[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        is* API methods should be @properties
        https://bugs.webkit.org/show_bug.cgi?id=143388

        Reviewed by Mark Lam.

        This appears to be the preferred idiom in WebKit, CA, AppKit, and
        Foundation.

        * API/JSValue.h: Be @properties.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Use the @properties.

2015-04-03  Mark Lam  <mark.lam@apple.com>

        Some JSC Options refactoring and enhancements.
        <https://webkit.org/b/143384>

        Rubber stamped by Benjamin Poulain.

        Create a better-encapsulated Option class to make working with options easier.  This
        is a building block towards a JIT policy scaling debugging option I will introduce later.

        This work entails:
        1. Convert Options::Option into a public class Option (which works closely with Options).
        2. Convert Options::EntryType into an enum class Options::Type and make it public.
        3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
        4. Add misc methods to class Option to make it more usable.

        * runtime/Options.cpp:
        (JSC::Options::dumpOption):
        (JSC::Option::dump):
        (JSC::Option::operator==):
        (JSC::Options::Option::dump): Deleted.
        (JSC::Options::Option::operator==): Deleted.
        * runtime/Options.h:
        (JSC::Option::Option):
        (JSC::Option::operator!=):
        (JSC::Option::name):
        (JSC::Option::description):
        (JSC::Option::type):
        (JSC::Option::isOverridden):
        (JSC::Option::defaultOption):
        (JSC::Option::boolVal):
        (JSC::Option::unsignedVal):
        (JSC::Option::doubleVal):
        (JSC::Option::int32Val):
        (JSC::Option::optionRangeVal):
        (JSC::Option::optionStringVal):
        (JSC::Option::gcLogLevelVal):
        (JSC::Options::Option::Option): Deleted.
        (JSC::Options::Option::operator!=): Deleted.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
        is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
        is equal to 101100.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
        Added a comment explaining why.

2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>

        FTL JIT tests should fail if LLVM library isn't available
        https://bugs.webkit.org/show_bug.cgi?id=143374

        Reviewed by Mark Lam.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * runtime/Options.h:

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Fix the EFL and GTK build after r182243
        https://bugs.webkit.org/show_bug.cgi?id=143361

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt: InspectorBackendCommands.js is generated in the
        DerivedSources/JavaScriptCore/inspector/ directory.

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed, fixing Clang builds of the GTK port on Linux.

        * runtime/Options.cpp:
        Include the <math.h> header for isnan().

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Enhance ability to dump JSC Options.
        <https://webkit.org/b/143357>

        Reviewed by Benjamin Poulain.

        Some enhancements to how the JSC options work:

        1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
           2 = All, 3 = Verbose.

           The default is 0 (None).  This dumps nothing.
           With the Overridden setting, at VM initialization time, we will dump all
           option values that have been changed from their default.
           With the All setting, at VM initialization time, we will dump all option values.
           With the Verbose setting, at VM initialization time, we will dump all option
           values along with their descriptions (if available).

        2. We now store a copy of the default option values.

           We later use this for comparison to tell if an option has been overridden, and
           print the default value for reference.  As a result, we no longer need the
           didOverride flag since we can compute whether the option is overridden at any time.

        3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).

           This will come in handy later when we want to rename some of the options to more sane
           names that are easier to remember.  For example, we can change
           Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
           Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
           of the description, we can afford to use shorter and less descriptive option names,
           but they will be easier to remember and use for day to day debugging work.

           In this patch, I did not change the names of any of the options yet.  I only added
           description strings for options that I know about, and where I think the option name
           isn't already descriptive enough.

        4. Also deleted some unused code.

        * jsc.cpp:
        (CommandLine::parseArguments):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        (JSC::Options::setOption):
        (JSC::Options::dumpAllOptions):
        (JSC::Options::dumpOption):
        (JSC::Options::Option::dump):
        (JSC::Options::Option::operator==):
        * runtime/Options.h:
        (JSC::OptionRange::rangeString):
        (JSC::Options::Option::Option):
        (JSC::Options::Option::operator!=):

2015-04-02  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.

        * API/JSValue.h:
        * API/JSValue.mm:
        (-[JSValue isArray]):
        (-[JSValue isDate]): Added an ObjC API.

        * API/JSValueRef.cpp:
        (JSValueIsArray):
        (JSValueIsDate):
        * API/JSValueRef.h: Added a C API.

        * API/WebKitAvailability.h: Brought our availability macros up to date
        and fixed a harmless bug where "10_10" translated to "10.0".

        * API/tests/testapi.c:
        (main): Added a test and corrected a pre-existing leak.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Added a test.

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Add Options::dumpSourceAtDFGTime().
        <https://webkit.org/b/143349>

        Reviewed by Oliver Hunt, and Michael Saboff.

        Sometimes, we will want to see the JS source code that we're compiling, and it
        would be nice to be able to do this without having to jump through a lot of hoops.
        So, let's add an Options::dumpSourceAtDFGTime() option just like we have an
        Options::dumpBytecodeAtDFGTime() option.

        Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
        that explicitly take no arguments (instead of relying on the version that takes
        the default argument).  These versions are friendlier to use when we want to call
        them from an interactive debugging session.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpSource):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * runtime/Options.h:

2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up EnumerationMode to easily extend
        https://bugs.webkit.org/show_bug.cgi?id=143276

        Reviewed by Geoffrey Garen.

        To make the following easy,
        1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
        2. Making ExcludeSymbols implicitly default for the existing flags
        we encapsulate the EnumerationMode flags into the EnumerationMode class.

        And this class manages 2 flags. Later it will be extended to 3.
        1. DontEnumPropertiesMode (default is Exclude)
        2. JSObjectPropertiesMode (default is Include)
        3. SymbolPropertiesMode (default is Exclude)
            SymbolPropertiesMode will be added in the Object.getOwnPropertySymbols patch.

        This patch replaces places using ExcludeDontEnumProperties
        with the EnumerationMode() value, which represents the default mode.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/EnumerationMode.h:
        (JSC::EnumerationMode::EnumerationMode):
        (JSC::EnumerationMode::includeDontEnumProperties):
        (JSC::EnumerationMode::includeJSObjectProperties):
        (JSC::shouldIncludeDontEnumProperties): Deleted.
        (JSC::shouldExcludeDontEnumProperties): Deleted.
        (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
        (JSC::modeThatSkipsJSObject): Deleted.
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::getGenericPropertyNames):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnNonIndexPropertyNames):
        (JSC::RegExpObject::getPropertyNames):
        (JSC::RegExpObject::getGenericPropertyNames):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertyNames):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):

2015-04-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Windows and Mac.
        https://bugs.webkit.org/show_bug.cgi?id=143293

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Enabled using assembly on Windows.
        Replaced unix commands with CMake commands.
        * PlatformMac.cmake:
        Tell open source builders where to find unicode headers.

2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        IteratorClose should be called when jumping over the target for-of loop
        https://bugs.webkit.org/show_bug.cgi?id=143140

        Reviewed by Geoffrey Garen.

        This patch fixes labeled break/continue behaviors with for-of and iterators.

        1. Support IteratorClose beyond multiple loop contexts
        Previously, IteratorClose was only executed in for-of's breakTarget().
        However, this misses IteratorClose execution when a statement rolls up multiple control-flow contexts.
        For example,
        outer: for (var e1 of outer) {
            inner: for (var e2 of inner) {
                break outer;
            }
        }
        In this case, the return method of inner should be called.
        We leverage the existing system for `finally` to execute the inner.return method correctly.
        Leveraging the `finally` system fixes the `break`, `continue` and `return` cases.
        The `throw` case is already supported by emitting try-catch handlers in for-of.

        2. Incorrect LabelScope creation is done in ForOfNode
        ForOfNode creates a duplicated LabelScope.
        It causes an infinite loop when executing the following program that contains
        an explicitly labeled for-of loop.
        For example,
        inner: for (var elm of array) {
            continue inner;
        }

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyContext):
        (JSC::BytecodeGenerator::pushIteratorCloseContext):
        (JSC::BytecodeGenerator::popFinallyContext):
        (JSC::BytecodeGenerator::popIteratorCloseContext):
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorClose):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForOfNode::emitBytecode):
        * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
        (createIterator.iterator.return):
        (createIterator):
        * tests/stress/raise-error-in-iterator-close.js: Added.
        (createIterator.iterator.return):
        (createIterator):

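The IteratorClose behaviour the entry above describes, as an added example that is not part of the ChangeLog or of the JSC stress tests it lists. It uses a constructed logging iterable (the `createIterator` name is borrowed from the test description, the body is this example's own) so the moment each iterator's `return()` runs is visible for every abrupt-completion kind the entry mentions: labeled `break`, labeled `continue`, `return` and `throw`. An engine with the bug would miss the `inner.return` entry in the first case and never finish the third.

```javascript
// Constructed for this example: an iterable whose iterator logs calls to return().
function createIterator(name, values, log) {
  return {
    [Symbol.iterator]() {
      let index = 0;
      return {
        next() {
          if (index < values.length)
            return { value: values[index++], done: false };
          return { value: undefined, done: true };
        },
        // IteratorClose invokes this when a loop leaves the iterator early.
        return() {
          log.push(name + '.return');
          return { value: undefined, done: true };
        },
      };
    },
  };
}

// Case 1: `break outer` from the inner loop closes BOTH iterators, inner first.
function labeledBreakAcrossLoops() {
  const log = [];
  outer: for (const e1 of createIterator('outer', [1, 2], log)) {
    for (const e2 of createIterator('inner', [1, 2], log)) {
      log.push('body ' + e1 + ',' + e2);
      break outer;
    }
  }
  return log;
}

// Case 2: `continue outer` from the inner loop closes only the inner iterator;
// the outer iterator runs to exhaustion, so its return() is never called.
function labeledContinueAcrossLoops() {
  const log = [];
  outer: for (const e1 of createIterator('outer', [1, 2], log)) {
    for (const e2 of createIterator('inner', [10], log)) {
      log.push('body ' + e1 + ',' + e2);
      continue outer;
    }
  }
  return log;
}

// Case 3: a labeled for-of that `continue`s its own label must terminate normally
// (the ChangeLog's second bug was an infinite loop here); exhaustion does not call return().
function labeledContinueSameLoop() {
  const log = [];
  inner: for (const elm of createIterator('inner', [1, 2, 3], log)) {
    log.push('visit ' + elm);
    continue inner;
  }
  return log;
}

// Case 4: `return` from inside nested loops closes both iterators.
function returnFromNestedLoops() {
  const log = [];
  (function () {
    for (const e1 of createIterator('outer', [1], log)) {
      for (const e2 of createIterator('inner', [1], log)) {
        return e1 + e2;
      }
    }
    return undefined;
  })();
  return log;
}

// Case 5: a throw in the loop body closes the iterator before the catch block runs.
function throwInsideLoop() {
  const log = [];
  try {
    for (const elm of createIterator('inner', [1], log))
      throw new Error('boom ' + elm);
  } catch (e) {
    log.push('caught');
  }
  return log;
}
```

Each function returns its log so the order of `return()` calls can be checked; the nested case must show `inner.return` before `outer.return`, which is the ordering the `finally`-based mechanism in the entry produces.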
2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Symbol.unscopables
        https://bugs.webkit.org/show_bug.cgi?id=142829

        Reviewed by Geoffrey Garen.

        This patch introduces Symbol.unscopables functionality.
        In ES6, some generic names (like keys, values) are introduced
        as Array's method names. And this breaks the web since some web sites
        use code like the following.

        var values = ...;
        with (array) {
            values;  // This values is trapped by array's method "values".
        }

        To fix this, Symbol.unscopables introduces a blacklist
        for the with scope's trapping. When resolving scope,
        if the name is found in the target scope and the target scope is a with scope,
        we check the Symbol.unscopables object to filter generic names.

        This functionality is only active for with scopes.
        Global scope does not have unscopables functionality.

        And since
        1) op_resolve_scope for with scope always returns the Dynamic resolve type,
        2) in that case, JSScope::resolve is always used in JIT and LLInt,
        3) the code which contains op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
        to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
        So the performance regression is only visible in the Dynamic resolving case, and it is already very slow.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::runtimeFlags):
        * runtime/JSScope.cpp:
        (JSC::isUnscopable):
        (JSC::JSScope::resolve):
        * runtime/JSScope.h:
        (JSC::ScopeChainIterator::scope):
        * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
        (test):
        * tests/stress/unscopables.js: Added.
        (test):
        (.):

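The `with`-scope trapping and the Symbol.unscopables filter from the entry above, as an added example that is not part of the ChangeLog or of JSC. The `isUnscopable` and `withScopeTraps` helpers are this example's own JavaScript restatement of the resolution rule (the engine's `JSC::isUnscopable` is C++); the scope objects are constructed samples. The probe is built with the Function constructor so its `with` body is sloppy-mode code regardless of the mode of the enclosing file.

```javascript
// Resolves the identifier `values` inside `with (scopeObj)` and returns whatever it
// bound to: the object's property when the with scope traps it, else the outer binding.
const probeWith = new Function(
  'scopeObj',
  'var values = "outer-binding"; with (scopeObj) { return values; }'
);

function resolveValuesInWith(scopeObj) {
  return probeWith(scopeObj);
}

// Restatement of the lookup rule: a with scope traps a name only if the object has the
// property AND the object's Symbol.unscopables (when it is an object) does not list the
// name with a truthy value.
function isUnscopable(scopeObj, name) {
  const unscopables = scopeObj[Symbol.unscopables];
  const isObjectLike = (typeof unscopables === 'object' && unscopables !== null)
    || typeof unscopables === 'function';
  return isObjectLike && Boolean(unscopables[name]);
}

function withScopeTraps(scopeObj, name) {
  return (name in scopeObj) && !isUnscopable(scopeObj, name);
}

// Constructed sample scope objects.
const samples = {
  // An own `values` property with no unscopables entry: the name is trapped.
  plainObject: { values: 'trapped-by-plain-object' },
  // Array.prototype.values exists, but Array.prototype[Symbol.unscopables].values is
  // true, so the array does not trap it and the outer binding wins (the web-compat fix).
  array: [1, 2, 3],
  // Any object can opt out of trapping selected names with its own unscopables list.
  optedOut: { values: 'never-seen', [Symbol.unscopables]: { values: true } },
  // No `values` property at all: nothing to trap.
  empty: {},
};

// For each sample, compare what the engine actually resolved with what the rule predicts.
function describeSamples() {
  const out = {};
  for (const [label, obj] of Object.entries(samples)) {
    out[label] = {
      resolved: resolveValuesInWith(obj),
      predictedTrap: withScopeTraps(obj, 'values'),
    };
  }
  return out;
}

// The global scope has no unscopables handling: putting Symbol.unscopables on the global
// object does not hide a global binding. The probe cleans up the globals it creates.
function globalIgnoresUnscopables() {
  const probeName = '__unscopablesProbeGlobal';
  globalThis[probeName] = 'global-value';
  globalThis[Symbol.unscopables] = { [probeName]: true };
  try {
    return new Function('return ' + probeName + ';')();
  } finally {
    delete globalThis[probeName];
    delete globalThis[Symbol.unscopables];
  }
}
```

`describeSamples()` should report `resolved === 'outer-binding'` exactly for the samples whose `predictedTrap` is false; a mismatch between the two columns means the engine's `with` resolution and the stated rule disagree.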
2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 class syntax should allow static setters and getters
        https://bugs.webkit.org/show_bug.cgi?id=143180

        Reviewed by Filip Pizlo.

        Apparently I misread the spec when I initially implemented parseClass.
        ES6 class syntax allows static getters and setters so just allow that.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-03-31  Filip Pizlo  <fpizlo@apple.com>

        PutClosureVar CSE def() rule has a wrong base
        https://bugs.webkit.org/show_bug.cgi?id=143280

        Reviewed by Michael Saboff.

        I think that this code was incorrect in a benign way, since the base of a
        PutClosureVar is not a JS-visible object. But it was preventing some optimizations.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182200.
        https://bugs.webkit.org/show_bug.cgi?id=143279

        Probably causing assertion extravaganza on bots. (Requested by
        kling on #webkit).

        Reverted changeset:

        "Logically empty WeakBlocks should not pin down their
        MarkedBlocks indefinitely."
        https://bugs.webkit.org/show_bug.cgi?id=143210
        http://trac.webkit.org/changeset/182200

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up Identifier factories to clarify the meaning of StringImpl*
        https://bugs.webkit.org/show_bug.cgi?id=143146

        Reviewed by Filip Pizlo.

        In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
        However, it's ambiguous because `StringImpl*` has 2 different meanings:
        1) a normal string, which is replaceable with `WTFString`, and
        2) a `uid`, which holds `isSymbol` information to represent Symbols.
        So we dropped the Identifier constructors for strings and instead introduced 2 factory functions.
        + `Identifier::fromString(VM*/ExecState*, const String&)`.
        Just constructs an Identifier from a string. The symbol-ness of StringImpl* is not kept.
        + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
        This function is used for 2) `uid`. So the symbol-ness of `StringImpl*` is kept.

        And to clean up `StringImpl` which is used as a uid,
        we introduce `StringKind` into `StringImpl`. There are 3 kinds:
        1. StringNormal (non-atomic, non-symbol)
        2. StringAtomic (atomic, non-symbol)
        3. StringSymbol (non-atomic, symbol)
        They are mutually exclusive. And the (atomic, symbol) case should not exist.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        (JSC::BytecodeGenerator::emitEnumeration):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::addFunction):
        (GlobalObject::addConstructableFunction):
        (functionRun):
        (runWithScripts):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::createBindingPattern):
        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
        (JSC::IdentifierArena::makeNumericIdentifier):
        * runtime/ArgumentsIteratorPrototype.cpp:
        (JSC::ArgumentsIteratorPrototype::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncPush):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::hasErrorInfo):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/Identifier.h:
        (JSC::Identifier::isSymbol):
        (JSC::Identifier::Identifier):
        (JSC::Identifier::from): Deleted.
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::Identifier):
        (JSC::Identifier::fromUid):
        (JSC::Identifier::fromString):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        (JSC::makeIdentifier):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncRace):
        (JSC::JSPromiseConstructorFuncAll):
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::makeIdentifier):
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::addKnownUnique):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/SymbolConstructor.cpp:
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):

2015-03-31  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done).

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
        https://bugs.webkit.org/show_bug.cgi?id=142883

        Reviewed by Filip Pizlo.

        The crash was caused by eval inside the constructor of a derived class not checking TDZ.

        Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
        in eval inside a derived class's constructor.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::getSlow):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::thisExpr):
        * parser/NodeConstructors.h:
        (JSC::ThisNode::ThisNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::thisExpr):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        * runtime/Executable.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
        * tests/stress/class-syntax-tdz-in-eval.js: Added.

731 2015-03-31  Commit Queue  <commit-queue@webkit.org>
732
733         Unreviewed, rolling out r182186.
734         https://bugs.webkit.org/show_bug.cgi?id=143270
735
736         it crashes all the WebGL tests on the Debug bots (Requested by
737         dino on #webkit).
738
739         Reverted changeset:
740
741         "Web Inspector: add 2D/WebGL canvas instrumentation
742         infrastructure"
743         https://bugs.webkit.org/show_bug.cgi?id=137278
744         http://trac.webkit.org/changeset/182186
745
746 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
747
748         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
749         https://bugs.webkit.org/show_bug.cgi?id=142937
750
751         Reviewed by Darin Adler.
752
753         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
754         In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
755         But now, several functions perform ToObject onto a non-object parameter.
756         And others behave as if a parameter is a non-extensible ordinary object with no own properties.
757         It is described in ES6 Annex E.
758         Functions that differ from ES5 are the following.
759
760         1. An attempt is made to coerce the argument using ToObject.
761             Object.getOwnPropertyDescriptor
762             Object.getOwnPropertyNames
763             Object.getPrototypeOf
764             Object.keys
765
766         2. Treated as if it was a non-extensible ordinary object with no own properties.
767             Object.freeze
768             Object.isExtensible
769             Object.isFrozen
770             Object.isSealed
771             Object.preventExtensions
772             Object.seal
773
774         * runtime/ObjectConstructor.cpp:
775         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
776         (JSC::objectConstructorGetPrototypeOf):
777         (JSC::objectConstructorGetOwnPropertyDescriptor):
778         (JSC::objectConstructorGetOwnPropertyNames):
779         (JSC::objectConstructorKeys):
780         (JSC::objectConstructorSeal):
781         (JSC::objectConstructorFreeze):
782         (JSC::objectConstructorPreventExtensions):
783         (JSC::objectConstructorIsSealed):
784         (JSC::objectConstructorIsFrozen):
785         (JSC::objectConstructorIsExtensible):
786         * tests/stress/object-freeze-accept-non-object.js: Added.
787         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
788         (canary):
789         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
790         (compare):
791         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
792         * tests/stress/object-is-extensible-accept-non-object.js: Added.
793         * tests/stress/object-is-frozen-accept-non-object.js: Added.
794         * tests/stress/object-is-sealed-accept-non-object.js: Added.
795         * tests/stress/object-keys-perform-to-object.js: Added.
796         (compare):
797         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
798         * tests/stress/object-seal-accept-non-object.js: Added.
799
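The relaxed ES6 behaviour listed in the entry above, as an added example that is not part of the ChangeLog or of JSC's own code: the first group applies ToObject to a primitive (so null and undefined still throw a TypeError there), the second group answers as though the primitive were a non-extensible ordinary object with no own properties and returns the argument unchanged. The probe functions and their names are constructed for this illustration.

```javascript
// Added example (not WebKit code): observable results of the Object.* functions
// whose first-argument restrictions were relaxed in ES6 (Annex E).

// Group 1: the argument is coerced with ToObject, so a string gains index
// properties and a "length" own property, and its prototype is String.prototype.
function probeToObjectGroup(value) {
  return {
    keys: Object.keys(value),
    ownNames: Object.getOwnPropertyNames(value),
    hasLengthDescriptor: Object.getOwnPropertyDescriptor(value, "length") !== undefined,
    proto: Object.getPrototypeOf(value),
  };
}

// Group 2: a non-object is treated as a non-extensible ordinary object with no
// own properties; freeze/seal/preventExtensions return the argument itself.
// null and undefined are accepted here, unlike in group 1.
function probeNonExtensibleGroup(value) {
  return {
    freezeReturnsArg: Object.freeze(value) === value,
    sealReturnsArg: Object.seal(value) === value,
    preventExtensionsReturnsArg: Object.preventExtensions(value) === value,
    isExtensible: Object.isExtensible(value),
    isFrozen: Object.isFrozen(value),
    isSealed: Object.isSealed(value),
  };
}

// ToObject rejects null and undefined, so group 1 still throws for them.
function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Stand-alone run: show both groups on a string, a number and null.
console.log(probeToObjectGroup("ab"));
console.log(probeNonExtensibleGroup(42));
console.log(probeNonExtensibleGroup(null));
console.log("Object.keys(null) throws TypeError:", throwsTypeError(() => Object.keys(null)));
```

Note that `Object.keys("ab")` yields the index keys only, while `Object.getOwnPropertyNames("ab")` also lists the non-enumerable `length`, exactly as for a String wrapper object.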
800 2015-03-31  Matt Baker  <mattbaker@apple.com>
801
802         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
803         https://bugs.webkit.org/show_bug.cgi?id=137278
804
805         Reviewed by Timothy Hatcher.
806
807         Added Canvas protocol which defines types used by InspectorCanvasAgent.
808
809         * CMakeLists.txt:
810         * DerivedSources.make:
811         * inspector/protocol/Canvas.json: Added.
812
813         * inspector/scripts/codegen/generator.py:
814         (Generator.stylized_name_for_enum_value):
815         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
816
817 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
818
819         Extending null should set __proto__ to null
820         https://bugs.webkit.org/show_bug.cgi?id=142882
821
822         Reviewed by Geoffrey Garen and Benjamin Poulain.
823
824         Set Derived.prototype.__proto__ to null when extending null.
825
826         * bytecompiler/NodesCodegen.cpp:
827         (JSC::ClassExprNode::emitBytecode):
828
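The two class-constructor edge cases from the entries above (eval("this.foo") before super() in a derived constructor, and extending null), as an added example that is not part of the ChangeLog or of JSC's own code. The helper names and sample classes are constructed for this illustration.

```javascript
// Added example (not WebKit code): observable semantics of `this` in a derived
// constructor before super(), and of `class D extends null`.

class Base {
  constructor() {
    this.foo = 1;
  }
}

// Returns the constructor name of the error thrown by fn, or "none".
function errorNameOf(fn) {
  try {
    fn();
    return "none";
  } catch (e) {
    return e.constructor.name;
  }
}

// `this` is in the temporal dead zone until super() returns; reading it through a
// direct eval must hit the same TDZ check as a plain `this` access.
function thisInEvalBeforeSuper() {
  class Derived extends Base {
    constructor() {
      eval("this.foo");
      super();
    }
  }
  return errorNameOf(() => new Derived()); // "ReferenceError"
}

// After super() the binding is initialised and eval sees the Base-assigned field.
function thisInEvalAfterSuper() {
  let seen;
  class Derived extends Base {
    constructor() {
      super();
      seen = eval("this.foo");
    }
  }
  new Derived();
  return seen; // 1
}

// `extends null` gives D.prototype a null [[Prototype]] while D itself still
// inherits from Function.prototype; instantiating it fails because null is not
// a constructor for the implicit super() call.
function extendsNullPrototypeChain() {
  class D extends null {}
  return {
    protoOfPrototype: Object.getPrototypeOf(D.prototype),
    protoOfConstructor: Object.getPrototypeOf(D),
    instantiation: errorNameOf(() => new D()),
  };
}

console.log(thisInEvalBeforeSuper(), thisInEvalAfterSuper(), extendsNullPrototypeChain());
```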
829 2015-03-30  Mark Lam  <mark.lam@apple.com>
830
831         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
832         <https://webkit.org/b/143105>
833
834         Reviewed by Filip Pizlo.
835
836         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
837         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
838         JIT frames that may have their scope register not set.  The Debugger's current implementation
839         which relies on the scope register is not happy about this.  For example, this results in a
840         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
841
842         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
843         ensure that the scope register value is flushed to the register in the stack frame.
844
845         * dfg/DFGByteCodeParser.cpp:
846         (JSC::DFG::ByteCodeParser::ByteCodeParser):
847         (JSC::DFG::ByteCodeParser::setLocal):
848         (JSC::DFG::ByteCodeParser::flush):
849         - Add code to flush the scope register.
850         (JSC::DFG::ByteCodeParser::inliningCost):
851         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
852           disabling inlining whenever the debugger is in use.
853         * dfg/DFGGraph.cpp:
854         (JSC::DFG::Graph::Graph):
855         * dfg/DFGGraph.h:
856         (JSC::DFG::Graph::hasDebuggerEnabled):
857         * dfg/DFGStackLayoutPhase.cpp:
858         (JSC::DFG::StackLayoutPhase::run):
859         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
860         * ftl/FTLCompile.cpp:
861         (JSC::FTL::mmAllocateDataSection):
862         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
863
864 2015-03-30  Michael Saboff  <msaboff@apple.com>
865
866         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
867         https://bugs.webkit.org/show_bug.cgi?id=138391
868
869         Reviewed by Mark Lam.
870
871         Re-enabling these tests as I can't get them to fail on local iOS test devices.
872         There have been many changes since these tests were disabled.
873         I'll watch automated test results for failures.  If there are failures running automated
874         testing, it might be due to the device's relative CPU performance.
875         
876         * tests/stress/float32-repeat-out-of-bounds.js:
877         * tests/stress/int8-repeat-out-of-bounds.js:
878
879 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
880
881         Web Inspector: Regression: Preview for [[null]] shouldn't be []
882         https://bugs.webkit.org/show_bug.cgi?id=143208
883
884         Reviewed by Mark Lam.
885
886         * inspector/InjectedScriptSource.js:
887         Handle null when generating simple object previews.
888
889 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
890
891         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
892         https://bugs.webkit.org/show_bug.cgi?id=143134
893
894         Reviewed by Geoffrey Garen.
895
896         * jit/JSInterfaceJIT.h:
897         * jit/Repatch.cpp:
898         (JSC::tryCacheGetByID):
899
900 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
901
902         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
903         https://bugs.webkit.org/show_bug.cgi?id=143104
904
905         Reviewed by Geoffrey Garen.
906         
907         Created a test that is a 100% repro of the flaky failure. This test is called
908         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
909         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
910         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
911         
912         Also created three more tests for three similar, but not identical, failures.
913         
914         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
915         only reading those parts of the stack that are relevant to the current semantic code origin.
916         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
917         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
918         read parts of the stack associated with the inline call frame for the phantom arguments. This
919         may not be subsumed by the current semantic origin's stack area in cases that the arguments
920         were allowed to "locally" escape.
921         
922         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
923         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
924         the stack due to function.arguments, but there are a bunch of other ways that we could also
925         read the stack and those operations may read any stack slot. I believe that this change makes
926         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
927         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
928         readTop() in PreciseLocalClobberize does the right thing.
929
930         * dfg/DFGClobberize.h:
931         (JSC::DFG::clobberize):
932         * dfg/DFGPreciseLocalClobberize.h:
933         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
934         * dfg/DFGPutStackSinkingPhase.cpp:
935         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
936         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
937         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
938         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
939         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
940
941 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
942
943         Start the features.json files
944         https://bugs.webkit.org/show_bug.cgi?id=143207
945
946         Reviewed by Darin Adler.
947
948         Start the features.json files to have something to experiment
949         with for the UI.
950
951         * features.json: Added.
952
953 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
954
955         [Win] Addressing post-review comment after r182122
956         https://bugs.webkit.org/show_bug.cgi?id=143189
957
958         Unreviewed.
959
960 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
961
962         [Win] Allow building JavaScriptCore without Cygwin
963         https://bugs.webkit.org/show_bug.cgi?id=143189
964
965         Reviewed by Brent Fulgham.
966
967         Paths like /usr/bin/ don't exist on Windows.
968         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
969         Prefixing commands with environment variables doesn't work on Windows.
970         Windows doesn't have 'cmp'
971         Windows uses 'del' instead of 'rm'
972         Windows uses 'type NUL' instead of 'touch'
973
974         * DerivedSources.make:
975         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
976         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
977         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
978         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
979         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
980         * JavaScriptCore.vcxproj/build-generated-files.pl:
981         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
982
983 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
984
985         Clean up JavaScriptCore/builtins
986         https://bugs.webkit.org/show_bug.cgi?id=143177
987
988         Reviewed by Ryosuke Niwa.
989
990         * builtins/ArrayConstructor.js:
991         (from):
992         - We can compare to undefined instead of using a typeof undefined check.
993         - Converge on double quoted strings everywhere.
994
995         * builtins/ArrayIterator.prototype.js:
996         (next):
997         * builtins/StringIterator.prototype.js:
998         (next):
999         - Use shorthand object construction to avoid duplication.
1000         - Improve grammar in error messages.
1001
1002         * tests/stress/array-iterators-next-with-call.js:
1003         * tests/stress/string-iterators.js:
1004         - Update for new error message strings.
1005
1006 2015-03-28  Saam Barati  <saambarati1@gmail.com>
1007
1008         Web Inspector: ES6: Better support for Symbol types in Type Profiler
1009         https://bugs.webkit.org/show_bug.cgi?id=141257
1010
1011         Reviewed by Joseph Pecoraro.
1012
1013         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
1014         type profiler support this new primitive type.
1015
1016         * dfg/DFGFixupPhase.cpp:
1017         (JSC::DFG::FixupPhase::fixupNode):
1018         * inspector/protocol/Runtime.json:
1019         * runtime/RuntimeType.cpp:
1020         (JSC::runtimeTypeForValue):
1021         * runtime/RuntimeType.h:
1022         (JSC::runtimeTypeIsPrimitive):
1023         * runtime/TypeSet.cpp:
1024         (JSC::TypeSet::addTypeInformation):
1025         (JSC::TypeSet::dumpTypes):
1026         (JSC::TypeSet::doesTypeConformTo):
1027         (JSC::TypeSet::displayName):
1028         (JSC::TypeSet::inspectorTypeSet):
1029         (JSC::TypeSet::toJSONString):
1030         * runtime/TypeSet.h:
1031         (JSC::TypeSet::seenTypes):
1032         * tests/typeProfiler/driver/driver.js:
1033         * tests/typeProfiler/symbol.js: Added.
1034         (wrapper.foo):
1035         (wrapper.bar):
1036         (wrapper.bar.bar.baz):
1037         (wrapper):
1038
1039 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1040
1041         Deconstruction parameters are bound too late
1042         https://bugs.webkit.org/show_bug.cgi?id=143148
1043
1044         Reviewed by Filip Pizlo.
1045
1046         Currently, a deconstruction pattern named with the same
1047         name as a function will shadow the function. This is
1048         wrong. It should be the other way around.
1049
1050         * bytecompiler/BytecodeGenerator.cpp:
1051         (JSC::BytecodeGenerator::generate):
1052
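The binding order the entry above describes, as an added example that is not part of the ChangeLog or of JSC's own code: a function declaration in the body takes precedence over a destructured parameter of the same name, while a bare `var` redeclaration keeps the parameter's value. The function and parameter names are constructed for this illustration.

```javascript
// Added example (not WebKit code): which binding wins when a destructuring
// parameter and a body-level declaration share a name.

// The body's function declaration shadows the destructured parameter `helper`.
function bindingOrder({ helper }) {
  function helper() {
    return "body declaration";
  }
  return helper;
}

// Same rule with a simple (non-destructured) parameter, for comparison.
function simpleParamOrder(helper) {
  function helper() {
    return "body declaration";
  }
  return helper;
}

// A `var` without an initializer does not override the parameter: the var
// binding is initialised from the parameter of the same name.
function varDoesNotShadow({ x }) {
  var x;
  return x;
}

console.log(bindingOrder({ helper: "parameter value" })());
console.log(simpleParamOrder("parameter value")());
console.log(varDoesNotShadow({ x: 7 }));
```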
1053 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1054
1055         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
1056         https://bugs.webkit.org/show_bug.cgi?id=143170
1057
1058         Reviewed by Benjamin Poulain.
1059
1060         Assert that we never use the 16-bit version of the parser to parse a default constructor
1061         since both base and derived default constructors should be using an 8-bit string.
1062
1063         * parser/Parser.h:
1064         (JSC::parse):
1065
1066 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1067
1068         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
1069         https://bugs.webkit.org/show_bug.cgi?id=142862
1070
1071         Reviewed by Benjamin Poulain.
1072
1073         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
1074
1075         * tests/stress/class-syntax-derived-default-constructor.js: Added.
1076
1077 2015-03-27  Michael Saboff  <msaboff@apple.com>
1078
1079         load8Signed() and load16Signed() should be renamed to avoid confusion
1080         https://bugs.webkit.org/show_bug.cgi?id=143168
1081
1082         Reviewed by Benjamin Poulain.
1083
1084         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
1085
1086         * assembler/MacroAssemblerARM.h:
1087         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
1088         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
1089         (JSC::MacroAssemblerARM::load8Signed): Deleted.
1090         (JSC::MacroAssemblerARM::load16Signed): Deleted.
1091         * assembler/MacroAssemblerARM64.h:
1092         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
1093         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
1094         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
1095         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
1096         * assembler/MacroAssemblerARMv7.h:
1097         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
1098         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
1099         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
1100         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
1101         * assembler/MacroAssemblerMIPS.h:
1102         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1103         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1104         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
1105         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
1106         * assembler/MacroAssemblerSH4.h:
1107         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
1108         (JSC::MacroAssemblerSH4::load8):
1109         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
1110         (JSC::MacroAssemblerSH4::load16):
1111         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
1112         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
1113         * assembler/MacroAssemblerX86Common.h:
1114         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
1115         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
1116         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
1117         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
1118         * dfg/DFGSpeculativeJIT.cpp:
1119         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1120         * jit/JITPropertyAccess.cpp:
1121         (JSC::JIT::emitIntTypedArrayGetByVal):
1122
1123 2015-03-27  Michael Saboff  <msaboff@apple.com>
1124
1125         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
1126         https://bugs.webkit.org/show_bug.cgi?id=138390
1127
1128         Reviewed by Mark Lam.
1129
1130         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
1131         instead of 64 bits.  This is what X86-64 does.
1132
1133         * assembler/MacroAssemblerARM64.h:
1134         (JSC::MacroAssemblerARM64::load16Signed):
1135         (JSC::MacroAssemblerARM64::load8Signed):
1136
1137 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1138
1139         Add back previously broken assert from bug 141869
1140         https://bugs.webkit.org/show_bug.cgi?id=143005
1141
1142         Reviewed by Michael Saboff.
1143
1144         * runtime/ExceptionHelpers.cpp:
1145         (JSC::invalidParameterInSourceAppender):
1146
1147 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1148
1149         Make some more objects use FastMalloc
1150         https://bugs.webkit.org/show_bug.cgi?id=143122
1151
1152         Reviewed by Csaba Osztrogonác.
1153
1154         * API/JSCallbackObject.h:
1155         * heap/IncrementalSweeper.h:
1156         * jit/JITThunks.h:
1157         * runtime/JSGlobalObjectDebuggable.h:
1158         * runtime/RegExpCache.h:
1159
1160 2015-03-27  Michael Saboff  <msaboff@apple.com>
1161
1162         Objects with numeric properties intermittently get a phantom 'length' property
1163         https://bugs.webkit.org/show_bug.cgi?id=142792
1164
1165         Reviewed by Csaba Osztrogonác.
1166
1167         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
1168         test and branch instructions.  This function is used for linking tbz/tbnz branches between
1169         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
1170         the failure case checks in the GetById array length stub created for "obj.length" access.
1171         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
1172         being set when we should have been looking for bit 0.
1173
1174         * assembler/ARM64Assembler.h:
1175         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
1176
1177 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1178
1179         Insert exception check around toPropertyKey call
1180         https://bugs.webkit.org/show_bug.cgi?id=142922
1181
1182         Reviewed by Geoffrey Garen.
1183
1184         In some places, exception check is missing after/before toPropertyKey.
1185         However, since it calls toString, it's observable to users.
1186
1187         Missing exception checks in Object.prototype methods can be
1188         observed since it would be overridden with toObject(null/undefined) errors.
1189         We inserted exception checks after toPropertyKey.
1190
1191         Missing exception checks in GetById related code can be
1192         observed since it would be overridden with toObject(null/undefined) errors.
1193         In this case, we need to insert exception checks before/after toPropertyKey
1194         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
1195
1196         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
1197         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
1198         According to the spec, we first perform RequireObjectCoercible and check the exception.
1199         And second, we perform ToPropertyKey and check the exception.
1200         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
1201         For example, if the target is not object coercible,
1202         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
1203         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
1204
1205         This patch introduces JSValue::requireObjectCoercible and uses it because of the following 2 reasons.
1206
1207         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
1208
1209         toObject converts primitive types into wrapper objects.
1210         But it is not efficient since wrapper objects are not necessary
1211         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
1212
1213         2. Using the result of toObject is not correct to the spec.
1214
1215         To align to the spec correctly, we cannot use JSObject::get
1216         by using the wrapper object produced by the toObject suggested in (1).
1217         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
1218         It is not correct since getter should be called with the original |this| value that may be primitive types.
1219
1220         So in this patch, we use JSValue::requireObjectCoercible
1221         to check the target is object coercible and raise an error if it's not.
1222
1223         * dfg/DFGOperations.cpp:
1224         * jit/JITOperations.cpp:
1225         (JSC::getByVal):
1226         * llint/LLIntSlowPaths.cpp:
1227         (JSC::LLInt::getByVal):
1228         * runtime/CommonSlowPaths.cpp:
1229         (JSC::SLOW_PATH_DECL):
1230         * runtime/JSCJSValue.h:
1231         * runtime/JSCJSValueInlines.h:
1232         (JSC::JSValue::requireObjectCoercible):
1233         * runtime/ObjectPrototype.cpp:
1234         (JSC::objectProtoFuncHasOwnProperty):
1235         (JSC::objectProtoFuncDefineGetter):
1236         (JSC::objectProtoFuncDefineSetter):
1237         (JSC::objectProtoFuncLookupGetter):
1238         (JSC::objectProtoFuncLookupSetter):
1239         (JSC::objectProtoFuncPropertyIsEnumerable):
1240         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
1241         (shouldThrow):
1242         (if):
1243         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
1244         (shouldThrow):
1245         (.):
1246
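The ordering of observable steps the entry above describes, as an added example that is not part of the ChangeLog or of JSC's own code: a property key whose toString() records when it runs shows whether ToPropertyKey was reached before the null/undefined check fired. For `base[key]`, RequireObjectCoercible(base) comes first, so a null base throws a TypeError and the key is never converted; for Object.prototype.hasOwnProperty, the spec performs ToPropertyKey(V) before ToObject(this), so the key's own error is the one that surfaces. The helper names are constructed for this illustration.

```javascript
// Added example (not WebKit code): which exception surfaces when both the base
// value and the property key would throw, for member access and for an
// Object.prototype method.

// A key whose ToPropertyKey step is observable: it logs and throws.
function makeTracingKey(log) {
  return {
    toString() {
      log.push("toString");
      throw new Error("from key");
    },
  };
}

// Run fn and summarise the outcome: "TypeError", the message of another error, or "no-throw".
function classify(fn) {
  try {
    fn();
    return "no-throw";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : e.message;
  }
}

function readProperty(base, key) {
  return base[key];
}

// base[key] with base === null: RequireObjectCoercible fails first, so the key's
// toString must not run.
function memberAccessOnNull() {
  const log = [];
  const result = classify(() => readProperty(null, makeTracingKey(log)));
  return { result, toStringCalled: log.length > 0 };
}

// Object.prototype.hasOwnProperty converts the key before converting `this`,
// so the key's error wins over the null-to-object TypeError.
function hasOwnPropertyOnNull() {
  const log = [];
  const result = classify(() => Object.prototype.hasOwnProperty.call(null, makeTracingKey(log)));
  return { result, toStringCalled: log.length > 0 };
}

// With an object-coercible base, ToPropertyKey runs and its error propagates.
function memberAccessOnPrimitive() {
  const log = [];
  const result = classify(() => readProperty("abc", makeTracingKey(log)));
  return { result, toStringCalled: log.length > 0 };
}

console.log(memberAccessOnNull(), hasOwnPropertyOnNull(), memberAccessOnPrimitive());
```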
1247 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1248
1249         WebContent Crash when instantiating class with Type Profiling enabled
1250         https://bugs.webkit.org/show_bug.cgi?id=143037
1251
1252         Reviewed by Ryosuke Niwa.
1253
1254         * bytecompiler/BytecodeGenerator.h:
1255         * bytecompiler/BytecodeGenerator.cpp:
1256         (JSC::BytecodeGenerator::BytecodeGenerator):
1257         (JSC::BytecodeGenerator::emitMoveEmptyValue):
1258         We cannot profile the type of an uninitialized empty JSValue.
1259         Nor do we expect this to be necessary, since it is effectively
1260         an unseen undefined value. So add a way to put the empty value
1261         without profiling.
1262
1263         (JSC::BytecodeGenerator::emitMove):
1264         Add an assert to try to catch this issue early on, and force
1265         callers to explicitly use emitMoveEmptyValue instead.
1266
1267         * tests/typeProfiler/classes.js: Added.
1268         (wrapper.Base):
1269         (wrapper.Derived):
1270         (wrapper):
1271         Add test coverage both for this case and classes in general.
1272
1273 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1274
1275         Web Inspector: ES6: Provide a better view for Classes in the console
1276         https://bugs.webkit.org/show_bug.cgi?id=142999
1277
1278         Reviewed by Timothy Hatcher.
1279
1280         * inspector/protocol/Runtime.json:
1281         Provide a new `subtype` enum "class". This is a subtype of `type`
1282         "function", all other subtypes are subtypes of `object` types.
1283         For a class, the frontend will immediately want to get the prototype
1284         to enumerate its methods, so include the `classPrototype`.
1285
1286         * inspector/JSInjectedScriptHost.cpp:
1287         (Inspector::JSInjectedScriptHost::subtype):
1288         Denote class construction functions as "class" subtypes.
1289
1290         * inspector/InjectedScriptSource.js:
1291         Handling for the new "class" type.
1292
1293         * bytecode/UnlinkedCodeBlock.h:
1294         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
1295         * runtime/Executable.h:
1296         (JSC::FunctionExecutable::isClassConstructorFunction):
1297         * runtime/JSFunction.h:
1298         * runtime/JSFunctionInlines.h:
1299         (JSC::JSFunction::isClassConstructorFunction):
1300         Check if this function is a class constructor function. That information
1301         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
1302
1303 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1304
1305         Function.prototype.toString should not decompile the AST
1306         https://bugs.webkit.org/show_bug.cgi?id=142853
1307
1308         Reviewed by Darin Adler.
1309
1310         Following up on Darin's review comments.
1311
1312         * runtime/FunctionConstructor.cpp:
1313         (JSC::constructFunctionSkippingEvalEnabledCheck):
1314
1315 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1316
1317         "lineNo" does not match WebKit coding style guidelines
1318         https://bugs.webkit.org/show_bug.cgi?id=143119
1319
1320         Reviewed by Michael Saboff.
1321
1322         We can afford to use whole words.
1323
1324         * bytecode/CodeBlock.cpp:
1325         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1326         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
1327         * bytecode/UnlinkedCodeBlock.cpp:
1328         (JSC::UnlinkedFunctionExecutable::link):
1329         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1330         * bytecode/UnlinkedCodeBlock.h:
1331         * bytecompiler/NodesCodegen.cpp:
1332         (JSC::WhileNode::emitBytecode):
1333         * debugger/Debugger.cpp:
1334         (JSC::Debugger::toggleBreakpoint):
1335         * interpreter/Interpreter.cpp:
1336         (JSC::StackFrame::computeLineAndColumn):
1337         (JSC::GetStackTraceFunctor::operator()):
1338         (JSC::Interpreter::execute):
1339         * interpreter/StackVisitor.cpp:
1340         (JSC::StackVisitor::Frame::computeLineAndColumn):
1341         * parser/Nodes.h:
1342         (JSC::Node::firstLine):
1343         (JSC::Node::lineNo): Deleted.
1344         (JSC::StatementNode::firstLine): Deleted.
1345         * parser/ParserError.h:
1346         (JSC::ParserError::toErrorObject):
1347         * profiler/LegacyProfiler.cpp:
1348         (JSC::createCallIdentifierFromFunctionImp):
1349         * runtime/CodeCache.cpp:
1350         (JSC::CodeCache::getGlobalCodeBlock):
1351         * runtime/Executable.cpp:
1352         (JSC::ScriptExecutable::ScriptExecutable):
1353         (JSC::ScriptExecutable::newCodeBlockFor):
1354         (JSC::FunctionExecutable::fromGlobalCode):
1355         * runtime/Executable.h:
1356         (JSC::ScriptExecutable::firstLine):
1357         (JSC::ScriptExecutable::setOverrideLineNumber):
1358         (JSC::ScriptExecutable::hasOverrideLineNumber):
1359         (JSC::ScriptExecutable::overrideLineNumber):
1360         (JSC::ScriptExecutable::lineNo): Deleted.
1361         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
1362         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
1363         (JSC::ScriptExecutable::overrideLineNo): Deleted.
1364         * runtime/FunctionConstructor.cpp:
1365         (JSC::constructFunctionSkippingEvalEnabledCheck):
1366         * runtime/FunctionConstructor.h:
1367         * tools/CodeProfile.cpp:
1368         (JSC::CodeProfile::report):
1369         * tools/CodeProfile.h:
1370         (JSC::CodeProfile::CodeProfile):
1371
1372 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1373
1374         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
1375         https://bugs.webkit.org/show_bug.cgi?id=142974
1376
1377         Reviewed by Joseph Pecoraro.
1378
1379         This patch does two things:
1380
1381         (1) Restore JavaScriptCore's sanitization of line and column numbers to
1382         one-based values.
1383
1384         We need this because WebCore sometimes provides huge negative column
1385         numbers.
1386
1387         (2) Solve the attribute event listener line numbering problem a different
1388         way: Rather than offsetting all line numbers by -1 in an attribute event
1389         listener in order to arrange for a custom result, instead use an explicit
1390         feature for saying "all errors in this code should map to this line number".
1391
1392         * bytecode/UnlinkedCodeBlock.cpp:
1393         (JSC::UnlinkedFunctionExecutable::link):
1394         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1395         * bytecode/UnlinkedCodeBlock.h:
1396         * interpreter/Interpreter.cpp:
1397         (JSC::StackFrame::computeLineAndColumn):
1398         (JSC::GetStackTraceFunctor::operator()):
1399         * interpreter/Interpreter.h:
1400         * interpreter/StackVisitor.cpp:
1401         (JSC::StackVisitor::Frame::computeLineAndColumn):
1402         * parser/ParserError.h:
1403         (JSC::ParserError::toErrorObject): Plumb through an override line number.
1404         When a function has an override line number, all syntax and runtime
1405         errors in the function will map to it. This is useful for attribute event
1406         listeners.
1407  
1408         * parser/SourceCode.h:
1409         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
1410         column numbers to one-based integers. It was kind of a hack to remove this.
1411
1412         * runtime/Executable.cpp:
1413         (JSC::ScriptExecutable::ScriptExecutable):
1414         (JSC::FunctionExecutable::fromGlobalCode):
1415         * runtime/Executable.h:
1416         (JSC::ScriptExecutable::setOverrideLineNo):
1417         (JSC::ScriptExecutable::hasOverrideLineNo):
1418         (JSC::ScriptExecutable::overrideLineNo):
1419         * runtime/FunctionConstructor.cpp:
1420         (JSC::constructFunctionSkippingEvalEnabledCheck):
1421         * runtime/FunctionConstructor.h: Plumb through an override line number.
1422
1423 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1424
1425         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
1426
1427         Reviewed by Michael Saboff.
1428
1429         * jit/JITPropertyAccess.cpp:
1430         (JSC::JIT::emitScopedArgumentsGetByVal):
1431         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
1432
1433 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1434
1435         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
1436         https://bugs.webkit.org/show_bug.cgi?id=143098
1437
1438         Reviewed by Csaba Osztrogonác.
1439
1440         * ftl/FTLLowerDFGToLLVM.cpp:
1441         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
1442         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
1443
1444 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
1445
1446         Unreviewed gardening, skip failing tests on AArch64 Linux.
1447
1448         * tests/mozilla/mozilla-tests.yaml:
1449         * tests/stress/cached-prototype-setter.js:
1450
1451 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1452
1453         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
1454
1455         * dfg/DFGConstantFoldingPhase.cpp:
1456         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
1457         * ftl/FTLCompile.cpp:
1458         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
1459         * ftl/FTLState.cpp:
1460         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
1461         * ftl/FTLState.h:
1462
1463 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1464
1465         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
1466         right, so this just makes 32-bit do the same.
1467
1468         * dfg/DFGSpeculativeJIT32_64.cpp:
1469         (JSC::DFG::SpeculativeJIT::emitCall):
1470
1471 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1472
1473         Fix a typo that ggaren found but that I didn't fix before.
1474
1475         * runtime/DirectArgumentsOffset.h:
1476
1477 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1478
1479         Unreviewed, VC found a bug. This fixes the bug.
1480
1481         * dfg/DFGConstantFoldingPhase.cpp:
1482         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1483
1484 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1485
1486         Unreviewed, try to fix Windows build.
1487
1488         * runtime/ClonedArguments.cpp:
1489         (JSC::ClonedArguments::createWithInlineFrame):
1490
1491 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1492
1493         Unreviewed, fix debug build.
1494
1495         * bytecompiler/NodesCodegen.cpp:
1496         (JSC::ConstDeclNode::emitCodeSingle):
1497
1498 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1499
1500         Unreviewed, fix CLOOP build.
1501
1502         * dfg/DFGMinifiedID.h:
1503
1504 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1505
1506         Heap variables shouldn't end up in the stack frame
1507         https://bugs.webkit.org/show_bug.cgi?id=141174
1508
1509         Reviewed by Geoffrey Garen.
1510         
1511         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
1512         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
1513         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
1514         simplifications:
1515         
1516         - Accesses to variables no longer need checks or indirections to determine where the variable is
1517           at that moment in time. For example, loading a closure variable now takes just one load instead
1518           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
1519           (when no arguments object allocation is required) while previously that same operation required
1520           a "did I allocate arguments yet" check, a bounds check, and then the load.
1521         
1522         - Reasoning about the allocation of an activation or arguments object now follows the same simple
1523           logic as the allocation of any other kind of object. Previously, those objects were lazily
1524           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
1525           allocate anything at all. This made the implementation of traditional escape analyses really
1526           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
1527           arguments object using the usual SSA tricks which allows for more comprehensive removal.
1528         
1529         - The allocations of arguments objects, functions, and activations are now much faster. While
1530           this patch generally expands our ability to eliminate arguments object allocations, an earlier
1531           version of the patch - which lacked that functionality - was a progression on some arguments-
1532           and closure-happy benchmarks because although no allocations were eliminated, all allocations
1533           were faster.
1534         
1535         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
1536           its arguments objects or activations. The runtime doesn't have to do things to the arguments
1537           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
1538           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
1539           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
1540           now gone. This also enables implementing block-scoping. Without this change, block-scope
1541           support would require telling CodeBlock and all of the rest of the runtime about all of the
1542           variables that store currently-live scopes. That would have been so disastrously hard that it
1543           might as well be impossible. With this change, it's fair game for the bytecode generator to
1544           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
1545           however long it wants. This all works, because after bytecode generation, an activation is just
1546           an object and variables that refer to it are just normal variables.
1547         
1548         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
1549           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
1550           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
1551           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
1552           an arguments object.
1553         
1554         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
1555           using activations used to prevent inlining; now functions that use activations can be inlined
1556           just fine.
1557         
1558         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
1559         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
1560         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
1561         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
1562         
1563         The easiest way of understanding this change is to start by looking at the changes in runtime/,
1564         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
1565
1566         * CMakeLists.txt:
1567         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1568         * JavaScriptCore.xcodeproj/project.pbxproj:
1569         * assembler/AbortReason.h:
1570         * assembler/AbstractMacroAssembler.h:
1571         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
1572         * bytecode/ByValInfo.h:
1573         (JSC::hasOptimizableIndexingForJSType):
1574         (JSC::hasOptimizableIndexing):
1575         (JSC::jitArrayModeForJSType):
1576         (JSC::jitArrayModePermitsPut):
1577         (JSC::jitArrayModeForStructure):
1578         * bytecode/BytecodeKills.h: Added.
1579         (JSC::BytecodeKills::BytecodeKills):
1580         (JSC::BytecodeKills::operandIsKilled):
1581         (JSC::BytecodeKills::forEachOperandKilledAt):
1582         (JSC::BytecodeKills::KillSet::KillSet):
1583         (JSC::BytecodeKills::KillSet::add):
1584         (JSC::BytecodeKills::KillSet::forEachLocal):
1585         (JSC::BytecodeKills::KillSet::contains):
1586         * bytecode/BytecodeList.json:
1587         * bytecode/BytecodeLivenessAnalysis.cpp:
1588         (JSC::isValidRegisterForLiveness):
1589         (JSC::stepOverInstruction):
1590         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
1591         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1592         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
1593         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1594         (JSC::BytecodeLivenessAnalysis::computeKills):
1595         (JSC::indexForOperand): Deleted.
1596         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
1597         (JSC::getLivenessInfo): Deleted.
1598         * bytecode/BytecodeLivenessAnalysis.h:
1599         * bytecode/BytecodeLivenessAnalysisInlines.h:
1600         (JSC::operandIsAlwaysLive):
1601         (JSC::operandThatIsNotAlwaysLiveIsLive):
1602         (JSC::operandIsLive):
1603         * bytecode/BytecodeUseDef.h:
1604         (JSC::computeUsesForBytecodeOffset):
1605         (JSC::computeDefsForBytecodeOffset):
1606         * bytecode/CodeBlock.cpp:
1607         (JSC::CodeBlock::dumpBytecode):
1608         (JSC::CodeBlock::CodeBlock):
1609         (JSC::CodeBlock::nameForRegister):
1610         (JSC::CodeBlock::validate):
1611         (JSC::CodeBlock::isCaptured): Deleted.
1612         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
1613         (JSC::CodeBlock::machineSlowArguments): Deleted.
1614         * bytecode/CodeBlock.h:
1615         (JSC::unmodifiedArgumentsRegister): Deleted.
1616         (JSC::CodeBlock::setArgumentsRegister): Deleted.
1617         (JSC::CodeBlock::argumentsRegister): Deleted.
1618         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
1619         (JSC::CodeBlock::usesArguments): Deleted.
1620         (JSC::CodeBlock::captureCount): Deleted.
1621         (JSC::CodeBlock::captureStart): Deleted.
1622         (JSC::CodeBlock::captureEnd): Deleted.
1623         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
1624         (JSC::CodeBlock::hasSlowArguments): Deleted.
1625         (JSC::ExecState::argumentAfterCapture): Deleted.
1626         * bytecode/CodeOrigin.h:
1627         * bytecode/DataFormat.h:
1628         (JSC::dataFormatToString):
1629         * bytecode/FullBytecodeLiveness.h:
1630         (JSC::FullBytecodeLiveness::getLiveness):
1631         (JSC::FullBytecodeLiveness::operandIsLive):
1632         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
1633         (JSC::FullBytecodeLiveness::getOut): Deleted.
1634         * bytecode/Instruction.h:
1635         (JSC::Instruction::Instruction):
1636         * bytecode/Operands.h:
1637         (JSC::Operands::virtualRegisterForIndex):
1638         * bytecode/SpeculatedType.cpp:
1639         (JSC::dumpSpeculation):
1640         (JSC::speculationToAbbreviatedString):
1641         (JSC::speculationFromClassInfo):
1642         * bytecode/SpeculatedType.h:
1643         (JSC::isDirectArgumentsSpeculation):
1644         (JSC::isScopedArgumentsSpeculation):
1645         (JSC::isActionableMutableArraySpeculation):
1646         (JSC::isActionableArraySpeculation):
1647         (JSC::isArgumentsSpeculation): Deleted.
1648         * bytecode/UnlinkedCodeBlock.cpp:
1649         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1650         * bytecode/UnlinkedCodeBlock.h:
1651         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
1652         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
1653         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
1654         * bytecode/ValueRecovery.cpp:
1655         (JSC::ValueRecovery::dumpInContext):
1656         * bytecode/ValueRecovery.h:
1657         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
1658         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
1659         (JSC::ValueRecovery::nodeID):
1660         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
1661         * bytecode/VirtualRegister.h:
1662         (JSC::VirtualRegister::operator==):
1663         (JSC::VirtualRegister::operator!=):
1664         (JSC::VirtualRegister::operator<):
1665         (JSC::VirtualRegister::operator>):
1666         (JSC::VirtualRegister::operator<=):
1667         (JSC::VirtualRegister::operator>=):
1668         * bytecompiler/BytecodeGenerator.cpp:
1669         (JSC::BytecodeGenerator::generate):
1670         (JSC::BytecodeGenerator::BytecodeGenerator):
1671         (JSC::BytecodeGenerator::initializeNextParameter):
1672         (JSC::BytecodeGenerator::visibleNameForParameter):
1673         (JSC::BytecodeGenerator::emitMove):
1674         (JSC::BytecodeGenerator::variable):
1675         (JSC::BytecodeGenerator::createVariable):
1676         (JSC::BytecodeGenerator::emitResolveScope):
1677         (JSC::BytecodeGenerator::emitGetFromScope):
1678         (JSC::BytecodeGenerator::emitPutToScope):
1679         (JSC::BytecodeGenerator::initializeVariable):
1680         (JSC::BytecodeGenerator::emitInstanceOf):
1681         (JSC::BytecodeGenerator::emitNewFunction):
1682         (JSC::BytecodeGenerator::emitNewFunctionInternal):
1683         (JSC::BytecodeGenerator::emitCall):
1684         (JSC::BytecodeGenerator::emitReturn):
1685         (JSC::BytecodeGenerator::emitConstruct):
1686         (JSC::BytecodeGenerator::isArgumentNumber):
1687         (JSC::BytecodeGenerator::emitEnumeration):
1688         (JSC::BytecodeGenerator::addVar): Deleted.
1689         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
1690         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
1691         (JSC::BytecodeGenerator::resolveCallee): Deleted.
1692         (JSC::BytecodeGenerator::addCallee): Deleted.
1693         (JSC::BytecodeGenerator::addParameter): Deleted.
1694         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
1695         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
1696         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
1697         (JSC::BytecodeGenerator::isCaptured): Deleted.
1698         (JSC::BytecodeGenerator::local): Deleted.
1699         (JSC::BytecodeGenerator::constLocal): Deleted.
1700         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
1701         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
1702         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
1703         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
1704         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
1705         * bytecompiler/BytecodeGenerator.h:
1706         (JSC::Variable::Variable):
1707         (JSC::Variable::isResolved):
1708         (JSC::Variable::ident):
1709         (JSC::Variable::offset):
1710         (JSC::Variable::isLocal):
1711         (JSC::Variable::local):
1712         (JSC::Variable::isSpecial):
1713         (JSC::BytecodeGenerator::argumentsRegister):
1714         (JSC::BytecodeGenerator::emitNode):
1715         (JSC::BytecodeGenerator::registerFor):
1716         (JSC::Local::Local): Deleted.
1717         (JSC::Local::operator bool): Deleted.
1718         (JSC::Local::get): Deleted.
1719         (JSC::Local::isSpecial): Deleted.
1720         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
1721         (JSC::ResolveScopeInfo::isLocal): Deleted.
1722         (JSC::ResolveScopeInfo::localIndex): Deleted.
1723         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
1724         (JSC::BytecodeGenerator::captureMode): Deleted.
1725         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
1726         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
1727         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
1728         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
1729         * bytecompiler/NodesCodegen.cpp:
1730         (JSC::ResolveNode::isPure):
1731         (JSC::ResolveNode::emitBytecode):
1732         (JSC::BracketAccessorNode::emitBytecode):
1733         (JSC::DotAccessorNode::emitBytecode):
1734         (JSC::EvalFunctionCallNode::emitBytecode):
1735         (JSC::FunctionCallResolveNode::emitBytecode):
1736         (JSC::CallFunctionCallDotNode::emitBytecode):
1737         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1738         (JSC::PostfixNode::emitResolve):
1739         (JSC::DeleteResolveNode::emitBytecode):
1740         (JSC::TypeOfResolveNode::emitBytecode):
1741         (JSC::PrefixNode::emitResolve):
1742         (JSC::ReadModifyResolveNode::emitBytecode):
1743         (JSC::AssignResolveNode::emitBytecode):
1744         (JSC::ConstDeclNode::emitCodeSingle):
1745         (JSC::EmptyVarExpression::emitBytecode):
1746         (JSC::ForInNode::tryGetBoundLocal):
1747         (JSC::ForInNode::emitLoopHeader):
1748         (JSC::ForOfNode::emitBytecode):
1749         (JSC::ArrayPatternNode::emitDirectBinding):
1750         (JSC::BindingNode::bindValue):
1751         (JSC::getArgumentByVal): Deleted.
1752         * dfg/DFGAbstractHeap.h:
1753         * dfg/DFGAbstractInterpreter.h:
1754         * dfg/DFGAbstractInterpreterInlines.h:
1755         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1756         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
1757         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
1758         * dfg/DFGAbstractValue.h:
1759         * dfg/DFGArgumentPosition.h:
1760         (JSC::DFG::ArgumentPosition::addVariable):
1761         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
1762         (JSC::DFG::performArgumentsElimination):
1763         * dfg/DFGArgumentsEliminationPhase.h: Added.
1764         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
1765         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
1766         * dfg/DFGArgumentsUtilities.cpp: Added.
1767         (JSC::DFG::argumentsInvolveStackSlot):
1768         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1769         * dfg/DFGArgumentsUtilities.h: Added.
1770         * dfg/DFGArrayMode.cpp:
1771         (JSC::DFG::ArrayMode::refine):
1772         (JSC::DFG::ArrayMode::alreadyChecked):
1773         (JSC::DFG::arrayTypeToString):
1774         * dfg/DFGArrayMode.h:
1775         (JSC::DFG::ArrayMode::canCSEStorage):
1776         (JSC::DFG::ArrayMode::modeForPut):
1777         * dfg/DFGAvailabilityMap.cpp:
1778         (JSC::DFG::AvailabilityMap::prune):
1779         * dfg/DFGAvailabilityMap.h:
1780         (JSC::DFG::AvailabilityMap::closeOverNodes):
1781         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
1782         * dfg/DFGBackwardsPropagationPhase.cpp:
1783         (JSC::DFG::BackwardsPropagationPhase::propagate):
1784         * dfg/DFGByteCodeParser.cpp:
1785         (JSC::DFG::ByteCodeParser::newVariableAccessData):
1786         (JSC::DFG::ByteCodeParser::getLocal):
1787         (JSC::DFG::ByteCodeParser::setLocal):
1788         (JSC::DFG::ByteCodeParser::getArgument):
1789         (JSC::DFG::ByteCodeParser::setArgument):
1790         (JSC::DFG::ByteCodeParser::flushDirect):
1791         (JSC::DFG::ByteCodeParser::flush):
1792         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
1793         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1794         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1795         (JSC::DFG::ByteCodeParser::handleInlining):
1796         (JSC::DFG::ByteCodeParser::parseBlock):
1797         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1798         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1799         * dfg/DFGCPSRethreadingPhase.cpp:
1800         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1801         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1802         * dfg/DFGCSEPhase.cpp:
1803         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
1804         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
1805         * dfg/DFGCapabilities.cpp:
1806         (JSC::DFG::isSupportedForInlining):
1807         (JSC::DFG::capabilityLevel):
1808         * dfg/DFGClobberize.h:
1809         (JSC::DFG::clobberize):
1810         * dfg/DFGCommon.h:
1811         * dfg/DFGCommonData.h:
1812         (JSC::DFG::CommonData::CommonData):
1813         * dfg/DFGConstantFoldingPhase.cpp:
1814         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1815         * dfg/DFGDCEPhase.cpp:
1816         (JSC::DFG::DCEPhase::cleanVariables):
1817         * dfg/DFGDisassembler.h:
1818         * dfg/DFGDoesGC.cpp:
1819         (JSC::DFG::doesGC):
1820         * dfg/DFGFixupPhase.cpp:
1821         (JSC::DFG::FixupPhase::fixupNode):
1822         * dfg/DFGFlushFormat.cpp:
1823         (WTF::printInternal):
1824         * dfg/DFGFlushFormat.h:
1825         (JSC::DFG::resultFor):
1826         (JSC::DFG::useKindFor):
1827         (JSC::DFG::dataFormatFor):
1828         * dfg/DFGForAllKills.h: Added.
1829         (JSC::DFG::forAllLiveNodesAtTail):
1830         (JSC::DFG::forAllDirectlyKilledOperands):
1831         (JSC::DFG::forAllKilledOperands):
1832         (JSC::DFG::forAllKilledNodesAtNodeIndex):
1833         (JSC::DFG::forAllKillsInBlock):
1834         * dfg/DFGGraph.cpp:
1835         (JSC::DFG::Graph::Graph):
1836         (JSC::DFG::Graph::dump):
1837         (JSC::DFG::Graph::substituteGetLocal):
1838         (JSC::DFG::Graph::livenessFor):
1839         (JSC::DFG::Graph::killsFor):
1840         (JSC::DFG::Graph::tryGetConstantClosureVar):
1841         (JSC::DFG::Graph::tryGetRegisters): Deleted.
1842         * dfg/DFGGraph.h:
1843         (JSC::DFG::Graph::symbolTableFor):
1844         (JSC::DFG::Graph::uses):
1845         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
1846         (JSC::DFG::Graph::capturedVarsFor): Deleted.
1847         (JSC::DFG::Graph::usesArguments): Deleted.
1848         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
1849         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
1850         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
1851         * dfg/DFGHeapLocation.cpp:
1852         (WTF::printInternal):
1853         * dfg/DFGHeapLocation.h:
1854         * dfg/DFGInPlaceAbstractState.cpp:
1855         (JSC::DFG::InPlaceAbstractState::initialize):
1856         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1857         * dfg/DFGJITCompiler.cpp:
1858         (JSC::DFG::JITCompiler::link):
1859         * dfg/DFGMayExit.cpp:
1860         (JSC::DFG::mayExit):
1861         * dfg/DFGMinifiedID.h:
1862         * dfg/DFGMinifiedNode.cpp:
1863         (JSC::DFG::MinifiedNode::fromNode):
1864         * dfg/DFGMinifiedNode.h:
1865         (JSC::DFG::belongsInMinifiedGraph):
1866         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
1867         (JSC::DFG::MinifiedNode::inlineCallFrame):
1868         * dfg/DFGNode.cpp:
1869         (JSC::DFG::Node::convertToIdentityOn):
1870         * dfg/DFGNode.h:
1871         (JSC::DFG::Node::hasConstant):
1872         (JSC::DFG::Node::constant):
1873         (JSC::DFG::Node::hasScopeOffset):
1874         (JSC::DFG::Node::scopeOffset):
1875         (JSC::DFG::Node::hasDirectArgumentsOffset):
1876         (JSC::DFG::Node::capturedArgumentsOffset):
1877         (JSC::DFG::Node::variablePointer):
1878         (JSC::DFG::Node::hasCallVarargsData):
1879         (JSC::DFG::Node::hasLoadVarargsData):
1880         (JSC::DFG::Node::hasHeapPrediction):
1881         (JSC::DFG::Node::hasCellOperand):
1882         (JSC::DFG::Node::objectMaterializationData):
1883         (JSC::DFG::Node::isPhantomAllocation):
1884         (JSC::DFG::Node::willHaveCodeGenOrOSR):
1885         (JSC::DFG::Node::shouldSpeculateDirectArguments):
1886         (JSC::DFG::Node::shouldSpeculateScopedArguments):
1887         (JSC::DFG::Node::isPhantomArguments): Deleted.
1888         (JSC::DFG::Node::hasVarNumber): Deleted.
1889         (JSC::DFG::Node::varNumber): Deleted.
1890         (JSC::DFG::Node::registerPointer): Deleted.
1891         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
1892         * dfg/DFGNodeType.h:
1893         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1894         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1895         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1896         * dfg/DFGOSRExitCompiler.cpp:
1897         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
1898         * dfg/DFGOSRExitCompiler.h:
1899         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
1900         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
1901         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
1902         * dfg/DFGOSRExitCompiler32_64.cpp:
1903         (JSC::DFG::OSRExitCompiler::compileExit):
1904         * dfg/DFGOSRExitCompiler64.cpp:
1905         (JSC::DFG::OSRExitCompiler::compileExit):
1906         * dfg/DFGOSRExitCompilerCommon.cpp:
1907         (JSC::DFG::reifyInlinedCallFrames):
1908         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
1909         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
1910         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
1911         * dfg/DFGOSRExitCompilerCommon.h:
1912         * dfg/DFGOperations.cpp:
1913         * dfg/DFGOperations.h:
1914         * dfg/DFGPlan.cpp:
1915         (JSC::DFG::Plan::compileInThreadImpl):
1916         * dfg/DFGPreciseLocalClobberize.h:
1917         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
1918         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
1919         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
1920         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1921         (JSC::DFG::preciseLocalClobberize):
1922         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
1923         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
1924         * dfg/DFGPredictionPropagationPhase.cpp:
1925         (JSC::DFG::PredictionPropagationPhase::run):
1926         (JSC::DFG::PredictionPropagationPhase::propagate):
1927         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1928         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
1929         * dfg/DFGPromoteHeapAccess.h:
1930         (JSC::DFG::promoteHeapAccess):
1931         * dfg/DFGPromotedHeapLocation.cpp:
1932         (WTF::printInternal):
1933         * dfg/DFGPromotedHeapLocation.h:
1934         * dfg/DFGSSAConversionPhase.cpp:
1935         (JSC::DFG::SSAConversionPhase::run):
1936         * dfg/DFGSafeToExecute.h:
1937         (JSC::DFG::safeToExecute):
1938         * dfg/DFGSpeculativeJIT.cpp:
1939         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1940         (JSC::DFG::SpeculativeJIT::emitGetLength):
1941         (JSC::DFG::SpeculativeJIT::emitGetCallee):
1942         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
1943         (JSC::DFG::SpeculativeJIT::checkArray):
1944         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1945         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1946         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1947         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1948         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
1949         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1950         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1951         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
1952         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
1953         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1954         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1955         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
1956         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
1957         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
1958         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
1959         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
1960         * dfg/DFGSpeculativeJIT.h:
1961         (JSC::DFG::SpeculativeJIT::callOperation):
1962         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1963         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1964         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
1965         * dfg/DFGSpeculativeJIT32_64.cpp:
1966         (JSC::DFG::SpeculativeJIT::emitCall):
1967         (JSC::DFG::SpeculativeJIT::compile):
1968         * dfg/DFGSpeculativeJIT64.cpp:
1969         (JSC::DFG::SpeculativeJIT::emitCall):
1970         (JSC::DFG::SpeculativeJIT::compile):
1971         * dfg/DFGStackLayoutPhase.cpp:
1972         (JSC::DFG::StackLayoutPhase::run):
1973         * dfg/DFGStrengthReductionPhase.cpp:
1974         (JSC::DFG::StrengthReductionPhase::handleNode):
1975         * dfg/DFGStructureRegistrationPhase.cpp:
1976         (JSC::DFG::StructureRegistrationPhase::run):
1977         * dfg/DFGUnificationPhase.cpp:
1978         (JSC::DFG::UnificationPhase::run):
1979         * dfg/DFGValidate.cpp:
1980         (JSC::DFG::Validate::validateCPS):
1981         * dfg/DFGValueSource.cpp:
1982         (JSC::DFG::ValueSource::dump):
1983         * dfg/DFGValueSource.h:
1984         (JSC::DFG::dataFormatToValueSourceKind):
1985         (JSC::DFG::valueSourceKindToDataFormat):
1986         (JSC::DFG::ValueSource::ValueSource):
1987         (JSC::DFG::ValueSource::forFlushFormat):
1988         (JSC::DFG::ValueSource::valueRecovery):
1989         * dfg/DFGVarargsForwardingPhase.cpp: Added.
1990         (JSC::DFG::performVarargsForwarding):
1991         * dfg/DFGVarargsForwardingPhase.h: Added.
1992         * dfg/DFGVariableAccessData.cpp:
1993         (JSC::DFG::VariableAccessData::VariableAccessData):
1994         (JSC::DFG::VariableAccessData::flushFormat):
1995         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1996         * dfg/DFGVariableAccessData.h:
1997         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
1998         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
1999         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
2000         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
2001         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
2002         * dfg/DFGVariableAccessDataDump.cpp:
2003         (JSC::DFG::VariableAccessDataDump::dump):
2004         * dfg/DFGVariableAccessDataDump.h:
2005         * dfg/DFGVariableEventStream.cpp:
2006         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2007         * dfg/DFGVariableEventStream.h:
2008         * ftl/FTLAbstractHeap.cpp:
2009         (JSC::FTL::AbstractHeap::dump):
2010         (JSC::FTL::AbstractField::dump):
2011         (JSC::FTL::IndexedAbstractHeap::dump):
2012         (JSC::FTL::NumberedAbstractHeap::dump):
2013         (JSC::FTL::AbsoluteAbstractHeap::dump):
2014         * ftl/FTLAbstractHeap.h:
2015         * ftl/FTLAbstractHeapRepository.cpp:
2016         * ftl/FTLAbstractHeapRepository.h:
2017         * ftl/FTLCapabilities.cpp:
2018         (JSC::FTL::canCompile):
2019         * ftl/FTLCompile.cpp:
2020         (JSC::FTL::mmAllocateDataSection):
2021         * ftl/FTLExitArgument.cpp:
2022         (JSC::FTL::ExitArgument::dump):
2023         * ftl/FTLExitPropertyValue.cpp:
2024         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
2025         * ftl/FTLExitPropertyValue.h:
2026         * ftl/FTLExitTimeObjectMaterialization.cpp:
2027         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
2028         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
2029         * ftl/FTLExitTimeObjectMaterialization.h:
2030         (JSC::FTL::ExitTimeObjectMaterialization::origin):
2031         * ftl/FTLExitValue.cpp:
2032         (JSC::FTL::ExitValue::withLocalsOffset):
2033         (JSC::FTL::ExitValue::valueFormat):
2034         (JSC::FTL::ExitValue::dumpInContext):
2035         * ftl/FTLExitValue.h:
2036         (JSC::FTL::ExitValue::isArgument):
2037         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
2038         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
2039         (JSC::FTL::ExitValue::valueFormat): Deleted.
2040         * ftl/FTLInlineCacheSize.cpp:
2041         (JSC::FTL::sizeOfCallForwardVarargs):
2042         (JSC::FTL::sizeOfConstructForwardVarargs):
2043         (JSC::FTL::sizeOfICFor):
2044         * ftl/FTLInlineCacheSize.h:
2045         * ftl/FTLIntrinsicRepository.h:
2046         * ftl/FTLJSCallVarargs.cpp:
2047         (JSC::FTL::JSCallVarargs::JSCallVarargs):
2048         (JSC::FTL::JSCallVarargs::emit):
2049         * ftl/FTLJSCallVarargs.h:
2050         * ftl/FTLLowerDFGToLLVM.cpp:
2051         (JSC::FTL::LowerDFGToLLVM::lower):
2052         (JSC::FTL::LowerDFGToLLVM::compileNode):
2053         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
2054         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
2055         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2056         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2057         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2058         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2059         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2060         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
2061         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
2062         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
2063         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
2064         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
2065         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
2066         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
2067         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
2068         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
2069         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
2070         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
2071         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
2072         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
2073         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
2074         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
2075         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
2076         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
2077         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
2078         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
2079         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
2080         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
2081         (JSC::FTL::LowerDFGToLLVM::baseIndex):
2082         (JSC::FTL::LowerDFGToLLVM::allocateObject):
2083         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
2084         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2085         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2086         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2087         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
2088         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2089         (JSC::FTL::LowerDFGToLLVM::loadStructure):
2090         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
2091         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
2092         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
2093         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
2094         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
2095         * ftl/FTLOSRExitCompiler.cpp:
2096         (JSC::FTL::compileRecovery):
2097         (JSC::FTL::compileStub):
2098         * ftl/FTLOperations.cpp:
2099         (JSC::FTL::operationMaterializeObjectInOSR):
2100         * ftl/FTLOutput.h:
2101         (JSC::FTL::Output::aShr):
2102         (JSC::FTL::Output::lShr):
2103         (JSC::FTL::Output::zeroExtPtr):
2104         * heap/CopyToken.h:
2105         * interpreter/CallFrame.h:
2106         (JSC::ExecState::getArgumentUnsafe):
2107         * interpreter/Interpreter.cpp:
2108         (JSC::sizeOfVarargs):
2109         (JSC::sizeFrameForVarargs):
2110         (JSC::loadVarargs):
2111         (JSC::unwindCallFrame):
2112         * interpreter/Interpreter.h:
2113         * interpreter/StackVisitor.cpp:
2114         (JSC::StackVisitor::Frame::createArguments):
2115         (JSC::StackVisitor::Frame::existingArguments): Deleted.
2116         * interpreter/StackVisitor.h:
2117         * jit/AssemblyHelpers.h:
2118         (JSC::AssemblyHelpers::storeValue):
2119         (JSC::AssemblyHelpers::loadValue):
2120         (JSC::AssemblyHelpers::storeTrustedValue):
2121         (JSC::AssemblyHelpers::branchIfNotCell):
2122         (JSC::AssemblyHelpers::branchIsEmpty):
2123         (JSC::AssemblyHelpers::argumentsStart):
2124         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
2125         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
2126         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
2127         * jit/CCallHelpers.h:
2128         (JSC::CCallHelpers::setupArgument):
2129         * jit/GPRInfo.h:
2130         (JSC::JSValueRegs::withTwoAvailableRegs):
2131         * jit/JIT.cpp:
2132         (JSC::JIT::privateCompileMainPass):
2133         (JSC::JIT::privateCompileSlowCases):
2134         * jit/JIT.h:
2135         * jit/JITCall.cpp:
2136         (JSC::JIT::compileSetupVarargsFrame):
2137         * jit/JITCall32_64.cpp:
2138         (JSC::JIT::compileSetupVarargsFrame):
2139         * jit/JITInlines.h:
2140         (JSC::JIT::callOperation):
2141         * jit/JITOpcodes.cpp:
2142         (JSC::JIT::emit_op_create_lexical_environment):
2143         (JSC::JIT::emit_op_new_func):
2144         (JSC::JIT::emit_op_create_direct_arguments):
2145         (JSC::JIT::emit_op_create_scoped_arguments):
2146         (JSC::JIT::emit_op_create_out_of_band_arguments):
2147         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
2148         (JSC::JIT::emit_op_create_arguments): Deleted.
2149         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
2150         (JSC::JIT::emit_op_get_arguments_length): Deleted.
2151         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
2152         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
2153         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
2154         * jit/JITOpcodes32_64.cpp:
2155         (JSC::JIT::emit_op_create_lexical_environment):
2156         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
2157         (JSC::JIT::emit_op_create_arguments): Deleted.
2158         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
2159         (JSC::JIT::emit_op_get_arguments_length): Deleted.
2160         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
2161         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
2162         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
2163         * jit/JITOperations.cpp:
2164         * jit/JITOperations.h:
2165         * jit/JITPropertyAccess.cpp:
2166         (JSC::JIT::emitGetClosureVar):
2167         (JSC::JIT::emitPutClosureVar):
2168         (JSC::JIT::emit_op_get_from_arguments):
2169         (JSC::JIT::emit_op_put_to_arguments):
2170         (JSC::JIT::emit_op_init_global_const):
2171         (JSC::JIT::privateCompileGetByVal):
2172         (JSC::JIT::emitDirectArgumentsGetByVal):
2173         (JSC::JIT::emitScopedArgumentsGetByVal):
2174         * jit/JITPropertyAccess32_64.cpp:
2175         (JSC::JIT::emitGetClosureVar):
2176         (JSC::JIT::emitPutClosureVar):
2177         (JSC::JIT::emit_op_get_from_arguments):
2178         (JSC::JIT::emit_op_put_to_arguments):
2179         (JSC::JIT::emit_op_init_global_const):
2180         * jit/SetupVarargsFrame.cpp:
2181         (JSC::emitSetupVarargsFrameFastCase):
2182         * llint/LLIntOffsetsExtractor.cpp:
2183         * llint/LLIntSlowPaths.cpp:
2184         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2185         * llint/LowLevelInterpreter.asm:
2186         * llint/LowLevelInterpreter32_64.asm:
2187         * llint/LowLevelInterpreter64.asm:
2188         * parser/Nodes.h:
2189         (JSC::ScopeNode::captures):
2190         * runtime/Arguments.cpp: Removed.
2191         * runtime/Arguments.h: Removed.
2192         * runtime/ArgumentsMode.h: Added.
2193         * runtime/DirectArgumentsOffset.cpp: Added.
2194         (JSC::DirectArgumentsOffset::dump):
2195         * runtime/DirectArgumentsOffset.h: Added.
2196         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
2197         * runtime/CommonSlowPaths.cpp:
2198         (JSC::SLOW_PATH_DECL):
2199         * runtime/CommonSlowPaths.h:
2200         * runtime/ConstantMode.cpp: Added.
2201         (WTF::printInternal):
2202         * runtime/ConstantMode.h:
2203         (JSC::modeForIsConstant):
2204         * runtime/DirectArguments.cpp: Added.
2205         (JSC::DirectArguments::DirectArguments):
2206         (JSC::DirectArguments::createUninitialized):
2207         (JSC::DirectArguments::create):
2208         (JSC::DirectArguments::createByCopying):
2209         (JSC::DirectArguments::visitChildren):
2210         (JSC::DirectArguments::copyBackingStore):
2211         (JSC::DirectArguments::createStructure):
2212         (JSC::DirectArguments::overrideThings):
2213         (JSC::DirectArguments::overrideThingsIfNecessary):
2214         (JSC::DirectArguments::overrideArgument):
2215         (JSC::DirectArguments::copyToArguments):
2216         (JSC::DirectArguments::overridesSize):
2217         * runtime/DirectArguments.h: Added.
2218         (JSC::DirectArguments::internalLength):
2219         (JSC::DirectArguments::length):
2220         (JSC::DirectArguments::canAccessIndexQuickly):
2221         (JSC::DirectArguments::getIndexQuickly):
2222         (JSC::DirectArguments::setIndexQuickly):
2223         (JSC::DirectArguments::callee):
2224         (JSC::DirectArguments::argument):
2225         (JSC::DirectArguments::overrodeThings):
2226         (JSC::DirectArguments::offsetOfCallee):
2227         (JSC::DirectArguments::offsetOfLength):
2228         (JSC::DirectArguments::offsetOfMinCapacity):
2229         (JSC::DirectArguments::offsetOfOverrides):
2230         (JSC::DirectArguments::storageOffset):
2231         (JSC::DirectArguments::offsetOfSlot):
2232         (JSC::DirectArguments::allocationSize):
2233         (JSC::DirectArguments::storage):
2234         * runtime/FunctionPrototype.cpp:
2235         * runtime/GenericArguments.h: Added.
2236         (JSC::GenericArguments::GenericArguments):
2237         * runtime/GenericArgumentsInlines.h: Added.
2238         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2239         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2240         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2241         (JSC::GenericArguments<Type>::put):
2242         (JSC::GenericArguments<Type>::putByIndex):
2243         (JSC::GenericArguments<Type>::deleteProperty):
2244         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2245         (JSC::GenericArguments<Type>::defineOwnProperty):
2246         (JSC::GenericArguments<Type>::copyToArguments):
2247         * runtime/GenericOffset.h: Added.
2248         (JSC::GenericOffset::GenericOffset):
2249         (JSC::GenericOffset::operator!):
2250         (JSC::GenericOffset::offsetUnchecked):
2251         (JSC::GenericOffset::offset):
2252         (JSC::GenericOffset::operator==):
2253         (JSC::GenericOffset::operator!=):
2254         (JSC::GenericOffset::operator<):
2255         (JSC::GenericOffset::operator>):
2256         (JSC::GenericOffset::operator<=):
2257         (JSC::GenericOffset::operator>=):
2258         (JSC::GenericOffset::operator+):
2259         (JSC::GenericOffset::operator-):
2260         (JSC::GenericOffset::operator+=):
2261         (JSC::GenericOffset::operator-=):
2262         * runtime/JSArgumentsIterator.cpp:
2263         (JSC::JSArgumentsIterator::finishCreation):
2264         (JSC::argumentsFuncIterator):
2265         * runtime/JSArgumentsIterator.h:
2266         (JSC::JSArgumentsIterator::create):
2267         (JSC::JSArgumentsIterator::next):
2268         * runtime/JSEnvironmentRecord.cpp:
2269         (JSC::JSEnvironmentRecord::visitChildren):
2270         * runtime/JSEnvironmentRecord.h:
2271         (JSC::JSEnvironmentRecord::variables):
2272         (JSC::JSEnvironmentRecord::isValid):
2273         (JSC::JSEnvironmentRecord::variableAt):
2274         (JSC::JSEnvironmentRecord::offsetOfVariables):
2275         (JSC::JSEnvironmentRecord::offsetOfVariable):
2276         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
2277         (JSC::JSEnvironmentRecord::allocationSize):
2278         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
2279         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
2280         (JSC::JSEnvironmentRecord::finishCreation):
2281         (JSC::JSEnvironmentRecord::registers): Deleted.
2282         (JSC::JSEnvironmentRecord::registerAt): Deleted.
2283         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
2284         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
2285         * runtime/JSFunction.cpp:
2286         * runtime/JSGlobalObject.cpp:
2287         (JSC::JSGlobalObject::init):
2288         (JSC::JSGlobalObject::addGlobalVar):
2289         (JSC::JSGlobalObject::addFunction):
2290         (JSC::JSGlobalObject::visitChildren):
2291         (JSC::JSGlobalObject::addStaticGlobals):
2292         * runtime/JSGlobalObject.h:
2293         (JSC::JSGlobalObject::directArgumentsStructure):
2294         (JSC::JSGlobalObject::scopedArgumentsStructure):
2295         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
2296         (JSC::JSGlobalObject::argumentsStructure): Deleted.
2297         * runtime/JSLexicalEnvironment.cpp:
2298         (JSC::JSLexicalEnvironment::symbolTableGet):
2299         (JSC::JSLexicalEnvironment::symbolTablePut):
2300         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2301         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2302         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
2303         * runtime/JSLexicalEnvironment.h:
2304         (JSC::JSLexicalEnvironment::create):
2305         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2306         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
2307         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
2308         (JSC::JSLexicalEnvironment::storage): Deleted.
2309         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
2310         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
2311         (JSC::JSLexicalEnvironment::isValid): Deleted.
2312         (JSC::JSLexicalEnvironment::registerAt): Deleted.
2313         * runtime/JSNameScope.cpp:
2314         (JSC::JSNameScope::visitChildren): Deleted.
2315         * runtime/JSNameScope.h:
2316         (JSC::JSNameScope::create):
2317         (JSC::JSNameScope::value):
2318         (JSC::JSNameScope::finishCreation):
2319         (JSC::JSNameScope::JSNameScope):
2320         * runtime/JSScope.cpp:
2321         (JSC::abstractAccess):
2322         * runtime/JSSegmentedVariableObject.cpp:
2323         (JSC::JSSegmentedVariableObject::findVariableIndex):
2324         (JSC::JSSegmentedVariableObject::addVariables):
2325         (JSC::JSSegmentedVariableObject::visitChildren):
2326         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
2327         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
2328         * runtime/JSSegmentedVariableObject.h:
2329         (JSC::JSSegmentedVariableObject::variableAt):
2330         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
2331         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
2332         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
2333         * runtime/JSSymbolTableObject.h:
2334         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
2335         (JSC::symbolTableGet):
2336         (JSC::symbolTablePut):
2337         (JSC::symbolTablePutWithAttributes):
2338         * runtime/JSType.h:
2339         * runtime/Options.h:
2340         * runtime/ClonedArguments.cpp: Added.
2341         (JSC::ClonedArguments::ClonedArguments):
2342         (JSC::ClonedArguments::createEmpty):
2343         (JSC::ClonedArguments::createWithInlineFrame):
2344         (JSC::ClonedArguments::createWithMachineFrame):
2345         (JSC::ClonedArguments::createByCopyingFrom):
2346         (JSC::ClonedArguments::createStructure):
2347         (JSC::ClonedArguments::getOwnPropertySlot):
2348         (JSC::ClonedArguments::getOwnPropertyNames):
2349         (JSC::ClonedArguments::put):
2350         (JSC::ClonedArguments::deleteProperty):
2351         (JSC::ClonedArguments::defineOwnProperty):
2352         (JSC::ClonedArguments::materializeSpecials):
2353         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
2354         * runtime/ClonedArguments.h: Added.
2355         (JSC::ClonedArguments::specialsMaterialized):
2356         * runtime/ScopeOffset.cpp: Added.
2357         (JSC::ScopeOffset::dump):
2358         * runtime/ScopeOffset.h: Added.
2359         (JSC::ScopeOffset::ScopeOffset):
2360         * runtime/ScopedArguments.cpp: Added.
2361         (JSC::ScopedArguments::ScopedArguments):
2362         (JSC::ScopedArguments::finishCreation):
2363         (JSC::ScopedArguments::createUninitialized):
2364         (JSC::ScopedArguments::create):
2365         (JSC::ScopedArguments::createByCopying):
2366         (JSC::ScopedArguments::createByCopyingFrom):
2367         (JSC::ScopedArguments::visitChildren):
2368         (JSC::ScopedArguments::createStructure):
2369         (JSC::ScopedArguments::overrideThings):
2370         (JSC::ScopedArguments::overrideThingsIfNecessary):
2371         (JSC::ScopedArguments::overrideArgument):
2372         (JSC::ScopedArguments::copyToArguments):
2373         * runtime/ScopedArguments.h: Added.
2374         (JSC::ScopedArguments::internalLength):
2375         (JSC::ScopedArguments::length):
2376         (JSC::ScopedArguments::canAccessIndexQuickly):
2377         (JSC::ScopedArguments::getIndexQuickly):
2378         (JSC::ScopedArguments::setIndexQuickly):
2379         (JSC::ScopedArguments::callee):
2380         (JSC::ScopedArguments::overrodeThings):
2381         (JSC::ScopedArguments::offsetOfOverrodeThings):
2382         (JSC::ScopedArguments::offsetOfTotalLength):
2383         (JSC::ScopedArguments::offsetOfTable):
2384         (JSC::ScopedArguments::offsetOfScope):
2385         (JSC::ScopedArguments::overflowStorageOffset):
2386         (JSC::ScopedArguments::allocationSize):
2387         (JSC::ScopedArguments::overflowStorage):
2388         * runtime/ScopedArgumentsTable.cpp: Added.
2389         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
2390         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
2391         (JSC::ScopedArgumentsTable::destroy):
2392         (JSC::ScopedArgumentsTable::create):
2393         (JSC::ScopedArgumentsTable::clone):
2394         (JSC::ScopedArgumentsTable::setLength):
2395         (JSC::ScopedArgumentsTable::set):
2396         (JSC::ScopedArgumentsTable::createStructure):
2397         * runtime/ScopedArgumentsTable.h: Added.
2398         (JSC::ScopedArgumentsTable::length):
2399         (JSC::ScopedArgumentsTable::get):
2400         (JSC::ScopedArgumentsTable::lock):
2401         (JSC::ScopedArgumentsTable::offsetOfLength):
2402         (JSC::ScopedArgumentsTable::offsetOfArguments):
2403         (JSC::ScopedArgumentsTable::at):
2404         * runtime/SymbolTable.cpp:
2405         (JSC::SymbolTableEntry::prepareToWatch):
2406         (JSC::SymbolTable::SymbolTable):
2407         (JSC::SymbolTable::visitChildren):
2408         (JSC::SymbolTable::localToEntry):
2409         (JSC::SymbolTable::entryFor):
2410         (JSC::SymbolTable::cloneScopePart):
2411         (JSC::SymbolTable::prepareForTypeProfiling):
2412         (JSC::SymbolTable::uniqueIDForOffset):
2413         (JSC::SymbolTable::globalTypeSetForOffset):
2414         (JSC::SymbolTable::cloneCapturedNames): Deleted.
2415         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
2416         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
2417         * runtime/SymbolTable.h:
2418         (JSC::SymbolTableEntry::varOffsetFromBits):
2419         (JSC::SymbolTableEntry::scopeOffsetFromBits):
2420         (JSC::SymbolTableEntry::Fast::varOffset):
2421         (JSC::SymbolTableEntry::Fast::scopeOffset):
2422         (JSC::SymbolTableEntry::Fast::isDontEnum):
2423         (JSC::SymbolTableEntry::Fast::getAttributes):
2424         (JSC::SymbolTableEntry::SymbolTableEntry):
2425         (JSC::SymbolTableEntry::varOffset):
2426         (JSC::SymbolTableEntry::isWatchable):
2427         (JSC::SymbolTableEntry::scopeOffset):
2428         (JSC::SymbolTableEntry::setAttributes):
2429         (JSC::SymbolTableEntry::constantMode):
2430         (JSC::SymbolTableEntry::isDontEnum):
2431         (JSC::SymbolTableEntry::disableWatching):
2432         (JSC::SymbolTableEntry::pack):
2433         (JSC::SymbolTableEntry::isValidVarOffset):
2434         (JSC::SymbolTable::createNameScopeTable):
2435         (JSC::SymbolTable::maxScopeOffset):
2436         (JSC::SymbolTable::didUseScopeOffset):
2437         (JSC::SymbolTable::didUseVarOffset):
2438         (JSC::SymbolTable::scopeSize):
2439         (JSC::SymbolTable::nextScopeOffset):
2440         (JSC::SymbolTable::takeNextScopeOffset):
2441         (JSC::SymbolTable::add):
2442         (JSC::SymbolTable::set):
2443         (JSC::SymbolTable::argumentsLength):
2444         (JSC::SymbolTable::setArgumentsLength):
2445         (JSC::SymbolTable::argumentOffset):
2446         (JSC::SymbolTable::setArgumentOffset):
2447         (JSC::SymbolTable::arguments):
2448         (JSC::SlowArgument::SlowArgument): Deleted.
2449         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
2450         (JSC::SymbolTableEntry::getIndex): Deleted.
2451         (JSC::SymbolTableEntry::isValidIndex): Deleted.
2452         (JSC::SymbolTable::captureStart): Deleted.
2453         (JSC::SymbolTable::setCaptureStart): Deleted.
2454         (JSC::SymbolTable::captureEnd): Deleted.
2455         (JSC::SymbolTable::setCaptureEnd): Deleted.
2456         (JSC::SymbolTable::captureCount): Deleted.
2457         (JSC::SymbolTable::isCaptured): Deleted.
2458         (JSC::SymbolTable::parameterCount): Deleted.
2459         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
2460         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
2461         (JSC::SymbolTable::slowArguments): Deleted.
2462         (JSC::SymbolTable::setSlowArguments): Deleted.
2463         * runtime/VM.cpp:
2464         (JSC::VM::VM):
2465         * runtime/VM.h:
2466         * runtime/VarOffset.cpp: Added.
2467         (JSC::VarOffset::dump):
2468         (WTF::printInternal):
2469         * runtime/VarOffset.h: Added.
2470         (JSC::VarOffset::VarOffset):
2471         (JSC::VarOffset::assemble):
2472         (JSC::VarOffset::isValid):
2473         (JSC::VarOffset::operator!):
2474         (JSC::VarOffset::kind):
2475         (JSC::VarOffset::isStack):
2476         (JSC::VarOffset::isScope):
2477         (JSC::VarOffset::isDirectArgument):
2478         (JSC::VarOffset::stackOffsetUnchecked):
2479         (JSC::VarOffset::scopeOffsetUnchecked):
2480         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
2481         (JSC::VarOffset::stackOffset):
2482         (JSC::VarOffset::scopeOffset):
2483         (JSC::VarOffset::capturedArgumentsOffset):
2484         (JSC::VarOffset::rawOffset):
2485         (JSC::VarOffset::checkSanity):
2486         (JSC::VarOffset::operator==):
2487         (JSC::VarOffset::operator!=):
2488         (JSC::VarOffset::hash):
2489         (JSC::VarOffset::isHashTableDeletedValue):
2490         (JSC::VarOffsetHash::hash):
2491         (JSC::VarOffsetHash::equal):
2492         * tests/stress/arguments-exit-strict-mode.js: Added.
2493         * tests/stress/arguments-exit.js: Added.
2494         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
2495         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
2496         * tests/stress/arguments-inlined-exit.js: Added.
2497         * tests/stress/arguments-interference.js: Added.
2498         * tests/stress/arguments-interference-cfg.js: Added.
2499         * tests/stress/dead-get-closure-var.js: Added.
2500         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
2501         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
2502         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
2503         * tests/stress/varargs-closure-inlined-exit.js: Added.
2504         * tests/stress/varargs-exit.js: Added.
2505         * tests/stress/varargs-inlined-exit.js: Added.
2506         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
2507         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
2508         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
2509         * tests/stress/varargs-inlined-simple-exit.js: Added.
2510         * tests/stress/varargs-too-few-arguments.js: Added.
2511         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
2512         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
2513         * tests/stress/varargs-varargs-inlined-exit.js: Added.
2514
2515 2015-03-25  Andy Estes  <aestes@apple.com>
2516
2517         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
2518         https://bugs.webkit.org/show_bug.cgi?id=143068
2519
2520         Reviewed by Dan Bernstein.
2521
2522         * inspector/remote/RemoteInspectorXPCConnection.mm:
2523         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
2524
2525 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2526
2527         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
2528         https://bugs.webkit.org/show_bug.cgi?id=142993
2529
2530         Reviewed by Geoffrey Garen and Mark Lam.
2531         
2532         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
2533         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
2534         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
2535         failure, but also involves adding the same kind of thing to the stub generators in
2536         Repatch.
2537         
2538         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
2539         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
2540         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
2541         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
2542         printout.
2543         
2544         Also add a way of inducing executable allocation failure, so that we can test this.
2545
2546         * CMakeLists.txt:
2547         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2548         * JavaScriptCore.xcodeproj/project.pbxproj:
2549         * dfg/DFGJITCompiler.cpp:
2550         (JSC::DFG::JITCompiler::compile):
2551         (JSC::DFG::JITCompiler::compileFunction):
2552         (JSC::DFG::JITCompiler::link): Deleted.
2553         (JSC::DFG::JITCompiler::linkFunction): Deleted.
2554         * dfg/DFGJITCompiler.h:
2555         * dfg/DFGPlan.cpp:
2556         (JSC::DFG::Plan::compileInThreadImpl):
2557         * ftl/FTLCompile.cpp:
2558         (JSC::FTL::mmAllocateCodeSection):
2559         (JSC::FTL::mmAllocateDataSection):
2560         * ftl/FTLLink.cpp:
2561         (JSC::FTL::link):
2562         * ftl/FTLState.h:
2563         * jit/ArityCheckFailReturnThunks.cpp:
2564         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
2565         * jit/ExecutableAllocationFuzz.cpp: Added.
2566         (JSC::numberOfExecutableAllocationFuzzChecks):
2567         (JSC::doExecutableAllocationFuzzing):
2568         * jit/ExecutableAllocationFuzz.h: Added.
2569         (JSC::doExecutableAllocationFuzzingIfEnabled):
2570         * jit/ExecutableAllocatorFixedVMPool.cpp:
2571         (JSC::ExecutableAllocator::allocate):
2572         * jit/JIT.cpp:
2573         (JSC::JIT::privateCompile):
2574         * jit/JITCompilationEffort.h:
2575         * jit/Repatch.cpp:
2576         (JSC::generateByIdStub):
2577         (JSC::tryCacheGetByID):
2578         (JSC::tryBuildGetByIDList):
2579         (JSC::emitPutReplaceStub):
2580         (JSC::emitPutTransitionStubAndGetOldStructure):
2581         (JSC::tryCachePutByID):
2582         (JSC::tryBuildPutByIdList):
2583         (JSC::tryRepatchIn):
2584         (JSC::linkPolymorphicCall):
2585         * jsc.cpp:
2586         (jscmain):
2587         * runtime/Options.h:
2588         * runtime/TestRunnerUtils.h:
2589         * runtime/VM.cpp:
2590         * tests/executableAllocationFuzz: Added.
2591         * tests/executableAllocationFuzz.yaml: Added.
2592         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
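
The allocation-failure handling this entry describes, as an added example that is not JavaScriptCore code: a `CanFail` caller gets a null result and stays in its lower tier, a `MustSucceed` caller hits a crash hook that prints a diagnostic instead of attempting a GC, and a counter modelled on the executable-allocation fuzzing the entry adds makes the N-th allocation fail so the fallback path can be tested deterministically. `JITCompilationEffort`, `allocateExecutable`, `compileWithFallback`, `setInjectedFailure` and the `g_*` globals are hypothetical stand-ins, not the real JSC API.

```cpp
// Added example (not JavaScriptCore code): a model of the CanFail/MustSucceed
// split with an injected allocation failure, so the fallback path can be
// exercised deterministically. All names are hypothetical stand-ins.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <vector>

enum class JITCompilationEffort { CanFail, MustSucceed };

// Fault-injection state: fail the N-th allocation check (0 disables it).
static unsigned g_failOnCheck = 0;
static unsigned g_checksSoFar = 0;

void setInjectedFailure(unsigned failOnCheck)
{
    g_failOnCheck = failOnCheck;
    g_checksSoFar = 0;
}

static bool injectFailureNow()
{
    return g_failOnCheck && ++g_checksSoFar == g_failOnCheck;
}

// Crash hook for MustSucceed failures: print a diagnostic and abort. Tests
// may swap in a recorder so the path can be exercised without dying.
static void defaultCrash(size_t bytes)
{
    std::fprintf(stderr, "executable allocation of %zu bytes failed under MustSucceed\n", bytes);
    std::abort();
}
void (*g_crashHook)(size_t) = defaultCrash;

struct ExecutableMemory { std::vector<uint8_t> bytes; };

// Returns nullptr on failure for CanFail callers. With the default hook a
// MustSucceed failure never returns; no GC is attempted at this point.
std::unique_ptr<ExecutableMemory> allocateExecutable(size_t bytes, JITCompilationEffort effort)
{
    if (injectFailureNow()) {
        if (effort == JITCompilationEffort::MustSucceed)
            g_crashHook(bytes);
        return nullptr;
    }
    auto mem = std::make_unique<ExecutableMemory>();
    mem->bytes.resize(bytes);
    return mem;
}

enum class CompileOutcome { Jitted, FellBack };

// A CanFail caller: on allocation failure it reports FellBack so execution
// stays in the lower tier instead of crashing or forcing a collection.
CompileOutcome compileWithFallback(size_t codeBytes)
{
    auto mem = allocateExecutable(codeBytes, JITCompilationEffort::CanFail);
    return mem ? CompileOutcome::Jitted : CompileOutcome::FellBack;
}

// Compile `count` functions with the failure injected at check `failAt`;
// returns how many took the fallback path (1 if failAt is within range).
unsigned fallbacksWithInjectedFailure(unsigned count, unsigned failAt)
{
    setInjectedFailure(failAt);
    unsigned fallbacks = 0;
    for (unsigned i = 0; i < count; ++i) {
        if (compileWithFallback(64) == CompileOutcome::FellBack)
            ++fallbacks;
    }
    setInjectedFailure(0);
    return fallbacks;
}

// Recorder standing in for the crash hook, so the MustSucceed path can be
// driven in a test; returns the byte count the hook saw (0 if never invoked).
static size_t g_lastCrashBytes = 0;
static void recordCrash(size_t bytes) { g_lastCrashBytes = bytes; }

size_t mustSucceedCrashBytes()
{
    g_crashHook = recordCrash;
    g_lastCrashBytes = 0;
    setInjectedFailure(1);
    allocateExecutable(128, JITCompilationEffort::MustSucceed);
    setInjectedFailure(0);
    g_crashHook = defaultCrash;
    return g_lastCrashBytes;
}
```

The point of the counter is that the failure branch is otherwise almost never reached in testing, so regressions in it (a missing null check, a fallback that itself allocates) go unnoticed until memory pressure hits in production.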
2593
2594 2015-03-25  Mark Lam  <mark.lam@apple.com>
2595
2596         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
2597         <https://webkit.org/b/135719>
2598
2599         Reviewed by Geoffrey Garen.
2600
2601         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
2602         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
2603         update the LLINT to access it as such.
2604
2605         The issue has only manifested so far on the CLoop tests because those are LLINT
2606         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
2607         hiding the bug in the LLINT.
2608
2609         * API/JSContextRef.cpp:
2610         (createWatchdogIfNeeded):
2611         (JSContextGroupSetExecutionTimeLimit):
2612         (JSContextGroupClearExecutionTimeLimit):
2613         * llint/LowLevelInterpreter.asm:
2614
2615 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2616
2617         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
2618
2619         Rubber stamped by Geoffrey Garen.
2620
2621         * bytecode/CodeBlock.cpp:
2622         (JSC::CodeBlock::visitAggregate):
2623
2624 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2625
2626         Fix formatting in BuiltinExecutables
2627         https://bugs.webkit.org/show_bug.cgi?id=143061
2628
2629         Reviewed by Ryosuke Niwa.
2630
2631         * builtins/BuiltinExecutables.cpp:
2632         (JSC::BuiltinExecutables::createExecutableInternal):
2633
2634 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2635
2636         ES6: Classes: Program level class statement throws exception in strict mode
2637         https://bugs.webkit.org/show_bug.cgi?id=143038
2638
2639         Reviewed by Ryosuke Niwa.
2640
2641         Classes expose a name to the current lexical environment. This treats
2642         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
2643         Also, improve error messages for class statements where the class is missing a name.
2644
2645         * parser/Parser.h:
2646         * parser/Parser.cpp:
2647         (JSC::Parser<LexerType>::parseClass):
2648         Fill name in info parameter if needed. Better error message if name is needed and missing.
2649
2650         (JSC::Parser<LexerType>::parseClassDeclaration):
2651         Pass info parameter to get name, and expose the name as a variable name.
2652
2653         (JSC::Parser<LexerType>::parsePrimaryExpression):
2654         Pass info parameter that is ignored.
2655
2656         * parser/ParserFunctionInfo.h:
2657         Add a parser info for class, to extract the name.
2658
2659 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2660
2661         New map and set modification tests in r181922 fails
2662         https://bugs.webkit.org/show_bug.cgi?id=143031
2663
2664         Reviewed and tweaked by Geoffrey Garen.
2665
2666         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
2667         to adjust for the packed backing store.
2668
2669         Consider the following map data.
2670
2671         x: deleted, o: exists
2672         0 1 2 3 4
2673         x x x x o
2674
2675         And iterator with m_index 3.
2676
2677         When packing the map data, map data will become,
2678
2679         0
2680         o
2681
2682         At that time, we perform didRemoveEntry 4 times on iterators.
2683         times => m_index/index/result
2684         1 => 3/0/dec
2685         2 => 2/1/dec
2686         3 => 1/2/nothing
2687         4 => 1/3/nothing
2688
2689         After iteration, the iterator's m_index becomes 1. But we expected it to become 0.
2690         This is because we use the decremented m_index for the comparison:
2691         the provided deletedIndex is an index in the old storage, while m_index is an index in the partially packed storage.
2692
2693         In this patch, we compare against the packed index instead.
2694         times => m_index/packedIndex/result
2695         1 => 3/0/dec
2696         2 => 2/0/dec
2697         3 => 1/0/dec
2698         4 => 0/0/nothing
2699
2700         So m_index becomes 0 as expected.
2701
2702         And according to the spec, once the iterator is closed (becomes done: true),
2703         its internal [[Map]]/[[Set]] is set to undefined.
2704         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
2705
2706         In this patch, we change 2 things.
2707         1.
2708         Compare an iterator's index against the packed index when removing an entry.
2709
2710         2.
2711         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
2712
2713         * runtime/MapData.h:
2714         (JSC::MapDataImpl::IteratorData::finish):
2715         (JSC::MapDataImpl::IteratorData::isFinished):
2716         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
2717         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
2718         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
2719         * runtime/MapDataInlines.h:
2720         (JSC::JSIterator>::replaceAndPackBackingStore):
2721         * tests/stress/modify-map-during-iteration.js:
2722         * tests/stress/modify-set-during-iteration.js:
2723
2724 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2725
2726         Setter should have a single formal parameter, Getter no parameters
2727         https://bugs.webkit.org/show_bug.cgi?id=142903
2728
2729         Reviewed by Geoffrey Garen.
2730
2731         * parser/Parser.cpp:
2732         (JSC::Parser<LexerType>::parseFunctionInfo):
2733         Enforce no parameters for getters and a single parameter
2734         for setters, with informational error messages.
2735
2736 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2737
2738         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
2739         https://bugs.webkit.org/show_bug.cgi?id=143012
2740
2741         Reviewed by Ryosuke Niwa.
2742
2743         * bytecompiler/BytecodeGenerator.cpp:
2744         (JSC::BytecodeGenerator::emitReturn):
2745         Fix handling of "undefined" when returned from a Derived class. It was
2746         returning "undefined" when it should have returned "this".
2747
2748 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2749
2750         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
2751         https://bugs.webkit.org/show_bug.cgi?id=142696
2752
2753         Reviewed and tweaked by Geoffrey Garen.
2754
2755         Before r142556, JSSetIterator::destroy was not defined.
2756         So accidentally MapData::const_iterator in JSSet was never destroyed.
2757         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
2758
2759         After r142556, JSSetIterator::destroy works.
2760         It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
2761         But JSSetIterator::~JSSetIterator requires owned JSSet since it mutates MapData->m_iteratorCount.
2762
2763         It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
2764         and marks it in visitChildren (WriteBarrier<Unknown>).
2765         However, the order of destructions is not guaranteed in GC-ed system.
2766
2767         Consider the following case,
2768         allocate JSSet and subsequently allocate JSSetIterator.
2769         And they reside in separate MarkedBlocks, <1> and <2>.
2770
2771         JSSet<1> <- JSSetIterator<2>
2772
2773         And after that, when performing GC, Marker decides that the above 2 objects are not marked.
2774         And Marker also decides MarkedBlocks <1> and <2> can be swept.
2775
2776         First, the Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
2777         Second, the Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
2778         However, JSSetIterator<2>'s destructor,
2779         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, so it causes a use-after-free.
2780
2781         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
2782         When packing the removed elements in JSSet/JSMap, we apply the change to all live
2783         iterators tracked by WeakGCMap.
2784
2785         WeakGCMap can only track JSCell since they are managed by GC.
2786         So we drop JSSet/JSMap C++ style iterators. Instead of C++ style iterator, this patch
2787         introduces JS style iterator signatures into C++ class IteratorData.
2788         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
2789         IteratorData directly.
2790
2791         * runtime/JSMap.cpp:
2792         (JSC::JSMap::destroy):
2793         * runtime/JSMap.h:
2794         (JSC::JSMap::JSMap):
2795         (JSC::JSMap::begin): Deleted.
2796         (JSC::JSMap::end): Deleted.
2797         * runtime/JSMapIterator.cpp:
2798         (JSC::JSMapIterator::destroy):
2799         * runtime/JSMapIterator.h:
2800         (JSC::JSMapIterator::next):
2801         (JSC::JSMapIterator::nextKeyValue):
2802         (JSC::JSMapIterator::iteratorData):
2803         (JSC::JSMapIterator::JSMapIterator):
2804         * runtime/JSSet.cpp:
2805         (JSC::JSSet::destroy):
2806         * runtime/JSSet.h:
2807         (JSC::JSSet::JSSet):
2808         (JSC::JSSet::begin): Deleted.
2809         (JSC::JSSet::end): Deleted.
2810         * runtime/JSSetIterator.cpp:
2811         (JSC::JSSetIterator::destroy):
2812         * runtime/JSSetIterator.h:
2813         (JSC::JSSetIterator::next):
2814         (JSC::JSSetIterator::iteratorData):
2815         (JSC::JSSetIterator::JSSetIterator):
2816         * runtime/MapData.h:
2817         (JSC::MapDataImpl::IteratorData::finish):
2818         (JSC::MapDataImpl::IteratorData::isFinished):
2819         (JSC::MapDataImpl::shouldPack):
2820         (JSC::JSIterator>::MapDataImpl):
2821         (JSC::JSIterator>::KeyType::KeyType):
2822         (JSC::JSIterator>::IteratorData::IteratorData):
2823         (JSC::JSIterator>::IteratorData::next):
2824         (JSC::JSIterator>::IteratorData::ensureSlot):
2825         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
2826         (JSC::JSIterator>::IteratorData::refreshCursor):
2827         (JSC::MapDataImpl::const_iterator::key): Deleted.
2828         (JSC::MapDataImpl::const_iterator::value): Deleted.
2829         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
2830         (JSC::MapDataImpl::const_iterator::finish): Deleted.
2831         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
2832         (JSC::MapDataImpl::begin): Deleted.
2833         (JSC::MapDataImpl::end): Deleted.
2834         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
2835         (JSC::MapDataImpl<Entry>::clear): Deleted.
2836         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
2837         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
2838         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
2839         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
2840         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
2841         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
2842         (JSC::=): Deleted.
2843         * runtime/MapDataInlines.h:
2844         (JSC::JSIterator>::clear):
2845         (JSC::JSIterator>::find):
2846         (JSC::JSIterator>::contains):
2847         (JSC::JSIterator>::add):
2848         (JSC::JSIterator>::set):
2849         (JSC::JSIterator>::get):
2850         (JSC::JSIterator>::remove):
2851         (JSC::JSIterator>::replaceAndPackBackingStore):
2852         (JSC::JSIterator>::replaceBackingStore):
2853         (JSC::JSIterator>::ensureSpaceForAppend):
2854         (JSC::JSIterator>::visitChildren):
2855         (JSC::JSIterator>::copyBackingStore):
2856         (JSC::JSIterator>::applyMapDataPatch):
2857         (JSC::MapDataImpl<Entry>::find): Deleted.
2858         (JSC::MapDataImpl<Entry>::contains): Deleted.
2859         (JSC::MapDataImpl<Entry>::add): Deleted.
2860         (JSC::MapDataImpl<Entry>::set): Deleted.
2861         (JSC::MapDataImpl<Entry>::get): Deleted.
2862         (JSC::MapDataImpl<Entry>::remove): Deleted.
2863         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
2864         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
2865         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
2866         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
2867         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
2868         * runtime/MapPrototype.cpp:
2869         (JSC::mapProtoFuncForEach):
2870         * runtime/SetPrototype.cpp:
2871         (JSC::setProtoFuncForEach):
2872         * runtime/WeakGCMap.h:
2873         (JSC::WeakGCMap::forEach):
2874         * tests/stress/modify-map-during-iteration.js: Added.
2875         (testValue):
2876         (identityPairs):
2877         (.set if):
2878         (var):
2879         (set map):
2880         * tests/stress/modify-set-during-iteration.js: Added.
2881         (testValue):
2882         (set forEach):
2883         (set delete):
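
The two Map/Set iterator fixes above (the packed-index comparison and closed-iterator rule from the r181922 follow-up, and the live-iterator tracking that replaces the destructor-time bookkeeping behind the JSSetIterator use-after-free), as one added example that is not JavaScriptCore code. A `std::unordered_set` of raw pointers stands in for the WeakGCMap, and the store detaches its iterators in its own destructor so that neither destruction order dereferences freed memory. `MapStore`, `IteratorData`, `didRemoveEntryOldRule` and `indexAfterPack` are hypothetical stand-ins, not the real MapDataImpl API.

```cpp
// Added example (not JavaScriptCore code): a simplified model of a Map/Set
// backing store with tombstones, compaction ("packing"), live-iterator tracking
// and the iterator adjustment rules from the two entries above. All names are
// hypothetical stand-ins for the real MapDataImpl ones.
#include <cstddef>
#include <memory>
#include <unordered_set>
#include <vector>

class MapStore;
// Stand-in for MapDataImpl::IteratorData. m_index is the position of the next
// entry to yield, expressed in the store's current layout.
class IteratorData {
public:
    explicit IteratorData(MapStore& store);
    ~IteratorData();
    size_t m_index = 0;
    MapStore* m_store; // cleared by the store if the store dies first
    bool isFinished() const { return m_finished; }
    void finish() { m_finished = true; } // closed: [[Map]]/[[Set]] is undefined

    // Fixed rule: compare against the index the removed slot maps to in the
    // packed store, and never adjust (revive) a closed iterator.
    void didRemoveEntry(size_t packedIndex)
    {
        if (!isFinished() && m_index > packedIndex)
            --m_index;
    }
    // Pre-fix rule, kept only to reproduce the table in the entry: comparing
    // against the old-storage index stops decrementing too early.
    void didRemoveEntryOldRule(size_t deletedIndex)
    {
        if (m_index > deletedIndex)
            --m_index;
    }
private:
    bool m_finished = false;
};

struct Entry { int key; bool deleted; };
// Stand-in for MapDataImpl. liveIterators plays the role of the WeakGCMap: the
// store knows every live iterator and pushes layout changes to each of them.
class MapStore {
public:
    std::vector<Entry> entries;
    std::unordered_set<IteratorData*> liveIterators;
    // GC gives no ordering guarantee between the store and its iterators, so
    // detach them here rather than let their destructors reach back into us.
    ~MapStore()
    {
        for (IteratorData* it : liveIterators)
            it->m_store = nullptr;
    }
    void add(int key) { entries.push_back({ key, false }); }
    void remove(size_t index) { entries[index].deleted = true; }

    // Compaction. `useOldRule` selects the buggy comparison for demonstration.
    void pack(bool useOldRule = false)
    {
        std::vector<Entry> packed;
        for (size_t i = 0; i < entries.size(); ++i) {
            if (!entries[i].deleted) {
                packed.push_back(entries[i]);
                continue;
            }
            for (IteratorData* it : liveIterators)
                useOldRule ? it->didRemoveEntryOldRule(i) : it->didRemoveEntry(packed.size());
        }
        entries.swap(packed);
    }
};

IteratorData::IteratorData(MapStore& store) : m_store(&store) { store.liveIterators.insert(this); }
// Safe in either destruction order: the store nulls m_store before it goes away.
IteratorData::~IteratorData() { if (m_store) m_store->liveIterators.erase(this); }

// The entry's worked example: slots 0..3 deleted, slot 4 live, iterator at 3.
// The old rule leaves m_index at 1, the fixed rule yields the expected 0, and a
// closed iterator is left alone either way.
size_t indexAfterPack(bool useOldRule, bool closeIteratorFirst = false)
{
    MapStore store;
    for (int k = 0; k < 5; ++k) store.add(k);
    for (size_t i = 0; i < 4; ++i) store.remove(i);
    IteratorData it(store);
    it.m_index = 3;
    if (closeIteratorFirst) it.finish();
    store.pack(useOldRule);
    return it.m_index;
}

// Store destroyed before its iterator, the order behind the original
// use-after-free; here the iterator is merely detached and cleans up safely.
bool iteratorOutlivesStore()
{
    auto store = std::make_unique<MapStore>();
    auto it = std::make_unique<IteratorData>(*store);
    store.reset(); // store dies first and detaches the iterator
    bool detached = !it->m_store;
    return detached; // `it` is destroyed afterwards without touching the store
}
```

Running `indexAfterPack(true)` reproduces the 3/0, 2/1, 1/2, 1/3 sequence from the entry and ends at 1; `indexAfterPack(false)` walks 3/0, 2/0, 1/0, 0/0 and ends at 0. The detach-in-destructor pattern is the general remedy whenever two collector-managed objects are finalized in unspecified order: the object that others point into is the one that must clear those pointers.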
2884
2885 2015-03-24  Mark Lam  <mark.lam@apple.com>
2886
2887         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
2888         <https://webkit.org/b/143024>
2889
2890         Reviewed by Geoffrey Garen.
2891
2892         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
2893         passed in from testapi.c.  It should create its own for better
2894         encapsulation of the test.
2895
2896         * API/tests/ExecutionTimeLimitTest.cpp:
2897         (currentCPUTimeAsJSFunctionCallback):
2898         (testExecutionTimeLimit):
2899         * API/tests/ExecutionTimeLimitTest.h:
2900         * API/tests/testapi.c:
2901         (main):
2902
2903 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2904
2905         ES6: Object Literal Methods toString is missing method name
2906         https://bugs.webkit.org/show_bug.cgi?id=142992
2907
2908         Reviewed by Geoffrey Garen.
2909
2910         Always stringify functions in the pattern:
2911
2912           "function " + <function name> + <text from opening parenthesis to closing brace>.
2913
2914         * runtime/FunctionPrototype.cpp:
2915         (JSC::functionProtoFuncToString):
2916         Update the path that was not stringifying in this pattern.
2917
2918         * bytecode/UnlinkedCodeBlock.cpp:
2919         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2920         * bytecode/UnlinkedCodeBlock.h:
2921         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
2922         * parser/Nodes.h:
2923         * runtime/Executable.cpp:
2924         (JSC::FunctionExecutable::FunctionExecutable):
2925         * runtime/Executable.h:
2926         (JSC::FunctionExecutable::parametersStartOffset):
2927         Pass the already known function parameter opening parenthesis
2928         start offset through to the FunctionExecutable. 
2929
2930         * tests/mozilla/js1_5/Scope/regress-185485.js:
2931         (with.g):
2932         Add back original space in this test that was removed by r181810
2933         now that we have the space again in stringification.
2934
2935 2015-03-24  Michael Saboff  <msaboff@apple.com>
2936
2937         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
2938         https://bugs.webkit.org/show_bug.cgi?id=142856
2939
2940         Reviewed by Filip Pizlo.
2941
2942         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
2943         get info for three loops to iterate over indexed properties, structure properties and other properties,
2944         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
2945         for all loops before we execute any enumeration.
2946
2947         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
2948         The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex)
2949         and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
2950
2951         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
2952         op_next_enumerator_pname.
2953         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
2954         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
2955         end value we stop iterating on.
2956
2957         Made corresponding node changes to the DFG and FTL for the bytecode changes.
2958
2959         * bytecode/BytecodeList.json:
2960         * bytecode/BytecodeUseDef.h:
2961         (JSC::computeUsesForBytecodeOffset):
2962         (JSC::computeDefsForBytecodeOffset):
2963         * bytecode/CodeBlock.cpp:
2964         (JSC::CodeBlock::dumpBytecode):
2965         * bytecompiler/BytecodeGenerator.cpp:
2966         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
2967         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
2968         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
2969         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
2970         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
2971         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
2972         * bytecompiler/BytecodeGenerator.h:
2973         * bytecompiler/NodesCodegen.cpp:
2974         (JSC::ForInNode::emitMultiLoopBytecode):
2975         * dfg/DFGAbstractInterpreterInlines.h:
2976         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2977         * dfg/DFGByteCodeParser.cpp:
2978         (JSC::DFG::ByteCodeParser::parseBlock):
2979         * dfg/DFGCapabilities.cpp:
2980         (JSC::DFG::capabilityLevel):
2981         * dfg/DFGClobberize.h:
2982         (JSC::DFG::clobberize):
2983         * dfg/DFGDoesGC.cpp:
2984         (JSC::DFG::doesGC):
2985         * dfg/DFGFixupPhase.cpp:
2986         (JSC::DFG::FixupPhase::fixupNode):
2987         * dfg/DFGNodeType.h:
2988         * dfg/DFGPredictionPropagationPhase.cpp:
2989         (JSC::DFG::PredictionPropagationPhase::propagate):
2990         * dfg/DFGSafeToExecute.h:
2991         (JSC::DFG::safeToExecute):
2992         * dfg/DFGSpeculativeJIT32_64.cpp:
2993         (JSC::DFG::SpeculativeJIT::compile):
2994         * dfg/DFGSpeculativeJIT64.cpp:
2995         (JSC::DFG::SpeculativeJIT::compile):
2996         * ftl/FTLAbstractHeapRepository.h:
2997         * ftl/FTLCapabilities.cpp:
2998         (JSC::FTL::canCompile):
2999         * ftl/FTLLowerDFGToLLVM.cpp:
3000         (JSC::FTL::LowerDFGToLLVM::compileNode):
3001         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
3002         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
3003         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
3004         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
3005         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
3006         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
3007         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
3008         * jit/JIT.cpp:
3009         (JSC::JIT::privateCompileMainPass):
3010         * jit/JIT.h:
3011         * jit/JITOpcodes.cpp:
3012         (JSC::JIT::emit_op_enumerator_structure_pname):
3013         (JSC::JIT::emit_op_enumerator_generic_pname):
3014         (JSC::JIT::emit_op_get_property_enumerator):
3015         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
3016         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
3017         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
3018         * jit/JITOpcodes32_64.cpp:
3019         (JSC::JIT::emit_op_enumerator_structure_pname):
3020         (JSC::JIT::emit_op_enumerator_generic_pname):
3021         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
3022         * jit/JITOperations.cpp:
3023         * jit/JITOperations.h:
3024         * llint/LowLevelInterpreter.asm:
3025         * runtime/CommonSlowPaths.cpp:
3026         (JSC::SLOW_PATH_DECL):
3027         * runtime/CommonSlowPaths.h:
3028         * runtime/JSPropertyNameEnumerator.cpp:
3029         (JSC::JSPropertyNameEnumerator::create):
3030         (JSC::JSPropertyNameEnumerator::finishCreation):
3031         * runtime/JSPropertyNameEnumerator.h:
3032         (JSC::JSPropertyNameEnumerator::indexedLength):
3033         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
3034         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
3035         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
3036         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
3037         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
3038         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
3039         (JSC::propertyNameEnumerator):
3040         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
3041         (JSC::structurePropertyNameEnumerator): Deleted.
3042         (JSC::genericPropertyNameEnumerator): Deleted.
3043         * runtime/Structure.cpp:
3044         (JSC::Structure::setCachedPropertyNameEnumerator):
3045         (JSC::Structure::cachedPropertyNameEnumerator):
3046         (JSC::Structure::canCachePropertyNameEnumerator):
3047         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
3048         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
3049         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
3050         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
3051         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
3052         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
3053         * runtime/Structure.h:
3054         * runtime/StructureRareData.cpp:
3055         (JSC::StructureRareData::visitChildren):
3056         (JSC::StructureRareData::cachedPropertyNameEnumerator):
3057         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
3058         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
3059         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
3060         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
3061         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
3062         * runtime/StructureRareData.h:
3063         * tests/stress/for-in-delete-during-iteration.js:
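
The enumerator layout this entry describes, as an added example that is not JavaScriptCore code: one snapshot call builds the indexed count and the single named-property list with its two end indices, and three loops consume it, so properties added by the loop body are never enumerated and a property deleted mid-loop is skipped by re-checking the object. `ToyObject`, `PropertyNameEnumerator`, `propertyNameEnumerator` and `forInAddingProperties` are hypothetical stand-ins for JSPropertyNameEnumerator and the bytecodes named above.

```cpp
// Added example (not JavaScriptCore code): a model of the single-call property
// enumerator snapshot described above and the three loops that consume it.
// Names are hypothetical stand-ins for JSPropertyNameEnumerator and friends.
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// A toy object: indexed slots, "structure" (shape) properties and generic
// (dictionary) properties. has() lets the named loops skip properties deleted
// mid-iteration, which for..in must not visit.
struct ToyObject {
    size_t indexedLength = 0;
    std::vector<std::string> structureProperties;
    std::vector<std::string> genericProperties;

    bool has(const std::string& name) const
    {
        auto in = [&](const std::vector<std::string>& v) { return std::find(v.begin(), v.end(), name) != v.end(); };
        return in(structureProperties) || in(genericProperties);
    }
};

// Snapshot taken once, before any enumeration. Named properties form one list:
// [0, endStructurePropertyIndex) are structure properties and
// [endStructurePropertyIndex, endGenericPropertyIndex) are generic ones.
struct PropertyNameEnumerator {
    size_t indexedLength = 0;
    std::vector<std::string> names;
    size_t endStructurePropertyIndex = 0;
    size_t endGenericPropertyIndex = 0;
};

PropertyNameEnumerator propertyNameEnumerator(const ToyObject& object)
{
    PropertyNameEnumerator e;
    e.indexedLength = object.indexedLength;
    e.names = object.structureProperties;
    e.endStructurePropertyIndex = e.names.size();
    e.names.insert(e.names.end(), object.genericProperties.begin(), object.genericProperties.end());
    e.endGenericPropertyIndex = e.names.size();
    return e;
}

// for (name in object) whose body adds a new generic property on every
// iteration and, if eraseName is set, deletes that property. Returns the names
// visited: additions are never enumerated because the snapshot was built up
// front, and a deleted name is skipped by has().
std::vector<std::string> forInAddingProperties(ToyObject& object, const std::string& eraseName)
{
    const PropertyNameEnumerator e = propertyNameEnumerator(object);
    std::vector<std::string> visited;
    auto body = [&](const std::string& name) {
        visited.push_back(name);
        object.genericProperties.push_back("added" + std::to_string(visited.size()));
        auto& g = object.genericProperties;
        g.erase(std::remove(g.begin(), g.end(), eraseName), g.end());
    };
    // Loop 1: indexed properties (this toy does not model deleting them).
    for (size_t i = 0; i < e.indexedLength; ++i)
        body(std::to_string(i));
    // Loop 2: structure properties (op_enumerator_structure_pname).
    for (size_t i = 0; i < e.endStructurePropertyIndex; ++i)
        if (object.has(e.names[i])) body(e.names[i]);
    // Loop 3: generic properties (op_enumerator_generic_pname): the same walk
    // over the same list, stopping at a different end value.
    for (size_t i = e.endStructurePropertyIndex; i < e.endGenericPropertyIndex; ++i)
        if (object.has(e.names[i])) body(e.names[i]);
    return visited;
}

// Constructed sample: two indexed slots, shape properties a and b, generic c.
ToyObject sampleObject()
{
    ToyObject o;
    o.indexedLength = 2;
    o.structureProperties = { "a", "b" };
    o.genericProperties = { "c" };
    return o;
}

// Names visited when the body only adds properties: 0, 1, a, b, c.
std::vector<std::string> sampleVisited()
{
    ToyObject o = sampleObject();
    return forInAddingProperties(o, "");
}

// Same loop, but the body deletes "c" before the generic loop reaches it.
std::vector<std::string> sampleVisitedWithDelete()
{
    ToyObject o = sampleObject();
    return forInAddingProperties(o, "c");
}

// Generic property count after the loop: the original c plus one per visit.
size_t sampleGenericCountAfterLoop()
{
    ToyObject o = sampleObject();
    forInAddingProperties(o, "");
    return o.genericProperties.size();
}
```

The snapshot is what makes the loop's result independent of what the body does to the object, which is the property the regression broke; the has() check is the complementary rule that deletions during the loop still take effect.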
3064
3065 2015-03-24  Michael Saboff  <msaboff@apple.com>
3066
3067         Unreviewed build fix for debug builds.
3068
3069         * runtime/ExceptionHelpers.cpp:
3070         (JSC::invalidParameterInSourceAppender):
3071
3072 2015-03-24  Saam Barati  <saambarati1@gmail.com>
3073
3074         Improve error messages in JSC
3075         https://bugs.webkit.org/show_bug.cgi?id=141869
3076
3077         Reviewed by Geoffrey Garen.
3078
3079         JavaScriptCore has some unintuitive error messages associated
3080         with certain common errors. This patch changes some specific
3081         error messages to be more understandable and also creates a
3082         mechanism that will allow for easy modification of error messages
3083         in the future. The specific errors we change are "not a function"
3084         errors and "invalid parameter" errors.
3085
3086         * CMakeLists.txt:
3087         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3088         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3089         * JavaScriptCore.xcodeproj/project.pbxproj:
3090         * interpreter/Interpreter.cpp:
3091         (JSC::sizeOfVarargs):
3092         * jit/JITOperations.cpp:
3093         op_throw_static_error always has a JSString as its argument.
3094         There is no need to dance around this, and we should assert
3095         that this always holds. This JSString represents the error 
3096         message we want to display to the user, so there is no need
3097         to pass it into errorDescriptionForValue which will now place
3098         quotes around the string.
3099
3100         * llint/LLIntSlowPaths.cpp:
3101         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3102         * runtime/CommonSlowPaths.h:
3103         (JSC::CommonSlowPaths::opIn):
3104         * runtime/ErrorInstance.cpp:
3105         (JSC::ErrorInstance::ErrorInstance):
3106         * runtime/ErrorInstance.h:
3107         (JSC::ErrorInstance::hasSourceAppender):
3108         (JSC::ErrorInstance::sourceAppender):
3109         (JSC::ErrorInstance::setSourceAppender):
3110         (JSC::ErrorInstance::clearSourceAppender):
3111         (JSC::ErrorInstance::setRuntimeTypeForCause):
3112         (JSC::ErrorInstance::runtimeTypeForCause):
3113         (JSC::ErrorInstance::clearRuntimeTypeForCause):
3114         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
3115         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
3116         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
3117         * runtime/ExceptionHelpers.cpp:
3118         (JSC::errorDescriptionForValue):
3119         (JSC::defaultApproximateSourceError):
3120         (JSC::defaultSourceAppender):
3121         (JSC::functionCallBase):
3122         (JSC::notAFunctionSourceAppender):
3123         (JSC::invalidParameterInSourceAppender):
3124         (JSC::invalidParameterInstanceofSourceAppender):
3125         (JSC::createError):
3126         (JSC::createInvalidFunctionApplyParameterError):
3127         (JSC::createInvalidInParameterError):
3128         (JSC::createInvalidInstanceofParameterError):
3129         (JSC::createNotAConstructorError):
3130         (JSC::createNotAFunctionError):
3131         (JSC::createNotAnObjectError):
3132         (JSC::createInvalidParameterError): Deleted.
3133         * runtime/ExceptionHelpers.h:
3134         * runtime/JSObject.cpp:
3135         (JSC::JSObject::hasInstance):
3136         * runtime/RuntimeType.cpp: Added.
3137         (JSC::runtimeTypeForValue):
3138         (JSC::runtimeTypeAsString):
3139         * runtime/RuntimeType.h: Added.
3140         * runtime/TypeProfilerLog.cpp:
3141         (JSC::TypeProfilerLog::processLogEntries):
3142         * runtime/TypeSet.cpp:
3143         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
3144         * runtime/TypeSet.h:
3145         * runtime/VM.cpp:
3146         (JSC::appendSourceToError):
3147         (JSC::VM::throwException):
3148
3149 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
3150
3151         JSC should have a low-cost asynchronous disassembler
3152         https://bugs.webkit.org/show_bug.cgi?id=142997
3153
3154         Reviewed by Mark Lam.
3155         
3156         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
3157         doesn't block execution. Some code will live a little longer because of this, since the
3158         work tasks hold a ref to the code, but other than that there is basically no overhead.
3159         
3160         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
3161         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
3162         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
3163         JSC_asyncDisassembly has bizarre behavior - so just choose one.
3164         
3165         A simple way of understanding how great this is, is to run a small benchmark like
3166         V8Spider/earley-boyer.
3167         
3168         Performance without any disassembly flags: 60ms
3169         Performance with JSC_showDisassembly=true: 477ms
3170         Performance with JSC_asyncDisassembly=true: 65ms
3171         
3172         So, the overhead of disassembly goes from 8x to 8%.
3173         
3174         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
3175         measuring benchmark performance. This is because at VM exit, we wait for all async
3176         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
3177         after the benchmark completely finishes to finish the disassemblies. This small weirdness
3178         should be OK for the intended use-cases, since all you have to do to get around it is to
3179         measure the execution time of the benchmark payload rather than the end-to-end time of
3180         launching the VM.
3181
3182         * assembler/LinkBuffer.cpp:
3183         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3184         * assembler/LinkBuffer.h:
3185         (JSC::LinkBuffer::wasAlreadyDisassembled):
3186         (JSC::LinkBuffer::didAlreadyDisassemble):
3187         * dfg/DFGJITCompiler.cpp:
3188         (JSC::DFG::JITCompiler::disassemble):
3189         * dfg/DFGJITFinalizer.cpp:
3190         (JSC::DFG::JITFinalizer::finalize):
3191         (JSC::DFG::JITFinalizer::finalizeFunction):
3192         * disassembler/Disassembler.cpp:
3193         (JSC::disassembleAsynchronously):
3194         (JSC::waitForAsynchronousDisassembly):
3195         * disassembler/Disassembler.h:
3196         * ftl/FTLCompile.cpp:
3197         (JSC::FTL::mmAllocateDataSection):
3198         * ftl/FTLLink.cpp:
3199         (JSC::FTL::link):
3200         * jit/JIT.cpp:
3201         (JSC::JIT::privateCompile):
3202         * jsc.cpp:
3203         * runtime/Options.h:
3204         * runtime/VM.cpp:
3205         (JSC::VM::~VM):
3206
3207 2015-03-23  Dean Jackson  <dino@apple.com>
3208
3209         ES7: Implement Array.prototype.includes
3210         https://bugs.webkit.org/show_bug.cgi?id=142707
3211
3212         Reviewed by Geoffrey Garen.
3213
3214         Add support for the ES7 includes method on Arrays.
3215         https://github.com/tc39/Array.prototype.includes
3216
3217         * builtins/Array.prototype.js:
3218         (includes): Implementation in JS.
3219         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
3220
3221 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
3222
3223         __defineGetter__/__defineSetter__ should throw exceptions
3224         https://bugs.webkit.org/show_bug.cgi?id=142934
3225
3226         Reviewed by Geoffrey Garen.
3227
3228         * runtime/ObjectPrototype.cpp:
3229         (JSC::objectProtoFuncDefineGetter):
3230         (JSC::objectProtoFuncDefineSetter):
3231         Throw exceptions when these functions are used directly.
3232
3233 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
3234
3235         Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
3236         https://bugs.webkit.org/show_bug.cgi?id=142952
3237
3238         Reviewed by Geoffrey Garen.
3239
3240         * runtime/Structure.cpp:
3241         (JSC::PropertyTable::checkConsistency):
3242         The check offset method doesn't exist in PropertyTable; it exists in Structure.
3243
3244         (JSC::Structure::checkConsistency):
3245         So move it here, and always put it at the start to match normal behavior.
3246
3247 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3248
3249         Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
3250         https://bugs.webkit.org/show_bug.cgi?id=142956
3251
3252         Rubber stamped by Gyuyoung Kim.
3253         
3254         Just removing dead code.
3255
3256         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3257         * JavaScriptCore.xcodeproj/project.pbxproj:
3258         * dfg/DFGOSRExit.h:
3259         * dfg/DFGOSRExitCompiler.cpp:
3260         * dfg/DFGValueRecoveryOverride.h: Removed.
3261
3262 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3263
3264         DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
3265         https://bugs.webkit.org/show_bug.cgi?id=142948
3266
3267         Reviewed by Sam Weinig.
3268         
3269         It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
3270         since a signal may clobber the area below the stack pointer. When the DFG is executing,
3271         the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
3272         baseline, we will use a different amount of stack. This is because baseline is a different
3273         compiler. It will make different decisions. So it will use a different amount of stack.
3274         
3275         This gets tricky when we are in the process of doing an OSR exit, because we are sort of
3276         incrementally transforming the stack from how it looked in the DFG to how it will look in
3277         baseline. The most conservative approach would be to set the stack pointer to the max of
3278         DFG and baseline.
3279         
3280         When this code was written, a reckless assumption was made: that the stack usage in
3281         baseline is always at least as large as the stack usage in DFG. Based on this incorrect
3282         assumption, the code first adjusts the stack pointer to account for the baseline stack
3283         usage. This sort of usually works, because usually baseline does happen to use more stack.
3284         But that's not an invariant. Nobody guarantees this. We will never make any changes that
3285         would make this be guaranteed, because that would be antithetical to how optimizing
3286         compilers work. The DFG should be allowed to use however much stack it decides that it
3287         should use in order to get good performance, and it shouldn't try to guarantee that it
3288         always uses less stack than baseline.
3289         
3290         As such, we must always assume that the frame size for DFG execution (i.e.
3291         frameRegisterCount) and the frame size in baseline once we exit (i.e.
3292         requiredRegisterCountForExit) are two independent quantities and they have no
3293         relationship.
3294         
3295         Fortunately, though, this code can be made correct by just moving the stack adjustment to
3296         just before we do conversions. This is because we have since changed the OSR exit
3297         algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
3298         drop it out of the scratch buffer and into the stack according to the baseline layout. The
3299         point just before conversions is the point where we have finished reading the DFG frame
3300         and will not read it anymore, and we haven't started writing the baseline frame. So, at
3301         this point it is safe to set the stack pointer to account for the frame size at exit.
3302         
3303         This is benign because baseline happens to create larger frames than DFG.
3304
3305         * dfg/DFGOSRExitCompiler32_64.cpp:
3306         (JSC::DFG::OSRExitCompiler::compileExit):
3307         * dfg/DFGOSRExitCompiler64.cpp:
3308         (JSC::DFG::OSRExitCompiler::compileExit):
3309         * dfg/DFGOSRExitCompilerCommon.cpp:
3310         (JSC::DFG::adjustAndJumpToTarget):
3311
3312 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3313
3314         Shorten the number of iterations to 10,000 since that's enough to test all tiers.
3315
3316         Rubber stamped by Sam Weinig.
3317
3318         * tests/stress/equals-masquerader.js:
3319
3320 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3321
3322         tests/stress/*tdz* tests do 10x more iterations than necessary
3323         https://bugs.webkit.org/show_bug.cgi?id=142946
3324
3325         Reviewed by Ryosuke Niwa.
3326         
3327         The stress test harness runs all of these tests in various configurations. This includes
3328         no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
3329         enough to get to the highest tier. The only exceptions are very large functions or
3330         functions that have some reoptimizations. That happens rarely, and when it does happen,
3331         usually 20,000 iterations is enough.
3332         
3333         Therefore, these tests use 10x too many iterations. This is bad, since these tests
3334         allocate on each iteration, and so they run very slow