REGRESSION(r200383): Setting lazily initialized properties across frame boundaries...

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-05-03  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes
        https://bugs.webkit.org/show_bug.cgi?id=157333

        Reviewed by Benjamin Poulain.
        
        I forgot to add logic for lazy properties in putEntry(). It turns out that it's easy to
        add.

        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PropertySlot.h:

2016-05-03  Filip Pizlo  <fpizlo@apple.com>

        References from code to Structures should be stronger than weak
        https://bugs.webkit.org/show_bug.cgi?id=157324

        Reviewed by Mark Lam.
        
        If code refers to a Structure and the Structure dies, then previously we'd kill the code. 
        This makes sense because the Structure could be the only thing left referring to some global
        object or prototype.

        But this also causes unnecessary churn. Sometimes there will be a structure that we just
        haven't really done anything with recently and so it appears dead. The approach we use
        elsewhere in our type inference is that the type that the code uses is general enough to
        handle every past execution. Having the GC clear code when some Structure it uses dies means
        that we forget that the code used that Structure. We'll either assume that the code is more
        monomorphic than it really is (because after GC we patch in some other structure but not the
        deleted one, so it looks like we only ever saw the new structure), or we'll assume that it's
        crazier than it really is (because we'll remember that there had been some structure that
        caused deletion, so we'll assume that deletions might happen in the future, so we'll use a
        fully dynamic IC).

        This change introduces a more nuanced policy: if it's cheap to mark a dead Structure then we
        should mark it just so that all of the code that refers to it remembers that there had been
        this exact Structure in the past. If the code often goes through different Structures then
        we already have great mechanisms to realize that the code is nutty (namely, the
        PolymorphicAccess size limit). But if the code just does this a handful of times then
        remembering this old Structure is probably net good:

        - It obeys the "handle all past executions" law.
        - It preserves the history of the property access, allowing a precise measure of its past
          polymorphism.
        - It makes the code ready to run fast if the user decides to use that Structure again.
          Marking the Structure means it will stay in whatever property transition tables it was in,
          so if the program does the same thing it did in the past, it will get this old Structure.

        It looks like this is a progression in gbemu and it makes gbemu perform more
        deterministically. Also, it seems that this makes JetStream run faster.
        
        Over five in-browser runs of JetStream, here's what we see before and after:
        
        Geometric Mean:
            Before              After
            229.23 +- 8.2523    230.70 +- 12.888
            232.91 +- 15.638    239.04 +- 13.766
            234.79 +- 12.760    236.32 +- 15.562
            236.20 +- 23.125    242.02 +- 3.3865
            237.22 +- 2.1929    237.23 +- 17.664
        
        Just gbemu:
            Before              After
            541.0 +- 135.8      481.7 +- 143.4
            518.9 +- 15.65      508.1 +- 136.3
            362.5 +- 0.8884     489.7 +- 101.4
            470.7 +- 313.3      530.7 +- 11.49
            418.7 +- 180.6      537.2 +- 6.514
        
        Notice that there is plenty of noise before and after, but the noise is now far less severe.
        After this change I did not see any runs like "470.7 +- 313.3" where the size of the 
        confidence interval (313.3 * 2) is greater than the score (470.7). Also, notice that the
        least noisy run before the change also got a lower score than we ever observed after the
        change (36.5 +- 0.8884). The noise, and these occasional very low scores, are due to a
        pathology where the GC would reset some stubs at an unfortunate time during profiling,
        causing the optimizing compiler to make many poor decisions. That pathology doesn't exist
        anymore.
        
        On the other hand, prior to this change it was possible for gbemu to sometimes run sooooper
        fast because the GC would cause the profiler to forget gbemu's behavior on the first tick
        and focus only on its behavior in subsequent ticks. So, in steady state, we'd optimize gbemu
        for its later behavior rather than a combination of its early behavior and later behavior.
        We rarely got lucky this way, so it's not fair to view this quirk as a feature.
        
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::propagateTransitions):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::visitWeak):
        (JSC::AccessCase::propagateTransitions):
        (JSC::AccessCase::generateWithGuard):
        (JSC::PolymorphicAccess::visitWeak):
        (JSC::PolymorphicAccess::propagateTransitions):
        (JSC::PolymorphicAccess::dump):
        * bytecode/PolymorphicAccess.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::visitWeakReferences):
        (JSC::StructureStubInfo::propagateTransitions):
        (JSC::StructureStubInfo::containsPC):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):
        (JSC::Structure::isCheapDuringGC):
        (JSC::Structure::markIfCheap):
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        * runtime/Structure.h:

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Simplify console.clear
        https://bugs.webkit.org/show_bug.cgi?id=157316

        Reviewed by Timothy Hatcher.

        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::createEmpty):
        (Inspector::ScriptArguments::ScriptArguments):
        * inspector/ScriptArguments.h:
        Provide a way to create an empty list.

        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::clear):
        * runtime/ConsoleClient.h:
        Drop unnecessary parameter.

        * runtime/ConsoleObject.cpp:
        (JSC::consoleProtoFuncClear):
        No need to parse arguments.

2016-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Improve Symbol() to string coercion error message
        https://bugs.webkit.org/show_bug.cgi?id=157317

        Reviewed by Geoffrey Garen.

        Improve error messages related to Symbols.

        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toStringSlowCase):
        * runtime/Symbol.cpp:
        (JSC::Symbol::toNumber):
        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * tests/stress/dfg-to-primitive-pass-symbol.js:
        * tests/stress/floating-point-div-to-mul.js:
        (i.catch):
        * tests/stress/string-from-code-point.js:
        (shouldThrow):
        (string_appeared_here.shouldThrow):
        * tests/stress/symbol-error-messages.js: Added.
        (shouldThrow):
        * tests/stress/symbol-registry.js:

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Give console.time/timeEnd a default label and warnings
        https://bugs.webkit.org/show_bug.cgi?id=157325
        <rdar://problem/26073290>

        Reviewed by Timothy Hatcher.

        Provide more user friendly console.time/timeEnd. The timer name
        is now optional, and is "default" if not provided. Also provide
        warnings when attempting to start an already started timer,
        or stop a timer that does not exist.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::startTiming):
        (Inspector::InspectorConsoleAgent::stopTiming):
        Warnings for bad cases.

        * runtime/ConsoleObject.cpp:
        (JSC::defaultLabelString):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        Optional label becomes "default".

2016-05-03  Xan Lopez  <xlopez@igalia.com>

        Fix the ENABLE(WEBASSEMBLY) build
        https://bugs.webkit.org/show_bug.cgi?id=157312

        Reviewed by Darin Adler.

        * runtime/Executable.cpp:
        (JSC::WebAssemblyExecutable::WebAssemblyExecutable):
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::convertValueToDouble):

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused parameter of ScriptArguments::getFirstArgumentAsString
        https://bugs.webkit.org/show_bug.cgi?id=157301

        Reviewed by Timothy Hatcher.

        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getFirstArgumentAsString):
        * inspector/ScriptArguments.h:
        Remove unused argument and related code.

        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        Drive by remove unnecessary cast.

2016-05-03  Michael Saboff  <msaboff@apple.com>

        Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated
        https://bugs.webkit.org/show_bug.cgi?id=157322

        Reviewed by Filip Pizlo.

        Check to see if the source array has changed length before calling fastSlice().
        If it has, take the slow path.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        * tests/stress/regress-157322.js: New test.

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Eliminate PassRefPtr conversion from ConsoleObject
        https://bugs.webkit.org/show_bug.cgi?id=157300

        Reviewed by Timothy Hatcher.

        * runtime/ConsoleObject.cpp:
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        No need to release to a PassRefPtr, we can just move into the RefPtr<>&&.

2016-05-01  Filip Pizlo  <fpizlo@apple.com>

        Speed up JSGlobalObject initialization by making some properties lazy
        https://bugs.webkit.org/show_bug.cgi?id=157045

        Reviewed by Keith Miller.
        
        This makes about half of JSGlobalObject's state lazy. There are three categories of
        state in JSGlobalObject:
        
        1) C++ fields in JSGlobalObject.
        2) JS object properties in JSGlobalObject's JSObject superclass.
        3) JS variables in JSGlobalObject's JSSegmentedVariableObject superclass.
        
        State held in JS variables cannot yet be made lazy. That's why this patch only goes
        half-way.
        
        State in JS object properties can be made lazy if we move it to the static property
        hashtable. JSGlobalObject already had one of those. This patch makes static property
        hashtables a lot more powerful, by adding three new kinds of static properties. These
        new kinds allow us to make almost all of JSGlobalObject's object properties lazy.
        
        State in C++ fields can now be made lazy thanks in part to WTF's support for stateless
        lambdas. You can of course make anything lazy by hand, but there are many C++ fields in
        JSGlobalObject and we are adding more all the time. We don't want to require that each
        of these has a getter with an initialization check and a corresponding out-of-line slow
        path that does the initialization. We want this kind of boilerplate to be handled by
        some abstractions.
        
        The primary abstraction introduced in this patch is LazyProperty<Type>. Currently, this
        only works where Type is a subclass of JSCell. Such a property holds a pointer to Type.
        You can use it like you would a WriteBarrier<Type>. It even has set() and get() methods,
        so it's almost a drop-in replacement.
        
        The key to LazyProperty<Type>'s power is that you can do this:
        
            class Bar {
                ...
                LazyProperty<Foo> m_foo;
            };
            ...
            m_foo.initLater(
                [] (const LazyProperty<Foo>::Initializer<Bar>& init) {
                    init.set(Foo::create(init.vm, init.owner));
                });
        
        This initLater() call requires that you pass a stateless lambda (see WTF changelog for
        the definition). Miraculously, this initLater() call is guaranteed to compile to a store
        of a pointer constant to m_foo, as in:
        
            movabsq 0xBLAH, %rax
            movq %rax, &m_foo
        
        This magical pointer constant points to a callback that was generated by the template
        instantiation of initLater(). That callback knows to call your stateless lambda, but
        also does some other bookkeeping: it makes sure that you indeed initialized the property
        inside the callback and it manages recursive initializations. It's totally legal to call
        m_foo.get() inside the initLater() callback. If you do that before you call init.set(),
        m_foo.get() will return null. This is an excellent escape hatch if we ever find
        ourselves in a dependency cycle. I added this feature because I already had to create a
        dependency cycle.
        
        Note that using LazyProperties from DFG threads is super awkward. It's going to be hard
        to get this right. The DFG thread cannot initialize those fields, so it has to make sure
        that it does conservative things. But for some nodes this could mean adding a lot of new
        logic, like NewTypedArray, which currently is written in such a way that it assumes that
        we always have the typed array structure. Currently we take a two-fold approach: for
        typed arrays we don't handle the NewTypedArray intrinsic if the structure isn't
        initialized, and for everything else we don't make the properties lazy if the DFG needs
        them. As we optimize this further we might need to teach the DFG to handle more lazy
        properties. I tried to do this for RegExp but found it to be very confusing. With typed
        arrays I got lucky.
        
        There is also a somewhat more powerful construct called LazyClassStructure. We often
        need to keep around the structure of some standard JS class, like Date. We also need to
        make sure that the constructor ends up in the global object's property table. And we
        often need to keep the original value of the constructor for ourselves. In this case, we
        want to make sure that the creation of the structure-prototype-constructor constellation
        is atomic. We don't want code to start looking at the structure if it points to a
        prototype that doesn't have its "constructor" property set yet, for example.
        LazyClassStructure solves this by abstracting that whole initialization. You provide the
        callback that allocates everything, since we are super inconsistent about the way we
        initialize things, but LazyClassStructure establishes the workflow and helps you not
        mess up.
        
        Finally, the new static hashtable attributes allow for all of this to work with the JS
        property table:
        
        PropertyCallback: if you use this attribute, the second column in the table should be
        the name of a function to call to initialize this property. This is useful for things
        like the Math property. The Math object turns out to be very expensive to allocate.
        Delaying its allocation is super easy with the PropertyCallback attribute.
        
        CellProperty: with this attribute the second column should be a C++ field name like
        JSGlobalObject::m_evalErrorConstructor. The static hashtable will grab the offset of
        this property, and when it needs to be initialized, Lookup will assume you have a
        LazyProperty<JSCell> and call its get() method. It will initialize the property to
        whatever get() returned. Note that it's legal to cast a LazyProperty<Anything> to
        LazyProperty<JSCell> for the purpose of calling get() because the get() method will just
        call whatever callback function pointer is encoded in the property and it does not need
        to know anything about what type that callback will instantiate.
        
        ClassStructure: with this attribute the second column should be a C++ field name. The
        static hashtable will initialize the property by treating the field as a
        LazyClassStructure and it will call get(). LazyClassStructure completely owns the whole
        initialization workflow, so Lookup assumes that when LazyClassStructure::get() returns,
        the property in question will already be set. By convention, we have LazyClassStructure
        initialize the property with a pointer to the constructor, since that's how all of our
        classes work: "globalObject.Date" points to the DateConstructor.
        
        This is a 2x speed-up in JSGlobalObject initialization time in a microbenchmark that
        calls our C API. This is a 1% speed-up on SunSpider and JSRegress.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::create):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::create):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * create_hash_table:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::visitChildren):
        (JSC::InternalFunction::name):
        (JSC::InternalFunction::calculatedDisplayName):
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/InternalFunction.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGlobalObject.cpp:
        (JSC::createProxyProperty):
        (JSC::createJSONProperty):
        (JSC::createMathProperty):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        (JSC::JSGlobalObject::resetPrototype):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::toThis):
        (JSC::JSGlobalObject::getOwnPropertySlot):
        (JSC::JSGlobalObject::createThrowTypeError): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectConstructor):
        (JSC::JSGlobalObject::promiseConstructor):
        (JSC::JSGlobalObject::internalPromiseConstructor):
        (JSC::JSGlobalObject::evalErrorConstructor):
        (JSC::JSGlobalObject::rangeErrorConstructor):
        (JSC::JSGlobalObject::referenceErrorConstructor):
        (JSC::JSGlobalObject::syntaxErrorConstructor):
        (JSC::JSGlobalObject::typeErrorConstructor):
        (JSC::JSGlobalObject::URIErrorConstructor):
        (JSC::JSGlobalObject::nullGetterFunction):
        (JSC::JSGlobalObject::nullSetterFunction):
        (JSC::JSGlobalObject::callFunction):
        (JSC::JSGlobalObject::applyFunction):
        (JSC::JSGlobalObject::definePropertyFunction):
        (JSC::JSGlobalObject::arrayProtoValuesFunction):
        (JSC::JSGlobalObject::initializePromiseFunction):
        (JSC::JSGlobalObject::newPromiseCapabilityFunction):
        (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
        (JSC::JSGlobalObject::regExpProtoExecFunction):
        (JSC::JSGlobalObject::regExpProtoSymbolReplaceFunction):
        (JSC::JSGlobalObject::regExpProtoGlobalGetter):
        (JSC::JSGlobalObject::regExpProtoUnicodeGetter):
        (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
        (JSC::JSGlobalObject::moduleLoader):
        (JSC::JSGlobalObject::objectPrototype):
        (JSC::JSGlobalObject::functionPrototype):
        (JSC::JSGlobalObject::arrayPrototype):
        (JSC::JSGlobalObject::booleanPrototype):
        (JSC::JSGlobalObject::stringPrototype):
        (JSC::JSGlobalObject::symbolPrototype):
        (JSC::JSGlobalObject::numberPrototype):
        (JSC::JSGlobalObject::datePrototype):
        (JSC::JSGlobalObject::regExpPrototype):
        (JSC::JSGlobalObject::errorPrototype):
        (JSC::JSGlobalObject::iteratorPrototype):
        (JSC::JSGlobalObject::generatorFunctionPrototype):
        (JSC::JSGlobalObject::generatorPrototype):
        (JSC::JSGlobalObject::debuggerScopeStructure):
        (JSC::JSGlobalObject::withScopeStructure):
        (JSC::JSGlobalObject::strictEvalActivationStructure):
        (JSC::JSGlobalObject::activationStructure):
        (JSC::JSGlobalObject::moduleEnvironmentStructure):
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::clonedArgumentsStructure):
        (JSC::JSGlobalObject::isOriginalArrayStructure):
        (JSC::JSGlobalObject::booleanObjectStructure):
        (JSC::JSGlobalObject::callbackConstructorStructure):
        (JSC::JSGlobalObject::callbackFunctionStructure):
        (JSC::JSGlobalObject::callbackObjectStructure):
        (JSC::JSGlobalObject::propertyNameIteratorStructure):
        (JSC::JSGlobalObject::objcCallbackFunctionStructure):
        (JSC::JSGlobalObject::objcWrapperObjectStructure):
        (JSC::JSGlobalObject::dateStructure):
        (JSC::JSGlobalObject::nullPrototypeObjectStructure):
        (JSC::JSGlobalObject::errorStructure):
        (JSC::JSGlobalObject::calleeStructure):
        (JSC::JSGlobalObject::functionStructure):
        (JSC::JSGlobalObject::boundFunctionStructure):
        (JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
        (JSC::JSGlobalObject::getterSetterStructure):
        (JSC::JSGlobalObject::nativeStdFunctionStructure):
        (JSC::JSGlobalObject::namedFunctionStructure):
        (JSC::JSGlobalObject::functionNameOffset):
        (JSC::JSGlobalObject::numberObjectStructure):
        (JSC::JSGlobalObject::privateNameStructure):
        (JSC::JSGlobalObject::mapStructure):
        (JSC::JSGlobalObject::regExpStructure):
        (JSC::JSGlobalObject::generatorFunctionStructure):
        (JSC::JSGlobalObject::setStructure):
        (JSC::JSGlobalObject::stringObjectStructure):
        (JSC::JSGlobalObject::symbolObjectStructure):
        (JSC::JSGlobalObject::iteratorResultObjectStructure):
        (JSC::JSGlobalObject::lazyTypedArrayStructure):
        (JSC::JSGlobalObject::typedArrayStructure):
        (JSC::JSGlobalObject::typedArrayStructureConcurrently):
        (JSC::JSGlobalObject::isOriginalTypedArrayStructure):
        (JSC::JSGlobalObject::typedArrayConstructor):
        (JSC::JSGlobalObject::actualPointerFor):
        (JSC::JSGlobalObject::internalFunctionStructure): Deleted.
        * runtime/JSNativeStdFunction.cpp:
        (JSC::JSNativeStdFunction::create):
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::create):
        (JSC::JSWithScope::visitChildren):
        (JSC::JSWithScope::createStructure):
        (JSC::JSWithScope::JSWithScope):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::object):
        (JSC::JSWithScope::create): Deleted.
        (JSC::JSWithScope::createStructure): Deleted.
        (JSC::JSWithScope::JSWithScope): Deleted.
        * runtime/LazyClassStructure.cpp: Added.
        (JSC::LazyClassStructure::Initializer::Initializer):
        (JSC::LazyClassStructure::Initializer::setPrototype):
        (JSC::LazyClassStructure::Initializer::setStructure):
        (JSC::LazyClassStructure::Initializer::setConstructor):
        (JSC::LazyClassStructure::visit):
        (JSC::LazyClassStructure::dump):
        * runtime/LazyClassStructure.h: Added.
        (JSC::LazyClassStructure::LazyClassStructure):
        (JSC::LazyClassStructure::get):
        (JSC::LazyClassStructure::prototype):
        (JSC::LazyClassStructure::constructor):
        (JSC::LazyClassStructure::getConcurrently):
        (JSC::LazyClassStructure::prototypeConcurrently):
        (JSC::LazyClassStructure::constructorConcurrently):
        * runtime/LazyClassStructureInlines.h: Added.
        (JSC::LazyClassStructure::initLater):
        * runtime/LazyProperty.h: Added.
        (JSC::LazyProperty::Initializer::Initializer):
        (JSC::LazyProperty::LazyProperty):
        (JSC::LazyProperty::get):
        (JSC::LazyProperty::getConcurrently):
        * runtime/LazyPropertyInlines.h: Added.
        (JSC::LazyProperty<ElementType>::Initializer<OwnerType>::set):
        (JSC::LazyProperty<ElementType>::initLater):
        (JSC::LazyProperty<ElementType>::setMayBeNull):
        (JSC::LazyProperty<ElementType>::set):
        (JSC::LazyProperty<ElementType>::visit):
        (JSC::LazyProperty<ElementType>::dump):
        (JSC::LazyProperty<ElementType>::callFunc):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::accessorGetter):
        (JSC::HashTableValue::accessorSetter):
        (JSC::HashTableValue::constantInteger):
        (JSC::HashTableValue::lexerValue):
        (JSC::HashTableValue::lazyCellPropertyOffset):
        (JSC::HashTableValue::lazyClassStructureOffset):
        (JSC::HashTableValue::lazyPropertyCallback):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        (JSC::reifyStaticProperty):
        * runtime/PropertySlot.h:
        * runtime/TypedArrayType.h:

2016-05-03  Per Arne Vollan  <peavo@outlook.com>

        [Win] Remove Windows XP Compatibility Requirements
        https://bugs.webkit.org/show_bug.cgi?id=152899

        Reviewed by Brent Fulgham.

        Windows XP is not supported anymore, we can remove workarounds.

        * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp:
        (enableTerminationOnHeapCorruption):

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.assert should do far less work when the assertion is true
        https://bugs.webkit.org/show_bug.cgi?id=157297
        <rdar://problem/26056556>

        Reviewed by Timothy Hatcher.

        * runtime/ConsoleClient.h:
        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::assertion):
        (JSC::ConsoleClient::assertCondition): Deleted.
        Rename, now that this will only get called when the assertion failed.

        * runtime/ConsoleObject.cpp:
        (JSC::consoleProtoFuncAssert):
        Avoid doing any work if the assertion succeeded.

2016-05-03  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed follow-up testapi fix after r200355.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        Revert back to non-enumerable. This matches our older behavior,
        we can decide to make this Enumerable later if needed.

2016-05-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Reflect.toString() should be [object Object] not [object Reflect]
        https://bugs.webkit.org/show_bug.cgi?id=157288

        Reviewed by Darin Adler.

        * runtime/ReflectObject.cpp:
        * tests/stress/reflect.js: Added.

2016-05-02  Jon Davis  <jond@apple.com>

        Add Resource Timing entry to the Feature Status page.
        https://bugs.webkit.org/show_bug.cgi?id=157285

        Reviewed by Timothy Hatcher.

        * features.json:

2016-05-02  Joseph Pecoraro  <pecoraro@apple.com>

        Make console a namespace object (like Math/JSON), allowing functions to be called unbound
        https://bugs.webkit.org/show_bug.cgi?id=157286
        <rdar://problem/26052830>

        Reviewed by Timothy Hatcher.

        This changes `console` to be a global namespace object, like `Math` and `JSON`.
        It just holds a bunch of functions, that can be used on their own, unbound.
        For example, `[1,2,3].forEach(console.log)` and `var log = console.log; log(1)`
        used to throw exceptions and now do not.

        Previously console was an Object/Prototype pair, so functions were on
        ConsolePrototype (console.__proto__.log) and they needed to be called
        Console objects as the `this` value. Now, `console` is just a standard
        object with a bunch of functions. Since there is no console prototype the
        functions can be passed around and called as expected and they will
        just do the right thing.

        For compatability with other browsers, `console` was made enumerable
        on the global object.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new files and remove old files.

        * runtime/CommonIdentifiers.h:
        Add "console".

        * runtime/ConsoleObject.cpp: Renamed from Source/JavaScriptCore/runtime/ConsolePrototype.cpp.
        (JSC::ConsoleObject::ConsoleObject):
        (JSC::ConsoleObject::finishCreation):
        (JSC::valueToStringWithUndefinedOrNullCheck):
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncDebug):
        (JSC::consoleProtoFuncError):
        (JSC::consoleProtoFuncLog):
        (JSC::consoleProtoFuncInfo):
        (JSC::consoleProtoFuncWarn):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTakeHeapSnapshot):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        Console functions no longer need to check if the this object is
        a Console object. They will always just work now.

        * runtime/MathObject.cpp:
        * runtime/MathObject.h:
        * runtime/ConsoleObject.h: Renamed from Source/JavaScriptCore/runtime/ConsolePrototype.h.
        (JSC::ConsoleObject::create):
        (JSC::ConsoleObject::createStructure):
        ConsoleObject is a basic object like MathObject.

        * runtime/JSConsole.cpp: Removed.
        * runtime/JSConsole.h: Removed.
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        Remove JSConsole / ConsolePrototype in favor of the single ConsoleObject.

2016-05-02  Per Arne Vollan  <peavo@outlook.com>

        [Win] Clean up annoying compiler warnings
        https://bugs.webkit.org/show_bug.cgi?id=149813

        Reviewed by Alex Christensen.

        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isWatchableWhenValid):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::sendPendingErrors):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createWithInlineFrame):
        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/JSObject.cpp:
        (JSC::JSObject::heapSnapshot):
        (JSC::callToPrimitiveFunction):
        * runtime/RegExpPrototype.cpp:
        (JSC::flagsString):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::functionStartColumn):

2016-05-02  Keith Miller  <keith_miller@apple.com>

        ToThis should be able to be eliminated in Constant Folding
        https://bugs.webkit.org/show_bug.cgi?id=157213

        Reviewed by Saam Barati.

        This patch enables eliminating the ToThis value when we have abstract interpreter
        indicates the node is not needed. Since there are Objects that override their
        ToThis behavior we first check if we can eliminate the node by looking at its
        speculated type. If the function is in strict mode then we can eliminate ToThis as
        long as the speculated type is not SpecObjectOther since that contains objects
        that may set OverridesToThis. If the function is not in strict mode then we can
        eliminate ToThis as long is the speculated type is an object that is not SpecObjectOther.

        If we can't eliminate with type information we can still eliminate the ToThis node with
        the proven structure set. When ToThis only sees structures that do not set OverridesToThis
        it can be eliminated. Additionally, if the function is in strict mode then we can eliminate
        ToThis as long as all only the object structures don't set OverridesToThis.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::isToThisAnIdentity):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupToThis):
        * tests/stress/to-this-global-object.js: Added.
        (test):
        (test2):
        (get for):

2016-05-01  Skachkov Oleksandr  <gskachkov@gmail.com>

        Class contructor and methods shouldn't have "arguments" and "caller"
        https://bugs.webkit.org/show_bug.cgi?id=144238

        Reviewed by Ryosuke Niwa.

        Added TypeError that is raised in case of access to properties 'arguments' or 'caller'
        of constructor or method of class. Actually TypeError already raised for most cases, except
        case with undeclared constructor e. g. 
        class A {}
        (new A).constructor.caller 
        (new A).constructor.arguments

        * runtime/JSFunction.cpp:
        (JSC::getThrowTypeErrorGetterSetter):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createThrowTypeErrorArgumentsAndCaller):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerGetterSetter):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncThrowTypeErrorArgumentsAndCaller):
        * runtime/JSGlobalObjectFunctions.h:

2016-05-02  Yoav Weiss  <yoav@yoav.ws>

        Move ResourceTiming behind a runtime flag
        https://bugs.webkit.org/show_bug.cgi?id=157133

        Reviewed by Alex Christensen.

        * runtime/CommonIdentifiers.h: Added PerformanceEntry, PerformanceEntryList and PerformanceResourceTiming as property names.

2016-05-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Assertion failure for bound function with custom prototype and Reflect.construct
        https://bugs.webkit.org/show_bug.cgi?id=157081

        Reviewed by Saam Barati.

        We ensured `newTarget != exec->callee()`. However, it does not mean `newTarget.get("prototype") != exec->callee()->get("prototype")`.
        When the given `prototype` is the same to `baseStructure->sotredPrototype()`, it is unnecessary to create a new structure from this
        baseStructure.

        * bytecode/InternalFunctionAllocationProfile.h:
        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
        * tests/stress/custom-prototype-may-be-same-to-original-one.js: Added.
        (shouldBe):
        (boundFunction):

2016-04-30  Konstantin Tokarev  <annulen@yandex.ru>

        Guard ObjC-specific code in Heap.cpp with USE(FOUNDATION)
        https://bugs.webkit.org/show_bug.cgi?id=157236

        Reviewed by Darin Adler.

        This also fixes build with GCC 4.8 which does not provide
        __has_include.

        * heap/Heap.cpp:

2016-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Assertion failure for destructuring assignment with new.target and unary operator
        https://bugs.webkit.org/show_bug.cgi?id=157149

        Reviewed by Saam Barati.

        The caller of parseDefaultValueForDestructuringPattern() should propagate errors.
        And this patch also cleans up createSavePoint and createSavePointForError; introducing SavePointWithError.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        Add propagateErorr() for parseDefaultValueForDestructuringPattern.

        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::restoreLexerState):
        (JSC::Parser::internalSaveState):
        (JSC::Parser::createSavePointForError):
        (JSC::Parser::createSavePoint):
        (JSC::Parser::internalRestoreState):
        (JSC::Parser::restoreSavePointWithError):
        (JSC::Parser::restoreSavePoint):
        * tests/stress/default-value-parsing-should-propagate-error.js: Added.
        (testSyntaxError):
        (testSyntaxError.f):

2016-04-28  Darin Adler  <darin@apple.com>

        First step in using "enum class" instead of "String" for enumerations in DOM
        https://bugs.webkit.org/show_bug.cgi?id=157163

        Reviewed by Chris Dumez.

        * runtime/JSString.h:
        (JSC::jsStringWithCache): Deleted unneeded overload for AtomicString.

2016-04-29  Benjamin Poulain  <bpoulain@apple.com>

        [JSC][ARMv7S] Arithmetic module results change when tiering up to DFG
        https://bugs.webkit.org/show_bug.cgi?id=157217
        rdar://problem/24733432

        Reviewed by Mark Lam.

        ARMv7's fmod() returns less accurate results than an integer division.
        Since we have integer div on ARMv7s, the results start changing when
        we reach DFG.

        In this patch, I change our fmod slow path to behave like the fast path
        on ARMv7s.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::fmodAsDFGOperation): Deleted.
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/MathCommon.cpp:
        (JSC::isStrictInt32):
        * runtime/MathCommon.h:

2016-04-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Issues inspecting the inspector, pausing on breakpoints causes content to not load
        https://bugs.webkit.org/show_bug.cgi?id=157198
        <rdar://problem/26011049>

        Reviewed by Timothy Hatcher.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::sendResponse):
        While auditing the code, add a WTFMove.

2016-04-29  Mark Lam  <mark.lam@apple.com>

        Make RegExp.prototype.test spec compliant.
        https://bugs.webkit.org/show_bug.cgi?id=155862

        Reviewed by Saam Barati.

        * builtins/RegExpPrototype.js:
        (intrinsic.RegExpTestIntrinsic.test):

        * create_hash_table:
        - Delete obsoleted code.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        - We now have 2 intrinsics for RegExp.prototype.test:
          RegExpTestIntrinsic and RegExpTestFastIntrinsic.

          RegExpTestIntrinsic maps to the entry at the top of the builtin ES6
          RegExp.prototype.test.
          RegExpTestFastIntrinsic maps to the fast path in the builtin ES6
          RegExp.prototype.test.

          Both will end up using the RegExpTest DFG node to implement the fast path
          of RegExp.prototype.test.  RegExpTestIntrinsic will have some additional checks
          before the RegExpTest node.  Those checks are for speculating that it is ok for
          us to take the fast path.

        * runtime/CommonIdentifiers.h:
        * runtime/Intrinsic.h:

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        - Added the regExpTestFast function.
        - Also fixed the parameter length on 2 other functions that were erroneous.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncTest): Deleted.
        * runtime/RegExpPrototype.h:
        * tests/es6.yaml:

2016-04-29  Benjamin Poulain  <benjamin@webkit.org>

        Extend math-pow-stable-results.js to get more information about the failure

        * tests/stress/math-pow-stable-results.js:

2016-04-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        Assertion failure for exception in "prototype" property getter and Reflect.construct
        https://bugs.webkit.org/show_bug.cgi?id=157084

        Reviewed by Mark Lam.

        InternalFunction::createSubclassStrucuture may throw exceptions because it performs [[Get]] to
        look up the "prototype" object. The current assertion is invalid.
        We also found that Object constructor is not aware of new.target. This is filed[1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=157196

        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * tests/stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Added.
        (shouldThrow):
        (bf):

2016-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r200232.
        https://bugs.webkit.org/show_bug.cgi?id=157189

        This change broke the Mac CMake build and its LayoutTest is
        failing and/or flaky on all platforms (Requested by ryanhaddad
        on #webkit).

        Reverted changeset:

        "Move ResourceTiming behind a runtime flag"
        https://bugs.webkit.org/show_bug.cgi?id=157133
        http://trac.webkit.org/changeset/200232

2016-04-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] RegExp.prototype.@@replace should use @isObject instead of `instanceof` for object guard
        https://bugs.webkit.org/show_bug.cgi?id=157124

        Reviewed by Keith Miller.

        Use @isObject instead of `instanceof @Object`.
        The `instanceof` check is not enough to check Object Type.
        This fix itself is the same to r199647, and this patch is for RegExp.prototype.@@replace.

        * builtins/RegExpPrototype.js:
        (replace):
        * tests/stress/regexp-replace-in-other-realm-should-work.js: Added.
        (shouldBe):
        * tests/stress/regexp-replace-should-work-with-objects-not-inheriting-object-prototype.js: Added.
        (shouldBe):
        (regexp.exec):

2016-04-29  Yoav Weiss  <yoav@yoav.ws>

        Move ResourceTiming behind a runtime flag
        https://bugs.webkit.org/show_bug.cgi?id=157133

        Reviewed by Alex Christensen.

        * runtime/CommonIdentifiers.h: Added PerformanceEntry, PerformanceEntryList and PerformanceResourceTiming as property names.

2016-04-28  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused bool parameter in CodeCache::getGlobalCodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=157156

        Reviewed by Mark Lam.

        The bool parameter appears to be isArrowFunctionContext, but the method's
        contents just get that property from the Executable, so the parameter is
        unnecessary and unused.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:

2016-04-28  Caitlin Potter  <caitp@igalia.com>

        [JSC] re-implement String#padStart and String#padEnd in JavaScript
        https://bugs.webkit.org/show_bug.cgi?id=157146

        Reviewed by Saam Barati.

        * builtins/StringPrototype.js:
        (repeatCharactersSlowPath):
        (padStart):
        (padEnd):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation): Deleted.
        (JSC::repeatStringPattern): Deleted.
        (JSC::padString): Deleted.
        (JSC::stringProtoFuncPadEnd): Deleted.
        (JSC::stringProtoFuncPadStart): Deleted.

2016-04-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Tweak auto attach initialization on some platforms
        https://bugs.webkit.org/show_bug.cgi?id=157150
        <rdar://problem/21222045>

        Reviewed by Timothy Hatcher.

        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::cycle):
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):

2016-04-28  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Unify Math.pow() accross all tiers
        https://bugs.webkit.org/show_bug.cgi?id=157121

        Reviewed by Geoffrey Garen.

        My previous optimizations of DFG compile time have slowly
        regressed Sunspider's math-partial-sums.

        What is happenning is baseline used a thunk for Math.pow()
        that has a special case for an exponent of -0.5, while
        DFG/FTL have other special cases for other exponents.
        The faster we get to DFG, the less time we spend in that fast
        case for -0.5.

        While looking into this, I discovered some correctness issues. Baseline
        optimizes y=-0.5 by turning it into 1/sqrt(). DFG/FTL optimize constant
        y=0.5 by turning it into sqrt(). The problem is sqrt() behaves differently
        for -0 and -Infinity. With sqrt(), negative numbers are undefined,
        and the result is NaN. With pow(), they have a result.

        Something else that has bothered me for a while is that Math.pow()
        with the same arguments give you different results in LLINT, Baseline,
        and DFG/FTL. This seems a bit dangerous for numerical stability.

        With this patch, I unify the behaviors for all tiers while keeping
        the "special cases".

        We have pow() that is super slow, but most callers don't need the
        full power. We have:
        -pow() with an exponent between 0 and 1000 is a fast path implemented
         by multiplication only.
        -pow(x, 0.5) is sqrt with special checks for negative values.
        -pow(x, -0.5) is sqrt with special checks for negative values.

        The C++ implementation handles all those optimizations too. This ensure
        you get the same results from LLINT to FTL.

        The thunk is eliminated, it was producing incorrect results and only
        optimized Sunspider's partial-sums.

        DFG gets the optimized integer, 0.5 and -0.5 cases since those are important
        for somewhat-hot code. DFG falls back to the C++ code for any non-obvious case.

        FTL gets the full C++ implementation inlined in B3. B3 knows how to eliminate
        all the dead cases so you get the best if your code is hot enough to reach FTL.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToArithSqrt): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::compileArithPowIntegerFastPath):
        (JSC::DFG::SpeculativeJIT::compileArithPow):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithPow):
        * jit/ThunkGenerators.cpp:
        (JSC::powThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        * runtime/MathCommon.cpp:
        (JSC::operationMathPow):
        * runtime/MathCommon.h:
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic): Deleted.
        * tests/stress/math-pow-stable-results.js: Added.
        Getting consistent results when tiering up is new.
        This test verify that results always remains the same as LLINT.

        * tests/stress/math-pow-with-constants.js:
        (testPowUsedAsSqrt):
        (powUsedAsOneOverSqrt):
        (testPowUsedAsOneOverSqrt):
        (powUsedAsSquare):
        (testPowUsedAsSquare):

2016-04-28  Mark Lam  <mark.lam@apple.com>

        DebuggerScope::className() should not assert scope->isValid().
        https://bugs.webkit.org/show_bug.cgi?id=157143

        Reviewed by Keith Miller.

        DebuggerScope::className() should not assert scope->isValid() because the
        TypeProfiler logs objects it encounters, and may indirectly call
        JSObject::calculatedClassName() on those objects later, thereby calling
        DebuggerScope::className() on an invalidated DebuggerScope.

        The existing handling in DebuggerScope::className() for an invalidated scope
        (that returns a null string) is sufficient.

        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::className):

2016-04-28  Caitlin Potter  <caitp@igalia.com>

        [JSC] implement spec changes for String#padStart and String#padEnd
        https://bugs.webkit.org/show_bug.cgi?id=157139

        Reviewed by Keith Miller.

        Previously, if the fill string was the empty string, it was treated as a
        single U+0020 SPACE character. Now, if this occurs, the original string
        is returned instead.

        Change was discussed at TC39 in March [1], and is reflected in new
        test262 tests for the feature.

        [1] https://github.com/tc39/tc39-notes/blob/master/es7/2016-03/march-29.md#stringprototypepadstartpadend

        * runtime/StringPrototype.cpp:
        (JSC::padString):
        * tests/es6/String.prototype_methods_String.prototype.padEnd.js:
        (TestFillerToString):
        (TestFillerEmptyString):
        * tests/es6/String.prototype_methods_String.prototype.padStart.js:
        (TestFillerToString):
        (TestFillerEmptyString):

2016-04-28  Skachkov Oleksandr  <gskachkov@gmail.com>

        Crash for non-static super property call in derived class constructor
        https://bugs.webkit.org/show_bug.cgi?id=157089

        Reviewed by Darin Adler.
       
        Added tdz check of the 'this' before access to the 'super' for FunctionCallBracketNode, 
        the same as it was done for FunctionCallDotNode.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallBracketNode::emitBytecode):

2016-04-27  Mark Lam  <mark.lam@apple.com>

        The GetterSetter structure needs a globalObject.
        https://bugs.webkit.org/show_bug.cgi?id=157120

        Reviewed by Filip Pizlo.

        In r199170: <http://trac.webkit.org/r199170>, GetterSetter was promoted from
        being a JSCell to a JSObject.  JSObject methods expect their structure to have a
        globalObject.  For example, see JSObject::calculatedClassName().  GetterSetter
        was previously using a singleton getterSetterStructure owned by the VM.  That
        singleton getterSetterStructure is not associated with any globalObjects.  As a
        result, JSObject::calculatedClassName() will run into a null globalObject when it
        is called on a GetterSetter object.

        This patch removes the VM singleton getterSetterStructure, and instead, creates
        a getterSetterStructure for each JSGlobalObject.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * runtime/GetterSetter.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::functionStructure):
        (JSC::JSGlobalObject::boundFunctionStructure):
        (JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
        (JSC::JSGlobalObject::getterSetterStructure):
        (JSC::JSGlobalObject::nativeStdFunctionStructure):
        (JSC::JSGlobalObject::namedFunctionStructure):
        (JSC::JSGlobalObject::functionNameOffset):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2016-04-27  Keith Miller  <keith_miller@apple.com>

        Unreviewed, Revert r199397 due to PLT regressions

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ArrayPrototype.js:
        (concatSlowPath): Deleted.
        (concat): Deleted.
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): Deleted.
        * bytecode/BytecodeIntrinsicRegistry.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileIsJSArray): Deleted.
        (JSC::DFG::SpeculativeJIT::compileIsArrayObject): Deleted.
        (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor): Deleted.
        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile): Deleted.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::isArray): Deleted.
        * jit/JITOperations.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDataLogValue): Deleted.
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
        * runtime/ArrayConstructor.h:
        (JSC::isArrayConstructor): Deleted.
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoPrivateFuncIsJSArray): Deleted.
        (JSC::moveElements): Deleted.
        (JSC::arrayProtoPrivateFuncConcatMemcpy): Deleted.
        (JSC::arrayProtoPrivateFuncAppendMemcpy): Deleted.
        * runtime/ArrayPrototype.h:
        * runtime/CommonIdentifiers.h:
        * runtime/Intrinsic.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::fastConcatWith):
        (JSC::JSArray::appendMemcpy): Deleted.
        * runtime/JSArray.h:
        (JSC::JSArray::fastConcatType):
        (JSC::JSArray::createStructure):
        (JSC::isJSArray):
        * runtime/JSArrayInlines.h: Removed.
        (JSC::JSArray::memCopyWithIndexingType): Deleted.
        (JSC::JSArray::canFastCopy): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSType.h:
        * runtime/ObjectConstructor.h:
        (JSC::constructObject): Deleted.
        * tests/es6.yaml:
        * tests/stress/array-concat-spread-object.js: Removed.
        (arrayEq): Deleted.
        * tests/stress/array-concat-spread-proxy-exception-check.js: Removed.
        (arrayEq): Deleted.
        * tests/stress/array-concat-spread-proxy.js: Removed.
        (arrayEq): Deleted.
        * tests/stress/array-concat-with-slow-indexingtypes.js: Removed.
        (arrayEq): Deleted.
        * tests/stress/array-species-config-array-constructor.js:

2016-04-27  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r200117): Crash in lowerDFGToB3::compileStringReplace()
        https://bugs.webkit.org/show_bug.cgi?id=157099

        Reviewed by Saam Barati.

        Given that the DFGFixupPhase could mark the edge of child2 as StringUse,
        we need to lower that edge appropriately.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):

2016-04-27  Mark Lam  <mark.lam@apple.com>

        Address feedback from https://bugs.webkit.org/show_bug.cgi?id=157048#c5.
        https://bugs.webkit.org/show_bug.cgi?id=157096

        Reviewed by Geoffrey Garen.

        1. Check for USE(APPLE_INTERNAL_SDK) instead of __has_include(<mach-o/dyld_priv.h>).
        2. Rename webkitFirstSDKVersionWithInitConstructorSupport to
           firstSDKVersionWithInitConstructorSupport.

        * API/JSWrapperMap.mm:
        (supportsInitMethodConstructors):

2016-04-27  Mark Lam  <mark.lam@apple.com>

        Restrict the availability of some JSC options to local debug builds only.
        https://bugs.webkit.org/show_bug.cgi?id=157058

        Reviewed by Geoffrey Garen.

        1. Each option will be given an availability flag.
        2. The functionOverrides and useDollarVM (along with its alias, enableDollarVM)
           will have "Restricted" availability.
        3. All other options will have “Normal” availability.
        4. Any options with "Restricted" availability will only be accessible if function
           allowRestrictedOptions() returns true.
        5. For now, allowRestrictedOptions() always returns false for release builds, and
           true for debug builds.

        If an option is "Restricted" and restricted options are not allowed, the VM will
        behave semantically as if that option does not exist at all:
        1. Option dumps will not show the option.
        2. Attempts to set the option will fail as if the option does not exist.

        Behind the scene, the option does exist, and is set to its default value
        (whatever that may be) once and only once on options initialization.

        * runtime/Options.cpp:
        (JSC::allowRestrictedOptions):
        (JSC::parse):
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::initialize):
        (JSC::Options::setOptionWithoutAlias):
        (JSC::Options::dumpOption):
        * runtime/Options.h:
        (JSC::Option::type):
        (JSC::Option::availability):
        (JSC::Option::isOverridden):

2016-04-27  Gavin Barraclough  <barraclough@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720
        <rdar://problem/25841790>

        Unreviewed rollout - caused memory regression.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-27  Benjamin Poulain  <bpoulain@apple.com>

        Follow up for r200113 on 32bit

        I forgot to do the 32bit counterpart of r200113.
        The test fails on the bots.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-04-27  Alberto Garcia  <berto@igalia.com>

        [GTK] Fails to build randomly when generating LLIntDesiredOffsets.h
        https://bugs.webkit.org/show_bug.cgi?id=155427

        Reviewed by Carlos Garcia Campos.

        If the build directory contains the -I string, the script that
        generates LLIntDesiredOffsets.h will confuse it with an option to
        declare an include directory.

        In order to avoid that we should only use the arguments that start
        with -I when extracting the list of include directories, instead
        of using the ones that simply contain that string.

        * offlineasm/parser.rb:

2016-04-27  Saam barati  <sbarati@apple.com>

        JSC should have an option to allow global const redeclarations
        https://bugs.webkit.org/show_bug.cgi?id=157006

        Reviewed by Geoffrey Garen.

        This patch implements an option that dictates whether
        const redeclarations at the program level will throw.
        This option defaults to true but allows users of JSC
        to set it to false. This option is per VM. This is needed
        for backwards compatibility with our old const implementation.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionShadowChickenFunctionsOnStack):
        (functionSetGlobalConstRedeclarationShouldNotThrow):
        (functionReadline):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/JSGlobalLexicalEnvironment.cpp:
        (JSC::JSGlobalLexicalEnvironment::put):
        (JSC::JSGlobalLexicalEnvironment::isConstVariable):
        * runtime/JSGlobalLexicalEnvironment.h:
        (JSC::JSGlobalLexicalEnvironment::isEmpty):
        * runtime/VM.h:
        (JSC::VM::setGlobalConstRedeclarationShouldThrow):
        (JSC::VM::globalConstRedeclarationShouldThrow):
        * tests/stress/global-const-redeclaration-setting: Added.
        * tests/stress/global-const-redeclaration-setting-2.js: Added.
        (assert):
        * tests/stress/global-const-redeclaration-setting-3.js: Added.
        (assert):
        (catch):
        * tests/stress/global-const-redeclaration-setting-4.js: Added.
        (assert):
        (catch):
        * tests/stress/global-const-redeclaration-setting-5.js: Added.
        (assert):
        (catch):
        * tests/stress/global-const-redeclaration-setting.js: Added.
        (assert):
        * tests/stress/global-const-redeclaration-setting/first.js: Added.
        * tests/stress/global-const-redeclaration-setting/let.js: Added.
        * tests/stress/global-const-redeclaration-setting/second.js: Added.
        * tests/stress/global-const-redeclaration-setting/strict.js: Added.

2016-04-26  Michael Saboff  <msaboff@apple.com>

        [ES] Implement RegExp.prototype.@@replace and use it for String.prototype.replace
        https://bugs.webkit.org/show_bug.cgi?id=156562

        Reviewed by Filip Pizlo.

        Added builtins for String.prototype.replace as well as RegExp.prototype[Symbol.replace].

        The String.prototype.replace also has an intrinsic, StringPrototypeReplaceIntrinsic.
        This original intrinsic was copied to make StringPrototypeReplaceRegExpIntrinsic.
        The difference between the two intrinsics is that StringPrototypeReplaceIntrinsic has
        the same checks found in the new builtin hasObservableSideEffectsForStringReplace.
        We implement these primordial checks for StringPrototypeReplaceIntrinsic in two places.
        First, we do a trial check during ByteCode parsing time to see if the current
        RegExp.prototype properties have changed from the original.  If they have, we don't
        inline the intrinsic.  Later, in the fixup phase, we add nodes to the IR to emit the
        checks at runtime.

        The new intrinsic StringPrototypeReplaceRegExpIntrinsic is only available via the
        private @replaceUsingRegExp, which is called in the String.prototype.replace builtin.
        It is only called after hasObservableSideEffectsForStringReplace has been called

        Both of these intrinsics are needed, because the JS code containing String.replace() calls
        runs initially in the LLint and then the baseline JIT.  Even after the function tiers up
        to the DFG JIT, the inlining budget may not allow StringPrototypeReplaceIntrinsic to be inlined.
        Having StringPrototypeReplaceRegExpIntrinsic allows for the String.prototype.replace builtin to
        get reasonable performance before the other intrinsic is inlined or when it can't.

        * builtins/RegExpPrototype.js:
        (match):
        (getSubstitution):
        (replace):
        (search):
        (split):
        * builtins/StringPrototype.js:
        (repeat):
        (hasObservableSideEffectsForStringReplace):
        (intrinsic.StringPrototypeReplaceIntrinsic.replace):
        (localeCompare):
        New builtins for String.prototype.replace and RegExp.prototype[Symbol.replace].

        * bytecode/BytecodeIntrinsicRegistry.cpp:
        * bytecode/BytecodeIntrinsicRegistry.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
        (JSC::DFG::FixupPhase::tryAddStringReplacePrimordialChecks):
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::getRegExpPrototypeProperty):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::getRegExpPrototypeProperty):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * runtime/CommonIdentifiers.h:
        * runtime/Intrinsic.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::replace):
        (JSC::stringProtoFuncReplaceUsingRegExp):
        (JSC::stringProtoFuncReplaceUsingStringSearch):
        (JSC::operationStringProtoFuncReplaceGeneric):
        (JSC::stringProtoFuncReplace): Deleted.
        Added StringReplaceRegExp intrinsic.  Added checks for RegExp profiled arguments to StringReplace
        that mirror what is in hasObservableSideEffectsForStringReplace().  If we aren't able to add the
        checks, we OSR exit.  Add Graph::getPrimordialRegExpPrototypeProperty() as a helper to get the
        primordial values from RegExp.prototype.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Added @regExpPrototypeSymbolReplace and
        @hasObservableSideEffectsForStringReplace here instead og String.prototype so that we reduce the
        number of objects we have to traverse.

        * tests/es6.yaml: Changed expectations for the various replace related tests to passing.

        * tests/stress/regexp-replace-proxy.js:
        (assert):
        (let.getProxyNullExec.new.Proxy):
        (let.getSetProxyNullExec.new.Proxy):
        (get resetTracking):
        (let.getSetProxyMatches_comma.new.Proxy):
        (set get getSetProxyNullExec):
        (let.getSetProxyReplace_phoneNumber.new.Proxy):
        (set get getSetProxyMatches_comma):
        (let.getSetProxyReplaceUnicode_digit_nonGreedy.new.Proxy):
        (set get resetTracking):
        * tests/stress/string-replace-proxy.js:
        (assert):
        (let.getSetProxyReplace.new.Proxy.replace):
        New tests.

2016-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: speculative build fix.

        Not reviewed.

        * API/JSWrapperMap.mm:

2016-04-26  Mark Lam  <mark.lam@apple.com>

        Update the compatibility version check for the ObjC API's InitConstructorSupport to use dyld_get_program_sdk_version().
        https://bugs.webkit.org/show_bug.cgi?id=157048

        Reviewed by Geoffrey Garen.

        * API/JSWrapperMap.mm:
        (supportsInitMethodConstructors):
        (getJSExportProtocol):

2016-04-26  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] GetByVal on Undecided use its children before its OSR Exit
        https://bugs.webkit.org/show_bug.cgi?id=157046

        Reviewed by Mark Lam.

        Very silly bug: GetByVal on Undecided uses its children before
        the speculationCheck(). If we fail the speculation, we have already
        lost how to recover the values.

        The existing tests did not catch this because we tier up to B3
        before such Exits happen. B3 has explicit liveness and did not suffer
        from this bug.
        The new test has a smaller warmup to exercise the OSR Exit in DFG
        instead of FTL.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * tests/stress/get-by-val-on-undecided-out-of-bounds.js: Added.
        (string_appeared_here.opaqueGetByValKnownArray):

2016-04-26  Skachkov Oleksandr  <gskachkov@gmail.com>

        calling super() a second time in a constructor should throw
        https://bugs.webkit.org/show_bug.cgi?id=151113

        Reviewed by Saam Barati.

        Currently, our implementation checks if 'super()' was called in a constructor more
        than once and raises a RuntimeError before the second call. According to the spec
        we need to raise an error just after the second super() is finished and before
        the new 'this' is assigned https://esdiscuss.org/topic/duplicate-super-call-behaviour.
        To implement this behavior this patch adds a new op code, op_is_empty, that is used
        to check if 'this' is empty.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitIsEmpty):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallValueNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_empty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_empty):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * tests/stress/class-syntax-double-constructor.js: Added.

2016-04-26  Mark Lam  <mark.lam@apple.com>

        Changed jsc options title to be more descriptive.
        https://bugs.webkit.org/show_bug.cgi?id=157036

        Reviewed by Joseph Pecoraro.

        Let the title for --dumpOptions be "Modified JSC runtime options:" since it only
        dumps overridden options.  The title for --options will remain "All JSC runtime
        options:" since it dumps all all options with verbose detail.

        * jsc.cpp:
        (CommandLine::parseArguments):

2016-04-26  Oliver Hunt  <oliver@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720

        Unreviewed roll-in of this change. There is only one
        additional allocation involved in this logic, and that
        is a duplicate mapping.

        Either our tools are not report real memory usage
        or this revision is not responsible for the regression.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-26  Filip Pizlo  <fpizlo@apple.com>

        DFG backends shouldn't emit type checks at KnownBlah edges
        https://bugs.webkit.org/show_bug.cgi?id=157025

        Reviewed by Michael Saboff.
        
        This fixes a crash I found when browsing Bing maps with forceEagerCompilation. I include a
        100% repro test case.
        
        The issue is that our code still doesn't fully appreciate the devious implications of
        KnownBlah use kinds. Consider KnownCell for example. It means: "trust me, I know that this
        value will be a cell". You aren't required to provide a proof when you use KnownCell. Often,
        we use it as a result of a path-sensitive proof. The abstract interpreter is not
        path-sensitive, so AI will be absolutely sure that the KnownCell use might see a non-cell.
        This can lead to debug assertions (which this change removes) and it can lead to the backends
        emitting a type check. That type check can be pure evil if the node that has this edge does
        not have an exit origin. Such a node would have passed validation because the validater would
        have thought that the node cannot exit (after all, according to the IR semantics, there is no
        speculation at KnownCell).

        This comprehensively fixes the issue by recognizing that Foo(KnownCell:@x) means: I have
        already proved that by the time you start executing Foo, @x will already be a cell. I cannot
        tell you how I proved this but you can rely on it anyway. AI now takes advantage of this
        meaning and will always do filtering of KnownBlah edges regardless of whether the backend
        actually emits any type checks for those edges. Since the filtering runs before the backend,
        the backend will not emit any checks because it will know that the edge was already checked
        (by whatever mechanism we used when we made the edge KnownBlah).
        
        Note that it's good that we found this bug now. The DFG currently does very few
        sparse-conditional or path-sensitive optimizations, but it will probably do more in the
        future. The bug happens because GetByOffset and friends can achieve path-sensitive proofs via
        watchpoints on the inferred type. Normally, AI can follow along with this proof. But in the
        example program, and on Bing maps, we would GCSE one GetByOffset with another that had a
        weaker proven type. That turned out to be completely sound - between the two GetByOffset's
        there was a Branch to null check it. The inferred type of the second GetByOffset ended up
        knowing that it cannot be null because null only occurred in some structures but not others.
        If we added more sparse-conditional stuff to Branch, then AI would know how to follow along
        with the proof but it would also create more situations where we'd have a path-sensitive
        proof. So, it's good that we're now getting this right.

        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeKnownEdgeTypes):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * tests/stress/path-sensitive-known-cell-crash.js: Added.
        (bar):
        (foo):

2016-04-26  Gavin Barraclough  <barraclough@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720

        Unreviewed rollout - caused memory regression.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-26  Joseph Pecoraro  <pecoraro@apple.com>

        Improve jsc --help and making sampling options
        https://bugs.webkit.org/show_bug.cgi?id=157015

        Reviewed by Saam Barati.

        Simplify sampling options to be easier to remember:

          * --reportSamplingProfilerData => --sample
          * --samplingProfilerTimingInterval => --sampleInterval

        Update the --help to mention --sample, and restore the behavior of
        --options outputing all possible options so you can discover which
        options are available.        

        * jsc.cpp:
        (printUsageStatement):
        (CommandLine::parseArguments):
        Improve help and modify option dumping.

        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler):
        Rename the sampling interval option.

2016-04-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r200083.
        https://bugs.webkit.org/show_bug.cgi?id=157033

         It brokes the debug build (Requested by gskachkov on
        #webkit).

        Reverted changeset:

        "calling super() a second time in a constructor should throw"
        https://bugs.webkit.org/show_bug.cgi?id=151113
        http://trac.webkit.org/changeset/200083

2016-04-26  Skachkov Oleksandr  <gskachkov@gmail.com>

        calling super() a second time in a constructor should throw
        https://bugs.webkit.org/show_bug.cgi?id=151113

        Reviewed by Saam Barati.

        Currently, our implementation checks if 'super()' was called in a constructor more 
        than once and raises a RuntimeError before the second call. According to the spec 
        we need to raise an error just after the second super() is finished and before 
        the new 'this' is assigned https://esdiscuss.org/topic/duplicate-super-call-behaviour. 
        To implement this behavior this patch adds a new op code, op_is_empty, that is used 
        to check if 'this' is empty.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitIsEmpty):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallValueNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_empty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_empty):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * tests/stress/class-syntax-double-constructor.js: Added.

2016-04-25  Ryosuke Niwa  <rniwa@webkit.org>

        Remove the build flag for template elements
        https://bugs.webkit.org/show_bug.cgi?id=157022

        Reviewed by Daniel Bates.

        * Configurations/FeatureDefines.xcconfig:

2016-04-25  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Constant folding of UInt32ToNumber is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=157011
        rdar://problem/25769641

        Reviewed by Geoffrey Garen.

        UInt32ToNumber should return the unsigned 32bit value of
        its child. The abstract interpreter fails to do that when handling
        Int52.

        None of the tests caught that because the bytecode generator already
        fold the operation if given a constant. If the constant is not visible
        from the bytecode generator (for example because it comes from an inlined call),
        then the abstract interpreter folding was producing invalid results.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * tests/stress/uint32-to-number-constant-folding.js: Added.
        (uint32ToNumberMinusOne):
        (uint32ToNumberMinusOnePlusInteger):
        (inlineMinusOne):
        (uint32ToNumberOnHiddenMinusOne):
        (uint32ToNumberOnHiddenMinusOnePlusInteger):
        (inlineLargeNegativeNumber1):
        (inlineLargeNegativeNumber2):
        (inlineLargeNegativeNumber3):
        (uint32ToNumberOnHiddenLargeNegativeNumber1):
        (uint32ToNumberOnHiddenLargeNegativeNumber2):
        (uint32ToNumberOnHiddenLargeNegativeNumber3):

2016-04-25  Fujii Hironori  <Hironori.Fujii@sony.com>

        Heap corruption is detected when destructing JSGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=156831

        Reviewed by Mark Lam.

        WebKit uses CRT static library on Windows.  Each copy of the CRT
        library has its own heap manager, allocating memory in one CRT
        library and passing the pointer across a DLL boundary to be freed
        by a different copy of the CRT library is a potential cause for
        heap corruption.

          Potential Errors Passing CRT Objects Across DLL Boundaries
          <https://msdn.microsoft.com/en-us/library/ms235460(v=vs.140).aspx>

        JSGlobalObject::createRareDataIfNeeded is inlined but
        JSGlobalObject::~JSGlobalObject is not.  Then, the heap of
        allocating JSGlobalObjectRareData is WebKit.dll, but deallocating
        JavaScriptCore.dll.  Adding WTF_MAKE_FAST_ALLOCATED to
        JSGlobalObjectRareData ensures heap consistency of it.  WTF::Lock
        also needs WTF_MAKE_FAST_ALLOCATED because it is allocated from
        the inlined constructor of JSGlobalObjectRareData.

        Test: fast/dom/insertedIntoDocument-iframe.html

        * runtime/JSGlobalObject.h:
        Add WTF_MAKE_FAST_ALLOCATED to JSGlobalObjectRareData.

2016-04-25  Michael Saboff  <msaboff@apple.com>

        Crash using @tryGetById in DFG
        https://bugs.webkit.org/show_bug.cgi?id=156992

        Reviewed by Filip Pizlo.

        We need to spill live registers when compiling TryGetById in DFG.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileTryGetById):
        * tests/stress/regress-156992.js: New test.
        (tryMultipleGetByIds):
        (test):

2016-04-25  Saam barati  <sbarati@apple.com>

        We don't have to parse a function's parameters every time if the function is in the source provider cache
        https://bugs.webkit.org/show_bug.cgi?id=156943

        Reviewed by Filip Pizlo.

        This patch makes a few changes to make parsing inner functions
        faster.

        First, we were always parsing an inner function's parameter
        list using the templatized TreeBuiler. This means if our parent scope
        was building an AST, we ended up building AST nodes for the inner
        function's parameter list even though these nodes would go unused.
        This patch fixes that to *always* build an inner function's parameter
        list using the SyntaxChecker. (Note that this is consistent now with
        always building an inner function's body with a SyntaxChecker.)

        Second, we were always parsing an inner function's parameter list
        even if we had that function saved in the source provider cache.
        I've fixed that bug and made it so that we skip over the parsing 
        of a function's parameter list when it's in the source provider
        cache. We could probably enhance this in the future to skip
        over the entirety of a function starting at the "function"
        keyword or any other start of the function (depending on
        the function type: arrow function, method, etc).

        This patch also renames a few fields. First, I fixed a typo
        from "tocken" => "token" for a few field names. Secondly,
        I renamed a field that was called 'bodyStartColumn' to 
        'parametersStartColumn' because the field really held the
        parameter list's start column.

        I'm benchmarking this as a 1.5-2% octane/jquery speedup
        on a 15" MBP.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createMethodDefinition):
        (JSC::ASTBuilder::createArrowFunctionExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createFuncDeclStatement):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::Lexer::currentPosition):
        (JSC::Lexer::positionBeforeLastNewline):
        (JSC::Lexer::lastTokenLocation):
        (JSC::Lexer::setLastLineNumber):
        (JSC::Lexer::lastLineNumber):
        (JSC::Lexer::prevTerminator):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseFunctionBody):
        (JSC::stringForFunctionMode):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Scope::usedVariablesContains):
        (JSC::Scope::forEachUsedVariable):
        (JSC::Scope::useVariable):
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        * parser/ParserFunctionInfo.h:
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::endFunctionToken):
        (JSC::SourceProviderCacheItem::usedVariables):
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):

2016-04-25  Mark Lam  <mark.lam@apple.com>

        Renaming SpecInt32, SpecInt52, MachineInt to SpecInt32Only, SpecInt52Only, AnyInt.
        https://bugs.webkit.org/show_bug.cgi?id=156941

        Reviewed by Filip Pizlo.

        While looking at https://bugs.webkit.org/show_bug.cgi?id=153431, it was decided
        that SpecInt32Only, SpecInt52Only, and AnyInt would be better names for
        SpecInt32, SpecInt52, and MachineInt.  Let's do a bulk rename.

        This is only a renaming patch, and deletion of a piece of unused code.  There are
        no semantic changes.

        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromValue):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::typeOfDoubleNegation):
        (JSC::typeOfDoubleRounding):
        * bytecode/SpeculatedType.h:
        (JSC::isInt32Speculation):
        (JSC::isInt32OrBooleanSpeculation):
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationExpectingDefined):
        (JSC::isInt52Speculation):
        (JSC::isAnyIntSpeculation):
        (JSC::isAnyIntAsDoubleSpeculation):
        (JSC::isDoubleRealSpeculation):
        (JSC::isMachineIntSpeculation): Deleted.
        (JSC::isInt52AsDoubleSpeculation): Deleted.
        (JSC::isIntegerSpeculation): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        (JSC::DFG::AbstractValue::checkConsistency):
        (JSC::DFG::AbstractValue::resultType):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::validateType):
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToThis):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
        (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::prependGetArrayLength):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInt32):
        (JSC::DFG::Graph::addShouldSpeculateAnyInt):
        (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
        (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt):
        (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
        (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt):
        (JSC::DFG::Graph::addShouldSpeculateMachineInt): Deleted.
        (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt): Deleted.
        (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt): Deleted.
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToIdentityOn):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::asNumber):
        (JSC::DFG::Node::isAnyIntConstant):
        (JSC::DFG::Node::asAnyInt):
        (JSC::DFG::Node::isBooleanConstant):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateAnyInt):
        (JSC::DFG::Node::shouldSpeculateDouble):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::isMachineIntConstant): Deleted.
        (JSC::DFG::Node::asMachineInt): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineInt): Deleted.
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::OSREntryData::dumpInContext):
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::handleNode):
        (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::speculateInt32):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::isKnownNotCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotOther):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        (JSC::DFG::SpeculativeJIT::convertAnyInt):
        (JSC::DFG::SpeculativeJIT::speculateAnyInt):
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepAnyInt):
        (JSC::DFG::SpeculativeJIT::convertMachineInt): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt): Deleted.
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):
        * dfg/DFGValidate.cpp:
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
        (JSC::DFG::VariableAccessData::flushFormat):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileInt52Constant):
        (JSC::FTL::DFG::LowerDFGToB3::compileInt52Rep):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isNotInt32):
        (JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
        (JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateAnyInt):
        (JSC::FTL::DFG::LowerDFGToB3::speculateDoubleRepReal):
        (JSC::FTL::DFG::LowerDFGToB3::speculateDoubleRepAnyInt):
        (JSC::FTL::DFG::LowerDFGToB3::speculateMachineInt): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::speculateDoubleRepMachineInt): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::isInt52):
        (JSC::JSValue::isAnyInt):
        (JSC::JSValue::asAnyInt):
        (JSC::JSValue::isMachineInt): Deleted.
        (JSC::JSValue::asMachineInt): Deleted.
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        (JSC::runtimeTypeAsString):
        * runtime/RuntimeType.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::dumpTypes):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::TypeSet::toJSONString):

2016-04-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize JSON.parse string fast path
        https://bugs.webkit.org/show_bug.cgi?id=156953

        Reviewed by Mark Lam.

        This patch further optimizes the string parsing fast path.
        Previously, we generated the WTF::String to hold the ownership of the token's string.
        And always copied the token in LiteralParser side.
        Instead, we hold the ownership of the token String by the StringBuilder in LiteralParser::Lexer,
        and remove the processing in the string parsing fast path.
        This patch gives us stable 1 - 2.5% improvement in Kraken json-parse-financial.

                                       Baseline                  Modified

        json-parse-financial        41.383+-0.248      ^      40.894+-0.189         ^ definitely 1.0120x faster

        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        (JSC::LiteralParser<CharType>::parse):
        (JSC::LiteralParser<CharType>::Lexer::lexString): Deleted.
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::currentToken):
        (JSC::LiteralParser::Lexer::LiteralParserTokenPtr::LiteralParserTokenPtr):
        (JSC::LiteralParser::Lexer::LiteralParserTokenPtr::operator->):

2016-04-24  Filip Pizlo <fpizlo@apple.com> and Andy VanWagoner <thetalecrafter@gmail.com>

        [INTL] Implement String.prototype.localeCompare in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147607

        Reviewed by Darin Adler.
        
        Part of this change is just rolling 194394 back in.
        
        The other part is making that not a regression on CDjs. Other than the fact that it uses
        bound functions, the problem with this new localeCompare implementation is that it uses
        the arguments object. It uses it in a way that *seems* like ArgumentsEliminationPhase
        ought to handle, but to my surprise it didn't:
        
        - If we have a ForceExit GetByVal on the arguments object, we would previously assume that
          it escaped. That's false since we just exit at ForceExit. On the other hand we probably
          should be pruning unreachable paths before we get here, but that's a separate issue. I
          don't want to play with phase order right now.
        
        - If we have a OutOfBounds GetByVal on the arguments object, then the best that would
          previously happen is that we'd compile it into an in-bounds arguments access. That's quite
          bad, as Andy's localeCompare illustrates: it uses out-of-bounds access on the arguments
          object to detect if an argument was passed. This change introduces an OutOfBounds version
          of GetMyArgumentByVal for this purpose.
        
        This change required registering sane chain watchpoints. In the process, I noticed that the
        old way of doing it had a race condition: we might register watchpoints for the structure
        that had become insane. This change introduces a double-checking idiom that I believe works
        because once the structure becomes insane it can't go back to sane and watchpoints
        registration already involves executing the hardest possible fences.

        * builtins/StringPrototype.js:
        (repeat):
        (localeCompare):
        (search):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        * ftl/FTLTypedPointer.h:
        (JSC::FTL::TypedPointer::TypedPointer):
        (JSC::FTL::TypedPointer::operator bool):
        (JSC::FTL::TypedPointer::heap):
        (JSC::FTL::TypedPointer::operator!): Deleted.
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2016-04-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, unbreak cloop.

        * runtime/VM.cpp:
        (JSC::VM::getHostFunction):

2016-04-22  Filip Pizlo  <fpizlo@apple.com>

        Speed up bound functions a bit
        https://bugs.webkit.org/show_bug.cgi?id=156889

        Reviewed by Saam Barati.
        
        Bound functions are hard to optimize because JSC doesn't have a good notion of non-JS code
        that does JS-ey things like make JS calls. What I mean by "non-JS code" is code that did not
        originate from JS source. A bound function does a highly polymorphic call to the target
        stored in the JSBoundFunction. Prior to this change, we represented it as native code that
        used the generic native->JS call API. That's not cheap.
        
        We could model bound functions using a builtin, but it's not clear that this would be easy
        to grok, since so much of the code would have to access special parts of the JSBoundFunction
        type. Doing it that way might solve the performance problems but it would mean extra work to
        arrange for the builtin to have speedy access to the call target, the bound this, and the
        bound arguments. Also, optimizing bound functions that way would mean that bound function
        performance would be gated on the performance of a bunch of other things in our system. For
        example, we'd want this polymorphic call to be handled like the funnel that it is: if we're
        compiling the bound function's outgoing call with no context then we should compile it as
        fully polymorphic but we can let it assume basic sanity like that the callee is a real
        function; but if we're compiling the call with any amount of calling context then we want to
        use normal call IC's.
        
        Since the builtin path wouldn't lead to a simpler patch and since I think that the VM will
        benefit in the long run from using custom handling for bound functions, I kept the native
        code and just added Intrinsic/thunk support.
        
        This just adds an Intrinsic for bound function calls where the JSBoundFunction targets a
        JSFunction instance and has no bound arguments (only bound this). This intrinsic is
        currently only implemented as a thunk and not yet recognized by the DFG bytecode parser.

        I needed to loosen some restrictions to do this. For one, I was really tired of our bad use
        of ENABLE(JIT) conditionals, which made it so that any serious client of Intrinsics would
        have to have #ifdefs. Really what should happen is that if the JIT is not enabled then we
        just ignore intrinsics. Also, the code was previously assuming that having a native
        constructor and knowing the Intrinsic for your native call were mutually exclusive. This
        change makes it possible to have a native executable that has a custom function, custom
        constructor, and an Intrinsic.
        
        This is a >4x speed-up on bound function calls with no bound arguments.

        In the future, we should teach the DFG Intrinsic handling to deal with bound functions and
        we should teach the inliner (and ByteCodeParser::handleCall() in general) how to deal with
        the function call inside the bound function. That would be super awesome.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::timesPtr):
        (JSC::AbstractMacroAssembler::Address::withOffset):
        (JSC::AbstractMacroAssembler::BaseIndex::BaseIndex):
        (JSC::MacroAssemblerType>::Address::indexedBy):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeCell):
        (JSC::AssemblyHelpers::loadCell):
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::emitSaveCalleeSaves):
        (JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters):
        (JSC::AssemblyHelpers::emitRestoreCalleeSaves):
        (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
        (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeTailCall):
        (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        (JSC::JITThunks::clearHostFunctionStubs):
        * jit/JITThunks.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
        (JSC::SpecializedThunkJIT::tagReturnAsInt32):
        (JSC::SpecializedThunkJIT::emitSaveThenMaterializeTagRegisters): Deleted.
        (JSC::SpecializedThunkJIT::emitRestoreSavedTagRegisters): Deleted.
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::nativeCallGenerator):
        (JSC::nativeTailCallGenerator):
        (JSC::nativeTailCallWithoutSavedTagsGenerator):
        (JSC::nativeConstructGenerator):
        (JSC::randomThunkGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * jit/ThunkGenerators.h:
        * runtime/Executable.cpp:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::destroy):
        (JSC::NativeExecutable::createStructure):
        (JSC::NativeExecutable::finishCreation):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::ScriptExecutable::ScriptExecutable):
        * runtime/Executable.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        * runtime/Intrinsic.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::boundThisNoArgsFunctionCall):
        (JSC::boundFunctionCall):
        (JSC::boundThisNoArgsFunctionConstruct):
        (JSC::boundFunctionConstruct):
        (JSC::getBoundFunctionStructure):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::customHasInstance):
        (JSC::JSBoundFunction::JSBoundFunction):
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::targetFunction):
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        (JSC::JSBoundFunction::offsetOfTargetFunction):
        (JSC::JSBoundFunction::offsetOfBoundThis):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::lookUpOrCreateNativeExecutable):
        (JSC::JSFunction::create):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):
        (JSC::VM::getHostFunction):
        * runtime/VM.h:
        (JSC::VM::getCTIStub):
        (JSC::VM::exceptionOffset):

2016-04-22  Joonghun Park  <jh718.park@samsung.com>

        [JSC] Fix build break since r199866
        https://bugs.webkit.org/show_bug.cgi?id=156892

        Reviewed by Darin Adler.

        * runtime/MathCommon.cpp: Follow up to r199913. Remove 'include cmath' in cpp file.

2016-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize number parsing and string parsing in LiteralParser
        https://bugs.webkit.org/show_bug.cgi?id=156896

        Reviewed by Mark Lam.

        This patch aim to improve JSON.parse performance. Major 2 optimizations are included.

        1. Change `double result` to `int32_t result` in integer parsing case.
        We already have the optimized path for integer parsing, when it's digits are less than 10.
        At that case, the maximum number is 999999999, and the minimum number is -99999999.
        The both are in range of Int32. So We can use int32_t for accumulation instead of double.

        2. Add the string parsing fast / slow cases.
        We add the fast case for string parsing, which does not include any escape sequences.

        Both optimizations improve Kraken json-parse-financial, roughly 3.5 - 4.5%.

        json-parse-financial        49.128+-1.589             46.979+-0.912           might be 1.0457x faster

        * runtime/LiteralParser.cpp:
        (JSC::isJSONWhiteSpace):
        (JSC::isSafeStringCharacter):
        (JSC::LiteralParser<CharType>::Lexer::lexString):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        (JSC::LiteralParser<CharType>::Lexer::lexNumber):
        * runtime/LiteralParser.h:

2016-04-22  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Source directives lost when using Function constructor repeatedly
        https://bugs.webkit.org/show_bug.cgi?id=156863
        <rdar://problem/25861064>

        Reviewed by Geoffrey Garen.

        Source directives (sourceURL and sourceMappingURL) are normally accessed through
        the SourceProvider and normally set when the script is parsed. However, when a
        CodeCache lookup skips parsing, the new SourceProvider never gets the directives
        (sourceURL/sourceMappingURL). This patch stores the directives on the UnlinkedCodeBlock
        and UnlinkedFunctionExecutable when entering the cache, and copies to the new providers
        when the cache is used.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::sourceURLDirective):
        (JSC::UnlinkedCodeBlock::sourceMappingURLDirective):
        (JSC::UnlinkedCodeBlock::setSourceURLDirective):
        (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/SourceProvider.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        Store directives on the unlinked code block / executable when adding
        to the cache, so they can be used to update new providers when the
        cache gets used.

        * runtime/JSGlobalObject.cpp:
        Add needed header after CodeCache header cleanup.

2016-04-22  Mark Lam  <mark.lam@apple.com>

        javascript jit bug affecting Google Maps.
        https://bugs.webkit.org/show_bug.cgi?id=153431

        Reviewed by Filip Pizlo.

        The issue was due to the abstract interpreter wrongly marking the type of the
        value read from the Uint3Array as SpecInt52, which precludes it from being an
        Int32.  This proves to be false, and the generated code failed to handle the case
        where the read value is actually an Int32.

        The fix is to have the abstract interpreter use SpecMachineInt instead of
        SpecInt52.

        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2016-04-22  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] PredictionPropagation should not be in the top 5 heaviest phases
        https://bugs.webkit.org/show_bug.cgi?id=156891

        Reviewed by Mark Lam.

        In DFG, PredictionPropagation is often way too high in profiles.
        It is a simple phase, it should not be that hot.

        Most of the time is spent accessing memory. This patch attempts
        to reduce that.

        First, propagate() is split in processInvariants() and propagates().
        The step processInvariants() sets all the types for nodes for which
        the type does not depends on other nodes.

        Adding processInvariants() lowers two hotspot inside PredictionPropagation:
        speculationFromValue() and setPrediction().

        Next, to avoid touching all the nodes at every operation, we keep
        track of the nodes that actually need propagate().
        The vector m_dependentNodes keeps the list of those nodes and propagate()
        only need to process them at each phase.

        This is a smaller gain because growing m_dependentNodes negates
        some of the gains.

        On 3d-cube, this moves PredictionPropagation from fifth position
        to ninth. A lot of the remaining overhead is caused by double-voting
        and cannot be fixed by moving stuff around.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint): Deleted.
        (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
        (JSC::DFG::PredictionPropagationPhase::propagateForward): Deleted.
        (JSC::DFG::PredictionPropagationPhase::propagateBackward): Deleted.
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): Deleted.
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): Deleted.
        (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions): Deleted.

2016-04-22  Geoffrey Garen  <ggaren@apple.com>

        super should be available in object literals
        https://bugs.webkit.org/show_bug.cgi?id=156933

        Reviewed by Saam Barati.

        When we originally implemented classes, super seemed to be a class-only
        feature. But the final spec says it's available in object literals too.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode): Having 'super' and being a class
        property are no longer synonymous, so we track two separate variables.

        (JSC::PropertyListNode::emitPutConstantProperty): Being inside the super
        branch no longer guarantees that you're a class property, so we decide
        our attributes and our function name dynamically.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createArrowFunctionExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createArguments):
        (JSC::ASTBuilder::createArgumentsList):
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::createPropertyList): Pass through state to indicate
        whether we're a class property, since we can't infer it from 'super'
        anymore.

        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode): See ASTBuilder.h.

        * parser/Nodes.h:
        (JSC::PropertyNode::expressionName):
        (JSC::PropertyNode::name):
        (JSC::PropertyNode::type):
        (JSC::PropertyNode::needsSuperBinding):
        (JSC::PropertyNode::isClassProperty):
        (JSC::PropertyNode::putType): See ASTBuilder.h.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parseMemberExpression): I made these error
        messages generic because it is no longer practical to say concise things
        about the list of places you can use super.

        * parser/Parser.h:

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createArgumentsList):
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::appendExportSpecifier):
        (JSC::SyntaxChecker::appendConstDecl):
        (JSC::SyntaxChecker::createGetterOrSetterProperty): Updated for
        interface change.

        * tests/stress/generator-with-super.js:
        (test):
        * tests/stress/modules-syntax-error.js:
        * tests/stress/super-in-lexical-scope.js:
        (testSyntaxError):
        (testSyntaxError.test):
        * tests/stress/tagged-templates-syntax.js: Updated for error message
        changes. See Parser.cpp.

2016-04-22  Filip Pizlo  <fpizlo@apple.com>

        ASSERT(m_stack.last().isTailDeleted) at ShadowChicken.cpp:127 inspecting the inspector
        https://bugs.webkit.org/show_bug.cgi?id=156930

        Reviewed by Joseph Pecoraro.
        
        The loop that prunes the stack from the top should preserve the invariant that the top frame
        cannot be tail-deleted.

        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):

2016-04-22  Benjamin Poulain  <benjamin@webkit.org>

        Attempt to fix the CLoop after r199866

        * runtime/MathCommon.h:

2016-04-22  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Integer Multiply of a number by itself does not need negative zero support
        https://bugs.webkit.org/show_bug.cgi?id=156895

        Reviewed by Saam Barati.

        You cannot produce negative zero by squaring an integer.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        Minor codegen fixes:
        -Use the right form of multiply for ARM.
        -Use a sign-extended 32bit immediates, that's the one with fast forms
         in the MacroAssembler.

2016-04-21  Darin Adler  <darin@apple.com>

        Follow-on to the build fix.

        * runtime/MathCommon.h: Use the C++ std namespace version of the
        frexp function too.

2016-04-21  Joonghun Park  <jh718.park@samsung.com>

        [JSC] Fix build break since r199866. Unreviewed.
        https://bugs.webkit.org/show_bug.cgi?id=156892

        * runtime/MathCommon.h: Add namespace std to isnormal invoking.

2016-04-21  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add primitive String support to compare operators
        https://bugs.webkit.org/show_bug.cgi?id=156783

        Reviewed by Geoffrey Garen.

        Just the basics.
        We should eventually inline some of the simplest cases.

        This is a 2% improvement on Longspider. It is unfortunately neutral
        for Sunspider on my machine because most of the comparison are from
        baseline.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStringCompare):
        (JSC::DFG::SpeculativeJIT::compileStringIdentCompare):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareLess):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareLessEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareGreater):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareGreaterEq):
        (JSC::FTL::DFG::LowerDFGToB3::compare):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::callWithoutSideEffects):
        * jit/JITOperations.h:
        * tests/stress/string-compare.js: Added.
        (makeRope):
        (makeString):
        (let.operator.of.operators.eval.compareStringIdent):
        (let.operator.of.operators.compareStringString):
        (let.operator.of.operators.compareStringIdentString):
        (let.operator.of.operators.compareStringStringIdent):
        (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.eval):

2016-04-21  Benjamin Poulain  <bpoulain@webkit.org>

        [JSC] Commute FDiv-by-constant into FMul-by-reciprocal when it is safe
        https://bugs.webkit.org/show_bug.cgi?id=156871

        Reviewed by Filip Pizlo.

        FMul is significantly faster than FDiv.
        For example, on Haswell, FMul has a latency of 5, a throughput of 1
        while FDiv has latency 10-24, throughput 8-18.

        Fortunately for us, Sunspider and Kraken have plenty of division
        by a simple power of 2 constant. Those are just exponent operations
        and can be easily reversed to use FMul instead of FDiv.

        LLVM does something similar in InstCombine.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::loadOperand):
        (JSC::JITDivGenerator::generateFastPath):
        * jit/SnippetOperand.h:
        (JSC::SnippetOperand::asConstNumber):
        * runtime/MathCommon.h:
        (JSC::safeReciprocalForDivByConst):
        * tests/stress/floating-point-div-to-mul.js: Added.
        (opaqueDivBy2):
        (opaqueDivBy3):
        (opaqueDivBy4):
        (opaqueDivBySafeMaxMinusOne):
        (opaqueDivBySafeMax):
        (opaqueDivBySafeMaxPlusOne):
        (opaqueDivBySafeMin):
        (opaqueDivBySafeMinMinusOne):
        (i.catch):
        (i.result.opaqueDivBySafeMin.valueOf):

2016-04-21  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Improve the absThunkGenerator() for 64bit
        https://bugs.webkit.org/show_bug.cgi?id=156888

        Reviewed by Michael Saboff.

        A few tests spend a lot of time in this abs() with double argument.

        This patch adds custom handling for the JSValue64 representation.
        In particular:
        -Do not load the value twice. Unbox the GPR if it is not an Int32.
        -Deal with IntMin inline instead of falling back to the C function call.
        -Box the values ourself to avoid a duplicate function tail and return.

        * jit/ThunkGenerators.cpp:
        (JSC::absThunkGenerator):

2016-04-21  Saam barati  <sbarati@apple.com>

        LLInt CallSiteIndex off by 1
        https://bugs.webkit.org/show_bug.cgi?id=156886

        Reviewed by Benjamin Poulain.

        I think was done for historical reasons but isn't needed anymore.

        * llint/LLIntSlowPaths.cpp:

2016-04-21  Keith Miller  <keith_miller@apple.com>

        FTL should handle exceptions in operationInOptimize
        https://bugs.webkit.org/show_bug.cgi?id=156885

        Reviewed by Michael Saboff.

        For some reasone we didn't handle any exceptions in "in" when we called
        operationInOptimize in the FTL.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        * ftl/FTLPatchpointExceptionHandle.h: Add comments explaining which
        function to use for different exception types.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionNoFTL):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::setNeverFTLOptimize):
        (JSC::ScriptExecutable::neverFTLOptimize):
        * tests/stress/in-ftl-exception-check.js: Added.
        (foo):
        (bar):
        (catch):

2016-04-21  Filip Pizlo  <fpizlo@apple.com>

        JSC virtual call thunk shouldn't do a structure->classInfo lookup
        https://bugs.webkit.org/show_bug.cgi?id=156874

        Reviewed by Keith Miller.
        
        This lookup was unnecessary because we can just test the inlined type field.

        But also, this meant that we were exempting JSBoundFunction from the virtual call optimization.
        That's pretty bad.

        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):

2016-04-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: sourceMappingURL not loaded in generated script
        https://bugs.webkit.org/show_bug.cgi?id=156022
        <rdar://problem/25438595>

        Reviewed by Geoffrey Garen.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        Synthetic CallFrames for native code will not have script identifiers.

        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::ScriptCallFrame):
        (Inspector::ScriptCallFrame::isEqual):
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/protocol/Console.json:
        Include the script identifier in ScriptCallFrame so we can correlate this
        to the exactly script, even if there isn't a URL. The Script may have a
        sourceURL, so the Web Inspector frontend may decide to show / link to it.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::CreateScriptCallStackFunctor::operator()):
        (Inspector::createScriptCallStackFromException):
        Include SourceID when we have it.

        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::sourceID):
        * interpreter/StackVisitor.h:
        Access the SourceID when we have it.

2016-04-21  Saam barati  <sbarati@apple.com>

        Lets do less locking of symbol tables in the BytecodeGenerator where we don't have race conditions
        https://bugs.webkit.org/show_bug.cgi?id=156821

        Reviewed by Filip Pizlo.

        The BytecodeGenerator allocates all the SymbolTables that it uses.
        This is before any concurrent compiler thread can use that SymbolTable.
        This means we don't actually need to lock for any operations of the
        SymbolTable. This patch makes this change by removing all locking.
        To do this, I've introduced a new constructor for ConcurrentJITLocker
        which implies no locking is necessary. You instantiate such a ConcurrentJITLocker like so:
        `ConcurrentJITLocker locker(ConcurrentJITLocker::NoLockingNecessary);`

        This patch also removes all uses of Strong<SymbolTable> from the bytecode
        generator and instead wraps bytecode generation in a DeferGC.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::instantiateLexicalVariables):
        (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
        (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::createVariable):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitPushWithScope):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::constructorKind):
        (JSC::BytecodeGenerator::superBinding):
        (JSC::BytecodeGenerator::generate):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/ConcurrentJITLock.h:
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):

2016-04-21  Saam barati  <sbarati@apple.com>

        Remove some unnecessary RefPtrs in the parser
        https://bugs.webkit.org/show_bug.cgi?id=156865

        Reviewed by Filip Pizlo.

        The IdentifierArena or the SourceProviderCacheItem will own these UniquedStringImpls
        while we are using them. There is no need for us to reference count them.

        This might be a 0.5% speedup on octane code-load.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::Scope::setIsLexicalScope):
        (JSC::Scope::isLexicalScope):
        (JSC::Scope::closedVariableCandidates):
        (JSC::Scope::declaredVariables):
        (JSC::Scope::lexicalVariables):
        (JSC::Scope::finalizeLexicalEnvironment):
        (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::getCapturedVars):
        (JSC::Scope::setStrictMode):
        (JSC::Scope::isValidStrictMode):
        (JSC::Scope::shadowsArguments):
        (JSC::Scope::copyCapturedVariablesToVector):
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::usedVariables):
        (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
        (JSC::SourceProviderCacheItem::create):
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        (JSC::SourceProviderCacheItem::writtenVariables): Deleted.

2016-04-21  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicAccess adds sizeof(CallerFrameAndPC) rather than subtracting it when calculating stack height
        https://bugs.webkit.org/show_bug.cgi?id=156872

        Reviewed by Geoffrey Garen.
        
        The code that added sizeof(CallerFrameAndPC) emerged from a bad copy-paste in r189586. That was
        the revision that created the PolymorphicAccess class. It moved code for generating a
        getter/setter call from Repatch.cpp to PolymorphicAccess.cpp. You can see the code doing a
        subtraction here:
        
            http://trac.webkit.org/changeset/189586/trunk/Source/JavaScriptCore/jit/Repatch.cpp
        
        This makes the world right again.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):

2016-04-21  Geoffrey Garen  <ggaren@apple.com>

        Build warning: CODE_SIGN_ENTITLEMENTS specified without specifying CODE_SIGN_IDENTITY
        https://bugs.webkit.org/show_bug.cgi?id=156862

        Reviewed by Joseph Pecoraro.

        * Configurations/Base.xcconfig: Specify the ad hoc signing identity by
        default. See <http://trac.webkit.org/changeset/143544>.

2016-04-21  Andy Estes  <aestes@apple.com>

        REGRESSION (r199734): WebKit crashes loading numerous websites in iOS Simulator
        https://bugs.webkit.org/show_bug.cgi?id=156842

        Reviewed by Daniel Bates.

        Disable separated heap on iOS Simulator.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-21  Michael Saboff  <msaboff@apple.com>

        Align RegExp[@@match] with other @@ methods
        https://bugs.webkit.org/show_bug.cgi?id=156832

        Reviewed by Mark Lam.

        Various changes to align the RegExp[@@match] with [@@search] and [@@split].

        Made RegExp.prototype.@exec a hidden property on the global object and
        called it @regExpBuiltinExec to match the name it has in the standard.
        Changed all places that used the old name to use the new one.

        Made the match fast path function, which used to be call @match, to be called
        @regExpMatchFast and put it on the global object.  Changed it to also handle
        expressions both with and without the global flag.  Refactored the builtin
        @match accordingly.

        Added the builtin function @hasObservableSideEffectsForRegExpMatch() that
        checks to see if we can use the fast path of if we need the explicit version.

        Put the main RegExp functions @match, @search and @split in alphabetical
        order in RegExpPrototype.js.  Did the same for @match, @repeat, @search and 
        @split in StringPrototype.js.
        
        * builtins/RegExpPrototype.js:
        (regExpExec):
        (hasObservableSideEffectsForRegExpMatch): New.
        (match):
        (search):
        (hasObservableSideEffectsForRegExpSplit):
        Reordered in the file and updated to use @regExpBuiltinExec.

        * builtins/StringPrototype.js:
        (match):
        (repeatSlowPath):
        (repeat):
        (search):
        (split):
        Reordered functions in the file.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setGlobalThis):
        (JSC::getById):
        (JSC::getGetterById):
        (JSC::JSGlobalObject::init):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):
        (JSC::regExpProtoFuncMatchPrivate): Deleted.
        * runtime/RegExpPrototype.h:

2016-04-20  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore garbage collection is missing an autorelease pool
        https://bugs.webkit.org/show_bug.cgi?id=156751
        <rdar://problem/25787802>

        Reviewed by Mark Lam.

        * heap/Heap.cpp:
        (JSC::Heap::releaseDelayedReleasedObjects): Add an autorelease pool to
        catch autoreleases when we call out to arbitrary ObjC code.

        We use the C interface here because this is not an ObjC compilation unit.

2016-04-20  Filip Pizlo  <fpizlo@apple.com>

        DFG del_by_id support forgets to set()
        https://bugs.webkit.org/show_bug.cgi?id=156830

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/dfg-del-by-id.js: Added.

2016-04-20  Saam barati  <sbarati@apple.com>

        Improve sampling profiler CLI JSC tool
        https://bugs.webkit.org/show_bug.cgi?id=156824

        Reviewed by Mark Lam.

        This patch enhances the Sampling Profiler CLI tool from the JSC shell
        to display the JITType of a particular CodeBlock. Because this happens
        once we process a log of stack frames, the data for a particular frame
        being in LLInt vs. Baseline could be wrong. For example, we may have taken 
        a stack trace of a CodeBlock while it was executing in the LLInt, then 
        it tiers up to the baseline, then we process the log. We will show such CodeBlocks
        as being in the baseline JIT. We could be smarter about this in the future if
        it turns out to truly be a problem.

        This patch also adds a 'samplingProfilerTimingInterval' JSC option to allow
        CLI users to control the sleep time between stack traces.

        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):

2016-04-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] DFG should not generate two jumps when the target of DoubleBranch is the next block  
        https://bugs.webkit.org/show_bug.cgi?id=156815

        Reviewed by Mark Lam.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):

2016-04-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add register reuse for ArithAdd of an Int32 and constant in DFG
        https://bugs.webkit.org/show_bug.cgi?id=155164

        Reviewed by Mark Lam.

        Every "inc" in loop was looking like this:
            move rX, rY
            inc rY
            jo 0x230f4a200580

        This patch add register Reuse to that case to remove
        the extra "move".

        * dfg/DFGOSRExit.h:
        (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
        (JSC::DFG::SpeculationRecovery::immediate):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        * tests/stress/arith-add-with-constant-overflow.js: Added.
        (opaqueAdd):

2016-04-20  Saam barati  <sbarati@apple.com>

        We don't need a manual stack for an RAII object when the machine's stack will do just fine
        https://bugs.webkit.org/show_bug.cgi?id=156807

        Reviewed by Mark Lam.

        We kept around a vector for an RAII object to maintain
        the recursive nature of having these RAII objects on
        the stack as the parser recursed. Instead, the RAII object
        can just have a field with the value it wants to restore
        and use the machine's stack.

        This is a 1% octane code-load progression.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::BinaryExprContext::BinaryExprContext):
        (JSC::SyntaxChecker::BinaryExprContext::~BinaryExprContext):
        (JSC::SyntaxChecker::UnaryExprContext::UnaryExprContext):
        (JSC::SyntaxChecker::UnaryExprContext::~UnaryExprContext):
        (JSC::SyntaxChecker::operatorStackPop):

2016-04-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r190289): Spin trying to view/sign in to hbogo.com
        https://bugs.webkit.org/show_bug.cgi?id=156765

        Reviewed by Saam Barati.

        In the op_get_by_val case, we were holding the lock on a profiled CodeBlock
        when we call into handleGetById(). Changed to drop the lock before calling
        handleGetById().

        The bug here was that the call to handleGetById() may end up calling in to
        getPredictionWithoutOSRExit() for a tail call opcode. As part of that
        processing, we walk back up the stack to find the effective caller and when
        found, we lock the corresponding CodeBlock to get the predicition.
        That CodeBLock may be the same one locked above. There is no need anyway
        to hold the CodeBlock lock when calling handleGetById().

        Added a new stress test.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/regress-156765.js: Added.
        (realValue):
        (object.get hello):
        (ok):

2016-04-20  Mark Lam  <mark.lam@apple.com>

        Unindent an unnecessary block in stringProtoFuncSplitFast().
        https://bugs.webkit.org/show_bug.cgi?id=156802

        Reviewed by Filip Pizlo.

        In webkit.org/b/156013, I refactored stringProtoFuncSplit into
        stringProtoFuncSplitFast.  In that patch, I left an unnecessary block of code in
        its original block (with FIXMEs) to keep the diff for that patch minimal.  Now
        that the patch for webkit.org/b/156013 has landed, I will unindent that block and
        remove the FIXMEs.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplitFast):

2016-04-20  Brady Eidson  <beidson@apple.com>

        Modern IDB (Workers): Enable INDEXED_DATABASE_IN_WORKERS compile time flag, but disabled in RuntimeEnabledFeatures.
        https://bugs.webkit.org/show_bug.cgi?id=156782

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:

2016-04-20  Saam barati  <sbarati@apple.com>

        Remove unused m_writtenVariables from the parser and related bits
        https://bugs.webkit.org/show_bug.cgi?id=156784

        Reviewed by Yusuke Suzuki.

        This isn't a octane/codeload speedup even though we're doing less work in
        collectFreeVariables. But it's good to get rid of things that are not used.

        * parser/Nodes.h:
        (JSC::ScopeNode::usesEval):
        (JSC::ScopeNode::usesArguments):
        (JSC::ScopeNode::usesArrowFunction):
        (JSC::ScopeNode::isStrictMode):
        (JSC::ScopeNode::setUsesArguments):
        (JSC::ScopeNode::usesThis):
        (JSC::ScopeNode::modifiesParameter): Deleted.
        (JSC::ScopeNode::modifiesArguments): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::hasDeclaredParameter):
        (JSC::Scope::preventAllVariableDeclarations):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::getSloppyModeHoistedFunctions):
        (JSC::Scope::getCapturedVars):
        (JSC::Scope::setStrictMode):
        (JSC::Scope::strictMode):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Parser::hasDeclaredParameter):
        (JSC::Parser::exportName):
        (JSC::Scope::declareWrite): Deleted.
        (JSC::Parser::declareWrite): Deleted.
        * parser/ParserModes.h:

2016-04-19  Saam barati  <sbarati@apple.com>

        Unreviewed, fix cloop build after r199754.

        * jsc.cpp:
        (jscmain):

2016-04-19  Michael Saboff  <msaboff@apple.com>

        iTunes crashing JavaScriptCore.dll
        https://bugs.webkit.org/show_bug.cgi?id=156647

        Reviewed by Filip Pizlo.

        Given that there there are only 128 FLS indices compared to over a 1000 for TLS,
        I eliminated the thread specific m_threadSpecificForThread and instead we look
        for the current thread in m_registeredThreads list when we need it.
        In most cases there will only be one thread.

        Added THREAD_SPECIFIC_CALL to signature of ThreadSpecific remove callbacks
        to set the calling convention correctly for Windows 32 bit.

        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        * heap/MachineStackMarker.h:

2016-04-19  Benjamin Poulain  <bpoulain@webkit.org>

        [JSC] Small cleanup of RegisterAtOffsetList
        https://bugs.webkit.org/show_bug.cgi?id=156779

        Reviewed by Mark Lam.

        I was wondering why RegisterAtOffsetList always cache-miss.
        It looks like it is doing more than it needs to.

        We do not need to sort the values. The total order of
        RegisterAtOffset is: