dfg/DFGBackwardsPropagationPhase.cpp:
1491         (JSC::DFG::BackwardsPropagationPhase::propagate):
1492         * dfg/DFGByteCodeParser.cpp:
1493         (JSC::DFG::ByteCodeParser::newVariableAccessData):
1494         (JSC::DFG::ByteCodeParser::getLocal):
1495         (JSC::DFG::ByteCodeParser::setLocal):
1496         (JSC::DFG::ByteCodeParser::getArgument):
1497         (JSC::DFG::ByteCodeParser::setArgument):
1498         (JSC::DFG::ByteCodeParser::flushDirect):
1499         (JSC::DFG::ByteCodeParser::flush):
1500         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
1501         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1502         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1503         (JSC::DFG::ByteCodeParser::handleInlining):
1504         (JSC::DFG::ByteCodeParser::parseBlock):
1505         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1506         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1507         * dfg/DFGCPSRethreadingPhase.cpp:
1508         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1509         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1510         * dfg/DFGCSEPhase.cpp:
1511         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
1512         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
1513         * dfg/DFGCapabilities.cpp:
1514         (JSC::DFG::isSupportedForInlining):
1515         (JSC::DFG::capabilityLevel):
1516         * dfg/DFGClobberize.h:
1517         (JSC::DFG::clobberize):
1518         * dfg/DFGCommon.h:
1519         * dfg/DFGCommonData.h:
1520         (JSC::DFG::CommonData::CommonData):
1521         * dfg/DFGConstantFoldingPhase.cpp:
1522         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1523         * dfg/DFGDCEPhase.cpp:
1524         (JSC::DFG::DCEPhase::cleanVariables):
1525         * dfg/DFGDisassembler.h:
1526         * dfg/DFGDoesGC.cpp:
1527         (JSC::DFG::doesGC):
1528         * dfg/DFGFixupPhase.cpp:
1529         (JSC::DFG::FixupPhase::fixupNode):
1530         * dfg/DFGFlushFormat.cpp:
1531         (WTF::printInternal):
1532         * dfg/DFGFlushFormat.h:
1533         (JSC::DFG::resultFor):
1534         (JSC::DFG::useKindFor):
1535         (JSC::DFG::dataFormatFor):
1536         * dfg/DFGForAllKills.h: Added.
1537         (JSC::DFG::forAllLiveNodesAtTail):
1538         (JSC::DFG::forAllDirectlyKilledOperands):
1539         (JSC::DFG::forAllKilledOperands):
1540         (JSC::DFG::forAllKilledNodesAtNodeIndex):
1541         (JSC::DFG::forAllKillsInBlock):
1542         * dfg/DFGGraph.cpp:
1543         (JSC::DFG::Graph::Graph):
1544         (JSC::DFG::Graph::dump):
1545         (JSC::DFG::Graph::substituteGetLocal):
1546         (JSC::DFG::Graph::livenessFor):
1547         (JSC::DFG::Graph::killsFor):
1548         (JSC::DFG::Graph::tryGetConstantClosureVar):
1549         (JSC::DFG::Graph::tryGetRegisters): Deleted.
1550         * dfg/DFGGraph.h:
1551         (JSC::DFG::Graph::symbolTableFor):
1552         (JSC::DFG::Graph::uses):
1553         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
1554         (JSC::DFG::Graph::capturedVarsFor): Deleted.
1555         (JSC::DFG::Graph::usesArguments): Deleted.
1556         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
1557         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
1558         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
1559         * dfg/DFGHeapLocation.cpp:
1560         (WTF::printInternal):
1561         * dfg/DFGHeapLocation.h:
1562         * dfg/DFGInPlaceAbstractState.cpp:
1563         (JSC::DFG::InPlaceAbstractState::initialize):
1564         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1565         * dfg/DFGJITCompiler.cpp:
1566         (JSC::DFG::JITCompiler::link):
1567         * dfg/DFGMayExit.cpp:
1568         (JSC::DFG::mayExit):
1569         * dfg/DFGMinifiedID.h:
1570         * dfg/DFGMinifiedNode.cpp:
1571         (JSC::DFG::MinifiedNode::fromNode):
1572         * dfg/DFGMinifiedNode.h:
1573         (JSC::DFG::belongsInMinifiedGraph):
1574         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
1575         (JSC::DFG::MinifiedNode::inlineCallFrame):
1576         * dfg/DFGNode.cpp:
1577         (JSC::DFG::Node::convertToIdentityOn):
1578         * dfg/DFGNode.h:
1579         (JSC::DFG::Node::hasConstant):
1580         (JSC::DFG::Node::constant):
1581         (JSC::DFG::Node::hasScopeOffset):
1582         (JSC::DFG::Node::scopeOffset):
1583         (JSC::DFG::Node::hasDirectArgumentsOffset):
1584         (JSC::DFG::Node::capturedArgumentsOffset):
1585         (JSC::DFG::Node::variablePointer):
1586         (JSC::DFG::Node::hasCallVarargsData):
1587         (JSC::DFG::Node::hasLoadVarargsData):
1588         (JSC::DFG::Node::hasHeapPrediction):
1589         (JSC::DFG::Node::hasCellOperand):
1590         (JSC::DFG::Node::objectMaterializationData):
1591         (JSC::DFG::Node::isPhantomAllocation):
1592         (JSC::DFG::Node::willHaveCodeGenOrOSR):
1593         (JSC::DFG::Node::shouldSpeculateDirectArguments):
1594         (JSC::DFG::Node::shouldSpeculateScopedArguments):
1595         (JSC::DFG::Node::isPhantomArguments): Deleted.
1596         (JSC::DFG::Node::hasVarNumber): Deleted.
1597         (JSC::DFG::Node::varNumber): Deleted.
1598         (JSC::DFG::Node::registerPointer): Deleted.
1599         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
1600         * dfg/DFGNodeType.h:
1601         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1602         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1603         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1604         * dfg/DFGOSRExitCompiler.cpp:
1605         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
1606         * dfg/DFGOSRExitCompiler.h:
1607         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
1608         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
1609         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
1610         * dfg/DFGOSRExitCompiler32_64.cpp:
1611         (JSC::DFG::OSRExitCompiler::compileExit):
1612         * dfg/DFGOSRExitCompiler64.cpp:
1613         (JSC::DFG::OSRExitCompiler::compileExit):
1614         * dfg/DFGOSRExitCompilerCommon.cpp:
1615         (JSC::DFG::reifyInlinedCallFrames):
1616         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
1617         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
1618         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
1619         * dfg/DFGOSRExitCompilerCommon.h:
1620         * dfg/DFGOperations.cpp:
1621         * dfg/DFGOperations.h:
1622         * dfg/DFGPlan.cpp:
1623         (JSC::DFG::Plan::compileInThreadImpl):
1624         * dfg/DFGPreciseLocalClobberize.h:
1625         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
1626         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
1627         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
1628         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1629         (JSC::DFG::preciseLocalClobberize):
1630         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
1631         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
1632         * dfg/DFGPredictionPropagationPhase.cpp:
1633         (JSC::DFG::PredictionPropagationPhase::run):
1634         (JSC::DFG::PredictionPropagationPhase::propagate):
1635         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1636         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
1637         * dfg/DFGPromoteHeapAccess.h:
1638         (JSC::DFG::promoteHeapAccess):
1639         * dfg/DFGPromotedHeapLocation.cpp:
1640         (WTF::printInternal):
1641         * dfg/DFGPromotedHeapLocation.h:
1642         * dfg/DFGSSAConversionPhase.cpp:
1643         (JSC::DFG::SSAConversionPhase::run):
1644         * dfg/DFGSafeToExecute.h:
1645         (JSC::DFG::safeToExecute):
1646         * dfg/DFGSpeculativeJIT.cpp:
1647         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1648         (JSC::DFG::SpeculativeJIT::emitGetLength):
1649         (JSC::DFG::SpeculativeJIT::emitGetCallee):
1650         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
1651         (JSC::DFG::SpeculativeJIT::checkArray):
1652         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1653         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1654         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1655         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1656         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
1657         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1658         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1659         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
1660         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
1661         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1662         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1663         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
1664         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
1665         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
1666         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
1667         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
1668         * dfg/DFGSpeculativeJIT.h:
1669         (JSC::DFG::SpeculativeJIT::callOperation):
1670         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1671         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1672         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
1673         * dfg/DFGSpeculativeJIT32_64.cpp:
1674         (JSC::DFG::SpeculativeJIT::emitCall):
1675         (JSC::DFG::SpeculativeJIT::compile):
1676         * dfg/DFGSpeculativeJIT64.cpp:
1677         (JSC::DFG::SpeculativeJIT::emitCall):
1678         (JSC::DFG::SpeculativeJIT::compile):
1679         * dfg/DFGStackLayoutPhase.cpp:
1680         (JSC::DFG::StackLayoutPhase::run):
1681         * dfg/DFGStrengthReductionPhase.cpp:
1682         (JSC::DFG::StrengthReductionPhase::handleNode):
1683         * dfg/DFGStructureRegistrationPhase.cpp:
1684         (JSC::DFG::StructureRegistrationPhase::run):
1685         * dfg/DFGUnificationPhase.cpp:
1686         (JSC::DFG::UnificationPhase::run):
1687         * dfg/DFGValidate.cpp:
1688         (JSC::DFG::Validate::validateCPS):
1689         * dfg/DFGValueSource.cpp:
1690         (JSC::DFG::ValueSource::dump):
1691         * dfg/DFGValueSource.h:
1692         (JSC::DFG::dataFormatToValueSourceKind):
1693         (JSC::DFG::valueSourceKindToDataFormat):
1694         (JSC::DFG::ValueSource::ValueSource):
1695         (JSC::DFG::ValueSource::forFlushFormat):
1696         (JSC::DFG::ValueSource::valueRecovery):
1697         * dfg/DFGVarargsForwardingPhase.cpp: Added.
1698         (JSC::DFG::performVarargsForwarding):
1699         * dfg/DFGVarargsForwardingPhase.h: Added.
1700         * dfg/DFGVariableAccessData.cpp:
1701         (JSC::DFG::VariableAccessData::VariableAccessData):
1702         (JSC::DFG::VariableAccessData::flushFormat):
1703         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1704         * dfg/DFGVariableAccessData.h:
1705         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
1706         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
1707         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
1708         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
1709         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
1710         * dfg/DFGVariableAccessDataDump.cpp:
1711         (JSC::DFG::VariableAccessDataDump::dump):
1712         * dfg/DFGVariableAccessDataDump.h:
1713         * dfg/DFGVariableEventStream.cpp:
1714         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
1715         * dfg/DFGVariableEventStream.h:
1716         * ftl/FTLAbstractHeap.cpp:
1717         (JSC::FTL::AbstractHeap::dump):
1718         (JSC::FTL::AbstractField::dump):
1719         (JSC::FTL::IndexedAbstractHeap::dump):
1720         (JSC::FTL::NumberedAbstractHeap::dump):
1721         (JSC::FTL::AbsoluteAbstractHeap::dump):
1722         * ftl/FTLAbstractHeap.h:
1723         * ftl/FTLAbstractHeapRepository.cpp:
1724         * ftl/FTLAbstractHeapRepository.h:
1725         * ftl/FTLCapabilities.cpp:
1726         (JSC::FTL::canCompile):
1727         * ftl/FTLCompile.cpp:
1728         (JSC::FTL::mmAllocateDataSection):
1729         * ftl/FTLExitArgument.cpp:
1730         (JSC::FTL::ExitArgument::dump):
1731         * ftl/FTLExitPropertyValue.cpp:
1732         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
1733         * ftl/FTLExitPropertyValue.h:
1734         * ftl/FTLExitTimeObjectMaterialization.cpp:
1735         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
1736         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
1737         * ftl/FTLExitTimeObjectMaterialization.h:
1738         (JSC::FTL::ExitTimeObjectMaterialization::origin):
1739         * ftl/FTLExitValue.cpp:
1740         (JSC::FTL::ExitValue::withLocalsOffset):
1741         (JSC::FTL::ExitValue::valueFormat):
1742         (JSC::FTL::ExitValue::dumpInContext):
1743         * ftl/FTLExitValue.h:
1744         (JSC::FTL::ExitValue::isArgument):
1745         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
1746         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
1747         (JSC::FTL::ExitValue::valueFormat): Deleted.
1748         * ftl/FTLInlineCacheSize.cpp:
1749         (JSC::FTL::sizeOfCallForwardVarargs):
1750         (JSC::FTL::sizeOfConstructForwardVarargs):
1751         (JSC::FTL::sizeOfICFor):
1752         * ftl/FTLInlineCacheSize.h:
1753         * ftl/FTLIntrinsicRepository.h:
1754         * ftl/FTLJSCallVarargs.cpp:
1755         (JSC::FTL::JSCallVarargs::JSCallVarargs):
1756         (JSC::FTL::JSCallVarargs::emit):
1757         * ftl/FTLJSCallVarargs.h:
1758         * ftl/FTLLowerDFGToLLVM.cpp:
1759         (JSC::FTL::LowerDFGToLLVM::lower):
1760         (JSC::FTL::LowerDFGToLLVM::compileNode):
1761         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
1762         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1763         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1764         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1765         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1766         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1767         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1768         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
1769         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
1770         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
1771         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
1772         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
1773         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
1774         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
1775         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
1776         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
1777         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
1778         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
1779         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
1780         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
1781         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
1782         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1783         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
1784         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
1785         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
1786         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
1787         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
1788         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
1789         (JSC::FTL::LowerDFGToLLVM::baseIndex):
1790         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1791         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
1792         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1793         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1794         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1795         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1796         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1797         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1798         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
1799         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
1800         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
1801         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
1802         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
1803         * ftl/FTLOSRExitCompiler.cpp:
1804         (JSC::FTL::compileRecovery):
1805         (JSC::FTL::compileStub):
1806         * ftl/FTLOperations.cpp:
1807         (JSC::FTL::operationMaterializeObjectInOSR):
1808         * ftl/FTLOutput.h:
1809         (JSC::FTL::Output::aShr):
1810         (JSC::FTL::Output::lShr):
1811         (JSC::FTL::Output::zeroExtPtr):
1812         * heap/CopyToken.h:
1813         * interpreter/CallFrame.h:
1814         (JSC::ExecState::getArgumentUnsafe):
1815         * interpreter/Interpreter.cpp:
1816         (JSC::sizeOfVarargs):
1817         (JSC::sizeFrameForVarargs):
1818         (JSC::loadVarargs):
1819         (JSC::unwindCallFrame):
1820         * interpreter/Interpreter.h:
1821         * interpreter/StackVisitor.cpp:
1822         (JSC::StackVisitor::Frame::createArguments):
1823         (JSC::StackVisitor::Frame::existingArguments): Deleted.
1824         * interpreter/StackVisitor.h:
1825         * jit/AssemblyHelpers.h:
1826         (JSC::AssemblyHelpers::storeValue):
1827         (JSC::AssemblyHelpers::loadValue):
1828         (JSC::AssemblyHelpers::storeTrustedValue):
1829         (JSC::AssemblyHelpers::branchIfNotCell):
1830         (JSC::AssemblyHelpers::branchIsEmpty):
1831         (JSC::AssemblyHelpers::argumentsStart):
1832         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
1833         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
1834         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
1835         * jit/CCallHelpers.h:
1836         (JSC::CCallHelpers::setupArgument):
1837         * jit/GPRInfo.h:
1838         (JSC::JSValueRegs::withTwoAvailableRegs):
1839         * jit/JIT.cpp:
1840         (JSC::JIT::privateCompileMainPass):
1841         (JSC::JIT::privateCompileSlowCases):
1842         * jit/JIT.h:
1843         * jit/JITCall.cpp:
1844         (JSC::JIT::compileSetupVarargsFrame):
1845         * jit/JITCall32_64.cpp:
1846         (JSC::JIT::compileSetupVarargsFrame):
1847         * jit/JITInlines.h:
1848         (JSC::JIT::callOperation):
1849         * jit/JITOpcodes.cpp:
1850         (JSC::JIT::emit_op_create_lexical_environment):
1851         (JSC::JIT::emit_op_new_func):
1852         (JSC::JIT::emit_op_create_direct_arguments):
1853         (JSC::JIT::emit_op_create_scoped_arguments):
1854         (JSC::JIT::emit_op_create_out_of_band_arguments):
1855         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1856         (JSC::JIT::emit_op_create_arguments): Deleted.
1857         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1858         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1859         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1860         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1861         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1862         * jit/JITOpcodes32_64.cpp:
1863         (JSC::JIT::emit_op_create_lexical_environment):
1864         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1865         (JSC::JIT::emit_op_create_arguments): Deleted.
1866         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1867         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1868         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1869         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1870         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1871         * jit/JITOperations.cpp:
1872         * jit/JITOperations.h:
1873         * jit/JITPropertyAccess.cpp:
1874         (JSC::JIT::emitGetClosureVar):
1875         (JSC::JIT::emitPutClosureVar):
1876         (JSC::JIT::emit_op_get_from_arguments):
1877         (JSC::JIT::emit_op_put_to_arguments):
1878         (JSC::JIT::emit_op_init_global_const):
1879         (JSC::JIT::privateCompileGetByVal):
1880         (JSC::JIT::emitDirectArgumentsGetByVal):
1881         (JSC::JIT::emitScopedArgumentsGetByVal):
1882         * jit/JITPropertyAccess32_64.cpp:
1883         (JSC::JIT::emitGetClosureVar):
1884         (JSC::JIT::emitPutClosureVar):
1885         (JSC::JIT::emit_op_get_from_arguments):
1886         (JSC::JIT::emit_op_put_to_arguments):
1887         (JSC::JIT::emit_op_init_global_const):
1888         * jit/SetupVarargsFrame.cpp:
1889         (JSC::emitSetupVarargsFrameFastCase):
1890         * llint/LLIntOffsetsExtractor.cpp:
1891         * llint/LLIntSlowPaths.cpp:
1892         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1893         * llint/LowLevelInterpreter.asm:
1894         * llint/LowLevelInterpreter32_64.asm:
1895         * llint/LowLevelInterpreter64.asm:
1896         * parser/Nodes.h:
1897         (JSC::ScopeNode::captures):
1898         * runtime/Arguments.cpp: Removed.
1899         * runtime/Arguments.h: Removed.
1900         * runtime/ArgumentsMode.h: Added.
1901         * runtime/DirectArgumentsOffset.cpp: Added.
1902         (JSC::DirectArgumentsOffset::dump):
1903         * runtime/DirectArgumentsOffset.h: Added.
1904         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
1905         * runtime/CommonSlowPaths.cpp:
1906         (JSC::SLOW_PATH_DECL):
1907         * runtime/CommonSlowPaths.h:
1908         * runtime/ConstantMode.cpp: Added.
1909         (WTF::printInternal):
1910         * runtime/ConstantMode.h:
1911         (JSC::modeForIsConstant):
1912         * runtime/DirectArguments.cpp: Added.
1913         (JSC::DirectArguments::DirectArguments):
1914         (JSC::DirectArguments::createUninitialized):
1915         (JSC::DirectArguments::create):
1916         (JSC::DirectArguments::createByCopying):
1917         (JSC::DirectArguments::visitChildren):
1918         (JSC::DirectArguments::copyBackingStore):
1919         (JSC::DirectArguments::createStructure):
1920         (JSC::DirectArguments::overrideThings):
1921         (JSC::DirectArguments::overrideThingsIfNecessary):
1922         (JSC::DirectArguments::overrideArgument):
1923         (JSC::DirectArguments::copyToArguments):
1924         (JSC::DirectArguments::overridesSize):
1925         * runtime/DirectArguments.h: Added.
1926         (JSC::DirectArguments::internalLength):
1927         (JSC::DirectArguments::length):
1928         (JSC::DirectArguments::canAccessIndexQuickly):
1929         (JSC::DirectArguments::getIndexQuickly):
1930         (JSC::DirectArguments::setIndexQuickly):
1931         (JSC::DirectArguments::callee):
1932         (JSC::DirectArguments::argument):
1933         (JSC::DirectArguments::overrodeThings):
1934         (JSC::DirectArguments::offsetOfCallee):
1935         (JSC::DirectArguments::offsetOfLength):
1936         (JSC::DirectArguments::offsetOfMinCapacity):
1937         (JSC::DirectArguments::offsetOfOverrides):
1938         (JSC::DirectArguments::storageOffset):
1939         (JSC::DirectArguments::offsetOfSlot):
1940         (JSC::DirectArguments::allocationSize):
1941         (JSC::DirectArguments::storage):
1942         * runtime/FunctionPrototype.cpp:
1943         * runtime/GenericArguments.h: Added.
1944         (JSC::GenericArguments::GenericArguments):
1945         * runtime/GenericArgumentsInlines.h: Added.
1946         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1947         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1948         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1949         (JSC::GenericArguments<Type>::put):
1950         (JSC::GenericArguments<Type>::putByIndex):
1951         (JSC::GenericArguments<Type>::deleteProperty):
1952         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1953         (JSC::GenericArguments<Type>::defineOwnProperty):
1954         (JSC::GenericArguments<Type>::copyToArguments):
1955         * runtime/GenericOffset.h: Added.
1956         (JSC::GenericOffset::GenericOffset):
1957         (JSC::GenericOffset::operator!):
1958         (JSC::GenericOffset::offsetUnchecked):
1959         (JSC::GenericOffset::offset):
1960         (JSC::GenericOffset::operator==):
1961         (JSC::GenericOffset::operator!=):
1962         (JSC::GenericOffset::operator<):
1963         (JSC::GenericOffset::operator>):
1964         (JSC::GenericOffset::operator<=):
1965         (JSC::GenericOffset::operator>=):
1966         (JSC::GenericOffset::operator+):
1967         (JSC::GenericOffset::operator-):
1968         (JSC::GenericOffset::operator+=):
1969         (JSC::GenericOffset::operator-=):
1970         * runtime/JSArgumentsIterator.cpp:
1971         (JSC::JSArgumentsIterator::finishCreation):
1972         (JSC::argumentsFuncIterator):
1973         * runtime/JSArgumentsIterator.h:
1974         (JSC::JSArgumentsIterator::create):
1975         (JSC::JSArgumentsIterator::next):
1976         * runtime/JSEnvironmentRecord.cpp:
1977         (JSC::JSEnvironmentRecord::visitChildren):
1978         * runtime/JSEnvironmentRecord.h:
1979         (JSC::JSEnvironmentRecord::variables):
1980         (JSC::JSEnvironmentRecord::isValid):
1981         (JSC::JSEnvironmentRecord::variableAt):
1982         (JSC::JSEnvironmentRecord::offsetOfVariables):
1983         (JSC::JSEnvironmentRecord::offsetOfVariable):
1984         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
1985         (JSC::JSEnvironmentRecord::allocationSize):
1986         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1987         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
1988         (JSC::JSEnvironmentRecord::finishCreation):
1989         (JSC::JSEnvironmentRecord::registers): Deleted.
1990         (JSC::JSEnvironmentRecord::registerAt): Deleted.
1991         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
1992         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
1993         * runtime/JSFunction.cpp:
1994         * runtime/JSGlobalObject.cpp:
1995         (JSC::JSGlobalObject::init):
1996         (JSC::JSGlobalObject::addGlobalVar):
1997         (JSC::JSGlobalObject::addFunction):
1998         (JSC::JSGlobalObject::visitChildren):
1999         (JSC::JSGlobalObject::addStaticGlobals):
2000         * runtime/JSGlobalObject.h:
2001         (JSC::JSGlobalObject::directArgumentsStructure):
2002         (JSC::JSGlobalObject::scopedArgumentsStructure):
2003         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
2004         (JSC::JSGlobalObject::argumentsStructure): Deleted.
2005         * runtime/JSLexicalEnvironment.cpp:
2006         (JSC::JSLexicalEnvironment::symbolTableGet):
2007         (JSC::JSLexicalEnvironment::symbolTablePut):
2008         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2009         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2010         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
2011         * runtime/JSLexicalEnvironment.h:
2012         (JSC::JSLexicalEnvironment::create):
2013         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2014         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
2015         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
2016         (JSC::JSLexicalEnvironment::storage): Deleted.
2017         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
2018         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
2019         (JSC::JSLexicalEnvironment::isValid): Deleted.
2020         (JSC::JSLexicalEnvironment::registerAt): Deleted.
2021         * runtime/JSNameScope.cpp:
2022         (JSC::JSNameScope::visitChildren): Deleted.
2023         * runtime/JSNameScope.h:
2024         (JSC::JSNameScope::create):
2025         (JSC::JSNameScope::value):
2026         (JSC::JSNameScope::finishCreation):
2027         (JSC::JSNameScope::JSNameScope):
2028         * runtime/JSScope.cpp:
2029         (JSC::abstractAccess):
2030         * runtime/JSSegmentedVariableObject.cpp:
2031         (JSC::JSSegmentedVariableObject::findVariableIndex):
2032         (JSC::JSSegmentedVariableObject::addVariables):
2033         (JSC::JSSegmentedVariableObject::visitChildren):
2034         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
2035         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
2036         * runtime/JSSegmentedVariableObject.h:
2037         (JSC::JSSegmentedVariableObject::variableAt):
2038         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
2039         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
2040         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
2041         * runtime/JSSymbolTableObject.h:
2042         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
2043         (JSC::symbolTableGet):
2044         (JSC::symbolTablePut):
2045         (JSC::symbolTablePutWithAttributes):
2046         * runtime/JSType.h:
2047         * runtime/Options.h:
2048         * runtime/ClonedArguments.cpp: Added.
2049         (JSC::ClonedArguments::ClonedArguments):
2050         (JSC::ClonedArguments::createEmpty):
2051         (JSC::ClonedArguments::createWithInlineFrame):
2052         (JSC::ClonedArguments::createWithMachineFrame):
2053         (JSC::ClonedArguments::createByCopyingFrom):
2054         (JSC::ClonedArguments::createStructure):
2055         (JSC::ClonedArguments::getOwnPropertySlot):
2056         (JSC::ClonedArguments::getOwnPropertyNames):
2057         (JSC::ClonedArguments::put):
2058         (JSC::ClonedArguments::deleteProperty):
2059         (JSC::ClonedArguments::defineOwnProperty):
2060         (JSC::ClonedArguments::materializeSpecials):
2061         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
2062         * runtime/ClonedArguments.h: Added.
2063         (JSC::ClonedArguments::specialsMaterialized):
2064         * runtime/ScopeOffset.cpp: Added.
2065         (JSC::ScopeOffset::dump):
2066         * runtime/ScopeOffset.h: Added.
2067         (JSC::ScopeOffset::ScopeOffset):
2068         * runtime/ScopedArguments.cpp: Added.
2069         (JSC::ScopedArguments::ScopedArguments):
2070         (JSC::ScopedArguments::finishCreation):
2071         (JSC::ScopedArguments::createUninitialized):
2072         (JSC::ScopedArguments::create):
2073         (JSC::ScopedArguments::createByCopying):
2074         (JSC::ScopedArguments::createByCopyingFrom):
2075         (JSC::ScopedArguments::visitChildren):
2076         (JSC::ScopedArguments::createStructure):
2077         (JSC::ScopedArguments::overrideThings):
2078         (JSC::ScopedArguments::overrideThingsIfNecessary):
2079         (JSC::ScopedArguments::overrideArgument):
2080         (JSC::ScopedArguments::copyToArguments):
2081         * runtime/ScopedArguments.h: Added.
2082         (JSC::ScopedArguments::internalLength):
2083         (JSC::ScopedArguments::length):
2084         (JSC::ScopedArguments::canAccessIndexQuickly):
2085         (JSC::ScopedArguments::getIndexQuickly):
2086         (JSC::ScopedArguments::setIndexQuickly):
2087         (JSC::ScopedArguments::callee):
2088         (JSC::ScopedArguments::overrodeThings):
2089         (JSC::ScopedArguments::offsetOfOverrodeThings):
2090         (JSC::ScopedArguments::offsetOfTotalLength):
2091         (JSC::ScopedArguments::offsetOfTable):
2092         (JSC::ScopedArguments::offsetOfScope):
2093         (JSC::ScopedArguments::overflowStorageOffset):
2094         (JSC::ScopedArguments::allocationSize):
2095         (JSC::ScopedArguments::overflowStorage):
2096         * runtime/ScopedArgumentsTable.cpp: Added.
2097         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
2098         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
2099         (JSC::ScopedArgumentsTable::destroy):
2100         (JSC::ScopedArgumentsTable::create):
2101         (JSC::ScopedArgumentsTable::clone):
2102         (JSC::ScopedArgumentsTable::setLength):
2103         (JSC::ScopedArgumentsTable::set):
2104         (JSC::ScopedArgumentsTable::createStructure):
2105         * runtime/ScopedArgumentsTable.h: Added.
2106         (JSC::ScopedArgumentsTable::length):
2107         (JSC::ScopedArgumentsTable::get):
2108         (JSC::ScopedArgumentsTable::lock):
2109         (JSC::ScopedArgumentsTable::offsetOfLength):
2110         (JSC::ScopedArgumentsTable::offsetOfArguments):
2111         (JSC::ScopedArgumentsTable::at):
2112         * runtime/SymbolTable.cpp:
2113         (JSC::SymbolTableEntry::prepareToWatch):
2114         (JSC::SymbolTable::SymbolTable):
2115         (JSC::SymbolTable::visitChildren):
2116         (JSC::SymbolTable::localToEntry):
2117         (JSC::SymbolTable::entryFor):
2118         (JSC::SymbolTable::cloneScopePart):
2119         (JSC::SymbolTable::prepareForTypeProfiling):
2120         (JSC::SymbolTable::uniqueIDForOffset):
2121         (JSC::SymbolTable::globalTypeSetForOffset):
2122         (JSC::SymbolTable::cloneCapturedNames): Deleted.
2123         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
2124         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
2125         * runtime/SymbolTable.h:
2126         (JSC::SymbolTableEntry::varOffsetFromBits):
2127         (JSC::SymbolTableEntry::scopeOffsetFromBits):
2128         (JSC::SymbolTableEntry::Fast::varOffset):
2129         (JSC::SymbolTableEntry::Fast::scopeOffset):
2130         (JSC::SymbolTableEntry::Fast::isDontEnum):
2131         (JSC::SymbolTableEntry::Fast::getAttributes):
2132         (JSC::SymbolTableEntry::SymbolTableEntry):
2133         (JSC::SymbolTableEntry::varOffset):
2134         (JSC::SymbolTableEntry::isWatchable):
2135         (JSC::SymbolTableEntry::scopeOffset):
2136         (JSC::SymbolTableEntry::setAttributes):
2137         (JSC::SymbolTableEntry::constantMode):
2138         (JSC::SymbolTableEntry::isDontEnum):
2139         (JSC::SymbolTableEntry::disableWatching):
2140         (JSC::SymbolTableEntry::pack):
2141         (JSC::SymbolTableEntry::isValidVarOffset):
2142         (JSC::SymbolTable::createNameScopeTable):
2143         (JSC::SymbolTable::maxScopeOffset):
2144         (JSC::SymbolTable::didUseScopeOffset):
2145         (JSC::SymbolTable::didUseVarOffset):
2146         (JSC::SymbolTable::scopeSize):
2147         (JSC::SymbolTable::nextScopeOffset):
2148         (JSC::SymbolTable::takeNextScopeOffset):
2149         (JSC::SymbolTable::add):
2150         (JSC::SymbolTable::set):
2151         (JSC::SymbolTable::argumentsLength):
2152         (JSC::SymbolTable::setArgumentsLength):
2153         (JSC::SymbolTable::argumentOffset):
2154         (JSC::SymbolTable::setArgumentOffset):
2155         (JSC::SymbolTable::arguments):
2156         (JSC::SlowArgument::SlowArgument): Deleted.
2157         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
2158         (JSC::SymbolTableEntry::getIndex): Deleted.
2159         (JSC::SymbolTableEntry::isValidIndex): Deleted.
2160         (JSC::SymbolTable::captureStart): Deleted.
2161         (JSC::SymbolTable::setCaptureStart): Deleted.
2162         (JSC::SymbolTable::captureEnd): Deleted.
2163         (JSC::SymbolTable::setCaptureEnd): Deleted.
2164         (JSC::SymbolTable::captureCount): Deleted.
2165         (JSC::SymbolTable::isCaptured): Deleted.
2166         (JSC::SymbolTable::parameterCount): Deleted.
2167         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
2168         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
2169         (JSC::SymbolTable::slowArguments): Deleted.
2170         (JSC::SymbolTable::setSlowArguments): Deleted.
2171         * runtime/VM.cpp:
2172         (JSC::VM::VM):
2173         * runtime/VM.h:
2174         * runtime/VarOffset.cpp: Added.
2175         (JSC::VarOffset::dump):
2176         (WTF::printInternal):
2177         * runtime/VarOffset.h: Added.
2178         (JSC::VarOffset::VarOffset):
2179         (JSC::VarOffset::assemble):
2180         (JSC::VarOffset::isValid):
2181         (JSC::VarOffset::operator!):
2182         (JSC::VarOffset::kind):
2183         (JSC::VarOffset::isStack):
2184         (JSC::VarOffset::isScope):
2185         (JSC::VarOffset::isDirectArgument):
2186         (JSC::VarOffset::stackOffsetUnchecked):
2187         (JSC::VarOffset::scopeOffsetUnchecked):
2188         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
2189         (JSC::VarOffset::stackOffset):
2190         (JSC::VarOffset::scopeOffset):
2191         (JSC::VarOffset::capturedArgumentsOffset):
2192         (JSC::VarOffset::rawOffset):
2193         (JSC::VarOffset::checkSanity):
2194         (JSC::VarOffset::operator==):
2195         (JSC::VarOffset::operator!=):
2196         (JSC::VarOffset::hash):
2197         (JSC::VarOffset::isHashTableDeletedValue):
2198         (JSC::VarOffsetHash::hash):
2199         (JSC::VarOffsetHash::equal):
2200         * tests/stress/arguments-exit-strict-mode.js: Added.
2201         * tests/stress/arguments-exit.js: Added.
2202         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
2203         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
2204         * tests/stress/arguments-inlined-exit.js: Added.
2205         * tests/stress/arguments-interference.js: Added.
2206         * tests/stress/arguments-interference-cfg.js: Added.
2207         * tests/stress/dead-get-closure-var.js: Added.
2208         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
2209         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
2210         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
2211         * tests/stress/varargs-closure-inlined-exit.js: Added.
2212         * tests/stress/varargs-exit.js: Added.
2213         * tests/stress/varargs-inlined-exit.js: Added.
2214         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
2215         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
2216         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
2217         * tests/stress/varargs-inlined-simple-exit.js: Added.
2218         * tests/stress/varargs-too-few-arguments.js: Added.
2219         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
2220         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
2221         * tests/stress/varargs-varargs-inlined-exit.js: Added.
2222
2223 2015-03-25  Andy Estes  <aestes@apple.com>
2224
2225         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
2226         https://bugs.webkit.org/show_bug.cgi?id=143068
2227
2228         Reviewed by Dan Bernstein.
2229
2230         * inspector/remote/RemoteInspectorXPCConnection.mm:
2231         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
2232
2233 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2234
2235         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
2236         https://bugs.webkit.org/show_bug.cgi?id=142993
2237
2238         Reviewed by Geoffrey Garen and Mark Lam.
2239         
2240         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
2241         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
2242         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
2243         failure, but also involves adding the same kind of thing to the stub generators in
2244         Repatch.
2245         
2246         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
2247         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
2248         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
2249         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
2250         printout.
2251         
2252         Also add a way of inducing executable allocation failure, so that we can test this.
2253
2254         * CMakeLists.txt:
2255         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2256         * JavaScriptCore.xcodeproj/project.pbxproj:
2257         * dfg/DFGJITCompiler.cpp:
2258         (JSC::DFG::JITCompiler::compile):
2259         (JSC::DFG::JITCompiler::compileFunction):
2260         (JSC::DFG::JITCompiler::link): Deleted.
2261         (JSC::DFG::JITCompiler::linkFunction): Deleted.
2262         * dfg/DFGJITCompiler.h:
2263         * dfg/DFGPlan.cpp:
2264         (JSC::DFG::Plan::compileInThreadImpl):
2265         * ftl/FTLCompile.cpp:
2266         (JSC::FTL::mmAllocateCodeSection):
2267         (JSC::FTL::mmAllocateDataSection):
2268         * ftl/FTLLink.cpp:
2269         (JSC::FTL::link):
2270         * ftl/FTLState.h:
2271         * jit/ArityCheckFailReturnThunks.cpp:
2272         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
2273         * jit/ExecutableAllocationFuzz.cpp: Added.
2274         (JSC::numberOfExecutableAllocationFuzzChecks):
2275         (JSC::doExecutableAllocationFuzzing):
2276         * jit/ExecutableAllocationFuzz.h: Added.
2277         (JSC::doExecutableAllocationFuzzingIfEnabled):
2278         * jit/ExecutableAllocatorFixedVMPool.cpp:
2279         (JSC::ExecutableAllocator::allocate):
2280         * jit/JIT.cpp:
2281         (JSC::JIT::privateCompile):
2282         * jit/JITCompilationEffort.h:
2283         * jit/Repatch.cpp:
2284         (JSC::generateByIdStub):
2285         (JSC::tryCacheGetByID):
2286         (JSC::tryBuildGetByIDList):
2287         (JSC::emitPutReplaceStub):
2288         (JSC::emitPutTransitionStubAndGetOldStructure):
2289         (JSC::tryCachePutByID):
2290         (JSC::tryBuildPutByIdList):
2291         (JSC::tryRepatchIn):
2292         (JSC::linkPolymorphicCall):
2293         * jsc.cpp:
2294         (jscmain):
2295         * runtime/Options.h:
2296         * runtime/TestRunnerUtils.h:
2297         * runtime/VM.cpp:
2298         * tests/executableAllocationFuzz: Added.
2299         * tests/executableAllocationFuzz.yaml: Added.
2300         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
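
The policy this entry describes, as an added illustration that is not JavaScriptCore's own code (and not its real ExecutableAllocator or ExecutableAllocationFuzz implementation): a toy allocator where a CanFail request returns nothing and the caller takes the lower-tier path, a MustSucceed request that cannot be satisfied crashes with a diagnostic instead of attempting a GC, and a counter-based fault injector makes a chosen allocation fail so the fallback path is exercised deterministically. All names (ExecutablePool, countFallbacks and so on) are invented.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <string>

// Added example, not JavaScriptCore code. Models the two compilation efforts the
// ChangeLog entry discusses and a fault injector for the executable allocator.

enum class JITCompilationEffort { CanFail, MustSucceed };

// Fault injector: the failAt-th allocation check fails (0 disables fuzzing).
struct ExecutableAllocationFuzz {
    unsigned failAt = 0;
    unsigned checks = 0;
    bool shouldFail() { return failAt != 0 && ++checks == failAt; }
};

// Fixed-size stand-in for an executable pool; real code would hand out RX pages.
class ExecutablePool {
public:
    ExecutablePool(std::size_t capacityBytes, ExecutableAllocationFuzz* fuzz)
        : m_capacity(capacityBytes), m_fuzz(fuzz) {}

    // Returns a non-zero cookie for the allocation, or 0 when it cannot be satisfied.
    std::size_t allocate(std::size_t bytes, JITCompilationEffort effort) {
        bool injected = m_fuzz && m_fuzz->shouldFail();
        if (injected || m_used + bytes > m_capacity) {
            if (effort == JITCompilationEffort::MustSucceed) {
                // The entry's policy: callers that cannot tolerate a GC get a crash
                // with diagnostics rather than a releaseExecutableMemory() attempt.
                std::fprintf(stderr, "FATAL: executable allocation of %zu bytes failed "
                             "(used %zu of %zu, fuzz-injected=%d)\n",
                             bytes, m_used, m_capacity, injected ? 1 : 0);
                std::abort();
            }
            return 0;  // CanFail: the caller must have a legit fallback
        }
        m_used += bytes;
        return m_used;
    }

private:
    std::size_t m_capacity;
    std::size_t m_used = 0;
    ExecutableAllocationFuzz* m_fuzz;
};

// Tries to JIT a function body of the given size with CanFail; falls back to the
// interpreter tier when the allocation is refused.
std::string compileWithFallback(ExecutablePool& pool, std::size_t codeBytes) {
    if (pool.allocate(codeBytes, JITCompilationEffort::CanFail))
        return "jit";
    return "interpreter";
}

// Runs `compilations` 100-byte compiles against a pool of `capacity` bytes with the
// failAt-th allocation fuzzed to fail, and reports how many took the fallback path.
unsigned countFallbacks(unsigned compilations, unsigned failAt, std::size_t capacity) {
    ExecutableAllocationFuzz fuzz;
    fuzz.failAt = failAt;
    ExecutablePool pool(capacity, &fuzz);
    unsigned fallbacks = 0;
    for (unsigned i = 0; i < compilations; ++i) {
        if (compileWithFallback(pool, 100) == "interpreter")
            ++fallbacks;
    }
    return fallbacks;
}
```

With fuzzing disabled and enough capacity every compile is jitted; with failAt set to 3 exactly the third compile falls back; with a pool that only holds two bodies the last three of five fall back. None of these paths reach the MustSucceed crash, which is the point of moving the hot paths to CanFail.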
2301
2302 2015-03-25  Mark Lam  <mark.lam@apple.com>
2303
2304         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
2305         <https://webkit.org/b/135719>
2306
2307         Reviewed by Geoffrey Garen.
2308
2309         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
2310         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
2311         update the LLINT to access it as such.
2312
2313         The issue has only manifested so far on the CLoop tests because those are LLINT
2314         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
2315         hiding the bug in the LLINT.
2316
2317         * API/JSContextRef.cpp:
2318         (createWatchdogIfNeeded):
2319         (JSContextGroupSetExecutionTimeLimit):
2320         (JSContextGroupClearExecutionTimeLimit):
2321         * llint/LowLevelInterpreter.asm:
2322
2323 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2324
2325         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
2326
2327         Rubber stamped by Geoffrey Garen.
2328
2329         * bytecode/CodeBlock.cpp:
2330         (JSC::CodeBlock::visitAggregate):
2331
2332 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2333
2334         Fix formatting in BuiltinExecutables
2335         https://bugs.webkit.org/show_bug.cgi?id=143061
2336
2337         Reviewed by Ryosuke Niwa.
2338
2339         * builtins/BuiltinExecutables.cpp:
2340         (JSC::BuiltinExecutables::createExecutableInternal):
2341
2342 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2343
2344         ES6: Classes: Program level class statement throws exception in strict mode
2345         https://bugs.webkit.org/show_bug.cgi?id=143038
2346
2347         Reviewed by Ryosuke Niwa.
2348
2349         Classes expose a name to the current lexical environment. This treats
2350         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
2351         Also, improve error messages for class statements where the class is missing a name.
2352
2353         * parser/Parser.h:
2354         * parser/Parser.cpp:
2355         (JSC::Parser<LexerType>::parseClass):
2356         Fill name in info parameter if needed. Better error message if name is needed and missing.
2357
2358         (JSC::Parser<LexerType>::parseClassDeclaration):
2359         Pass info parameter to get name, and expose the name as a variable name.
2360
2361         (JSC::Parser<LexerType>::parsePrimaryExpression):
2362         Pass info parameter that is ignored.
2363
2364         * parser/ParserFunctionInfo.h:
2365         Add a parser info for class, to extract the name.
2366
2367 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2368
2369         New map and set modification tests in r181922 fails
2370         https://bugs.webkit.org/show_bug.cgi?id=143031
2371
2372         Reviewed and tweaked by Geoffrey Garen.
2373
2374         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
2375         to adjust for the packed backing store.
2376
2377         Consider the following map data.
2378
2379         x: deleted, o: exists
2380         0 1 2 3 4
2381         x x x x o
2382
2383         And an iterator with m_index 3.
2384
2385         When packing the map data, it will become:
2386
2387         0
2388         o
2389
2390         At that time, we perform didRemoveEntry 4 times on the iterators.
2391         times => m_index/index/result
2392         1 => 3/0/dec
2393         2 => 2/1/dec
2394         3 => 1/2/nothing
2395         4 => 1/3/nothing
2396
2397         After iteration, the iterator's m_index becomes 1, but we expected it to become 0.
2398         This is because we compare the decremented m_index against the provided deletedIndex,
2399         but deletedIndex is an index into the old storage while m_index is an index into the partially packed storage.
2400
2401         In this patch, we compare against the packed index instead.
2402         times => m_index/packedIndex/result
2403         1 => 3/0/dec
2404         2 => 2/0/dec
2405         3 => 1/0/dec
2406         4 => 0/0/nothing
2407
2408         So m_index becomes 0 as expected.
2409
2410         And according to the spec, once the iterator is closed (becomes done: true),
2411         its internal [[Map]]/[[Set]] is set to undefined.
2412         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
2413
2414         In this patch, we change 2 things.
2415         1.
2416         Compare an iterator's index against the packed index when removing an entry.
2417
2418         2.
2419         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
2420
2421         * runtime/MapData.h:
2422         (JSC::MapDataImpl::IteratorData::finish):
2423         (JSC::MapDataImpl::IteratorData::isFinished):
2424         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
2425         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
2426         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
2427         * runtime/MapDataInlines.h:
2428         (JSC::JSIterator>::replaceAndPackBackingStore):
2429         * tests/stress/modify-map-during-iteration.js:
2430         * tests/stress/modify-set-during-iteration.js:
2431
2432 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2433
2434         Setter should have a single formal parameter, Getter no parameters
2435         https://bugs.webkit.org/show_bug.cgi?id=142903
2436
2437         Reviewed by Geoffrey Garen.
2438
2439         * parser/Parser.cpp:
2440         (JSC::Parser<LexerType>::parseFunctionInfo):
2441         Enforce no parameters for getters and a single parameter
2442         for setters, with informational error messages.
2443
2444 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2445
2446         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
2447         https://bugs.webkit.org/show_bug.cgi?id=143012
2448
2449         Reviewed by Ryosuke Niwa.
2450
2451         * bytecompiler/BytecodeGenerator.cpp:
2452         (JSC::BytecodeGenerator::emitReturn):
2453         Fix handling of "undefined" when returned from a Derived class. It was
2454         returning "undefined" when it should have returned "this".
2455
2456 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2457
2458         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
2459         https://bugs.webkit.org/show_bug.cgi?id=142696
2460
2461         Reviewed and tweaked by Geoffrey Garen.
2462
2463         Before r142556, JSSetIterator::destroy was not defined.
2464         So, accidentally, MapData::const_iterator in JSSet was never destroyed.
2465         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
2466
2467         After r142556, JSSetIterator::destroy works.
2468         It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
2469         But JSSetIterator::~JSSetIterator requires owned JSSet since it mutates MapData->m_iteratorCount.
2470
2471         It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
2472         and marks it in visitChildren (WriteBarrier<Unknown>).
2473         However, the order of destructions is not guaranteed in GC-ed system.
2474
2475         Consider the following case:
2476         allocate a JSSet and subsequently allocate a JSSetIterator,
2477         and they reside in separate MarkedBlocks, <1> and <2>.
2478
2479         JSSet<1> <- JSSetIterator<2>
2480
2481         And after that, when performing GC, the Marker decides that the above 2 objects are not marked.
2482         And the Marker also decides MarkedBlocks <1> and <2> can be swept.
2483
2484         First, the Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
2485         Second, the Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
2486         However, JSSetIterator<2>'s destructor,
2487         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, so this causes a use-after-free.
2488
2489         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
2490         When packing the removed elements in JSSet/JSMap, we apply the change to all live
2491         iterators tracked by WeakGCMap.
2492
2493         WeakGCMap can only track JSCell since they are managed by GC.
2494         So we drop JSSet/JSMap C++ style iterators. Instead of C++ style iterator, this patch
2495         introduces JS style iterator signatures into C++ class IteratorData.
2496         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
2497         IteratorData directly.
2498
2499         * runtime/JSMap.cpp:
2500         (JSC::JSMap::destroy):
2501         * runtime/JSMap.h:
2502         (JSC::JSMap::JSMap):
2503         (JSC::JSMap::begin): Deleted.
2504         (JSC::JSMap::end): Deleted.
2505         * runtime/JSMapIterator.cpp:
2506         (JSC::JSMapIterator::destroy):
2507         * runtime/JSMapIterator.h:
2508         (JSC::JSMapIterator::next):
2509         (JSC::JSMapIterator::nextKeyValue):
2510         (JSC::JSMapIterator::iteratorData):
2511         (JSC::JSMapIterator::JSMapIterator):
2512         * runtime/JSSet.cpp:
2513         (JSC::JSSet::destroy):
2514         * runtime/JSSet.h:
2515         (JSC::JSSet::JSSet):
2516         (JSC::JSSet::begin): Deleted.
2517         (JSC::JSSet::end): Deleted.
2518         * runtime/JSSetIterator.cpp:
2519         (JSC::JSSetIterator::destroy):
2520         * runtime/JSSetIterator.h:
2521         (JSC::JSSetIterator::next):
2522         (JSC::JSSetIterator::iteratorData):
2523         (JSC::JSSetIterator::JSSetIterator):
2524         * runtime/MapData.h:
2525         (JSC::MapDataImpl::IteratorData::finish):
2526         (JSC::MapDataImpl::IteratorData::isFinished):
2527         (JSC::MapDataImpl::shouldPack):
2528         (JSC::JSIterator>::MapDataImpl):
2529         (JSC::JSIterator>::KeyType::KeyType):
2530         (JSC::JSIterator>::IteratorData::IteratorData):
2531         (JSC::JSIterator>::IteratorData::next):
2532         (JSC::JSIterator>::IteratorData::ensureSlot):
2533         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
2534         (JSC::JSIterator>::IteratorData::refreshCursor):
2535         (JSC::MapDataImpl::const_iterator::key): Deleted.
2536         (JSC::MapDataImpl::const_iterator::value): Deleted.
2537         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
2538         (JSC::MapDataImpl::const_iterator::finish): Deleted.
2539         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
2540         (JSC::MapDataImpl::begin): Deleted.
2541         (JSC::MapDataImpl::end): Deleted.
2542         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
2543         (JSC::MapDataImpl<Entry>::clear): Deleted.
2544         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
2545         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
2546         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
2547         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
2548         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
2549         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
2550         (JSC::=): Deleted.
2551         * runtime/MapDataInlines.h:
2552         (JSC::JSIterator>::clear):
2553         (JSC::JSIterator>::find):
2554         (JSC::JSIterator>::contains):
2555         (JSC::JSIterator>::add):
2556         (JSC::JSIterator>::set):
2557         (JSC::JSIterator>::get):
2558         (JSC::JSIterator>::remove):
2559         (JSC::JSIterator>::replaceAndPackBackingStore):
2560         (JSC::JSIterator>::replaceBackingStore):
2561         (JSC::JSIterator>::ensureSpaceForAppend):
2562         (JSC::JSIterator>::visitChildren):
2563         (JSC::JSIterator>::copyBackingStore):
2564         (JSC::JSIterator>::applyMapDataPatch):
2565         (JSC::MapDataImpl<Entry>::find): Deleted.
2566         (JSC::MapDataImpl<Entry>::contains): Deleted.
2567         (JSC::MapDataImpl<Entry>::add): Deleted.
2568         (JSC::MapDataImpl<Entry>::set): Deleted.
2569         (JSC::MapDataImpl<Entry>::get): Deleted.
2570         (JSC::MapDataImpl<Entry>::remove): Deleted.
2571         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
2572         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
2573         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
2574         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
2575         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
2576         * runtime/MapPrototype.cpp:
2577         (JSC::mapProtoFuncForEach):
2578         * runtime/SetPrototype.cpp:
2579         (JSC::setProtoFuncForEach):
2580         * runtime/WeakGCMap.h:
2581         (JSC::WeakGCMap::forEach):
2582         * tests/stress/modify-map-during-iteration.js: Added.
2583         (testValue):
2584         (identityPairs):
2585         (.set if):
2586         (var):
2587         (set map):
2588         * tests/stress/modify-set-during-iteration.js: Added.
2589         (testValue):
2590         (set forEach):
2591         (set delete):
2592
2593 2015-03-24  Mark Lam  <mark.lam@apple.com>
2594
2595         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
2596         <https://webkit.org/b/143024>
2597
2598         Reviewed by Geoffrey Garen.
2599
2600         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
2601         passed in from testapi.c.  It should create its own for better
2602         encapsulation of the test.
2603
2604         * API/tests/ExecutionTimeLimitTest.cpp:
2605         (currentCPUTimeAsJSFunctionCallback):
2606         (testExecutionTimeLimit):
2607         * API/tests/ExecutionTimeLimitTest.h:
2608         * API/tests/testapi.c:
2609         (main):
2610
2611 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2612
2613         ES6: Object Literal Methods toString is missing method name
2614         https://bugs.webkit.org/show_bug.cgi?id=142992
2615
2616         Reviewed by Geoffrey Garen.
2617
2618         Always stringify functions in the pattern:
2619
2620           "function " + <function name> + <text from opening parenthesis to closing brace>.
2621
2622         * runtime/FunctionPrototype.cpp:
2623         (JSC::functionProtoFuncToString):
2624         Update the path that was not stringifying in this pattern.
2625
2626         * bytecode/UnlinkedCodeBlock.cpp:
2627         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2628         * bytecode/UnlinkedCodeBlock.h:
2629         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
2630         * parser/Nodes.h:
2631         * runtime/Executable.cpp:
2632         (JSC::FunctionExecutable::FunctionExecutable):
2633         * runtime/Executable.h:
2634         (JSC::FunctionExecutable::parametersStartOffset):
2635         Pass the already known function parameter opening parenthesis
2636         start offset through to the FunctionExecutable. 
2637
2638         * tests/mozilla/js1_5/Scope/regress-185485.js:
2639         (with.g):
2640         Add back original space in this test that was removed by r181810
2641         now that we have the space again in stringification.
2642
2643 2015-03-24  Michael Saboff  <msaboff@apple.com>
2644
2645         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
2646         https://bugs.webkit.org/show_bug.cgi?id=142856
2647
2648         Reviewed by Filip Pizlo.
2649
2650         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
2651         get info for three loops to iterate over indexed properties, structure properties and other properties,
2652         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
2653         for all loops before we execute any enumeration.
2654
2655         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
2656         The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex)
2657         and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
2658
2659         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
2660         op_next_enumerator_pname.
2661         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
2662         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
2663         end value we stop iterating on.
2664
2665         Made corresponding node changes to the DFG and FTL for the bytecode changes.
2666
2667         * bytecode/BytecodeList.json:
2668         * bytecode/BytecodeUseDef.h:
2669         (JSC::computeUsesForBytecodeOffset):
2670         (JSC::computeDefsForBytecodeOffset):
2671         * bytecode/CodeBlock.cpp:
2672         (JSC::CodeBlock::dumpBytecode):
2673         * bytecompiler/BytecodeGenerator.cpp:
2674         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
2675         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
2676         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
2677         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
2678         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
2679         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
2680         * bytecompiler/BytecodeGenerator.h:
2681         * bytecompiler/NodesCodegen.cpp:
2682         (JSC::ForInNode::emitMultiLoopBytecode):
2683         * dfg/DFGAbstractInterpreterInlines.h:
2684         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2685         * dfg/DFGByteCodeParser.cpp:
2686         (JSC::DFG::ByteCodeParser::parseBlock):
2687         * dfg/DFGCapabilities.cpp:
2688         (JSC::DFG::capabilityLevel):
2689         * dfg/DFGClobberize.h:
2690         (JSC::DFG::clobberize):
2691         * dfg/DFGDoesGC.cpp:
2692         (JSC::DFG::doesGC):
2693         * dfg/DFGFixupPhase.cpp:
2694         (JSC::DFG::FixupPhase::fixupNode):
2695         * dfg/DFGNodeType.h:
2696         * dfg/DFGPredictionPropagationPhase.cpp:
2697         (JSC::DFG::PredictionPropagationPhase::propagate):
2698         * dfg/DFGSafeToExecute.h:
2699         (JSC::DFG::safeToExecute):
2700         * dfg/DFGSpeculativeJIT32_64.cpp:
2701         (JSC::DFG::SpeculativeJIT::compile):
2702         * dfg/DFGSpeculativeJIT64.cpp:
2703         (JSC::DFG::SpeculativeJIT::compile):
2704         * ftl/FTLAbstractHeapRepository.h:
2705         * ftl/FTLCapabilities.cpp:
2706         (JSC::FTL::canCompile):
2707         * ftl/FTLLowerDFGToLLVM.cpp:
2708         (JSC::FTL::LowerDFGToLLVM::compileNode):
2709         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
2710         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
2711         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
2712         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
2713         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
2714         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
2715         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
2716         * jit/JIT.cpp:
2717         (JSC::JIT::privateCompileMainPass):
2718         * jit/JIT.h:
2719         * jit/JITOpcodes.cpp:
2720         (JSC::JIT::emit_op_enumerator_structure_pname):
2721         (JSC::JIT::emit_op_enumerator_generic_pname):
2722         (JSC::JIT::emit_op_get_property_enumerator):
2723         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2724         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
2725         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
2726         * jit/JITOpcodes32_64.cpp:
2727         (JSC::JIT::emit_op_enumerator_structure_pname):
2728         (JSC::JIT::emit_op_enumerator_generic_pname):
2729         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2730         * jit/JITOperations.cpp:
2731         * jit/JITOperations.h:
2732         * llint/LowLevelInterpreter.asm:
2733         * runtime/CommonSlowPaths.cpp:
2734         (JSC::SLOW_PATH_DECL):
2735         * runtime/CommonSlowPaths.h:
2736         * runtime/JSPropertyNameEnumerator.cpp:
2737         (JSC::JSPropertyNameEnumerator::create):
2738         (JSC::JSPropertyNameEnumerator::finishCreation):
2739         * runtime/JSPropertyNameEnumerator.h:
2740         (JSC::JSPropertyNameEnumerator::indexedLength):
2741         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
2742         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
2743         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
2744         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
2745         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
2746         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
2747         (JSC::propertyNameEnumerator):
2748         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
2749         (JSC::structurePropertyNameEnumerator): Deleted.
2750         (JSC::genericPropertyNameEnumerator): Deleted.
2751         * runtime/Structure.cpp:
2752         (JSC::Structure::setCachedPropertyNameEnumerator):
2753         (JSC::Structure::cachedPropertyNameEnumerator):
2754         (JSC::Structure::canCachePropertyNameEnumerator):
2755         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
2756         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
2757         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
2758         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
2759         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
2760         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
2761         * runtime/Structure.h:
2762         * runtime/StructureRareData.cpp:
2763         (JSC::StructureRareData::visitChildren):
2764         (JSC::StructureRareData::cachedPropertyNameEnumerator):
2765         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
2766         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
2767         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
2768         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
2769         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
2770         * runtime/StructureRareData.h:
2771         * tests/stress/for-in-delete-during-iteration.js:
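
An added example, not JavaScriptCore code, that models the snapshot-style for..in enumeration the entry above describes in plain JavaScript: one up-front call builds the enumerator (an indexed-property count plus a single named-property list with a structure range and a generic range), then three loops walk it, re-checking on each iteration that the name still exists. The split used here (own non-index names in the structure range, enumerable names inherited through the prototype chain in the generic range, inherited index keys ignored, indexedLength taken as one past the largest own index) is an assumed simplification of the engine, and the sample object and loop body are constructed for the example.

```javascript
// Added example, not JavaScriptCore code: a plain-JavaScript model of the
// snapshot-style for..in enumeration described in the ChangeLog entry above.
// JSC's JSPropertyNameEnumerator records an indexed-property count and one
// list of named properties, with structure properties in
// [0, endStructurePropertyIndex) and generic properties in
// [endStructurePropertyIndex, endGenericPropertyIndex).
// Assumption (a simplification of the engine): own non-index names fill the
// structure range, enumerable names inherited through the prototype chain fill
// the generic range, inherited index keys are ignored, and indexedLength is
// one past the largest own index.

function isArrayIndex(key) {
  // A canonical numeric string in [0, 2^32 - 2], i.e. an ECMAScript array index.
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n < 4294967295 && String(n) === key;
}

// The single up-front call (op_get_property_enumerator in the entry) that
// gathers everything the three loops need before any loop body runs.
function getPropertyEnumerator(object) {
  const names = [];
  let indexedLength = 0;
  for (const key of Object.keys(object)) {
    if (isArrayIndex(key)) indexedLength = Math.max(indexedLength, Number(key) + 1);
    else names.push(key);
  }
  const endStructurePropertyIndex = names.length;
  const seen = new Set(names);
  for (let p = Object.getPrototypeOf(object); p !== null; p = Object.getPrototypeOf(p)) {
    for (const key of Object.keys(p)) {
      if (!isArrayIndex(key) && !seen.has(key)) {
        seen.add(key);
        names.push(key);
      }
    }
  }
  return { indexedLength, names, endStructurePropertyIndex, endGenericPropertyIndex: names.length };
}

// Drives `body` the way the three generated loops do. Every iteration re-checks
// that the name still exists (the has_indexed_property / has_structure_property
// / has_generic_property checks), so names the body deletes are skipped, and
// names the body adds are never enumerated because the snapshot predates them.
function forInSnapshot(object, body) {
  const e = getPropertyEnumerator(object);
  const visited = [];
  const visit = (key) => {
    if (key in object) {
      visited.push(key);
      body(key, object);
    }
  };
  for (let i = 0; i < e.indexedLength; i++) visit(String(i));
  for (let i = 0; i < e.endStructurePropertyIndex; i++) visit(e.names[i]);
  for (let i = e.endStructurePropertyIndex; i < e.endGenericPropertyIndex; i++) visit(e.names[i]);
  return visited;
}

// Constructed sample: the body mutates the object mid-loop, which is exactly
// the situation the regression in the entry was about.
function mutateDuringLoop(key, obj) {
  if (key === "a") {
    obj.added = "new";   // added during the loop: must not be enumerated
    obj[7] = "seven";    // added index beyond the snapshot: must not be enumerated
    delete obj.b;        // deleted before its turn: must be skipped
  }
}

function makeSample() {
  const o = Object.create({ inherited: 1 });
  o[1] = "one";
  o.a = "A";
  o.b = "B";
  o.c = "C";
  return o;
}

// Expected order: ["1", "a", "c", "inherited"]
function modelOrder() {
  return forInSnapshot(makeSample(), mutateDuringLoop);
}

// The same loop using the host engine's own for..in, for comparison.
function nativeOrder() {
  const o = makeSample();
  const visited = [];
  for (const key in o) {
    visited.push(key);
    mutateDuringLoop(key, o);
  }
  return visited;
}
```

Running modelOrder() and nativeOrder() side by side shows the invariant the fix restores: "b" is skipped because the per-iteration existence check fails, while "added" and "7" never appear because the enumerator was built before the loop body ran.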
2772
2773 2015-03-24  Michael Saboff  <msaboff@apple.com>
2774
2775         Unreviewed build fix for debug builds.
2776
2777         * runtime/ExceptionHelpers.cpp:
2778         (JSC::invalidParameterInSourceAppender):
2779
2780 2015-03-24  Saam Barati  <saambarati1@gmail.com>
2781
2782         Improve error messages in JSC
2783         https://bugs.webkit.org/show_bug.cgi?id=141869
2784
2785         Reviewed by Geoffrey Garen.
2786
2787         JavaScriptCore has some unintuitive error messages associated
2788         with certain common errors. This patch changes some specific
2789         error messages to be more understandable and also creates a
2790         mechanism that will allow for easy modification of error messages
2791         in the future. The specific errors we change are not a function
2792         errors and invalid parameter errors.
2793
2794         * CMakeLists.txt:
2795         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2796         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2797         * JavaScriptCore.xcodeproj/project.pbxproj:
2798         * interpreter/Interpreter.cpp:
2799         (JSC::sizeOfVarargs):
2800         * jit/JITOperations.cpp:
2801         op_throw_static_error always has a JSString as its argument.
2802         There is no need to dance around this, and we should assert
2803         that this always holds. This JSString represents the error 
2804         message we want to display to the user, so there is no need
2805         to pass it into errorDescriptionForValue which will now place
2806         quotes around the string.
2807
2808         * llint/LLIntSlowPaths.cpp:
2809         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2810         * runtime/CommonSlowPaths.h:
2811         (JSC::CommonSlowPaths::opIn):
2812         * runtime/ErrorInstance.cpp:
2813         (JSC::ErrorInstance::ErrorInstance):
2814         * runtime/ErrorInstance.h:
2815         (JSC::ErrorInstance::hasSourceAppender):
2816         (JSC::ErrorInstance::sourceAppender):
2817         (JSC::ErrorInstance::setSourceAppender):
2818         (JSC::ErrorInstance::clearSourceAppender):
2819         (JSC::ErrorInstance::setRuntimeTypeForCause):
2820         (JSC::ErrorInstance::runtimeTypeForCause):
2821         (JSC::ErrorInstance::clearRuntimeTypeForCause):
2822         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
2823         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
2824         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
2825         * runtime/ExceptionHelpers.cpp:
2826         (JSC::errorDescriptionForValue):
2827         (JSC::defaultApproximateSourceError):
2828         (JSC::defaultSourceAppender):
2829         (JSC::functionCallBase):
2830         (JSC::notAFunctionSourceAppender):
2831         (JSC::invalidParameterInSourceAppender):
2832         (JSC::invalidParameterInstanceofSourceAppender):
2833         (JSC::createError):
2834         (JSC::createInvalidFunctionApplyParameterError):
2835         (JSC::createInvalidInParameterError):
2836         (JSC::createInvalidInstanceofParameterError):
2837         (JSC::createNotAConstructorError):
2838         (JSC::createNotAFunctionError):
2839         (JSC::createNotAnObjectError):
2840         (JSC::createInvalidParameterError): Deleted.
2841         * runtime/ExceptionHelpers.h:
2842         * runtime/JSObject.cpp:
2843         (JSC::JSObject::hasInstance):
2844         * runtime/RuntimeType.cpp: Added.
2845         (JSC::runtimeTypeForValue):
2846         (JSC::runtimeTypeAsString):
2847         * runtime/RuntimeType.h: Added.
2848         * runtime/TypeProfilerLog.cpp:
2849         (JSC::TypeProfilerLog::processLogEntries):
2850         * runtime/TypeSet.cpp:
2851         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
2852         * runtime/TypeSet.h:
2853         * runtime/VM.cpp:
2854         (JSC::appendSourceToError):
2855         (JSC::VM::throwException):
2856
2857 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
2858
2859         JSC should have a low-cost asynchronous disassembler
2860         https://bugs.webkit.org/show_bug.cgi?id=142997
2861
2862         Reviewed by Mark Lam.
2863         
2864         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
2865         doesn't block execution. Some code will live a little longer because of this, since the
2866         work tasks hold a ref to the code, but other than that there is basically no overhead.
2867         
2868         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
2869         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
2870         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
2871         JSC_asyncDisassembly has bizarre behavior - so just choose one.
2872         
2873         A simple way of understanding how great this is, is to run a small benchmark like
2874         V8Spider/earley-boyer.
2875         
2876         Performance without any disassembly flags: 60ms
2877         Performance with JSC_showDisassembly=true: 477ms
2878         Performance with JSC_asyncDisassembly=true: 65ms
2879         
2880         So, the overhead of disassembly goes from 8x to 8%.
2881         
2882         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
2883         measuring benchmark performance. This is because at VM exit, we wait for all async
2884         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
2885         after the benchmark completely finishes to finish the disassemblies. This small weirdness
2886         should be OK for the intended use-cases, since all you have to do to get around it is to
2887         measure the execution time of the benchmark payload rather than the end-to-end time of
2888         launching the VM.
2889
2890         * assembler/LinkBuffer.cpp:
2891         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2892         * assembler/LinkBuffer.h:
2893         (JSC::LinkBuffer::wasAlreadyDisassembled):
2894         (JSC::LinkBuffer::didAlreadyDisassemble):
2895         * dfg/DFGJITCompiler.cpp:
2896         (JSC::DFG::JITCompiler::disassemble):
2897         * dfg/DFGJITFinalizer.cpp:
2898         (JSC::DFG::JITFinalizer::finalize):
2899         (JSC::DFG::JITFinalizer::finalizeFunction):
2900         * disassembler/Disassembler.cpp:
2901         (JSC::disassembleAsynchronously):
2902         (JSC::waitForAsynchronousDisassembly):
2903         * disassembler/Disassembler.h:
2904         * ftl/FTLCompile.cpp:
2905         (JSC::FTL::mmAllocateDataSection):
2906         * ftl/FTLLink.cpp:
2907         (JSC::FTL::link):
2908         * jit/JIT.cpp:
2909         (JSC::JIT::privateCompile):
2910         * jsc.cpp:
2911         * runtime/Options.h:
2912         * runtime/VM.cpp:
2913         (JSC::VM::~VM):
2914
2915 2015-03-23  Dean Jackson  <dino@apple.com>
2916
2917         ES7: Implement Array.prototype.includes
2918         https://bugs.webkit.org/show_bug.cgi?id=142707
2919
2920         Reviewed by Geoffrey Garen.
2921
2922         Add support for the ES7 includes method on Arrays.
2923         https://github.com/tc39/Array.prototype.includes
2924
2925         * builtins/Array.prototype.js:
2926         (includes): Implementation in JS.
2927         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
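
An added example, not the builtins/Array.prototype.js implementation the entry refers to: a self-contained JavaScript version of Array.prototype.includes that follows the algorithm in the ES7 proposal (ToObject, ToLength, a negative fromIndex counted from the end, SameValueZero comparison), with the cases where it differs from indexOf called out. The helper names and the sample arrays are this example's own.

```javascript
// Added example, not JavaScriptCore's builtins/Array.prototype.js: the ES7
// Array.prototype.includes algorithm written out in plain JavaScript.

// SameValueZero: like ===, except that NaN matches NaN (+0 and -0 still match).
// This is the comparison that separates includes from indexOf.
function sameValueZero(x, y) {
  return x === y || (x !== x && y !== y);
}

// ToIntegerOrInfinity: NaN becomes 0, infinities pass through, others truncate.
function toIntegerOrInfinity(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (n === Infinity || n === -Infinity) return n;
  return Math.trunc(n);
}

// ToLength: clamp to [0, 2^53 - 1].
function toLength(v) {
  return Math.min(Math.max(toIntegerOrInfinity(v), 0), Number.MAX_SAFE_INTEGER);
}

// arrayIncludes(thisValue, searchElement, fromIndex) mirrors
// Array.prototype.includes.call(thisValue, searchElement, fromIndex).
function arrayIncludes(thisValue, searchElement, fromIndex) {
  if (thisValue == null) {
    throw new TypeError("Array.prototype.includes called on null or undefined");
  }
  const o = Object(thisValue);          // works on any array-like, strings included
  const len = toLength(o.length);
  if (len === 0) return false;
  let k = toIntegerOrInfinity(fromIndex);
  if (k < 0) k = Math.max(len + k, 0); // negative fromIndex counts from the end
  for (; k < len; k++) {
    // o[k] reads holes as undefined, so includes finds undefined in sparse arrays
    if (sameValueZero(searchElement, o[k])) return true;
  }
  return false;
}

// Constructed inputs that show where includes and indexOf disagree.
function compareWithIndexOf() {
  const cases = [
    { label: "NaN",       arr: [1, 2, NaN], x: NaN },
    { label: "hole",      arr: [1, , 3],    x: undefined },
    { label: "neg zero",  arr: [-0],        x: 0 },
    { label: "from end",  arr: ["a", "b"],  x: "a", from: -1 },
  ];
  return cases.map(({ label, arr, x, from }) => ({
    label,
    includes: arrayIncludes(arr, x, from),
    indexOf: arr.indexOf(x, from === undefined ? 0 : from) !== -1,
  }));
}
```

compareWithIndexOf() returns true/false for includes alongside indexOf for each case; the NaN and hole rows are where the two disagree, while the -0 row shows that SameValueZero does not introduce a difference there.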
2928
2929 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2930
2931         __defineGetter__/__defineSetter__ should throw exceptions
2932         https://bugs.webkit.org/show_bug.cgi?id=142934
2933
2934         Reviewed by Geoffrey Garen.
2935
2936         * runtime/ObjectPrototype.cpp:
2937         (JSC::objectProtoFuncDefineGetter):
2938         (JSC::objectProtoFuncDefineSetter):
2939         Throw exceptions when these functions are used directly.
2940
2941 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2942
2943         Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
2944         https://bugs.webkit.org/show_bug.cgi?id=142952
2945
2946         Reviewed by Geoffrey Garen.
2947
2948         * runtime/Structure.cpp:
2949         (JSC::PropertyTable::checkConsistency):
2950         The check offset method doesn't exist in PropertyTable, it exists in Structure.
2951
2952         (JSC::Structure::checkConsistency):
2953         So move it here, and always put it at the start to match normal behavior.
2954
2955 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2956
2957         Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
2958         https://bugs.webkit.org/show_bug.cgi?id=142956
2959
2960         Rubber stamped by Gyuyoung Kim.
2961         
2962         Just removing dead code.
2963
2964         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2965         * JavaScriptCore.xcodeproj/project.pbxproj:
2966         * dfg/DFGOSRExit.h:
2967         * dfg/DFGOSRExitCompiler.cpp:
2968         * dfg/DFGValueRecoveryOverride.h: Removed.
2969
2970 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2971
2972         DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
2973         https://bugs.webkit.org/show_bug.cgi?id=142948
2974
2975         Reviewed by Sam Weinig.
2976         
2977         It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
2978         since a signal may clobber the area below the stack pointer. When the DFG is executing,
2979         the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
2980         baseline, we will use a different amount of stack. This is because baseline is a different
2981         compiler. It will make different decisions. So it will use a different amount of stack.
2982         
2983         This gets tricky when we are in the process of doing an OSR exit, because we are sort of
2984         incrementally transforming the stack from how it looked in the DFG to how it will look in
2985         baseline. The most conservative approach would be to set the stack pointer to the max of
2986         DFG and baseline.
2987         
2988         When this code was written, a reckless assumption was made: that the stack usage in
2989         baseline is always at least as large as the stack usage in DFG. Based on this incorrect
2990         assumption, the code first adjusts the stack pointer to account for the baseline stack
2991         usage. This sort of usually works, because usually baseline does happen to use more stack.
2992         But that's not an invariant. Nobody guarantees this. We will never make any changes that
2993         would make this be guaranteed, because that would be antithetical to how optimizing
2994         compilers work. The DFG should be allowed to use however much stack it decides that it
2995         should use in order to get good performance, and it shouldn't try to guarantee that it
2996         always uses less stack than baseline.
2997         
2998         As such, we must always assume that the frame size for DFG execution (i.e.
2999         frameRegisterCount) and the frame size in baseline once we exit (i.e.
3000         requiredRegisterCountForExit) are two independent quantities and they have no
3001         relationship.
3002         
3003         Fortunately, though, this code can be made correct by just moving the stack adjustment to
3004         just before we do conversions. This is because we have since changed the OSR exit
3005         algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
3006         drop it out of the scratch buffer and into the stack according to the baseline layout. The
3007         point just before conversions is the point where we have finished reading the DFG frame
3008         and will not read it anymore, and we haven't started writing the baseline frame. So, at
3009         this point it is safe to set the stack pointer to account for the frame size at exit.
3010         
3011         This is benign because baseline happens to create larger frames than DFG.
3012
3013         * dfg/DFGOSRExitCompiler32_64.cpp:
3014         (JSC::DFG::OSRExitCompiler::compileExit):
3015         * dfg/DFGOSRExitCompiler64.cpp:
3016         (JSC::DFG::OSRExitCompiler::compileExit):
3017         * dfg/DFGOSRExitCompilerCommon.cpp:
3018         (JSC::DFG::adjustAndJumpToTarget):
3019
3020 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3021
3022         Shorten the number of iterations to 10,000 since that's enough to test all tiers.
3023
3024         Rubber stamped by Sam Weinig.
3025
3026         * tests/stress/equals-masquerader.js:
3027
3028 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3029
3030         tests/stress/*tdz* tests do 10x more iterations than necessary
3031         https://bugs.webkit.org/show_bug.cgi?id=142946
3032
3033         Reviewed by Ryosuke Niwa.
3034         
3035         The stress test harness runs all of these tests in various configurations. This includes
3036         no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
3037         enough to get to the highest tier. The only exceptions are very large functions or
3038         functions that have some reoptimizations. That happens rarely, and when it does happen,
3039         usually 20,000 iterations is enough.
3040         
3041         Therefore, these tests use 10x too many iterations. This is bad, since these tests
3042         allocate on each iteration, and so they run very slowly in debug mode.
3043
3044         * tests/stress/class-syntax-no-loop-tdz.js:
3045         * tests/stress/class-syntax-no-tdz-in-catch.js:
3046         * tests/stress/class-syntax-no-tdz-in-conditional.js:
3047         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
3048         * tests/stress/class-syntax-no-tdz-in-loop.js:
3049         * tests/stress/class-syntax-no-tdz.js:
3050         * tests/stress/class-syntax-tdz-in-catch.js:
3051         * tests/stress/class-syntax-tdz-in-conditional.js:
3052         * tests/stress/class-syntax-tdz-in-loop.js:
3053         * tests/stress/class-syntax-tdz.js:
3054
3055 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
3056
3057         Fix a typo in Parser error message
3058         https://bugs.webkit.org/show_bug.cgi?id=142942
3059
3060         Reviewed by Alexey Proskuryakov.
3061
3062         * jit/JITPropertyAccess.cpp:
3063         (JSC::JIT::emitSlow_op_resolve_scope):
3064         * jit/JITPropertyAccess32_64.cpp:
3065         (JSC::JIT::emitSlow_op_resolve_scope):
3066         * parser/Parser.cpp:
3067         (JSC::Parser<LexerType>::parseClass):
3068         Fix a common identifier typo.
3069
3070 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
3071
3072         Computed Property names should allow only AssignmentExpressions not any Expression
3073         https://bugs.webkit.org/show_bug.cgi?id=142902
3074
3075         Reviewed by Ryosuke Niwa.
3076
3077         * parser/Parser.cpp:
3078         (JSC::Parser<LexerType>::parseProperty):
3079         Limit computed expressions to just assignment expressions instead of
3080         any expression (which allowed comma expressions).
3081
3082 2015-03-21  Andreas Kling  <akling@apple.com>
3083
3084         Make UnlinkedFunctionExecutable fit in a 128-byte cell.
3085         <https://webkit.org/b/142939>
3086
3087         Reviewed by Mark Hahnenberg.
3088
3089         Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
3090         a 128-byte heap cell instead of requiring a 256-byte one.
3091
3092         Threw in a static_assert to catch anyone pushing it over the limit again.
3093
3094         * bytecode/UnlinkedCodeBlock.cpp:
3095         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3096         * bytecode/UnlinkedCodeBlock.h:
3097         (JSC::UnlinkedFunctionExecutable::functionMode):
3098
3099 2015-03-20  Mark Hahnenberg  <mhahnenb@gmail.com>
3100
3101         GCTimer should keep track of nested GC phases
3102         https://bugs.webkit.org/show_bug.cgi?id=142675
3103
3104         Reviewed by Darin Adler.
3105
3106         This improves the GC phase timing output in Heap.cpp by linking
3107         phases nested inside other phases together, allowing tools
3108         to compute how much time we're spending in various nested phases.
3109
3110         * heap/Heap.cpp:
3111
3112 2015-03-20  Geoffrey Garen  <ggaren@apple.com>
3113
3114         FunctionBodyNode should know where its parameters started
3115         https://bugs.webkit.org/show_bug.cgi?id=142926
3116
3117         Reviewed by Ryosuke Niwa.
3118
3119         This will allow us to re-parse parameters instead of keeping the
3120         parameters piece of the AST around forever.
3121
3122         I also took the opportunity to initialize most FunctionBodyNode data
3123         members at construction time, to help clarify that they are set right.
3124
3125         * parser/ASTBuilder.h:
3126         (JSC::ASTBuilder::createFunctionExpr): No need to pass
3127         functionKeywordStart here; we now provide it at FunctionBodyNode
3128         creation time.
3129
3130         (JSC::ASTBuilder::createFunctionBody): Require everything we need at
3131         construction time, including the start of our parameters.
3132
3133         (JSC::ASTBuilder::createGetterOrSetterProperty):
3134         (JSC::ASTBuilder::createFuncDeclStatement):  No need to pass
3135         functionKeywordStart here; we now provide it at FunctionBodyNode
3136         creation time.
3137
3138         (JSC::ASTBuilder::setFunctionNameStart): Deleted.
3139
3140         * parser/Nodes.cpp:
3141         (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at
3142         construction time.
3143
3144         * parser/Nodes.h: Added a field for the location of our parameters.
3145
3146         * parser/Parser.cpp:
3147         (JSC::Parser<LexerType>::parseFunctionBody):
3148         (JSC::Parser<LexerType>::parseFunctionInfo):
3149         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3150         (JSC::Parser<LexerType>::parseClass):
3151         (JSC::Parser<LexerType>::parsePropertyMethod):
3152         (JSC::Parser<LexerType>::parseGetterSetter):
3153         (JSC::Parser<LexerType>::parsePrimaryExpression):
3154         * parser/Parser.h: Refactored to match above interface changes.
3155
3156         * parser/SyntaxChecker.h:
3157         (JSC::SyntaxChecker::createFunctionExpr):
3158         (JSC::SyntaxChecker::createFunctionBody):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match
        above interface changes.

        (JSC::SyntaxChecker::setFunctionNameStart): Deleted.

2015-03-20  Filip Pizlo  <fpizlo@apple.com>

        Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes
        https://bugs.webkit.org/show_bug.cgi?id=142920

        Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam.

        Observably effectful, n.: If we reexecute the bytecode instruction after this node has
        executed, then something other than the bytecode instruction's specified outcome will
        happen.

        We almost never had observably effectful nodes except at the end of the bytecode
        instruction.  The exception is a lowered transitioning PutById:

        PutStructure(@o, S1 -> S2)
        PutByOffset(@o, @o, @v)

        The PutStructure is observably effectful: if you try to reexecute the bytecode after
        doing the PutStructure, then we'll most likely crash.  The generic PutById handling means
        first checking what the old structure of the object is; but if we reexecute, the old
        structure will seem to be the new structure.  But the property ensured by the new
        structure hasn't been stored yet, so any attempt to load it or scan it will crash.

        Intriguingly, however, none of the other operations involved in the PutById are
        observably effectful.  Consider this example:

        PutByOffset(@o, @o, @v)
        PutStructure(@o, S1 -> S2)

        Note that the PutStructure node doesn't reallocate property storage; see further below
        for an example that does that. Because no property storage reallocation is happening, we
        know that we already had room for the new property.  This means that the PutByOffset is not
        observable until the PutStructure executes and "reveals" the property.  Hence, PutByOffset
        is not observably effectful.

        Now consider this:

        b: AllocatePropertyStorage(@o)
        PutByOffset(@b, @o, @v)
        PutStructure(@o, S1 -> S2)

        Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably
        effectful. It *does* reallocate the property storage and the new property storage pointer
        is stored into the object. But until the PutStructure occurs, the world will just think
        that the reallocation didn't happen, in the sense that we'll think that the property
        storage is using less memory than what we just allocated. That's harmless.

        The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the
        AllocatePropertyStorage but before the PutByOffset (or before the PutStructure),
        everything could be expected to be fine, so long as all of @o, @v and @b are on the
        stack. If they are all on the stack, then the GC will leave the property storage alone
        (so the extra memory we just allocated would be safe). The GC will not scan the part of
        the property storage that contains @v, but that's fine, so long as @v is on the stack.

        The better long-term solution is probably bug 142921.

        But for now, this:

        - Fixes an object materialization bug, exemplified by the two tests, that previously
          crashed 100% of the time with FTL enabled and concurrent JIT disabled.

        - Allows us to remove the workaround introduced in r174856.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::insertCheck):
        (JSC::DFG::FixupPhase::indexOfNode): Deleted.
        (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted.
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted.
        (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted.
        * tests/stress/materialize-past-butterfly-allocation.js: Added.
        (bar):
        (foo0):
        (foo1):
        (foo2):
        (foo3):
        (foo4):
        * tests/stress/materialize-past-put-structure.js: Added.
        (foo):

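The re-execution argument in the entry above, as an added example that is not JavaScriptCore code and not part of the ChangeLog: a toy model in which an object has a structure (property name to slot offset) and separate property storage, a "GC scan" walks every slot the structure claims exists, and an exit after any prefix of a lowering is modelled as scan-then-reexecute-the-generic-PutById. The names Structure, Slot, Object, Step and the helper functions are this example's own; S1/S2 and @o/@v follow the entry's notation.

```cpp
#include <functional>
#include <map>
#include <string>
#include <vector>

// Toy model (not JSC's real DFG/runtime types) of the ChangeLog's argument
// about which lowering of a transitioning PutById is safe to reexecute.
struct Structure {
    std::map<std::string, size_t> offsets; // property name -> slot offset
};

struct Slot {
    bool written; // false stands in for never-initialized memory
    double value;
};

struct Object {
    const Structure* structure;
    std::vector<Slot> storage; // the out-of-line property storage
};

using Step = std::function<void(Object&)>;

// The three DFG nodes from the ChangeLog, as steps of a lowering.
Step putStructure(const Structure* s) { return [s](Object& o) { o.structure = s; }; }
Step putByOffset(size_t offset, double v) {
    return [offset, v](Object& o) { o.storage[offset] = Slot{true, v}; };
}
Step allocatePropertyStorage(size_t slots) {
    return [slots](Object& o) { o.storage.resize(slots, Slot{false, 0}); };
}

// A GC scan (or any generic load) walks every property the structure says
// exists. Touching a slot that was never stored to is the crash the entry
// describes, so report it as unsafe instead of reading it.
bool scanIsSafe(const Object& o) {
    for (const auto& kv : o.structure->offsets) {
        size_t offset = kv.second;
        if (offset >= o.storage.size() || !o.storage[offset].written)
            return false;
    }
    return true;
}

// The generic PutById the bytecode specifies: inspect the *current* structure,
// transition to s2 (growing storage if needed) when the property is new, store.
void genericPutById(Object& o, const Structure* s2, const std::string& name, double v) {
    auto it = o.structure->offsets.find(name);
    if (it != o.structure->offsets.end()) {
        o.storage[it->second] = Slot{true, v};
        return;
    }
    size_t offset = s2->offsets.at(name);
    if (o.storage.size() <= offset)
        o.storage.resize(offset + 1, Slot{false, 0});
    o.storage[offset] = Slot{true, v};
    o.structure = s2;
}

// Run the first `executed` steps, then model an exit at that point: the GC may
// scan the object, and the interpreter reexecutes the whole bytecode.
bool exitAfterIsSafe(const std::vector<Step>& lowering, size_t executed, Object o,
                     const Structure* s2, const std::string& name, double v) {
    for (size_t i = 0; i < executed; ++i)
        lowering[i](o);
    if (!scanIsSafe(o))
        return false;
    genericPutById(o, s2, name, v);
    const Slot& result = o.storage[s2->offsets.at(name)];
    return scanIsSafe(o) && o.structure == s2 && result.written && result.value == v;
}

// A lowering is reexecutable only if exiting after every prefix of it is safe.
bool loweringIsReexecutable(const std::vector<Step>& lowering, const Object& start,
                            const Structure* s2, const std::string& name, double v) {
    for (size_t n = 0; n <= lowering.size(); ++n)
        if (!exitAfterIsSafe(lowering, n, start, s2, name, v))
            return false;
    return true;
}

// Scenario: @o starts at S1 ("x" at offset 0) and the bytecode is `o.y = 42`,
// a transition S1 -> S2 that places "y" at offset 1.
static const Structure S1{{{"x", 0}}};
static const Structure S2{{{"x", 0}, {"y", 1}}};

// PutStructure before PutByOffset: an exit between them reveals "y" before it
// has a value, so this lowering is not reexecutable.
bool putStructureFirstIsReexecutable() {
    Object o{&S1, {Slot{true, 1.0}, Slot{false, 0}}}; // room for one more slot
    return loweringIsReexecutable({putStructure(&S2), putByOffset(1, 42)}, o, &S2, "y", 42);
}

// PutByOffset before PutStructure, the order the patch enforces.
bool putStructureLastIsReexecutable() {
    Object o{&S1, {Slot{true, 1.0}, Slot{false, 0}}};
    return loweringIsReexecutable({putByOffset(1, 42), putStructure(&S2)}, o, &S2, "y", 42);
}

// With reallocation: AllocatePropertyStorage, PutByOffset, PutStructure.
bool allocateThenPutIsReexecutable() {
    Object o{&S1, {Slot{true, 1.0}}}; // no spare slot, storage must grow
    return loweringIsReexecutable(
        {allocatePropertyStorage(2), putByOffset(1, 42), putStructure(&S2)}, o, &S2, "y", 42);
}
```

The model only checks the two things the entry reasons about: whether a scan at the exit point would touch an unwritten slot, and whether re-running the generic operation from the current structure still produces the specified end state. It deliberately ignores the real engine's OSR value recovery and GC barriers.
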
2015-03-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
        https://bugs.webkit.org/show_bug.cgi?id=142410

        Reviewed by Geoffrey Garen.

        Before this patch, the added function JSValue::toPropertyKey returned PropertyName.
        Since PropertyName doesn't have AtomicStringImpl ownership,
        if an Identifier is implicitly converted to a PropertyName and the Identifier is destructed,
        the PropertyName may refer to a freed AtomicStringImpl*.

        This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
        to keep AtomicStringImpl* ownership after the toPropertyName call is done.
        Callers receive the result value as Identifier type to keep ownership on the caller side.

        To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.

        However, now we don't need to have both Identifier and PropertyName.
        So we'll merge PropertyName into Identifier in a subsequent patch.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncPropertyIsEnumerable):

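The ownership bug in the entry above, as an added example that is not WebKit code: a toy owning handle (Identifier) and non-owning handle (PropertyName) over a reference-counted string, with a fake string table that records a free instead of releasing memory, so the dangling reference left by returning the non-owning type can be observed without undefined behaviour. The class and function names here (internString, toPropertyKeyBeforePatch, toPropertyKeyAfterPatch) are this example's own and only mirror the roles the entry describes.

```cpp
#include <deque>
#include <string>

// Toy stand-in for WTF's atomic string impl: a refcount plus a sticky
// "freed" flag instead of a real deallocation, so reads stay well defined.
struct AtomicStringImpl {
    std::string chars;
    int refCount;
    bool freed; // set when the last owner lets go; a real heap would free here
};

// Fake atomic string table; std::deque keeps element addresses stable.
static std::deque<AtomicStringImpl> g_table;

AtomicStringImpl* internString(const std::string& s) {
    for (AtomicStringImpl& impl : g_table)
        if (!impl.freed && impl.chars == s)
            return &impl;
    g_table.push_back(AtomicStringImpl{s, 0, false});
    return &g_table.back();
}

// Owning handle: holds one reference on the impl for its whole lifetime.
class Identifier {
public:
    explicit Identifier(AtomicStringImpl* impl) : m_impl(impl) { ref(); }
    Identifier(const Identifier& other) : m_impl(other.m_impl) { ref(); }
    Identifier& operator=(const Identifier& other) {
        if (this != &other) { deref(); m_impl = other.m_impl; ref(); }
        return *this;
    }
    ~Identifier() { deref(); }
    static Identifier fromString(const std::string& s) { return Identifier(internString(s)); }
    AtomicStringImpl* impl() const { return m_impl; }
private:
    void ref() { ++m_impl->refCount; }
    void deref() { if (--m_impl->refCount == 0) m_impl->freed = true; }
    AtomicStringImpl* m_impl;
};

// Non-owning handle: a bare pointer, no reference taken. Implicitly
// constructible from Identifier, which is what let the bug happen silently.
class PropertyName {
public:
    PropertyName(const Identifier& ident) : m_impl(ident.impl()) {}
    AtomicStringImpl* impl() const { return m_impl; }
private:
    AtomicStringImpl* m_impl;
};

// Before the patch: the only owner is a temporary inside the callee, and just
// the non-owning view escapes. The impl is released as the function returns.
PropertyName toPropertyKeyBeforePatch(const std::string& s) {
    Identifier ident = Identifier::fromString(s);
    return ident; // implicit Identifier -> PropertyName; ident dies right after
}

// After the patch: the owning Identifier itself is returned, so the caller
// holds the reference for as long as it keeps the result.
Identifier toPropertyKeyAfterPatch(const std::string& s) {
    return Identifier::fromString(s);
}

// Caller of the old API: the key points at an already-released impl (the
// use-after-free in the real engine; here an observable flag).
bool oldApiKeyIsDangling() {
    PropertyName key = toPropertyKeyBeforePatch("oldKey");
    return key.impl()->freed;
}

// Caller of the new API: holding the Identifier keeps the string alive, and a
// PropertyName derived from it is valid while that Identifier is in scope.
bool newApiKeyStaysAlive() {
    Identifier key = toPropertyKeyAfterPatch("newKey");
    PropertyName name = key;
    return !name.impl()->freed && name.impl()->refCount == 1;
}
```

The general check this illustrates: a function must not return a non-owning view type whose only owner is a local of that same function; returning the owning type (or taking the reference inside the view) is the fix.
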
2015-03-18  Geoffrey Garen  <ggaren@apple.com>

        Function.prototype.toString should not decompile the AST
        https://bugs.webkit.org/show_bug.cgi?id=142853

        Reviewed by Sam Weinig.

        To recover the function parameter string, Function.prototype.toString
        decompiles the function parameters from the AST. This is bad for a few
        reasons:

        (1) It requires us to keep pieces of the AST live forever. This is an
        awkward design and a waste of memory.

        (2) It doesn't match Firefox or Chrome (because it changes whitespace
        and ES6 destructuring expressions).

        (3) It doesn't scale to ES6 default argument parameters, which require
        arbitrarily complex decompilation.

        (4) It can counterfeit all the line numbers in a function (because
        whitespace can include newlines).

        (5) It's expensive, and we've seen cases where websites invoke
        Function.prototype.toString a lot by accident.

        The fix is to do what we do for the rest of the function: Just quote the
        original source text.

        Since this change inevitably changes some function stringification, I
        took the opportunity to make our stringification match Firefox's and
        Chrome's.

        * API/tests/testapi.c:
        (assertEqualsAsUTF8String): Be more informative when this fails.

        (main): Updated to match new stringification rules.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay!

3329         (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay!
3330