1 2015-08-04  Filip Pizlo  <fpizlo@apple.com>
2
3         Rename Mutex to DeprecatedMutex
4         https://bugs.webkit.org/show_bug.cgi?id=147675
5
6         Reviewed by Geoffrey Garen.
7
8         * bytecode/SamplingTool.cpp:
9         (JSC::SamplingTool::doRun):
10         (JSC::SamplingTool::notifyOfScope):
11         * bytecode/SamplingTool.h:
12         * dfg/DFGThreadData.h:
13         * dfg/DFGWorklist.cpp:
14         (JSC::DFG::Worklist::~Worklist):
15         (JSC::DFG::Worklist::isActiveForVM):
16         (JSC::DFG::Worklist::enqueue):
17         (JSC::DFG::Worklist::compilationState):
18         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
19         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
20         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
21         (JSC::DFG::Worklist::visitWeakReferences):
22         (JSC::DFG::Worklist::removeDeadPlans):
23         (JSC::DFG::Worklist::queueLength):
24         (JSC::DFG::Worklist::dump):
25         (JSC::DFG::Worklist::runThread):
26         * dfg/DFGWorklist.h:
27         * disassembler/Disassembler.cpp:
28         * heap/CopiedSpace.cpp:
29         (JSC::CopiedSpace::doneFillingBlock):
30         (JSC::CopiedSpace::doneCopying):
31         * heap/CopiedSpace.h:
32         * heap/CopiedSpaceInlines.h:
33         (JSC::CopiedSpace::recycleBorrowedBlock):
34         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
35         * heap/HeapTimer.h:
36         * heap/MachineStackMarker.cpp:
37         (JSC::ActiveMachineThreadsManager::Locker::Locker):
38         (JSC::ActiveMachineThreadsManager::add):
39         (JSC::ActiveMachineThreadsManager::remove):
40         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
41         (JSC::MachineThreads::~MachineThreads):
42         (JSC::MachineThreads::addCurrentThread):
43         (JSC::MachineThreads::removeThreadIfFound):
44         (JSC::MachineThreads::tryCopyOtherThreadStack):
45         (JSC::MachineThreads::tryCopyOtherThreadStacks):
46         (JSC::MachineThreads::gatherConservativeRoots):
47         * heap/MachineStackMarker.h:
48         * interpreter/JSStack.cpp:
49         (JSC::stackStatisticsMutex):
50         (JSC::JSStack::addToCommittedByteCount):
51         (JSC::JSStack::committedByteCount):
52         * jit/JITThunks.h:
53         * profiler/ProfilerDatabase.h:
54
55 2015-08-05  Saam barati  <saambarati1@gmail.com>
56
57         Replace JSFunctionNameScope with JSLexicalEnvironment for the function name scope.
58         https://bugs.webkit.org/show_bug.cgi?id=147657
59
60         Reviewed by Mark Lam.
61
62         This kills the last of the name scope objects. Function name scopes are
63         now built on top of the scoping mechanisms introduced with ES6 block scoping.
64         A name scope is now just a JSLexicalEnvironment.  We treat assignments to the
65         function name scoped variable carefully depending on whether the function is in
66         strict mode. If we're in strict mode, then we treat the variable exactly
67         like a "const" variable. If we're not in strict mode, we can't treat
68         this variable like ES6 "const" because that would cause the bytecode
69         generator to throw an exception when it shouldn't.
70
71         * CMakeLists.txt:
72         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
73         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
74         * JavaScriptCore.xcodeproj/project.pbxproj:
75         * bytecode/BytecodeList.json:
76         * bytecode/BytecodeUseDef.h:
77         (JSC::computeUsesForBytecodeOffset):
78         (JSC::computeDefsForBytecodeOffset):
79         * bytecode/CodeBlock.cpp:
80         (JSC::CodeBlock::dumpBytecode):
81         * bytecompiler/BytecodeGenerator.cpp:
82         (JSC::BytecodeGenerator::BytecodeGenerator):
83         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
84         (JSC::BytecodeGenerator::pushLexicalScope):
85         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
86         (JSC::BytecodeGenerator::variable):
87         (JSC::BytecodeGenerator::resolveType):
88         (JSC::BytecodeGenerator::emitThrowTypeError):
89         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
90         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
91         (JSC::BytecodeGenerator::emitPushCatchScope):
92         * bytecompiler/BytecodeGenerator.h:
93         * bytecompiler/NodesCodegen.cpp:
94         * debugger/DebuggerScope.cpp:
95         * dfg/DFGOperations.cpp:
96         * interpreter/Interpreter.cpp:
97         * jit/JIT.cpp:
98         (JSC::JIT::privateCompileMainPass):
99         * jit/JIT.h:
100         * jit/JITOpcodes.cpp:
101         (JSC::JIT::emit_op_to_string):
102         (JSC::JIT::emit_op_catch):
103         (JSC::JIT::emit_op_push_name_scope): Deleted.
104         * jit/JITOpcodes32_64.cpp:
105         (JSC::JIT::emitSlow_op_to_string):
106         (JSC::JIT::emit_op_catch):
107         (JSC::JIT::emit_op_push_name_scope): Deleted.
108         * jit/JITOperations.cpp:
109         (JSC::pushNameScope): Deleted.
110         * llint/LLIntSlowPaths.cpp:
111         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
112         * llint/LLIntSlowPaths.h:
113         * llint/LowLevelInterpreter.asm:
114         * parser/Nodes.cpp:
115         * runtime/CommonSlowPaths.cpp:
116         * runtime/Executable.cpp:
117         (JSC::ScriptExecutable::newCodeBlockFor):
118         * runtime/JSFunctionNameScope.cpp: Removed.
119         * runtime/JSFunctionNameScope.h: Removed.
120         * runtime/JSGlobalObject.cpp:
121         (JSC::JSGlobalObject::init):
122         (JSC::JSGlobalObject::visitChildren):
123         * runtime/JSGlobalObject.h:
124         (JSC::JSGlobalObject::withScopeStructure):
125         (JSC::JSGlobalObject::strictEvalActivationStructure):
126         (JSC::JSGlobalObject::activationStructure):
127         (JSC::JSGlobalObject::directArgumentsStructure):
128         (JSC::JSGlobalObject::scopedArgumentsStructure):
129         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
130         (JSC::JSGlobalObject::functionNameScopeStructure): Deleted.
131         * runtime/JSNameScope.cpp: Removed.
132         * runtime/JSNameScope.h: Removed.
133         * runtime/JSObject.cpp:
134         (JSC::JSObject::toThis):
135         (JSC::JSObject::seal):
136         (JSC::JSObject::isFunctionNameScopeObject): Deleted.
137         * runtime/JSObject.h:
138         * runtime/JSScope.cpp:
139         (JSC::JSScope::isCatchScope):
140         (JSC::JSScope::isFunctionNameScopeObject):
141         (JSC::resolveModeName):
142         * runtime/JSScope.h:
143         * runtime/JSSymbolTableObject.cpp:
144         * runtime/SymbolTable.h:
145         * runtime/VM.cpp:
146
147 2015-08-05  Joseph Pecoraro  <pecoraro@apple.com>
148
149         Web Inspector: Improve Support for PropertyName Iterator (Reflect.enumerate) in Inspector
150         https://bugs.webkit.org/show_bug.cgi?id=147679
151
152         Reviewed by Timothy Hatcher.
153
154         Improve native iterator support for the PropertyName Iterator by
155         allowing inspection of the internal object within the iterator
156         and peeking at the next values of the iterator.
157
158         * inspector/JSInjectedScriptHost.cpp:
159         (Inspector::JSInjectedScriptHost::subtype):
160         (Inspector::JSInjectedScriptHost::getInternalProperties):
161         (Inspector::JSInjectedScriptHost::iteratorEntries):
162         * runtime/JSPropertyNameIterator.h:
163         (JSC::JSPropertyNameIterator::iteratedValue):
164
165 2015-08-04  Brent Fulgham  <bfulgham@apple.com>
166
167         [Win] Update Apple Windows build for VS2015
168         https://bugs.webkit.org/show_bug.cgi?id=147653
169
170         Reviewed by Dean Jackson.
171
172         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Drive-by-fix.
173         Show JSC files in proper project locations in IDE.
174
175 2015-08-04  Joseph Pecoraro  <pecoraro@apple.com>
176
177         Web Inspector: Object previews for SVG elements shows SVGAnimatedString instead of text
178         https://bugs.webkit.org/show_bug.cgi?id=147328
179
180         Reviewed by Timothy Hatcher.
181
182         * inspector/InjectedScriptSource.js:
183         Use classList and classList.toString instead of className.
184
185 2015-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
186
187         [ES6] Support Module Syntax
188         https://bugs.webkit.org/show_bug.cgi?id=147422
189
190         Reviewed by Saam Barati.
191
192         This patch introduces ES6 Modules syntax parsing part.
193         In this patch, ASTBuilder just produces the corresponding nodes to the ES6 Modules syntax,
194         and this patch does not include the code generator part.
195
196         Modules require two-phase parsing. In the first pass, we only analyze the dependent modules
197         and do not execute the body or construct the AST. After analyzing all the dependent
198         modules, we parse those dependent modules next.
199         After all the analysis is done, we start the second pass. In the second pass, we
200         parse the module, produce the AST, and execute the body.
201         If we did not do so, we would need to create all the ASTs in the module's dependency graph up
202         front, because the given module can be executed after all the dependent modules are executed. That
203         means we would need to hold many parser arenas at once. To avoid this, the first pass only extracts
204         the dependent modules' information.
205
206         This patch does not add the analysis part yet; it only implements the second pass.
207         This patch aims just at implementing the syntax parsing functionality correctly.
208         After this patch lands, we will create the ModuleDependencyAnalyzer, which inherits from SyntaxChecker,
209         to collect the dependent modules quickly [1].
210
211         To test the parsing, we added the "checkModuleSyntax" function to the jsc shell.
212         With it, we can parse a given string as a module.
213
214         [1]: https://bugs.webkit.org/show_bug.cgi?id=147353
215
216         * bytecompiler/NodesCodegen.cpp:
217         (JSC::ModuleProgramNode::emitBytecode):
218         (JSC::ImportDeclarationNode::emitBytecode):
219         (JSC::ExportAllDeclarationNode::emitBytecode):
220         (JSC::ExportDefaultDeclarationNode::emitBytecode):
221         (JSC::ExportLocalDeclarationNode::emitBytecode):
222         (JSC::ExportNamedDeclarationNode::emitBytecode):
223         * jsc.cpp:
224         (GlobalObject::finishCreation):
225         (functionCheckModuleSyntax):
226         * parser/ASTBuilder.h:
227         (JSC::ASTBuilder::createModuleSpecifier):
228         (JSC::ASTBuilder::createImportSpecifier):
229         (JSC::ASTBuilder::createImportSpecifierList):
230         (JSC::ASTBuilder::appendImportSpecifier):
231         (JSC::ASTBuilder::createImportDeclaration):
232         (JSC::ASTBuilder::createExportAllDeclaration):
233         (JSC::ASTBuilder::createExportDefaultDeclaration):
234         (JSC::ASTBuilder::createExportLocalDeclaration):
235         (JSC::ASTBuilder::createExportNamedDeclaration):
236         (JSC::ASTBuilder::createExportSpecifier):
237         (JSC::ASTBuilder::createExportSpecifierList):
238         (JSC::ASTBuilder::appendExportSpecifier):
239         * parser/Keywords.table:
240         * parser/NodeConstructors.h:
241         (JSC::ModuleSpecifierNode::ModuleSpecifierNode):
242         (JSC::ImportSpecifierNode::ImportSpecifierNode):
243         (JSC::ImportDeclarationNode::ImportDeclarationNode):
244         (JSC::ExportAllDeclarationNode::ExportAllDeclarationNode):
245         (JSC::ExportDefaultDeclarationNode::ExportDefaultDeclarationNode):
246         (JSC::ExportLocalDeclarationNode::ExportLocalDeclarationNode):
247         (JSC::ExportNamedDeclarationNode::ExportNamedDeclarationNode):
248         (JSC::ExportSpecifierNode::ExportSpecifierNode):
249         * parser/Nodes.cpp:
250         (JSC::ModuleProgramNode::ModuleProgramNode):
251         * parser/Nodes.h:
252         (JSC::ModuleProgramNode::startColumn):
253         (JSC::ModuleProgramNode::endColumn):
254         (JSC::ModuleSpecifierNode::moduleName):
255         (JSC::ImportSpecifierNode::importedName):
256         (JSC::ImportSpecifierNode::localName):
257         (JSC::ImportSpecifierListNode::specifiers):
258         (JSC::ImportSpecifierListNode::append):
259         (JSC::ImportDeclarationNode::specifierList):
260         (JSC::ImportDeclarationNode::moduleSpecifier):
261         (JSC::ExportAllDeclarationNode::moduleSpecifier):
262         (JSC::ExportDefaultDeclarationNode::declaration):
263         (JSC::ExportLocalDeclarationNode::declaration):
264         (JSC::ExportSpecifierNode::exportedName):
265         (JSC::ExportSpecifierNode::localName):
266         (JSC::ExportSpecifierListNode::specifiers):
267         (JSC::ExportSpecifierListNode::append):
268         (JSC::ExportNamedDeclarationNode::specifierList):
269         (JSC::ExportNamedDeclarationNode::moduleSpecifier):
270         * parser/Parser.cpp:
271         (JSC::Parser<LexerType>::Parser):
272         (JSC::Parser<LexerType>::parseInner):
273         (JSC::Parser<LexerType>::parseModuleSourceElements):
274         (JSC::Parser<LexerType>::parseVariableDeclaration):
275         (JSC::Parser<LexerType>::parseVariableDeclarationList):
276         (JSC::Parser<LexerType>::createBindingPattern):
277         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
278         (JSC::Parser<LexerType>::parseDestructuringPattern):
279         (JSC::Parser<LexerType>::parseForStatement):
280         (JSC::Parser<LexerType>::parseFormalParameters):
281         (JSC::Parser<LexerType>::parseFunctionParameters):
282         (JSC::Parser<LexerType>::parseFunctionDeclaration):
283         (JSC::Parser<LexerType>::parseClassDeclaration):
284         (JSC::Parser<LexerType>::parseModuleSpecifier):
285         (JSC::Parser<LexerType>::parseImportClauseItem):
286         (JSC::Parser<LexerType>::parseImportDeclaration):
287         (JSC::Parser<LexerType>::parseExportSpecifier):
288         (JSC::Parser<LexerType>::parseExportDeclaration):
289         (JSC::Parser<LexerType>::parseMemberExpression):
290         * parser/Parser.h:
291         (JSC::isIdentifierOrKeyword):
292         (JSC::ModuleScopeData::create):
293         (JSC::ModuleScopeData::exportedBindings):
294         (JSC::ModuleScopeData::exportName):
295         (JSC::ModuleScopeData::exportBinding):
296         (JSC::Scope::Scope):
297         (JSC::Scope::setIsModule):
298         (JSC::Scope::moduleScopeData):
299         (JSC::Parser::matchContextualKeyword):
300         (JSC::Parser::matchIdentifierOrKeyword):
301         (JSC::Parser::isofToken): Deleted.
302         * parser/ParserModes.h:
303         * parser/ParserTokens.h:
304         * parser/SyntaxChecker.h:
305         (JSC::SyntaxChecker::createModuleSpecifier):
306         (JSC::SyntaxChecker::createImportSpecifier):
307         (JSC::SyntaxChecker::createImportSpecifierList):
308         (JSC::SyntaxChecker::appendImportSpecifier):
309         (JSC::SyntaxChecker::createImportDeclaration):
310         (JSC::SyntaxChecker::createExportAllDeclaration):
311         (JSC::SyntaxChecker::createExportDefaultDeclaration):
312         (JSC::SyntaxChecker::createExportLocalDeclaration):
313         (JSC::SyntaxChecker::createExportNamedDeclaration):
314         (JSC::SyntaxChecker::createExportSpecifier):
315         (JSC::SyntaxChecker::createExportSpecifierList):
316         (JSC::SyntaxChecker::appendExportSpecifier):
317         * runtime/CommonIdentifiers.cpp:
318         (JSC::CommonIdentifiers::CommonIdentifiers):
319         * runtime/CommonIdentifiers.h:
320         * runtime/Completion.cpp:
321         (JSC::checkModuleSyntax):
322         * runtime/Completion.h:
323         * tests/stress/modules-syntax-error-with-names.js: Added.
324         (shouldThrow):
325         * tests/stress/modules-syntax-error.js: Added.
326         (shouldThrow):
327         (checkModuleSyntaxError.checkModuleSyntaxError.checkModuleSyntaxError):
328         * tests/stress/modules-syntax.js: Added.
329         (prototype.checkModuleSyntax):
330         (checkModuleSyntax):
331         * tests/stress/tagged-templates-syntax.js:
332
333 2015-08-03  Csaba Osztrogonác  <ossy@webkit.org>
334
335         Introduce COMPILER(GCC_OR_CLANG) guard and make COMPILER(GCC) true only for GCC
336         https://bugs.webkit.org/show_bug.cgi?id=146833
337
338         Reviewed by Alexey Proskuryakov.
339
340         * assembler/ARM64Assembler.h:
341         * assembler/ARMAssembler.h:
342         (JSC::ARMAssembler::cacheFlush):
343         * assembler/MacroAssemblerARM.cpp:
344         (JSC::isVFPPresent):
345         * assembler/MacroAssemblerX86Common.h:
346         (JSC::MacroAssemblerX86Common::isSSE2Present):
347         * heap/MachineStackMarker.h:
348         * interpreter/StackVisitor.cpp: Removed redundant COMPILER(CLANG) guards.
349         (JSC::logF):
350         * jit/HostCallReturnValue.h:
351         * jit/JIT.h:
352         * jit/JITOperations.cpp:
353         * jit/JITStubsARM.h:
354         * jit/JITStubsARMv7.h:
355         * jit/JITStubsX86.h:
356         * jit/JITStubsX86Common.h:
357         * jit/JITStubsX86_64.h:
358         * jit/ThunkGenerators.cpp:
359         * runtime/JSExportMacros.h:
360         * runtime/MathCommon.h: Removed redundant COMPILER(CLANG) guard.
361         (JSC::clz32):
362
363 2015-08-03  Filip Pizlo  <fpizlo@apple.com>
364
365         Unreviewed, fix uninitialized property leading to an assert.
366
367         * runtime/PutPropertySlot.h:
368         (JSC::PutPropertySlot::PutPropertySlot):
369
370 2015-08-03  Filip Pizlo  <fpizlo@apple.com>
371
372         Unreviewed, fix Windows.
373
374         * bytecode/ObjectPropertyConditionSet.h:
375         (JSC::ObjectPropertyConditionSet::fromRawPointer):
376
377 2015-07-31  Filip Pizlo  <fpizlo@apple.com>
378
379         DFG should have adaptive structure watchpoints
380         https://bugs.webkit.org/show_bug.cgi?id=146929
381
382         Reviewed by Geoffrey Garen.
383
384         Before this change, if you wanted to efficiently validate whether an object has (or doesn't have) a
385         property, you'd check that the object still has the structure that you first saw the object have. We
386         optimized this a bit with transition watchpoints on the structure, which sometimes allowed us to
387         elide the structure check.
388
389         But this approach fails when that object frequently has new properties added to it. This would
390         change the structure and fire the transition watchpoint, so the code we emitted would be invalid and
391         we'd have to recompile either the IC or an entire code block.
392
393         This change introduces a new concept: an object property condition. This value describes some
394         condition involving a property on some object. There are four kinds: presence, absence,
395         absence-of-setter, and equivalence. For example, a presence condition says that we expect that the
396         object has some property at some offset with some attributes. This allows us to implement a new kind
397         of watchpoint, which knows about the object property condition that it's being used to enforce. If
398         the watchpoint fires because of a structure transition, the watchpoint may simply reinstall itself
399         on the new structure.
400
401         Object property conditions are used on the prototype chain of PutById transitions, GetById misses,
402         and prototype accesses. They are also used for any DFG accesses to object constants, including
403         global property accesses.
404
405         Mostly because of the effect on global property access, this is a 9% speed-up on Kraken. It's
406         neutral on most other things. It's a 68x speed-up on a microbenchmark that illustrates the prototype
407         chain situation. It's also a small speed-up on getter-richards.
408
409         * CMakeLists.txt:
410         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
411         * JavaScriptCore.xcodeproj/project.pbxproj:
412         * bytecode/CodeBlock.cpp:
413         (JSC::CodeBlock::printGetByIdCacheStatus):
414         (JSC::CodeBlock::printPutByIdCacheStatus):
415         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
416         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
417         * bytecode/ComplexGetStatus.cpp:
418         (JSC::ComplexGetStatus::computeFor):
419         * bytecode/ComplexGetStatus.h:
420         (JSC::ComplexGetStatus::ComplexGetStatus):
421         (JSC::ComplexGetStatus::takesSlowPath):
422         (JSC::ComplexGetStatus::kind):
423         (JSC::ComplexGetStatus::offset):
424         (JSC::ComplexGetStatus::conditionSet):
425         (JSC::ComplexGetStatus::attributes): Deleted.
426         (JSC::ComplexGetStatus::specificValue): Deleted.
427         (JSC::ComplexGetStatus::chain): Deleted.
428         * bytecode/ConstantStructureCheck.cpp: Removed.
429         * bytecode/ConstantStructureCheck.h: Removed.
430         * bytecode/GetByIdStatus.cpp:
431         (JSC::GetByIdStatus::computeForStubInfo):
432         * bytecode/GetByIdVariant.cpp:
433         (JSC::GetByIdVariant::GetByIdVariant):
434         (JSC::GetByIdVariant::~GetByIdVariant):
435         (JSC::GetByIdVariant::operator=):
436         (JSC::GetByIdVariant::attemptToMerge):
437         (JSC::GetByIdVariant::dumpInContext):
438         (JSC::GetByIdVariant::baseStructure): Deleted.
439         * bytecode/GetByIdVariant.h:
440         (JSC::GetByIdVariant::operator!):
441         (JSC::GetByIdVariant::structureSet):
442         (JSC::GetByIdVariant::conditionSet):
443         (JSC::GetByIdVariant::offset):
444         (JSC::GetByIdVariant::callLinkStatus):
445         (JSC::GetByIdVariant::constantChecks): Deleted.
446         (JSC::GetByIdVariant::alternateBase): Deleted.
447         * bytecode/ObjectPropertyCondition.cpp: Added.
448         (JSC::ObjectPropertyCondition::dumpInContext):
449         (JSC::ObjectPropertyCondition::dump):
450         (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
451         (JSC::ObjectPropertyCondition::validityRequiresImpurePropertyWatchpoint):
452         (JSC::ObjectPropertyCondition::isStillValid):
453         (JSC::ObjectPropertyCondition::structureEnsuresValidity):
454         (JSC::ObjectPropertyCondition::isWatchableAssumingImpurePropertyWatchpoint):
455         (JSC::ObjectPropertyCondition::isWatchable):
456         (JSC::ObjectPropertyCondition::isStillLive):
457         (JSC::ObjectPropertyCondition::validateReferences):
458         (JSC::ObjectPropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
459         * bytecode/ObjectPropertyCondition.h: Added.
460         (JSC::ObjectPropertyCondition::ObjectPropertyCondition):
461         (JSC::ObjectPropertyCondition::presenceWithoutBarrier):
462         (JSC::ObjectPropertyCondition::presence):
463         (JSC::ObjectPropertyCondition::absenceWithoutBarrier):
464         (JSC::ObjectPropertyCondition::absence):
465         (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier):
466         (JSC::ObjectPropertyCondition::absenceOfSetter):
467         (JSC::ObjectPropertyCondition::equivalenceWithoutBarrier):
468         (JSC::ObjectPropertyCondition::equivalence):
469         (JSC::ObjectPropertyCondition::operator!):
470         (JSC::ObjectPropertyCondition::object):
471         (JSC::ObjectPropertyCondition::condition):
472         (JSC::ObjectPropertyCondition::kind):
473         (JSC::ObjectPropertyCondition::uid):
474         (JSC::ObjectPropertyCondition::hasOffset):
475         (JSC::ObjectPropertyCondition::offset):
476         (JSC::ObjectPropertyCondition::hasAttributes):
477         (JSC::ObjectPropertyCondition::attributes):
478         (JSC::ObjectPropertyCondition::hasPrototype):
479         (JSC::ObjectPropertyCondition::prototype):
480         (JSC::ObjectPropertyCondition::hasRequiredValue):
481         (JSC::ObjectPropertyCondition::requiredValue):
482         (JSC::ObjectPropertyCondition::hash):
483         (JSC::ObjectPropertyCondition::operator==):
484         (JSC::ObjectPropertyCondition::isHashTableDeletedValue):
485         (JSC::ObjectPropertyCondition::isCompatibleWith):
486         (JSC::ObjectPropertyCondition::watchingRequiresStructureTransitionWatchpoint):
487         (JSC::ObjectPropertyCondition::watchingRequiresReplacementWatchpoint):
488         (JSC::ObjectPropertyCondition::isValidValueForPresence):
489         (JSC::ObjectPropertyConditionHash::hash):
490         (JSC::ObjectPropertyConditionHash::equal):
491         * bytecode/ObjectPropertyConditionSet.cpp: Added.
492         (JSC::ObjectPropertyConditionSet::forObject):
493         (JSC::ObjectPropertyConditionSet::forConditionKind):
494         (JSC::ObjectPropertyConditionSet::numberOfConditionsWithKind):
495         (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition):
496         (JSC::ObjectPropertyConditionSet::slotBaseCondition):
497         (JSC::ObjectPropertyConditionSet::mergedWith):
498         (JSC::ObjectPropertyConditionSet::structuresEnsureValidity):
499         (JSC::ObjectPropertyConditionSet::structuresEnsureValidityAssumingImpurePropertyWatchpoint):
500         (JSC::ObjectPropertyConditionSet::needImpurePropertyWatchpoint):
501         (JSC::ObjectPropertyConditionSet::areStillLive):
502         (JSC::ObjectPropertyConditionSet::dumpInContext):
503         (JSC::ObjectPropertyConditionSet::dump):
504         (JSC::generateConditionsForPropertyMiss):
505         (JSC::generateConditionsForPropertySetterMiss):
506         (JSC::generateConditionsForPrototypePropertyHit):
507         (JSC::generateConditionsForPrototypePropertyHitCustom):
508         (JSC::generateConditionsForPropertySetterMissConcurrently):
509         * bytecode/ObjectPropertyConditionSet.h: Added.
510         (JSC::ObjectPropertyConditionSet::ObjectPropertyConditionSet):
511         (JSC::ObjectPropertyConditionSet::invalid):
512         (JSC::ObjectPropertyConditionSet::nonEmpty):
513         (JSC::ObjectPropertyConditionSet::isValid):
514         (JSC::ObjectPropertyConditionSet::isEmpty):
515         (JSC::ObjectPropertyConditionSet::begin):
516         (JSC::ObjectPropertyConditionSet::end):
517         (JSC::ObjectPropertyConditionSet::releaseRawPointer):
518         (JSC::ObjectPropertyConditionSet::adoptRawPointer):
519         (JSC::ObjectPropertyConditionSet::fromRawPointer):
520         (JSC::ObjectPropertyConditionSet::Data::Data):
521         * bytecode/PolymorphicGetByIdList.cpp:
522         (JSC::GetByIdAccess::GetByIdAccess):
523         (JSC::GetByIdAccess::~GetByIdAccess):
524         (JSC::GetByIdAccess::visitWeak):
525         * bytecode/PolymorphicGetByIdList.h:
526         (JSC::GetByIdAccess::GetByIdAccess):
527         (JSC::GetByIdAccess::structure):
528         (JSC::GetByIdAccess::conditionSet):
529         (JSC::GetByIdAccess::stubRoutine):
530         (JSC::GetByIdAccess::chain): Deleted.
531         (JSC::GetByIdAccess::chainCount): Deleted.
532         * bytecode/PolymorphicPutByIdList.cpp:
533         (JSC::PutByIdAccess::fromStructureStubInfo):
534         (JSC::PutByIdAccess::visitWeak):
535         * bytecode/PolymorphicPutByIdList.h:
536         (JSC::PutByIdAccess::PutByIdAccess):
537         (JSC::PutByIdAccess::transition):
538         (JSC::PutByIdAccess::setter):
539         (JSC::PutByIdAccess::newStructure):
540         (JSC::PutByIdAccess::conditionSet):
541         (JSC::PutByIdAccess::stubRoutine):
542         (JSC::PutByIdAccess::chain): Deleted.
543         (JSC::PutByIdAccess::chainCount): Deleted.
544         * bytecode/PropertyCondition.cpp: Added.
545         (JSC::PropertyCondition::dumpInContext):
546         (JSC::PropertyCondition::dump):
547         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
548         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint):
549         (JSC::PropertyCondition::isStillValid):
550         (JSC::PropertyCondition::isWatchableWhenValid):
551         (JSC::PropertyCondition::isWatchableAssumingImpurePropertyWatchpoint):
552         (JSC::PropertyCondition::isWatchable):
553         (JSC::PropertyCondition::isStillLive):
554         (JSC::PropertyCondition::validateReferences):
555         (JSC::PropertyCondition::isValidValueForAttributes):
556         (JSC::PropertyCondition::isValidValueForPresence):
557         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
558         (WTF::printInternal):
559         * bytecode/PropertyCondition.h: Added.
560         (JSC::PropertyCondition::PropertyCondition):
561         (JSC::PropertyCondition::presenceWithoutBarrier):
562         (JSC::PropertyCondition::presence):
563         (JSC::PropertyCondition::absenceWithoutBarrier):
564         (JSC::PropertyCondition::absence):
565         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier):
566         (JSC::PropertyCondition::absenceOfSetter):
567         (JSC::PropertyCondition::equivalenceWithoutBarrier):
568         (JSC::PropertyCondition::equivalence):
569         (JSC::PropertyCondition::operator!):
570         (JSC::PropertyCondition::kind):
571         (JSC::PropertyCondition::uid):
572         (JSC::PropertyCondition::hasOffset):
573         (JSC::PropertyCondition::offset):
574         (JSC::PropertyCondition::hasAttributes):
575         (JSC::PropertyCondition::attributes):
576         (JSC::PropertyCondition::hasPrototype):
577         (JSC::PropertyCondition::prototype):
578         (JSC::PropertyCondition::hasRequiredValue):
579         (JSC::PropertyCondition::requiredValue):
580         (JSC::PropertyCondition::hash):
581         (JSC::PropertyCondition::operator==):
582         (JSC::PropertyCondition::isHashTableDeletedValue):
583         (JSC::PropertyCondition::isCompatibleWith):
584         (JSC::PropertyCondition::watchingRequiresStructureTransitionWatchpoint):
585         (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint):
586         (JSC::PropertyConditionHash::hash):
587         (JSC::PropertyConditionHash::equal):
588         * bytecode/PutByIdStatus.cpp:
589         (JSC::PutByIdStatus::computeFromLLInt):
590         (JSC::PutByIdStatus::computeFor):
591         (JSC::PutByIdStatus::computeForStubInfo):
592         * bytecode/PutByIdVariant.cpp:
593         (JSC::PutByIdVariant::operator=):
594         (JSC::PutByIdVariant::transition):
595         (JSC::PutByIdVariant::setter):
596         (JSC::PutByIdVariant::makesCalls):
597         (JSC::PutByIdVariant::attemptToMerge):
598         (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
599         (JSC::PutByIdVariant::dumpInContext):
600         (JSC::PutByIdVariant::baseStructure): Deleted.
601         * bytecode/PutByIdVariant.h:
602         (JSC::PutByIdVariant::PutByIdVariant):
603         (JSC::PutByIdVariant::kind):
604         (JSC::PutByIdVariant::structure):
605         (JSC::PutByIdVariant::structureSet):
606         (JSC::PutByIdVariant::oldStructure):
607         (JSC::PutByIdVariant::conditionSet):
608         (JSC::PutByIdVariant::offset):
609         (JSC::PutByIdVariant::callLinkStatus):
610         (JSC::PutByIdVariant::constantChecks): Deleted.
611         (JSC::PutByIdVariant::alternateBase): Deleted.
612         * bytecode/StructureStubClearingWatchpoint.cpp:
613         (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint):
614         (JSC::StructureStubClearingWatchpoint::push):
615         (JSC::StructureStubClearingWatchpoint::fireInternal):
616         (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo):
617         (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
618         (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint):
619         * bytecode/StructureStubClearingWatchpoint.h:
620         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
621         (JSC::WatchpointsOnStructureStubInfo::codeBlock):
622         (JSC::WatchpointsOnStructureStubInfo::stubInfo):
623         * bytecode/StructureStubInfo.cpp:
624         (JSC::StructureStubInfo::deref):
625         (JSC::StructureStubInfo::visitWeakReferences):
626         * bytecode/StructureStubInfo.h:
627         (JSC::StructureStubInfo::initPutByIdTransition):
628         (JSC::StructureStubInfo::initPutByIdReplace):
629         (JSC::StructureStubInfo::setSeen):
630         (JSC::StructureStubInfo::addWatchpoint):
631         * dfg/DFGAbstractInterpreterInlines.h:
632         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
633         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp: Added.
634         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::AdaptiveInferredPropertyValueWatchpoint):
635         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::install):
636         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::fire):
637         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::StructureWatchpoint::fireInternal):
638         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::PropertyWatchpoint::fireInternal):
639         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h: Added.
640         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::key):
641         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::StructureWatchpoint::StructureWatchpoint):
642         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::PropertyWatchpoint::PropertyWatchpoint):
643         * dfg/DFGAdaptiveStructureWatchpoint.cpp: Added.
644         (JSC::DFG::AdaptiveStructureWatchpoint::AdaptiveStructureWatchpoint):
645         (JSC::DFG::AdaptiveStructureWatchpoint::install):
646         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
647         * dfg/DFGAdaptiveStructureWatchpoint.h: Added.
648         (JSC::DFG::AdaptiveStructureWatchpoint::key):
649         * dfg/DFGByteCodeParser.cpp:
650         (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
651         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
652         (JSC::DFG::ByteCodeParser::handleGetByOffset):
653         (JSC::DFG::ByteCodeParser::handlePutByOffset):
654         (JSC::DFG::ByteCodeParser::check):
655         (JSC::DFG::ByteCodeParser::promoteToConstant):
656         (JSC::DFG::ByteCodeParser::planLoad):
657         (JSC::DFG::ByteCodeParser::load):
658         (JSC::DFG::ByteCodeParser::presenceLike):
659         (JSC::DFG::ByteCodeParser::checkPresenceLike):
660         (JSC::DFG::ByteCodeParser::store):
661         (JSC::DFG::ByteCodeParser::handleGetById):
662         (JSC::DFG::ByteCodeParser::handlePutById):
663         (JSC::DFG::ByteCodeParser::parseBlock):
664         (JSC::DFG::ByteCodeParser::emitChecks): Deleted.
665         * dfg/DFGCommonData.cpp:
666         (JSC::DFG::CommonData::validateReferences):
667         * dfg/DFGCommonData.h:
668         * dfg/DFGConstantFoldingPhase.cpp:
669         (JSC::DFG::ConstantFoldingPhase::foldConstants):
670         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
671         (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
672         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
673         (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
674         * dfg/DFGDesiredWatchpoints.cpp:
675         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
676         (JSC::DFG::InferredValueAdaptor::add):
677         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
678         (JSC::DFG::DesiredWatchpoints::DesiredWatchpoints):
679         (JSC::DFG::DesiredWatchpoints::addLazily):
680         (JSC::DFG::DesiredWatchpoints::consider):
681         (JSC::DFG::DesiredWatchpoints::reallyAdd):
682         (JSC::DFG::DesiredWatchpoints::areStillValid):
683         (JSC::DFG::DesiredWatchpoints::dumpInContext):
684         * dfg/DFGDesiredWatchpoints.h:
685         (JSC::DFG::SetPointerAdaptor::add):
686         (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
687         (JSC::DFG::SetPointerAdaptor::dumpInContext):
688         (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
689         (JSC::DFG::InferredValueAdaptor::dumpInContext):
690         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
691         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::dumpInContext):
692         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::hasBeenInvalidated):
693         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::dumpInContext):
694         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
695         (JSC::DFG::GenericDesiredWatchpoints::isWatched):
696         (JSC::DFG::GenericDesiredWatchpoints::dumpInContext):
697         (JSC::DFG::DesiredWatchpoints::isWatched):
698         (JSC::DFG::GenericSetAdaptor::add): Deleted.
699         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated): Deleted.
700         * dfg/DFGDesiredWeakReferences.cpp:
701         (JSC::DFG::DesiredWeakReferences::addLazily):
702         (JSC::DFG::DesiredWeakReferences::contains):
703         * dfg/DFGDesiredWeakReferences.h:
704         * dfg/DFGGraph.cpp:
705         (JSC::DFG::Graph::dump):
706         (JSC::DFG::Graph::clearFlagsOnAllNodes):
707         (JSC::DFG::Graph::watchCondition):
708         (JSC::DFG::Graph::isSafeToLoad):
709         (JSC::DFG::Graph::livenessFor):
710         (JSC::DFG::Graph::tryGetConstantProperty):
711         (JSC::DFG::Graph::visitChildren):
712         * dfg/DFGGraph.h:
713         (JSC::DFG::Graph::identifiers):
714         (JSC::DFG::Graph::watchpoints):
715         * dfg/DFGMultiGetByOffsetData.cpp: Added.
716         (JSC::DFG::GetByOffsetMethod::dumpInContext):
717         (JSC::DFG::GetByOffsetMethod::dump):
718         (JSC::DFG::MultiGetByOffsetCase::dumpInContext):
719         (JSC::DFG::MultiGetByOffsetCase::dump):
720         (WTF::printInternal):
721         * dfg/DFGMultiGetByOffsetData.h: Added.
722         (JSC::DFG::GetByOffsetMethod::GetByOffsetMethod):
723         (JSC::DFG::GetByOffsetMethod::constant):
724         (JSC::DFG::GetByOffsetMethod::load):
725         (JSC::DFG::GetByOffsetMethod::loadFromPrototype):
726         (JSC::DFG::GetByOffsetMethod::operator!):
727         (JSC::DFG::GetByOffsetMethod::kind):
728         (JSC::DFG::GetByOffsetMethod::prototype):
729         (JSC::DFG::GetByOffsetMethod::offset):
730         (JSC::DFG::MultiGetByOffsetCase::MultiGetByOffsetCase):
731         (JSC::DFG::MultiGetByOffsetCase::set):
732         (JSC::DFG::MultiGetByOffsetCase::method):
733         * dfg/DFGNode.h:
734         * dfg/DFGSafeToExecute.h:
735         (JSC::DFG::safeToExecute):
736         * dfg/DFGStructureRegistrationPhase.cpp:
737         (JSC::DFG::StructureRegistrationPhase::run):
738         * ftl/FTLLowerDFGToLLVM.cpp:
739         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset):
740         * jit/Repatch.cpp:
741         (JSC::repatchByIdSelfAccess):
742         (JSC::checkObjectPropertyCondition):
743         (JSC::checkObjectPropertyConditions):
744         (JSC::replaceWithJump):
745         (JSC::generateByIdStub):
746         (JSC::actionForCell):
747         (JSC::tryBuildGetByIDList):
748         (JSC::emitPutReplaceStub):
749         (JSC::emitPutTransitionStub):
750         (JSC::tryCachePutByID):
751         (JSC::tryBuildPutByIdList):
752         (JSC::tryRepatchIn):
753         (JSC::addStructureTransitionCheck): Deleted.
754         (JSC::emitPutTransitionStubAndGetOldStructure): Deleted.
755         * runtime/IntendedStructureChain.cpp: Removed.
756         * runtime/IntendedStructureChain.h: Removed.
757         * runtime/JSCJSValue.h:
758         * runtime/JSObject.cpp:
759         (JSC::throwTypeError):
760         (JSC::JSObject::convertToDictionary):
761         (JSC::JSObject::shiftButterflyAfterFlattening):
762         * runtime/JSObject.h:
763         (JSC::JSObject::flattenDictionaryObject):
764         (JSC::JSObject::convertToDictionary): Deleted.
765         * runtime/Operations.h:
766         (JSC::normalizePrototypeChain):
767         (JSC::normalizePrototypeChainForChainAccess): Deleted.
768         (JSC::isPrototypeChainNormalized): Deleted.
769         * runtime/PropertySlot.h:
770         (JSC::PropertySlot::PropertySlot):
771         (JSC::PropertySlot::slotBase):
772         * runtime/Structure.cpp:
773         (JSC::Structure::addPropertyTransition):
774         (JSC::Structure::attributeChangeTransition):
775         (JSC::Structure::toDictionaryTransition):
776         (JSC::Structure::toCacheableDictionaryTransition):
777         (JSC::Structure::toUncacheableDictionaryTransition):
778         (JSC::Structure::ensurePropertyReplacementWatchpointSet):
779         (JSC::Structure::startWatchingPropertyForReplacements):
780         (JSC::Structure::didCachePropertyReplacement):
781         (JSC::Structure::dump):
782         * runtime/Structure.h:
783         * runtime/VM.h:
784         * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check-new.js: Added.
785         (foo):
786         (bar):
787         (baz):
788         * tests/stress/multi-get-by-offset-self-or-proto.js: Added.
789         (foo):
790         * tests/stress/replacement-watchpoint-dictionary.js: Added.
791         (foo):
792         * tests/stress/replacement-watchpoint.js: Added.
793         (foo):
794         * tests/stress/undefined-access-dictionary-then-proto-change.js: Added.
795         (foo):
796         * tests/stress/undefined-access-then-proto-change.js: Added.
797         (foo):
798
799 2015-08-03  Yusuke Suzuki  <utatane.tea@gmail.com>
800
801         JavascriptCore Crash in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool)
802         https://bugs.webkit.org/show_bug.cgi?id=147538
803
804         Reviewed by Geoffrey Garen.
805
        Due to the position of the ARROWFUNCTION token in the JSTokenType enum, it is categorized as one of the keyword tokens.
        As a result, when lexing a property name (which may legitimately be a keyword), the ARROWFUNCTION token is accidentally accepted.
        This patch moves the ARROWFUNCTION token within JSTokenType so that it is classified as an operator token instead.
809
810         * parser/ParserTokens.h:
811         * tests/stress/arrow-function-token-is-not-keyword.js: Added.
812         (testSyntaxError):
813
814 2015-08-03  Keith Miller  <keith_miller@apple.com>
815
816         Clean up the naming for AST expression generation.
817         https://bugs.webkit.org/show_bug.cgi?id=147581
818
819         Reviewed by Yusuke Suzuki.
820
821         * parser/ASTBuilder.h:
822         (JSC::ASTBuilder::createThisExpr):
823         (JSC::ASTBuilder::createSuperExpr):
824         (JSC::ASTBuilder::createNewTargetExpr):
825         (JSC::ASTBuilder::thisExpr): Deleted.
826         (JSC::ASTBuilder::superExpr): Deleted.
827         (JSC::ASTBuilder::newTargetExpr): Deleted.
828         * parser/Parser.cpp:
829         (JSC::Parser<LexerType>::parsePrimaryExpression):
830         (JSC::Parser<LexerType>::parseMemberExpression):
831         * parser/SyntaxChecker.h:
832         (JSC::SyntaxChecker::createThisExpr):
833         (JSC::SyntaxChecker::createSuperExpr):
834         (JSC::SyntaxChecker::createNewTargetExpr):
835         (JSC::SyntaxChecker::thisExpr): Deleted.
836         (JSC::SyntaxChecker::superExpr): Deleted.
837         (JSC::SyntaxChecker::newTargetExpr): Deleted.
838
839 2015-08-03  Yusuke Suzuki  <utatane.tea@gmail.com>
840
841         Don't set up the callsite to operationGetByValDefault when the optimization is already done
842         https://bugs.webkit.org/show_bug.cgi?id=147577
843
844         Reviewed by Filip Pizlo.
845
846         operationGetByValDefault should be called only when the IC is not set.
847         operationGetByValString breaks this invariant and `ASSERT(!byValInfo.stubRoutine)` in
848         operationGetByValDefault raises the assertion failure.
        In this patch, we change the callsite setup code in operationGetByValString so that it
        is skipped when the IC is already set. And to make the operation's meaning explicit, we
        renamed operationGetByValDefault to operationGetByValOptimize, which aligns it with the
        GetById case.
853
854         * jit/JITOperations.cpp:
855         * jit/JITOperations.h:
856         * jit/JITPropertyAccess.cpp:
857         (JSC::JIT::emitSlow_op_get_by_val):
858         * jit/JITPropertyAccess32_64.cpp:
859         (JSC::JIT::emitSlow_op_get_by_val):
860         * tests/stress/operation-get-by-val-default-should-not-called-for-already-optimized-site.js: Added.
861         (hello):
862
863 2015-08-03  Csaba Osztrogonác  <ossy@webkit.org>
864
865         [FTL] Remove unused scripts related to native call inlining
866         https://bugs.webkit.org/show_bug.cgi?id=147448
867
868         Reviewed by Filip Pizlo.
869
870         * build-symbol-table-index.py: Removed.
871         * copy-llvm-ir-to-derived-sources.sh: Removed.
872         * create-llvm-ir-from-source-file.py: Removed.
873         * create-symbol-table-index.py: Removed.
874
875 2015-08-02  Benjamin Poulain  <bpoulain@apple.com>
876
877         Investigate HashTable::HashTable(const HashTable&) and HashTable::operator=(const HashTable&) performance for hash-based static analyses
878         https://bugs.webkit.org/show_bug.cgi?id=118455
879
880         Reviewed by Filip Pizlo.
881
882         LivenessAnalysisPhase lights up like a christmas tree in profiles.
883
        This patch cuts its cost by a factor of 4.
885         About half of the gains come from removing many rehash() when copying
886         the HashSet.
887         The last quarter is achieved by having a special add() function for initializing
888         a HashSet.
889
890         This makes benchmarks progress by 1-2% here and there. Nothing massive.
891
892         * dfg/DFGLivenessAnalysisPhase.cpp:
893         (JSC::DFG::LivenessAnalysisPhase::process):
894         The m_live HashSet is only useful per block. When we are done with it,
895         we can transfer it to liveAtHead to avoid a copy.
896
897 2015-08-01  Saam barati  <saambarati1@gmail.com>
898
899         Unreviewed. Remove unintentional "print" statement in test case.
900         https://bugs.webkit.org/show_bug.cgi?id=142567
901
902         * tests/stress/class-syntax-definition-semantics.js:
903         (shouldBeSyntaxError):
904
905 2015-07-31  Alex Christensen  <achristensen@webkit.org>
906
907         Prepare for VS2015
908         https://bugs.webkit.org/show_bug.cgi?id=146579
909
910         Reviewed by Jon Honeycutt.
911
912         * heap/Heap.h:
913         Fix compiler error by explicitly casting zombifiedBits to the size of a pointer.
914
915 2015-07-31  Saam barati  <saambarati1@gmail.com>
916
917         ES6 class syntax should use block scoping
918         https://bugs.webkit.org/show_bug.cgi?id=142567
919
920         Reviewed by Geoffrey Garen.
921
922         We treat class declarations like we do "let" declarations.
923         The class name is under TDZ until the class declaration
924         statement is evaluated. Class declarations also follow
925         the same rules as "let": No duplicate definitions inside
926         a lexical environment.
927
928         * parser/ASTBuilder.h:
929         (JSC::ASTBuilder::createClassDeclStatement):
930         * parser/Parser.cpp:
931         (JSC::Parser<LexerType>::parseClassDeclaration):
932         * tests/stress/class-syntax-block-scoping.js: Added.
933         (assert):
934         (truth):
935         (.):
936         * tests/stress/class-syntax-definition-semantics.js: Added.
937         (shouldBeSyntaxError):
938         (shouldNotBeSyntaxError):
939         (truth):
940         * tests/stress/class-syntax-tdz.js:
941         (assert):
942         (shouldThrowTDZ):
943         (truth):
944         (.):
945
946 2015-07-31  Sukolsak Sakshuwong  <sukolsak@gmail.com>
947
948         Implement WebAssembly module parser
949         https://bugs.webkit.org/show_bug.cgi?id=147293
950
951         Reviewed by Mark Lam.
952
953         Re-landing after fix for the "..\..\jsc.cpp(46): fatal error C1083: Cannot open
954         include file: 'JSWASMModule.h'" issue on Windows.
955
956         Implement WebAssembly module parser for WebAssembly files produced by pack-asmjs
957         <https://github.com/WebAssembly/polyfill-prototype-1>. This patch only checks
958         the magic number at the beginning of the files. Parsing of the rest will be
959         implemented in a subsequent patch.
960
961         * CMakeLists.txt:
962         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
963         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
964         * JavaScriptCore.xcodeproj/project.pbxproj:
965         * jsc.cpp:
966         (GlobalObject::finishCreation):
967         (functionLoadWebAssembly):
968         * parser/SourceProvider.h:
969         (JSC::WebAssemblySourceProvider::create):
970         (JSC::WebAssemblySourceProvider::data):
971         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
972         * runtime/JSGlobalObject.cpp:
973         (JSC::JSGlobalObject::init):
974         (JSC::JSGlobalObject::visitChildren):
975         * runtime/JSGlobalObject.h:
976         (JSC::JSGlobalObject::wasmModuleStructure):
977         * wasm/WASMMagicNumber.h: Added.
978         * wasm/WASMModuleParser.cpp: Added.
979         (JSC::WASMModuleParser::WASMModuleParser):
980         (JSC::WASMModuleParser::parse):
981         (JSC::WASMModuleParser::parseModule):
982         (JSC::parseWebAssembly):
983         * wasm/WASMModuleParser.h: Added.
984         * wasm/WASMReader.cpp: Added.
985         (JSC::WASMReader::readUnsignedInt32):
986         (JSC::WASMReader::readFloat):
987         (JSC::WASMReader::readDouble):
988         * wasm/WASMReader.h: Added.
989         (JSC::WASMReader::WASMReader):
990
991 2015-07-30  Sukolsak Sakshuwong  <sukolsak@gmail.com>
992
993         Add the "wasm" directory to the Additional Include Directories for jsc.exe
994         https://bugs.webkit.org/show_bug.cgi?id=147443
995
996         Reviewed by Mark Lam.
997
998         This patch should fix the "..\..\jsc.cpp(46): fatal error C1083:
999         Cannot open include file: 'JSWASMModule.h'" error in the Windows build.
1000
1001         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
1002
1003 2015-07-30  Chris Dumez  <cdumez@apple.com>
1004
1005         Mark more classes as fast allocated
1006         https://bugs.webkit.org/show_bug.cgi?id=147440
1007
1008         Reviewed by Sam Weinig.
1009
1010         Mark more classes as fast allocated for performance. We heap-allocate
1011         objects of those types throughout the code base.
1012
1013         * API/JSCallbackObject.h:
1014         * API/ObjCCallbackFunction.mm:
1015         * bytecode/BytecodeKills.h:
1016         * bytecode/BytecodeLivenessAnalysis.h:
1017         * bytecode/CallLinkStatus.h:
1018         * bytecode/FullBytecodeLiveness.h:
1019         * bytecode/SamplingTool.h:
1020         * bytecompiler/BytecodeGenerator.h:
1021         * dfg/DFGBasicBlock.h:
1022         * dfg/DFGBlockMap.h:
1023         * dfg/DFGInPlaceAbstractState.h:
1024         * dfg/DFGThreadData.h:
1025         * heap/HeapVerifier.h:
1026         * heap/SlotVisitor.h:
1027         * parser/Lexer.h:
1028         * runtime/ControlFlowProfiler.h:
1029         * runtime/TypeProfiler.h:
1030         * runtime/TypeProfilerLog.h:
1031         * runtime/Watchdog.h:
1032
1033 2015-07-29  Filip Pizlo  <fpizlo@apple.com>
1034
1035         DFG::ArgumentsEliminationPhase should emit a PutStack for all of the GetStacks that the ByteCodeParser emitted
1036         https://bugs.webkit.org/show_bug.cgi?id=147433
1037         rdar://problem/21668986
1038
1039         Reviewed by Mark Lam.
1040
1041         Ideally, the ByteCodeParser would only emit SetArgument nodes for named arguments.  But
1042         currently that's not what it does - it emits a SetArgument for every argument that a varargs
1043         call may pass.  Each SetArgument gets turned into a GetStack.  This means that if
1044         ArgumentsEliminationPhase optimizes away PutStacks for those varargs arguments that didn't
1045         get passed or used, we get degenerate IR where we have a GetStack of something that didn't
1046         have a PutStack.
1047
1048         This fixes the bug by removing the code to optimize away PutStacks in
1049         ArgumentsEliminationPhase.
1050
1051         * dfg/DFGArgumentsEliminationPhase.cpp:
1052         * tests/stress/varargs-inlining-underflow.js: Added.
1053         (baz):
1054         (bar):
1055         (foo):
1056
1057 2015-07-29  Andy VanWagoner  <thetalecrafter@gmail.com>
1058
1059         Implement basic types for ECMAScript Internationalization API
1060         https://bugs.webkit.org/show_bug.cgi?id=146926
1061
1062         Reviewed by Benjamin Poulain.
1063
1064         Adds basic types for ECMA-402 2nd edition, but does not implement the full locale-aware features yet.
1065         http://www.ecma-international.org/ecma-402/2.0/ECMA-402.pdf
1066
1067         * CMakeLists.txt: Added new Intl files.
1068         * Configurations/FeatureDefines.xcconfig: Enable INTL.
1069         * DerivedSources.make: Added Intl files.
1070         * JavaScriptCore.xcodeproj/project.pbxproj: Added Intl files.
1071         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added Intl files.
1072         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added Intl files.
1073         * runtime/CommonIdentifiers.h: Added Collator, NumberFormat, and DateTimeFormat.
1074         * runtime/DateConstructor.cpp: Made Date.now public.
1075         * runtime/DateConstructor.h: Made Date.now public.
1076         * runtime/IntlCollator.cpp: Added.
1077         (JSC::IntlCollator::create):
1078         (JSC::IntlCollator::createStructure):
1079         (JSC::IntlCollator::IntlCollator):
1080         (JSC::IntlCollator::finishCreation):
1081         (JSC::IntlCollator::destroy):
1082         (JSC::IntlCollator::visitChildren):
1083         (JSC::IntlCollator::setBoundCompare):
1084         (JSC::IntlCollatorFuncCompare): Added placeholder implementation using codePointCompare.
1085         * runtime/IntlCollator.h: Added.
1086         (JSC::IntlCollator::constructor):
1087         (JSC::IntlCollator::boundCompare):
1088         * runtime/IntlCollatorConstructor.cpp: Added.
1089         (JSC::IntlCollatorConstructor::create):
1090         (JSC::IntlCollatorConstructor::createStructure):
1091         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
1092         (JSC::IntlCollatorConstructor::finishCreation):
1093         (JSC::constructIntlCollator): Added Collator constructor (10.1.2).
1094         (JSC::callIntlCollator): Added Collator constructor (10.1.2).
1095         (JSC::IntlCollatorConstructor::getConstructData):
1096         (JSC::IntlCollatorConstructor::getCallData):
1097         (JSC::IntlCollatorConstructor::getOwnPropertySlot):
1098         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
1099         (JSC::IntlCollatorConstructor::visitChildren):
1100         * runtime/IntlCollatorConstructor.h: Added.
1101         (JSC::IntlCollatorConstructor::collatorStructure):
1102         * runtime/IntlCollatorPrototype.cpp: Added.
1103         (JSC::IntlCollatorPrototype::create):
1104         (JSC::IntlCollatorPrototype::createStructure):
1105         (JSC::IntlCollatorPrototype::IntlCollatorPrototype):
1106         (JSC::IntlCollatorPrototype::finishCreation):
1107         (JSC::IntlCollatorPrototype::getOwnPropertySlot):
1108         (JSC::IntlCollatorPrototypeGetterCompare): Added compare getter (10.3.3)
1109         (JSC::IntlCollatorPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
1110         * runtime/IntlCollatorPrototype.h: Added.
1111         * runtime/IntlDateTimeFormat.cpp: Added.
1112         (JSC::IntlDateTimeFormat::create):
1113         (JSC::IntlDateTimeFormat::createStructure):
1114         (JSC::IntlDateTimeFormat::IntlDateTimeFormat):
1115         (JSC::IntlDateTimeFormat::finishCreation):
1116         (JSC::IntlDateTimeFormat::destroy):
1117         (JSC::IntlDateTimeFormat::visitChildren):
1118         (JSC::IntlDateTimeFormat::setBoundFormat):
1119         (JSC::IntlDateTimeFormatFuncFormatDateTime): Added placeholder implementation returning new Date(value).toString().
1120         * runtime/IntlDateTimeFormat.h: Added.
1121         (JSC::IntlDateTimeFormat::constructor):
1122         (JSC::IntlDateTimeFormat::boundFormat):
1123         * runtime/IntlDateTimeFormatConstructor.cpp: Added.
1124         (JSC::IntlDateTimeFormatConstructor::create):
1125         (JSC::IntlDateTimeFormatConstructor::createStructure):
1126         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
1127         (JSC::IntlDateTimeFormatConstructor::finishCreation):
1128         (JSC::constructIntlDateTimeFormat): Added DateTimeFormat constructor (12.1.2).
1129         (JSC::callIntlDateTimeFormat): Added DateTimeFormat constructor (12.1.2).
1130         (JSC::IntlDateTimeFormatConstructor::getConstructData):
1131         (JSC::IntlDateTimeFormatConstructor::getCallData):
1132         (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot):
1133         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
1134         (JSC::IntlDateTimeFormatConstructor::visitChildren):
1135         * runtime/IntlDateTimeFormatConstructor.h: Added.
1136         (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure):
1137         * runtime/IntlDateTimeFormatPrototype.cpp: Added.
1138         (JSC::IntlDateTimeFormatPrototype::create):
1139         (JSC::IntlDateTimeFormatPrototype::createStructure):
1140         (JSC::IntlDateTimeFormatPrototype::IntlDateTimeFormatPrototype):
1141         (JSC::IntlDateTimeFormatPrototype::finishCreation):
1142         (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot):
1143         (JSC::IntlDateTimeFormatPrototypeGetterFormat): Added format getter (12.3.3).
1144         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
1145         * runtime/IntlDateTimeFormatPrototype.h: Added.
1146         * runtime/IntlNumberFormat.cpp: Added.
1147         (JSC::IntlNumberFormat::create):
1148         (JSC::IntlNumberFormat::createStructure):
1149         (JSC::IntlNumberFormat::IntlNumberFormat):
1150         (JSC::IntlNumberFormat::finishCreation):
1151         (JSC::IntlNumberFormat::destroy):
1152         (JSC::IntlNumberFormat::visitChildren):
1153         (JSC::IntlNumberFormat::setBoundFormat):
1154         (JSC::IntlNumberFormatFuncFormatNumber): Added placeholder implementation returning Number(value).toString().
1155         * runtime/IntlNumberFormat.h: Added.
1156         (JSC::IntlNumberFormat::constructor):
1157         (JSC::IntlNumberFormat::boundFormat):
1158         * runtime/IntlNumberFormatConstructor.cpp: Added.
1159         (JSC::IntlNumberFormatConstructor::create):
1160         (JSC::IntlNumberFormatConstructor::createStructure):
1161         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
1162         (JSC::IntlNumberFormatConstructor::finishCreation):
1163         (JSC::constructIntlNumberFormat): Added NumberFormat constructor (11.1.2).
1164         (JSC::callIntlNumberFormat): Added NumberFormat constructor (11.1.2).
1165         (JSC::IntlNumberFormatConstructor::getConstructData):
1166         (JSC::IntlNumberFormatConstructor::getCallData):
1167         (JSC::IntlNumberFormatConstructor::getOwnPropertySlot):
1168         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
1169         (JSC::IntlNumberFormatConstructor::visitChildren):
1170         * runtime/IntlNumberFormatConstructor.h: Added.
1171         (JSC::IntlNumberFormatConstructor::numberFormatStructure):
1172         * runtime/IntlNumberFormatPrototype.cpp: Added.
1173         (JSC::IntlNumberFormatPrototype::create):
1174         (JSC::IntlNumberFormatPrototype::createStructure):
1175         (JSC::IntlNumberFormatPrototype::IntlNumberFormatPrototype):
1176         (JSC::IntlNumberFormatPrototype::finishCreation):
1177         (JSC::IntlNumberFormatPrototype::getOwnPropertySlot):
1178         (JSC::IntlNumberFormatPrototypeGetterFormat): Added format getter (11.3.3).
1179         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
1180         * runtime/IntlNumberFormatPrototype.h: Added.
1181         * runtime/IntlObject.cpp:
1182         (JSC::IntlObject::create):
1183         (JSC::IntlObject::finishCreation): Added Collator, NumberFormat, and DateTimeFormat properties (8.1).
1184         (JSC::IntlObject::visitChildren):
1185         * runtime/IntlObject.h:
1186         (JSC::IntlObject::collatorConstructor):
1187         (JSC::IntlObject::collatorPrototype):
1188         (JSC::IntlObject::collatorStructure):
1189         (JSC::IntlObject::numberFormatConstructor):
1190         (JSC::IntlObject::numberFormatPrototype):
1191         (JSC::IntlObject::numberFormatStructure):
1192         (JSC::IntlObject::dateTimeFormatConstructor):
1193         (JSC::IntlObject::dateTimeFormatPrototype):
1194         (JSC::IntlObject::dateTimeFormatStructure):
1195         * runtime/JSGlobalObject.cpp:
1196         (JSC::JSGlobalObject::init):
1197
1198 2015-07-29  Commit Queue  <commit-queue@webkit.org>
1199
1200         Unreviewed, rolling out r187550.
1201         https://bugs.webkit.org/show_bug.cgi?id=147420
1202
1203         Broke Windows build (again) (Requested by smfr on #webkit).
1204
1205         Reverted changeset:
1206
1207         "Implement WebAssembly module parser"
1208         https://bugs.webkit.org/show_bug.cgi?id=147293
1209         http://trac.webkit.org/changeset/187550
1210
1211 2015-07-29  Basile Clement  <basile_clement@apple.com>
1212
1213         Remove native call inlining
1214         https://bugs.webkit.org/show_bug.cgi?id=147417
1215
1216         Rubber Stamped by Filip Pizlo.
1217
1218         * CMakeLists.txt:
1219         * dfg/DFGAbstractInterpreterInlines.h:
1220         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
1221         * dfg/DFGByteCodeParser.cpp:
1222         (JSC::DFG::ByteCodeParser::handleCall): Deleted.
1223         * dfg/DFGClobberize.h:
1224         (JSC::DFG::clobberize): Deleted.
1225         * dfg/DFGDoesGC.cpp:
1226         (JSC::DFG::doesGC): Deleted.
1227         * dfg/DFGFixupPhase.cpp:
1228         (JSC::DFG::FixupPhase::fixupNode): Deleted.
1229         * dfg/DFGNode.h:
1230         (JSC::DFG::Node::hasHeapPrediction): Deleted.
1231         (JSC::DFG::Node::hasCellOperand): Deleted.
1232         * dfg/DFGNodeType.h:
1233         * dfg/DFGPredictionPropagationPhase.cpp:
1234         (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
1235         * dfg/DFGSafeToExecute.h:
1236         (JSC::DFG::safeToExecute): Deleted.
1237         * dfg/DFGSpeculativeJIT32_64.cpp:
1238         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1239         * dfg/DFGSpeculativeJIT64.cpp:
1240         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1241         * ftl/FTLCapabilities.cpp:
1242         (JSC::FTL::canCompile): Deleted.
1243         * ftl/FTLLowerDFGToLLVM.cpp:
1244         (JSC::FTL::DFG::LowerDFGToLLVM::lower): Deleted.
1245         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
1246         (JSC::FTL::DFG::LowerDFGToLLVM::compileNativeCallOrConstruct): Deleted.
1247         (JSC::FTL::DFG::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
1248         (JSC::FTL::DFG::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
1249         (JSC::FTL::DFG::LowerDFGToLLVM::didOverflowStack): Deleted.
1250         * ftl/FTLState.cpp:
1251         (JSC::FTL::State::State): Deleted.
1252         * ftl/FTLState.h:
1253         * runtime/BundlePath.cpp: Removed.
1254         (JSC::bundlePath): Deleted.
1255         * runtime/JSDataViewPrototype.cpp:
1256         (JSC::getData):
1257         (JSC::setData):
1258         * runtime/Options.h:
1259
1260 2015-07-29  Basile Clement  <basile_clement@apple.com>
1261
1262         Unreviewed, skipping a test that is too complex for its own good
1263         https://bugs.webkit.org/show_bug.cgi?id=147167
1264
1265         * tests/stress/math-pow-coherency.js:
1266
1267 2015-07-29  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1268
1269         Implement WebAssembly module parser
1270         https://bugs.webkit.org/show_bug.cgi?id=147293
1271
1272         Reviewed by Mark Lam.
1273
1274         Reupload the patch, since r187539 should fix the "Cannot open include file:
1275         'JSWASMModule.h'" issue in the Windows build.
1276
1277         * CMakeLists.txt:
1278         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1279         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1280         * JavaScriptCore.xcodeproj/project.pbxproj:
1281         * jsc.cpp:
1282         (GlobalObject::finishCreation):
1283         (functionLoadWebAssembly):
1284         * parser/SourceProvider.h:
1285         (JSC::WebAssemblySourceProvider::create):
1286         (JSC::WebAssemblySourceProvider::data):
1287         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1288         * runtime/JSGlobalObject.cpp:
1289         (JSC::JSGlobalObject::init):
1290         (JSC::JSGlobalObject::visitChildren):
1291         * runtime/JSGlobalObject.h:
1292         (JSC::JSGlobalObject::wasmModuleStructure):
1293         * wasm/WASMMagicNumber.h: Added.
1294         * wasm/WASMModuleParser.cpp: Added.
1295         (JSC::WASMModuleParser::WASMModuleParser):
1296         (JSC::WASMModuleParser::parse):
1297         (JSC::WASMModuleParser::parseModule):
1298         (JSC::parseWebAssembly):
1299         * wasm/WASMModuleParser.h: Added.
1300         * wasm/WASMReader.cpp: Added.
1301         (JSC::WASMReader::readUnsignedInt32):
1302         (JSC::WASMReader::readFloat):
1303         (JSC::WASMReader::readDouble):
1304         * wasm/WASMReader.h: Added.
1305         (JSC::WASMReader::WASMReader):
1306
1307 2015-07-29  Basile Clement  <basile_clement@apple.com>
1308
1309         Unreviewed, lower the number of test iterations to prevent timing out on Debug builds
1310         https://bugs.webkit.org/show_bug.cgi?id=147167
1311
1312         * tests/stress/math-pow-coherency.js:
1313
1314 2015-07-28  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1315
1316         Add the "wasm" directory to Visual Studio project files
1317         https://bugs.webkit.org/show_bug.cgi?id=147400
1318
1319         Reviewed by Simon Fraser.
1320
1321         This patch should fix the "Cannot open include file: 'JSWASMModule.h'" issue
1322         in the Windows build.
1323
1324         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1325         * JavaScriptCore.vcxproj/copy-files.cmd:
1326
1327 2015-07-28  Commit Queue  <commit-queue@webkit.org>
1328
1329         Unreviewed, rolling out r187531.
1330         https://bugs.webkit.org/show_bug.cgi?id=147397
1331
1332         Broke Windows build (Requested by smfr on #webkit).
1333
1334         Reverted changeset:
1335
1336         "Implement WebAssembly module parser"
1337         https://bugs.webkit.org/show_bug.cgi?id=147293
1338         http://trac.webkit.org/changeset/187531
1339
1340 2015-07-28  Benjamin Poulain  <bpoulain@apple.com>
1341
1342         Speed up the Stringifier::toJSON() fast case
1343         https://bugs.webkit.org/show_bug.cgi?id=147383
1344
1345         Reviewed by Andreas Kling.
1346
1347         * runtime/JSONObject.cpp:
1348         (JSC::Stringifier::toJSON):
1349         (JSC::Stringifier::toJSONImpl):
1350
1351 2015-07-28  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1352
1353         Implement WebAssembly module parser
1354         https://bugs.webkit.org/show_bug.cgi?id=147293
1355
1356         Reviewed by Geoffrey Garen.
1357
1358         Implement WebAssembly module parser for WebAssembly files produced by pack-asmjs
1359         <https://github.com/WebAssembly/polyfill-prototype-1>. This patch only checks
1360         the magic number at the beginning of the files. Parsing of the rest will be
1361         implemented in a subsequent patch.
1362
1363         * CMakeLists.txt:
1364         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1365         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1366         * JavaScriptCore.xcodeproj/project.pbxproj:
1367         * jsc.cpp:
1368         (GlobalObject::finishCreation):
1369         (functionLoadWebAssembly):
1370         * parser/SourceProvider.h:
1371         (JSC::WebAssemblySourceProvider::create):
1372         (JSC::WebAssemblySourceProvider::data):
1373         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1374         * runtime/JSGlobalObject.cpp:
1375         (JSC::JSGlobalObject::init):
1376         (JSC::JSGlobalObject::visitChildren):
1377         * runtime/JSGlobalObject.h:
1378         (JSC::JSGlobalObject::wasmModuleStructure):
1379         * wasm/WASMMagicNumber.h: Added.
1380         * wasm/WASMModuleParser.cpp: Added.
1381         (JSC::WASMModuleParser::WASMModuleParser):
1382         (JSC::WASMModuleParser::parse):
1383         (JSC::WASMModuleParser::parseModule):
1384         (JSC::parseWebAssembly):
1385         * wasm/WASMModuleParser.h: Added.
1386         * wasm/WASMReader.cpp: Added.
1387         (JSC::WASMReader::readUnsignedInt32):
1388         (JSC::WASMReader::readFloat):
1389         (JSC::WASMReader::readDouble):
1390         * wasm/WASMReader.h: Added.
1391         (JSC::WASMReader::WASMReader):
1392
1393 2015-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1394
1395         [ES6] Add ENABLE_ES6_MODULES compile time flag with the default value "false"
1396         https://bugs.webkit.org/show_bug.cgi?id=147350
1397
1398         Reviewed by Sam Weinig.
1399
1400         * Configurations/FeatureDefines.xcconfig:
1401
1402 2015-07-28  Saam barati  <saambarati1@gmail.com>
1403
1404         Make the type profiler work with lexical scoping and add tests
1405         https://bugs.webkit.org/show_bug.cgi?id=145438
1406
1407         Reviewed by Geoffrey Garen.
1408
1409         op_profile_type now knows how to resolve variables allocated within
1410         the local scope stack. This means it knows how to resolve "let"
1411         and "const" variables. Also, some refactoring was done inside
1412         the BytecodeGenerator to make writing code to support the type
1413         profiler much simpler and clearer.
1414
1415         * bytecode/CodeBlock.cpp:
1416         (JSC::CodeBlock::CodeBlock):
1417         * bytecode/CodeBlock.h:
1418         (JSC::CodeBlock::symbolTable): Deleted.
1419         * bytecode/UnlinkedCodeBlock.h:
1420         (JSC::UnlinkedCodeBlock::addExceptionHandler):
1421         (JSC::UnlinkedCodeBlock::exceptionHandler):
1422         (JSC::UnlinkedCodeBlock::vm):
1423         (JSC::UnlinkedCodeBlock::addArrayProfile):
1424         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex): Deleted.
1425         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex): Deleted.
1426         * bytecompiler/BytecodeGenerator.cpp:
1427         (JSC::BytecodeGenerator::BytecodeGenerator):
1428         (JSC::BytecodeGenerator::emitMove):
1429         (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
1430         (JSC::BytecodeGenerator::emitProfileType):
1431         (JSC::BytecodeGenerator::emitProfileControlFlow):
1432         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1433         * bytecompiler/BytecodeGenerator.h:
1434         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
1435         * bytecompiler/NodesCodegen.cpp:
1436         (JSC::ThisNode::emitBytecode):
1437         (JSC::ResolveNode::emitBytecode):
1438         (JSC::BracketAccessorNode::emitBytecode):
1439         (JSC::DotAccessorNode::emitBytecode):
1440         (JSC::FunctionCallValueNode::emitBytecode):
1441         (JSC::FunctionCallResolveNode::emitBytecode):
1442         (JSC::FunctionCallBracketNode::emitBytecode):
1443         (JSC::FunctionCallDotNode::emitBytecode):
1444         (JSC::CallFunctionCallDotNode::emitBytecode):
1445         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1446         (JSC::PostfixNode::emitResolve):
1447         (JSC::PostfixNode::emitBracket):
1448         (JSC::PostfixNode::emitDot):
1449         (JSC::PrefixNode::emitResolve):
1450         (JSC::PrefixNode::emitBracket):
1451         (JSC::PrefixNode::emitDot):
1452         (JSC::ReadModifyResolveNode::emitBytecode):
1453         (JSC::AssignResolveNode::emitBytecode):
1454         (JSC::AssignDotNode::emitBytecode):
1455         (JSC::ReadModifyDotNode::emitBytecode):
1456         (JSC::AssignBracketNode::emitBytecode):
1457         (JSC::ReadModifyBracketNode::emitBytecode):
1458         (JSC::EmptyVarExpression::emitBytecode):
1459         (JSC::EmptyLetExpression::emitBytecode):
1460         (JSC::ForInNode::emitLoopHeader):
1461         (JSC::ForOfNode::emitBytecode):
1462         (JSC::ReturnNode::emitBytecode):
1463         (JSC::FunctionNode::emitBytecode):
1464         (JSC::BindingNode::bindValue):
1465         * dfg/DFGSpeculativeJIT32_64.cpp:
1466         (JSC::DFG::SpeculativeJIT::compile):
1467         * dfg/DFGSpeculativeJIT64.cpp:
1468         (JSC::DFG::SpeculativeJIT::compile):
1469         * jit/JITOpcodes.cpp:
1470         (JSC::JIT::emit_op_profile_type):
1471         * jit/JITOpcodes32_64.cpp:
1472         (JSC::JIT::emit_op_profile_type):
1473         * llint/LowLevelInterpreter32_64.asm:
1474         * llint/LowLevelInterpreter64.asm:
1475         * tests/typeProfiler/es6-block-scoping.js: Added.
1476         (noop):
1477         (arr):
1478         (wrapper.changeFoo):
1479         (wrapper.scoping):
1480         (wrapper.scoping2):
1481         (wrapper):
1482         * tests/typeProfiler/es6-classes.js: Added.
1483         (noop):
1484         (wrapper.Animal):
1485         (wrapper.Animal.prototype.methodA):
1486         (wrapper.Dog):
1487         (wrapper.Dog.prototype.methodB):
1488         (wrapper):
1489
1490 2015-07-28  Saam barati  <saambarati1@gmail.com>
1491
1492         Implement catch scope using lexical scoping constructs introduced with "let" scoping patch
1493         https://bugs.webkit.org/show_bug.cgi?id=146979
1494
1495         Reviewed by Geoffrey Garen.
1496
1497         Now that BytecodeGenerator has a notion of local scope depth,
1498         we can easily implement a catch scope that doesn't claim that
1499         all variables are dynamically scoped. This means that functions
1500         that use try/catch can have local variable resolution. This also
1501         means that all functions that use try/catch don't have all
1502         their variables marked as being captured.
1503
1504         Catch scopes now behave like a "let" scope (sans the TDZ logic) with a 
1505         single variable. Catch scopes are now just JSLexicalEnvironments and the 
1506         symbol table backing the catch scope knows that it corresponds to a catch scope.
1507
1508         * CMakeLists.txt:
1509         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1510         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1511         * JavaScriptCore.xcodeproj/project.pbxproj:
1512         * bytecode/CodeBlock.cpp:
1513         (JSC::CodeBlock::dumpBytecode):
1514         * bytecode/EvalCodeCache.h:
1515         (JSC::EvalCodeCache::isCacheable):
1516         * bytecompiler/BytecodeGenerator.cpp:
1517         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1518         (JSC::BytecodeGenerator::emitLoadGlobalObject):
1519         (JSC::BytecodeGenerator::pushLexicalScope):
1520         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1521         (JSC::BytecodeGenerator::popLexicalScope):
1522         (JSC::BytecodeGenerator::popLexicalScopeInternal):
1523         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1524         (JSC::BytecodeGenerator::variable):
1525         (JSC::BytecodeGenerator::resolveType):
1526         (JSC::BytecodeGenerator::emitResolveScope):
1527         (JSC::BytecodeGenerator::emitPopScope):
1528         (JSC::BytecodeGenerator::emitPopWithScope):
1529         (JSC::BytecodeGenerator::emitDebugHook):
1530         (JSC::BytecodeGenerator::popScopedControlFlowContext):
1531         (JSC::BytecodeGenerator::emitPushCatchScope):
1532         (JSC::BytecodeGenerator::emitPopCatchScope):
1533         (JSC::BytecodeGenerator::beginSwitch):
1534         (JSC::BytecodeGenerator::emitPopWithOrCatchScope): Deleted.
1535         * bytecompiler/BytecodeGenerator.h:
1536         (JSC::BytecodeGenerator::lastOpcodeID):
1537         * bytecompiler/NodesCodegen.cpp:
1538         (JSC::AssignResolveNode::emitBytecode):
1539         (JSC::WithNode::emitBytecode):
1540         (JSC::TryNode::emitBytecode):
1541         * debugger/DebuggerScope.cpp:
1542         (JSC::DebuggerScope::isCatchScope):
1543         (JSC::DebuggerScope::isFunctionNameScope):
1544         (JSC::DebuggerScope::isFunctionOrEvalScope):
1545         (JSC::DebuggerScope::caughtValue):
1546         * debugger/DebuggerScope.h:
1547         * inspector/ScriptDebugServer.cpp:
1548         (Inspector::ScriptDebugServer::exceptionOrCaughtValue):
1549         * interpreter/Interpreter.cpp:
1550         (JSC::Interpreter::execute):
1551         * jit/JITOpcodes.cpp:
1552         (JSC::JIT::emit_op_push_name_scope):
1553         * jit/JITOpcodes32_64.cpp:
1554         (JSC::JIT::emit_op_push_name_scope):
1555         * jit/JITOperations.cpp:
1556         * jit/JITOperations.h:
1557         * parser/ASTBuilder.h:
1558         (JSC::ASTBuilder::createContinueStatement):
1559         (JSC::ASTBuilder::createTryStatement):
1560         * parser/NodeConstructors.h:
1561         (JSC::ThrowNode::ThrowNode):
1562         (JSC::TryNode::TryNode):
1563         (JSC::FunctionParameters::FunctionParameters):
1564         * parser/Nodes.h:
1565         * parser/Parser.cpp:
1566         (JSC::Parser<LexerType>::parseTryStatement):
1567         * parser/SyntaxChecker.h:
1568         (JSC::SyntaxChecker::createBreakStatement):
1569         (JSC::SyntaxChecker::createContinueStatement):
1570         (JSC::SyntaxChecker::createTryStatement):
1571         (JSC::SyntaxChecker::createSwitchStatement):
1572         (JSC::SyntaxChecker::createWhileStatement):
1573         (JSC::SyntaxChecker::createWithStatement):
1574         * runtime/JSCatchScope.cpp:
1575         * runtime/JSCatchScope.h:
1576         (JSC::JSCatchScope::JSCatchScope): Deleted.
1577         (JSC::JSCatchScope::create): Deleted.
1578         (JSC::JSCatchScope::createStructure): Deleted.
1579         * runtime/JSFunctionNameScope.h:
1580         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1581         * runtime/JSGlobalObject.cpp:
1582         (JSC::JSGlobalObject::init):
1583         (JSC::JSGlobalObject::visitChildren):
1584         * runtime/JSGlobalObject.h:
1585         (JSC::JSGlobalObject::withScopeStructure):
1586         (JSC::JSGlobalObject::strictEvalActivationStructure):
1587         (JSC::JSGlobalObject::activationStructure):
1588         (JSC::JSGlobalObject::functionNameScopeStructure):
1589         (JSC::JSGlobalObject::directArgumentsStructure):
1590         (JSC::JSGlobalObject::scopedArgumentsStructure):
1591         (JSC::JSGlobalObject::catchScopeStructure): Deleted.
1592         * runtime/JSNameScope.cpp:
1593         (JSC::JSNameScope::create):
1594         (JSC::JSNameScope::toThis):
1595         * runtime/JSNameScope.h:
1596         * runtime/JSObject.cpp:
1597         (JSC::JSObject::toThis):
1598         (JSC::JSObject::isFunctionNameScopeObject):
1599         (JSC::JSObject::isCatchScopeObject): Deleted.
1600         * runtime/JSObject.h:
1601         * runtime/JSScope.cpp:
1602         (JSC::JSScope::collectVariablesUnderTDZ):
1603         (JSC::JSScope::isLexicalScope):
1604         (JSC::JSScope::isCatchScope):
1605         (JSC::resolveModeName):
1606         * runtime/JSScope.h:
1607         * runtime/SymbolTable.cpp:
1608         (JSC::SymbolTable::SymbolTable):
1609         (JSC::SymbolTable::cloneScopePart):
1610         * runtime/SymbolTable.h:
1611         * tests/stress/const-semantics.js:
1612         (.):
1613
1614 2015-07-28  Filip Pizlo  <fpizlo@apple.com>
1615
1616         DFG::ArgumentsEliminationPhase has a redundant check for inserting CheckInBounds when converting GetByVal to GetStack in the inline non-varargs case
1617         https://bugs.webkit.org/show_bug.cgi?id=147373
1618
1619         Reviewed by Mark Lam.
1620
1621         The code was doing a check for "index >= inlineCallFrame->arguments.size() - 1" in code where
1622         safeToGetStack is true and we aren't in varargs context, but in a non-varargs context,
1623         safeToGetStack can only be true if "index < inlineCallFrame->arguments.size() - 1".
1624
1625         When converting a GetByVal to GetStack, there are three possibilities:
1626
1627         1) Impossible to convert. This can happen if the GetByVal is out-of-bounds of the things we
1628            know to have stored to the stack. For example, if we inline a function that does
1629            "arguments[42]" at a call that passes no arguments.
1630
1631         2) Possible to convert, but we cannot prove statically that the GetByVal was in bounds. This
1632            can happen for "arguments[42]" with no inline call frame (since we don't know statically
1633            how many arguments we will be passed) or in a varargs call frame.
1634
1635         3) Possible to convert, and we know statically that the GetByVal is in bounds. This can
1636            happen for "arguments[42]" if we have an inline call frame, and it's not a varargs call
1637            frame, and we know that the caller passed 42 or more arguments.
1638
1639         The way the phase handles this is it first determines that we're not in case (1). This is
1640         called safeToGetStack. safeToGetStack is true if we have case (2) or (3). For inline call
1641         frames that have no varargs, this means that safeToGetStack is true exactly when the GetByVal
1642         is in-bounds (i.e. case (3)).
1643
1644         But the phase was again doing a check for whether the index is in-bounds for non-varargs
1645         inline call frames even when safeToGetStack was true. That check is redundant and should be
1646         eliminated, since it makes the code confusing.
1647
1648         * dfg/DFGArgumentsEliminationPhase.cpp:
1649
1650 2015-07-28  Filip Pizlo  <fpizlo@apple.com>
1651
1652         DFG::PutStackSinkingPhase should be more aggressive about its "no GetStack until put" rule
1653         https://bugs.webkit.org/show_bug.cgi?id=147371
1654
1655         Reviewed by Mark Lam.
1656
1657         Two fixes:
1658
1659         - Make ConflictingFlush really mean that you can't load from the stack slot. This means not
1660           using ConflictingFlush for arguments.
1661
1662         - Assert that a GetStack never sees ConflictingFlush.
1663
1664         * dfg/DFGPutStackSinkingPhase.cpp:
1665
1666 2015-07-28  Basile Clement  <basile_clement@apple.com>
1667
1668         Misleading error message: "At least one digit must occur after a decimal point"
1669         https://bugs.webkit.org/show_bug.cgi?id=146238
1670
1671         Reviewed by Geoffrey Garen.
1672
1673         Interestingly, we had a comment explaining what this error message was
1674         about that is much clearer than the error message itself. This patch
1675         simply replaces the error message with the explanation from the
1676         comment.
1677
1678         * parser/Lexer.cpp:
1679         (JSC::Lexer<T>::lex):
1680
1681 2015-07-28  Basile Clement  <basile_clement@apple.com>
1682
1683         Simplify call linking
1684         https://bugs.webkit.org/show_bug.cgi?id=147363
1685
1686         Reviewed by Filip Pizlo.
1687
1688         Previously, we were passing both the CallLinkInfo and a
1689         (CodeSpecializationKind, RegisterPreservationMode) pair to the
1690         different call linking slow paths. However, the CallLinkInfo already
1691         has all of that information, and we don't gain anything by having them
1692         in additional static parameters - except possibly a very small
1693         performance gain in presence of inlining. However since those are
1694         already slow paths, this performance loss (if it exists) will not be
1695         visible in practice.
1696
1697         This patch replaces the various specialized thunks and JIT operations
1698         for regular and polymorphic call linking with a single thunk and
1699         operation for each case. Moreover, it replaces the four specialized
1700         virtual call thunks and operations with one virtual call thunk per
1701         call link info, allowing for better branch prediction by the CPU and
1702         fixing a pre-existing FIXME.
1703
1704         * bytecode/CallLinkInfo.cpp:
1705         (JSC::CallLinkInfo::unlink):
1706         (JSC::CallLinkInfo::dummy): Deleted.
1707         * bytecode/CallLinkInfo.h:
1708         (JSC::CallLinkInfo::CallLinkInfo):
1709         (JSC::CallLinkInfo::registerPreservationMode):
1710         (JSC::CallLinkInfo::setUpCallFromFTL):
1711         (JSC::CallLinkInfo::setSlowStub):
1712         (JSC::CallLinkInfo::clearSlowStub):
1713         (JSC::CallLinkInfo::slowStub):
1714         * dfg/DFGDriver.cpp:
1715         (JSC::DFG::compileImpl):
1716         * dfg/DFGJITCompiler.cpp:
1717         (JSC::DFG::JITCompiler::link):
1718         * ftl/FTLJSCallBase.cpp:
1719         (JSC::FTL::JSCallBase::link):
1720         * jit/JITCall.cpp:
1721         (JSC::JIT::compileCallEvalSlowCase):
1722         (JSC::JIT::compileOpCall):
1723         (JSC::JIT::compileOpCallSlowCase):
1724         * jit/JITCall32_64.cpp:
1725         (JSC::JIT::compileCallEvalSlowCase):
1726         (JSC::JIT::compileOpCall):
1727         (JSC::JIT::compileOpCallSlowCase):
1728         * jit/JITOperations.cpp:
1729         * jit/JITOperations.h:
1730         (JSC::operationLinkFor): Deleted.
1731         (JSC::operationVirtualFor): Deleted.
1732         (JSC::operationLinkPolymorphicCallFor): Deleted.
1733         * jit/Repatch.cpp:
1734         (JSC::generateByIdStub):
1735         (JSC::linkSlowFor):
1736         (JSC::linkFor):
1737         (JSC::revertCall):
1738         (JSC::unlinkFor):
1739         (JSC::linkVirtualFor):
1740         (JSC::linkPolymorphicCall):
1741         * jit/Repatch.h:
1742         * jit/ThunkGenerators.cpp:
1743         (JSC::linkCallThunkGenerator):
1744         (JSC::linkPolymorphicCallThunkGenerator):
1745         (JSC::virtualThunkFor):
1746         (JSC::linkForThunkGenerator): Deleted.
1747         (JSC::linkConstructThunkGenerator): Deleted.
1748         (JSC::linkCallThatPreservesRegsThunkGenerator): Deleted.
1749         (JSC::linkConstructThatPreservesRegsThunkGenerator): Deleted.
1750         (JSC::linkPolymorphicCallForThunkGenerator): Deleted.
1751         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator): Deleted.
1752         (JSC::virtualForThunkGenerator): Deleted.
1753         (JSC::virtualCallThunkGenerator): Deleted.
1754         (JSC::virtualConstructThunkGenerator): Deleted.
1755         (JSC::virtualCallThatPreservesRegsThunkGenerator): Deleted.
1756         (JSC::virtualConstructThatPreservesRegsThunkGenerator): Deleted.
1757         * jit/ThunkGenerators.h:
1758         (JSC::linkThunkGeneratorFor): Deleted.
1759         (JSC::linkPolymorphicCallThunkGeneratorFor): Deleted.
1760         (JSC::virtualThunkGeneratorFor): Deleted.
1761
1762 2015-07-28  Basile Clement  <basile_clement@apple.com>
1763
1764         stress/math-pow-with-constants.js fails in cloop
1765         https://bugs.webkit.org/show_bug.cgi?id=147167
1766
1767         Reviewed by Geoffrey Garen.
1768
1769         The Baseline JIT, DFG and FTL use a fast exponentiation path when
1770         computing Math.pow() with an integer exponent; that path is not taken
1771         in the LLInt (or in the DFG abstract interpreter). This leads to the
1772         result of pow changing depending on the compilation tier, or on whether
1773         constant propagation kicks in, which is undesirable.
1774
1775         This patch adds the fast path to the slow operationMathPow in order to
1776         maintain an illusion of consistency.
1777
1778         * runtime/MathCommon.cpp:
1779         (JSC::operationMathPow):
1780         * tests/stress/math-pow-coherency.js: Added.
1781         (pow42):
1782         (build42AsDouble.opaqueAdd):
1783         (build42AsDouble):
1784         (powDouble42):
1785         (clobber):
1786         (pow42NoConstantFolding):
1787         (powDouble42NoConstantFolding):
1788
1789 2015-07-28  Joseph Pecoraro  <pecoraro@apple.com>
1790
1791         Web Inspector: Show Pseudo Elements in DOM Tree
1792         https://bugs.webkit.org/show_bug.cgi?id=139612
1793
1794         Reviewed by Timothy Hatcher.
1795
1796         * inspector/protocol/DOM.json:
1797         Add new properties to DOMNode if it is a pseudo element or if it has
1798         pseudo element children. Add new events for if a pseudo element is
1799         added or removed dynamically to an existing DOMNode.
1800
1801 2015-07-27  Filip Pizlo  <fpizlo@apple.com>
1802
1803         Add logging when executable code gets deallocated
1804         https://bugs.webkit.org/show_bug.cgi?id=147355
1805
1806         Reviewed by Mark Lam.
1807
1808         * ftl/FTLJITCode.cpp:
1809         (JSC::FTL::JITCode::~JITCode): Print something when this is freed.
1810         * jit/JITCode.cpp:
1811         (JSC::JITCodeWithCodeRef::~JITCodeWithCodeRef): Print something when this is freed.
1812
1813 2015-07-27  Filip Pizlo  <fpizlo@apple.com>
1814
1815         DFG::safeToExecute() cases for GetByOffset/PutByOffset don't handle clobbered structure abstract values correctly
1816         https://bugs.webkit.org/show_bug.cgi?id=147354
1817
1818         Reviewed by Michael Saboff.
1819
1820         If m_structure.isClobbered(), it means that we had a side effect that clobbered
1821         the abstract value but it may recover back to its original value at the next
1822         invalidation point. Since the invalidation point hasn't been reached yet, we need
1823         to conservatively treat the clobbered state as if it was top. At the invalidation
1824         point, the clobbered set will return back to being unclobbered.
1825
1826         In addition to fixing the bug, this introduces isInfinite(), which should be used
1827         in places where it's tempting to just use isTop().
1828
1829         * dfg/DFGSafeToExecute.h:
1830         (JSC::DFG::safeToExecute): Fix the bug.
1831         * dfg/DFGStructureAbstractValue.cpp:
1832         (JSC::DFG::StructureAbstractValue::contains): Switch to using isInfinite().
1833         (JSC::DFG::StructureAbstractValue::isSubsetOf): Switch to using isInfinite().
1834         (JSC::DFG::StructureAbstractValue::isSupersetOf): Switch to using isInfinite().
1835         (JSC::DFG::StructureAbstractValue::overlaps): Switch to using isInfinite().
1836         * dfg/DFGStructureAbstractValue.h:
1837         (JSC::DFG::StructureAbstractValue::isFinite): New convenience method.
1838         (JSC::DFG::StructureAbstractValue::isInfinite): New convenience method.
1839         (JSC::DFG::StructureAbstractValue::onlyStructure): Switch to using isInfinite().
1840
1841 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1842
1843         [ES6] Implement Reflect.enumerate
1844         https://bugs.webkit.org/show_bug.cgi?id=147347
1845
1846         Reviewed by Sam Weinig.
1847
1848         This patch implements Reflect.enumerate.
1849         It returns the iterator that iterates the enumerable keys of the given object.
1850         It follows the for-in's enumeration order.
1851
1852         To implement it, we reimplement in C++ the same logic used by the for-in enumeration code.
1853
1854         * CMakeLists.txt:
1855         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1856         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1857         * JavaScriptCore.xcodeproj/project.pbxproj:
1858         * runtime/JSGlobalObject.cpp:
1859         (JSC::JSGlobalObject::init):
1860         (JSC::JSGlobalObject::visitChildren):
1861         * runtime/JSGlobalObject.h:
1862         (JSC::JSGlobalObject::propertyNameIteratorStructure):
1863         * runtime/JSPropertyNameIterator.cpp: Added.
1864         (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
1865         (JSC::JSPropertyNameIterator::clone):
1866         (JSC::JSPropertyNameIterator::create):
1867         (JSC::JSPropertyNameIterator::finishCreation):
1868         (JSC::JSPropertyNameIterator::visitChildren):
1869         (JSC::JSPropertyNameIterator::next):
1870         (JSC::propertyNameIteratorFuncNext):
1871         * runtime/JSPropertyNameIterator.h: Added.
1872         (JSC::JSPropertyNameIterator::createStructure):
1873         * runtime/ReflectObject.cpp:
1874         (JSC::reflectObjectEnumerate):
1875         * tests/stress/reflect-enumerate.js: Added.
1876         (shouldBe):
1877         (shouldThrow):
1878
1879 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1880
1881         [ES6] Implement Reflect.preventExtensions
1882         https://bugs.webkit.org/show_bug.cgi?id=147331
1883
1884         Reviewed by Sam Weinig.
1885
1886         Implement Reflect.preventExtensions.
1887         This is different from Object.preventExtensions.
1888
1889         1. When preventExtensions is called on a non-object, it raises a TypeError.
1890         2. Reflect.preventExtensions does not raise a TypeError when the preventExtensions operation fails.
1891
1892         For case (2), since there is no Proxy implementation currently, Reflect.preventExtensions always succeeds.
1893
1894         * runtime/ReflectObject.cpp:
1895         (JSC::reflectObjectPreventExtensions):
1896         * tests/stress/reflect-prevent-extensions.js: Added.
1897         (shouldBe):
1898         (shouldThrow):
1899
1900 2015-07-27  Alex Christensen  <achristensen@webkit.org>
1901
1902         Use Ninja on Windows.
1903         https://bugs.webkit.org/show_bug.cgi?id=147228
1904
1905         Reviewed by Martin Robinson.
1906
1907         * CMakeLists.txt:
1908         Set the working directory when generating LowLevelInterpreterWin.asm to put LowLevelInterpreterWin.asm.sym in the right place.
1909
1910 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1911
1912         SparseValueMap check is skipped when the butterfly's vectorLength is larger than the access-requested index
1913         https://bugs.webkit.org/show_bug.cgi?id=147265
1914
1915         Reviewed by Geoffrey Garen.
1916
1917         JSObject's vector holds the indexed values, and we use it to represent both stored values and holes.
1918         By checking that the given index is within the vector's length, we can look up the property fast.
1919         For sparse arrays, we also have a separate SparseValueMap to hold the index/value pairs.
1920         We need to take care that the range covered by the vector's length never overlaps the indices stored in the SparseValueMap.
1921
1922         The vector only holds the pure JS values to avoid additional checking for accessors when looking up the value
1923         from the vector. To achieve this, we also store the accessors (and attributed properties) to SparseValueMap
1924         even if the index is less than MIN_SPARSE_ARRAY_INDEX.
1925
1926         As a result, if the length of the vector overlaps the indices of the accessors stored in the SparseValueMap,
1927         we accidentally skip the phase looking up from the SparseValueMap. Instead, we just load from the vector and
1928         if the loaded value is an array hole, we decide the given object does not have the value for the given index.
1929
1930         This patch fixes the problem.
1931         When defining an attributed value whose index is smaller than the length of the vector, we throw away the vector
1932         and change the object to DictionaryIndexingMode. Since we can assume that indexed accessors rarely exist in
1933         practice, we expect this does not hurt the performance while keeping the fast property access system without
1934         checking the sparse map.
1935
1936         * runtime/JSObject.cpp:
1937         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1938         * tests/stress/sparse-map-non-overlapping.js: Added.
1939         (shouldBe):
1940         (testing):
1941         (object.get 1000):
1942         * tests/stress/sparse-map-non-skip-getter-overriding.js: Added.
1943         (shouldBe):
1944         (obj.get 1):
1945         (testing):
1946         * tests/stress/sparse-map-non-skip.js: Added.
1947         (shouldBe):
1948         (testing):
1949         (testing2):
1950         (.get for):
1951
1952 2015-07-27  Saam barati  <saambarati1@gmail.com>
1953
1954         Reduce execution time for "let" and "const" tests
1955         https://bugs.webkit.org/show_bug.cgi?id=147291
1956
1957         Reviewed by Geoffrey Garen.
1958
1959         We don't need to loop so many times for things that will not make it 
1960         into the DFG.  Also, we can loop a lot less for almost all the tests 
1961         because they're mostly testing the bytecode generator.
1962
1963         * tests/stress/const-and-with-statement.js:
1964         * tests/stress/const-exception-handling.js:
1965         * tests/stress/const-loop-semantics.js:
1966         * tests/stress/const-not-strict-mode.js:
1967         * tests/stress/const-semantics.js:
1968         * tests/stress/const-tdz.js:
1969         * tests/stress/lexical-let-and-with-statement.js:
1970         * tests/stress/lexical-let-exception-handling.js:
1971         (assert):
1972         * tests/stress/lexical-let-loop-semantics.js:
1973         (assert):
1974         (shouldThrowTDZ):
1975         (.):
1976         * tests/stress/lexical-let-not-strict-mode.js:
1977         * tests/stress/lexical-let-semantics.js:
1978         (.):
1979         * tests/stress/lexical-let-tdz.js:
1980         (shouldThrowTDZ):
1981         (.):
1982
1983 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1984
1985         Rename PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols
1986         https://bugs.webkit.org/show_bug.cgi?id=147311
1987
1988         Reviewed by Sam Weinig.
1989
1990         To make the meaning clear in the user side (PropertyNameArray array(exec, PropertyNameMode::StringsAndSymbols)),
1991         this patch renames PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols.
1992
1993         * bytecode/ObjectAllocationProfile.h:
1994         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1995         * runtime/EnumerationMode.h:
1996         * runtime/ObjectConstructor.cpp:
1997         (JSC::ownEnumerablePropertyKeys):
1998         (JSC::defineProperties):
1999         (JSC::objectConstructorSeal):
2000         (JSC::objectConstructorFreeze):
2001         (JSC::objectConstructorIsSealed):
2002         (JSC::objectConstructorIsFrozen):
2003         (JSC::ownPropertyKeys):
2004         * runtime/ReflectObject.cpp:
2005         (JSC::reflectObjectOwnKeys):
2006
2007 2015-07-27  Saam barati  <saambarati1@gmail.com>
2008
2009         Added a comment explaining that all "addVar()"s should happen before
2010         emitting bytecode for a function's default parameter expressions
2011
2012         Rubber Stamped by Mark Lam.
2013
2014         * bytecompiler/BytecodeGenerator.cpp:
2015         (JSC::BytecodeGenerator::BytecodeGenerator):
2016
2017 2015-07-26  Sam Weinig  <sam@webkit.org>
2018
2019         Add missing builtin files to the JavaScriptCore Xcode project
2020         https://bugs.webkit.org/show_bug.cgi?id=147312
2021
2022         Reviewed by Darin Adler.
2023
2024         * JavaScriptCore.xcodeproj/project.pbxproj:
2025         Add missing files.
2026
2027 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2028
2029         [ES6] Implement Reflect.isExtensible
2030         https://bugs.webkit.org/show_bug.cgi?id=147308
2031
2032         Reviewed by Sam Weinig.
2033
2034         This patch implements Reflect.isExtensible.
2035         It is similar to Object.isExtensible.
2036         The difference is that it raises an error if the first argument is not an object.
2037
2038         * runtime/ReflectObject.cpp:
2039         (JSC::reflectObjectIsExtensible):
2040         * tests/stress/reflect-is-extensible.js: Added.
2041         (shouldBe):
2042         (shouldThrow):
2043
2044 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2045
2046         Unreviewed, fix the debug build due to touching an undeclared variable in ASSERT
2047         https://bugs.webkit.org/show_bug.cgi?id=147307
2048
2049         * runtime/ObjectConstructor.cpp:
2050         (JSC::ownPropertyKeys):
2051
2052 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2053
2054         [ES6] Implement Reflect.ownKeys
2055         https://bugs.webkit.org/show_bug.cgi?id=147307
2056
2057         Reviewed by Sam Weinig.
2058
2059         This patch implements Reflect.ownKeys.
2060         In this patch, we refactor the existing code that lists the own keys of an object.
2061         Such code is used by Object.getOwnPropertyNames, Object.getOwnPropertyKeys, Object.keys and @ownEnumerableKeys.
2062         We factor out the listing of own keys into an ownPropertyKeys function and also use it in Reflect.ownKeys.
2063
2064         * runtime/ObjectConstructor.cpp:
2065         (JSC::objectConstructorGetOwnPropertyNames):
2066         (JSC::objectConstructorGetOwnPropertySymbols):
2067         (JSC::objectConstructorKeys):
2068         (JSC::ownEnumerablePropertyKeys):
2069         (JSC::ownPropertyKeys):
2070         * runtime/ObjectConstructor.h:
2071         * runtime/ReflectObject.cpp:
2072         (JSC::reflectObjectOwnKeys):
2073         * tests/stress/reflect-own-keys.js: Added.
2074         (shouldBe):
2075         (shouldThrow):
2076         (shouldBeArray):
2077
2078 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2079
2080         [ES6] Implement Reflect.apply
2081         https://bugs.webkit.org/show_bug.cgi?id=147306
2082
2083         Reviewed by Sam Weinig.
2084
2085         Implement Reflect.apply.
2086         The large part of this can be implemented by the @apply builtin annotation.
2087         The only thing that differs from Function.prototype.apply is the third parameter:
2088         "argumentsList" must be an object.
2089
2090         * builtins/ReflectObject.js:
2091         (apply):
2092         (deleteProperty):
2093         * runtime/ReflectObject.cpp:
2094         * tests/stress/reflect-apply.js: Added.
2095         (shouldBe):
2096         (shouldThrow):
2097         (get shouldThrow):
2098         (.get shouldThrow):
2099         (get var.array.get length):
2100         (get var.array.get 0):
2101         (.get var):
2102         * tests/stress/reflect-delete-property.js:
2103
2104 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2105
2106         [ES6] Add Reflect namespace and add Reflect.deleteProperty
2107         https://bugs.webkit.org/show_bug.cgi?id=147287
2108
2109         Reviewed by Sam Weinig.
2110
2111         This patch just creates the namespace for ES6 Reflect APIs.
2112         And adds template files to implement the actual code.
2113
2114         So as not to leave the JS generated properties C array empty,
2115         we add one small method, Reflect.deleteProperty, in this patch.
2116
2117         * CMakeLists.txt:
2118         * DerivedSources.make:
2119         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2120         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2121         * JavaScriptCore.xcodeproj/project.pbxproj:
2122         * builtins/ReflectObject.js: Added.
2123         (deleteProperty):
2124         * runtime/CommonIdentifiers.h:
2125         * runtime/JSGlobalObject.cpp:
2126         (JSC::JSGlobalObject::init):
2127         * runtime/ReflectObject.cpp: Added.
2128         (JSC::ReflectObject::ReflectObject):
2129         (JSC::ReflectObject::finishCreation):
2130         (JSC::ReflectObject::getOwnPropertySlot):
2131         * runtime/ReflectObject.h: Added.
2132         (JSC::ReflectObject::create):
2133         (JSC::ReflectObject::createStructure):
2134         * tests/stress/reflect-delete-property.js: Added.
2135         (shouldBe):
2136         (shouldThrow):
2137
2138 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2139
2140         Avoid 2 times name iteration in Object.assign
2141         https://bugs.webkit.org/show_bug.cgi?id=147268
2142
2143         Reviewed by Geoffrey Garen.
2144
2145         Object.assign calls Object.getOwnPropertyNames & Object.getOwnPropertySymbols to collect all the names.
2146         But exposing a private API that collects both at the same time makes the API efficient when the given Object has many non-indexed properties.
2147         Since Object.assign is such a generic API (some form of utility API), the form of the given Object cannot be assumed.
2148         So the given object may have many non-indexed properties.
2149
2150         In this patch, we introduce `ownEnumerablePropertyKeys` private function.
2151         It is a slightly modified version of `[[OwnPropertyKeys]]` in the ES6 spec;
2152         It only includes enumerable properties.
2153
2154         By filtering out the non-enumerable properties in the exposed private function,
2155         we avoid calling @objectGetOwnPropertyDescriptor for each property at the same time.
2156
2157         * builtins/ObjectConstructor.js:
2158         (assign):
2159         * runtime/CommonIdentifiers.h:
2160         * runtime/EnumerationMode.h:
2161         * runtime/JSGlobalObject.cpp:
2162         (JSC::JSGlobalObject::init):
2163         * runtime/ObjectConstructor.cpp:
2164         (JSC::ownEnumerablePropertyKeys):
2165         * runtime/ObjectConstructor.h:
2166         * tests/stress/object-assign-enumerable.js: Added.
2167         (shouldBe):
2168         * tests/stress/object-assign-order.js: Added.
2169         (shouldBe):
2170
2171 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2172
2173         Remove runtime flags for symbols
2174         https://bugs.webkit.org/show_bug.cgi?id=147246
2175
2176         Reviewed by Alex Christensen.
2177
2178         * runtime/ArrayPrototype.cpp:
2179         (JSC::ArrayPrototype::finishCreation):
2180         * runtime/JSGlobalObject.cpp:
2181         (JSC::JSGlobalObject::init): Deleted.
2182         * runtime/JSGlobalObject.h:
2183         * runtime/ObjectConstructor.cpp:
2184         (JSC::ObjectConstructor::finishCreation):
2185         * runtime/RuntimeFlags.h:
2186
2187 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2188
2189         Object.getOwnPropertySymbols on large list takes very long
2190         https://bugs.webkit.org/show_bug.cgi?id=146137
2191
2192         Reviewed by Mark Lam.
2193
2194         Before this patch, Object.getOwnPropertySymbols collected all the names, including strings,
2195         and after that filtered the names to retrieve only the symbols.
2196         But it's so time consuming if the given object is a large non-holed array since it has
2197         many indexed properties and all the indexes have to be converted to uniqued strings and
2198         added to the collection of property names (though they may not be of the requested type
2199         and will be filtered out later)
2200
2201         This patch introduces PropertyNameMode.
2202         We leverage this mode in 2 places.
2203
2204         1. PropertyNameArray side
2205         It is set in PropertyNameArray and it filters the incoming added identifiers based on the mode.
2206         It ensures that PropertyNameArray doesn't become so large in the pathological case.
2207         And it ensures that keys of a type not expected by the filter (Symbols or Strings) are never added
2208         to the property name array collections.
2209         However it does not solve the whole problem because the huge array still incurs the many
2210         "indexed property to uniqued string" conversion and the large iteration before adding the keys
2211         to the property name array.
2212
2213         2. getOwnPropertyNames side
2214         So we can use the PropertyNameMode in the caller side (getOwnPropertyNames) as a **hint**.
2215         When the large iteration may occur, the caller side can use the PropertyNameMode as a hint to
2216         avoid the iteration.
2217         But we cannot exclusively rely on these caller side checks because it would require that we
2218         exhaustively add the checks to all custom implementations of getOwnPropertyNames as well.
2219         This process requires manual inspection of many pieces of code, and is error prone. Instead,
2220         we only apply the caller side check in a few strategic places where it is known to yield
2221         performance benefits; and we rely on the filter in PropertyNameArray::add() to reject the wrong
2222         types of properties for all other calls to PropertyNameArray::add().
2223
2224         In this patch, there's a concept in use that is not clear just from reading the code, and hence
2225         should be documented here. When selecting the PropertyNameMode for the PropertyNameArray to be
2226         instantiated, we apply the following logic:
2227
2228         1. Only JavaScriptCore code is aware of ES6 Symbols.
2229         We can assume that pre-existing external code that interfaces with JSC is only looking for string named properties. This includes:
2230             a. WebCore bindings
2231             b. Serializer bindings
2232             c. NPAPI bindings
2233             d. Objective C bindings
2234         2. In JSC, code that computes object storage space needs to iterate both Symbol and String named properties. Hence, use PropertyNameMode::Both.
2235         3. In JSC, ES6 APIs that work with Symbols should use PropertyNameMode::Symbols.
2236         4. In JSC, ES6 APIs that work with String named properties should use PropertyNameMode::Strings.
2237
2238         * API/JSObjectRef.cpp:
2239         (JSObjectCopyPropertyNames):
2240         * bindings/ScriptValue.cpp:
2241         (Deprecated::jsToInspectorValue):
2242         * bytecode/ObjectAllocationProfile.h:
2243         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2244         * runtime/EnumerationMode.h:
2245         (JSC::EnumerationMode::EnumerationMode):
2246         (JSC::EnumerationMode::includeSymbolProperties): Deleted.
2247         * runtime/GenericArgumentsInlines.h:
2248         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2249         * runtime/JSGenericTypedArrayViewInlines.h:
2250         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
2251         * runtime/JSLexicalEnvironment.cpp:
2252         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2253         * runtime/JSONObject.cpp:
2254         (JSC::Stringifier::Stringifier):
2255         (JSC::Stringifier::Holder::appendNextProperty):
2256         (JSC::Walker::walk):
2257         * runtime/JSObject.cpp:
2258         (JSC::JSObject::getOwnPropertyNames):
2259         * runtime/JSPropertyNameEnumerator.cpp:
2260         (JSC::JSPropertyNameEnumerator::create):
2261         * runtime/JSPropertyNameEnumerator.h:
2262         (JSC::propertyNameEnumerator):
2263         * runtime/JSSymbolTableObject.cpp:
2264         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2265         * runtime/ObjectConstructor.cpp:
2266         (JSC::objectConstructorGetOwnPropertyNames):
2267         (JSC::objectConstructorGetOwnPropertySymbols):
2268         (JSC::objectConstructorKeys):
2269         (JSC::defineProperties):
2270         (JSC::objectConstructorSeal):
2271         (JSC::objectConstructorFreeze):
2272         (JSC::objectConstructorIsSealed):
2273         (JSC::objectConstructorIsFrozen):
2274         * runtime/PropertyNameArray.h:
2275         (JSC::PropertyNameArray::PropertyNameArray):
2276         (JSC::PropertyNameArray::mode):
2277         (JSC::PropertyNameArray::addKnownUnique):
2278         (JSC::PropertyNameArray::add):
2279         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
2280         (JSC::PropertyNameArray::includeSymbolProperties):
2281         (JSC::PropertyNameArray::includeStringProperties):
2282         * runtime/StringObject.cpp:
2283         (JSC::StringObject::getOwnPropertyNames):
2284         * runtime/Structure.cpp:
2285         (JSC::Structure::getPropertyNamesFromStructure):
2286
2287 2015-07-24  Saam barati  <saambarati1@gmail.com>
2288
2289         [ES6] Add support for default parameters
2290         https://bugs.webkit.org/show_bug.cgi?id=38409
2291
2292         Reviewed by Filip Pizlo.
2293
2294         This patch implements ES6 default parameters according to the ES6
2295         specification. This patch builds off the components introduced with 
2296         "let" scoping and parsing function parameters in the same parser
2297         arena as the function itself. "let" scoping allows functions with default 
2298         parameter values to place their parameters under the TDZ. Parsing function
2299         parameters in the same parser arena allows the FunctionParameters AST node
2300         to refer to ExpressionNodes.
2301
2302         The most subtle part of this patch is how we allocate lexical environments
2303         when functions have default parameter values. If a function has default
2304         parameter values then there must be a separate lexical environment for
2305         its parameters. Then, the function's "var" lexical environment must have
2306         the parameter lexical environment as its parent. The BytecodeGenerator
2307         takes great care to not allocate the "var" lexical environment before it's
2308         really needed.
2309
2310         The "arguments" object for a function with default parameters will never be 
2311         a mapped arguments object. It will always be a cloned arguments object.
2312
2313         * bytecompiler/BytecodeGenerator.cpp:
2314         (JSC::BytecodeGenerator::generate):
2315         (JSC::BytecodeGenerator::BytecodeGenerator):
2316         (JSC::BytecodeGenerator::~BytecodeGenerator):
2317         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2318         (JSC::BytecodeGenerator::initializeNextParameter):
2319         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
2320         (JSC::BytecodeGenerator::visibleNameForParameter):
2321         (JSC::BytecodeGenerator::emitLoadGlobalObject):
2322         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
2323         (JSC::BytecodeGenerator::pushLexicalScope):
2324         (JSC::BytecodeGenerator::popLexicalScope):
2325         * bytecompiler/BytecodeGenerator.h:
2326         (JSC::BytecodeGenerator::lastOpcodeID):
2327         * bytecompiler/NodesCodegen.cpp:
2328         (JSC::FunctionNode::emitBytecode):
2329         * jit/JITOperations.cpp:
2330         * parser/ASTBuilder.h:
2331         (JSC::ASTBuilder::createElementList):
2332         (JSC::ASTBuilder::createFormalParameterList):
2333         (JSC::ASTBuilder::appendParameter):
2334         (JSC::ASTBuilder::createClause):
2335         (JSC::ASTBuilder::createClauseList):
2336         * parser/Nodes.h:
2337         (JSC::FunctionParameters::size):
2338         (JSC::FunctionParameters::at):
2339         (JSC::FunctionParameters::hasDefaultParameterValues):
2340         (JSC::FunctionParameters::append):
2341         * parser/Parser.cpp:
2342         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2343         (JSC::Parser<LexerType>::createBindingPattern):
2344         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
2345         (JSC::Parser<LexerType>::parseDestructuringPattern):
2346         (JSC::Parser<LexerType>::parseFormalParameters):
2347         (JSC::Parser<LexerType>::parseFunctionParameters):
2348         * parser/Parser.h:
2349         (JSC::Scope::declareParameter):
2350         * parser/SyntaxChecker.h:
2351         (JSC::SyntaxChecker::createElementList):
2352         (JSC::SyntaxChecker::createFormalParameterList):
2353         (JSC::SyntaxChecker::appendParameter):
2354         (JSC::SyntaxChecker::createClause):
2355         (JSC::SyntaxChecker::createClauseList):
2356         * tests/stress/es6-default-parameters.js: Added.
2357         (assert):
2358         (shouldThrow):
2359         (shouldThrowSyntaxError):
2360         (shouldThrowTDZ):
2361         (basic):
2362         (basicFunctionCaptureInDefault.basicFunctionCaptureInDefault.basicCaptured):
2363         (basicCaptured.basicCaptured.tricky):
2364         (strict):
2365         (playground):
2366         (scoping):
2367         (augmentsArguments1):
2368         (augmentsArguments2):
2369         (augmentsArguments3):
2370         (augmentsArguments4):
2371         (augmentsArguments5):
2372
2373 2015-07-24  Xabier Rodriguez Calvar  <calvaris@igalia.com>
2374
2375         Remove JS Promise constructor unused piece of code
2376         https://bugs.webkit.org/show_bug.cgi?id=147262
2377
2378         Reviewed by Geoffrey Garen.
2379
2380         * runtime/JSPromiseConstructor.cpp:
2381         (JSC::constructPromise): Deleted.
2382         * runtime/JSPromiseConstructor.h: Removed JSC::constructPromise.
2383
2384 2015-07-24  Mark Lam  <mark.lam@apple.com>
2385
2386         Add WASM files to vcxproj files.
2387         https://bugs.webkit.org/show_bug.cgi?id=147264
2388
2389         Reviewed by Geoffrey Garen.
2390
2391         This is a follow up to http://trac.webkit.org/changeset/187254 where WASM files
2392         were introduced but were not able to be added to the vcxproj files yet.
2393
2394         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2395         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2396
2397 2015-07-23  Filip Pizlo  <fpizlo@apple.com>
2398
2399         DFG::safeToExecute() is wrong for MultiGetByOffset, doesn't consider the structures of the prototypes that get loaded from
2400         https://bugs.webkit.org/show_bug.cgi?id=147250
2401
2402         Reviewed by Geoffrey Garen.
2403         
2404         This fixes a nasty - but currently benign - bug in DFG::safeToExecute(). That function
2405         will tell you if hoisting a node to some point is safe in the sense that the node will
2406         not crash the VM if it executes at that point. A node may be unsafe to execute if we
2407         cannot prove that at that point, the memory it is loading is not garbage. This is a
2408         necessarily loose notion - for example it's OK to hoist a load if we haven't proved
2409         that the load makes semantic sense at that point, since anyway the place where the node
2410         did get used will still be guarded by any such semantic checks. But because we may also
2411         hoist uses of the load, we need to make sure that it doesn't produce a garbage value.
2412         Also, we need to ensure that the load won't trap. Hence safeToExecute() returns true
2413         anytime we can be sure that a node will not produce a garbage result (i.e. a malformed
2414         JSValue or object pointer) and will not trap when executed at the point in question.
2415         
2416         The bug is that this verification isn't performed for the loads from prototypes inside
2417         MultiGetByOffset. DFG::ByteCodeParser will guard MultiGetByOffset with CheckStructure's
2418         on the prototypes. So, hypothetically, you might end up hoisting a MultiGetByOffset
2419         above those structure checks, which would mean that we might load a value from a memory
2420         location without knowing that the location is valid. It might then return the value
2421         loaded.
2422         
2423         This never happens in practice. Those structure checks are more hoistable than the
2424         MultiGetByOffset, since they read a strict subset of the MultiGetByOffset's abstract
2425         heap reads. Also, we hoist in program order. So, those CheckStructure's will always be
2426         hoisted before the MultiGetByOffset gets hoisted.
2427         
2428         But we should fix this anyway. DFG::safeToExecute() has a clear definition of what a
2429         "true" return means for IR transformations, and it fails in satisfying that definition
2430         for MultiGetByOffset.
2431         
2432         There are various approaches we can use for making this safe. I considered two:
2433         
2434         1) Have MultiGetByOffset refer to the prototypes it is loading from in IR, so that we
2435            can check if it's safe to load from them.
2436         
2437         2) Turn off MultiGetByOffset hoisting when it will emit loads from prototypes, and the
2438            prototype structure isn't being watched.
2439         
2440         I ended up using (2), because it will be the most natural solution once I finish
2441         https://bugs.webkit.org/show_bug.cgi?id=146929. Already now, it's somewhat more natural
2442         than (1) since that requires more extensive IR changes. Also, (2) will give us what we
2443         want in *most* cases: we will usually watch the prototype structure, and we will
2444         usually constant-fold loads from prototypes. Both of these usually-true things would
2445         have to become false for MultiGetByOffset hoisting to be disabled by this change.
2446         
2447         This change also adds my attempt at a test, though it's not really a test of this bug.
2448         This bug is currently benign. But, the test does at least trigger the logic to run,
2449         which is better than nothing.
2450
2451         * dfg/DFGSafeToExecute.h:
2452         (JSC::DFG::safeToExecute):
2453         * tests/stress/multi-get-by-offset-hoist-around-structure-check.js: Added.
2454         (foo):
2455
2456 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2457
2458         Implement WebAssembly modules
2459         https://bugs.webkit.org/show_bug.cgi?id=147222
2460
2461         Reviewed by Filip Pizlo.
2462
2463         Make JSWASMModule inherit from JSDestructibleObject so that the destructor is called.
2464
2465         * wasm/JSWASMModule.h:
2466
2467 2015-07-23  Alex Christensen  <achristensen@webkit.org>
2468
2469         Remove compile and runtime flags for promises.
2470         https://bugs.webkit.org/show_bug.cgi?id=147244
2471
2472         Reviewed by Yusuke Suzuki.
2473
2474         * API/JSCallbackObjectFunctions.h:
2475         (JSC::JSCallbackObject<Parent>::JSCallbackObject):
2476         * API/JSContextRef.cpp:
2477         (JSGlobalContextCreateInGroup):
2478         * Configurations/FeatureDefines.xcconfig:
2479         * inspector/JSInjectedScriptHost.cpp:
2480         (Inspector::JSInjectedScriptHost::getInternalProperties):
2481         * runtime/JSGlobalObject.cpp:
2482         (JSC::JSGlobalObject::init):
2483         (JSC::JSGlobalObject::visitChildren):
2484         * runtime/JSGlobalObject.h:
2485         (JSC::JSGlobalObject::create):
2486         (JSC::JSGlobalObject::syntaxErrorConstructor):
2487         (JSC::JSGlobalObject::typeErrorConstructor):
2488         (JSC::JSGlobalObject::URIErrorConstructor):
2489         (JSC::JSGlobalObject::promiseConstructor):
2490         (JSC::JSGlobalObject::nullGetterFunction):
2491         (JSC::JSGlobalObject::nullSetterFunction):
2492         (JSC::JSGlobalObject::applyFunction):
2493         (JSC::JSGlobalObject::definePropertyFunction):
2494         (JSC::JSGlobalObject::arrayProtoValuesFunction):
2495         (JSC::JSGlobalObject::initializePromiseFunction):
2496         (JSC::JSGlobalObject::newPromiseDeferredFunction):
2497         (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
2498         (JSC::JSGlobalObject::regExpPrototype):
2499         (JSC::JSGlobalObject::errorPrototype):
2500         (JSC::JSGlobalObject::iteratorPrototype):
2501         (JSC::JSGlobalObject::promisePrototype):
2502         (JSC::JSGlobalObject::debuggerScopeStructure):
2503         (JSC::JSGlobalObject::withScopeStructure):
2504         (JSC::JSGlobalObject::iteratorResultStructure):
2505         (JSC::JSGlobalObject::iteratorResultStructureOffset):
2506         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
2507         (JSC::JSGlobalObject::promiseStructure):
2508         * runtime/JSPromise.cpp:
2509         (JSC::JSPromise::result):
2510         * runtime/JSPromise.h:
2511         * runtime/JSPromiseConstructor.cpp:
2512         (JSC::constructPromise):
2513         * runtime/JSPromiseConstructor.h:
2514         * runtime/JSPromiseDeferred.cpp:
2515         (JSC::JSPromiseDeferred::visitChildren):
2516         * runtime/JSPromiseDeferred.h:
2517         * runtime/JSPromisePrototype.cpp:
2518         (JSC::JSPromisePrototype::getOwnPropertySlot):
2519         * runtime/JSPromisePrototype.h:
2520         * runtime/RuntimeFlags.h:
2521         * runtime/VM.cpp:
2522         (JSC::VM::VM):
2523         * runtime/VM.h:
2524
2525 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2526
2527         Implement WebAssembly modules
2528         https://bugs.webkit.org/show_bug.cgi?id=147222
2529
2530         Reviewed by Mark Lam.
2531
2532         Introducing the boilerplate data structure for the WebAssembly module.
2533         WebAssembly functionality will be added in a subsequent patch.
2534
2535         * CMakeLists.txt:
2536         * JavaScriptCore.xcodeproj/project.pbxproj:
2537         * wasm/JSWASMModule.cpp: Added.
2538         (JSC::JSWASMModule::visitChildren):
2539         * wasm/JSWASMModule.h: Added.
2540         (JSC::JSWASMModule::create):
2541         (JSC::JSWASMModule::createStructure):
2542         (JSC::JSWASMModule::JSWASMModule):
2543
2544 2015-07-23  Devin Rousso  <drousso@apple.com>
2545
2546         Web Inspector: Add a function to CSSCompletions to get a list of supported system fonts
2547         https://bugs.webkit.org/show_bug.cgi?id=147009
2548
2549         Reviewed by Joseph Pecoraro.
2550
2551         * inspector/protocol/CSS.json: Added getSupportedSystemFontFamilyNames function.
2552
2553 2015-07-22  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2554
2555         Add ENABLE_WEBASSEMBLY feature flag for WebAssembly
2556         https://bugs.webkit.org/show_bug.cgi?id=147212
2557
2558         Reviewed by Filip Pizlo.
2559
2560         * Configurations/FeatureDefines.xcconfig:
2561
2562 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
2563
2564         Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time
2565         https://bugs.webkit.org/show_bug.cgi?id=147218
2566
2567         Reviewed by Sam Weinig.
2568         
2569         I want to be able to take a UniquedStringImpl* and turn it into an identifierNumber at
2570         various points in my work on https://bugs.webkit.org/show_bug.cgi?id=146929. Currently,
2571         most Nodes that deal with identifiers use identifierNumbers and you can only create an
2572         identifierNumber in BytecodeGenerator. DFG::ByteCodeParser does sort of have the
2573         ability to create new identifierNumbers when inlining - it takes the inlined code's
2574         identifiers and either gives them new numbers or reuses numbers from the enclosing
2575         code.
2576         
2577         This patch takes that basic functionality and puts it in
2578         DFG::DesiredIdentifiers::ensure(). Anyone can call this at any time to turn a
2579         UniquedStringImpl* into an identifierNumber. This data structure is already used by
2580         Plan to properly install any newly created identifier table entries into the CodeBlock.
2581
2582         * dfg/DFGByteCodeParser.cpp:
2583         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2584         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
2585         (JSC::DFG::ByteCodeParser::linkBlocks):
2586         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2587         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): Deleted.
2588         * dfg/DFGDesiredIdentifiers.cpp:
2589         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
2590         (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
2591         (JSC::DFG::DesiredIdentifiers::ensure):
2592         (JSC::DFG::DesiredIdentifiers::at):
2593         (JSC::DFG::DesiredIdentifiers::addLazily): Deleted.
2594         * dfg/DFGDesiredIdentifiers.h:
2595
2596 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
2597
2598         Simplify things like CompareEq(@x,@x)
2599         https://bugs.webkit.org/show_bug.cgi?id=145850
2600
2601         Reviewed by Sam Weinig.
2602         
2603         This simplifies x==x to true, except in cases where x might be a double (in which case this
2604         might still be false if x is NaN).
2605
2606         * dfg/DFGAbstractInterpreterInlines.h:
2607         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2608         * tests/stress/nan-equal-untyped.js: Added.
2609         (foo):
2610         (test):
2611         * tests/stress/nan-equal.js: Added.
2612         (foo):
2613
2614 2015-07-22  Joseph Pecoraro  <pecoraro@apple.com>
2615
2616         Web Inspector: Timeline should immediately start moving play head when starting a new recording
2617         https://bugs.webkit.org/show_bug.cgi?id=147210
2618
2619         Reviewed by Timothy Hatcher.
2620
2621         * inspector/protocol/Timeline.json:
2622         Add timestamps to recordingStarted and recordingStopped events.
2623
2624 2015-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2625
2626         Introducing construct ability into JS executables
2627         https://bugs.webkit.org/show_bug.cgi?id=147183
2628
2629         Reviewed by Geoffrey Garen.
2630
2631         Decouple the construct ability from the builtin functions.
2632         Currently, since r182995, no builtin functions are constructors.
2633         In that patch, when the given function is a builtin JS function, we treat it as a non-constructor function.
2634
2635         But we need to relax this to implement some constructors in builtin JS.
2636         By decoupling the construct ability from whether the function is builtin or not, we can provide
2637
2638         1. constructors written in builtin JS
2639         2. non-constructors in normal JS functions
2640
2641         (1) is needed for Promise constructor.
2642         And (2) is needed for method functions and arrow functions.
2643
2644         This patch introduces ConstructAbility into the unlinked function executables.
2645         It holds whether the given JS function has the construct ability or not.
2646         By leveraging this, this patch disables the construct ability of the method definitions, setters, getters and arrow functions.
2647
2648         And at the same time, this patch introduces the annotation for constructor in builtin JS.
2649         We can define the function as follows,
2650
2651             constructor Promise(executor)
2652             {
2653                 ...
2654             }
2655
2656         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2657         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2658         * JavaScriptCore.xcodeproj/project.pbxproj:
2659         * builtins/BuiltinExecutables.cpp:
2660         (JSC::BuiltinExecutables::createDefaultConstructor):
2661         (JSC::BuiltinExecutables::createExecutableInternal):
2662         * builtins/BuiltinExecutables.h:
2663         * builtins/Iterator.prototype.js:
2664         (symbolIterator):
2665         (SymbolIterator): Deleted.
2666         * bytecode/UnlinkedCodeBlock.cpp:
2667         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2668         * bytecode/UnlinkedCodeBlock.h:
2669         * bytecompiler/BytecodeGenerator.h:
2670         (JSC::BytecodeGenerator::makeFunction):
2671         * generate-js-builtins:
2672         (getCopyright):
2673         (Function):
2674         (Function.__init__):
2675         (Function.mangleName):
2676         (getFunctions):
2677         (mangleName): Deleted.
2678         * jit/JITOperations.cpp:
2679         * llint/LLIntSlowPaths.cpp:
2680         (JSC::LLInt::setUpCall):
2681         * parser/Parser.cpp:
2682         (JSC::Parser<LexerType>::parseClass):
2683         * runtime/CodeCache.cpp:
2684         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2685         * runtime/CommonIdentifiers.h:
2686         * runtime/ConstructAbility.h: Copied from Source/JavaScriptCore/builtins/Iterator.prototype.js.
2687         * runtime/Executable.h:
2688         * runtime/JSFunction.cpp:
2689         (JSC::JSFunction::getConstructData):
2690         * runtime/JSGlobalObject.cpp:
2691         (JSC::JSGlobalObject::init):
2692         * tests/stress/non-constructors.js: Added.
2693         (shouldThrow):
2694         (.prototype.method):
2695         (.prototype.get getter):
2696         (.prototype.set setter):
2697         (.method):
2698         (.get shouldThrow):
2699         (.set shouldThrow):
2700         (set var.test.get getter):
2701         (set var.test.set setter):
2702         (set var.test.normal):
2703         (.set var):
2704         (.set new):
2705
2706 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
2707
2708         [JSC] Enable exception fuzzing for GCC too
2709         https://bugs.webkit.org/show_bug.cgi?id=146831
2710
2711         Reviewed by Darin Adler.
2712
2713         * jit/JITOperations.cpp:
2714
2715 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
2716
2717         Fixed pool allocation should always be aligned
2718         https://bugs.webkit.org/show_bug.cgi?id=147201
2719
2720         Reviewed by Simon Fraser.
2721         
2722         Passing an unaligned size to the allocator can cause asserts or even worse things. The
2723         Options reservation value isn't going to be aligned.
2724
2725         * jit/ExecutableAllocatorFixedVMPool.cpp:
2726         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2727
2728 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
2729
2730         Enable STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE for GCC
2731         https://bugs.webkit.org/show_bug.cgi?id=146829
2732
2733         Reviewed by Brent Fulgham.
2734
2735         * heap/GCAssertions.h:
2736
2737 2015-07-22  Alex Christensen  <achristensen@webkit.org>
2738
2739         Fix quirks in CMake build on Mac and Windows
2740         https://bugs.webkit.org/show_bug.cgi?id=147174
2741
2742         Reviewed by Gyuyoung Kim.
2743
2744         * PlatformMac.cmake:
2745         Add JSRemoteInspector.cpp and remove semicolon from command to make it actually run.
2746
2747 2015-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2748
2749         Add newTarget accessor to JS constructor written in C++
2750         https://bugs.webkit.org/show_bug.cgi?id=147160
2751
2752         Reviewed by Geoffrey Garen.
2753
2754         This patch adds `ExecState#newTarget()`, which returns the `new.target` value defined in ECMA-262 6th edition.
2755         It enables C++ constructors (like the Intl.XXX constructors) to leverage this to complete
2756         their implementation.
2757
2758         When the constructor is called, |this| in the arguments is used for storing new.target instead.
2759         So by adding the accessor for |this|, JS constructor written in C++ can access new.target.
2760
2761         At the same time, this patch extends the existing `construct` to accept a new.target value.
2762         This corresponds to the spec's Construct abstract operation.
2763
2764         * interpreter/CallFrame.h:
2765         (JSC::ExecState::newTarget):
2766         * interpreter/Interpreter.cpp:
2767         (JSC::Interpreter::executeConstruct):
2768         * interpreter/Interpreter.h:
2769         * runtime/ConstructData.cpp:
2770         (JSC::construct):
2771         * runtime/ConstructData.h:
2772         (JSC::construct):
2773
2774 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
2775
2776         Unreviewed, fix a lot of tests. Need to initialize WTF threading sooner.
2777
2778         * jsc.cpp:
2779         (main):
2780
2781 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
2782
2783         Fixed VM pool allocation should have a reserve for allocations that cannot fail
2784         https://bugs.webkit.org/show_bug.cgi?id=147154
2785         rdar://problem/21847618
2786
2787         Reviewed by Geoffrey Garen.
2788         
2789         This adds the notion of a JIT pool reserve fraction. Some fraction, currently 1/4, of
2790         the JIT pool is reserved for allocations that cannot fail. It makes sense to make this
2791         a fraction rather than a constant because each allocation that can fail may cause some
2792         number of allocations that cannot fail (for example, the OSR exit thunks that we
2793         compile when we exit from some CodeBlock cannot fail).
2794         
2795         I've tested this by adding a test mode where we artificially limit the JIT pool size.
2796         Prior to the fix, we had >20 failures. Now we have none.
2797
2798         * heap/GCLogging.cpp:
2799         (WTF::printInternal): I needed a dump method on Options members when debugging this.
2800         * heap/GCLogging.h:
2801         * jit/ExecutableAllocator.h: Raise the ARM64 limit to 32MB because 16MB is cutting it too close.
2802         * jit/ExecutableAllocatorFixedVMPool.cpp:
2803         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Add the ability to artificially limit JIT pool size for testing.
2804         (JSC::ExecutableAllocator::memoryPressureMultiplier): Implement the reserve when computing memory pressure for JIT tier-up heuristics.
2805         (JSC::ExecutableAllocator::allocate): Implement the reserve when allocating can-fail things.
2806         * jsc.cpp: Rewire some options parsing so that CommandLine happens before we create the JIT pool.
2807         (main):
2808         (CommandLine::parseArguments):
2809         (jscmain):
2810         * runtime/Options.cpp: 
2811         (JSC::OptionRange::dump): I needed a dump method on Options members when debugging this.
2812         (JSC::Options::initialize): This can now be called more than once.
2813         * runtime/Options.h:
2814
2815 2015-07-21  Saam barati  <saambarati1@gmail.com>
2816
2817         ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier"
2818         https://bugs.webkit.org/show_bug.cgi?id=147156
2819
2820         Reviewed by Andreas Kling.
2821
2822         * parser/Nodes.h:
2823
2824 2015-07-21  Basile Clement  <basile_clement@apple.com>
2825
2826         Object allocation sinking phase is performing needless HashMap copies
2827         https://bugs.webkit.org/show_bug.cgi?id=147159
2828
2829         Reviewed by Geoffrey Garen.
2830
2831         The points-to analyzer in the object allocation sinking phase is
2832         currently performing copies of its allocation and pointers tables in
2833         several places. While this is not a huge problem since those tables are
2834         usually small and we are in the FTL path anyway, we still shouldn't be
2835         doing such useless copying.
2836
2837         This patch also removes the DFGInsertOSRHintsForUpdate files that are
2838         no longer needed with the new object sinking phase and should have been
2839         removed in r186795.
2840
2841         * CMakeLists.txt:
2842         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2843         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2844         * JavaScriptCore.xcodeproj/project.pbxproj:
2845         * dfg/DFGInsertOSRHintsForUpdate.cpp: Removed.
2846         (JSC::DFG::insertOSRHintsForUpdate): Deleted.
2847         * dfg/DFGInsertOSRHintsForUpdate.h: Removed.
2848         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2849
2850 2015-07-21  Saam barati  <saambarati1@gmail.com>
2851
2852         DestructuringPatternNode and DestructuringAssignmentNode should be ParserArenaFreeable
2853         https://bugs.webkit.org/show_bug.cgi?id=147140
2854
2855         Reviewed by Geoffrey Garen.
2856
2857         The descendants of DestructuringPatternNode that need destruction also
2858         inherit from ParserArenaDeletable.
2859
2860         * parser/Nodes.h:
2861         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
2862         (JSC::ObjectPatternNode::appendEntry):
2863         (JSC::DestructuringAssignmentNode::bindings):
2864
2865 2015-07-21  Keith Miller  <keith_miller@apple.com>
2866
2867         Add support for the new.target syntax.
2868         https://bugs.webkit.org/show_bug.cgi?id=147051
2869
2870         Reviewed by Yusuke Suzuki.
2871
2872         Add support for new.target. Essentially the implementation is, before constructor calls,
2873         the target of a "new" is placed where "this" normally goes in the calling convention.
2874         Then in the constructor before object is initialized we move the target of the "new"
2875         into a local variable.
2876
2877         * bytecompiler/BytecodeGenerator.cpp:
2878         (JSC::BytecodeGenerator::BytecodeGenerator):
2879         * bytecompiler/NodesCodegen.cpp:
2880         (JSC::NewTargetNode::emitBytecode):
2881         * parser/ASTBuilder.h:
2882         (JSC::ASTBuilder::newTargetExpr):
2883         * parser/NodeConstructors.h:
2884         (JSC::NewTargetNode::NewTargetNode):
2885         * parser/Nodes.h:
2886         * parser/Parser.cpp:
2887         (JSC::Parser<LexerType>::parseMemberExpression):
2888         * parser/SyntaxChecker.h:
2889         (JSC::SyntaxChecker::newTargetExpr):
2890         * runtime/CommonIdentifiers.h:
2891         * tests/stress/new-target.js: Added.
2892         (test):
2893         (call):
2894         (Constructor.subCall):
2895         (Constructor.SubConstructor):
2896         (Constructor):
2897         (noAssign):
2898         (doWeirdThings):
2899         (SuperClass):
2900         (SubClass):
2901
2902 2015-07-20  Saam barati  <saambarati1@gmail.com>
2903
2904         "let" scoping introduced incoherent story about symbol table cloning
2905         https://bugs.webkit.org/show_bug.cgi?id=147046
2906
2907         Reviewed by Filip Pizlo.
2908
2909         This patch now establishes a clear set of rules for how SymbolTables
2910         are owned by CodeBlock. Every SymbolTable that is used by a bytecode
2911         instruction must live in CodeBlock's constant register pool. When CodeBlock
2912         is being linked, it ensures that every SymbolTable in the constant pool is cloned. 
2913         This leaves no room for an un-cloned symbol table to be used by a bytecode instruction. 
2914         Some instructions may refer to SymbolTables indirectly through a JSLexicalEnvironment.
2915         This is fine; all JSLexicalEnvironments are allocated with references to cloned symbol tables.
2916
2917         Another goal of this patch is to remove the notion that a SymbolTable is 1 to 1 
2918         with a CodeBlock. With lexical scoping, this view of the world is no longer
2919         correct. This patch begins to remove this assumption by making CodeBlock's
2920         symbolTable() getter method private. There is still one place where we need
2921         to purge our codebase of this assumption and that is the type profiler. It 
2922         has not been updated for lexical scoping. After it is updated in 
2923         https://bugs.webkit.org/show_bug.cgi?id=145438
2924         we will be able to remove CodeBlock's symbolTable() getter entirely.
2925
2926         * bytecode/CodeBlock.cpp:
2927         (JSC::CodeBlock::CodeBlock):
2928         (JSC::CodeBlock::nameForRegister):
2929         * bytecode/CodeBlock.h:
2930         (JSC::CodeBlock::addStringSwitchJumpTable):
2931         (JSC::CodeBlock::stringSwitchJumpTable):
2932         (JSC::CodeBlock::evalCodeCache):
2933         (JSC::CodeBlock::symbolTable):
2934         * bytecode/UnlinkedCodeBlock.cpp:
2935         (JSC::UnlinkedFunctionExecutable::visitChildren):
2936         (JSC::UnlinkedFunctionExecutable::link):
2937         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2938         * bytecode/UnlinkedCodeBlock.h:
2939         (JSC::UnlinkedCodeBlock::addExceptionHandler):
2940         (JSC::UnlinkedCodeBlock::exceptionHandler):
2941         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
2942         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
2943         (JSC::UnlinkedCodeBlock::symbolTable): Deleted.
2944         (JSC::UnlinkedCodeBlock::setSymbolTable): Deleted.
2945         * bytecompiler/BytecodeGenerator.cpp:
2946         (JSC::BytecodeGenerator::generate):
2947         (JSC::BytecodeGenerator::BytecodeGenerator):
2948         (JSC::BytecodeGenerator::pushLexicalScope):
2949         (JSC::BytecodeGenerator::variableForLocalEntry):
2950         (JSC::BytecodeGenerator::createVariable):
2951         (JSC::BytecodeGenerator::resolveType):
2952         (JSC::BytecodeGenerator::emitResolveScope):
2953         * bytecompiler/BytecodeGenerator.h:
2954         (JSC::BytecodeGenerator::thisRegister):
2955         (JSC::BytecodeGenerator::instructions):
2956         (JSC::BytecodeGenerator::symbolTable): Deleted.
2957         * dfg/DFGGraph.h:
2958         (JSC::DFG::Graph::baselineCodeBlockFor):
2959         (JSC::DFG::Graph::isStrictModeFor):
2960         (JSC::DFG::Graph::symbolTableFor): Deleted.
2961         * jit/AssemblyHelpers.h:
2962         (JSC::AssemblyHelpers::baselineCodeBlock):
2963         (JSC::AssemblyHelpers::argumentsStart):
2964         (JSC::AssemblyHelpers::symbolTableFor): Deleted.
2965         * runtime/CommonSlowPaths.cpp:
2966         (JSC::SLOW_PATH_DECL):
2967         * runtime/Executable.cpp:
2968         (JSC::FunctionExecutable::visitChildren):
2969         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
2970         (JSC::FunctionExecutable::symbolTable): Deleted.
2971         * runtime/Executable.h:
2972
2973 2015-07-18  Filip Pizlo  <fpizlo@apple.com>
2974
2975         REGRESSION(186691): OSR entry is broken on loop headers that have no live variables
2976         https://bugs.webkit.org/show_bug.cgi?id=147074
2977         rdar://problem/21869970
2978
2979         Reviewed by Michael Saboff.
2980         
2981         The OSR entry must-handle block/value widening introduced in r186691 would cause the
2982         CFA to reexecute if it caused any live local variables to change value. But this fails
2983         if the must-handle block has no live local variables, and the entry block otherwise
2984         appears to be unreachable.
2985         
2986         This fixes the bug by having the change detection include whether the block hadn't been
2987         visited in addition to whether any local variable values got widened.
2988         
2989         This is a ~4% speed-up on SunSpider in browser.
2990
2991         * dfg/DFGCFAPhase.cpp:
2992         (JSC::DFG::CFAPhase::run):
2993
2994 2015-07-20  Mark Lam  <mark.lam@apple.com>
2995
2996         Rollout r187020 and r187021: breaks JSC API tests on debug builds.
2997         https://bugs.webkit.org/show_bug.cgi?id=147110
2998
2999         * heap/MachineStackMarker.cpp:
3000         (JSC::MachineThreads::addCurrentThread):
3001         * runtime/JSLock.cpp:
3002         (JSC::JSLockHolder::~JSLockHolder):
3003         (JSC::JSLock::JSLock):
3004         (JSC::JSLock::willDestroyVM):
3005         (JSC::JSLock::setExclusiveThread):
3006         (JSC::JSLock::lock):
3007         (JSC::JSLock::unlock):
3008         (JSC::JSLock::currentThreadIsHoldingLock):
3009         (JSC::JSLock::dropAllLocks):
3010         * runtime/JSLock.h:
3011         (JSC::JSLock::vm):
3012         (JSC::JSLock::hasExclusiveThread):
3013         (JSC::JSLock::exclusiveThread):
3014         * runtime/VM.h:
3015         (JSC::VM::hasExclusiveThread):
3016         (JSC::VM::exclusiveThread):
3017         (JSC::VM::setExclusiveThread):
3018
3019 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
3020
3021         Unreviewed debug build fix after r187020.
3022
3023         * heap/MachineStackMarker.cpp:
3024         (JSC::MachineThreads::addCurrentThread):
3025         VM::exclusiveThread() has changed return type to ThreadIdentifier.
3026
3027 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
3028
3029         JavaScriptCore performance is very bad on Windows
3030         https://bugs.webkit.org/show_bug.cgi?id=146448
3031
3032         Reviewed by Mark Lam.
3033
3034         Profiling shows that std::this_thread::get_id() is slow on Windows.
3035         Use WTF::currentThread() instead, which calls GetCurrentThreadId().
3036         This is faster on Windows. The issue has been reported to Microsoft,
3037         https://connect.microsoft.com/VisualStudio/feedback/details/1558211.
3038
3039         * runtime/JSLock.cpp:
3040         (JSC::JSLockHolder::~JSLockHolder):
3041         (JSC::JSLock::JSLock):
3042         (JSC::JSLock::willDestroyVM):
3043         (JSC::JSLock::setExclusiveThread):
3044         (JSC::JSLock::lock):
3045         (JSC::JSLock::unlock):
3046         (JSC::JSLock::currentThreadIsHoldingLock):
3047         * runtime/JSLock.h:
3048         (JSC::JSLock::vm):
3049         (JSC::JSLock::hasExclusiveThread):
3050         (JSC::JSLock::exclusiveThread):
3051         * runtime/VM.h:
3052         (JSC::VM::hasExclusiveThread):
3053         (JSC::VM::exclusiveThread):
3054         (JSC::VM::setExclusiveThread):
3055
3056 2015-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3057
3058         In strict mode, `Object.keys(arguments)` includes "length"
3059         https://bugs.webkit.org/show_bug.cgi?id=147071
3060
3061         Reviewed by Darin Adler.
3062
3063         ClonedArguments didn't set the "length" property with DontEnum.
3064
3065         * runtime/ClonedArguments.cpp:
3066         (JSC::ClonedArguments::createWithInlineFrame):
3067         (JSC::ClonedArguments::createByCopyingFrom):
3068         * tests/stress/arguments-length-always-dont-enum.js: Added.
3069         (shouldBe):
3070         (argsSloppy):
3071         (argsStrict):
3072
3073 2015-07-19  Jordan Harband  <ljharb@gmail.com>
3074
3075         new Date(NaN).toJSON() must return null instead of throwing a TypeError
3076         https://bugs.webkit.org/show_bug.cgi?id=141115
3077
3078         Reviewed by Yusuke Suzuki.
3079
3080         * runtime/DatePrototype.cpp:
3081         (JSC::dateProtoFuncToJSON):
3082
3083 2015-07-19  Saam barati  <saambarati1@gmail.com>
3084
3085         Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions
3086         https://bugs.webkit.org/show_bug.cgi?id=147090
3087
3088         Reviewed by Yusuke Suzuki.
3089
3090         ArrowFunctions have their ParserFunctionInfo "name" field set to
3091         a non-null pointer. This is allowed and valid, but we had a
3092         RELEASE_ASSERT that claimed otherwise. This was a mistake.
3093
3094         Note: ArrowFunctions will never actually have a function name;
3095         their ParserFunctionInfo "name" field will be the empty string.
3096         This is not to be mistaken for the name field being a null pointer.
3097
3098         * parser/Parser.cpp:
3099         (JSC::Parser<LexerType>::parseFunctionInfo):
3100
3101 2015-07-18  Saam barati  <saambarati1@gmail.com>
3102
3103         [ES6] Add support for block scope const
3104         https://bugs.webkit.org/show_bug.cgi?id=31813
3105
3106         Reviewed by Filip Pizlo.
3107
3108         'const' is now implemented in an ES6 spec compliant manner.
3109         'const' variables are always block scoped and always live
3110         either on the stack or in a JSLexicalEnvironment. 'const'
3111         variables never live on the global object.
3112
3113         Inside the BytecodeGenerator, when assigning to a stack
3114         'const' variable or a LocalClosureVar 'const' variable,
3115         we will emit code that just throws a type error.
3116         When assigning to a ClosureVar const variable, CodeBlock linking
3117         will ensure that we perform a dynamic lookup of that variable so
3118         that put_to_scope's slow path throws a type error.
3119
3120         The old 'const' implementation has been removed in this patch.
3121
3122         * bytecode/BytecodeList.json:
3123         * bytecode/BytecodeUseDef.h:
3124         (JSC::computeUsesForBytecodeOffset):
3125         (JSC::computeDefsForBytecodeOffset):
3126         * bytecode/CodeBlock.cpp:
3127         (JSC::CodeBlock::dumpBytecode):
3128         (JSC::CodeBlock::CodeBlock):
3129         * bytecompiler/BytecodeGenerator.cpp:
3130         (JSC::BytecodeGenerator::BytecodeGenerator):
3131         (JSC::BytecodeGenerator::pushLexicalScope):
3132         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3133         (JSC::BytecodeGenerator::variable):
3134         (JSC::BytecodeGenerator::variableForLocalEntry):
3135         (JSC::BytecodeGenerator::createVariable):
3136         (JSC::BytecodeGenerator::emitResolveScope):
3137         (JSC::BytecodeGenerator::emitInstanceOf):
3138         (JSC::BytecodeGenerator::emitGetById):
3139         (JSC::BytecodeGenerator::isArgumentNumber):
3140         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3141         (JSC::BytecodeGenerator::emitEnumeration):
3142         (JSC::BytecodeGenerator::variablePerSymbolTable): Deleted.
3143         (JSC::BytecodeGenerator::emitInitGlobalConst): Deleted.
3144         * bytecompiler/BytecodeGenerator.h:
3145         (JSC::Variable::Variable):
3146         (JSC::Variable::isReadOnly):
3147         (JSC::Variable::isSpecial):
3148         (JSC::Variable::isConst):
3149         (JSC::BytecodeGenerator::thisRegister):
3150         (JSC::BytecodeGenerator::emitTypeOf):
3151         (JSC::BytecodeGenerator::emitIn):
3152         * bytecompiler/NodesCodegen.cpp:
3153         (JSC::PostfixNode::emitResolve):
3154         (JSC::PrefixNode::emitResolve):
3155         (JSC::ReadModifyResolveNode::emitBytecode):
3156         (JSC::AssignResolveNode::emitBytecode):
3157         (JSC::CommaNode::emitBytecode):
3158         (JSC::BindingNode::bindValue):
3159         (JSC::ConstDeclNode::emitCodeSingle): Deleted.
3160         (JSC::ConstDeclNode::emitBytecode): Deleted.
3161         (JSC::ConstStatementNode::emitBytecode): Deleted.
3162         * dfg/DFGByteCodeParser.cpp:
3163         (JSC::DFG::ByteCodeParser::parseBlock):
3164         * dfg/DFGCapabilities.cpp:
3165         (JSC::DFG::capabilityLevel):
3166         * jit/JIT.cpp:
3167         (JSC::JIT::privateCompileMainPass):
3168         * jit/JIT.h:
3169         * jit/JITPropertyAccess.cpp:
3170         (JSC::JIT::emit_op_put_to_arguments):
3171         (JSC::JIT::emit_op_init_global_const): Deleted.
3172         * jit/JITPropertyAccess32_64.cpp:
3173         (JSC::JIT::emit_op_put_to_arguments):
3174         (JSC::JIT::emit_op_init_global_const): Deleted.
3175         * llint/LowLevelInterpreter.asm:
3176         * llint/LowLevelInterpreter32_64.asm:
3177         * llint/LowLevelInterpreter64.asm:
3178         * parser/ASTBuilder.h:
3179         (JSC::ASTBuilder::createDeclarationStatement):
3180         (JSC::ASTBuilder::createEmptyVarExpression):
3181         (JSC::ASTBuilder::createDebugger):
3182         (JSC::ASTBuilder::appendStatement):
3183         (JSC::ASTBuilder::createVarStatement): Deleted.
3184         (JSC::ASTBuilder::createLetStatement): Deleted.
3185         (JSC::ASTBuilder::createConstStatement): Deleted.
3186         (JSC::ASTBuilder::appendConstDecl): Deleted.
3187         * parser/NodeConstructors.h:
3188         (JSC::CommaNode::CommaNode):
3189         (JSC::SourceElements::SourceElements):
3190         (JSC::SwitchNode::SwitchNode):
3191         (JSC::BlockNode::BlockNode):
3192         (JSC::ConstStatementNode::ConstStatementNode): Deleted.
3193         (JSC::ConstDeclNode::ConstDeclNode): Deleted.
3194         * parser/Nodes.h:
3195         (JSC::ConstDeclNode::hasInitializer): Deleted.
3196         (JSC::ConstDeclNode::ident): Deleted.
3197         * parser/Parser.cpp:
3198         (JSC::Parser<LexerType>::parseStatementListItem):
3199         (JSC::Parser<LexerType>::parseVariableDeclaration):
3200         (JSC::Parser<LexerType>::parseWhileStatement):
3201         (JSC::Parser<LexerType>::parseVariableDeclarationList):
3202         (JSC::Parser<LexerType>::createBindingPattern):
3203         (JSC::Parser<LexerType>::parseDestructuringPattern):
3204         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
3205         (JSC::Parser<LexerType>::parseForStatement):
3206         (JSC::Parser<LexerType>::parseTryStatement):
3207         (JSC::Parser<LexerType>::parseFunctionInfo):
3208         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3209         (JSC::Parser<LexerType>::parseClass):
3210         (JSC::Parser<LexerType>::parseConstDeclaration): Deleted.
3211         (JSC::Parser<LexerType>::parseConstDeclarationList): Deleted.
3212         * parser/Parser.h:
3213         (JSC::isEvalNode):
3214         (JSC::isEvalNode<EvalNode>):
3215         (JSC::isArguments):
3216         (JSC::isEval):
3217         (JSC::isEvalOrArgumentsIdentifier):
3218         (JSC::Scope::Scope):
3219         (JSC::Scope::declareCallee):
3220         (JSC::Scope::declareVariable):
3221         (JSC::Scope::declareLexicalVariable):
3222         (JSC::Scope::hasDeclaredVariable):
3223         (JSC::Scope::allowsVarDeclarations):
3224         (JSC::Scope::allowsLexicalDeclarations):
3225         (JSC::Scope::declareParameter):
3226         (JSC::Scope::declareBoundParameter):
3227         (JSC::Parser::destructuringKindFromDeclarationType):
3228         (JSC::Parser::assignmentContextFromDeclarationType):
3229         (JSC::Parser::isEvalOrArguments):
3230         (JSC::Parser::currentScope):
3231         (JSC::Parser::popScope):
3232         (JSC::Parser::declareVariable):
3233         (JSC::Parser::hasDeclaredVariable):
3234         (JSC::Parser::setStrictMode):
3235         (JSC::Parser::strictMode):
3236         (JSC::Parser::isValidStrictMode):
3237         (JSC::Parser::declareParameter):
3238         (JSC::Parser::declareBoundParameter):
3239         (JSC::Parser::breakIsValid):
3240         * parser/SyntaxChecker.h:
3241         (JSC::SyntaxChecker::createForInLoop):
3242         (JSC::SyntaxChecker::createForOfLoop):
3243         (JSC::SyntaxChecker::createEmptyStatement):
3244         (JSC::SyntaxChecker::createDeclarationStatement):
3245         (JSC::SyntaxChecker::createReturnStatement):
3246         (JSC::SyntaxChecker::createBreakStatement):
3247         (JSC::SyntaxChecker::createVarStatement): Deleted.
3248         (JSC::SyntaxChecker::createLetStatement): Deleted.
3249         * parser/VariableEnvironment.h:
3250         (JSC::VariableEnvironmentEntry::isCaptured):
3251         (JSC::VariableEnvironmentEntry::isConst):
3252         (JSC::VariableEnvironmentEntry::isVar):
3253         (JSC::VariableEnvironmentEntry::isLet):
3254         (JSC::VariableEnvironmentEntry::setIsCaptured):
3255         (JSC::VariableEnvironmentEntry::setIsConst):
3256         (JSC::VariableEnvironmentEntry::setIsVar):
3257         (JSC::VariableEnvironmentEntry::setIsLet):
3258         (JSC::VariableEnvironmentEntry::isConstant): Deleted.
3259         (JSC::VariableEnvironmentEntry::setIsConstant): Deleted.
3260         * runtime/Executable.cpp:
3261         (JSC::ProgramExecutable::initializeGlobalProperties):
3262         * runtime/JSGlobalObject.cpp:
3263         (JSC::JSGlobalObject::defineOwnProperty):
3264         (JSC::JSGlobalObject::addGlobalVar):
3265         (JSC::JSGlobalObject::addFunction):
3266         (JSC::lastInPrototypeChain):
3267         * runtime/JSGlobalObject.h:
3268         (JSC::JSGlobalObject::finishCreation):
3269         (JSC::JSGlobalObject::addVar):
3270         (JSC::JSGlobalObject::addConst): Deleted.
3271         * runtime/JSLexicalEnvironment.cpp:
3272         (JSC::JSLexicalEnvironment::symbolTablePut):
3273         * tests/stress/const-and-with-statement.js: Added.
3274         (truth):
3275         (assert):
3276         (shouldThrowInvalidConstAssignment):
3277         (.):
3278         * tests/stress/const-exception-handling.js: Added.
3279         (truth):
3280         (assert):
3281         (.):
3282         * tests/stress/const-loop-semantics.js: Added.
3283         (truth):
3284         (assert):
3285         (shouldThrowInvalidConstAssignment):
3286         (.):
3287         * tests/stress/const-not-strict-mode.js: Added.
3288         (truth):
3289         (assert):
3290         (shouldThrowTDZ):
3291         (.):
3292         * tests/stress/const-semantics.js: Added.
3293         (truth):
3294         (assert):
3295         (shouldThrowInvalidConstAssignment):
3296         (.):
3297         * tests/stress/const-tdz.js: Added.
3298         (truth):
3299         (assert):
3300         (shouldThrowTDZ):
3301         (.):
3302
3303 2015-07-18  Saam barati  <saambarati1@gmail.com>
3304
3305         lexical scoping is broken with respect to "break" and "continue"
3306         https://bugs.webkit.org/show_bug.cgi?id=147063
3307
3308         Reviewed by Filip Pizlo.
3309
3310         Bug #142944 which introduced "let" and lexical scoping
3311         didn't properly hook into the bytecode generator's machinery
3312         for calculating scope depth deltas for "break" and "continue". This
3313         resulted in the bytecode generator popping an incorrect number
3314         of scopes when lexical scopes were involved.
3315
3316         This patch fixes this problem and generalizes this machinery a bit.
3317         This patch also renames old functions in a sensible way that is more
3318         coherent in a world with lexical scoping.
3319
3320         * bytecompiler/BytecodeGenerator.cpp:
3321         (JSC::BytecodeGenerator::BytecodeGenerator):
3322         (JSC::BytecodeGenerator::newLabelScope):
3323         (JSC::BytecodeGenerator::emitProfileType):
3324         (JSC::BytecodeGenerator::pushLexicalScope):
3325         (JSC::BytecodeGenerator::popLexicalScope):
3326         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3327         (JSC::BytecodeGenerator::resolveType):
3328         (JSC::BytecodeGenerator::emitResolveScope):
3329         (JSC::BytecodeGenerator::emitGetFromScope):
3330         (JSC::BytecodeGenerator::emitPutToScope):
3331         (JSC::BytecodeGenerator::emitPushWithScope):
3332         (JSC::BytecodeGenerator::emitGetParentScope):
3333         (JSC::BytecodeGenerator::emitPopScope):
3334         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
3335         (JSC::BytecodeGenerator::emitPopScopes):
3336         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
3337         (JSC::BytecodeGenerator::localScopeDepth):
3338         (JSC::BytecodeGenerator::labelScopeDepth):
3339         (JSC::BytecodeGenerator::emitThrowReferenceError):
3340         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
3341         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
3342         (JSC::BytecodeGenerator::popScopedControlFlowContext):
3343         (JSC::BytecodeGenerator::emitPushCatchScope):
3344         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
3345         * bytecompiler/BytecodeGenerator.h:
3346         (JSC::BytecodeGenerator::hasFinaliser):
3347         (JSC::BytecodeGenerator::scopeDepth): Deleted.
3348         * bytecompiler/NodesCodegen.cpp:
3349         (JSC::ContinueNode::trivialTarget):
3350         (JSC::BreakNode::trivialTarget):
3351         (JSC::ReturnNode::emitBytecode):
3352         (JSC::WithNode::emitBytecode):
3353         (JSC::TryNode::emitBytecode):
3354         * tests/stress/lexical-scoping-break-continue.js: Added.
3355         (assert):
3356         (.):
3357
3358 2015-07-18  Commit Queue  <commit-queue@webkit.org>
3359
3360         Unreviewed, rolling out r186996.
3361         https://bugs.webkit.org/show_bug.cgi?id=147070
3362
3363         Broke JSC tests (Requested by smfr on #webkit).
3364
3365         Reverted changeset:
3366
3367         "lexical scoping is broken with respect to "break" and
3368         "continue""
3369         https://bugs.webkit.org/show_bug.cgi?id=147063
3370         http://trac.webkit.org/changeset/186996
3371
3372 2015-07-18  Saam barati  <saambarati1@gmail.com>
3373
3374         lexical scoping is broken with respect to "break" and "continue"
3375         https://bugs.webkit.org/show_bug.cgi?id=147063
3376
3377         Reviewed by Filip Pizlo.
3378
3379         Bug #142944 which introduced "let" and lexical scoping
3380         didn't properly hook into the bytecode generator's machinery
3381         for calculating scope depth deltas for "break" and "continue". This
3382         resulted in the bytecode generator popping an incorrect number
3383         of scopes when lexical scopes were involved.
3384
3385         This patch fixes this problem and generalizes this machinery a bit.
3386         This patch also renames old functions in a sensible way that is more
3387         coherent in a world with lexical scoping.
3388
3389         * bytecompiler/BytecodeGenerator.cpp:
3390         (JSC::BytecodeGenerator::BytecodeGenerator):
3391         (JSC::BytecodeGenerator::newLabelScope):
3392         (JSC::BytecodeGenerator::emitProfileType):
3393         (JSC::BytecodeGenerator::pushLexicalScope):
3394         (JSC::BytecodeGenerator::popLexicalScope):
3395         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3396         (JSC::BytecodeGenerator::resolveType):
3397         (JSC::BytecodeGenerator::emitResolveScope):
3398         (JSC::BytecodeGenerator::emitGetFromScope):
3399         (JSC::BytecodeGenerator::emitPutToScope):
3400         (JSC::BytecodeGenerator::emitPushWithScope):
3401         (JSC::BytecodeGenerator::emitGetParentScope):
3402         (JSC::BytecodeGenerator::emitPopScope):
3403         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
3404         (JSC::BytecodeGenerator::emitPopScopes):
3405         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
3406         (JSC::BytecodeGenerator::localScopeDepth):
3407         (JSC::BytecodeGenerator::labelScopeDepth):
3408         (JSC::BytecodeGenerator::emitThrowReferenceError):
3409         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
3410         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
3411         (JSC::BytecodeGenerator::popScopedControlFlowContext):
3412         (JSC::BytecodeGenerator::emitPushCatchScope):
3413         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
3414         * bytecompiler/BytecodeGenerator.h:
3415         (JSC::BytecodeGenerator::hasFinaliser):
3416         (JSC::BytecodeGenerator::scopeDepth): Deleted.
3417         * bytecompiler/NodesCodegen.cpp:
3418         (JSC::ContinueNode::trivialTarget):
3419         (JSC::BreakNode::trivialTarget):
3420         (JSC::ReturnNode::emitBytecode):
3421         (JSC::WithNode::emitBytecode):
3422         (JSC::TryNode::emitBytecode):
3423         * tests/stress/lexical-scoping-break-continue.js: Added.
3424         (assert):
3425         (.):
3426
3427 2015-07-17  Filip Pizlo  <fpizlo@apple.com>
3428
3429         DFG should have some obvious mitigations against watching structures that are unprofitable to watch
3430         https://bugs.webkit.org/show_bug.cgi?id=147034
3431
3432         Reviewed by Mark Lam and Michael Saboff.
3433         
3434         This implements two guards against the DFG watching structures that are likely to fire
3435         their watchpoints:
3436         
3437         - Don't watch dictionaries or any structure that had a dictionary in its past. Dictionaries
3438           can be flattened, and then they can transform back to dictionaries.
3439         
3440         - Don't watch structures whose past structures were transitioned-away from while their
3441           transition watchpoints were being watched. This property gives us monotonicity: if we
3442           recompile because we watched structure S1 of object O, then we won't make the same mistake
3443           again when object O has structure S2, S3, and so on.
3444         
3445         This is a 1.5% speed-up on Kraken. It does penalize some Octane tests, but it also seems to
3446         help some of them, so on Octane it's basically neutral.
3447
3448         * bytecode/Watchpoint.h:
3449         (JSC::WatchpointSet::invalidate):
3450         (JSC::WatchpointSet::isBeingWatched):
3451         (JSC::WatchpointSet::addressOfState):
3452         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
3453         (JSC::InlineWatchpointSet::touch):
3454         (JSC::InlineWatchpointSet::isBeingWatched):
3455         * runtime/JSGlobalObject.h:
3456         (JSC::JSGlobalObject::createStructure):
3457         (JSC::JSGlobalObject::registerWeakMap):
3458         * runtime/Structure.cpp:
3459         (JSC::Structure::Structure):
3460         (JSC::Structure::toDictionaryTransition):
3461         (JSC::Structure::didTransitionFromThisStructure):
3462         * runtime/Structure.h:
3463
3464 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
3465
3466         Remove DFG::DesiredWriteBarriers because it's just a very difficult way of saying "please barrier the machine code block owner"
3467         https://bugs.webkit.org/show_bug.cgi?id=147030
3468
3469         Reviewed by Andreas Kling.
3470         
3471         All of the users of DesiredWriteBarriers were just using it to request that Plan
3472         finalization executes a barrier on codeBlock->ownerExecutable. Indeed, that's the only
3473         owning cell in the heap that compilation affects. So, we might as well just have Plan
3474         unconditionally execute that barrier and then we don't need DesiredWriteBarriers at
3475         all.
3476
3477         * CMakeLists.txt:
3478         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3479         * JavaScriptCore.xcodeproj/project.pbxproj:
3480         * dfg/DFGByteCodeParser.cpp:
3481         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3482         * dfg/DFGDesiredWriteBarriers.cpp: Removed.
3483         * dfg/DFGDesiredWriteBarriers.h: Removed.
3484         * dfg/DFGGraph.cpp:
3485         (JSC::DFG::Graph::registerFrozenValues):
3486         * dfg/DFGPlan.cpp:
3487         (JSC::DFG::Plan::reallyAdd):
3488         (JSC::DFG::Plan::notifyCompiling):
3489         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
3490         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
3491         (JSC::DFG::Plan::cancel):
3492         * dfg/DFGPlan.h:
3493
3494 2015-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3495
3496         Integrate automatic microtask draining into JSC framework and re-enable Promise
3497         https://bugs.webkit.org/show_bug.cgi?id=146828
3498
3499         Reviewed by Sam Weinig.
3500
3501         Add automatic microtask draining system into JSC framework.
3502         Just before the depth of the VM lock becomes 0, we drain the queued microtasks.
3503         Enqueuing behavior can be injected by the JSGlobalObject's method table.
3504         It is utilized in WebCore to post the microtask to WebCore's event loop.
3505
3506         In the case of the JSC interactive shell, the VM lock depth is always greater than 0.
3507         So we manually drain the queued microtasks after evaluating the entered line.
3508
3509         Since the JSC framework now has a microtask queue, we can drain the queued microtasks.
3510         So we re-enable Promise in the JSC framework context.
3511
3512         * API/JSContextRef.cpp:
3513         (javaScriptRuntimeFlags): Deleted.
3514         * API/tests/testapi.c:
3515         (main):
3516         * API/tests/testapi.mm:
3517         (testObjectiveCAPIMain):
3518         * jsc.cpp:
3519         (runInteractive):
3520         * runtime/JSGlobalObject.cpp:
3521         (JSC::JSGlobalObject::queueMicrotask):
3522         * runtime/JSLock.cpp:
3523         (JSC::JSLock::willReleaseLock):
3524         * runtime/VM.cpp:
3525         (JSC::VM::queueMicrotask):
3526         (JSC::VM::drainMicrotasks):
3527         (JSC::QueuedTask::run):
3528         * runtime/VM.h:
3529         (JSC::QueuedTask::QueuedTask):
3530
3531 2015-07-17  Saam barati  <saambarati1@gmail.com>
3532
3533         Function parameters should be parsed in the same parser arena as the function body
3534         https://bugs.webkit.org/show_bug.cgi?id=145995
3535
3536         Reviewed by Yusuke Suzuki.
3537
3538         This patch changes how functions are parsed in JSC. A function's
3539         parameters are now parsed in the same arena as the function itself.
3540         This allows us to arena allocate all destructuring AST nodes and
3541         the FunctionParameters node. This will help make implementing ES6
3542         default parameter values sane.
3543
3544         The SourceCode that represents a function now includes the text of the function's
3545         parameters. The starting offset is at the opening parenthesis of the parameter
3546         list or at the starting character of the identifier for arrow functions that
3547         have single arguments and don't start with parenthesis.
3548
3549         For example:
3550
3551         "function (param1, param2) { ... }"
3552                                    ^
3553                                    | This offset used to be the starting offset of a function's SourceCode
3554                   ^
3555                   | This is the new starting offset for a function's SourceCode.
3556
3557         This requires us to change how some offsets are calculated
3558         and also requires us to report some different line numbers for internal
3559         metrics that use a SourceCode's starting line and column numbers.
3560
3561         This patch also does a bit of cleanup with regards to how
3562         functions are parsed in general (especially arrow functions).
3563         It removes some unnecessary #ifdefs and the likes for arrow
3564         to make things clearer and more deliberate.
3565
3566         * API/JSScriptRef.cpp:
3567         (parseScript):
3568         * builtins/BuiltinExecutables.cpp:
3569         (JSC::BuiltinExecutables::createExecutableInternal):
3570         * bytecode/UnlinkedCodeBlock.cpp:
3571         (JSC::generateFunctionCodeBlock):
3572         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3573         (JSC::UnlinkedFunctionExecutable::visitChildren):
3574         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
3575         * bytecode/UnlinkedCodeBlock.h:
3576         * bytecompiler/NodesCodegen.cpp:
3577         (JSC::DestructuringAssignmentNode::emitBytecode):
3578         (JSC::assignDefaultValueIfUndefined):
3579         (JSC::ArrayPatternNode::collectBoundIdentifiers):
3580         (JSC::DestructuringPatternNode::~DestructuringPatternNode): Deleted.
3581         * parser/ASTBuilder.h:
3582         (JSC::ASTBuilder::createClassExpr):
3583         (JSC::ASTBuilder::createFunctionExpr):
3584         (JSC::ASTBuilder::createFunctionBody):
3585         (JSC::ASTBuilder::createArrowFunctionExpr):
3586         (JSC::ASTBuilder::createGetterOrSetterProperty):
3587         (JSC::ASTBuilder::createElementList):
3588         (JSC::ASTBuilder::createFormalParameterList):
3589         (JSC::ASTBuilder::appendParameter):
3590         (JSC::ASTBuilder::createClause):
3591         (JSC::ASTBuilder::createClauseList):
3592         (JSC::ASTBuilder::createFuncDeclStatement):
3593         (JSC::ASTBuilder::createForInLoop):
3594         (JSC::ASTBuilder::createForOfLoop):
3595         (JSC::ASTBuilder::isResolve):
3596         (JSC::ASTBuilder::createDestructuringAssignment):
3597         (JSC::ASTBuilder::createArrayPattern):
3598         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
3599         (JSC::ASTBuilder::appendArrayPatternEntry):
3600         (JSC::ASTBuilder::appendArrayPatternRestEntry):
3601         (JSC::ASTBuilder::finishArrayPattern):
3602         (JSC::ASTBuilder::createObjectPattern):
3603         (JSC::ASTBuilder::appendObjectPatternEntry):
3604         (JSC::ASTBuilder::createBindingLocation):
3605         (JSC::ASTBuilder::setEndOffset):
3606         * parser/Lexer.cpp:
3607         (JSC::Lexer<T>::Lexer):
3608         (JSC::Lexer<T>::nextTokenIsColon):
3609         (JSC::Lexer<T>::setTokenPosition):
3610         (JSC::Lexer<T>::lex):
3611         (JSC::Lexer<T>::clear):
3612         * parser/Lexer.h:
3613         (JSC::Lexer::setIsReparsingFunction):
3614         (JSC::Lexer::isReparsingFunction):
3615         (JSC::Lexer::lineNumber):
3616         (JSC::Lexer::setIsReparsing): Deleted.
3617         (JSC::Lexer::isReparsing): Deleted.
3618         * parser/NodeConstructors.h:
3619         (JSC::TryNode::TryNode):
3620         (JSC::FunctionParameters::FunctionParameters):
3621         (JSC::FuncExprNode::FuncExprNode):
3622         (JSC::FuncDeclNode::FuncDeclNode):
3623         (JSC::ArrayPatternNode::ArrayPatternNode):
3624         (JSC::ObjectPatternNode::ObjectPatternNode):
3625         (JSC::BindingNode::BindingNode):
3626         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
3627         (JSC::ParameterNode::ParameterNode): Deleted.
3628         (JSC::ArrayPatternNode::create): Deleted.
3629         (JSC::ObjectPatternNode::create): Deleted.
3630         (JSC::BindingNode::create): Deleted.
3631         * parser/Nodes.cpp:
3632         (JSC::ProgramNode::ProgramNode):
3633         (JSC::EvalNode::EvalNode):
3634         (JSC::FunctionBodyNode::FunctionBodyNode):
3635         (JSC::FunctionBodyNode::finishParsing):
3636         (JSC::FunctionNode::FunctionNode):
3637         (JSC::FunctionNode::finishParsing):
3638         (JSC::FunctionParameters::create): Deleted.
3639         (JSC::FunctionParameters::FunctionParameters): Deleted.
3640         (JSC::FunctionParameters::~FunctionParameters): Deleted.
3641         * parser/Nodes.h:
3642         (JSC::ProgramNode::startColumn):
3643         (JSC::ProgramNode::endColumn):
3644         (JSC::EvalNode::startColumn):
3645         (JSC::EvalNode::endColumn):
3646         (JSC::FunctionParameters::size):
3647         (JSC::FunctionParameters::at):
3648         (JSC::FunctionParameters::append):
3649         (JSC::FuncExprNode::body):
3650         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
3651         (JSC::DestructuringPatternNode::isBindingNode):
3652         (JSC::DestructuringPatternNode::emitDirectBinding):
3653         (JSC::ArrayPatternNode::appendIndex):
3654         (JSC::ObjectPatternNode::appendEntry):
3655         (JSC::BindingNode::boundProperty):
3656         (JSC::BindingNode::divotStart):
3657         (JSC::BindingNode::divotEnd):
3658         (JSC::DestructuringAssignmentNode::bindings):
3659         (JSC::FuncDeclNode::body):
3660         (JSC::ParameterNode::pattern): Deleted.
3661         (JSC::ParameterNode::nextParam): Deleted.
3662         (JSC::FunctionParameters::patterns): Deleted.
3663         * parser/Parser.cpp:
3664         (JSC::Parser<LexerType>::Parser):
3665         (JSC::Parser<LexerType>::~Parser):
3666         (JSC::Parser<LexerType>::parseInner):
3667         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
3668         (JSC::Parser<LexerType>::parseSourceElements):
3669         (JSC::Parser<LexerType>::createBindingPattern):
3670         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
3671         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
3672         (JSC::Parser<LexerType>::parseSwitchClauses):
3673         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
3674         (JSC::Parser<LexerType>::parseBlockStatement):
3675         (JSC::Parser<LexerType>::parseStatement):
3676         (JSC::Parser<LexerType>::parseFormalParameters):
3677         (JSC::Parser<LexerType>::parseFunctionBody):
3678         (JSC::stringForFunctionMode):
3679         (JSC::Parser<LexerType>::parseFunctionParameters):
3680         (JSC::Parser<LexerType>::parseFunctionInfo):
3681         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3682         (JSC::Parser<LexerType>::parseClass):
3683         (JSC::Parser<LexerType>::parsePrimaryExpression):
3684         (JSC::Parser<LexerType>::parseMemberExpression):
3685         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
3686         (JSC::operatorString):
3687         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody): Deleted.
3688         * parser/Parser.h:
3689         (JSC::Parser::positionBeforeLastNewline):
3690         (JSC::Parser::locationBeforeLastToken):
3691         (JSC::Parser::findCachedFunctionInfo):
3692         (JSC::Parser::isofToken):
3693         (JSC::Parser::isEndOfArrowFunction):
3694         (JSC::Parser::isArrowFunctionParamters):
3695         (JSC::Parser::tokenStart):
3696         (JSC::Parser::isLETMaskedAsIDENT):
3697         (JSC::Parser::autoSemiColon):
3698         (JSC::Parser::setEndOfStatement):
3699         (JSC::Parser::canRecurse):
3700         (JSC::Parser<LexerType>::parse):
3701         (JSC::parse):
3702         * parser/ParserFunctionInfo.h:
3703         * parser/ParserModes.h:
3704         (JSC::functionNameIsInScope):
3705         * parser/SourceCode.h:
3706         (JSC::makeSource):
3707         (JSC::SourceCode::subExpression):
3708         (JSC::SourceCode::subArrowExpression): Deleted.
3709         * parser/SourceProviderCache.h:
3710         (JSC::SourceProviderCache::get):
3711         * parser/SourceProviderCacheItem.h:
3712         (JSC::SourceProviderCacheItem::endFunctionToken):
3713         (JSC::SourceProviderCacheItem::usedVariables):
3714         (JSC::SourceProviderCacheItem::writtenVariables):
3715         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
3716         * parser/SyntaxChecker.h:
3717         (JSC::SyntaxChecker::SyntaxChecker):
3718         (JSC::SyntaxChecker::createClassExpr):
3719         (JSC::SyntaxChecker::createFunctionExpr):
3720         (JSC::SyntaxChecker::createFunctionBody):
3721         (JSC::SyntaxChecker::createArrowFunctionExpr):
3722         (JSC::SyntaxChecker::setFunctionNameStart):
3723         (JSC::SyntaxChecker::createArguments):
3724         (JSC::SyntaxChecker::createPropertyList):
3725         (JSC::SyntaxChecker::createElementList):
3726         (JSC::SyntaxChecker::createFormalParameterList):
3727         (JSC::SyntaxChecker::appendParameter):
3728         (JSC::SyntaxChecker::createClause):
3729         (JSC::SyntaxChecker::createClauseList):
3730         * runtime/CodeCache.cpp:
3731         (JSC::CodeCache::getGlobalCodeBlock):
3732         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3733         * runtime/Completion.cpp:
3734         (JSC::checkSyntax):
3735         * runtime/Executable.cpp:
3736         (JSC::ProgramExecutable::checkSyntax):
3737         * tests/controlFlowProfiler/conditional-expression.js:
3738         (testConditionalFunctionCall):
3739
3740 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
3741
3742         Unreviewed, fix build for newer LLVMs.
3743
3744         * llvm/LLVMHeaders.h:
3745         * llvm/library/LLVMExports.cpp:
3746
3747 2015-07-16  Mark Lam  <mark.lam@apple.com>
3748
3749         RegExp::match() should set m_state to ByteCode if compilation fails.
3750         https://bugs.webkit.org/show_bug.cgi?id=147023
3751
3752         Reviewed by Michael Saboff.
3753
3754         A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
3755         If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
3756         Subsequently, if RegExp tries to compile another one of these but fails, m_state
3757         will be left untouched i.e. it still says JITCode.  As a result, when
3758         RegExp::match() later tries to execute the non-existent compiled code, it will
3759         crash.
3760
3761         The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
3762         This failure should be rare.  We'll do the minimal work here to fix the issue and
3763         keep an eye on the perf bots.  If perf regresses, we can do some optimization work then.
3764
3765         This issue is difficult to test for since it either requires a low memory condition
3766         to trigger a failed RegExp compilation at the right moment, or for the RegExp to
3767         succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
3768         Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
3769         10 compilation attempts.
3770
3771         * runtime/RegExp.cpp:
3772         (JSC::RegExp::compile):
3773         (JSC::RegExp::compileMatchOnly):
3774
3775 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
3776
3777         [Win] Fix armv7 build.
3778
3779         * jit/CCallHelpers.h:
3780         (JSC::CCallHelpers::setupArgumentsWithExecState): The 64-bit argument
3781         version of poke is not available on armv7 builds.
3782
3783 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
3784
3785         [Win] 64-bit Build Failure
3786         https://bugs.webkit.org/show_bug.cgi?id=146989
3787
3788         Reviewed by Mark Lam.
3789
3790         * jit/CCallHelpers.h:
3791         (JSC::CCallHelpers::setupArgumentsWithExecState): Add missing
3792         declaration for 64-bit type on 4-argument register machines (like
3793         Windows).
3794
3795 2015-07-15  Saam barati  <saambarati1@gmail.com>
3796
3797         [ES6] implement block scoping to enable 'let'
3798         https://bugs.webkit.org/show_bug.cgi?id=142944
3799
3800         Reviewed by Filip Pizlo.
3801
3802         * CMakeLists.txt:
3803         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3804         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3805         * JavaScriptCore.xcodeproj/project.pbxproj:
3806         * builtins/BuiltinExecutables.cpp:
3807         (JSC::BuiltinExecutables::createExecutableInternal):
3808         * bytecode/BytecodeList.json:
3809         This patch adds a new opcode and removes op_pop_scope:
3810         1) op_get_parent_scope returns the parent scope but doesn't 
3811         implicitly write that scope into the scope register. op_pop_scope
3812         is now reduced to op_get_parent_scope followed by op_mov.
3813
3814         * bytecode/BytecodeUseDef.h:
3815         (JSC::computeUsesForBytecodeOffset):
3816         (JSC::computeDefsForBytecodeOffset):
3817         * bytecode/CodeBlock.cpp:
3818         (JSC::CodeBlock::dumpBytecode):
3819         (JSC::CodeBlock::CodeBlock):
3820         (JSC::CodeBlock::stronglyVisitStrongReferences):
3821         * bytecode/CodeBlock.h:
3822         (JSC::CodeBlock::addStringSwitchJumpTable):
3823         (JSC::CodeBlock::stringSwitchJumpTable):
3824         (JSC::CodeBlock::symbolTable):
3825         (JSC::CodeBlock::evalCodeCache):
3826         (JSC::CodeBlock::setConstantRegisters):
3827         (JSC::CodeBlock::replaceConstant):
3828         op_put_to_scope for LocalClosureVar now takes as an argument
3829         the constant index for the Symbol Table it will be putting into.
3830         This argument is only used to communicate from the BytecodeGenerator
3831         to CodeBlock linking time and it is not present in the linked bytecode.
3832
3833         op_put_to_scope for a non-LocalClosureVar takes, at the same index, an
3834         argument that represents the local scope depth which it uses for
3835         JSScope::abstractResolve to know how many scopes it needs to skip.
3836         Again, this is not in the linked code.
3837         op_get_from_scope and op_resolve_scope also take as an argument
3838         the local scope depth to use in JSScope::abstractResolve. Again,
3839         this is not used in the linked code.
3840
3841         * bytecode/EvalCodeCache.h:
3842         (JSC::EvalCodeCache::tryGet):
3843         (JSC::EvalCodeCache::getSlow):
3844         (JSC::EvalCodeCache::clear):
3845         (JSC::EvalCodeCache::isCacheable):
3846         When direct eval is called and passed a scope that 
3847         corresponds to a lexical scope, we can't safely cache 
3848         that code because we won't be able to guarantee
3849         that the cached code is always executed in the same scope.
3850         Consider this example:
3851         function foo() {
3852             let x = 20;
3853             eval("x;");
3854             if (b) {
3855                 let x = 30;
3856                 if (b) {
3857                     let y = 40;
3858                     eval("x;")
3859                 }
3860             }
3861         }
3862
3863         We can't reuse resolution depth when linking get_from_scope in evals.
3864
3865         * bytecode/UnlinkedCodeBlock.cpp:
3866         (JSC::generateFunctionCodeBlock):
3867         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3868         (JSC::UnlinkedFunctionExecutable::parameterCount):
3869         * bytecode/UnlinkedCodeBlock.h:
3870         Unlinked functions now know the variables that were under TDZ in their parent
3871         scope.
3872
3873         (JSC::UnlinkedCodeBlock::symbolTable):
3874         (JSC::UnlinkedCodeBlock::setSymbolTable):
3875         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
3876         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
3877         (JSC::UnlinkedCodeBlock::vm):
3878         * bytecompiler/BytecodeGenerator.cpp:
3879         (JSC::BytecodeGenerator::generate):
3880         (JSC::BytecodeGenerator::BytecodeGenerator):
3881         (JSC::BytecodeGenerator::~BytecodeGenerator):
3882         (JSC::BytecodeGenerator::newRegister):
3883         (JSC::BytecodeGenerator::reclaimFreeRegisters):
3884         (JSC::BytecodeGenerator::newBlockScopeVariable):
3885         (JSC::BytecodeGenerator::newTemporary):
3886         (JSC::BytecodeGenerator::emitProfileType):
3887         (JSC::BytecodeGenerator::emitLoadGlobalObject):
3888         (JSC::BytecodeGenerator::pushLexicalScope):
3889         (JSC::BytecodeGenerator::popLexicalScope):
3890         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3891         (JSC::BytecodeGenerator::variable):
3892         (JSC::BytecodeGenerator::variablePerSymbolTable):
3893         (JSC::BytecodeGenerator::variableForLocalEntry):
3894         (JSC::BytecodeGenerator::createVariable):
3895         (JSC::BytecodeGenerator::emitResolveScope):
3896         (JSC::BytecodeGenerator::emitGetFromScope):
3897         (JSC::BytecodeGenerator::emitPutToScope):
3898         (JSC::BytecodeGenerator::initializeVariable):
3899         (JSC::BytecodeGenerator::emitTDZCheck):
3900         (JSC::BytecodeGenerator::needsTDZCheck):
3901         (JSC::BytecodeGenerator::emitTDZCheckIfNecessary):
3902         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):