a2c07101c371e6a1b42c5300c767818f01fac959
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         SparseValueMap check is skipped when the butterfly's vectorLength is larger than the access-requested index
4         https://bugs.webkit.org/show_bug.cgi?id=147265
5
6         Reviewed by Geoffrey Garen.
7
8         JSObject's vector holds the indexed values and we leverage it to represent stored values and holes.
9         By checking that the given index is in-bound of the vector's length, we can look up the property fast.
10         And for the sparse array, we have also the separated SparseValueMap to hold the pairs.
11         And we need to take care that the length of the vector should not overlap the indices stored in the SparseValueMap.
12
13         The vector only holds the pure JS values to avoid additional checking for accessors when looking up the value
14         from the vector. To achieve this, we also store the accessors (and attributed properties) to SparseValueMap
15         even the index is less than MIN_SPARSE_ARRAY_INDEX.
16
17         As a result, if the length of the vector overlaps the indices of the accessors stored in the SparseValueMap,
18         we accidentally skip the phase looking up from the SparseValueMap. Instead, we just load from the vector and
19         if the loaded value is an array hole, we decide the given object does not have the value for the given index.
20
21         This patch fixes the problem.
22         When defining the attributed value that index is smaller than the length of the vector, we throw away the vector
23         and change the object to DictionaryIndexingMode. Since we can assume that indexed accessors rarely exist in
24         practice, we expect this does not hurt the performance while keeping the fast property access system without
25         checking the sparse map.
26
27         * runtime/JSObject.cpp:
28         (JSC::JSObject::putDirectIndexBeyondVectorLength):
29         * tests/stress/sparse-map-non-overlapping.js: Added.
30         (shouldBe):
31         (testing):
32         (object.get 1000):
33         * tests/stress/sparse-map-non-skip-getter-overriding.js: Added.
34         (shouldBe):
35         (obj.get 1):
36         (testing):
37         * tests/stress/sparse-map-non-skip.js: Added.
38         (shouldBe):
39         (testing):
40         (testing2):
41         (.get for):
42
43 2015-07-27  Saam barati  <saambarati1@gmail.com>
44
45         Reduce execution time for "let" and "const" tests
46         https://bugs.webkit.org/show_bug.cgi?id=147291
47
48         Reviewed by Geoffrey Garen.
49
50         We don't need to loop so many times for things that will not make it 
51         into the DFG.  Also, we can loop a lot less for almost all the tests 
52         because they're mostly testing the bytecode generator.
53
54         * tests/stress/const-and-with-statement.js:
55         * tests/stress/const-exception-handling.js:
56         * tests/stress/const-loop-semantics.js:
57         * tests/stress/const-not-strict-mode.js:
58         * tests/stress/const-semantics.js:
59         * tests/stress/const-tdz.js:
60         * tests/stress/lexical-let-and-with-statement.js:
61         * tests/stress/lexical-let-exception-handling.js:
62         (assert):
63         * tests/stress/lexical-let-loop-semantics.js:
64         (assert):
65         (shouldThrowTDZ):
66         (.):
67         * tests/stress/lexical-let-not-strict-mode.js:
68         * tests/stress/lexical-let-semantics.js:
69         (.):
70         * tests/stress/lexical-let-tdz.js:
71         (shouldThrowTDZ):
72         (.):
73
74 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
75
76         Rename PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols
77         https://bugs.webkit.org/show_bug.cgi?id=147311
78
79         Reviewed by Sam Weinig.
80
81         To make the meaning clear in the user side (PropertyNameArray array(exec, PropertyNameMode::StringsAndSymbols)),
82         this patch renames PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols.
83
84         * bytecode/ObjectAllocationProfile.h:
85         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
86         * runtime/EnumerationMode.h:
87         * runtime/ObjectConstructor.cpp:
88         (JSC::ownEnumerablePropertyKeys):
89         (JSC::defineProperties):
90         (JSC::objectConstructorSeal):
91         (JSC::objectConstructorFreeze):
92         (JSC::objectConstructorIsSealed):
93         (JSC::objectConstructorIsFrozen):
94         (JSC::ownPropertyKeys):
95         * runtime/ReflectObject.cpp:
96         (JSC::reflectObjectOwnKeys):
97
98 2015-07-27  Saam barati  <saambarati1@gmail.com>
99
100         Added a comment explaining that all "addVar()"s should happen before
101         emitting bytecode for a function's default parameter expressions
102
103         Rubber Stamped by Mark Lam.
104
105         * bytecompiler/BytecodeGenerator.cpp:
106         (JSC::BytecodeGenerator::BytecodeGenerator):
107
108 2015-07-26  Sam Weinig  <sam@webkit.org>
109
110         Add missing builtin files to the JavaScriptCore Xcode project
111         https://bugs.webkit.org/show_bug.cgi?id=147312
112
113         Reviewed by Darin Adler.
114
115         * JavaScriptCore.xcodeproj/project.pbxproj:
116         Add missing files.
117
118 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
119
120         [ES6] Implement Reflect.isExtensible
121         https://bugs.webkit.org/show_bug.cgi?id=147308
122
123         Reviewed by Sam Weinig.
124
125         This patch implements Reflect.isExtensible.
126         It is similar to Object.isExtensible.
127         The difference is that it raises an error if the first argument is not an object.
128
129         * runtime/ReflectObject.cpp:
130         (JSC::reflectObjectIsExtensible):
131         * tests/stress/reflect-is-extensible.js: Added.
132         (shouldBe):
133         (shouldThrow):
134
135 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
136
137         Unreviewed, fix the debug build due to touching the non-declared variable in ASSERT
138         https://bugs.webkit.org/show_bug.cgi?id=147307
139
140         * runtime/ObjectConstructor.cpp:
141         (JSC::ownPropertyKeys):
142
143 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
144
145         [ES6] Implement Reflect.ownKeys
146         https://bugs.webkit.org/show_bug.cgi?id=147307
147
148         Reviewed by Sam Weinig.
149
150         This patch implements Reflect.ownKeys.
151         In this patch, we refactor the existing code to list up own keys in the object.
152         Such code is used by Object.getOwnPropertyNames, Object.getOwnPropertyKeys, Object.keys and @ownEnumerableKeys.
153         We factor out the listing up own keys as ownPropertyKeys function and also use it in Reflect.ownKeys.
154
155         * runtime/ObjectConstructor.cpp:
156         (JSC::objectConstructorGetOwnPropertyNames):
157         (JSC::objectConstructorGetOwnPropertySymbols):
158         (JSC::objectConstructorKeys):
159         (JSC::ownEnumerablePropertyKeys):
160         (JSC::ownPropertyKeys):
161         * runtime/ObjectConstructor.h:
162         * runtime/ReflectObject.cpp:
163         (JSC::reflectObjectOwnKeys):
164         * tests/stress/reflect-own-keys.js: Added.
165         (shouldBe):
166         (shouldThrow):
167         (shouldBeArray):
168
169 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
170
171         [ES6] Implement Reflect.apply
172         https://bugs.webkit.org/show_bug.cgi?id=147306
173
174         Reviewed by Sam Weinig.
175
176         Implement Reflect.apply.
177         The large part of this can be implemented by the @apply builtin annotation.
178         The only thing which is different from the Funciton.prototype.apply is the third parameter,
179         "argumentsList" is needed to be an object.
180
181         * builtins/ReflectObject.js:
182         (apply):
183         (deleteProperty):
184         * runtime/ReflectObject.cpp:
185         * tests/stress/reflect-apply.js: Added.
186         (shouldBe):
187         (shouldThrow):
188         (get shouldThrow):
189         (.get shouldThrow):
190         (get var.array.get length):
191         (get var.array.get 0):
192         (.get var):
193         * tests/stress/reflect-delete-property.js:
194
195 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
196
197         [ES6] Add Reflect namespace and add Reflect.deleteProperty
198         https://bugs.webkit.org/show_bug.cgi?id=147287
199
200         Reviewed by Sam Weinig.
201
202         This patch just creates the namespace for ES6 Reflect APIs.
203         And add template files to implement the actual code.
204
205         Not to keep the JS generated properties C array empty,
206         we added one small method, Reflect.deleteProperty in this patch.
207
208         * CMakeLists.txt:
209         * DerivedSources.make:
210         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
211         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
212         * JavaScriptCore.xcodeproj/project.pbxproj:
213         * builtins/ReflectObject.js: Added.
214         (deleteProperty):
215         * runtime/CommonIdentifiers.h:
216         * runtime/JSGlobalObject.cpp:
217         (JSC::JSGlobalObject::init):
218         * runtime/ReflectObject.cpp: Added.
219         (JSC::ReflectObject::ReflectObject):
220         (JSC::ReflectObject::finishCreation):
221         (JSC::ReflectObject::getOwnPropertySlot):
222         * runtime/ReflectObject.h: Added.
223         (JSC::ReflectObject::create):
224         (JSC::ReflectObject::createStructure):
225         * tests/stress/reflect-delete-property.js: Added.
226         (shouldBe):
227         (shouldThrow):
228
229 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
230
231         Avoid 2 times name iteration in Object.assign
232         https://bugs.webkit.org/show_bug.cgi?id=147268
233
234         Reviewed by Geoffrey Garen.
235
236         Object.assign calls Object.getOwnPropertyNames & Object.getOwnPropertySymbols to collect all the names.
237         But exposing the private API that collects both at the same time makes the API efficient when the given Object has so many non-indexed properties.
238         Since Object.assign is so generic API (some form of utility API), the form of the given Object is not expected.
239         So the taken object may have so many non-indexed properties.
240
241         In this patch, we introduce `ownEnumerablePropertyKeys` private function.
242         It is minor changed version of `[[OwnPropertyKeys]]` in the ES6 spec;
243         It only includes enumerable properties.
244
245         By filtering out the non-enumerable properties in the exposed private function,
246         we avoid calling @objectGetOwnPropertyDescriptor for each property at the same time.
247
248         * builtins/ObjectConstructor.js:
249         (assign):
250         * runtime/CommonIdentifiers.h:
251         * runtime/EnumerationMode.h:
252         * runtime/JSGlobalObject.cpp:
253         (JSC::JSGlobalObject::init):
254         * runtime/ObjectConstructor.cpp:
255         (JSC::ownEnumerablePropertyKeys):
256         * runtime/ObjectConstructor.h:
257         * tests/stress/object-assign-enumerable.js: Added.
258         (shouldBe):
259         * tests/stress/object-assign-order.js: Added.
260         (shouldBe):
261
262 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
263
264         Remove runtime flags for symbols
265         https://bugs.webkit.org/show_bug.cgi?id=147246
266
267         Reviewed by Alex Christensen.
268
269         * runtime/ArrayPrototype.cpp:
270         (JSC::ArrayPrototype::finishCreation):
271         * runtime/JSGlobalObject.cpp:
272         (JSC::JSGlobalObject::init): Deleted.
273         * runtime/JSGlobalObject.h:
274         * runtime/ObjectConstructor.cpp:
275         (JSC::ObjectConstructor::finishCreation):
276         * runtime/RuntimeFlags.h:
277
278 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
279
280         Object.getOwnPropertySymbols on large list takes very long
281         https://bugs.webkit.org/show_bug.cgi?id=146137
282
283         Reviewed by Mark Lam.
284
285         Before this patch, Object.getOwnPropertySymbols collects all the names including strings.
286         And after it's done, filter the names to only retrieve the symbols.
287         But it's so time consuming if the given object is a large non-holed array since it has
288         many indexed properties and all the indexes have to be converted to uniqued_strings and
289         added to the collection of property names (though they may not be of the requested type
290         and will be filtered out later)
291
292         This patch introduces PropertyNameMode.
293         We leverage this mode in 2 places.
294
295         1. PropertyNameArray side
296         It is set in PropertyNameArray and it filters the incoming added identifiers based on the mode.
297         It ensures that PropertyNameArray doesn't become so large in the pathological case.
298         And it ensures that non-expected typed keys by the filter (Symbols or Strings) are never added
299         to the property name array collections.
300         However it does not solve the whole problem because the huge array still incurs the many
301         "indexed property to uniqued string" conversion and the large iteration before adding the keys
302         to the property name array.
303
304         2. getOwnPropertyNames side
305         So we can use the PropertyNameMode in the caller side (getOwnPropertyNames) as a **hint**.
306         When the large iteration may occur, the caller side can use the PropertyNameMode as a hint to
307         avoid the iteration.
308         But we cannot exclusively rely on these caller side checks because it would require that we
309         exhaustively add the checks to all custom implementations of getOwnPropertyNames as well.
310         This process requires manual inspection of many pieces of code, and is error prone. Instead,
311         we only apply the caller side check in a few strategic places where it is known to yield
312         performance benefits; and we rely on the filter in PropertyNameArray::add() to reject the wrong
313         types of properties for all other calls to PropertyNameArray::add().
314
315         In this patch, there's a concept in use that is not clear just from reading the code, and hence
316         should be documented here. When selecting the PropertyNameMode for the PropertyNameArray to be
317         instantiated, we apply the following logic:
318
319         1. Only JavaScriptCore code is aware of ES6 Symbols.
320         We can assume that pre-existing external code that interfaces JSC are only looking for string named properties. This includes:
321             a. WebCore bindings
322             b. Serializer bindings
323             c. NPAPI bindings
324             d. Objective C bindings
325         2. In JSC, code that compute object storage space needs to iterate both Symbol and String named properties. Hence, use PropertyNameMode::Both.
326         3. In JSC, ES6 APIs that work with Symbols should use PropertyNameMode::Symbols.
327         4. In JSC, ES6 APIs that work with String named properties should use PropertyNameMode::Strings.
328
329         * API/JSObjectRef.cpp:
330         (JSObjectCopyPropertyNames):
331         * bindings/ScriptValue.cpp:
332         (Deprecated::jsToInspectorValue):
333         * bytecode/ObjectAllocationProfile.h:
334         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
335         * runtime/EnumerationMode.h:
336         (JSC::EnumerationMode::EnumerationMode):
337         (JSC::EnumerationMode::includeSymbolProperties): Deleted.
338         * runtime/GenericArgumentsInlines.h:
339         (JSC::GenericArguments<Type>::getOwnPropertyNames):
340         * runtime/JSGenericTypedArrayViewInlines.h:
341         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
342         * runtime/JSLexicalEnvironment.cpp:
343         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
344         * runtime/JSONObject.cpp:
345         (JSC::Stringifier::Stringifier):
346         (JSC::Stringifier::Holder::appendNextProperty):
347         (JSC::Walker::walk):
348         * runtime/JSObject.cpp:
349         (JSC::JSObject::getOwnPropertyNames):
350         * runtime/JSPropertyNameEnumerator.cpp:
351         (JSC::JSPropertyNameEnumerator::create):
352         * runtime/JSPropertyNameEnumerator.h:
353         (JSC::propertyNameEnumerator):
354         * runtime/JSSymbolTableObject.cpp:
355         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
356         * runtime/ObjectConstructor.cpp:
357         (JSC::objectConstructorGetOwnPropertyNames):
358         (JSC::objectConstructorGetOwnPropertySymbols):
359         (JSC::objectConstructorKeys):
360         (JSC::defineProperties):
361         (JSC::objectConstructorSeal):
362         (JSC::objectConstructorFreeze):
363         (JSC::objectConstructorIsSealed):
364         (JSC::objectConstructorIsFrozen):
365         * runtime/PropertyNameArray.h:
366         (JSC::PropertyNameArray::PropertyNameArray):
367         (JSC::PropertyNameArray::mode):
368         (JSC::PropertyNameArray::addKnownUnique):
369         (JSC::PropertyNameArray::add):
370         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
371         (JSC::PropertyNameArray::includeSymbolProperties):
372         (JSC::PropertyNameArray::includeStringProperties):
373         * runtime/StringObject.cpp:
374         (JSC::StringObject::getOwnPropertyNames):
375         * runtime/Structure.cpp:
376         (JSC::Structure::getPropertyNamesFromStructure):
377
378 2015-07-24  Saam barati  <saambarati1@gmail.com>
379
380         [ES6] Add support for default parameters
381         https://bugs.webkit.org/show_bug.cgi?id=38409
382
383         Reviewed by Filip Pizlo.
384
385         This patch implements ES6 default parameters according to the ES6
386         specification. This patch builds off the components introduced with 
387         "let" scoping and parsing function parameters in the same parser
388         arena as the function itself. "let" scoping allows functions with default 
389         parameter values to place their parameters under the TDZ. Parsing function
390         parameters in the same parser arena allows the FunctionParameters AST node
391         refer to ExpressionNodes.
392
393         The most subtle part of this patch is how we allocate lexical environments
394         when functions have default parameter values. If a function has default
395         parameter values then there must be a separate lexical environment for
396         its parameters. Then, the function's "var" lexical environment must have
397         the parameter lexical environment as its parent. The BytecodeGenerator
398         takes great care to not allocate the "var" lexical environment before its
399         really needed.
400
401         The "arguments" object for a function with default parameters will never be 
402         a mapped arugments object. It will always be a cloned arugments object.
403
404         * bytecompiler/BytecodeGenerator.cpp:
405         (JSC::BytecodeGenerator::generate):
406         (JSC::BytecodeGenerator::BytecodeGenerator):
407         (JSC::BytecodeGenerator::~BytecodeGenerator):
408         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
409         (JSC::BytecodeGenerator::initializeNextParameter):
410         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
411         (JSC::BytecodeGenerator::visibleNameForParameter):
412         (JSC::BytecodeGenerator::emitLoadGlobalObject):
413         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
414         (JSC::BytecodeGenerator::pushLexicalScope):
415         (JSC::BytecodeGenerator::popLexicalScope):
416         * bytecompiler/BytecodeGenerator.h:
417         (JSC::BytecodeGenerator::lastOpcodeID):
418         * bytecompiler/NodesCodegen.cpp:
419         (JSC::FunctionNode::emitBytecode):
420         * jit/JITOperations.cpp:
421         * parser/ASTBuilder.h:
422         (JSC::ASTBuilder::createElementList):
423         (JSC::ASTBuilder::createFormalParameterList):
424         (JSC::ASTBuilder::appendParameter):
425         (JSC::ASTBuilder::createClause):
426         (JSC::ASTBuilder::createClauseList):
427         * parser/Nodes.h:
428         (JSC::FunctionParameters::size):
429         (JSC::FunctionParameters::at):
430         (JSC::FunctionParameters::hasDefaultParameterValues):
431         (JSC::FunctionParameters::append):
432         * parser/Parser.cpp:
433         (JSC::Parser<LexerType>::parseVariableDeclarationList):
434         (JSC::Parser<LexerType>::createBindingPattern):
435         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
436         (JSC::Parser<LexerType>::parseDestructuringPattern):
437         (JSC::Parser<LexerType>::parseFormalParameters):
438         (JSC::Parser<LexerType>::parseFunctionParameters):
439         * parser/Parser.h:
440         (JSC::Scope::declareParameter):
441         * parser/SyntaxChecker.h:
442         (JSC::SyntaxChecker::createElementList):
443         (JSC::SyntaxChecker::createFormalParameterList):
444         (JSC::SyntaxChecker::appendParameter):
445         (JSC::SyntaxChecker::createClause):
446         (JSC::SyntaxChecker::createClauseList):
447         * tests/stress/es6-default-parameters.js: Added.
448         (assert):
449         (shouldThrow):
450         (shouldThrowSyntaxError):
451         (shouldThrowTDZ):
452         (basic):
453         (basicFunctionCaptureInDefault.basicFunctionCaptureInDefault.basicCaptured):
454         (basicCaptured.basicCaptured.tricky):
455         (strict):
456         (playground):
457         (scoping):
458         (augmentsArguments1):
459         (augmentsArguments2):
460         (augmentsArguments3):
461         (augmentsArguments4):
462         (augmentsArguments5):
463
464 2015-07-24  Xabier Rodriguez Calvar  <calvaris@igalia.com>
465
466         Remove JS Promise constructor unused piece of code
467         https://bugs.webkit.org/show_bug.cgi?id=147262
468
469         Reviewed by Geoffrey Garen.
470
471         * runtime/JSPromiseConstructor.cpp:
472         (JSC::constructPromise): Deleted.
473         * runtime/JSPromiseConstructor.h: Removed JSC::constructPromise.
474
475 2015-07-24  Mark Lam  <mark.lam@apple.com>
476
477         Add WASM files to vcxproj files.
478         https://bugs.webkit.org/show_bug.cgi?id=147264
479
480         Reviewed by Geoffrey Garen.
481
482         This is a follow up to http://trac.webkit.org/changeset/187254 where WASM files
483         were introduced but were not able to be added to the vcxproj files yet.
484
485         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
486         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
487
488 2015-07-23  Filip Pizlo  <fpizlo@apple.com>
489
490         DFG::safeToExecute() is wrong for MultiGetByOffset, doesn't consider the structures of the prototypes that get loaded from
491         https://bugs.webkit.org/show_bug.cgi?id=147250
492
493         Reviewed by Geoffrey Garen.
494         
495         This fixes a nasty - but currently benign - bug in DFG::safeToExecute(). That function
496         will tell you if hoisting a node to some point is safe in the sense that the node will
497         not crash the VM if it executes at that point. A node may be unsafe to execute if we
498         cannot prove that at that point, the memory it is loading is not garbage. This is a
499         necessarily loose notion - for example it's OK to hoist a load if we haven't proved
500         that the load makes semantic sense at that point, since anyway the place where the node
501         did get used will still be guarded by any such semantic checks. But because we may also
502         hoist uses of the load, we need to make sure that it doesn't produce a garbage value.
503         Also, we need to ensure that the load won't trap. Hence safeToExecute() returns true
504         anytime we can be sure that a node will not produce a garbage result (i.e. a malformed
505         JSValue or object pointer) and will not trap when executed at the point in question.
506         
507         The bug is that this verification isn't performed for the loads from prototypes inside
508         MultiGetByOffset. DFG::ByteCodeParser will guard MultiGetByOffset with CheckStructure's
509         on the prototypes. So, hypothetically, you might end up hoisting a MultiGetByOffset
510         above those structure checks, which would mean that we might load a value from a memory
511         location without knowing that the location is valid. It might then return the value
512         loaded.
513         
514         This never happens in practice. Those structure checks are more hoistable that the
515         MultiGetByOffset, since they read a strict subset of the MultiGetByOffset's abstract
516         heap reads. Also, we hoist in program order. So, those CheckStructure's will always be
517         hoisted before the MultiGetByOffset gets hoisted.
518         
519         But we should fix this anyway. DFG::safeToExecute() has a clear definition of what a
520         "true" return means for IR transformations, and it fails in satisfying that definition
521         for MultiGetByOffset.
522         
523         There are various approaches we can use for making this safe. I considered two:
524         
525         1) Have MultiGetByOffset refer to the prototypes it is loading from in IR, so that we
526            can check if it's safe to load from them.
527         
528         2) Turn off MultiGetByOffset hoisting when it will emit loads from prototypes, and the
529            prototype structure isn't being watched.
530         
531         I ended up using (2), because it will be the most natural solution once I finish
532         https://bugs.webkit.org/show_bug.cgi?id=146929. Already now, it's somewhat more natural
533         than (1) since that requires more extensive IR changes. Also, (2) will give us what we
534         want in *most* cases: we will usually watch the prototype structure, and we will
535         usually constant-fold loads from prototypes. Both of these usually-true things would
536         have to become false for MultiGetByOffset hoisting to be disabled by this change.
537         
538         This change also adds my attempt at a test, though it's not really a test of this bug.
539         This bug is currently benign. But, the test does at least trigger the logic to run,
540         which is better than nothing.
541
542         * dfg/DFGSafeToExecute.h:
543         (JSC::DFG::safeToExecute):
544         * tests/stress/multi-get-by-offset-hoist-around-structure-check.js: Added.
545         (foo):
546
547 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
548
549         Implement WebAssembly modules
550         https://bugs.webkit.org/show_bug.cgi?id=147222
551
552         Reviewed by Filip Pizlo.
553
554         Make JSWASMModule inherit from JSDestructibleObject so that the destructor is called.
555
556         * wasm/JSWASMModule.h:
557
558 2015-07-23  Alex Christensen  <achristensen@webkit.org>
559
560         Remove compile and runtime flags for promises.
561         https://bugs.webkit.org/show_bug.cgi?id=147244
562
563         Reviewed by Yusuke Suzuki.
564
565         * API/JSCallbackObjectFunctions.h:
566         (JSC::JSCallbackObject<Parent>::JSCallbackObject):
567         * API/JSContextRef.cpp:
568         (JSGlobalContextCreateInGroup):
569         * Configurations/FeatureDefines.xcconfig:
570         * inspector/JSInjectedScriptHost.cpp:
571         (Inspector::JSInjectedScriptHost::getInternalProperties):
572         * runtime/JSGlobalObject.cpp:
573         (JSC::JSGlobalObject::init):
574         (JSC::JSGlobalObject::visitChildren):
575         * runtime/JSGlobalObject.h:
576         (JSC::JSGlobalObject::create):
577         (JSC::JSGlobalObject::syntaxErrorConstructor):
578         (JSC::JSGlobalObject::typeErrorConstructor):
579         (JSC::JSGlobalObject::URIErrorConstructor):
580         (JSC::JSGlobalObject::promiseConstructor):
581         (JSC::JSGlobalObject::nullGetterFunction):
582         (JSC::JSGlobalObject::nullSetterFunction):
583         (JSC::JSGlobalObject::applyFunction):
584         (JSC::JSGlobalObject::definePropertyFunction):
585         (JSC::JSGlobalObject::arrayProtoValuesFunction):
586         (JSC::JSGlobalObject::initializePromiseFunction):
587         (JSC::JSGlobalObject::newPromiseDeferredFunction):
588         (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
589         (JSC::JSGlobalObject::regExpPrototype):
590         (JSC::JSGlobalObject::errorPrototype):
591         (JSC::JSGlobalObject::iteratorPrototype):
592         (JSC::JSGlobalObject::promisePrototype):
593         (JSC::JSGlobalObject::debuggerScopeStructure):
594         (JSC::JSGlobalObject::withScopeStructure):
595         (JSC::JSGlobalObject::iteratorResultStructure):
596         (JSC::JSGlobalObject::iteratorResultStructureOffset):
597         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
598         (JSC::JSGlobalObject::promiseStructure):
599         * runtime/JSPromise.cpp:
600         (JSC::JSPromise::result):
601         * runtime/JSPromise.h:
602         * runtime/JSPromiseConstructor.cpp:
603         (JSC::constructPromise):
604         * runtime/JSPromiseConstructor.h:
605         * runtime/JSPromiseDeferred.cpp:
606         (JSC::JSPromiseDeferred::visitChildren):
607         * runtime/JSPromiseDeferred.h:
608         * runtime/JSPromisePrototype.cpp:
609         (JSC::JSPromisePrototype::getOwnPropertySlot):
610         * runtime/JSPromisePrototype.h:
611         * runtime/RuntimeFlags.h:
612         * runtime/VM.cpp:
613         (JSC::VM::VM):
614         * runtime/VM.h:
615
616 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
617
618         Implement WebAssembly modules
619         https://bugs.webkit.org/show_bug.cgi?id=147222
620
621         Reviewed by Mark Lam.
622
623         Introducing the boilerplate data structure for the WebAssembly module.
624         WebAssembly functionality will be added in a subsequent patch.
625
626         * CMakeLists.txt:
627         * JavaScriptCore.xcodeproj/project.pbxproj:
628         * wasm/JSWASMModule.cpp: Added.
629         (JSC::JSWASMModule::visitChildren):
630         * wasm/JSWASMModule.h: Added.
631         (JSC::JSWASMModule::create):
632         (JSC::JSWASMModule::createStructure):
633         (JSC::JSWASMModule::JSWASMModule):
634
635 2015-07-23  Devin Rousso  <drousso@apple.com>
636
637         Web Inspector: Add a function to CSSCompletions to get a list of supported system fonts
638         https://bugs.webkit.org/show_bug.cgi?id=147009
639
640         Reviewed by Joseph Pecoraro.
641
642         * inspector/protocol/CSS.json: Added getSupportedSystemFontFamilyNames function.
643
644 2015-07-22  Sukolsak Sakshuwong  <sukolsak@gmail.com>
645
646         Add ENABLE_WEBASSEMBLY feature flag for WebAssembly
647         https://bugs.webkit.org/show_bug.cgi?id=147212
648
649         Reviewed by Filip Pizlo.
650
651         * Configurations/FeatureDefines.xcconfig:
652
653 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
654
655         Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time
656         https://bugs.webkit.org/show_bug.cgi?id=147218
657
658         Reviewed by Sam Weinig.
659         
660         I want to be able to take a UniquedStringImpl* and turn it into an identifierNumber at
661         various points in my work on https://bugs.webkit.org/show_bug.cgi?id=146929. Currently,
662         most Nodes that deal with identifiers use identifierNumbers and you can only create an
663         identifierNumber in BytecodeGenerator. DFG::ByteCodeParser does sort of have the
664         ability to create new identifierNumbers when inlining - it takes the inlined code's
665         identifiers and either gives them new numbers or reuses numbers from the enclosing
666         code.
667         
668         This patch takes that basic functionality and puts it in
669         DFG::DesiredIdentifiers::ensure(). Anyone can call this at any time to turn a
670         UniquedStringImpl* into an identifierNumber. This data structure is already used by
671         Plan to properly install any newly created identifier table entries into the CodeBlock.
672
673         * dfg/DFGByteCodeParser.cpp:
674         (JSC::DFG::ByteCodeParser::ByteCodeParser):
675         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
676         (JSC::DFG::ByteCodeParser::linkBlocks):
677         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
678         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): Deleted.
679         * dfg/DFGDesiredIdentifiers.cpp:
680         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
681         (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
682         (JSC::DFG::DesiredIdentifiers::ensure):
683         (JSC::DFG::DesiredIdentifiers::at):
684         (JSC::DFG::DesiredIdentifiers::addLazily): Deleted.
685         * dfg/DFGDesiredIdentifiers.h:
686
687 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
688
689         Simplify things like CompareEq(@x,@x)
690         https://bugs.webkit.org/show_bug.cgi?id=145850
691
692         Reviewed by Sam Weinig.
693         
694         This simplifies x==x to true, except in cases where x might be a double (in which case this
695         might still be false if x is NaN).
696
697         * dfg/DFGAbstractInterpreterInlines.h:
698         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
699         * tests/stress/nan-equal-untyped.js: Added.
700         (foo):
701         (test):
702         * tests/stress/nan-equal.js: Added.
703         (foo):
704
705 2015-07-22  Joseph Pecoraro  <pecoraro@apple.com>
706
707         Web Inspector: Timeline should immediately start moving play head when starting a new recording
708         https://bugs.webkit.org/show_bug.cgi?id=147210
709
710         Reviewed by Timothy Hatcher.
711
712         * inspector/protocol/Timeline.json:
713         Add timestamps to recordingStarted and recordingStopped events.
714
715 2015-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
716
717         Introducing construct ability into JS executables
718         https://bugs.webkit.org/show_bug.cgi?id=147183
719
720         Reviewed by Geoffrey Garen.
721
722         Decouple the construct ability from the builtin functions.
723         Currently, all builtin functions are not constructors after r182995.
724         In that patch, when the given function is builtin JS function, we recognize it as the non-constructor function.
725
726         But, we need to relax it to implement some constructors in builtins JS.
727         By decoupling the construct ability from whether the function is builtin or not, we can provide
728
729         1. constructors written in builtin JS
730         2. non-constructors in normal JS functions
731
732         (1) is needed for Promise constructor.
733         And (2) is needed for method functions and arrow functions.
734
735         This patch introduces ConstructAbility into the unlinked function executables.
736         It holds whether the given JS function has the construct ability or not.
737         By leveraging this, this patch disables the construct ability of the method definitions, setters, getters and arrow functions.
738
739         And at the same time, this patch introduces the annotation for constructor in builtin JS.
740         We can define the function as follows,
741
742             constructor Promise(executor)
743             {
744                 ...
745             }
746
747         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
748         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
749         * JavaScriptCore.xcodeproj/project.pbxproj:
750         * builtins/BuiltinExecutables.cpp:
751         (JSC::BuiltinExecutables::createDefaultConstructor):
752         (JSC::BuiltinExecutables::createExecutableInternal):
753         * builtins/BuiltinExecutables.h:
754         * builtins/Iterator.prototype.js:
755         (symbolIterator):
756         (SymbolIterator): Deleted.
757         * bytecode/UnlinkedCodeBlock.cpp:
758         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
759         * bytecode/UnlinkedCodeBlock.h:
760         * bytecompiler/BytecodeGenerator.h:
761         (JSC::BytecodeGenerator::makeFunction):
762         * generate-js-builtins:
763         (getCopyright):
764         (Function):
765         (Function.__init__):
766         (Function.mangleName):
767         (getFunctions):
768         (mangleName): Deleted.
769         * jit/JITOperations.cpp:
770         * llint/LLIntSlowPaths.cpp:
771         (JSC::LLInt::setUpCall):
772         * parser/Parser.cpp:
773         (JSC::Parser<LexerType>::parseClass):
774         * runtime/CodeCache.cpp:
775         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
776         * runtime/CommonIdentifiers.h:
777         * runtime/ConstructAbility.h: Copied from Source/JavaScriptCore/builtins/Iterator.prototype.js.
778         * runtime/Executable.h:
779         * runtime/JSFunction.cpp:
780         (JSC::JSFunction::getConstructData):
781         * runtime/JSGlobalObject.cpp:
782         (JSC::JSGlobalObject::init):
783         * tests/stress/non-constructors.js: Added.
784         (shouldThrow):
785         (.prototype.method):
786         (.prototype.get getter):
787         (.prototype.set setter):
788         (.method):
789         (.get shouldThrow):
790         (.set shouldThrow):
791         (set var.test.get getter):
792         (set var.test.set setter):
793         (set var.test.normal):
794         (.set var):
795         (.set new):
796
797 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
798
799         [JSC] Enable exception fuzzing for GCC too
800         https://bugs.webkit.org/show_bug.cgi?id=146831
801
802         Reviewed by Darin Adler.
803
804         * jit/JITOperations.cpp:
805
806 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
807
808         Fixed pool allocation should always be aligned
809         https://bugs.webkit.org/show_bug.cgi?id=147201
810
811         Reviewed by Simon Fraser.
812         
813         Passing an unaligned size to the allocator can cause asserts or even worse things. The
814         Options reservation value isn't going to be aligned.
815
816         * jit/ExecutableAllocatorFixedVMPool.cpp:
817         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
818
819 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
820
821         Enable STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE for GCC
822         https://bugs.webkit.org/show_bug.cgi?id=146829
823
824         Reviewed by Brent Fulgham.
825
826         * heap/GCAssertions.h:
827
828 2015-07-22  Alex Christensen  <achristensen@webkit.org>
829
830         Fix quirks in CMake build on Mac and Windows
831         https://bugs.webkit.org/show_bug.cgi?id=147174
832
833         Reviewed by Gyuyoung Kim.
834
835         * PlatformMac.cmake:
836         Add JSRemoteInspector.cpp and remove semicolon from command to make it actually run.
837
838 2015-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
839
840         Add newTarget accessor to JS constructor written in C++
841         https://bugs.webkit.org/show_bug.cgi?id=147160
842
843         Reviewed by Geoffrey Garen.
844
845         This patch adds `ExecState#newTarget()` which returns `new.target` defined in ECMA262 6th.
846         It enables some C++ constructors (like Intl.XXX constructors) to leverage this to complete
847         its implementation.
848
849         When the constructor is called, |this| in the arguments is used for storing new.target instead.
850         So by adding the accessor for |this|, JS constructor written in C++ can access new.target.
851
852         And at the same time, this patch extends the existing `construct` to accept new.target value.
853         It is corresponding to the spec's Construct abstract operation.
854
855         * interpreter/CallFrame.h:
856         (JSC::ExecState::newTarget):
857         * interpreter/Interpreter.cpp:
858         (JSC::Interpreter::executeConstruct):
859         * interpreter/Interpreter.h:
860         * runtime/ConstructData.cpp:
861         (JSC::construct):
862         * runtime/ConstructData.h:
863         (JSC::construct):
864
865 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
866
867         Unreviewed, fix a lot of tests. Need to initialize WTF threading sooner.
868
869         * jsc.cpp:
870         (main):
871
872 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
873
874         Fixed VM pool allocation should have a reserve for allocations that cannot fail
875         https://bugs.webkit.org/show_bug.cgi?id=147154
876         rdar://problem/21847618
877
878         Reviewed by Geoffrey Garen.
879         
880         This adds the notion of a JIT pool reserve fraction. Some fraction, currently 1/4, of
881         the JIT pool is reserved for allocations that cannot fail. It makes sense to make this
882         a fraction rather than a constant because each allocation that can fail may cause some
883         number of allocations that cannot fail (for example, the OSR exit thunks that we
884         compile when we exit from some CodeBlock cannot fail).
885         
886         I've tested this by adding a test mode where we artificially limit the JIT pool size.
887         Prior to the fix, we had >20 failures. Now we have none.
888
889         * heap/GCLogging.cpp:
890         (WTF::printInternal): I needed a dump method on Options members when debugging this.
891         * heap/GCLogging.h:
892         * jit/ExecutableAllocator.h: Raise the ARM64 limit to 32MB because 16MB is cutting it too close.
893         * jit/ExecutableAllocatorFixedVMPool.cpp:
894         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Add the ability to artificially limit JIT pool size for testing.
895         (JSC::ExecutableAllocator::memoryPressureMultiplier): Implement the reserve when computing memory pressure for JIT tier-up heuristics.
896         (JSC::ExecutableAllocator::allocate): Implement the reserve when allocating can-fail things.
897         * jsc.cpp: Rewire some options parsing so that CommandLine happens before we create the JIT pool.
898         (main):
899         (CommandLine::parseArguments):
900         (jscmain):
901         * runtime/Options.cpp: 
902         (JSC::OptionRange::dump): I needed a dump method on Options members when debugging this.
903         (JSC::Options::initialize): This can now be called more than once.
904         * runtime/Options.h:
905
906 2015-07-21  Saam barati  <saambarati1@gmail.com>
907
908         ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier"
909         https://bugs.webkit.org/show_bug.cgi?id=147156
910
911         Reviewed by Andreas Kling.
912
913         * parser/Nodes.h:
914
915 2015-07-21  Basile Clement  <basile_clement@apple.com>
916
917         Object allocation sinking phase is performing needless HashMap copies
918         https://bugs.webkit.org/show_bug.cgi?id=147159
919
920         Reviewed by Geoffrey Garen.
921
922         The points-to analyzer in the object allocation sinking phase is
923         currently performing copies of its allocation and pointers tables in
924         several places. While this is not a huge problem since those tables are
925         usually small and we are in the FTL path anyway, we still shouldn't be
926         doing such useless copying.
927
928         This patch also removes the DFGInsertOSRHintsForUpdate files that are
929         no longer needed with the new object sinking phase and should have been
930         removed in r186795.
931
932         * CMakeLists.txt:
933         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
934         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
935         * JavaScriptCore.xcodeproj/project.pbxproj:
936         * dfg/DFGInsertOSRHintsForUpdate.cpp: Removed.
937         (JSC::DFG::insertOSRHintsForUpdate): Deleted.
938         * dfg/DFGInsertOSRHintsForUpdate.h: Removed.
939         * dfg/DFGObjectAllocationSinkingPhase.cpp:
940
941 2015-07-21  Saam barati  <saambarati1@gmail.com>
942
943         DestructuringPatternNode and DestructuringAssignmentNode should be ParserArenaFreeable
944         https://bugs.webkit.org/show_bug.cgi?id=147140
945
946         Reviewed by Geoffrey Garen.
947
948         The descendants of DestructuringPatternNode that need destruction also
949         inherit from ParserArenaDeletable.
950
951         * parser/Nodes.h:
952         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
953         (JSC::ObjectPatternNode::appendEntry):
954         (JSC::DestructuringAssignmentNode::bindings):
955
956 2015-07-21  Keith Miller  <keith_miller@apple.com>
957
958         Add support for the new.target syntax.
959         https://bugs.webkit.org/show_bug.cgi?id=147051
960
961         Reviewed by Yusuke Suzuki.
962
963         Add support for new.target. Essentially the implementation is, before constructor calls,
964         the target of a "new" is placed where "this" noramlly goes in the calling convention.
965         Then in the constructor before object is initialized we move the target of the "new"
966         into a local variable.
967
968         * bytecompiler/BytecodeGenerator.cpp:
969         (JSC::BytecodeGenerator::BytecodeGenerator):
970         * bytecompiler/NodesCodegen.cpp:
971         (JSC::NewTargetNode::emitBytecode):
972         * parser/ASTBuilder.h:
973         (JSC::ASTBuilder::newTargetExpr):
974         * parser/NodeConstructors.h:
975         (JSC::NewTargetNode::NewTargetNode):
976         * parser/Nodes.h:
977         * parser/Parser.cpp:
978         (JSC::Parser<LexerType>::parseMemberExpression):
979         * parser/SyntaxChecker.h:
980         (JSC::SyntaxChecker::newTargetExpr):
981         * runtime/CommonIdentifiers.h:
982         * tests/stress/new-target.js: Added.
983         (test):
984         (call):
985         (Constructor.subCall):
986         (Constructor.SubConstructor):
987         (Constructor):
988         (noAssign):
989         (doWeirdThings):
990         (SuperClass):
991         (SubClass):
992
993 2015-07-20  Saam barati  <saambarati1@gmail.com>
994
995         "let" scoping introduced incoherent story about symbol table cloning
996         https://bugs.webkit.org/show_bug.cgi?id=147046
997
998         Reviewed by Filip Pizlo.
999
1000         This patch now establishes a clear set of rules for how SymbolTables
1001         are owned by CodeBlock. Every SymbolTable that is used by a bytecode
1002         instruction must live in CodeBlock's constant register pool. When CodeBlock
1003         is being linked, it ensures that every SymbolTable in the constant pool is cloned. 
1004         This leaves no room for an un-cloned symbol table to be used by a bytecode instruction. 
1005         Some instructions may refer to SymbolTable's indirectly through a JSLexicalEnvironment. 
1006         This is fine, all JSLexicalEnvironment's are allocated with references to cloned symbol tables.
1007
1008         Another goal of this patch is to remove the notion that a SymbolTable is 1 to 1 
1009         with a CodeBlock. With lexical scoping, this view of the world is no longer
1010         correct. This patch begins to remove this assumption by making CodeBlock's
1011         symbolTable() getter method private. There is still one place where we need
1012         to purge our codebase of this assumption and that is the type profiler. It 
1013         has not been updated for lexical scoping. After it is updated in 
1014         https://bugs.webkit.org/show_bug.cgi?id=145438
1015         we will be able to remove CodeBlock's symbolTable() getter entirely.
1016
1017         * bytecode/CodeBlock.cpp:
1018         (JSC::CodeBlock::CodeBlock):
1019         (JSC::CodeBlock::nameForRegister):
1020         * bytecode/CodeBlock.h:
1021         (JSC::CodeBlock::addStringSwitchJumpTable):
1022         (JSC::CodeBlock::stringSwitchJumpTable):
1023         (JSC::CodeBlock::evalCodeCache):
1024         (JSC::CodeBlock::symbolTable):
1025         * bytecode/UnlinkedCodeBlock.cpp:
1026         (JSC::UnlinkedFunctionExecutable::visitChildren):
1027         (JSC::UnlinkedFunctionExecutable::link):
1028         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
1029         * bytecode/UnlinkedCodeBlock.h:
1030         (JSC::UnlinkedCodeBlock::addExceptionHandler):
1031         (JSC::UnlinkedCodeBlock::exceptionHandler):
1032         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
1033         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
1034         (JSC::UnlinkedCodeBlock::symbolTable): Deleted.
1035         (JSC::UnlinkedCodeBlock::setSymbolTable): Deleted.
1036         * bytecompiler/BytecodeGenerator.cpp:
1037         (JSC::BytecodeGenerator::generate):
1038         (JSC::BytecodeGenerator::BytecodeGenerator):
1039         (JSC::BytecodeGenerator::pushLexicalScope):
1040         (JSC::BytecodeGenerator::variableForLocalEntry):
1041         (JSC::BytecodeGenerator::createVariable):
1042         (JSC::BytecodeGenerator::resolveType):
1043         (JSC::BytecodeGenerator::emitResolveScope):
1044         * bytecompiler/BytecodeGenerator.h:
1045         (JSC::BytecodeGenerator::thisRegister):
1046         (JSC::BytecodeGenerator::instructions):
1047         (JSC::BytecodeGenerator::symbolTable): Deleted.
1048         * dfg/DFGGraph.h:
1049         (JSC::DFG::Graph::baselineCodeBlockFor):
1050         (JSC::DFG::Graph::isStrictModeFor):
1051         (JSC::DFG::Graph::symbolTableFor): Deleted.
1052         * jit/AssemblyHelpers.h:
1053         (JSC::AssemblyHelpers::baselineCodeBlock):
1054         (JSC::AssemblyHelpers::argumentsStart):
1055         (JSC::AssemblyHelpers::symbolTableFor): Deleted.
1056         * runtime/CommonSlowPaths.cpp:
1057         (JSC::SLOW_PATH_DECL):
1058         * runtime/Executable.cpp:
1059         (JSC::FunctionExecutable::visitChildren):
1060         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
1061         (JSC::FunctionExecutable::symbolTable): Deleted.
1062         * runtime/Executable.h:
1063
1064 2015-07-18  Filip Pizlo  <fpizlo@apple.com>
1065
1066         REGRESSION(186691): OSR entry is broken on loop headers that have no live variables
1067         https://bugs.webkit.org/show_bug.cgi?id=147074
1068         rdar://problem/21869970
1069
1070         Reviewed by Michael Saboff.
1071         
1072         The OSR entry must-handle block/value widening introduced in r186691 would cause the
1073         CFA to reexecute if it caused any live local variables to change value. But this fails
1074         if the must-handle block has no live local variables, and the entry block otherwise
1075         appears to be unreachable.
1076         
1077         This fixes the bug by having the change detection include whether the block hadn't been
1078         visited in addition to whether any local variable values got widened.
1079         
1080         This is a ~4% speed-up on SunSpider in browser.
1081
1082         * dfg/DFGCFAPhase.cpp:
1083         (JSC::DFG::CFAPhase::run):
1084
1085 2015-07-20  Mark Lam  <mark.lam@apple.com>
1086
1087         Rollout r187020 and r187021: breaks JSC API tests on debug builds.
1088         https://bugs.webkit.org/show_bug.cgi?id=147110
1089
1090         * heap/MachineStackMarker.cpp:
1091         (JSC::MachineThreads::addCurrentThread):
1092         * runtime/JSLock.cpp:
1093         (JSC::JSLockHolder::~JSLockHolder):
1094         (JSC::JSLock::JSLock):
1095         (JSC::JSLock::willDestroyVM):
1096         (JSC::JSLock::setExclusiveThread):
1097         (JSC::JSLock::lock):
1098         (JSC::JSLock::unlock):
1099         (JSC::JSLock::currentThreadIsHoldingLock):
1100         (JSC::JSLock::dropAllLocks):
1101         * runtime/JSLock.h:
1102         (JSC::JSLock::vm):
1103         (JSC::JSLock::hasExclusiveThread):
1104         (JSC::JSLock::exclusiveThread):
1105         * runtime/VM.h:
1106         (JSC::VM::hasExclusiveThread):
1107         (JSC::VM::exclusiveThread):
1108         (JSC::VM::setExclusiveThread):
1109
1110 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
1111
1112         Unreviewed debug build fix after r187020.
1113
1114         * heap/MachineStackMarker.cpp:
1115         (JSC::MachineThreads::addCurrentThread):
1116         VM::exclusiveThread() has changed return type to ThreadIdentifier.
1117
1118 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
1119
1120         JavaScriptCore performance is very bad on Windows
1121         https://bugs.webkit.org/show_bug.cgi?id=146448
1122
1123         Reviewed by Mark Lam.
1124
1125         Profiling shows that std::this_thread::get_id() is slow on Windows.
1126         Use WTF::currentThread() instead, which calls GetCurrentThreadId().
1127         This is faster on Windows. The issue has been reported to Microsoft,
1128         https://connect.microsoft.com/VisualStudio/feedback/details/1558211.
1129
1130         * runtime/JSLock.cpp:
1131         (JSC::JSLockHolder::~JSLockHolder):
1132         (JSC::JSLock::JSLock):
1133         (JSC::JSLock::willDestroyVM):
1134         (JSC::JSLock::setExclusiveThread):
1135         (JSC::JSLock::lock):
1136         (JSC::JSLock::unlock):
1137         (JSC::JSLock::currentThreadIsHoldingLock):
1138         * runtime/JSLock.h:
1139         (JSC::JSLock::vm):
1140         (JSC::JSLock::hasExclusiveThread):
1141         (JSC::JSLock::exclusiveThread):
1142         * runtime/VM.h:
1143         (JSC::VM::hasExclusiveThread):
1144         (JSC::VM::exclusiveThread):
1145         (JSC::VM::setExclusiveThread):
1146
1147 2015-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1148
1149         In strict mode, `Object.keys(arguments)` includes "length"
1150         https://bugs.webkit.org/show_bug.cgi?id=147071
1151
1152         Reviewed by Darin Adler.
1153
1154         ClonedAguments didn't set the "length" with DontEnum.
1155
1156         * runtime/ClonedArguments.cpp:
1157         (JSC::ClonedArguments::createWithInlineFrame):
1158         (JSC::ClonedArguments::createByCopyingFrom):
1159         * tests/stress/arguments-length-always-dont-enum.js: Added.
1160         (shouldBe):
1161         (argsSloppy):
1162         (argsStrict):
1163
1164 2015-07-19  Jordan Harband  <ljharb@gmail.com>
1165
1166         new Date(NaN).toJSON() must return null instead of throwing a TypeError
1167         https://bugs.webkit.org/show_bug.cgi?id=141115
1168
1169         Reviewed by Yusuke Suzuki.
1170
1171         * runtime/DatePrototype.cpp:
1172         (JSC::dateProtoFuncToJSON):
1173
1174 2015-07-19  Saam barati  <saambarati1@gmail.com>
1175
1176         Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions
1177         https://bugs.webkit.org/show_bug.cgi?id=147090
1178
1179         Reviewed by Yusuke Suzuki.
1180
1181         ArrowFunction's have there ParserFunctionInfo "name" field to 
1182         be a non-null pointer. This is obviously allowed and valid except we 
1183         had a RELEASE_ASSERT that claimed otherwise. This is a mistake. 
1184
1185         Note: ArrowFunction's will never actually have a function name;
1186         there ParserFunctionInfo "name" field will be the empty string. 
1187         This is not be mistaken with the name field being a null pointer.
1188
1189         * parser/Parser.cpp:
1190         (JSC::Parser<LexerType>::parseFunctionInfo):
1191
1192 2015-07-18  Saam barati  <saambarati1@gmail.com>
1193
1194         [ES6] Add support for block scope const
1195         https://bugs.webkit.org/show_bug.cgi?id=31813
1196
1197         Reviewed by Filip Pizlo.
1198
1199         'const' is now implemented in an ES6 spec compliant manner.
1200         'const' variables are always block scoped and always live
1201         either on the stack or in a JSLexicalEnvironment. 'const'
1202         variables never live on the global object.
1203
1204         Inside the BytecodeGenerator, when assigning to a stack
1205         'const' variable or a LocalClosureVar 'const' variable,
1206         we will emit code that just throws a type error.
1207         When assigning to a ClosureVar const variable, CodeBlock linking
1208         will ensure that we perform a dynamic lookup of that variable so
1209         that put_to_scope's slow path throws a type error.
1210
1211         The old 'const' implementation has been removed in this patch.
1212
1213         * bytecode/BytecodeList.json:
1214         * bytecode/BytecodeUseDef.h:
1215         (JSC::computeUsesForBytecodeOffset):
1216         (JSC::computeDefsForBytecodeOffset):
1217         * bytecode/CodeBlock.cpp:
1218         (JSC::CodeBlock::dumpBytecode):
1219         (JSC::CodeBlock::CodeBlock):
1220         * bytecompiler/BytecodeGenerator.cpp:
1221         (JSC::BytecodeGenerator::BytecodeGenerator):
1222         (JSC::BytecodeGenerator::pushLexicalScope):
1223         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1224         (JSC::BytecodeGenerator::variable):
1225         (JSC::BytecodeGenerator::variableForLocalEntry):
1226         (JSC::BytecodeGenerator::createVariable):
1227         (JSC::BytecodeGenerator::emitResolveScope):
1228         (JSC::BytecodeGenerator::emitInstanceOf):
1229         (JSC::BytecodeGenerator::emitGetById):
1230         (JSC::BytecodeGenerator::isArgumentNumber):
1231         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1232         (JSC::BytecodeGenerator::emitEnumeration):
1233         (JSC::BytecodeGenerator::variablePerSymbolTable): Deleted.
1234         (JSC::BytecodeGenerator::emitInitGlobalConst): Deleted.
1235         * bytecompiler/BytecodeGenerator.h:
1236         (JSC::Variable::Variable):
1237         (JSC::Variable::isReadOnly):
1238         (JSC::Variable::isSpecial):
1239         (JSC::Variable::isConst):
1240         (JSC::BytecodeGenerator::thisRegister):
1241         (JSC::BytecodeGenerator::emitTypeOf):
1242         (JSC::BytecodeGenerator::emitIn):
1243         * bytecompiler/NodesCodegen.cpp:
1244         (JSC::PostfixNode::emitResolve):
1245         (JSC::PrefixNode::emitResolve):
1246         (JSC::ReadModifyResolveNode::emitBytecode):
1247         (JSC::AssignResolveNode::emitBytecode):
1248         (JSC::CommaNode::emitBytecode):
1249         (JSC::BindingNode::bindValue):
1250         (JSC::ConstDeclNode::emitCodeSingle): Deleted.
1251         (JSC::ConstDeclNode::emitBytecode): Deleted.
1252         (JSC::ConstStatementNode::emitBytecode): Deleted.
1253         * dfg/DFGByteCodeParser.cpp:
1254         (JSC::DFG::ByteCodeParser::parseBlock):
1255         * dfg/DFGCapabilities.cpp:
1256         (JSC::DFG::capabilityLevel):
1257         * jit/JIT.cpp:
1258         (JSC::JIT::privateCompileMainPass):
1259         * jit/JIT.h:
1260         * jit/JITPropertyAccess.cpp:
1261         (JSC::JIT::emit_op_put_to_arguments):
1262         (JSC::JIT::emit_op_init_global_const): Deleted.
1263         * jit/JITPropertyAccess32_64.cpp:
1264         (JSC::JIT::emit_op_put_to_arguments):
1265         (JSC::JIT::emit_op_init_global_const): Deleted.
1266         * llint/LowLevelInterpreter.asm:
1267         * llint/LowLevelInterpreter32_64.asm:
1268         * llint/LowLevelInterpreter64.asm:
1269         * parser/ASTBuilder.h:
1270         (JSC::ASTBuilder::createDeclarationStatement):
1271         (JSC::ASTBuilder::createEmptyVarExpression):
1272         (JSC::ASTBuilder::createDebugger):
1273         (JSC::ASTBuilder::appendStatement):
1274         (JSC::ASTBuilder::createVarStatement): Deleted.
1275         (JSC::ASTBuilder::createLetStatement): Deleted.
1276         (JSC::ASTBuilder::createConstStatement): Deleted.
1277         (JSC::ASTBuilder::appendConstDecl): Deleted.
1278         * parser/NodeConstructors.h:
1279         (JSC::CommaNode::CommaNode):
1280         (JSC::SourceElements::SourceElements):
1281         (JSC::SwitchNode::SwitchNode):
1282         (JSC::BlockNode::BlockNode):
1283         (JSC::ConstStatementNode::ConstStatementNode): Deleted.
1284         (JSC::ConstDeclNode::ConstDeclNode): Deleted.
1285         * parser/Nodes.h:
1286         (JSC::ConstDeclNode::hasInitializer): Deleted.
1287         (JSC::ConstDeclNode::ident): Deleted.
1288         * parser/Parser.cpp:
1289         (JSC::Parser<LexerType>::parseStatementListItem):
1290         (JSC::Parser<LexerType>::parseVariableDeclaration):
1291         (JSC::Parser<LexerType>::parseWhileStatement):
1292         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1293         (JSC::Parser<LexerType>::createBindingPattern):
1294         (JSC::Parser<LexerType>::parseDestructuringPattern):
1295         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
1296         (JSC::Parser<LexerType>::parseForStatement):
1297         (JSC::Parser<LexerType>::parseTryStatement):
1298         (JSC::Parser<LexerType>::parseFunctionInfo):
1299         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1300         (JSC::Parser<LexerType>::parseClass):
1301         (JSC::Parser<LexerType>::parseConstDeclaration): Deleted.
1302         (JSC::Parser<LexerType>::parseConstDeclarationList): Deleted.
1303         * parser/Parser.h:
1304         (JSC::isEvalNode):
1305         (JSC::isEvalNode<EvalNode>):
1306         (JSC::isArguments):
1307         (JSC::isEval):
1308         (JSC::isEvalOrArgumentsIdentifier):
1309         (JSC::Scope::Scope):
1310         (JSC::Scope::declareCallee):
1311         (JSC::Scope::declareVariable):
1312         (JSC::Scope::declareLexicalVariable):
1313         (JSC::Scope::hasDeclaredVariable):
1314         (JSC::Scope::allowsVarDeclarations):
1315         (JSC::Scope::allowsLexicalDeclarations):
1316         (JSC::Scope::declareParameter):
1317         (JSC::Scope::declareBoundParameter):
1318         (JSC::Parser::destructuringKindFromDeclarationType):
1319         (JSC::Parser::assignmentContextFromDeclarationType):
1320         (JSC::Parser::isEvalOrArguments):
1321         (JSC::Parser::currentScope):
1322         (JSC::Parser::popScope):
1323         (JSC::Parser::declareVariable):
1324         (JSC::Parser::hasDeclaredVariable):
1325         (JSC::Parser::setStrictMode):
1326         (JSC::Parser::strictMode):
1327         (JSC::Parser::isValidStrictMode):
1328         (JSC::Parser::declareParameter):
1329         (JSC::Parser::declareBoundParameter):
1330         (JSC::Parser::breakIsValid):
1331         * parser/SyntaxChecker.h:
1332         (JSC::SyntaxChecker::createForInLoop):
1333         (JSC::SyntaxChecker::createForOfLoop):
1334         (JSC::SyntaxChecker::createEmptyStatement):
1335         (JSC::SyntaxChecker::createDeclarationStatement):
1336         (JSC::SyntaxChecker::createReturnStatement):
1337         (JSC::SyntaxChecker::createBreakStatement):
1338         (JSC::SyntaxChecker::createVarStatement): Deleted.
1339         (JSC::SyntaxChecker::createLetStatement): Deleted.
1340         * parser/VariableEnvironment.h:
1341         (JSC::VariableEnvironmentEntry::isCaptured):
1342         (JSC::VariableEnvironmentEntry::isConst):
1343         (JSC::VariableEnvironmentEntry::isVar):
1344         (JSC::VariableEnvironmentEntry::isLet):
1345         (JSC::VariableEnvironmentEntry::setIsCaptured):
1346         (JSC::VariableEnvironmentEntry::setIsConst):
1347         (JSC::VariableEnvironmentEntry::setIsVar):
1348         (JSC::VariableEnvironmentEntry::setIsLet):
1349         (JSC::VariableEnvironmentEntry::isConstant): Deleted.
1350         (JSC::VariableEnvironmentEntry::setIsConstant): Deleted.
1351         * runtime/Executable.cpp:
1352         (JSC::ProgramExecutable::initializeGlobalProperties):
1353         * runtime/JSGlobalObject.cpp:
1354         (JSC::JSGlobalObject::defineOwnProperty):
1355         (JSC::JSGlobalObject::addGlobalVar):
1356         (JSC::JSGlobalObject::addFunction):
1357         (JSC::lastInPrototypeChain):
1358         * runtime/JSGlobalObject.h:
1359         (JSC::JSGlobalObject::finishCreation):
1360         (JSC::JSGlobalObject::addVar):
1361         (JSC::JSGlobalObject::addConst): Deleted.
1362         * runtime/JSLexicalEnvironment.cpp:
1363         (JSC::JSLexicalEnvironment::symbolTablePut):
1364         * tests/stress/const-and-with-statement.js: Added.
1365         (truth):
1366         (assert):
1367         (shouldThrowInvalidConstAssignment):
1368         (.):
1369         * tests/stress/const-exception-handling.js: Added.
1370         (truth):
1371         (assert):
1372         (.):
1373         * tests/stress/const-loop-semantics.js: Added.
1374         (truth):
1375         (assert):
1376         (shouldThrowInvalidConstAssignment):
1377         (.):
1378         * tests/stress/const-not-strict-mode.js: Added.
1379         (truth):
1380         (assert):
1381         (shouldThrowTDZ):
1382         (.):
1383         * tests/stress/const-semantics.js: Added.
1384         (truth):
1385         (assert):
1386         (shouldThrowInvalidConstAssignment):
1387         (.):
1388         * tests/stress/const-tdz.js: Added.
1389         (truth):
1390         (assert):
1391         (shouldThrowTDZ):
1392         (.):
1393
1394 2015-07-18  Saam barati  <saambarati1@gmail.com>
1395
1396         lexical scoping is broken with respect to "break" and "continue"
1397         https://bugs.webkit.org/show_bug.cgi?id=147063
1398
1399         Reviewed by Filip Pizlo.
1400
1401         Bug #142944 which introduced "let" and lexical scoping
1402         didn't properly hook into the bytecode generator's machinery
1403         for calculating scope depth deltas for "break" and "continue". This
1404         resulted in the bytecode generator popping an incorrect number
1405         of scopes when lexical scopes were involved.
1406
1407         This patch fixes this problem and generalizes this machinery a bit.
1408         This patch also renames old functions in a sensible way that is more
1409         coherent in a world with lexical scoping.
1410
1411         * bytecompiler/BytecodeGenerator.cpp:
1412         (JSC::BytecodeGenerator::BytecodeGenerator):
1413         (JSC::BytecodeGenerator::newLabelScope):
1414         (JSC::BytecodeGenerator::emitProfileType):
1415         (JSC::BytecodeGenerator::pushLexicalScope):
1416         (JSC::BytecodeGenerator::popLexicalScope):
1417         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1418         (JSC::BytecodeGenerator::resolveType):
1419         (JSC::BytecodeGenerator::emitResolveScope):
1420         (JSC::BytecodeGenerator::emitGetFromScope):
1421         (JSC::BytecodeGenerator::emitPutToScope):
1422         (JSC::BytecodeGenerator::emitPushWithScope):
1423         (JSC::BytecodeGenerator::emitGetParentScope):
1424         (JSC::BytecodeGenerator::emitPopScope):
1425         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
1426         (JSC::BytecodeGenerator::emitPopScopes):
1427         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
1428         (JSC::BytecodeGenerator::localScopeDepth):
1429         (JSC::BytecodeGenerator::labelScopeDepth):
1430         (JSC::BytecodeGenerator::emitThrowReferenceError):
1431         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1432         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
1433         (JSC::BytecodeGenerator::popScopedControlFlowContext):
1434         (JSC::BytecodeGenerator::emitPushCatchScope):
1435         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
1436         * bytecompiler/BytecodeGenerator.h:
1437         (JSC::BytecodeGenerator::hasFinaliser):
1438         (JSC::BytecodeGenerator::scopeDepth): Deleted.
1439         * bytecompiler/NodesCodegen.cpp:
1440         (JSC::ContinueNode::trivialTarget):
1441         (JSC::BreakNode::trivialTarget):
1442         (JSC::ReturnNode::emitBytecode):
1443         (JSC::WithNode::emitBytecode):
1444         (JSC::TryNode::emitBytecode):
1445         * tests/stress/lexical-scoping-break-continue.js: Added.
1446         (assert):
1447         (.):
1448
1449 2015-07-18  Commit Queue  <commit-queue@webkit.org>
1450
1451         Unreviewed, rolling out r186996.
1452         https://bugs.webkit.org/show_bug.cgi?id=147070
1453
1454         Broke JSC tests (Requested by smfr on #webkit).
1455
1456         Reverted changeset:
1457
1458         "lexical scoping is broken with respect to "break" and
1459         "continue""
1460         https://bugs.webkit.org/show_bug.cgi?id=147063
1461         http://trac.webkit.org/changeset/186996
1462
1463 2015-07-18  Saam barati  <saambarati1@gmail.com>
1464
1465         lexical scoping is broken with respect to "break" and "continue"
1466         https://bugs.webkit.org/show_bug.cgi?id=147063
1467
1468         Reviewed by Filip Pizlo.
1469
1470         Bug #142944 which introduced "let" and lexical scoping
1471         didn't properly hook into the bytecode generator's machinery
1472         for calculating scope depth deltas for "break" and "continue". This
1473         resulted in the bytecode generator popping an incorrect number
1474         of scopes when lexical scopes were involved.
1475
1476         This patch fixes this problem and generalizes this machinery a bit.
1477         This patch also renames old functions in a sensible way that is more
1478         coherent in a world with lexical scoping.
1479
1480         * bytecompiler/BytecodeGenerator.cpp:
1481         (JSC::BytecodeGenerator::BytecodeGenerator):
1482         (JSC::BytecodeGenerator::newLabelScope):
1483         (JSC::BytecodeGenerator::emitProfileType):
1484         (JSC::BytecodeGenerator::pushLexicalScope):
1485         (JSC::BytecodeGenerator::popLexicalScope):
1486         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1487         (JSC::BytecodeGenerator::resolveType):
1488         (JSC::BytecodeGenerator::emitResolveScope):
1489         (JSC::BytecodeGenerator::emitGetFromScope):
1490         (JSC::BytecodeGenerator::emitPutToScope):
1491         (JSC::BytecodeGenerator::emitPushWithScope):
1492         (JSC::BytecodeGenerator::emitGetParentScope):
1493         (JSC::BytecodeGenerator::emitPopScope):
1494         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
1495         (JSC::BytecodeGenerator::emitPopScopes):
1496         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
1497         (JSC::BytecodeGenerator::localScopeDepth):
1498         (JSC::BytecodeGenerator::labelScopeDepth):
1499         (JSC::BytecodeGenerator::emitThrowReferenceError):
1500         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1501         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
1502         (JSC::BytecodeGenerator::popScopedControlFlowContext):
1503         (JSC::BytecodeGenerator::emitPushCatchScope):
1504         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
1505         * bytecompiler/BytecodeGenerator.h:
1506         (JSC::BytecodeGenerator::hasFinaliser):
1507         (JSC::BytecodeGenerator::scopeDepth): Deleted.
1508         * bytecompiler/NodesCodegen.cpp:
1509         (JSC::ContinueNode::trivialTarget):
1510         (JSC::BreakNode::trivialTarget):
1511         (JSC::ReturnNode::emitBytecode):
1512         (JSC::WithNode::emitBytecode):
1513         (JSC::TryNode::emitBytecode):
1514         * tests/stress/lexical-scoping-break-continue.js: Added.
1515         (assert):
1516         (.):
1517
1518 2015-07-17  Filip Pizlo  <fpizlo@apple.com>
1519
1520         DFG should have some obvious mitigations against watching structures that are unprofitable to watch
1521         https://bugs.webkit.org/show_bug.cgi?id=147034
1522
1523         Reviewed by Mark Lam and Michael Saboff.
1524         
1525         This implements two guards against the DFG watching structures that are likely to fire
1526         their watchpoints:
1527         
1528         - Don't watch dictionaries or any structure that had a dictionary in its past. Dictionaries
1529           can be flattened, and then they can transform back to dictionaries.
1530         
1531         - Don't watch structures whose past structures were transitioned-away from while their
1532           transition watchpoints were being watched. This property gives us monotonicity: if we
1533           recompile because we watched structure S1 of object O, then we won't make the same mistake
1534           again when object O has structure S2, S3, and so on.
1535         
1536         This is a 1.5% speed-up on Kraken. It does penalize some Octane tests, but it also seems to
1537         help some of them, so on Octane it's basically neutral.
1538
1539         * bytecode/Watchpoint.h:
1540         (JSC::WatchpointSet::invalidate):
1541         (JSC::WatchpointSet::isBeingWatched):
1542         (JSC::WatchpointSet::addressOfState):
1543         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
1544         (JSC::InlineWatchpointSet::touch):
1545         (JSC::InlineWatchpointSet::isBeingWatched):
1546         * runtime/JSGlobalObject.h:
1547         (JSC::JSGlobalObject::createStructure):
1548         (JSC::JSGlobalObject::registerWeakMap):
1549         * runtime/Structure.cpp:
1550         (JSC::Structure::Structure):
1551         (JSC::Structure::toDictionaryTransition):
1552         (JSC::Structure::didTransitionFromThisStructure):
1553         * runtime/Structure.h:
1554
1555 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
1556
1557         Remove DFG::DesiredWriteBarriers because it's just a very difficult way of saying "please barrier the machine code block owner"
1558         https://bugs.webkit.org/show_bug.cgi?id=147030
1559
1560         Reviewed by Andreas Kling.
1561         
1562         All of the users of DesiredWriteBarriers were just using it to request that Plan
1563         finalization executes a barrier on codeBlock->ownerExecutable. Indeed, that's the only
1564         owning cell in the heap that compilation affects. So, we might as well just have Plan
1565         unconditionally execute that barrier and then we don't need DesiredWriteBarriers at
1566         all.
1567
1568         * CMakeLists.txt:
1569         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1570         * JavaScriptCore.xcodeproj/project.pbxproj:
1571         * dfg/DFGByteCodeParser.cpp:
1572         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1573         * dfg/DFGDesiredWriteBarriers.cpp: Removed.
1574         * dfg/DFGDesiredWriteBarriers.h: Removed.
1575         * dfg/DFGGraph.cpp:
1576         (JSC::DFG::Graph::registerFrozenValues):
1577         * dfg/DFGPlan.cpp:
1578         (JSC::DFG::Plan::reallyAdd):
1579         (JSC::DFG::Plan::notifyCompiling):
1580         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1581         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1582         (JSC::DFG::Plan::cancel):
1583         * dfg/DFGPlan.h:
1584
1585 2015-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1586
1587         Integrate automatic microtask draining into JSC framework and re-enable Promise
1588         https://bugs.webkit.org/show_bug.cgi?id=146828
1589
1590         Reviewed by Sam Weinig.
1591
1592         Add automatic microtask draining system into JSC framework.
1593         When the depth of VM lock becomes 0, before this, we drain the queued microtasks.
1594         Enqueuing behavior can be injected by the JSGlobalObject's method table.
1595         It is utilized in WebCore to post the microtask to WebCore's event loop.
1596
1597         In the case of JSC interactive shell, VM depth is always greater than 0.
1598         So we manually drains the queued microtasks after evaluating the written line.
1599
1600         Since now JSC framework has the microtask queue, we can drain the queued microtasks.
1601         So re-enable the Promise in the JSC framework context.
1602
1603         * API/JSContextRef.cpp:
1604         (javaScriptRuntimeFlags): Deleted.
1605         * API/tests/testapi.c:
1606         (main):
1607         * API/tests/testapi.mm:
1608         (testObjectiveCAPIMain):
1609         * jsc.cpp:
1610         (runInteractive):
1611         * runtime/JSGlobalObject.cpp:
1612         (JSC::JSGlobalObject::queueMicrotask):
1613         * runtime/JSLock.cpp:
1614         (JSC::JSLock::willReleaseLock):
1615         * runtime/VM.cpp:
1616         (JSC::VM::queueMicrotask):
1617         (JSC::VM::drainMicrotasks):
1618         (JSC::QueuedTask::run):
1619         * runtime/VM.h:
1620         (JSC::QueuedTask::QueuedTask):
1621
1622 2015-07-17  Saam barati  <saambarati1@gmail.com>
1623
1624         Function parameters should be parsed in the same parser arena as the function body
1625         https://bugs.webkit.org/show_bug.cgi?id=145995
1626
1627         Reviewed by Yusuke Suzuki.
1628
1629         This patch changes how functions are parsed in JSC. A function's
1630         parameters are now parsed in the same arena as the function itself.
1631         This allows us to arena allocate all destructuring AST nodes and
1632         the FunctionParameters node. This will help make implementing ES6
1633         default parameter values sane.
1634
1635         A source code that represents a function now includes the text of the function's 
1636         parameters. The starting offset is at the opening parenthesis of the parameter
1637         list or at the starting character of the identifier for arrow functions that
1638         have single arguments and don't start with parenthesis.
1639
1640         For example:
1641
1642         "function (param1, param2) { ... }"
1643                                    ^
1644                                    | This offset used to be the starting offset of a function's SourceCode
1645                   ^
1646                   | This is the new starting offset for a function's SourceCode.
1647
1648         This requires us to change how some offsets are calculated
1649         and also requires us to report some different line numbers for internal
1650         metrics that use a SourceCode's starting line and column numbers.
1651
1652         This patch also does a bit of cleanup with regards to how
1653         functions are parsed in general (especially arrow functions).
1654         It removes some unnecessary #ifdefs and the likes for arrow
1655         to make things clearer and more deliberate.
1656
1657         * API/JSScriptRef.cpp:
1658         (parseScript):
1659         * builtins/BuiltinExecutables.cpp:
1660         (JSC::BuiltinExecutables::createExecutableInternal):
1661         * bytecode/UnlinkedCodeBlock.cpp:
1662         (JSC::generateFunctionCodeBlock):
1663         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1664         (JSC::UnlinkedFunctionExecutable::visitChildren):
1665         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
1666         * bytecode/UnlinkedCodeBlock.h:
1667         * bytecompiler/NodesCodegen.cpp:
1668         (JSC::DestructuringAssignmentNode::emitBytecode):
1669         (JSC::assignDefaultValueIfUndefined):
1670         (JSC::ArrayPatternNode::collectBoundIdentifiers):
1671         (JSC::DestructuringPatternNode::~DestructuringPatternNode): Deleted.
1672         * parser/ASTBuilder.h:
1673         (JSC::ASTBuilder::createClassExpr):
1674         (JSC::ASTBuilder::createFunctionExpr):
1675         (JSC::ASTBuilder::createFunctionBody):
1676         (JSC::ASTBuilder::createArrowFunctionExpr):
1677         (JSC::ASTBuilder::createGetterOrSetterProperty):
1678         (JSC::ASTBuilder::createElementList):
1679         (JSC::ASTBuilder::createFormalParameterList):
1680         (JSC::ASTBuilder::appendParameter):
1681         (JSC::ASTBuilder::createClause):
1682         (JSC::ASTBuilder::createClauseList):
1683         (JSC::ASTBuilder::createFuncDeclStatement):
1684         (JSC::ASTBuilder::createForInLoop):
1685         (JSC::ASTBuilder::createForOfLoop):
1686         (JSC::ASTBuilder::isResolve):
1687         (JSC::ASTBuilder::createDestructuringAssignment):
1688         (JSC::ASTBuilder::createArrayPattern):
1689         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
1690         (JSC::ASTBuilder::appendArrayPatternEntry):
1691         (JSC::ASTBuilder::appendArrayPatternRestEntry):
1692         (JSC::ASTBuilder::finishArrayPattern):
1693         (JSC::ASTBuilder::createObjectPattern):
1694         (JSC::ASTBuilder::appendObjectPatternEntry):
1695         (JSC::ASTBuilder::createBindingLocation):
1696         (JSC::ASTBuilder::setEndOffset):
1697         * parser/Lexer.cpp:
1698         (JSC::Lexer<T>::Lexer):
1699         (JSC::Lexer<T>::nextTokenIsColon):
1700         (JSC::Lexer<T>::setTokenPosition):
1701         (JSC::Lexer<T>::lex):
1702         (JSC::Lexer<T>::clear):
1703         * parser/Lexer.h:
1704         (JSC::Lexer::setIsReparsingFunction):
1705         (JSC::Lexer::isReparsingFunction):
1706         (JSC::Lexer::lineNumber):
1707         (JSC::Lexer::setIsReparsing): Deleted.
1708         (JSC::Lexer::isReparsing): Deleted.
1709         * parser/NodeConstructors.h:
1710         (JSC::TryNode::TryNode):
1711         (JSC::FunctionParameters::FunctionParameters):
1712         (JSC::FuncExprNode::FuncExprNode):
1713         (JSC::FuncDeclNode::FuncDeclNode):
1714         (JSC::ArrayPatternNode::ArrayPatternNode):
1715         (JSC::ObjectPatternNode::ObjectPatternNode):
1716         (JSC::BindingNode::BindingNode):
1717         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
1718         (JSC::ParameterNode::ParameterNode): Deleted.
1719         (JSC::ArrayPatternNode::create): Deleted.
1720         (JSC::ObjectPatternNode::create): Deleted.
1721         (JSC::BindingNode::create): Deleted.
1722         * parser/Nodes.cpp:
1723         (JSC::ProgramNode::ProgramNode):
1724         (JSC::EvalNode::EvalNode):
1725         (JSC::FunctionBodyNode::FunctionBodyNode):
1726         (JSC::FunctionBodyNode::finishParsing):
1727         (JSC::FunctionNode::FunctionNode):
1728         (JSC::FunctionNode::finishParsing):
1729         (JSC::FunctionParameters::create): Deleted.
1730         (JSC::FunctionParameters::FunctionParameters): Deleted.
1731         (JSC::FunctionParameters::~FunctionParameters): Deleted.
1732         * parser/Nodes.h:
1733         (JSC::ProgramNode::startColumn):
1734         (JSC::ProgramNode::endColumn):
1735         (JSC::EvalNode::startColumn):
1736         (JSC::EvalNode::endColumn):
1737         (JSC::FunctionParameters::size):
1738         (JSC::FunctionParameters::at):
1739         (JSC::FunctionParameters::append):
1740         (JSC::FuncExprNode::body):
1741         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
1742         (JSC::DestructuringPatternNode::isBindingNode):
1743         (JSC::DestructuringPatternNode::emitDirectBinding):
1744         (JSC::ArrayPatternNode::appendIndex):
1745         (JSC::ObjectPatternNode::appendEntry):
1746         (JSC::BindingNode::boundProperty):
1747         (JSC::BindingNode::divotStart):
1748         (JSC::BindingNode::divotEnd):
1749         (JSC::DestructuringAssignmentNode::bindings):
1750         (JSC::FuncDeclNode::body):
1751         (JSC::ParameterNode::pattern): Deleted.
1752         (JSC::ParameterNode::nextParam): Deleted.
1753         (JSC::FunctionParameters::patterns): Deleted.
1754         * parser/Parser.cpp:
1755         (JSC::Parser<LexerType>::Parser):
1756         (JSC::Parser<LexerType>::~Parser):
1757         (JSC::Parser<LexerType>::parseInner):
1758         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
1759         (JSC::Parser<LexerType>::parseSourceElements):
1760         (JSC::Parser<LexerType>::createBindingPattern):
1761         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
1762         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
1763         (JSC::Parser<LexerType>::parseSwitchClauses):
1764         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
1765         (JSC::Parser<LexerType>::parseBlockStatement):
1766         (JSC::Parser<LexerType>::parseStatement):
1767         (JSC::Parser<LexerType>::parseFormalParameters):
1768         (JSC::Parser<LexerType>::parseFunctionBody):
1769         (JSC::stringForFunctionMode):
1770         (JSC::Parser<LexerType>::parseFunctionParameters):
1771         (JSC::Parser<LexerType>::parseFunctionInfo):
1772         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1773         (JSC::Parser<LexerType>::parseClass):
1774         (JSC::Parser<LexerType>::parsePrimaryExpression):
1775         (JSC::Parser<LexerType>::parseMemberExpression):
1776         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1777         (JSC::operatorString):
1778         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody): Deleted.
1779         * parser/Parser.h:
1780         (JSC::Parser::positionBeforeLastNewline):
1781         (JSC::Parser::locationBeforeLastToken):
1782         (JSC::Parser::findCachedFunctionInfo):
1783         (JSC::Parser::isofToken):
1784         (JSC::Parser::isEndOfArrowFunction):
1785         (JSC::Parser::isArrowFunctionParamters):
1786         (JSC::Parser::tokenStart):
1787         (JSC::Parser::isLETMaskedAsIDENT):
1788         (JSC::Parser::autoSemiColon):
1789         (JSC::Parser::setEndOfStatement):
1790         (JSC::Parser::canRecurse):
1791         (JSC::Parser<LexerType>::parse):
1792         (JSC::parse):
1793         * parser/ParserFunctionInfo.h:
1794         * parser/ParserModes.h:
1795         (JSC::functionNameIsInScope):
1796         * parser/SourceCode.h:
1797         (JSC::makeSource):
1798         (JSC::SourceCode::subExpression):
1799         (JSC::SourceCode::subArrowExpression): Deleted.
1800         * parser/SourceProviderCache.h:
1801         (JSC::SourceProviderCache::get):
1802         * parser/SourceProviderCacheItem.h:
1803         (JSC::SourceProviderCacheItem::endFunctionToken):
1804         (JSC::SourceProviderCacheItem::usedVariables):
1805         (JSC::SourceProviderCacheItem::writtenVariables):
1806         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1807         * parser/SyntaxChecker.h:
1808         (JSC::SyntaxChecker::SyntaxChecker):
1809         (JSC::SyntaxChecker::createClassExpr):
1810         (JSC::SyntaxChecker::createFunctionExpr):
1811         (JSC::SyntaxChecker::createFunctionBody):
1812         (JSC::SyntaxChecker::createArrowFunctionExpr):
1813         (JSC::SyntaxChecker::setFunctionNameStart):
1814         (JSC::SyntaxChecker::createArguments):
1815         (JSC::SyntaxChecker::createPropertyList):
1816         (JSC::SyntaxChecker::createElementList):
1817         (JSC::SyntaxChecker::createFormalParameterList):
1818         (JSC::SyntaxChecker::appendParameter):
1819         (JSC::SyntaxChecker::createClause):
1820         (JSC::SyntaxChecker::createClauseList):
1821         * runtime/CodeCache.cpp:
1822         (JSC::CodeCache::getGlobalCodeBlock):
1823         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1824         * runtime/Completion.cpp:
1825         (JSC::checkSyntax):
1826         * runtime/Executable.cpp:
1827         (JSC::ProgramExecutable::checkSyntax):
1828         * tests/controlFlowProfiler/conditional-expression.js:
1829         (testConditionalFunctionCall):
1830
1831 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
1832
1833         Unreviewed, fix build for newer LLVMs.
1834
1835         * llvm/LLVMHeaders.h:
1836         * llvm/library/LLVMExports.cpp:
1837
1838 2015-07-16  Mark Lam  <mark.lam@apple.com>
1839
1840         RegExp::match() should set m_state to ByteCode if compilation fails.
1841         https://bugs.webkit.org/show_bug.cgi?id=147023
1842
1843         Reviewed by Michael Saboff.
1844
1845         A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
1846         If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
1847         Subsequently, if RegExp tries to compile another one of these but fails, m_state
1848         will be left untouched i.e. it still says JITCode.  As a result, when
1849         RegExp::match() later tries to execute the non-existant compiled code, it will
1850         crash.
1851
1852         The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
1853         This failure should be rare.  We'll do the minimal work here to fix the issue and
1854         keep an eye on the perf bots.  If perf regresses, we can do some optimization work then.
1855
1856         This issue is difficult to test for since it either requires a low memory condition
1857         to trigger a failed RegExp compilation at the right moment, or for the RegExp to
1858         succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
1859         Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
1860         10 compilation attempts.
1861
1862         * runtime/RegExp.cpp:
1863         (JSC::RegExp::compile):
1864         (JSC::RegExp::compileMatchOnly):
1865
1866 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
1867
1868         [Win] Fix armv7 build.
1869
1870         * jit/CCallHelpers.h:
1871         (JSC::CCallHelpers::setupArgumentsWithExecState): The 64-bit argument
1872         version of poke is not available on armv7 builds.
1873
1874 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
1875
1876         [Win] 64-bit Build Failure
1877         https://bugs.webkit.org/show_bug.cgi?id=146989
1878
1879         Reviewed by Mark Lam.
1880
1881         * jit/CCallHelpers.h:
1882         (JSC::CCallHelpers::setupArgumentsWithExecState): Add missing
1883         declaration for 64-bit type on 4-argument register machines (like
1884         Windows).
1885
1886 2015-07-15  Saam barati  <saambarati1@gmail.com>
1887
1888         [ES6] implement block scoping to enable 'let'
1889         https://bugs.webkit.org/show_bug.cgi?id=142944
1890
1891         Reviewed by Filip Pizlo.
1892
1893         * CMakeLists.txt:
1894         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1895         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1896         * JavaScriptCore.xcodeproj/project.pbxproj:
1897         * builtins/BuiltinExecutables.cpp:
1898         (JSC::BuiltinExecutables::createExecutableInternal):
1899         * bytecode/BytecodeList.json:
1900         This patch adds a new opcode and removes op_pop_scope:
1901         1) op_get_parent_scope returns the parent scope but doesn't 
1902         implicitly write that scope into the scope register. op_pop_scope
1903         is now reduced to op_get_parent_scope followed by op_mov.
1904
1905         * bytecode/BytecodeUseDef.h:
1906         (JSC::computeUsesForBytecodeOffset):
1907         (JSC::computeDefsForBytecodeOffset):
1908         * bytecode/CodeBlock.cpp:
1909         (JSC::CodeBlock::dumpBytecode):
1910         (JSC::CodeBlock::CodeBlock):
1911         (JSC::CodeBlock::stronglyVisitStrongReferences):
1912         * bytecode/CodeBlock.h:
1913         (JSC::CodeBlock::addStringSwitchJumpTable):
1914         (JSC::CodeBlock::stringSwitchJumpTable):
1915         (JSC::CodeBlock::symbolTable):
1916         (JSC::CodeBlock::evalCodeCache):
1917         (JSC::CodeBlock::setConstantRegisters):
1918         (JSC::CodeBlock::replaceConstant):
1919         op_put_to_scope for LocalClosureVar now takes as an argument
1920         the constant index for the Symbol Table it will be putting into.
1921         This argument is only used to communicate from the BytecodeGenerator
1922         to CodeBlock linking time and it is not present in the linked bytecode.
1923
1924         op_put_to_scope for non LocalClosureVar takes, at the same index, an
1925         argument that represents the local scope depth which it uses for
1926         JSScope::abstractResolve to know how many scopes it needs to skip.
1927         Again, this is not in the linked code.
1928         op_get_from_scope and op_resolve_scope also take as an argument
1929         the local scope depth to use in JSScope::abstractResolve. Again,
1930         this is not used in the linked code.
1931
1932         * bytecode/EvalCodeCache.h:
1933         (JSC::EvalCodeCache::tryGet):
1934         (JSC::EvalCodeCache::getSlow):
1935         (JSC::EvalCodeCache::clear):
1936         (JSC::EvalCodeCache::isCacheable):
1937         When direct eval is called and passed a scope that 
1938         corresponds to a lexical scope, we can't safely cache 
1939         that code because we won't be able to guarantee
1940         that the cached code is always executed in the same scope.
1941         Consider this example:
1942         function foo() {
1943             let x = 20;
1944             eval("x;");
1945             if (b) {
1946                 let x = 30;
1947                 if (b) {
1948                     let y = 40;
1949                     eval("x;")
1950                 }
1951             }
1952         }
1953
1954         We can't reuse resolution depth when linking get_from_scope in evals.
1955
1956         * bytecode/UnlinkedCodeBlock.cpp:
1957         (JSC::generateFunctionCodeBlock):
1958         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1959         (JSC::UnlinkedFunctionExecutable::parameterCount):
1960         * bytecode/UnlinkedCodeBlock.h:
1961         Unlinked functions now know the variables that were under TDZ in their parent
1962         scope.
1963
1964         (JSC::UnlinkedCodeBlock::symbolTable):
1965         (JSC::UnlinkedCodeBlock::setSymbolTable):
1966         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
1967         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
1968         (JSC::UnlinkedCodeBlock::vm):
1969         * bytecompiler/BytecodeGenerator.cpp:
1970         (JSC::BytecodeGenerator::generate):
1971         (JSC::BytecodeGenerator::BytecodeGenerator):
1972         (JSC::BytecodeGenerator::~BytecodeGenerator):
1973         (JSC::BytecodeGenerator::newRegister):
1974         (JSC::BytecodeGenerator::reclaimFreeRegisters):
1975         (JSC::BytecodeGenerator::newBlockScopeVariable):
1976         (JSC::BytecodeGenerator::newTemporary):
1977         (JSC::BytecodeGenerator::emitProfileType):
1978         (JSC::BytecodeGenerator::emitLoadGlobalObject):
1979         (JSC::BytecodeGenerator::pushLexicalScope):
1980         (JSC::BytecodeGenerator::popLexicalScope):
1981         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1982         (JSC::BytecodeGenerator::variable):
1983         (JSC::BytecodeGenerator::variablePerSymbolTable):
1984         (JSC::BytecodeGenerator::variableForLocalEntry):
1985         (JSC::BytecodeGenerator::createVariable):
1986         (JSC::BytecodeGenerator::emitResolveScope):
1987         (JSC::BytecodeGenerator::emitGetFromScope):
1988         (JSC::BytecodeGenerator::emitPutToScope):
1989         (JSC::BytecodeGenerator::initializeVariable):
1990         (JSC::BytecodeGenerator::emitTDZCheck):
1991         (JSC::BytecodeGenerator::needsTDZCheck):
1992         (JSC::BytecodeGenerator::emitTDZCheckIfNecessary):
1993         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
1994         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1995         (JSC::BytecodeGenerator::emitNewObject):
1996         (JSC::BytecodeGenerator::emitPushWithScope):
1997         (JSC::BytecodeGenerator::emitGetParentScope):
1998         (JSC::BytecodeGenerator::emitPopScope):
1999         (JSC::BytecodeGenerator::emitDebugHook):
2000         (JSC::BytecodeGenerator::pushFinallyContext):
2001         (JSC::BytecodeGenerator::pushIteratorCloseContext):
2002         (JSC::BytecodeGenerator::emitComplexPopScopes):
2003         (JSC::BytecodeGenerator::emitPopScopes):
2004         (JSC::BytecodeGenerator::popTryAndEmitCatch):
2005         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
2006         (JSC::BytecodeGenerator::currentScopeDepth):
2007         (JSC::BytecodeGenerator::emitThrowReferenceError):
2008         (JSC::BytecodeGenerator::emitPushCatchScope):
2009         (JSC::BytecodeGenerator::beginSwitch):
2010         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
2011         (JSC::BytecodeGenerator::emitEnumeration):
2012         * bytecompiler/BytecodeGenerator.h:
2013         (JSC::Variable::Variable):
2014         (JSC::Variable::isResolved):
2015         (JSC::Variable::symbolTableConstantIndex):
2016         (JSC::Variable::ident):
2017         (JSC::BytecodeGenerator::ignoredResult):
2018         (JSC::BytecodeGenerator::tempDestination):
2019         (JSC::BytecodeGenerator::lastOpcodeID):
2020         (JSC::BytecodeGenerator::makeFunction):
2021         (JSC::BytecodeGenerator::symbolTable):
2022         (JSC::BytecodeGenerator::shouldOptimizeLocals): Deleted.
2023         (JSC::BytecodeGenerator::canOptimizeNonLocals): Deleted.
2024         The heart of the changes in this patch are in the bytecode generator.
2025         The bytecode generator now keeps a stack of tuples of 
2026         {symbol table, scope register, flag indicating catch or with scope, symbol table index in constant pool}
2027         that models the runtime scope stack. This symbol table stack is used
2028         in resolving local variables.
2029
2030         Also, the bytecode generator handles pushing and popping of lexical scopes. 
2031         This is relatively straight forward:
2032         Captured 'let' variables end up in the JSLexicalEnvironment scope and non-captured
2033         variables end up on the stack. Some trickiness is involved in generating
2034         code for 'for' loops that have captured variables (I'm talking about variables in the loop
2035         header, not the loop body). Each iteration of the for loop ends up with 
2036         its own JSLexicalEnvironment. Static code must be generated in such a way 
2037         to create this runtime behavior. This is done by emitting instructions to 
2038         push and pop a lexical scope at the end of each loop and copying values
2039         from the previous loop's scope into the new scope. This code must also
2040         ensure that each loop iteration's scope refers to the same underlying 
2041         SymbolTable so that no scope is accidentally mistaken as being a singleton scope.
2042
2043         When the debugger is enabled, all lexically defined variables will end up in the
2044         JSLexicalEnvironment.
2045
2046         * bytecompiler/NodesCodegen.cpp:
2047         (JSC::ResolveNode::emitBytecode):
2048         (JSC::FunctionCallResolveNode::emitBytecode):
2049         (JSC::PostfixNode::emitResolve):
2050         (JSC::DeleteResolveNode::emitBytecode):
2051         (JSC::TypeOfResolveNode::emitBytecode):
2052         (JSC::PrefixNode::emitResolve):
2053         (JSC::ReadModifyResolveNode::emitBytecode):
2054         (JSC::AssignResolveNode::emitBytecode):
2055         (JSC::BlockNode::emitBytecode):
2056         (JSC::ExprStatementNode::emitBytecode):
2057         (JSC::DeclarationStatement::emitBytecode):
2058         (JSC::EmptyVarExpression::emitBytecode):
2059         (JSC::EmptyLetExpression::emitBytecode):
2060         (JSC::ForNode::emitBytecode):
2061         (JSC::ForInNode::emitMultiLoopBytecode):
2062         (JSC::ForOfNode::emitBytecode):
2063         (JSC::SwitchNode::emitBytecode):
2064         (JSC::BindingNode::bindValue):
2065         (JSC::VarStatementNode::emitBytecode): Deleted.
2066         * debugger/DebuggerCallFrame.cpp:
2067         (JSC::DebuggerCallFrame::evaluate):
2068         * debugger/DebuggerScope.cpp:
2069         (JSC::DebuggerScope::getOwnPropertySlot):
2070         (JSC::DebuggerScope::put):
2071         * dfg/DFGByteCodeParser.cpp:
2072         (JSC::DFG::ByteCodeParser::parseBlock):
2073         * dfg/DFGCapabilities.cpp:
2074         (JSC::DFG::capabilityLevel):
2075         * dfg/DFGNode.h:
2076         (JSC::DFG::Node::castConstant):
2077         (JSC::DFG::Node::initializationValueForActivation):
2078         (JSC::DFG::Node::containsMovHint):
2079         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2080         CreateActivation nodes now have a second OpInfo that tracks the 
2081         initial value that needs to be placed in the activation. This initial value 
2082         is also used in allocation sinking to create proper bottom values for all 
2083         scope variables.
2084
2085         * dfg/DFGOperations.cpp:
2086         * dfg/DFGOperations.h:
2087         * dfg/DFGSpeculativeJIT.cpp:
2088         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2089         * dfg/DFGSpeculativeJIT.h:
2090         (JSC::DFG::SpeculativeJIT::callOperation):
2091         * ftl/FTLIntrinsicRepository.h:
2092         * ftl/FTLLowerDFGToLLVM.cpp:
2093         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
2094         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
2095         * ftl/FTLOperations.cpp:
2096         (JSC::FTL::operationMaterializeObjectInOSR):
2097         * interpreter/Interpreter.cpp:
2098         (JSC::Interpreter::execute):
2099         * jit/CCallHelpers.h:
2100         (JSC::CCallHelpers::setupArgumentsWithExecState):
2101         * jit/JIT.cpp:
2102         (JSC::JIT::privateCompileMainPass):
2103         * jit/JIT.h:
2104         * jit/JITInlines.h:
2105         (JSC::JIT::callOperation):
2106         * jit/JITOpcodes.cpp:
2107         (JSC::JIT::emit_op_push_with_scope):
2108         (JSC::JIT::compileOpStrictEq):
2109         (JSC::JIT::emit_op_catch):
2110         (JSC::JIT::emit_op_create_lexical_environment):
2111         (JSC::JIT::emit_op_get_parent_scope):
2112         (JSC::JIT::emit_op_switch_imm):
2113         (JSC::JIT::emit_op_enter):
2114         (JSC::JIT::emit_op_get_scope):
2115         (JSC::JIT::emit_op_pop_scope): Deleted.
2116         * jit/JITOpcodes32_64.cpp:
2117         (JSC::JIT::emit_op_push_with_scope):
2118         (JSC::JIT::emit_op_to_number):
2119         (JSC::JIT::emit_op_catch):
2120         (JSC::JIT::emit_op_create_lexical_environment):
2121         (JSC::JIT::emit_op_get_parent_scope):
2122         (JSC::JIT::emit_op_switch_imm):
2123         (JSC::JIT::emit_op_enter):
2124         (JSC::JIT::emit_op_get_scope):
2125         (JSC::JIT::emit_op_pop_scope): Deleted.
2126         * jit/JITOperations.cpp:
2127         (JSC::canAccessArgumentIndexQuickly):
2128         * jit/JITOperations.h:
2129         * llint/LLIntSlowPaths.cpp:
2130         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2131         * llint/LLIntSlowPaths.h:
2132         * llint/LowLevelInterpreter.asm:
2133         * llint/LowLevelInterpreter32_64.asm:
2134         * llint/LowLevelInterpreter64.asm:
2135         * parser/ASTBuilder.h:
2136         (JSC::ASTBuilder::createSourceElements):
2137         (JSC::ASTBuilder::funcDeclarations):
2138         (JSC::ASTBuilder::features):
2139         (JSC::ASTBuilder::numConstants):
2140         (JSC::ASTBuilder::createConditionalExpr):
2141         (JSC::ASTBuilder::createAssignResolve):
2142         (JSC::ASTBuilder::createClassDeclStatement):
2143         (JSC::ASTBuilder::createBlockStatement):
2144         (JSC::ASTBuilder::createIfStatement):
2145         (JSC::ASTBuilder::createForLoop):
2146         (JSC::ASTBuilder::createForInLoop):
2147         (JSC::ASTBuilder::createForOfLoop):
2148         (JSC::ASTBuilder::isBindingNode):
2149         (JSC::ASTBuilder::createEmptyStatement):
2150         (JSC::ASTBuilder::createDeclarationStatement):
2151         (JSC::ASTBuilder::createVarStatement):
2152         (JSC::ASTBuilder::createLetStatement):
2153         (JSC::ASTBuilder::createEmptyVarExpression):
2154         (JSC::ASTBuilder::createEmptyLetExpression):
2155         (JSC::ASTBuilder::createReturnStatement):
2156         (JSC::ASTBuilder::createTryStatement):
2157         (JSC::ASTBuilder::createSwitchStatement):
2158         (JSC::ASTBuilder::appendStatement):
2159         (JSC::ASTBuilder::createCommaExpr):
2160         (JSC::ASTBuilder::appendObjectPatternEntry):
2161         (JSC::ASTBuilder::createBindingLocation):
2162         (JSC::ASTBuilder::setEndOffset):
2163         (JSC::ASTBuilder::Scope::Scope):
2164         (JSC::ASTBuilder::makeAssignNode):
2165         (JSC::ASTBuilder::varDeclarations): Deleted.
2166         (JSC::ASTBuilder::addVar): Deleted.
2167         * parser/Keywords.table:
2168         * parser/NodeConstructors.h:
2169         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
2170         (JSC::AssignResolveNode::AssignResolveNode):
2171         (JSC::ExprStatementNode::ExprStatementNode):
2172         (JSC::DeclarationStatement::DeclarationStatement):
2173         (JSC::EmptyVarExpression::EmptyVarExpression):
2174         (JSC::EmptyLetExpression::EmptyLetExpression):
2175         (JSC::IfElseNode::IfElseNode):
2176         (JSC::WhileNode::WhileNode):
2177         (JSC::ForNode::ForNode):
2178         (JSC::CaseBlockNode::CaseBlockNode):
2179         (JSC::SwitchNode::SwitchNode):
2180         (JSC::ConstDeclNode::ConstDeclNode):
2181         (JSC::BlockNode::BlockNode):
2182         (JSC::EnumerationNode::EnumerationNode):
2183         (JSC::ForInNode::ForInNode):
2184         (JSC::ForOfNode::ForOfNode):
2185         (JSC::ObjectPatternNode::create):
2186         (JSC::BindingNode::create):
2187         (JSC::BindingNode::BindingNode):
2188         (JSC::VarStatementNode::VarStatementNode): Deleted.
2189         * parser/Nodes.cpp:
2190         (JSC::ScopeNode::ScopeNode):
2191         (JSC::ScopeNode::singleStatement):
2192         (JSC::ProgramNode::ProgramNode):
2193         (JSC::EvalNode::EvalNode):
2194         (JSC::FunctionNode::FunctionNode):
2195         (JSC::FunctionNode::finishParsing):
2196         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
2197         * parser/Nodes.h:
2198         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
2199         (JSC::VariableEnvironmentNode::lexicalVariables):
2200         (JSC::ScopeNode::usesThis):
2201         (JSC::ScopeNode::needsActivationForMoreThanVariables):
2202         (JSC::ScopeNode::needsActivation):
2203         (JSC::ScopeNode::hasCapturedVariables):
2204         (JSC::ScopeNode::captures):
2205         (JSC::ScopeNode::varDeclarations):
2206         (JSC::ScopeNode::functionStack):
2207         (JSC::ScopeNode::neededConstants):
2208         (JSC::ProgramNode::startColumn):
2209         (JSC::ProgramNode::endColumn):
2210         (JSC::EvalNode::startColumn):
2211         (JSC::EvalNode::endColumn):
2212         (JSC::BindingNode::boundProperty):
2213         (JSC::BindingNode::divotStart):
2214         (JSC::BindingNode::divotEnd):
2215         (JSC::ScopeNode::capturedVariableCount): Deleted.
2216         (JSC::ScopeNode::capturedVariables): Deleted.
2217         (JSC::ScopeNode::varStack): Deleted.
2218         There is a new class called 'VariableEnvironmentNode' that has the
2219         necessary fields to model a lexical scope. Multiple AST nodes now 
2220         also inherit from VariableEnvironmentNode.
2221
2222         * parser/Parser.cpp:
2223         (JSC::Parser<LexerType>::parseInner):
2224         (JSC::Parser<LexerType>::didFinishParsing):
2225         (JSC::Parser<LexerType>::parseStatementListItem):
2226         (JSC::Parser<LexerType>::parseVariableDeclaration):
2227         (JSC::Parser<LexerType>::parseWhileStatement):
2228         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2229         (JSC::Parser<LexerType>::createBindingPattern):
2230         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
2231         (JSC::Parser<LexerType>::parseDestructuringPattern):
2232         (JSC::Parser<LexerType>::parseConstDeclarationList):
2233         (JSC::Parser<LexerType>::parseForStatement):
2234         (JSC::Parser<LexerType>::parseBreakStatement):
2235         (JSC::Parser<LexerType>::parseContinueStatement):
2236         (JSC::Parser<LexerType>::parseSwitchStatement):
2237         (JSC::Parser<LexerType>::parseTryStatement):
2238         (JSC::Parser<LexerType>::parseBlockStatement):
2239         (JSC::Parser<LexerType>::parseStatement):
2240         (JSC::Parser<LexerType>::parseFunctionInfo):
2241         (JSC::Parser<LexerType>::parseClassDeclaration):
2242         (JSC::Parser<LexerType>::parseClass):
2243         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
2244         (JSC::Parser<LexerType>::parseAssignmentExpression):
2245         (JSC::Parser<LexerType>::parseGetterSetter):
2246         (JSC::Parser<LexerType>::parsePrimaryExpression):
2247         (JSC::Parser<LexerType>::parseVarDeclaration): Deleted.
2248         (JSC::Parser<LexerType>::parseVarDeclarationList): Deleted.
2249         * parser/Parser.h:
2250         (JSC::Scope::Scope):
2251         (JSC::Scope::setIsFunction):
2252         (JSC::Scope::isFunction):
2253         (JSC::Scope::isFunctionBoundary):
2254         (JSC::Scope::setIsLexicalScope):
2255         (JSC::Scope::isLexicalScope):
2256         (JSC::Scope::declaredVariables):
2257         (JSC::Scope::finalizeLexicalEnvironment):
2258         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
2259         (JSC::Scope::declareCallee):
2260         (JSC::Scope::declareVariable):
2261         (JSC::Scope::declareLexicalVariable):
2262         (JSC::Scope::hasDeclaredVariable):
2263         (JSC::Scope::hasLexicallyDeclaredVariable):
2264         (JSC::Scope::hasDeclaredParameter):
2265         (JSC::Scope::declareWrite):
2266         (JSC::Scope::preventAllVariableDeclarations):
2267         (JSC::Scope::preventVarDeclarations):
2268         (JSC::Scope::allowsVarDeclarations):
2269         (JSC::Scope::allowsLexicalDeclarations):
2270         (JSC::Scope::declareParameter):
2271         (JSC::Scope::declareBoundParameter):
2272         (JSC::Scope::useVariable):
2273         (JSC::Scope::setNeedsFullActivation):
2274         (JSC::Scope::needsFullActivation):
2275         (JSC::Scope::hasDirectSuper):
2276         (JSC::Scope::setNeedsSuperBinding):
2277         (JSC::Scope::collectFreeVariables):
2278         (JSC::Scope::getCapturedVars):
2279         (JSC::Scope::copyCapturedVariablesToVector):
2280         (JSC::Parser::AutoCleanupLexicalScope::AutoCleanupLexicalScope):
2281         (JSC::Parser::AutoCleanupLexicalScope::~AutoCleanupLexicalScope):
2282         (JSC::Parser::AutoCleanupLexicalScope::setIsValid):
2283         (JSC::Parser::AutoCleanupLexicalScope::isValid):
2284         (JSC::Parser::AutoCleanupLexicalScope::setPopped):
2285         (JSC::Parser::AutoCleanupLexicalScope::scope):
2286         (JSC::Parser::currentScope):
2287         (JSC::Parser::pushScope):
2288         (JSC::Parser::popScopeInternal):
2289         (JSC::Parser::popScope):
2290         (JSC::Parser::declareVariable):
2291         (JSC::Parser::hasDeclaredVariable):
2292         (JSC::Parser::hasDeclaredParameter):
2293         (JSC::Parser::declareWrite):
2294         (JSC::Parser::findCachedFunctionInfo):
2295         (JSC::Parser::isFunctionBodyNode):
2296         (JSC::Parser::continueIsValid):
2297         (JSC::Parser::pushLabel):
2298         (JSC::Parser::popLabel):
2299         (JSC::Parser::getLabel):
2300         (JSC::Parser::isLETMaskedAsIDENT):
2301         (JSC::Parser<LexerType>::parse):
2302         (JSC::Scope::preventNewDecls): Deleted.
2303         (JSC::Scope::allowsNewDecls): Deleted.
2304         (JSC::Scope::getCapturedVariables): Deleted.
2305         There are basic parser changes that now allow for the 'let'
2306         keyword. The trickiest change is how we will still treat 'let' 
2307         as an identifier for sloppy-mode code sometimes. For example,
2308         "var let = ..." is allowed but "let let" or "const let" is not.
2309
2310         The most significant change to the parser made for this patch
2311         is appropriating the Scope struct to also also model a lexical 
2312         scope. Changes were made in how we track captured variables to 
2313         account for this. In general, I think some of this code could 
2314         benefit from a slight refactoring to make things cleaner.
2315
2316         * parser/ParserTokens.h:
2317         * parser/SyntaxChecker.h:
2318         (JSC::SyntaxChecker::createNewExpr):
2319         (JSC::SyntaxChecker::createConditionalExpr):
2320         (JSC::SyntaxChecker::createAssignResolve):
2321         (JSC::SyntaxChecker::createEmptyVarExpression):
2322         (JSC::SyntaxChecker::createEmptyLetExpression):
2323         (JSC::SyntaxChecker::createClassExpr):
2324         (JSC::SyntaxChecker::createClassDeclStatement):
2325         (JSC::SyntaxChecker::createBlockStatement):
2326         (JSC::SyntaxChecker::createExprStatement):
2327         (JSC::SyntaxChecker::createIfStatement):
2328         (JSC::SyntaxChecker::createForLoop):
2329         (JSC::SyntaxChecker::createForInLoop):
2330         (JSC::SyntaxChecker::createForOfLoop):
2331         (JSC::SyntaxChecker::createEmptyStatement):
2332         (JSC::SyntaxChecker::createVarStatement):
2333         (JSC::SyntaxChecker::createLetStatement):
2334         (JSC::SyntaxChecker::createReturnStatement):
2335         (JSC::SyntaxChecker::createBreakStatement):
2336         (JSC::SyntaxChecker::createContinueStatement):
2337         (JSC::SyntaxChecker::createTryStatement):
2338         (JSC::SyntaxChecker::createSwitchStatement):
2339         (JSC::SyntaxChecker::createWhileStatement):
2340         (JSC::SyntaxChecker::createWithStatement):
2341         (JSC::SyntaxChecker::createDoWhileStatement):
2342         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2343         (JSC::SyntaxChecker::appendStatement):
2344         (JSC::SyntaxChecker::combineCommaNodes):
2345         (JSC::SyntaxChecker::evalCount):
2346         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
2347         (JSC::SyntaxChecker::operatorStackPop):
2348         (JSC::SyntaxChecker::addVar): Deleted.
2349         * parser/VariableEnvironment.cpp: Added.
2350         (JSC::VariableEnvironment::markVariableAsCapturedIfDefined):
2351         (JSC::VariableEnvironment::markVariableAsCaptured):
2352         (JSC::VariableEnvironment::markAllVariablesAsCaptured):
2353         (JSC::VariableEnvironment::hasCapturedVariables):
2354         (JSC::VariableEnvironment::captures):
2355         (JSC::VariableEnvironment::swap):
2356         * parser/VariableEnvironment.h: Added.
2357         (JSC::VariableEnvironmentEntry::isCaptured):
2358         (JSC::VariableEnvironmentEntry::isConstant):
2359         (JSC::VariableEnvironmentEntry::isVar):
2360         (JSC::VariableEnvironmentEntry::isLet):
2361         (JSC::VariableEnvironmentEntry::setIsCaptured):
2362         (JSC::VariableEnvironmentEntry::setIsConstant):
2363         (JSC::VariableEnvironmentEntry::setIsVar):
2364         (JSC::VariableEnvironmentEntry::setIsLet):
2365         (JSC::VariableEnvironmentEntry::clearIsVar):
2366         (JSC::VariableEnvironment::begin):
2367         (JSC::VariableEnvironment::end):
2368         (JSC::VariableEnvironment::add):
2369         (JSC::VariableEnvironment::size):
2370         (JSC::VariableEnvironment::contains):
2371         (JSC::VariableEnvironment::remove):
2372         VariableEnvironment is a new class that keeps track
2373         of the static environment in the parser and the bytecode generator.
2374         VariableEnvironment behaves like SymbolTable but for the bytecode generator.
2375         It keeps track of variable types, i.e, if a variable is a "var", "let", "const" 
2376         and whether or not its captured.
2377
2378         * runtime/CodeCache.cpp:
2379         (JSC::CodeCache::getGlobalCodeBlock):
2380         (JSC::CodeCache::getProgramCodeBlock):
2381         (JSC::CodeCache::getEvalCodeBlock):
2382         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2383         * runtime/CodeCache.h:
2384         (JSC::CodeCache::clear):
2385         * runtime/CommonSlowPaths.cpp:
2386         (JSC::SLOW_PATH_DECL):
2387         * runtime/CommonSlowPaths.h:
2388         * runtime/ExceptionHelpers.cpp:
2389         (JSC::createErrorForInvalidGlobalAssignment):
2390         (JSC::createTDZError):
2391         (JSC::throwOutOfMemoryError):
2392         * runtime/ExceptionHelpers.h:
2393         * runtime/Executable.cpp:
2394         (JSC::EvalExecutable::create):
2395         (JSC::ProgramExecutable::initializeGlobalProperties):
2396         * runtime/Executable.h:
2397         * runtime/JSCJSValue.h:
2398         (JSC::jsUndefined):
2399         (JSC::jsTDZValue):
2400         (JSC::jsBoolean):
2401         * runtime/JSEnvironmentRecord.h:
2402         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
2403         (JSC::JSEnvironmentRecord::finishCreation):
2404         * runtime/JSGlobalObject.cpp:
2405         (JSC::JSGlobalObject::createProgramCodeBlock):
2406         (JSC::JSGlobalObject::createEvalCodeBlock):
2407         * runtime/JSGlobalObject.h:
2408         (JSC::JSGlobalObject::weakRandomInteger):
2409         * runtime/JSGlobalObjectFunctions.cpp:
2410         (JSC::globalFuncEval):
2411         * runtime/JSLexicalEnvironment.cpp:
2412         (JSC::JSLexicalEnvironment::symbolTableGet):
2413         * runtime/JSLexicalEnvironment.h:
2414         (JSC::JSLexicalEnvironment::create):
2415         * runtime/JSScope.cpp:
2416         (JSC::JSScope::resolve):
2417         (JSC::JSScope::abstractResolve):
2418         (JSC::JSScope::collectVariablesUnderTDZ):
2419         (JSC::JSScope::isLexicalScope):
2420         (JSC::resolveModeName):
2421         * runtime/JSScope.h:
2422         * runtime/PropertySlot.h:
2423         (JSC::PropertySlot::setValue):
2424         * runtime/SymbolTable.cpp:
2425         (JSC::SymbolTable::SymbolTable):
2426         (JSC::SymbolTable::cloneScopePart):
2427         * runtime/SymbolTable.h:
2428         SymbolTable now uses an extra bit to know if it corresponds
2429         to a "let"-like environment or not.
2430
2431         * runtime/WriteBarrier.h:
2432         (JSC::WriteBarrierBase<Unknown>::get):
2433         (JSC::WriteBarrierBase<Unknown>::clear):
2434         (JSC::WriteBarrierBase<Unknown>::setUndefined):
2435         (JSC::WriteBarrierBase<Unknown>::setStartingValue):
2436         (JSC::WriteBarrierBase<Unknown>::isNumber):
2437         (JSC::WriteBarrierBase<Unknown>::isObject):
2438         (JSC::WriteBarrierBase<Unknown>::isNull):
2439         * tests/stress/activation-sink-default-value-tdz-error.js: Added.
2440         (shouldThrowTDZ):
2441         (bar):
2442         (foo.cap):
2443         * tests/stress/activation-sink-osrexit-default-value-tdz-error.js: Added.
2444         (shouldThrowTDZ):
2445         (bar):
2446         * tests/stress/lexical-let-and-with-statement.js: Added.
2447         (truth):
2448         (assert):
2449         (.):
2450         * tests/stress/lexical-let-exception-handling.js: Added.
2451         (truth):
2452         (assert):
2453         (.):
2454         * tests/stress/lexical-let-global-not-captured-variables.js: Added.
2455         (truth):
2456         (assert):
2457         (foo):
2458         (.let.capY):
2459         * tests/stress/lexical-let-loop-semantics.js: Added.
2460         (truth):
2461         (assert):
2462         (shouldThrowTDZ):
2463         (.):
2464         * tests/stress/lexical-let-not-strict-mode.js: Added.
2465         (truth):
2466         (assert):
2467         (shouldThrowTDZ):
2468         (.):
2469         * tests/stress/lexical-let-semantics.js: Added.
2470         (truth):
2471         (assert):
2472         (let.globalFunction):
2473         (let.retGlobalNumberCaptured):
2474         (let.setGlobalNumberCaptured):
2475         (.):
2476         * tests/stress/lexical-let-tdz.js: Added.
2477         (truth):
2478         (assert):
2479         (shouldThrowTDZ):
2480         (.):
2481
2482 2015-07-15  Anders Carlsson  <andersca@apple.com>
2483
2484         Make JavaScriptCore SPI headers used by WebCore SPI headers self-contained
2485         https://bugs.webkit.org/show_bug.cgi?id=146978
2486
2487         Reviewed by Dan Bernstein.
2488
2489         * debugger/DebuggerPrimitives.h:
2490         * disassembler/Disassembler.h:
2491         * heap/Weak.h:
2492         * inspector/InspectorValues.h:
2493         * runtime/JSCJSValue.h:
2494
2495 2015-07-14  Anders Carlsson  <andersca@apple.com>
2496
2497         Assertions.h should include ExportMacros.h
2498         https://bugs.webkit.org/show_bug.cgi?id=146948
2499
2500         Reviewed by Tim Horton.
2501
2502         Remove now unneeded WTF_EXPORT_PRIVATE define.
2503
2504         * API/JSBase.h:
2505
2506 2015-07-14  Matthew Mirman  <mmirman@apple.com>
2507
2508         Repatch. Makes compileArithSub in the DFG ensure that the constant is an int32.
2509         https://bugs.webkit.org/show_bug.cgi?id=146910
2510         rdar://problem/21729083
2511
2512         Reviewed by Filip Pizlo.
2513         
2514         Also fixes the debug build problem where all edges are assumed to 
2515         have UntypedUse before the fixup phase.
2516
2517         * dfg/DFGSpeculativeJIT.cpp:
2518         (JSC::DFG::SpeculativeJIT::compileArithSub):
2519         * dfg/DFGValidate.cpp:
2520         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
2521         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
2522         (arithAdd42WrittenAsInteger):
2523         (testArithAdd42WrittenAsInteger):
2524         (arithSub42WrittenAsDouble):
2525         (testArithSub42WrittenAsDouble):
2526         (doubleConstant):
2527         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
2528         (arithAdd42WrittenAsDouble): Deleted.
2529         (testArithAdd42WrittenAsDouble): Deleted.
2530
2531 2015-07-14  Matthew Mirman  <mmirman@apple.com>
2532
2533         Unreviewed, rolling out r186805.
2534
2535         Made raytracer on octane 80% slower
2536
2537         Reverted changeset:
2538
2539         "Makes compileArithSub in the DFG ensure that the constant is
2540         an int32."
2541         https://bugs.webkit.org/show_bug.cgi?id=146910
2542         http://trac.webkit.org/changeset/186805
2543
2544 2015-07-13  Matthew Mirman  <mmirman@apple.com>
2545
2546         Makes compileArithSub in the DFG ensure that the constant is an int32.
2547         https://bugs.webkit.org/show_bug.cgi?id=146910
2548         rdar://problem/21729083
2549
2550         Reviewed by Filip Pizlo.
2551         
2552         Also fixes the debug build problem where all edges are assumed to 
2553         have UntypedUse before the fixup phase.
2554
2555         * dfg/DFGSpeculativeJIT.cpp:
2556         (JSC::DFG::SpeculativeJIT::compileArithSub):
2557         * dfg/DFGValidate.cpp:
2558         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
2559         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
2560         (arithAdd42WrittenAsInteger):
2561         (testArithAdd42WrittenAsInteger):
2562         (arithSub42WrittenAsDouble):
2563         (testArithSub42WrittenAsDouble):
2564         (doubleConstant):
2565         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
2566         (arithAdd42WrittenAsDouble): Deleted.
2567         (testArithAdd42WrittenAsDouble): Deleted.
2568
2569 2015-07-13  Basile Clement  <basile_clement@apple.com>
2570
2571         Object cycles should not prevent allocation elimination/sinking
2572         https://bugs.webkit.org/show_bug.cgi?id=143073
2573
2574         Reviewed by Filip Pizlo.
2575
2576         This patch introduces a new allocation sinking phase that is able to
2577         sink cycles, in DFGAllocationCycleSinkingPhase.cpp. This phase
2578         supersedes the old allocation sinking phase in
2579         DFGObjectAllocationSinkingPhase.cpp, as that previous phase was never
2580         able to sink allocation cycles while the new phase sometimes can; see
2581         DFGAllocationCycleSinkingPhase.cpp for details.
2582
2583         For now, the new sinking phase is kept behind a
2584         JSC_enableAllocationCycleSinking flag that reverts to the old sinking
2585         phase when false (i.e., by default). This also removes the old
2586         JSC_enableObjectAllocationSinking flag. run-javascriptcore-tests
2587         defaults to using the new sinking phase.
2588
2589         * dfg/DFGGraph.h:
2590         (JSC::DFG::Graph::addStructureSet): Allow empty structure sets
2591         * dfg/DFGLazyNode.cpp:
2592         (JSC::DFG::LazyNode::dump): Prettier dump
2593         * dfg/DFGNode.h:
2594         (JSC::DFG::Node::cellOperand): Move to opInfo for MaterializeCreateActivation
2595         (JSC::DFG::Node::hasStructureSet): Add MaterializeNewObject
2596         (JSC::DFG::Node::objectMaterializationData): Move to opInfo2
2597         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Remove unused header
2598         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2599         (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase): Deleted.
2600         (JSC::DFG::ObjectAllocationSinkingPhase::run): Deleted.
2601         (JSC::DFG::ObjectAllocationSinkingPhase::performSinking): Deleted.
2602         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): Deleted.
2603         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): Deleted.
2604         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): Deleted.
2605         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): Deleted.
2606         (JSC::DFG::ObjectAllocationSinkingPhase::resolve): Deleted.
2607         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): Deleted.
2608         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): Deleted.
2609         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): Deleted.
2610         * dfg/DFGObjectAllocationSinkingPhase.h:
2611         * dfg/DFGPromotedHeapLocation.h: Add a hash and a helper function to PromotedLocationDescriptor
2612         (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
2613         (JSC::DFG::PromotedLocationDescriptor::operator bool):
2614         (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization):
2615         (JSC::DFG::PromotedLocationDescriptorHash::hash):
2616         (JSC::DFG::PromotedLocationDescriptorHash::equal):
2617         * dfg/DFGValidate.cpp:
2618         (JSC::DFG::Validate::validateSSA): Assert that most nodes never see a phantom allocation
2619         * ftl/FTLLowerDFGToLLVM.cpp:
2620         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeNewObject): Use the new structureSet() operand
2621         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation): Node has a new child
2622         * ftl/FTLOSRExitCompiler.cpp: Handle materialization cycles
2623         (JSC::FTL::compileStub):
2624         * ftl/FTLOperations.cpp: Handle materialization cycles
2625         (JSC::FTL::operationPopulateObjectInOSR):
2626         (JSC::FTL::operationMaterializeObjectInOSR):
2627         * ftl/FTLOperations.h: Handle materialization cycles
2628         * tests/stress/correctly-sink-object-even-though-it-dies.js: Added.
2629         (clobber):
2630         (foo):
2631         * tests/stress/eliminate-object-read-over-call.js: Added.
2632         (clobber):
2633         (foo):
2634         * tests/stress/materialize-object-on-edge.js: Added.
2635         (call):
2636         (foo):
2637         * tests/stress/object-sinking-stress.js: Added.
2638         (foo):
2639         * tests/stress/sink-object-cycle.js: Added.
2640         (clobber):
2641         (foo):
2642         * tests/stress/sink-object-past-put.js: Added.
2643         (clobber):
2644         (foo):
2645         * tests/stress/sinkable-new-object-in-loop.js: Added.
2646         (foo):
2647
2648 2015-07-13  Daniel Bates  <dabates@apple.com>
2649
2650         Cleanup: Avoid extraneous increment and decrement of reference count of ScriptArguments in ConsoleClient
2651         https://bugs.webkit.org/show_bug.cgi?id=146920
2652
2653         Reviewed by Brian Burg.
2654
2655         Remove local variable RefPtr<ScriptArguments> and copy constructor call with an argument that
2656         was initialized with an rvalue reference. The argument itself is an lvalue reference.
2657
2658         * runtime/ConsoleClient.cpp:
2659         (JSC::ConsoleClient::printConsoleMessageWithArguments):
2660         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
2661
2662 2015-07-13  Anders Carlsson  <andersca@apple.com>
2663
2664         Apps linked with a deployment target of iOS 7.x or earlier crash when using modern WebKit API
2665         https://bugs.webkit.org/show_bug.cgi?id=146913
2666         rdar://problem/21789252
2667
2668         Reviewed by Dan Bernstein.
2669
2670         Make a top-level symlink from /System/Library/PrivateFrameworks/JavaScriptCore.framework to
2671         /System/Library/Frameworks/JavaScriptCore.framework.
2672     
2673         * JavaScriptCore.xcodeproj/project.pbxproj:
2674
2675 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
2676
2677         If Watchpoint::fire() looks at the state of the world, it should definitely see its set invalidated, and maybe it should see the object of interest in the transitioned-to state
2678         https://bugs.webkit.org/show_bug.cgi?id=146897
2679
2680         Reviewed by Mark Lam.
2681         
2682         The idea is to eventually support adaptive watchpoints. An adaptive watchpoint will be
2683         able to watch for a condition that is more fine-grained than any one watchpoint set. For
2684         example, we might watch a singleton object to see if it ever acquires a property called
2685         "foo". So long as it doesn't have such a property, we don't want to invalidate any code.
2686         But if it gets that property, then we should deoptimize. Current watchpoints will
2687         invalidate code as soon as any property is added (or deleted), because they will use the
2688         transition watchpoint set of the singleton object's structure, and that fires anytime
2689         there is any transition.
2690         
2691         An adaptive watchpoint would remember the singleton object, and when it got fired, it
2692         would check if the object's new structure has the property "foo". If not, it would check
2693         if the object's new structure is watchable (i.e. has a valid transition watchpoint set).
2694         If the property is missing and the structure is watchable, it would add itself to the
2695         watchpoint set of the new structure. Otherwise, it would deoptimize.
2696         
2697         There are two problems with this idea, and this patch fixes these problems. First, we
2698         usually fire the transition watchpoint before we do the structure transition. This means
2699         that if the fire() method looked at the singleton object's structure, it would see the old
2700         structure, not the new one. It would have no way of knowing what the new structure is.
2701         Second, inside the fire() method, the watchpoint set being invalidated still appears
2702         valid, since we change the state after we fire all watchpoints.
2703         
2704         This patch addresses both issues. Now, in the most important case (addPropertyTransition),
2705         we fire the watchpoint set after we have modified the object. This is accomplished using
2706         a deferral scope called DeferredStructureTransitionWatchpointFire. In cases where there is
2707         no deferral, the adaptive watchpoint will conservatively resort to deoptimization because
2708         it would find that the singleton object's structure is no longer watchable. This is
2709         because in the absence of deferral, the singleton object would still have the original
2710         structure, but that structure's watchpoint set would now report itself as having been
2711         invalidated.
2712
2713         * bytecode/Watchpoint.cpp:
2714         (JSC::WatchpointSet::fireAllSlow): Change the state of the set before firing all watchpoints.
2715         (JSC::WatchpointSet::fireAllWatchpoints):
2716         * runtime/JSObject.h:
2717         (JSC::JSObject::putDirectInternal): Use the deferral scope.
2718         * runtime/Structure.cpp:
2719         (JSC::Structure::Structure): Pass the deferral scope to didTransitionFromThisStructure.
2720         (JSC::Structure::addPropertyTransition): Pass the deferral scope to create().
2721         (JSC::StructureFireDetail::dump): This is no longer anonymous.
2722         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire): Start with a null structure.
2723         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire): Fire the watchpoint if there is a structure.
2724         (JSC::DeferredStructureTransitionWatchpointFire::add): Add a structure. Logically this is a list of deferred things, but we assert that there only will be one (happens to be true now).
2725         (JSC::Structure::didTransitionFromThisStructure): Defer the watchpoint firing if there is a deferral scope.
2726         * runtime/Structure.h:
2727         (JSC::StructureFireDetail::StructureFireDetail): Move this to the header.
2728         * runtime/StructureInlines.h:
2729         (JSC::Structure::create): Pass the deferral scope to the constructor.
2730
2731 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
2732
2733         Watchpoints should be removed from their owning WatchpointSet before they are fired
2734         https://bugs.webkit.org/show_bug.cgi?id=146895
2735
2736         Reviewed by Sam Weinig.
2737         
2738         This simplifies the WatchpointSet API by making it so that when Watchpoint::fire() is
2739         called, the Watchpoint is no longer in the set. This means that you don't have to remember
2740         to remove it from the set's list (currently we do that implicitly as part of whatever
2741         any particular Watchpoint::fireInternal() does), and you can now write adaptive
2742         watchpoints that re-add themselves to a different set if they determine that the thing
2743         they are actually watching is still intact but now needs to be watched in a different way
2744         (like watching for whether some singleton object has a property of some name).
2745
2746         * bytecode/Watchpoint.cpp:
2747         (JSC::Watchpoint::~Watchpoint): Add a comment about why this is necessary.
2748         (JSC::Watchpoint::fire): Make this out-of-line, private, and make it assert that we're no longer on the list.
2749         (JSC::WatchpointSet::fireAllWatchpoints): Make this remove the watchpoint from the list before firing it.
2750         * bytecode/Watchpoint.h:
2751         (JSC::Watchpoint::fire): Deleted. I moved this to Watchpoint.cpp.
2752
2753 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2754
2755         DFG::DesiredWatchpoints should accept WatchpointSetType's that aren't necessarily pointers
2756         https://bugs.webkit.org/show_bug.cgi?id=146875
2757
2758         Reviewed by Dan Bernstein.
2759         
2760         In the future we'll want to add a desired watchpoint set that's something like "please
2761         watch property 'Foo' for 'deletion' on structure 'S1'", so that the "set type" is struct
2762         like "struct MySet { StringImpl* property; Mode mode; Structure* structure };".
2763         
2764         This is a very mechanical change for now - all of the current users happen to use sets
2765         that are pointer typed, so it's just a matter of moving some "*"'s around.
2766
2767         * dfg/DFGDesiredWatchpoints.h:
2768         (JSC::DFG::GenericSetAdaptor::add):
2769         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
2770         (JSC::DFG::GenericDesiredWatchpoints::GenericDesiredWatchpoints):
2771         (JSC::DFG::GenericDesiredWatchpoints::addLazily):
2772         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
2773         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
2774         (JSC::DFG::GenericDesiredWatchpoints::isWatched):
2775         (JSC::DFG::DesiredWatchpoints::isWatched):
2776
2777 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2778
2779         Watchpoints should be allocated with FastMalloc
2780         https://bugs.webkit.org/show_bug.cgi?id=146874
2781
2782         Reviewed by Dan Bernstein.
2783         
2784         This is in preparation for adding new subclasses of Watchpoint. While starting to do this
2785         I realized that the way Watchpoints allocated themselves was unusual.
2786
2787         * bytecode/CodeBlockJettisoningWatchpoint.h:
2788         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): No need for the default constructor.
2789         * bytecode/Watchpoint.h:
2790         (JSC::Watchpoint::Watchpoint): This should be noncopyable and fast-allocated.
2791         * dfg/DFGCommonData.h: Use a Bag<> instead of SegmentedVector<>. Bag means "malloc things but allow me to free them all at once", which is what we are doing here.
2792         * dfg/DFGDesiredWatchpoints.h:
2793         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd): Use the Bag<> API rather than the very awkward SegmentedVector<> API.
2794
2795 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2796
2797         AI folding of IsObjectOrNull is broken for non-object types that may be null
2798         https://bugs.webkit.org/show_bug.cgi?id=146867
2799
2800         Reviewed by Ryosuke Niwa.
2801
2802         * dfg/DFGAbstractInterpreterInlines.h:
2803         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Fix the bug and add some text describing what is going on.
2804         * tests/stress/misc-is-object-or-null.js: Added. Test for the bug.
2805         (foo):
2806         * tests/stress/other-is-object-or-null.js: Added. Test for a bug I almost introduced.
2807         (foo):
2808
2809 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2810
2811         It should be easy to measure total compile times.
2812         https://bugs.webkit.org/show_bug.cgi?id=146857
2813
2814         Reviewed by Sam Weinig.
2815         
2816         This gives DFG::Plan the ability to track total compile times, and return them in a map
2817         of stats that jsc.cpp can display.
2818         
2819         I want to do some work to bring down DFG compile times. This will help me measure whether
2820         I'm making a difference or not.
2821
2822         * dfg/DFGPlan.cpp:
2823         (JSC::DFG::Plan::Plan):
2824         (JSC::DFG::Plan::~Plan):
2825         (JSC::DFG::Plan::computeCompileTimes):
2826         (JSC::DFG::Plan::reportCompileTimes):
2827         (JSC::DFG::Plan::compileInThread):
2828         (JSC::DFG::Plan::compileInThreadImpl):
2829         (JSC::DFG::Plan::cancel):
2830         (JSC::DFG::Plan::compileTimeStats):
2831         (JSC::DFG::dumpAndVerifyGraph): Deleted.
2832         (JSC::DFG::profilerCompilationKindForMode): Deleted.
2833         * dfg/DFGPlan.h:
2834         (JSC::DFG::Plan::compileTimeStats):
2835         * jsc.cpp:
2836         (jscmain):
2837         * runtime/Options.h:
2838
2839 2015-07-04  Filip Pizlo  <fpizlo@apple.com>
2840
2841         DFG fragile frozen values are fundamentally broken
2842         https://bugs.webkit.org/show_bug.cgi?id=146602
2843
2844         Reviewed by Mark Lam.
2845         
2846         This change gets rid of the FragileValue value strength, because it was fundamentally
2847         broken.
2848         
2849         FragileValue was a value known to the compiler but not tracked by the GC in any way -
2850         it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
2851         must-handle values. The philosophy was that if the compiler did use the value for
2852         optimization, it would have been strengthened to a weak value (or maybe even a strong
2853         value, though we probably won't do that). But this was too much of a pipe dream. I've
2854         found at least one case where the compiler did use the value, but never strengthened
2855         it: it would happen if the value ended up in an OSR entry data expected value. Then if
2856         we GCed, we might have killed the value, but OSR entry would still try to use it for
2857         validation. That might have sort of just worked, but it's clearly shady.
2858
2859         The reason why we made must-handle values fragile and not weak is that most of the time
2860         the values disappear from the abstract state: they are LUBed to a non-constant. If we
2861         kept them around as weak, we'd have too many cases of the GC killing the code because
2862         it thought that the value was somehow meaningful to the code when it was only used as a
2863         temporary artifact of optimization.
2864
2865         So, it's true that it's very important for must-handle values not to automatically be
2866         weak or strong. It's also true that the values are necessary for AI bootstrap because
2867         we need to know what values OSR entry will require. But we shouldn't accomplish these
2868         goals by having the compiler hold onto what are essentially dangling pointers.
2869         
2870         This implements a better solution: instead of having InPlaceAbstractState bootstrap the
2871         AI with must-handle values at the beginning, we now widen the valuesAtHead of the
2872         must-handle block after AI converges. This widening is done in CFAPhase. This allows us
2873         to see if the must-handle values are necessary at all. In most cases, the widening
2874         takes a non-constant abstract value and simply amends something to its type based on
2875         the type of the must-handle value, and so the must-handle value never actually shows up
2876         in either the IR or any abstract value. In the unlikely event that the value at head is
2877         bottom, we freeze the must-handle value. This change removes FragileValue, and this
2878         freezing uses WeakValue as the strength. That makes sense: since the abstract value was
2879         bottom, the must-handle value becomes integral to the IR and so it makes no sense for
2880         the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
2881         sometimes happen for example if you have a very long-running loop whose pre-header
2882         allocates some object, but that pre-header appears to always exit to the optimizing JIT
2883         because it was only profiled once in the LLInt and that profiling appears insufficient
2884         to the DFG. In that case, we'll effectively constant-fold the references to the object
2885         inside the loop, which is both efficient (yay constant folding!) and necessary
2886         (otherwise we wouldn't know what the type of the variable should have been).
2887         
2888         Testing and debugging this is complicated. So, this adds some new capabilities:
2889         
2890         - DFG IR dumps also dump all of the FrozenValues that point to the heap along with
2891           their strengths, so that it's easy to see what GC objects the DFG feels are necessary
2892           for the compilation.
2893         
2894         - DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
2895           to see what GC pointers (and other things) are used for OSR entry validation. The
2896           printouts are quite detailed, and should also help other kinds of OSR entry
2897           debugging.
2898         
2899         - DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
2900           data structures are also properly registered as either weak or strong pointers in the
2901           CodeBlock. This validation check previously failed due to fragile values ending up in
2902           the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
2903           and in some pre-existing tests (like earley-boyer and 3d-raytrace).
2904
2905         * CMakeLists.txt:
2906         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2907         * JavaScriptCore.xcodeproj/project.pbxproj:
2908         * bytecode/CodeBlock.cpp:
2909         (JSC::CodeBlock::stronglyVisitStrongReferences):
2910         * bytecode/CodeOrigin.cpp:
2911         (JSC::InlineCallFrame::visitAggregate):
2912         * bytecode/Operands.h:
2913         (JSC::Operands::operand):
2914         (JSC::Operands::hasOperand):
2915         * bytecode/StructureSet.cpp:
2916         (JSC::StructureSet::dump):
2917         (JSC::StructureSet::validateReferences):
2918         * bytecode/StructureSet.h:
2919         * bytecode/TrackedReferences.cpp: Added.
2920         (JSC::TrackedReferences::TrackedReferences):
2921         (JSC::TrackedReferences::~TrackedReferences):
2922         (JSC::TrackedReferences::add):
2923         (JSC::TrackedReferences::check):
2924         (JSC::TrackedReferences::dump):
2925         * bytecode/TrackedReferences.h: Added.
2926         * dfg/DFGAbstractValue.cpp:
2927         (JSC::DFG::AbstractValue::observeTransitions):
2928         (JSC::DFG::AbstractValue::set):
2929         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2930         (JSC::DFG::AbstractValue::mergeOSREntryValue):
2931         (JSC::DFG::AbstractValue::filter):
2932         (JSC::DFG::AbstractValue::dumpInContext):
2933         (JSC::DFG::AbstractValue::validateReferences):
2934         (JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
2935         * dfg/DFGAbstractValue.h:
2936         (JSC::DFG::AbstractValue::fullTop):
2937         (JSC::DFG::AbstractValue::merge):
2938         * dfg/DFGByteCodeParser.cpp:
2939         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2940         * dfg/DFGCFAPhase.cpp:
2941         (JSC::DFG::CFAPhase::run):
2942         * dfg/DFGCommonData.cpp:
2943         (JSC::DFG::CommonData::invalidate):
2944         (JSC::DFG::CommonData::validateReferences):
2945         * dfg/DFGCommonData.h:
2946         (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
2947         * dfg/DFGFrozenValue.h:
2948         (JSC::DFG::FrozenValue::FrozenValue):
2949         (JSC::DFG::FrozenValue::strengthenTo):
2950         (JSC::DFG::FrozenValue::pointsToHeap):
2951         (JSC::DFG::FrozenValue::strength):
2952         (JSC::DFG::FrozenValue::freeze):
2953         * dfg/DFGGraph.cpp:
2954         (JSC::DFG::Graph::Graph):
2955         (JSC::DFG::Graph::dump):
2956         (JSC::DFG::Graph::registerFrozenValues):
2957         (JSC::DFG::Graph::visitChildren):
2958         (JSC::DFG::Graph::freeze):
2959         (JSC::DFG::Graph::freezeStrong):
2960         (JSC::DFG::Graph::freezeFragile): Deleted.
2961         * dfg/DFGGraph.h:
2962         * dfg/DFGInPlaceAbstractState.cpp:
2963         (JSC::DFG::InPlaceAbstractState::initialize):
2964         * dfg/DFGJITCode.cpp:
2965         (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
2966         (JSC::DFG::JITCode::validateReferences):
2967         * dfg/DFGJITCode.h:
2968         * dfg/DFGJITCompiler.cpp:
2969         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
2970         (JSC::DFG::JITCompiler::noticeOSREntry):
2971         * dfg/DFGJITCompiler.h:
2972         (JSC::DFG::JITCompiler::branchStructurePtr):
2973         (JSC::DFG::JITCompiler::jitCode):
2974         (JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
2975         * dfg/DFGMinifiedGraph.cpp: Added.
2976         (JSC::DFG::MinifiedGraph::prepareAndShrink):
2977         (JSC::DFG::MinifiedGraph::validateReferences):
2978         * dfg/DFGMinifiedGraph.h:
2979         (JSC::DFG::MinifiedGraph::append):
2980         (JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
2981         * dfg/DFGOSREntry.cpp:
2982         (JSC::DFG::OSREntryData::dumpInContext):
2983         (JSC::DFG::OSREntryData::dump):
2984         (JSC::DFG::prepareOSREntry):
2985         * dfg/DFGOSREntry.h:
2986         (JSC::DFG::getOSREntryDataBytecodeIndex):
2987         * dfg/DFGPlan.cpp:
2988         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2989         * dfg/DFGSpeculativeJIT.cpp:
2990         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2991         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2992         * dfg/DFGStructureAbstractValue.cpp:
2993         (JSC::DFG::StructureAbstractValue::dump):
2994         (JSC::DFG::StructureAbstractValue::validateReferences):
2995         * dfg/DFGStructureAbstractValue.h:
2996         * dfg/DFGValidate.cpp:
2997         (JSC::DFG::Validate::validate):
2998         * dfg/DFGValueStrength.cpp:
2999         (WTF::printInternal):
3000         * dfg/DFGValueStrength.h:
3001         (JSC::DFG::merge):
3002         * ftl/FTLExitPropertyValue.cpp:
3003         (JSC::FTL::ExitPropertyValue::dump):
3004         (JSC::FTL::ExitPropertyValue::validateReferences):
3005         * ftl/FTLExitPropertyValue.h:
3006         * ftl/FTLExitTimeObjectMaterialization.cpp:
3007         (JSC::FTL::ExitTimeObjectMaterialization::dump):
3008         (JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
3009         * ftl/FTLExitTimeObjectMaterialization.h:
3010         * ftl/FTLExitValue.cpp:
3011         (JSC::FTL::ExitValue::dump):
3012         (JSC::FTL::ExitValue::validateReferences):
3013         * ftl/FTLExitValue.h:
3014         * ftl/FTLJITCode.cpp:
3015         (JSC::FTL::JITCode::dfgCommon):
3016         (JSC::FTL::JITCode::validateReferences):
3017         * ftl/FTLJITCode.h:
3018         (JSC::FTL::JITCode::handles):
3019         (JSC::FTL::JITCode::dataSections):
3020         * ftl/FTLOSRExit.cpp:
3021         (JSC::FTL::OSRExit::codeLocationForRepatch):
3022         (JSC::FTL::OSRExit::validateReferences):
3023         * ftl/FTLOSRExit.h:
3024         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
3025         * jit/JITCode.cpp:
3026         (JSC::JITCode::typeName):
3027         (JSC::JITCode::validateReferences):
3028         (JSC::JITCode::execute):
3029         * jit/JITCode.h:
3030         (JSC::JITCode::start):
3031         * tests/stress/dead-osr-entry-value.js: Added.
3032         (foo):
3033
3034 2015-07-09  Filip Pizlo  <fpizlo@apple.com>
3035
3036         It should be possible to run the OSR exit fuzzer
3037         https://bugs.webkit.org/show_bug.cgi?id=146814
3038
3039         Reviewed by Mark Lam.
3040         
3041         Fix a silly bug: the option matching was accidentally allowing a prefix match, which
3042         always did the wrong thing for --fireOSRExitFuzzAt and --fireOSRExitFuzzAtStatic. Make
3043         this an exact match instead.
3044
3045         * runtime/Options.cpp:
3046         (JSC::Options::setOption):
3047
3048 2015-07-09  Mark Lam  <mark.lam@apple.com>
3049
3050         SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.
3051         https://bugs.webkit.org/show_bug.cgi?id=146807
3052
3053         Reviewed by Filip Pizlo.
3054
3055         When we capture an argument by name and we use "arguments", we put all of the
3056         arguments into the scope.  But destructured arguments are put into the scope
3057         anonymously i.e. the SymbolTable knows that the scope offset is in use via
3058         SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in
3059         SymbolTable::m_map.
3060
3061         The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will
3062         have a size which is based on the largest ScopeOffset in the m_map.  If we have a
3063         scenario where the anonymous argument is at a higher ScopeOffset than all the
3064         named arguments, then the m_localsToEntry vector will not have an entry for it
3065         i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of
3066         the anonymous argument.
3067
3068         Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is
3069         within the bounds of the m_localToEntry vector before indexing into it.
3070
3071         * runtime/SymbolTable.cpp:
3072         (JSC::SymbolTable::entryFor):
3073
3074 2015-07-09  Michael Saboff  <msaboff@apple.com>
3075
3076         REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
3077         https://bugs.webkit.org/show_bug.cgi?id=146767
3078
3079         Reviewed by Geoffrey Garen.
3080
3081         If the stack check fails at the top most frame, we must use that frame to
3082         generate the exception.  Reverted the code to always use the current frame to
3083         throw an out of stack exception.
3084
3085         * llint/LLIntSlowPaths.cpp:
3086         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3087
3088 2015-07-03  Filip Pizlo  <fpizlo@apple.com>
3089
3090         OSR exit fuzzing should allow us to select a static exit site
3091         https://bugs.webkit.org/show_bug.cgi?id=146601
3092
3093         Reviewed by Geoffrey Garen.
3094         
3095         The original implementation of the fuzzer allows us to trigger an exit based on its index
3096         in the dynamic sequence of exit sites encountered. But there are usually millions of
3097         dynamically encountered exit sites, even if the program only has thousands of static exit
3098         sites. That means that we would at best be able to do a random sampling of exits, and
3099         those would be biased to the hottest exit sites.
3100         
3101         This change allows us to also select exit sites based on their index in the static
3102         sequence of exit sites that the compiler compiled. Then, once that static exit site is
3103         selected, we can select which dynamic exit at that exit site we should trigger. Since the
3104         number of static exit sites is usually smallish (it's bounded by program size), we can do
3105         an exhaustive search over all exit sites in most programs.
3106
3107         * dfg/DFGOSRExitFuzz.cpp:
3108         (JSC::numberOfStaticOSRExitFuzzChecks):
3109         (JSC::numberOfOSRExitFuzzChecks):
3110         * dfg/DFGOSRExitFuzz.h:
3111         (JSC::DFG::doOSRExitFuzzing):
3112         * dfg/DFGSpeculativeJIT.cpp:
3113         (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
3114         * ftl/FTLLowerDFGToLLVM.cpp:
3115         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
3116         * jsc.cpp:
3117         (jscmain):
3118         * runtime/Options.h:
3119         * runtime/TestRunnerUtils.h:
3120
3121 2015-07-08  Joseph Pecoraro  <pecoraro@apple.com>
3122
3123         Fix grammar issue in TypeError attempting to change an unconfigurable property
3124         https://bugs.webkit.org/show_bug.cgi?id=146774
3125
3126         Reviewed by Brent Fulgham.
3127
3128         * runtime/JSFunction.cpp:
3129         (JSC::JSFunction::defineOwnProperty):
3130         * runtime/JSObject.cpp:
3131         (JSC::JSObject::defineOwnNonIndexProperty):
3132         * runtime/StringObject.cpp:
3133         (JSC::StringObject::defineOwnProperty):
3134
3135 2015-07-06  Csaba Osztrogonác  <ossy@webkit.org>
3136
3137         Remove the unused HeapBlock.h
3138         https://bugs.webkit.org/show_bug.cgi?id=146580
3139
3140         Reviewed by Andreas Kling.
3141
3142         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3143         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3144         * JavaScriptCore.xcodeproj/project.pbxproj:
3145         * heap/CopiedBlock.h:
3146         * heap/CopiedSpace.h:
3147         * heap/CopiedSpaceInlines.h:
3148         * heap/HandleBlock.h:
3149         * heap/HeapBlock.h: Removed.
3150         * heap/MarkedBlock.h:
3151
3152 2015-07-06  Saam barati  <saambarati1@gmail.com>
3153
3154         JSC's parser should follow the ES6 spec with respect to parsing Declarations
3155         https://bugs.webkit.org/show_bug.cgi?id=146621
3156
3157         Reviewed by Mark Lam.
3158
3159         There were a few locations where JSC would allow declaration statements
3160         in incorrect ways. JSC didn't distinguish between 'Statement' and
3161         'StatementListItem' grammar productions. The relevant grammar is here:
3162         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements
3163
3164         From the ECMA Script 6.0 spec:
3165         1. Section 13.6 The if Statement (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-if-statement) 
3166          says that IfStatements only takes Statements for the "then-else" clauses, not StatementListItems.
3167          (Same with 'while/for/do-while' loop bodies).
3168         2. Section 13 ECMAScript Language: Statements and Declarations 
3169          (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-ecmascript-language-statements-and-declarations)
3170          defines the syntax of Statements, and they do not include ClassDeclarations and LexicalDeclarations 
3171          (const, let, see 13.3.1 Let and Const Declarations).
3172          Declarations can only be in the “then-else” clauses when embedded in a StatementListItem in a BlockStatement (see 13.2).
3173
3174         Hence, the following style of declarations are no longer allowed:
3175             'if/for/while (condition) const x = 40;'
3176             'if/for/while (condition) class C { }'
3177
3178         Instead, we mandate such declaration constructs are within a StatementList 
3179        (which is the production that JSC's Parser::parseSourceElements function parses):
3180            'if/for/while (condition) { const x = 40; }'
3181            'if/for/while (condition) { class C { } }'
3182
3183         * parser/Parser.cpp:
3184         (JSC::Parser<LexerType>::parseSourceElements):
3185         (JSC::Parser<LexerType>::parseStatementListItem):
3186         (JSC::Parser<LexerType>::parseVarDeclaration):
3187         (JSC::Parser<LexerType>::parseStatement):
3188         (JSC::Parser<LexerType>::parseExpressionStatement):
3189         * parser/Parser.h:
3190         (JSC::Parser::getLabel):
3191
3192 2015-07-06  Alex Christensen  <achristensen@webkit.org>
3193
3194         Unreviewed debug build fix after r186358.
3195
3196         * runtime/JSArray.cpp:
3197         (JSC::JSArray::fastConcatWith):
3198         Pass vm parameter to fastConcatType.
3199
3200 2015-07-06  Ryosuke Niwa  <rniwa@webkit.org>
3201
3202         Array.concat should be fast for integer or double arrays
3203         https://bugs.webkit.org/show_bug.cgi?id=146260
3204
3205         Reviewed by Darin Adler.
3206
3207         Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous
3208         arrays, simply memcopy the arrays into a new uninitialized buffer.
3209
3210         This improves huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro.
3211
3212         * runtime/ArrayPrototype.cpp:
3213         (JSC::arrayProtoFuncConcat):
3214         * runtime/JSArray.cpp:
3215         (JSC::JSArray::fastConcatWith): Added.
3216         * runtime/JSArray.h:
3217         (JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use
3218         the fact path. Returns NonArray otherwise.
3219
3220 2015-07-06  Youenn Fablet  <youenn.fablet@crf.canon.fr>
3221
3222         [Streams API] Remove ReadableStream custom constructor
3223         https://bugs.webkit.org/show_bug.cgi?id=146547
3224
3225         Reviewed by Darin Adler.
3226
3227         Adding helper function to throw range errors.
3228
3229         * runtime/Error.h:
3230         (JSC::throwRangeError):
3231         (JSC::throwVMRangeError):
3232
3233 2015-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3234
3235         [ES6] Implement the latest Promise spec in JS
3236         https://bugs.webkit.org/show_bug.cgi?id=146229
3237
3238         Reviewed by Sam Weinig.
3239
3240         Updated the Promise implementation to meet to the ES6 spec.
3241         This patch
3242         1. Implement ES6 Promise and related abstract operations in builtins JS
3243         2. Expose @enqueueJob private function to JS world to post the microtask
3244
3245         Updated implementation has one-on-one correspondence to the ES6 spec description.
3246         And keep the JSPromiseDeferred because it is the interface used from the WebCore.
3247
3248         * CMakeLists.txt:
3249         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3250         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3251         * JavaScriptCore.xcodeproj/project.pbxproj:
3252         * builtins/Array.prototype.js:
3253         (reduce):
3254         (reduceRight):
3255         (every):
3256         (forEach):
3257         (filter):
3258         (map):
3259         (some):
3260         (fill):
3261         (find):
3262         (findIndex):
3263         (includes):
3264         (copyWithin):
3265         ToInteger / ToLength are renamed to toInteger and toLength.
3266         * builtins/ArrayConstructor.js:
3267         (from):
3268         ToInteger / ToLength are renamed to toInteger and toLength.
3269         * builtins/GlobalObject.js:
3270         (toInteger):
3271         (toLength):
3272         (isObject):
3273         (ToInteger): Deleted.
3274         (ToLength): Deleted.
3275         ToInteger / ToLength are renamed to toInteger and toLength.
3276         Add new abstract operation, isObject.
3277         * builtins/Operations.Promise.js: Added.
3278         (isPromise):
3279         (newPromiseReaction):
3280         (newPromiseDeferred):
3281         (newPromiseCapability.executor):
3282         (newPromiseCapability):
3283         (triggerPromiseReactions):
3284         (rejectPromise):
3285         (fulfillPromise):
3286         (createResolvingFunctions.resolve):
3287         (createResolvingFunctions.reject):
3288         (createResolvingFunctions):
3289         (promiseReactionJob):
3290         (promiseResolveThenableJob):
3291         (initializePromise):
3292         Added Promise related abstract operations.
3293         * builtins/Promise.prototype.js:
3294         (catch):
3295         (.onFulfilled):
3296         (.onRejected):
3297         (then):
3298         Promise#then implementation in JS.
3299         * builtins/PromiseConstructor.js: Added.
3300         (all.newResolveElement):
3301         (all):
3302         (race):
3303         (reject):
3304         (resolve):
3305         Promise static functions implementations in JS.
3306         * builtins/StringConstructor.js:
3307         (raw):
3308         ToInteger / ToLength are renamed to toInteger and toLength.
3309         * inspector/JSInjectedScriptHost.cpp:
3310         (Inspector::JSInjectedScriptHost::getInternalProperties):
3311         * runtime/CommonIdentifiers.h:
3312         * runtime/JSGlobalObject.cpp:
3313         (JSC::enqueueJob):
3314         (JSC::JSGlobalObject::init):
3315         (JSC::JSGlobalObject::visitChildren):
3316         * runtime/JSGlobalObject.h:
3317         (JSC::JSGlobalObject::initializePromiseFunction):
3318         (JSC::JSGlobalObject::newPromiseDeferredFunction):
3319         * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h.
3320         (JSC::createJSJob):
3321         (JSC::JSJobMicrotask::run):
3322         * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h.
3323         * runtime/JSPromise.cpp:
3324         (JSC::JSPromise::create):
3325         (JSC::JSPromise::JSPromise):
3326         (JSC::JSPromise::finishCreation):
3327         (JSC::JSPromise::result):
3328         (JSC::JSPromise::destroy): Deleted.
3329         (JSC::JSPromise::visitChildren): Deleted.
3330         (JSC::JSPromise::reject): Deleted.
3331         (JSC::JSPromise::resolve): Deleted.
3332         (JSC::JSPromise::appendResolveReaction): Deleted.
3333         (JSC::JSPromise::appendRejectReaction): Deleted.
3334         (JSC::triggerPromiseReactions): Deleted.
3335         * runtime/JSPromise.h:
3336         (JSC::JSPromise::status): Deleted.
3337         (JSC::JSPromise::result): Deleted.
3338         (JSC::JSPromise::constructor): Deleted.
3339         * runtime/JSPromiseConstructor.cpp:
3340         (JSC::constructPromise):
3341         (JSC::JSPromiseConstructorFuncResolve): Deleted.
3342         (JSC::JSPromiseConstructorFuncReject): Deleted.
3343         (JSC::performPromiseRaceLoop): Deleted.
3344         (JSC::JSPromiseConstructorFuncRace): Deleted.
3345         (JSC::performPromiseAll): Deleted.
3346         (JSC::JSPromiseConstructorFuncAll): Deleted.
3347         * runtime/JSPromiseDeferred.cpp:
3348         (JSC::JSPromiseDeferred::create):
3349         (JSC::createJSPromiseDeferredFromConstructor): Deleted.
3350         (JSC::updateDeferredFromPotentialThenable): Deleted.
3351         (JSC::performDeferredResolve): Deleted.
3352         (JSC::performDeferredReject): Deleted.
3353         (JSC::abruptRejection): Deleted.
3354         * runtime/JSPromiseDeferred.h:
3355         * runtime/JSPromiseFunctions.cpp: Removed.
3356         (JSC::deferredConstructionFunction): Deleted.
3357         (JSC::createDeferredConstructionFunction): Deleted.
3358         (JSC::identifyFunction): Deleted.
3359         (JSC::createIdentifyFunction): Deleted.
3360         (JSC::promiseAllCountdownFunction): Deleted.
3361         (JSC::createPromiseAllCountdownFunction): Deleted.
3362         (JSC::promiseResolutionHandlerFunction): Deleted.
3363         (JSC::createPromiseResolutionHandlerFunction): Deleted.
3364         (JSC::rejectPromiseFunction): Deleted.
3365         (JSC::createRejectPromiseFunction): Deleted.
3366         (JSC::resolvePromiseFunction): Deleted.
3367         (JSC::createResolvePromiseFunction): Deleted.
3368         (JSC::throwerFunction): Deleted.
3369         (JSC::createThrowerFunction): Deleted.
3370         * runtime/JSPromisePrototype.cpp:
3371         (JSC::JSPromisePrototypeFuncThen): Deleted.
3372         * runtime/JSPromiseReaction.cpp: Removed.
3373         (JSC::createExecutePromiseReactionMicrotask): Deleted.
3374         (JSC::ExecutePromiseReactionMicrotask::run): Deleted.
3375         (JSC::JSPromiseReaction::create): Deleted.
3376         (JSC::JSPromiseReaction::JSPromiseReaction): Deleted.
3377         (JSC::JSPromiseReaction::finishCreation): Deleted.
3378         (JSC::JSPromiseReaction::visitChildren): Deleted.
3379         * runtime/VM.cpp:
3380         (JSC::VM::VM): Deleted.
3381         * runtime/VM.h:
3382
3383 2015-07-04  Chris Dumez  <cdumez@apple.com>
3384
3385         Drop RefPtr::clear() method
3386         https://bugs.webkit.org/show_bug.cgi?id=146556
3387
3388         Reviewed by Brady Eidson.
3389
3390         Drop RefPtr::clear() method in favor of "= nullptr;" pattern.
3391
3392 2015-07-03  Dan Bernstein  <mitz@apple.com>
3393
3394         Just give up on -Wunreachable-code in JavaScriptCore.
3395
3396         * Configurations/Base.xcconfig:
3397         * llint/LowLevelInterpreter.cpp:
3398         (JSC::CLoop::execute):
3399
3400 2015-07-03  Dan Bernstein  <mitz@apple.com>
3401
3402         Fixed the LLINT CLoop build.
3403
3404         * llint/LowLevelInterpreter.cpp:
3405         (JSC::CLoop::execute):
3406
3407 2015-07-03  Dan Bernstein  <mitz@apple.com>
3408
3409         [Xcode] Update some build settings as recommended by Xcode 7
3410         https://bugs.webkit.org/show_bug.cgi?id=146597
3411
3412         Reviewed by Sam Weinig.
3413
3414         * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
3415         GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.
3416
3417         * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.
3418
3419         * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings.
3420
3421 2015-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3422
3423         Relax builtin JS restriction about try-catch
3424         https://bugs.webkit.org/show_bug.cgi?id=146555
3425
3426         Reviewed by Sam Weinig.
3427
3428         When retrieving the captured variables from the full activated scope,
3429         it swapped the given vector with the stored declared variables vector.
3430         This is because retrieving the captured variables are executed in the
3431         last sequence of the parser, so declared variables are no longer used.
3432         However, in builtins functions case, after retrieving the captured
3433         variables, we check the variables by using declared variables vector.
3434         So at that time, the declared variables vector becomes empty and it
3435         raises assertion failures when the builtins function contains the full
3436         activated scope. try-catch's catch scope requires the upper scope full
3437         activated, so JS code in the builtins cannot use the try-catch.
3438
3439         This patch relaxes this restriction. When retrieving the captured
3440         variables from the scope, just copy to the given vector.
3441
3442         * parser/Parser.h:
3443         (JSC::Scope::getCapturedVariables):
3444
3445 2015-07-02  Filip Pizlo  <fpizlo@apple.com>
3446
3447         DFG and FTL should have an OSR exit fuzzer
3448         https://bugs.webkit.org/show_bug.cgi?id=146562
3449
3450         Reviewed by Benjamin Poulain.
3451         
3452         Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I
3453         spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how
3454         to harness this after I land it.
3455         
3456         Since it's turned off by default, it should have no effect on behavior.
3457
3458         * CMakeLists.txt:
3459         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3460         * JavaScriptCore.xcodeproj/project.pbxproj:
3461         * dfg/DFGOSRExitFuzz.cpp: Added.
3462         (JSC::numberOfOSRExitFuzzChecks):
3463         * dfg/DFGOSRExitFuzz.h: Added.
3464         * dfg/DFGSpeculativeJIT.cpp:
3465         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
3466         (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
3467         (JSC::DFG::SpeculativeJIT::speculationCheck):
3468         * dfg/DFGSpeculativeJIT.h:
3469         * ftl/FTLLowerDFGToLLVM.cpp:
3470         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
3471         * jsc.cpp:
3472         (jscmain):
3473         * runtime/Options.h:
3474         * runtime/TestRunnerUtils.h:
3475
3476 2015-07-02  Saam barati  <saambarati1@gmail.com>
3477
3478         Rename "Deconstruction" to "Destructuring" throughout JSC
3479         https://bugs.webkit.org/show_bug.cgi?id=146100
3480
3481         Reviewed by Mark Lam.
3482
3483         It is good to use the same naming conventions as the ES6 
3484         spec because it is the de facto way of speaking about these 
3485         language features. This also has the benefit of improving JSC's
3486         hackability because it improves code readability for newcomers 
3487         to JSC or newcomers to this part of the code base.
3488
3489         * bytecompiler/BytecodeGenerator.cpp:
3490         (JSC::BytecodeGenerator::generate):
3491         (JSC::BytecodeGenerator::BytecodeGenerator):
3492         (JSC::BytecodeGenerator::initializeNextParameter):
3493         (JSC::BytecodeGenerator::visibleNameForParameter):
3494         * bytecompiler/BytecodeGenerator.h:
3495         (JSC::BytecodeGenerator::registerFor):
3496         * bytecompiler/NodesCodegen.cpp:
3497         (JSC::ForInNode::tryGetBoundLocal):
3498         (JSC::ForInNode::emitLoopHeader):
3499         (JSC::ForOfNode::emitBytecode):
3500         (JSC::ClassExprNode::emitBytecode):
3501         (JSC::DestructuringAssignmentNode::emitBytecode):
3502         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
3503         (JSC::ArrayPatternNode::collectBoundIdentifiers):
3504         (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted.
3505         (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted.
3506         * parser/ASTBuilder.h:
3507         (JSC::ASTBuilder::createElementList):
3508         (JSC::ASTBuilder::createFormalParameterList):
3509         (JSC::ASTBuilder::createClause):
3510         (JSC::ASTBuilder::createClauseList):
3511         (JSC::ASTBuilder::createForInLoop):
3512         (JSC::ASTBuilder::createForOfLoop):
3513         (JSC::ASTBuilder::isBindingNode):
3514         (JSC::ASTBuilder::isResolve):
3515         (JSC::ASTBuilder::createDestructuringAssignment):
3516         (JSC::ASTBuilder::createArrayPattern):
3517         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
3518         (JSC::ASTBuilder::appendArrayPatternEntry):
3519         (JSC::ASTBuilder::appendArrayPatternRestEntry):
3520         (JSC::ASTBuilder::createObjectPattern):
3521         (JSC::ASTBuilder::appendObjectPatternEntry):
3522         (JSC::ASTBuilder::createDeconstructingAssignment): Deleted.
3523         * parser/NodeConstructors.h:
3524         (JSC::TryNode::TryNode):
3525         (JSC::ParameterNode::ParameterNode):
3526         (JSC::ForOfNode::ForOfNode):
3527         (JSC::DestructuringPatternNode::DestructuringPatternNode):
3528         (JSC::ArrayPatternNode::ArrayPatternNode):
3529         (JSC::ArrayPatternNode::create):
3530         (JSC::ObjectPatternNode::ObjectPatternNode):
3531         (JSC::BindingNode::create):
3532         (JSC::BindingNode::BindingNode):
3533         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
3534         (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted.
3535         (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted.
3536         * parser/Nodes.cpp:
3537         (JSC::FunctionParameters::create):
3538         * parser/Nodes.h:
3539         (JSC::ExpressionNode::isResolveNode):
3540         (JSC::ExpressionNode::isBracketAccessorNode):
3541         (JSC::ExpressionNode::isDotAccessorNode):
3542         (JSC::ExpressionNode::isDestructuringNode):
3543         (JSC::ExpressionNode::isFuncExprNode):
3544         (JSC::ExpressionNode::isCommaNode):
3545         (JSC::ExpressionNode::isSimpleArray):
3546         (JSC::ParameterNode::pattern):
3547         (JSC::ParameterNode::nextParam):
3548         (JSC::FunctionParameters::size):
3549         (JSC::FunctionParameters::at):
3550         (JSC::FunctionParameters::patterns):
3551         (JSC::DestructuringPatternNode::isBindingNode):
3552         (JSC::DestructuringPatternNode::emitDirectBinding):
3553         (JSC::ArrayPatternNode::appendIndex):
3554         (JSC::ObjectPatternNode::appendEntry):
3555         (JSC::BindingNode::boundProperty):
3556         (JSC::DestructuringAssignmentNode::bindings):
3557         (JSC::ExpressionNode::isDeconstructionNode): Deleted.
3558         (JSC::DeconstructionPatternNode::isBindingNode): Deleted.
3559         (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted.
3560         (JSC::DeconstructingAssignmentNode::bindings): Deleted.
3561         * parser/Parser.cpp:
3562         (JSC::Parser<LexerType>::parseVarDeclaration):
3563         (JSC::Parser<LexerType>::parseWhileStatement):
3564         (JSC::Parser<LexerType>::parseVarDeclarationList):
3565         (JSC::Parser<LexerType>::createBindingPattern):
3566         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
3567         (JSC::Parser<LexerType>::parseDestructuringPattern):
3568         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
3569         (JSC::Parser<LexerType>::parseForStatement):
3570         (JSC::Parser<LexerType>::parseFormalParameters):
3571         (JSC::Parser<LexerType>::parseFunctionParameters):
3572         (JSC::Parser<LexerType>::parseAssignmentExpression):
3573         (JSC::Parser<LexerType>::tryParseDeconstructionPatternExpression): Deleted.
3574         (JSC::Parser<LexerType>::parseDeconstructionPattern): Deleted.
3575         (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern): Deleted.
3576         * parser/Parser.h:
3577         (JSC::isEvalNode):
3578         * parser/SyntaxChecker.h:
3579         (JSC::SyntaxChecker::createPropertyList):
3580         (JSC::SyntaxChecker::createElementList):
3581         (JSC::SyntaxChecker::createFormalParameterList):
3582         (JSC::SyntaxChecker::createClause):
3583         (JSC::SyntaxChecker::createClauseList):
3584         (JSC::SyntaxChecker::operatorStackPop):
3585         * tests/stress/reserved-word-with-escape.js:
3586         * tests/stress/rest-elements.js:
3587
3588 2015-07-02  Mark Lam  <mark.lam@apple.com>
3589
3590         Build fix for Win EWS bot.
3591         https://bugs.webkit.org/show_bug.cgi?id=146551
3592
3593         Not reviewed.
3594
3595         * tools/JSDollarVMPrototype.cpp:
3596         (JSC::functionCrash):
3597
3598 2015-07-02  Dan Bernstein  <mitz@apple.com>
3599
3600         <rdar://problem/21429613> [iOS] Stop making symlinks from PrivateFrameworks to Frameworks
3601         https://bugs.webkit.org/show_bug.cgi?id=146542
3602
3603         Reviewed by Sam Weinig.
3604
3605         * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink.
3606
3607 2015-07-01  Joseph Pecoraro  <pecoraro@apple.com>
3608
3609         Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes
3610         https://bugs.webkit.org/show_bug.cgi?id=146536
3611
3612         Reviewed by Timothy Hatcher.
3613
3614         * inspector/protocol/Timeline.json:
3615         Change a CPUProfile from sending a required "calls" param to sending a required
3616         "callInfo" param which includes aggregated information about the calls.
3617
3618 2015-06-30  Filip Pizlo  <fpizlo@apple.com>
3619
3620         DFG::freezeFragile should register the frozen value's structure
3621         https://bugs.webkit.org/show_bug.cgi?id=136055
3622         rdar://problem/21042120
3623
3624         Reviewed by Mark Lam and Geoffrey Garen.
3625         
3626         This fixes weird concurrency bugs where the constant folding phase tries to convert
3627         something to a constant but then crashes because the constant's structure wasn't
3628         registered. The AI was registering the structure of any value it saw, but constant folding
3629         wasn't - and that's fine so long as there ain't no concurrency.
3630         
3631         The best fix is to just make it impossible to introduce a constant into the IR without
3632         registering its structure. That's what this change does. This is not only a great
3633         concurrency fix - it also makes the compiler somewhat easier to hack on because it's one
3634         less case of structure registering that you have to remember about.
3635         
3636         * dfg/DFGAbstractValue.cpp:
3637         (JSC::DFG::AbstractValue::setOSREntryValue): No need to register.
3638         (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state.
3639         * dfg/DFGGraph.cpp:
3640         (JSC::DFG::Graph::freezeFragile): Register the structure.
3641         * dfg/DFGStructureRegistrationPhase.cpp:
3642         (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered.
3643
3644 2015-07-01  Matthew Mirman  <mmirman@apple.com>
3645
3646         Unreviewed, rolling out r185889
3647         https://bugs.webkit.org/show_bug.cgi?id=146528
3648         rdar://problem/21573959
3649
3650         Patch breaks chromeexperiments.com
3651         
3652         Reverted changeset:
3653         
3654         * CMakeLists.txt:
3655         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3656         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3657         * JavaScriptCore.xcodeproj/project.pbxproj:
3658         * inspector/InjectedScriptSource.js:
3659         (.):
3660         * runtime/JSBoundSlotBaseFunction.cpp: Removed.
3661         * runtime/JSBoundSlotBaseFunction.h: Removed.
3662         * runtime/JSGlobalObject.cpp:
3663         (JSC::JSGlobalObject::init): Deleted.
3664         (JSC::JSGlobalObject::visitChildren): Deleted.
3665         * runtime/JSGlobalObject.h:
3666         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
3667         * runtime/JSObject.cpp:
3668         (JSC::JSObject::getOwnPropertyDescriptor):
3669         (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
3670         * runtime/VM.cpp:
3671         (JSC::VM::VM): Deleted.
3672         * runtime/VM.h:
3673
3674 2015-07-01  Dean Jackson  <dino@apple.com>
3675
3676         Disable the experimental WebGL2 implementation
3677         https://bugs.webkit.org/show_bug.cgi?id=146526
3678         <rdar://problem/21641235>
3679
3680         Reviewed by Myles Maxfield.
3681
3682         Add (and disable) an ENABLE_WEBGL2 flag.
3683
3684         * Configurations/FeatureDefines.xcconfig:
3685
3686 2015-07-01  Matthew Daiter  <mdaiter@apple.com>
3687
3688         Enable MEDIA_STREAM flag
3689         https://bugs.webkit.org/show_bug.cgi?id=145947
3690         <rdar://problem/21365829>
3691
3692         Reviewed by Eric Carlson.
3693
3694         * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag
3695
3696 2015-06-30  Andy VanWagoner  <thetalecrafter@gmail.com>
3697
3698         Implement ECMAScript Internationalization API
3699         https://bugs.webkit.org/show_bug.cgi?id=90906
3700
3701         Reviewed by Benjamin Poulain.
3702
3703         * CMakeLists.txt: add IntlObject.cpp
3704         * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag
3705         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject
3706         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject
3707         * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject
3708         * runtime/CommonIdentifiers.h: add "Intl" name
3709         * runtime/IntlObject.cpp: Added.
3710         (JSC::IntlObject::IntlObject):
3711         (JSC::IntlObject::create):
3712         (JSC::IntlObject::finishCreation):
3713         (JSC::IntlObject::createStructure):
3714         * runtime/IntlObject.h: Added.
3715         * runtime/JSGlobalObject.cpp: Add global Intl
3716         (JSC::JSGlobalObject::init):
3717
3718 2015-06-30  Basile Clement  <basile_clement@apple.com>
3719
3720         Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes
3721         https://bugs.webkit.org/show_bug.cgi?id=146431
3722
3723         Reviewed by Filip Pizlo.
3724
3725         * dfg/DFGNode.h:
3726         (JSC::DFG::Node::isFunctionAllocation):
3727         (JSC::DFG::Node::isPhantomFunctionAllocation):
3728         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3729         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
3730         * dfg/DFGPromoteHeapAccess.h:
3731         (JSC::DFG::promoteHeapAccess):
3732
3733 2015-06-30  Matt Baker  <mattbaker@apple.com>
3734
3735         Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing
3736         https://bugs.webkit.org/show_bug.cgi?id=146168
3737
3738         Reviewed by Brian Burg.
3739
3740         * inspector/protocol/Timeline.json:
3741         New timeline record type for compositing events.
3742
3743 2015-06-29  Dean Jackson  <dino@apple.com>
3744
3745         Temporarily disable PICTURE_SIZES
3746         https://bugs.webkit.org/show_bug.cgi?id=146435
3747         <rdar://problem/21087013>
3748
3749         Reviewed by Tim Horton.
3750
3751         Temporarily disable PICTURE_SIZES because it causes problems with out
3752         of date <picture> polyfills.
3753
3754         * Configurations/FeatureDefines.xcconfig:
3755
3756 2015-06-29  Youenn Fablet  <youenn.fablet@crf.canon.fr>
3757
3758         Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue
3759         https://bugs.webkit.org/show_bug.cgi?id=146403
3760
3761         Reviewed by Darin Adler.
3762
3763         * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue.
3764
3765 2015-06-28 Aleksandr Skachkov   <gskachkov@gmail.com>
3766
3767         [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and =>
3768         https://bugs.webkit.org/show_bug.cgi?id=146394
3769
3770         Reviewed by Yusuke Suzuki.
3771
3772         * parser/Parser.cpp:
3773         (JSC::Parser<LexerType>::parseFunctionInfo):
3774
3775 2015-06-27  Darin Adler  <darin@apple.com>
3776
3777         Make converting JSString to StringView idiomatically safe
3778         https://bugs.webkit.org/show_bug.cgi?id=146387
3779
3780         Reviewed by Anders Carlsson.
3781
3782         * jsc.cpp:
3783         (functionPrint): Add explicit call to SafeView::get, needed since there
3784         is no StringView temporary.
3785         (functionDebug): Ditto.
3786
3787         * runtime/ArrayPrototype.cpp:
3788         (JSC::holesMustForwardToPrototype): Refactored into helper function.
3789         (JSC::join): Refactored so that StringView is a function argument, making
3790         the lifetime simpler.
3791         (JSC::arrayProtoFuncJoin): Ditto.
3792         (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper.
3793
3794         * runtime/JSGlobalObjectFunctions.cpp:
3795         (JSC::encode): Add explicit call to SafeView::get.
3796
3797         * runtime/JSString.h: Moved declarations of functions to the top of the
3798         file instead of mixing them in with the function definitions. Changed
3799         return type of the view function to return a JSString::SafeView so that
3800         the JSString's lifetime will last as long as the StringView does in
3801         typical coding idioms.
3802         (JSC::JSString::getIndex): Use unsafeView so we can index into the
3803         view; could also have used view.get but here in this class this seems fine.
3804         (JSC::JSRopeString::unsafeView): Renamed existing view function to this.
3805         (JSC::JSString::unsafeView): Ditto.
3806         (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState
3807         and a JSString. The ExecState is needed to create the StringView, and the
3808         JSString needs to be kept alive as long as the StringView is.
3809         (JSC::JSString::SafeView::operator StringView): Call unsafeView.
3810         (JSC::JSString::SafeView::get): Convenience for when we want to call
3811         StringView member functions.
3812         (JSC::JSString::view): Added. Returns a SafeView.
3813
3814         * runtime/StringPrototype.cpp:
3815         (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get.
3816
3817 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
3818
3819         Remove ARMv7Assembler.cpp
3820         https://bugs.webkit.org/show_bug.cgi?id=146340
3821
3822         Reviewed by Filip Pizlo.
3823
3824         * CMakeLists.txt:
3825         * JavaScriptCore.xcodeproj/project.pbxproj:
3826         * assembler/ARMv7Assembler.cpp: Removed.
3827
3828 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
3829
3830         Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989
3831         https://bugs.webkit.org/show_bug.cgi?id=146344
3832
3833         Reviewed by Yusuke Suzuki.
3834
3835         * parser/Parser.cpp:
3836         (JSC::Parser<LexerType>::parseSourceElements):
3837
3838 2015-06-26 Aleksandr Skachkov  <gskachkov@gmail.com>
3839
3840          [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function. 
3841          https://bugs.webkit.org/show_bug.cgi?id=144955
3842
3843          Reviewed by Yusuke Suzuki.
3844
3845          Added support of ES6 arrow function. Changes were made according to following spec http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. Patch does not include any arrow function specific behavior e.g. lexical bind this, arguments and etc.     
3846         This patch implements the simplest cases of arrow function declaration:
3847            parameters             () => 10 + 20
3848            parameter               x => x + 20
3849            parameters         (x, y) => x + y
3850            function with block     x => { return x*10; }
3851
3852         Not implemented:
3853            bind of the this, arguments, super and etc.
3854            exception in case of trying to use 'new' with arrow function
3855
3856         * parser/ASTBuilder.h:
3857         (JSC::ASTBuilder::createFunctionExpr):
3858         (JSC::ASTBuilder::createArrowFunctionExpr):
3859         (JSC::ASTBuilder::createGetterOrSetterProperty):
3860         (JSC::ASTBuilder::createFuncDeclStatement):
3861         * parser/Lexer.cpp:
3862         (JSC::Lexer<T>::setTokenPosition):
3863         (JSC::Lexer<T>::lex):
3864         * parser/Lexer.h:
3865         (JSC::Lexer::lastTokenLocation):
3866         (JSC::Lexer::setTerminator):
3867         * parser/Parser.cpp:
3868         (JSC::Parser<LexerType>::parseInner):
3869         (JSC::Parser<LexerType>::parseSourceElements):
3870         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody):
3871         (JSC::Parser<LexerType>::parseSwitchClauses):
3872         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
3873         (JSC::Parser<LexerType>::parseBlockStatement):
3874         (JSC::Parser<LexerType>::parseFunctionBody):
3875         (JSC::stringForFunctionMode):
3876         (JSC::Parser<LexerType>::parseFunctionParameters):
3877         (JSC::Parser<LexerType>::parseFunctionInfo):