[Content Extensions] Add memory reporting.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-03  Mark Lam  <mark.lam@apple.com>

        Some JSC Options refactoring and enhancements.
        <https://webkit.org/b/143384>

        Rubber stamped by Benjamin Poulain.

        Create a better encapsulated Option class to make working with options easier.  This
        is a building block towards a JIT policy scaling debugging option I will introduce later.

        This work entails:
        1. Convert Options::Option into a public class Option (which works closely with Options).
        2. Convert Options::EntryType into an enum class Options::Type and make it public.
        3. Renamed Options::OPT_<option name> to Options::<option name>ID because it reads better.
        4. Add misc methods to class Option to make it more usable.

        * runtime/Options.cpp:
        (JSC::Options::dumpOption):
        (JSC::Option::dump):
        (JSC::Option::operator==):
        (JSC::Options::Option::dump): Deleted.
        (JSC::Options::Option::operator==): Deleted.
        * runtime/Options.h:
        (JSC::Option::Option):
        (JSC::Option::operator!=):
        (JSC::Option::name):
        (JSC::Option::description):
        (JSC::Option::type):
        (JSC::Option::isOverridden):
        (JSC::Option::defaultOption):
        (JSC::Option::boolVal):
        (JSC::Option::unsignedVal):
        (JSC::Option::doubleVal):
        (JSC::Option::int32Val):
        (JSC::Option::optionRangeVal):
        (JSC::Option::optionStringVal):
        (JSC::Option::gcLogLevelVal):
        (JSC::Options::Option::Option): Deleted.
        (JSC::Options::Option::operator!=): Deleted.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
        is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
        is equal to 101100.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
        Added a comment explaining why.

2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>

        FTL JIT tests should fail if LLVM library isn't available
        https://bugs.webkit.org/show_bug.cgi?id=143374

        Reviewed by Mark Lam.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * runtime/Options.h:

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Fix the EFL and GTK build after r182243
        https://bugs.webkit.org/show_bug.cgi?id=143361

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt: InspectorBackendCommands.js is generated in the
        DerivedSources/JavaScriptCore/inspector/ directory.

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed, fixing Clang builds of the GTK port on Linux.

        * runtime/Options.cpp:
        Include the <math.h> header for isnan().

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Enhance ability to dump JSC Options.
        <https://webkit.org/b/143357>

        Reviewed by Benjamin Poulain.

        Some enhancements to how the JSC options work:

        1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
           2 = All, 3 = Verbose.

           The default is 0 (None).  This dumps nothing.
           With the Overridden setting, at VM initialization time, we will dump all
           option values that have been changed from their default.
           With the All setting, at VM initialization time, we will dump all option values.
           With the Verbose setting, at VM initialization time, we will dump all option
           values along with their descriptions (if available).

        2. We now store a copy of the default option values.

           We later use this for comparison to tell if an option has been overridden, and
           print the default value for reference.  As a result, we no longer need the
           didOverride flag since we can compute whether the option is overridden at any time.

        3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).

           This will come in handy later when we want to rename some of the options to more sane
           names that are easier to remember.  For example, we can change
           Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
           Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
           of the description, we can afford to use shorter and less descriptive option names,
           but they will be easier to remember and use for day to day debugging work.

           In this patch, I did not change the names of any of the options yet.  I only added
           description strings for options that I know about, and where I think the option name
           isn't already descriptive enough.

        4. Also deleted some unused code.

        * jsc.cpp:
        (CommandLine::parseArguments):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        (JSC::Options::setOption):
        (JSC::Options::dumpAllOptions):
        (JSC::Options::dumpOption):
        (JSC::Options::Option::dump):
        (JSC::Options::Option::operator==):
        * runtime/Options.h:
        (JSC::OptionRange::rangeString):
        (JSC::Options::Option::Option):
        (JSC::Options::Option::operator!=):

2015-04-02  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.

        * API/JSValue.h:
        * API/JSValue.mm:
        (-[JSValue isArray]):
        (-[JSValue isDate]): Added an ObjC API.

        * API/JSValueRef.cpp:
        (JSValueIsArray):
        (JSValueIsDate):
        * API/JSValueRef.h: Added a C API.

        * API/WebKitAvailability.h: Brought our availability macros up to date
        and fixed a harmless bug where "10_10" translated to "10.0".

        * API/tests/testapi.c:
        (main): Added a test and corrected a pre-existing leak.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Added a test.

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Add Options::dumpSourceAtDFGTime().
        <https://webkit.org/b/143349>

        Reviewed by Oliver Hunt, and Michael Saboff.

        Sometimes, we will want to see the JS source code that we're compiling, and it
        would be nice to be able to do this without having to jump through a lot of hoops.
        So, let's add an Options::dumpSourceAtDFGTime() option just like we have an
        Options::dumpBytecodeAtDFGTime() option.

        Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
        that explicitly take no arguments (instead of relying on the version that takes
        the default argument).  These versions are friendlier to use when we want to call
        them from an interactive debugging session.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpSource):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * runtime/Options.h:

2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up EnumerationMode to easily extend
        https://bugs.webkit.org/show_bug.cgi?id=143276

        Reviewed by Geoffrey Garen.

        To make the following easy,
        1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
        2. Making ExcludeSymbols implicitly the default for the existing flags
        we encapsulate the EnumerationMode flags into an EnumerationMode class.

        And this class manages 2 flags. Later it will be extended to 3.
        1. DontEnumPropertiesMode (default is Exclude)
        2. JSObjectPropertiesMode (default is Include)
        3. SymbolPropertiesMode (default is Exclude)
            SymbolPropertiesMode will be added in the Object.getOwnPropertySymbols patch.

        This patch replaces places using ExcludeDontEnumProperties
        with the EnumerationMode() value, which represents the default mode.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/EnumerationMode.h:
        (JSC::EnumerationMode::EnumerationMode):
        (JSC::EnumerationMode::includeDontEnumProperties):
        (JSC::EnumerationMode::includeJSObjectProperties):
        (JSC::shouldIncludeDontEnumProperties): Deleted.
        (JSC::shouldExcludeDontEnumProperties): Deleted.
        (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
        (JSC::modeThatSkipsJSObject): Deleted.
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::getGenericPropertyNames):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnNonIndexPropertyNames):
        (JSC::RegExpObject::getPropertyNames):
        (JSC::RegExpObject::getGenericPropertyNames):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertyNames):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):

2015-04-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Windows and Mac.
        https://bugs.webkit.org/show_bug.cgi?id=143293

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Enabled using assembly on Windows.
        Replaced unix commands with CMake commands.
        * PlatformMac.cmake:
        Tell open source builders where to find unicode headers.

2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        IteratorClose should be called when jumping over the target for-of loop
        https://bugs.webkit.org/show_bug.cgi?id=143140

        Reviewed by Geoffrey Garen.

        This patch fixes labeled break/continue behaviors with for-of and iterators.

        1. Support IteratorClose beyond multiple loop contexts
        Previously, IteratorClose is only executed in for-of's breakTarget().
        However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
        For example,
        outer: for (var e1 of outer) {
            inner: for (var e2 of inner) {
                break outer;
            }
        }
        In this case, the return method of inner should be called.
        We leverage the existing system for `finally` to execute the inner.return method correctly.
        Leveraging the `finally` system fixes the `break`, `continue` and `return` cases.
        The `throw` case is already supported by emitting try-catch handlers in for-of.

        2. Incorrect LabelScope creation is done in ForOfNode
        ForOfNode creates a duplicated LabelScope.
        It causes an infinite loop when executing the following program that contains
        an explicitly labeled for-of loop.
        For example,
        inner: for (var elm of array) {
            continue inner;
        }

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyContext):
        (JSC::BytecodeGenerator::pushIteratorCloseContext):
        (JSC::BytecodeGenerator::popFinallyContext):
        (JSC::BytecodeGenerator::popIteratorCloseContext):
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorClose):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForOfNode::emitBytecode):
        * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
        (createIterator.iterator.return):
        (createIterator):
        * tests/stress/raise-error-in-iterator-close.js: Added.
        (createIterator.iterator.return):
        (createIterator):

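The following is an added example, not code from the WebKit ChangeLog above or from the JSC stress tests it lists. It observes, from script, the iterator `return()` calls that the entry for bug 143140 says a labeled `break`, `continue` or `return` must trigger when it leaves nested for-of loops, plus the labeled `continue` case that previously looped forever. The helper `createIterator` and the `log` entries it records are constructed for this example; any engine that implements ES6 IteratorClose correctly should produce the results shown in the comments.

```javascript
// Iterable that records every call to return() in `log` under `name`
// (constructed for this example; not the ChangeLog's test helper).
function createIterator(name, values, log) {
  let index = 0;
  return {
    next() {
      return index < values.length
        ? { value: values[index++], done: false }
        : { value: undefined, done: true };
    },
    return() {
      log.push(name + '.return');
      return { value: undefined, done: true };
    },
    [Symbol.iterator]() { return this; },
  };
}

// Case 1 from the ChangeLog: `break outer` from the inner loop must close
// both iterators, innermost first.
function breakOuterLoop() {
  const log = [];
  const outerIt = createIterator('outer', [1, 2], log);
  outer: for (const e1 of outerIt) {
    const innerIt = createIterator('inner', [10, 20], log);
    for (const e2 of innerIt) {
      break outer;
    }
  }
  return log; // ['inner.return', 'outer.return']
}

// `continue outer` closes only the inner iterator, once per outer iteration;
// the outer iterator runs to completion and is therefore not closed.
function continueOuterLoop() {
  const log = [];
  const outerIt = createIterator('outer', [1, 2], log);
  outer: for (const e1 of outerIt) {
    for (const e2 of createIterator('inner', [10, 20], log)) {
      continue outer;
    }
  }
  return log; // ['inner.return', 'inner.return']
}

// `return` from inside both loops is an abrupt completion for each of them.
function returnFromNestedLoops() {
  const log = [];
  function search() {
    for (const e1 of createIterator('outer', [1], log)) {
      for (const e2 of createIterator('inner', [10], log)) {
        return e1 + e2;
      }
    }
    return -1;
  }
  const result = search();
  return { result, log }; // { result: 11, log: ['inner.return', 'outer.return'] }
}

// Case 2 from the ChangeLog: a labeled for-of with `continue <label>` must
// terminate after visiting every element, and a normal completion does not
// call return().
function continueLabeledForOf() {
  const log = [];
  let visited = 0;
  inner: for (const elm of createIterator('it', [1, 2, 3], log)) {
    visited++;
    continue inner;
  }
  return { visited, log }; // { visited: 3, log: [] }
}
```

Each function can be run on its own; comparing its returned `log` against the expected list is the whole check, which is why the functions return the log instead of printing it.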
2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Symbol.unscopables
        https://bugs.webkit.org/show_bug.cgi?id=142829

        Reviewed by Geoffrey Garen.

        This patch introduces Symbol.unscopables functionality.
        In ES6, some generic names (like keys, values) are introduced
        as Array's method names. And this breaks the web since some web sites
        use code like the following.

        var values = ...;
        with (array) {
            values;  // This values is trapped by array's method "values".
        }

        To fix this, Symbol.unscopables introduces a blacklist
        for with scope's trapping. When resolving scope,
        if the name is found in the target scope and the target scope is a with scope,
        we check the Symbol.unscopables object to filter generic names.

        This functionality is only active for with scopes.
        Global scope does not have unscopables functionality.

        And since
        1) op_resolve_scope for with scope always returns Dynamic resolve type,
        2) in that case, JSScope::resolve is always used in JIT and LLInt,
        3) the code which contains op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
        to implement this functionality, we just change JSScope::resolve and have no need to change JIT code.
        So the performance regression is only visible in the Dynamic resolving case, and it is already very slow.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::runtimeFlags):
        * runtime/JSScope.cpp:
        (JSC::isUnscopable):
        (JSC::JSScope::resolve):
        * runtime/JSScope.h:
        (JSC::ScopeChainIterator::scope):
        * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
        (test):
        * tests/stress/unscopables.js: Added.
        (test):
        (.):

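The following is an added example, not code from the WebKit ChangeLog or from the `unscopables.js` stress tests it lists. It shows, from the script side, what the `with`-scope lookup described in the entry for bug 142829 must produce: the ChangeLog's `var values` / `with (array)` scenario, the same opt-out on a plain object, the global-scope exception, and a script-level restatement of the check (an assumed reconstruction of the logic, not `JSC::isUnscopable` itself). Because `with` is a syntax error in strict code, the lookup is compiled with the `Function` constructor, whose body is sloppy regardless of the enclosing module; all object and property names are constructed here.

```javascript
// with (scopeObject) { values } resolves `values` to scopeObject.values
// unless scopeObject's @@unscopables blocks it, in which case it falls
// through to the outer `values` parameter (the ChangeLog's "var values").
const lookupValuesInWith = new Function(
  'scopeObject', 'values',
  'with (scopeObject) { return values; }'
);

function resolveValues(scopeObject) {
  return lookupValuesInWith(scopeObject, 'outer values');
}

// Array.prototype[Symbol.unscopables].values is true in ES6, so the array's
// `values` method is skipped and the outer binding wins.
function arrayDoesNotTrapValues() {
  return resolveValues([1, 2, 3]); // 'outer values'
}

// A plain object has no @@unscopables, so its own property is trapped,
// exactly the web-compat breakage the ChangeLog describes.
function plainObjectTrapsValues() {
  return resolveValues({ values: 'trapped' }); // 'trapped'
}

// Any object can opt names out of `with` the same way Array.prototype does.
function customUnscopablesBlocks() {
  const obj = { values: 'trapped', [Symbol.unscopables]: { values: true } };
  return resolveValues(obj); // 'outer values'
}

// Script-side restatement of the with-scope check (assumed reconstruction,
// not JSC's code): a name is blocked only when @@unscopables is an object
// whose property for that name is truthy.
function isUnscopable(scopeObject, name) {
  const list = scopeObject[Symbol.unscopables];
  const isObject = (typeof list === 'object' && list !== null) || typeof list === 'function';
  return isObject && Boolean(list[name]);
}

// Global scope does not honour @@unscopables: an unqualified name still
// resolves to the global property. The global is removed again afterwards.
function globalScopeIgnoresUnscopables() {
  globalThis.unscopableDemo = 'global';
  globalThis[Symbol.unscopables] = { unscopableDemo: true };
  try {
    return new Function('return unscopableDemo;')(); // 'global'
  } finally {
    delete globalThis.unscopableDemo;
    delete globalThis[Symbol.unscopables];
  }
}
```

`isUnscopable([], 'values')` is true while `isUnscopable([], 'length')` is false, which is the distinction that lets `with (array)` keep resolving `length` to the array but not `values`.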
2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 class syntax should allow static setters and getters
        https://bugs.webkit.org/show_bug.cgi?id=143180

        Reviewed by Filip Pizlo.

        Apparently I misread the spec when I initially implemented parseClass.
        ES6 class syntax allows static getters and setters so just allow that.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-03-31  Filip Pizlo  <fpizlo@apple.com>

        PutClosureVar CSE def() rule has a wrong base
        https://bugs.webkit.org/show_bug.cgi?id=143280

        Reviewed by Michael Saboff.

        I think that this code was incorrect in a benign way, since the base of a
        PutClosureVar is not a JS-visible object. But it was preventing some optimizations.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182200.
        https://bugs.webkit.org/show_bug.cgi?id=143279

        Probably causing assertion extravaganza on bots. (Requested by
        kling on #webkit).

        Reverted changeset:

        "Logically empty WeakBlocks should not pin down their
        MarkedBlocks indefinitely."
        https://bugs.webkit.org/show_bug.cgi?id=143210
        http://trac.webkit.org/changeset/182200

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up Identifier factories to clarify the meaning of StringImpl*
        https://bugs.webkit.org/show_bug.cgi?id=143146

        Reviewed by Filip Pizlo.

        In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
        However, it's ambiguous because `StringImpl*` has 2 different meanings.
        1) normal string, it is replaceable with `WTFString` and
        2) `uid`, which holds `isSymbol` information to represent Symbols.
        So we dropped Identifier constructors for strings and instead, introduced 2 factory functions.
        + `Identifier::fromString(VM*/ExecState*, const String&)`.
        Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
        + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
        This function is used for 2) `uid`. So symbol-ness of `StringImpl*` is kept.

        And to clean up `StringImpl` which is used as uid,
        we introduce `StringKind` into `StringImpl`. There are 3 kinds
        1. StringNormal (non-atomic, non-symbol)
        2. StringAtomic (atomic, non-symbol)
        3. StringSymbol (non-atomic, symbol)
        They are mutually exclusive. And the (atomic, symbol) case should not exist.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        (JSC::BytecodeGenerator::emitEnumeration):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::addFunction):
        (GlobalObject::addConstructableFunction):
        (functionRun):
        (runWithScripts):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::createBindingPattern):
        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
        (JSC::IdentifierArena::makeNumericIdentifier):
        * runtime/ArgumentsIteratorPrototype.cpp:
        (JSC::ArgumentsIteratorPrototype::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncPush):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::hasErrorInfo):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/Identifier.h:
        (JSC::Identifier::isSymbol):
        (JSC::Identifier::Identifier):
        (JSC::Identifier::from): Deleted.
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::Identifier):
        (JSC::Identifier::fromUid):
        (JSC::Identifier::fromString):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        (JSC::makeIdentifier):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncRace):
        (JSC::JSPromiseConstructorFuncAll):
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::makeIdentifier):
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::addKnownUnique):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/SymbolConstructor.cpp:
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):

2015-03-31  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done.)

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

666 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
667
668         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
669         https://bugs.webkit.org/show_bug.cgi?id=142883
670
671         Reviewed by Filip Pizlo.
672
673         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
674
675         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
676         in eval inside a derived class' constructor.
677
678         * bytecode/EvalCodeCache.h:
679         (JSC::EvalCodeCache::getSlow):
680         * bytecompiler/NodesCodegen.cpp:
681         (JSC::ThisNode::emitBytecode):
682         * debugger/DebuggerCallFrame.cpp:
683         (JSC::DebuggerCallFrame::evaluate):
684         * interpreter/Interpreter.cpp:
685         (JSC::eval):
686         * parser/ASTBuilder.h:
687         (JSC::ASTBuilder::thisExpr):
688         * parser/NodeConstructors.h:
689         (JSC::ThisNode::ThisNode):
690         * parser/Nodes.h:
691         * parser/Parser.cpp:
692         (JSC::Parser<LexerType>::Parser):
693         (JSC::Parser<LexerType>::parsePrimaryExpression):
694         * parser/Parser.h:
695         (JSC::parse):
696         * parser/ParserModes.h:
697         * parser/SyntaxChecker.h:
698         (JSC::SyntaxChecker::thisExpr):
699         * runtime/CodeCache.cpp:
700         (JSC::CodeCache::getGlobalCodeBlock):
701         (JSC::CodeCache::getProgramCodeBlock):
702         (JSC::CodeCache::getEvalCodeBlock):
703         * runtime/CodeCache.h:
704         (JSC::SourceCodeKey::SourceCodeKey):
705         * runtime/Executable.cpp:
706         (JSC::EvalExecutable::create):
707         * runtime/Executable.h:
708         * runtime/JSGlobalObject.cpp:
709         (JSC::JSGlobalObject::createEvalCodeBlock):
710         * runtime/JSGlobalObject.h:
711         * runtime/JSGlobalObjectFunctions.cpp:
712         (JSC::globalFuncEval):
713         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
714         * tests/stress/class-syntax-tdz-in-eval.js: Added.
715
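The entry above is about direct eval inside a derived-class constructor needing the same `this` TDZ check that a plain `this` access gets. The following is an added example, not code from WebKit or from the entry's author, that makes the three access paths observable from JavaScript; the classes `Base` and `Derived` and the helper names are constructed for the illustration.

```javascript
// Added example (not WebKit code): observe the `this` TDZ inside a derived
// class constructor through three access paths, before and after super().

class Base {
  constructor() { this.foo = "ready"; }
}

const indirectEval = eval; // indirect eval runs at global scope with global `this`

class Derived extends Base {
  // `how` selects the access path; `beforeSuper` selects when it happens.
  constructor(how, beforeSuper) {
    if (!beforeSuper) super();
    let seen;
    if (how === "direct") {
      seen = this.foo;                    // plain `this`: TDZ-checked by the generated bytecode
    } else if (how === "eval") {
      seen = eval("this.foo");            // direct eval shares the constructor's `this` binding
    } else if (how === "indirect") {
      seen = indirectEval("typeof this"); // global `this`, never in the TDZ
    } else {
      throw new Error("unknown access path: " + how);
    }
    if (beforeSuper) super();
    this.seen = seen;
  }
}

// What a caller observes: the value read, or the class of the error thrown.
function tryAccess(how, beforeSuper) {
  try {
    return { ok: true, value: new Derived(how, beforeSuper).seen };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// All six cases; the `eval` row must match the `direct` row.
function tdzMatrix() {
  const out = {};
  for (const how of ["direct", "eval", "indirect"]) {
    out[how] = { beforeSuper: tryAccess(how, true), afterSuper: tryAccess(how, false) };
  }
  return out;
}

console.log(JSON.stringify(tdzMatrix(), null, 2));
```

With the TDZ check in place the `eval` row behaves exactly like the `direct` row: a ReferenceError before super() and the value "ready" afterwards. Indirect eval is the contrast case; it evaluates at global scope and never sees the constructor's `this` binding, so it cannot hit the TDZ.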
716 2015-03-31  Commit Queue  <commit-queue@webkit.org>
717
718         Unreviewed, rolling out r182186.
719         https://bugs.webkit.org/show_bug.cgi?id=143270
720
721         it crashes all the WebGL tests on the Debug bots (Requested by
722         dino on #webkit).
723
724         Reverted changeset:
725
726         "Web Inspector: add 2D/WebGL canvas instrumentation
727         infrastructure"
728         https://bugs.webkit.org/show_bug.cgi?id=137278
729         http://trac.webkit.org/changeset/182186
730
731 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
732
733         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
734         https://bugs.webkit.org/show_bug.cgi?id=142937
735
736         Reviewed by Darin Adler.
737
738         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
739         In ES5 or prior, when the first parameter is not of object type, these functions raise a TypeError.
740         But now, several functions perform ToObject on a non-object parameter,
741         and others behave as if the parameter were a non-extensible ordinary object with no own properties.
742         This is described in ES6 Annex E.
743         The functions that differ from ES5 are the following.
744 
745         1. An attempt is made to coerce the argument using ToObject.
746             Object.getOwnPropertyDescriptor
747             Object.getOwnPropertyNames
748             Object.getPrototypeOf
749             Object.keys
750
751         2. Treated as if it was a non-extensible ordinary object with no own properties.
752             Object.freeze
753             Object.isExtensible
754             Object.isFrozen
755             Object.isSealed
756             Object.preventExtensions
757             Object.seal
758
759         * runtime/ObjectConstructor.cpp:
760         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
761         (JSC::objectConstructorGetPrototypeOf):
762         (JSC::objectConstructorGetOwnPropertyDescriptor):
763         (JSC::objectConstructorGetOwnPropertyNames):
764         (JSC::objectConstructorKeys):
765         (JSC::objectConstructorSeal):
766         (JSC::objectConstructorFreeze):
767         (JSC::objectConstructorPreventExtensions):
768         (JSC::objectConstructorIsSealed):
769         (JSC::objectConstructorIsFrozen):
770         (JSC::objectConstructorIsExtensible):
771         * tests/stress/object-freeze-accept-non-object.js: Added.
772         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
773         (canary):
774         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
775         (compare):
776         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
777         * tests/stress/object-is-extensible-accept-non-object.js: Added.
778         * tests/stress/object-is-frozen-accept-non-object.js: Added.
779         * tests/stress/object-is-sealed-accept-non-object.js: Added.
780         * tests/stress/object-keys-perform-to-object.js: Added.
781         (compare):
782         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
783         * tests/stress/object-seal-accept-non-object.js: Added.
784
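The two groups listed in the entry above can be checked directly. The following is an added example, not code from WebKit or from the entry's author: it probes each Object.* function with a primitive and with null, and adds an explicit guard for callers that used the old TypeError as an "argument must be an object" check. The helper names are constructed for the illustration.

```javascript
// Added example (not WebKit code): probe the ES6 behaviour of Object.* on
// non-object arguments, plus an explicit type check for callers that relied
// on the old TypeError.

// Run `fn` and report either its result or the class of the error it threw.
function probe(fn) {
  try {
    return { threw: false, result: fn() };
  } catch (e) {
    return { threw: true, error: e.constructor.name };
  }
}

// Group 1 coerces with ToObject (so null/undefined still throw); group 2
// treats the value as a non-extensible ordinary object with no own properties
// and returns the argument itself.
function es6Behaviour(value) {
  return {
    keys:              probe(() => Object.keys(value)),
    ownNames:          probe(() => Object.getOwnPropertyNames(value)),
    proto:             probe(() => Object.getPrototypeOf(value)),
    lengthDesc:        probe(() => Object.getOwnPropertyDescriptor(value, "length")),
    freezeReturnsArg:  probe(() => Object.freeze(value) === value),
    sealReturnsArg:    probe(() => Object.seal(value) === value),
    preventReturnsArg: probe(() => Object.preventExtensions(value) === value),
    isFrozen:          probe(() => Object.isFrozen(value)),
    isSealed:          probe(() => Object.isSealed(value)),
    isExtensible:      probe(() => Object.isExtensible(value)),
  };
}

// Object.freeze(x) no longer throws for primitives, so it cannot serve as an
// "x must be an object" guard any more. Check explicitly before freezing.
function strictFreeze(value) {
  if (Object(value) !== value) {
    throw new TypeError("strictFreeze expects an object, got " + typeof value);
  }
  return Object.freeze(value);
}

console.log(es6Behaviour("ab"));
console.log(es6Behaviour(null));
```

For the string "ab", group 1 reports the wrapper's properties ("0", "1" and "length") and String.prototype, while group 2 returns the string itself and reports it as frozen, sealed and non-extensible. For null, group 1 still throws a TypeError, but group 2 returns null and reports it as frozen; code that depended on Object.freeze(null) throwing silently loses that check, which is what strictFreeze restores.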
785 2015-03-31  Matt Baker  <mattbaker@apple.com>
786
787         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
788         https://bugs.webkit.org/show_bug.cgi?id=137278
789
790         Reviewed by Timothy Hatcher.
791
792         Added Canvas protocol which defines types used by InspectorCanvasAgent.
793
794         * CMakeLists.txt:
795         * DerivedSources.make:
796         * inspector/protocol/Canvas.json: Added.
797
798         * inspector/scripts/codegen/generator.py:
799         (Generator.stylized_name_for_enum_value):
800         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
801
802 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
803
804         Extending null should set __proto__ to null
805         https://bugs.webkit.org/show_bug.cgi?id=142882
806
807         Reviewed by Geoffrey Garen and Benjamin Poulain.
808
809         Set Derived.prototype.__proto__ to null when extending null.
810
811         * bytecompiler/NodesCodegen.cpp:
812         (JSC::ClassExprNode::emitBytecode):
813
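The entry above fixes the prototype chain produced by `extends null`. The following is an added example, not code from WebKit or from the entry's author, that shows the resulting chain, why the default derived constructor cannot be used with it, and one practical use of objects that inherit nothing from Object.prototype. The classes `Plain`, `FromNull` and `Dict` and the helper names are constructed for the illustration.

```javascript
// Added example (not WebKit code): what `extends null` does to the prototype
// chain, why the default constructor cannot be used, and one use of the
// resulting chain-free objects.

class Plain {}
class FromNull extends null {}

// A derived class with no super constructor to call: the instance has to be
// allocated explicitly, with the class's own prototype, and returned.
class Dict extends null {
  constructor(entries) {
    const self = Object.create(new.target.prototype);
    for (const [k, v] of entries) self[k] = v;
    return self;
  }
  has(k) { return Object.prototype.hasOwnProperty.call(this, k); }
}

function prototypeChain(C) {
  return {
    protoParent: Object.getPrototypeOf(C.prototype), // null for `extends null`
    ctorParent: Object.getPrototypeOf(C),            // Function.prototype either way
  };
}

// The default derived constructor calls super(...args); with null as the
// superclass that is a TypeError, so plain `new FromNull()` cannot work.
function instantiate(C, ...args) {
  try {
    return { ok: true, value: new C(...args) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// A Dict instance inherits nothing from Object.prototype, so keys such as
// "__proto__" or "hasOwnProperty" are ordinary own properties rather than an
// inherited accessor or method; assigning "__proto__" cannot re-parent it.
function pollutionProbe() {
  const d = new Dict([["__proto__", { polluted: true }], ["x", 1]]);
  return {
    protoUnchanged: Object.getPrototypeOf(d) === Dict.prototype,
    polluted: d.polluted,
    hasProtoKey: d.has("__proto__"),
    inheritsHasOwnProperty: "hasOwnProperty" in d,
  };
}

console.log(prototypeChain(FromNull), instantiate(FromNull), pollutionProbe());
```

Object.getPrototypeOf(FromNull.prototype) is null while Object.getPrototypeOf(FromNull) is still Function.prototype, which is the combination the entry describes. The Dict class shows why one would want that: with no Object.prototype in the chain, a "__proto__" key taken from untrusted input becomes a plain own property instead of changing the object's prototype.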
814 2015-03-30  Mark Lam  <mark.lam@apple.com>
815
816         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
817         <https://webkit.org/b/143105>
818
819         Reviewed by Filip Pizlo.
820
821         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
822         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
823         JIT frames that do not have their scope register set.  The Debugger's current implementation,
824         which relies on the scope register, is not happy about this.  For example, this results in a
825         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
826
827         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
828         ensure that the scope register value is flushed to the register in the stack frame.
829
830         * dfg/DFGByteCodeParser.cpp:
831         (JSC::DFG::ByteCodeParser::ByteCodeParser):
832         (JSC::DFG::ByteCodeParser::setLocal):
833         (JSC::DFG::ByteCodeParser::flush):
834         - Add code to flush the scope register.
835         (JSC::DFG::ByteCodeParser::inliningCost):
836         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
837           disabling inlining whenever the debugger is in use.
838         * dfg/DFGGraph.cpp:
839         (JSC::DFG::Graph::Graph):
840         * dfg/DFGGraph.h:
841         (JSC::DFG::Graph::hasDebuggerEnabled):
842         * dfg/DFGStackLayoutPhase.cpp:
843         (JSC::DFG::StackLayoutPhase::run):
844         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
845         * ftl/FTLCompile.cpp:
846         (JSC::FTL::mmAllocateDataSection):
847         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
848
849 2015-03-30  Michael Saboff  <msaboff@apple.com>
850
851         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
852         https://bugs.webkit.org/show_bug.cgi?id=138391
853
854         Reviewed by Mark Lam.
855
856         Re-enabling these tests as I can't get them to fail on local iOS test devices.
857         There have been many changes since these tests were disabled.
858         I'll watch automated test results for failures.  If there are failures running automated
859         testing, it might be due to the device's relative CPU performance.
860         
861         * tests/stress/float32-repeat-out-of-bounds.js:
862         * tests/stress/int8-repeat-out-of-bounds.js:
863
864 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
865
866         Web Inspector: Regression: Preview for [[null]] shouldn't be []
867         https://bugs.webkit.org/show_bug.cgi?id=143208
868
869         Reviewed by Mark Lam.
870
871         * inspector/InjectedScriptSource.js:
872         Handle null when generating simple object previews.
873
874 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
875
876         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
877         https://bugs.webkit.org/show_bug.cgi?id=143134
878
879         Reviewed by Geoffrey Garen.
880
881         * jit/JSInterfaceJIT.h:
882         * jit/Repatch.cpp:
883         (JSC::tryCacheGetByID):
884
885 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
886
887         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
888         https://bugs.webkit.org/show_bug.cgi?id=143104
889
890         Reviewed by Geoffrey Garen.
891         
892         Created a test that is a 100% repro of the flaky failure. This test is called
893         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
894         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
895         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
896         
897         Also created three more tests for three similar, but not identical, failures.
898         
899         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
900         only reading those parts of the stack that are relevant to the current semantic code origin.
901         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
902         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
903         read parts of the stack associated with the inline call frame for the phantom arguments. This
904         may not be subsumed by the current semantic origin's stack area in cases that the arguments
905         were allowed to "locally" escape.
906         
907         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
908         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
909         the stack due to function.arguments, but there are a bunch of other ways that we could also
910         read the stack and those operations may read any stack slot. I believe that this change makes
911         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
912         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
913         readTop() in PreciseLocalClobberize does the right thing.
914
915         * dfg/DFGClobberize.h:
916         (JSC::DFG::clobberize):
917         * dfg/DFGPreciseLocalClobberize.h:
918         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
919         * dfg/DFGPutStackSinkingPhase.cpp:
920         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
921         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
922         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
923         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
924         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
925
926 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
927
928         Start the features.json files
929         https://bugs.webkit.org/show_bug.cgi?id=143207
930
931         Reviewed by Darin Adler.
932
933         Start the features.json files to have something to experiment
934         with for the UI.
935
936         * features.json: Added.
937
938 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
939
940         [Win] Addresing post-review comment after r182122
941         https://bugs.webkit.org/show_bug.cgi?id=143189
942
943         Unreviewed.
944
945 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
946
947         [Win] Allow building JavaScriptCore without Cygwin
948         https://bugs.webkit.org/show_bug.cgi?id=143189
949
950         Reviewed by Brent Fulgham.
951
952         Paths like /usr/bin/ don't exist on Windows.
953         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
954         Prefixing commands with environment variables doesn't work on Windows.
955         Windows doesn't have 'cmp'
956         Windows uses 'del' instead of 'rm'
957         Windows uses 'type NUL' instead of 'touch'
958
959         * DerivedSources.make:
960         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
961         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
962         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
963         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
964         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
965         * JavaScriptCore.vcxproj/build-generated-files.pl:
966         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
967
968 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
969
970         Clean up JavaScriptCore/builtins
971         https://bugs.webkit.org/show_bug.cgi?id=143177
972
973         Reviewed by Ryosuke Niwa.
974
975         * builtins/ArrayConstructor.js:
976         (from):
977         - We can compare to undefined instead of using a typeof undefined check.
978         - Converge on double quoted strings everywhere.
979
980         * builtins/ArrayIterator.prototype.js:
981         (next):
982         * builtins/StringIterator.prototype.js:
983         (next):
984         - Use shorthand object construction to avoid duplication.
985         - Improve grammar in error messages.
986
987         * tests/stress/array-iterators-next-with-call.js:
988         * tests/stress/string-iterators.js:
989         - Update for new error message strings.
990
991 2015-03-28  Saam Barati  <saambarati1@gmail.com>
992
993         Web Inspector: ES6: Better support for Symbol types in Type Profiler
994         https://bugs.webkit.org/show_bug.cgi?id=141257
995
996         Reviewed by Joseph Pecoraro.
997
998         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
999         type profiler support this new primitive type.
1000
1001         * dfg/DFGFixupPhase.cpp:
1002         (JSC::DFG::FixupPhase::fixupNode):
1003         * inspector/protocol/Runtime.json:
1004         * runtime/RuntimeType.cpp:
1005         (JSC::runtimeTypeForValue):
1006         * runtime/RuntimeType.h:
1007         (JSC::runtimeTypeIsPrimitive):
1008         * runtime/TypeSet.cpp:
1009         (JSC::TypeSet::addTypeInformation):
1010         (JSC::TypeSet::dumpTypes):
1011         (JSC::TypeSet::doesTypeConformTo):
1012         (JSC::TypeSet::displayName):
1013         (JSC::TypeSet::inspectorTypeSet):
1014         (JSC::TypeSet::toJSONString):
1015         * runtime/TypeSet.h:
1016         (JSC::TypeSet::seenTypes):
1017         * tests/typeProfiler/driver/driver.js:
1018         * tests/typeProfiler/symbol.js: Added.
1019         (wrapper.foo):
1020         (wrapper.bar):
1021         (wrapper.bar.bar.baz):
1022         (wrapper):
1023
1024 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1025
1026         Deconstruction parameters are bound too late
1027         https://bugs.webkit.org/show_bug.cgi?id=143148
1028
1029         Reviewed by Filip Pizlo.
1030
1031         Currently, a deconstruction pattern named with the same
1032         name as a function will shadow the function. This is
1033         wrong. It should be the other way around.
1034
1035         * bytecompiler/BytecodeGenerator.cpp:
1036         (JSC::BytecodeGenerator::generate):
1037
1038 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1039
1040         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
1041         https://bugs.webkit.org/show_bug.cgi?id=143170
1042
1043         Reviewed by Benjamin Poulain.
1044
1045         Assert that we never use the 16-bit version of the parser to parse a default constructor
1046         since both base and derived default constructors should be using an 8-bit string.
1047
1048         * parser/Parser.h:
1049         (JSC::parse):
1050
1051 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1052
1053         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
1054         https://bugs.webkit.org/show_bug.cgi?id=142862
1055
1056         Reviewed by Benjamin Poulain.
1057
1058         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
1059
1060         * tests/stress/class-syntax-derived-default-constructor.js: Added.
1061
1062 2015-03-27  Michael Saboff  <msaboff@apple.com>
1063
1064         load8Signed() and load16Signed() should be renamed to avoid confusion
1065         https://bugs.webkit.org/show_bug.cgi?id=143168
1066
1067         Reviewed by Benjamin Poulain.
1068
1069         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
1070
1071         * assembler/MacroAssemblerARM.h:
1072         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
1073         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
1074         (JSC::MacroAssemblerARM::load8Signed): Deleted.
1075         (JSC::MacroAssemblerARM::load16Signed): Deleted.
1076         * assembler/MacroAssemblerARM64.h:
1077         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
1078         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
1079         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
1080         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
1081         * assembler/MacroAssemblerARMv7.h:
1082         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
1083         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
1084         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
1085         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
1086         * assembler/MacroAssemblerMIPS.h:
1087         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1088         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1089         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
1090         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
1091         * assembler/MacroAssemblerSH4.h:
1092         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
1093         (JSC::MacroAssemblerSH4::load8):
1094         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
1095         (JSC::MacroAssemblerSH4::load16):
1096         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
1097         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
1098         * assembler/MacroAssemblerX86Common.h:
1099         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
1100         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
1101         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
1102         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
1103         * dfg/DFGSpeculativeJIT.cpp:
1104         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1105         * jit/JITPropertyAccess.cpp:
1106         (JSC::JIT::emitIntTypedArrayGetByVal):
1107
1108 2015-03-27  Michael Saboff  <msaboff@apple.com>
1109
1110         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
1111         https://bugs.webkit.org/show_bug.cgi?id=138390
1112
1113         Reviewed by Mark Lam.
1114
1115         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
1116         instead of 64 bits.  This is what X86-64 does.
1117
1118         * assembler/MacroAssemblerARM64.h:
1119         (JSC::MacroAssemblerARM64::load16Signed):
1120         (JSC::MacroAssemblerARM64::load8Signed):
1121
1122 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1123
1124         Add back previously broken assert from bug 141869
1125         https://bugs.webkit.org/show_bug.cgi?id=143005
1126
1127         Reviewed by Michael Saboff.
1128
1129         * runtime/ExceptionHelpers.cpp:
1130         (JSC::invalidParameterInSourceAppender):
1131
1132 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1133
1134         Make some more objects use FastMalloc
1135         https://bugs.webkit.org/show_bug.cgi?id=143122
1136
1137         Reviewed by Csaba Osztrogonác.
1138
1139         * API/JSCallbackObject.h:
1140         * heap/IncrementalSweeper.h:
1141         * jit/JITThunks.h:
1142         * runtime/JSGlobalObjectDebuggable.h:
1143         * runtime/RegExpCache.h:
1144
1145 2015-03-27  Michael Saboff  <msaboff@apple.com>
1146
1147         Objects with numeric properties intermittently get a phantom 'length' property
1148         https://bugs.webkit.org/show_bug.cgi?id=142792
1149
1150         Reviewed by Csaba Osztrogonác.
1151
1152         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
1153         test and branch instructions.  This function is used for linking tbz/tbnz branches between
1154         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
1155         the failure case checks in the GetById array length stub created for "obj.length" access.
1156         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
1157         being set when we should have been looking for bit 0.
1158
1159         * assembler/ARM64Assembler.h:
1160         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
1161
1162 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1163
1164         Insert exception check around toPropertyKey call
1165         https://bugs.webkit.org/show_bug.cgi?id=142922
1166
1167         Reviewed by Geoffrey Garen.
1168
1169         In some places, an exception check is missing after/before toPropertyKey.
1170         However, since it calls toString, this is observable to users.
1171
1172         Missing exception checks in Object.prototype methods can be
1173         observed since it would be overridden with toObject(null/undefined) errors.
1174         We inserted exception checks after toPropertyKey.
1175
1176         Missing exception checks in GetById related code can be
1177         observed since it would be overridden with toObject(null/undefined) errors.
1178         In this case, we need to insert exception checks before/after toPropertyKey
1179         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
1180
1181         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
1182         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
1183         According to the spec, we first perform RequireObjectCoercible and check the exception.
1184         And second, we perform ToPropertyKey and check the exception.
1185         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
1186         For example, if the target is not object coercible,
1187         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
1188         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
1189
1190         This patch introduces JSValue::requireObjectCoercible and uses it for the following two reasons.
1191
1192         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
1193
1194         toObject converts primitive types into wrapper objects.
1195         But it is not efficient since wrapper objects are not necessary
1196         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
1197
1198         2. Using the result of toObject is not correct to the spec.
1199
1200         To align to the spec correctly, we cannot use JSObject::get
1201         by using the wrapper object produced by the toObject suggested in (1).
1202         If we use the JSObject that is converted by toObject, the getter will be called with this JSObject as |this|.
1203         It is not correct since the getter should be called with the original |this| value, which may be a primitive type.
1204
1205         So in this patch, we use JSValue::requireObjectCoercible
1206         to check that the target is object coercible and raise an error if it's not.
1207
1208         * dfg/DFGOperations.cpp:
1209         * jit/JITOperations.cpp:
1210         (JSC::getByVal):
1211         * llint/LLIntSlowPaths.cpp:
1212         (JSC::LLInt::getByVal):
1213         * runtime/CommonSlowPaths.cpp:
1214         (JSC::SLOW_PATH_DECL):
1215         * runtime/JSCJSValue.h:
1216         * runtime/JSCJSValueInlines.h:
1217         (JSC::JSValue::requireObjectCoercible):
1218         * runtime/ObjectPrototype.cpp:
1219         (JSC::objectProtoFuncHasOwnProperty):
1220         (JSC::objectProtoFuncDefineGetter):
1221         (JSC::objectProtoFuncDefineSetter):
1222         (JSC::objectProtoFuncLookupGetter):
1223         (JSC::objectProtoFuncLookupSetter):
1224         (JSC::objectProtoFuncPropertyIsEnumerable):
1225         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
1226         (shouldThrow):
1227         (if):
1228         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
1229         (shouldThrow):
1230         (.):
1231
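Both orderings described in the entry above, and the |this| seen by a getter reached through a primitive, can be observed from script. The following is an added example, not code from WebKit or from the entry's author: it builds a property key whose ToPropertyKey conversion counts calls and can throw, then checks which conversion runs first for Object.prototype.hasOwnProperty and for a computed member access, and finally shows that a strict-mode getter receives the primitive itself as `this` while a sloppy-mode getter receives a wrapper. The `KeyError` class, the probe properties on String.prototype and the helper names are constructed for the illustration.

```javascript
// Added example (not WebKit code): make ToPropertyKey observable to check
// which conversion runs first, and show what `this` a getter receives when
// it is reached through a primitive.

class KeyError extends Error {}

// A property key whose ToPropertyKey conversion counts calls and can throw.
function observableKey(shouldThrow) {
  const key = {
    calls: 0,
    toString() {
      key.calls += 1;
      if (shouldThrow) throw new KeyError("thrown by ToPropertyKey");
      return "x";
    },
  };
  return key;
}

// Object.prototype.hasOwnProperty(V): the spec runs ToPropertyKey(V) before
// ToObject(this), so with a null receiver the key's own error must win over
// the ToObject TypeError, and the key must have been converted exactly once.
function hasOwnPropertyOrder(receiver) {
  const key = observableKey(true);
  try {
    Object.prototype.hasOwnProperty.call(receiver, key);
    return { error: null, keyConverted: key.calls };
  } catch (e) {
    return { error: e.constructor.name, keyConverted: key.calls };
  }
}

// base[key]: the spec checks the base for object-coercibility before the key
// is converted, so a null base must fail with a TypeError; with an object base
// the key is converted exactly once.
function memberAccessOrder(base) {
  const key = observableKey(false);
  try {
    base[key];
    return { error: null, keyConverted: key.calls };
  } catch (e) {
    return { error: e.constructor.name, keyConverted: key.calls };
  }
}

// A getter on String.prototype read through a primitive string: strict-mode
// getters receive the primitive itself as `this`; only sloppy-mode getters see
// a wrapper object. Function() bodies are sloppy regardless of the file.
function thisSeenByGetters() {
  Object.defineProperty(String.prototype, "strictProbe", {
    configurable: true,
    get() { "use strict"; return typeof this; },
  });
  Object.defineProperty(String.prototype, "sloppyProbe", {
    configurable: true,
    get: new Function("return typeof this"),
  });
  try {
    return { strict: "abc".strictProbe, sloppy: "abc".sloppyProbe };
  } finally {
    delete String.prototype.strictProbe;
    delete String.prototype.sloppyProbe;
  }
}

console.log(hasOwnPropertyOrder(null), memberAccessOrder(null), thisSeenByGetters());
```

The hasOwnProperty probe is the "Object.prototype methods" case of the entry: the KeyError from ToPropertyKey must surface instead of being replaced by the ToObject(null) TypeError. The member-access probe is the GetById case: the base is rejected first, so a null base yields a TypeError. The getter probe is reason (2) in the entry: if the engine looked the property up on a wrapper produced by toObject, a strict getter would see "object" instead of "string".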
1232 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1233
1234         WebContent Crash when instantiating class with Type Profiling enabled
1235         https://bugs.webkit.org/show_bug.cgi?id=143037
1236
1237         Reviewed by Ryosuke Niwa.
1238
1239         * bytecompiler/BytecodeGenerator.h:
1240         * bytecompiler/BytecodeGenerator.cpp:
1241         (JSC::BytecodeGenerator::BytecodeGenerator):
1242         (JSC::BytecodeGenerator::emitMoveEmptyValue):
1243         We cannot profile the type of an uninitialized empty JSValue.
1244         Nor do we expect this to be necessary, since it is effectively
1245         an unseen undefined value. So add a way to put the empty value
1246         without profiling.
1247
1248         (JSC::BytecodeGenerator::emitMove):
1249         Add an assert to try to catch this issue early on, and force
1250         callers to explicitly use emitMoveEmptyValue instead.
1251
1252         * tests/typeProfiler/classes.js: Added.
1253         (wrapper.Base):
1254         (wrapper.Derived):
1255         (wrapper):
1256         Add test coverage both for this case and classes in general.
1257
1258 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1259
1260         Web Inspector: ES6: Provide a better view for Classes in the console
1261         https://bugs.webkit.org/show_bug.cgi?id=142999
1262
1263         Reviewed by Timothy Hatcher.
1264
1265         * inspector/protocol/Runtime.json:
1266         Provide a new `subtype` enum "class". This is a subtype of `type`
1267         "function"; all other subtypes are subtypes of `object` types.
1268         For a class, the frontend will immediately want to get the prototype
1269         to enumerate its methods, so include the `classPrototype`.
1270
1271         * inspector/JSInjectedScriptHost.cpp:
1272         (Inspector::JSInjectedScriptHost::subtype):
1273         Denote class construction functions as "class" subtypes.
1274
1275         * inspector/InjectedScriptSource.js:
1276         Handling for the new "class" type.
1277
1278         * bytecode/UnlinkedCodeBlock.h:
1279         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
1280         * runtime/Executable.h:
1281         (JSC::FunctionExecutable::isClassConstructorFunction):
1282         * runtime/JSFunction.h:
1283         * runtime/JSFunctionInlines.h:
1284         (JSC::JSFunction::isClassConstructorFunction):
1285         Check if this function is a class constructor function. That information
1286         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
1287
1288 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1289
1290         Function.prototype.toString should not decompile the AST
1291         https://bugs.webkit.org/show_bug.cgi?id=142853
1292
1293         Reviewed by Darin Adler.
1294
1295         Following up on Darin's review comments.
1296
1297         * runtime/FunctionConstructor.cpp:
1298         (JSC::constructFunctionSkippingEvalEnabledCheck):
1299
1300 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1301
1302         "lineNo" does not match WebKit coding style guidelines
1303         https://bugs.webkit.org/show_bug.cgi?id=143119
1304
1305         Reviewed by Michael Saboff.
1306
1307         We can afford to use whole words.
1308
1309         * bytecode/CodeBlock.cpp:
1310         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1311         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
1312         * bytecode/UnlinkedCodeBlock.cpp:
1313         (JSC::UnlinkedFunctionExecutable::link):
1314         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1315         * bytecode/UnlinkedCodeBlock.h:
1316         * bytecompiler/NodesCodegen.cpp:
1317         (JSC::WhileNode::emitBytecode):
1318         * debugger/Debugger.cpp:
1319         (JSC::Debugger::toggleBreakpoint):
1320         * interpreter/Interpreter.cpp:
1321         (JSC::StackFrame::computeLineAndColumn):
1322         (JSC::GetStackTraceFunctor::operator()):
1323         (JSC::Interpreter::execute):
1324         * interpreter/StackVisitor.cpp:
1325         (JSC::StackVisitor::Frame::computeLineAndColumn):
1326         * parser/Nodes.h:
1327         (JSC::Node::firstLine):
1328         (JSC::Node::lineNo): Deleted.
1329         (JSC::StatementNode::firstLine): Deleted.
1330         * parser/ParserError.h:
1331         (JSC::ParserError::toErrorObject):
1332         * profiler/LegacyProfiler.cpp:
1333         (JSC::createCallIdentifierFromFunctionImp):
1334         * runtime/CodeCache.cpp:
1335         (JSC::CodeCache::getGlobalCodeBlock):
1336         * runtime/Executable.cpp:
1337         (JSC::ScriptExecutable::ScriptExecutable):
1338         (JSC::ScriptExecutable::newCodeBlockFor):
1339         (JSC::FunctionExecutable::fromGlobalCode):
1340         * runtime/Executable.h:
1341         (JSC::ScriptExecutable::firstLine):
1342         (JSC::ScriptExecutable::setOverrideLineNumber):
1343         (JSC::ScriptExecutable::hasOverrideLineNumber):
1344         (JSC::ScriptExecutable::overrideLineNumber):
1345         (JSC::ScriptExecutable::lineNo): Deleted.
1346         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
1347         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
1348         (JSC::ScriptExecutable::overrideLineNo): Deleted.
1349         * runtime/FunctionConstructor.cpp:
1350         (JSC::constructFunctionSkippingEvalEnabledCheck):
1351         * runtime/FunctionConstructor.h:
1352         * tools/CodeProfile.cpp:
1353         (JSC::CodeProfile::report):
1354         * tools/CodeProfile.h:
1355         (JSC::CodeProfile::CodeProfile):
1356
1357 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1358
1359         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
1360         https://bugs.webkit.org/show_bug.cgi?id=142974
1361
1362         Reviewed by Joseph Pecoraro.
1363
1364         This patch does two things:
1365
1366         (1) Restore JavaScriptCore's sanitization of line and column numbers to
1367         one-based values.
1368
1369         We need this because WebCore sometimes provides huge negative column
1370         numbers.
1371
1372         (2) Solve the attribute event listener line numbering problem a different
1373         way: Rather than offseting all line numbers by -1 in an attribute event
1374         listener in order to arrange for a custom result, instead use an explicit
1375         feature for saying "all errors in this code should map to this line number".
1376
1377         * bytecode/UnlinkedCodeBlock.cpp:
1378         (JSC::UnlinkedFunctionExecutable::link):
1379         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1380         * bytecode/UnlinkedCodeBlock.h:
1381         * interpreter/Interpreter.cpp:
1382         (JSC::StackFrame::computeLineAndColumn):
1383         (JSC::GetStackTraceFunctor::operator()):
1384         * interpreter/Interpreter.h:
1385         * interpreter/StackVisitor.cpp:
1386         (JSC::StackVisitor::Frame::computeLineAndColumn):
1387         * parser/ParserError.h:
1388         (JSC::ParserError::toErrorObject): Plumb through an override line number.
1389         When a function has an override line number, all syntax and runtime
1390         errors in the function will map to it. This is useful for attribute event
1391         listeners.
1392  
1393         * parser/SourceCode.h:
1394         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
1395         column numbers to one-based integers. It was kind of a hack to remove this.
1396
1397         * runtime/Executable.cpp:
1398         (JSC::ScriptExecutable::ScriptExecutable):
1399         (JSC::FunctionExecutable::fromGlobalCode):
1400         * runtime/Executable.h:
1401         (JSC::ScriptExecutable::setOverrideLineNo):
1402         (JSC::ScriptExecutable::hasOverrideLineNo):
1403         (JSC::ScriptExecutable::overrideLineNo):
1404         * runtime/FunctionConstructor.cpp:
1405         (JSC::constructFunctionSkippingEvalEnabledCheck):
1406         * runtime/FunctionConstructor.h: Plumb through an override line number.
1407
1408 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1409
1410         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
1411
1412         Reviewed by Michael Saboff.
1413
1414         * jit/JITPropertyAccess.cpp:
1415         (JSC::JIT::emitScopedArgumentsGetByVal):
1416         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
1417
1418 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1419
1420         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
1421         https://bugs.webkit.org/show_bug.cgi?id=143098
1422
1423         Reviewed by Csaba Osztrogonác.
1424
1425         * ftl/FTLLowerDFGToLLVM.cpp:
1426         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
1427         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
1428
1429 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
1430
1431         Unreviewed gardening, skip failing tests on AArch64 Linux.
1432
1433         * tests/mozilla/mozilla-tests.yaml:
1434         * tests/stress/cached-prototype-setter.js:
1435
1436 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1437
1438         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
1439
1440         * dfg/DFGConstantFoldingPhase.cpp:
1441         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
1442         * ftl/FTLCompile.cpp:
1443         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
1444         * ftl/FTLState.cpp:
1445         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
1446         * ftl/FTLState.h:
1447
1448 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1449
1450         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
1451         right, so this just makes 32-bit do the same.
1452
1453         * dfg/DFGSpeculativeJIT32_64.cpp:
1454         (JSC::DFG::SpeculativeJIT::emitCall):
1455
1456 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1457
1458         Fix a typo that ggaren found but that I didn't fix before.
1459
1460         * runtime/DirectArgumentsOffset.h:
1461
1462 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1463
1464         Unreviewed, VC found a bug. This fixes the bug.
1465
1466         * dfg/DFGConstantFoldingPhase.cpp:
1467         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1468
1469 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1470
1471         Unreviewed, try to fix Windows build.
1472
1473         * runtime/ClonedArguments.cpp:
1474         (JSC::ClonedArguments::createWithInlineFrame):
1475
1476 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1477
1478         Unreviewed, fix debug build.
1479
1480         * bytecompiler/NodesCodegen.cpp:
1481         (JSC::ConstDeclNode::emitCodeSingle):
1482
1483 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1484
1485         Unreviewed, fix CLOOP build.
1486
1487         * dfg/DFGMinifiedID.h:
1488
1489 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1490
1491         Heap variables shouldn't end up in the stack frame
1492         https://bugs.webkit.org/show_bug.cgi?id=141174
1493
1494         Reviewed by Geoffrey Garen.
1495         
1496         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
1497         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
1498         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
1499         simplifications:
1500         
1501         - Accesses to variables no longer need checks or indirections to determine where the variable is
1502           at that moment in time. For example, loading a closure variable now takes just one load instead
1503           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
1504           (when no arguments object allocation is required) while previously that same operation required
1505           a "did I allocate arguments yet" check, a bounds check, and then the load.
1506         
1507         - Reasoning about the allocation of an activation or arguments object now follows the same simple
1508           logic as the allocation of any other kind of object. Previously, those objects were lazily
1509           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
1510           allocate anything at all. This made the implementation of traditional escape analyses really
1511           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
1512           arguments object using the usual SSA tricks which allows for more comprehensive removal.
1513         
1514         - The allocations of arguments objects, functions, and activations are now much faster. While
1515           this patch generally expands our ability to eliminate arguments object allocations, an earlier
1516           version of the patch - which lacked that functionality - was a progression on some arguments-
1517           and closure-happy benchmarks because although no allocations were eliminated, all allocations
1518           were faster.
1519         
1520         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
1521           its arguments objects or activations. The runtime doesn't have to do things to the arguments
1522           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
1523           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
1524           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" is
1525           now gone. This also enables implementing block-scoping. Without this change, block-scope
1526           support would require telling CodeBlock and all of the rest of the runtime about all of the
1527           variables that store currently-live scopes. That would have been so disastrously hard that it
1528           might as well be impossible. With this change, it's fair game for the bytecode generator to
1529           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
1530           however long it wants. This all works, because after bytecode generation, an activation is just
1531           an object and variables that refer to it are just normal variables.
1532         
1533         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
1534           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
1535           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
1536           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
1537           an arguments object.
1538         
1539         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
1540           using activations used to prevent inlining; now functions that use activations can be inlined
1541           just fine.
1542         
1543         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
1544         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
1545         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
1546         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
1547         
1548         The easiest way of understanding this change is to start by looking at the changes in runtime/,
1549         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
1550
1551         * CMakeLists.txt:
1552         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1553         * JavaScriptCore.xcodeproj/project.pbxproj:
1554         * assembler/AbortReason.h:
1555         * assembler/AbstractMacroAssembler.h:
1556         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
1557         * bytecode/ByValInfo.h:
1558         (JSC::hasOptimizableIndexingForJSType):
1559         (JSC::hasOptimizableIndexing):
1560         (JSC::jitArrayModeForJSType):
1561         (JSC::jitArrayModePermitsPut):
1562         (JSC::jitArrayModeForStructure):
1563         * bytecode/BytecodeKills.h: Added.
1564         (JSC::BytecodeKills::BytecodeKills):
1565         (JSC::BytecodeKills::operandIsKilled):
1566         (JSC::BytecodeKills::forEachOperandKilledAt):
1567         (JSC::BytecodeKills::KillSet::KillSet):
1568         (JSC::BytecodeKills::KillSet::add):
1569         (JSC::BytecodeKills::KillSet::forEachLocal):
1570         (JSC::BytecodeKills::KillSet::contains):
1571         * bytecode/BytecodeList.json:
1572         * bytecode/BytecodeLivenessAnalysis.cpp:
1573         (JSC::isValidRegisterForLiveness):
1574         (JSC::stepOverInstruction):
1575         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
1576         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1577         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
1578         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1579         (JSC::BytecodeLivenessAnalysis::computeKills):
1580         (JSC::indexForOperand): Deleted.
1581         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
1582         (JSC::getLivenessInfo): Deleted.
1583         * bytecode/BytecodeLivenessAnalysis.h:
1584         * bytecode/BytecodeLivenessAnalysisInlines.h:
1585         (JSC::operandIsAlwaysLive):
1586         (JSC::operandThatIsNotAlwaysLiveIsLive):
1587         (JSC::operandIsLive):
1588         * bytecode/BytecodeUseDef.h:
1589         (JSC::computeUsesForBytecodeOffset):
1590         (JSC::computeDefsForBytecodeOffset):
1591         * bytecode/CodeBlock.cpp:
1592         (JSC::CodeBlock::dumpBytecode):
1593         (JSC::CodeBlock::CodeBlock):
1594         (JSC::CodeBlock::nameForRegister):
1595         (JSC::CodeBlock::validate):
1596         (JSC::CodeBlock::isCaptured): Deleted.
1597         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
1598         (JSC::CodeBlock::machineSlowArguments): Deleted.
1599         * bytecode/CodeBlock.h:
1600         (JSC::unmodifiedArgumentsRegister): Deleted.
1601         (JSC::CodeBlock::setArgumentsRegister): Deleted.
1602         (JSC::CodeBlock::argumentsRegister): Deleted.
1603         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
1604         (JSC::CodeBlock::usesArguments): Deleted.
1605         (JSC::CodeBlock::captureCount): Deleted.
1606         (JSC::CodeBlock::captureStart): Deleted.
1607         (JSC::CodeBlock::captureEnd): Deleted.
1608         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
1609         (JSC::CodeBlock::hasSlowArguments): Deleted.
1610         (JSC::ExecState::argumentAfterCapture): Deleted.
1611         * bytecode/CodeOrigin.h:
1612         * bytecode/DataFormat.h:
1613         (JSC::dataFormatToString):
1614         * bytecode/FullBytecodeLiveness.h:
1615         (JSC::FullBytecodeLiveness::getLiveness):
1616         (JSC::FullBytecodeLiveness::operandIsLive):
1617         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
1618         (JSC::FullBytecodeLiveness::getOut): Deleted.
1619         * bytecode/Instruction.h:
1620         (JSC::Instruction::Instruction):
1621         * bytecode/Operands.h:
1622         (JSC::Operands::virtualRegisterForIndex):
1623         * bytecode/SpeculatedType.cpp:
1624         (JSC::dumpSpeculation):
1625         (JSC::speculationToAbbreviatedString):
1626         (JSC::speculationFromClassInfo):
1627         * bytecode/SpeculatedType.h:
1628         (JSC::isDirectArgumentsSpeculation):
1629         (JSC::isScopedArgumentsSpeculation):
1630         (JSC::isActionableMutableArraySpeculation):
1631         (JSC::isActionableArraySpeculation):
1632         (JSC::isArgumentsSpeculation): Deleted.
1633         * bytecode/UnlinkedCodeBlock.cpp:
1634         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1635         * bytecode/UnlinkedCodeBlock.h:
1636         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
1637         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
1638         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
1639         * bytecode/ValueRecovery.cpp:
1640         (JSC::ValueRecovery::dumpInContext):
1641         * bytecode/ValueRecovery.h:
1642         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
1643         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
1644         (JSC::ValueRecovery::nodeID):
1645         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
1646         * bytecode/VirtualRegister.h:
1647         (JSC::VirtualRegister::operator==):
1648         (JSC::VirtualRegister::operator!=):
1649         (JSC::VirtualRegister::operator<):
1650         (JSC::VirtualRegister::operator>):
1651         (JSC::VirtualRegister::operator<=):
1652         (JSC::VirtualRegister::operator>=):
1653         * bytecompiler/BytecodeGenerator.cpp:
1654         (JSC::BytecodeGenerator::generate):
1655         (JSC::BytecodeGenerator::BytecodeGenerator):
1656         (JSC::BytecodeGenerator::initializeNextParameter):
1657         (JSC::BytecodeGenerator::visibleNameForParameter):
1658         (JSC::BytecodeGenerator::emitMove):
1659         (JSC::BytecodeGenerator::variable):
1660         (JSC::BytecodeGenerator::createVariable):
1661         (JSC::BytecodeGenerator::emitResolveScope):
1662         (JSC::BytecodeGenerator::emitGetFromScope):
1663         (JSC::BytecodeGenerator::emitPutToScope):
1664         (JSC::BytecodeGenerator::initializeVariable):
1665         (JSC::BytecodeGenerator::emitInstanceOf):
1666         (JSC::BytecodeGenerator::emitNewFunction):
1667         (JSC::BytecodeGenerator::emitNewFunctionInternal):
1668         (JSC::BytecodeGenerator::emitCall):
1669         (JSC::BytecodeGenerator::emitReturn):
1670         (JSC::BytecodeGenerator::emitConstruct):
1671         (JSC::BytecodeGenerator::isArgumentNumber):
1672         (JSC::BytecodeGenerator::emitEnumeration):
1673         (JSC::BytecodeGenerator::addVar): Deleted.
1674         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
1675         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
1676         (JSC::BytecodeGenerator::resolveCallee): Deleted.
1677         (JSC::BytecodeGenerator::addCallee): Deleted.
1678         (JSC::BytecodeGenerator::addParameter): Deleted.
1679         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
1680         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
1681         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
1682         (JSC::BytecodeGenerator::isCaptured): Deleted.
1683         (JSC::BytecodeGenerator::local): Deleted.
1684         (JSC::BytecodeGenerator::constLocal): Deleted.
1685         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
1686         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
1687         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
1688         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
1689         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
1690         * bytecompiler/BytecodeGenerator.h:
1691         (JSC::Variable::Variable):
1692         (JSC::Variable::isResolved):
1693         (JSC::Variable::ident):
1694         (JSC::Variable::offset):
1695         (JSC::Variable::isLocal):
1696         (JSC::Variable::local):
1697         (JSC::Variable::isSpecial):
1698         (JSC::BytecodeGenerator::argumentsRegister):
1699         (JSC::BytecodeGenerator::emitNode):
1700         (JSC::BytecodeGenerator::registerFor):
1701         (JSC::Local::Local): Deleted.
1702         (JSC::Local::operator bool): Deleted.
1703         (JSC::Local::get): Deleted.
1704         (JSC::Local::isSpecial): Deleted.
1705         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
1706         (JSC::ResolveScopeInfo::isLocal): Deleted.
1707         (JSC::ResolveScopeInfo::localIndex): Deleted.
1708         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
1709         (JSC::BytecodeGenerator::captureMode): Deleted.
1710         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
1711         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
1712         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
1713         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
1714         * bytecompiler/NodesCodegen.cpp:
1715         (JSC::ResolveNode::isPure):
1716         (JSC::ResolveNode::emitBytecode):
1717         (JSC::BracketAccessorNode::emitBytecode):
1718         (JSC::DotAccessorNode::emitBytecode):
1719         (JSC::EvalFunctionCallNode::emitBytecode):
1720         (JSC::FunctionCallResolveNode::emitBytecode):
1721         (JSC::CallFunctionCallDotNode::emitBytecode):
1722         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1723         (JSC::PostfixNode::emitResolve):
1724         (JSC::DeleteResolveNode::emitBytecode):
1725         (JSC::TypeOfResolveNode::emitBytecode):
1726         (JSC::PrefixNode::emitResolve):
1727         (JSC::ReadModifyResolveNode::emitBytecode):
1728         (JSC::AssignResolveNode::emitBytecode):
1729         (JSC::ConstDeclNode::emitCodeSingle):
1730         (JSC::EmptyVarExpression::emitBytecode):
1731         (JSC::ForInNode::tryGetBoundLocal):
1732         (JSC::ForInNode::emitLoopHeader):
1733         (JSC::ForOfNode::emitBytecode):
1734         (JSC::ArrayPatternNode::emitDirectBinding):
1735         (JSC::BindingNode::bindValue):
1736         (JSC::getArgumentByVal): Deleted.
1737         * dfg/DFGAbstractHeap.h:
1738         * dfg/DFGAbstractInterpreter.h:
1739         * dfg/DFGAbstractInterpreterInlines.h:
1740         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1741         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
1742         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
1743         * dfg/DFGAbstractValue.h:
1744         * dfg/DFGArgumentPosition.h:
1745         (JSC::DFG::ArgumentPosition::addVariable):
1746         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
1747         (JSC::DFG::performArgumentsElimination):
1748         * dfg/DFGArgumentsEliminationPhase.h: Added.
1749         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
1750         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
1751         * dfg/DFGArgumentsUtilities.cpp: Added.
1752         (JSC::DFG::argumentsInvolveStackSlot):
1753         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1754         * dfg/DFGArgumentsUtilities.h: Added.
1755         * dfg/DFGArrayMode.cpp:
1756         (JSC::DFG::ArrayMode::refine):
1757         (JSC::DFG::ArrayMode::alreadyChecked):
1758         (JSC::DFG::arrayTypeToString):
1759         * dfg/DFGArrayMode.h:
1760         (JSC::DFG::ArrayMode::canCSEStorage):
1761         (JSC::DFG::ArrayMode::modeForPut):
1762         * dfg/DFGAvailabilityMap.cpp:
1763         (JSC::DFG::AvailabilityMap::prune):
1764         * dfg/DFGAvailabilityMap.h:
1765         (JSC::DFG::AvailabilityMap::closeOverNodes):
1766         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
1767         * dfg/DFGBackwardsPropagationPhase.cpp:
1768         (JSC::DFG::BackwardsPropagationPhase::propagate):
1769         * dfg/DFGByteCodeParser.cpp:
1770         (JSC::DFG::ByteCodeParser::newVariableAccessData):
1771         (JSC::DFG::ByteCodeParser::getLocal):
1772         (JSC::DFG::ByteCodeParser::setLocal):
1773         (JSC::DFG::ByteCodeParser::getArgument):
1774         (JSC::DFG::ByteCodeParser::setArgument):
1775         (JSC::DFG::ByteCodeParser::flushDirect):
1776         (JSC::DFG::ByteCodeParser::flush):
1777         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
1778         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1779         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1780         (JSC::DFG::ByteCodeParser::handleInlining):
1781         (JSC::DFG::ByteCodeParser::parseBlock):
1782         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1783         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1784         * dfg/DFGCPSRethreadingPhase.cpp:
1785         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1786         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1787         * dfg/DFGCSEPhase.cpp:
1788         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
1789         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
1790         * dfg/DFGCapabilities.cpp:
1791         (JSC::DFG::isSupportedForInlining):
1792         (JSC::DFG::capabilityLevel):
1793         * dfg/DFGClobberize.h:
1794         (JSC::DFG::clobberize):
1795         * dfg/DFGCommon.h:
1796         * dfg/DFGCommonData.h:
1797         (JSC::DFG::CommonData::CommonData):
1798         * dfg/DFGConstantFoldingPhase.cpp:
1799         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1800         * dfg/DFGDCEPhase.cpp:
1801         (JSC::DFG::DCEPhase::cleanVariables):
1802         * dfg/DFGDisassembler.h:
1803         * dfg/DFGDoesGC.cpp:
1804         (JSC::DFG::doesGC):
1805         * dfg/DFGFixupPhase.cpp:
1806         (JSC::DFG::FixupPhase::fixupNode):
1807         * dfg/DFGFlushFormat.cpp:
1808         (WTF::printInternal):
1809         * dfg/DFGFlushFormat.h:
1810         (JSC::DFG::resultFor):
1811         (JSC::DFG::useKindFor):
1812         (JSC::DFG::dataFormatFor):
1813         * dfg/DFGForAllKills.h: Added.
1814         (JSC::DFG::forAllLiveNodesAtTail):
1815         (JSC::DFG::forAllDirectlyKilledOperands):
1816         (JSC::DFG::forAllKilledOperands):
1817         (JSC::DFG::forAllKilledNodesAtNodeIndex):
1818         (JSC::DFG::forAllKillsInBlock):
1819         * dfg/DFGGraph.cpp:
1820         (JSC::DFG::Graph::Graph):
1821         (JSC::DFG::Graph::dump):
1822         (JSC::DFG::Graph::substituteGetLocal):
1823         (JSC::DFG::Graph::livenessFor):
1824         (JSC::DFG::Graph::killsFor):
1825         (JSC::DFG::Graph::tryGetConstantClosureVar):
1826         (JSC::DFG::Graph::tryGetRegisters): Deleted.
1827         * dfg/DFGGraph.h:
1828         (JSC::DFG::Graph::symbolTableFor):
1829         (JSC::DFG::Graph::uses):
1830         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
1831         (JSC::DFG::Graph::capturedVarsFor): Deleted.
1832         (JSC::DFG::Graph::usesArguments): Deleted.
1833         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
1834         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
1835         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
1836         * dfg/DFGHeapLocation.cpp:
1837         (WTF::printInternal):
1838         * dfg/DFGHeapLocation.h:
1839         * dfg/DFGInPlaceAbstractState.cpp:
1840         (JSC::DFG::InPlaceAbstractState::initialize):
1841         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1842         * dfg/DFGJITCompiler.cpp:
1843         (JSC::DFG::JITCompiler::link):
1844         * dfg/DFGMayExit.cpp:
1845         (JSC::DFG::mayExit):
1846         * dfg/DFGMinifiedID.h:
1847         * dfg/DFGMinifiedNode.cpp:
1848         (JSC::DFG::MinifiedNode::fromNode):
1849         * dfg/DFGMinifiedNode.h:
1850         (JSC::DFG::belongsInMinifiedGraph):
1851         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
1852         (JSC::DFG::MinifiedNode::inlineCallFrame):
1853         * dfg/DFGNode.cpp:
1854         (JSC::DFG::Node::convertToIdentityOn):
1855         * dfg/DFGNode.h:
1856         (JSC::DFG::Node::hasConstant):
1857         (JSC::DFG::Node::constant):
1858         (JSC::DFG::Node::hasScopeOffset):
1859         (JSC::DFG::Node::scopeOffset):
1860         (JSC::DFG::Node::hasDirectArgumentsOffset):
1861         (JSC::DFG::Node::capturedArgumentsOffset):
1862         (JSC::DFG::Node::variablePointer):
1863         (JSC::DFG::Node::hasCallVarargsData):
1864         (JSC::DFG::Node::hasLoadVarargsData):
1865         (JSC::DFG::Node::hasHeapPrediction):
1866         (JSC::DFG::Node::hasCellOperand):
1867         (JSC::DFG::Node::objectMaterializationData):
1868         (JSC::DFG::Node::isPhantomAllocation):
1869         (JSC::DFG::Node::willHaveCodeGenOrOSR):
1870         (JSC::DFG::Node::shouldSpeculateDirectArguments):
1871         (JSC::DFG::Node::shouldSpeculateScopedArguments):
1872         (JSC::DFG::Node::isPhantomArguments): Deleted.
1873         (JSC::DFG::Node::hasVarNumber): Deleted.
1874         (JSC::DFG::Node::varNumber): Deleted.
1875         (JSC::DFG::Node::registerPointer): Deleted.
1876         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
1877         * dfg/DFGNodeType.h:
1878         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1879         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1880         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1881         * dfg/DFGOSRExitCompiler.cpp:
1882         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
1883         * dfg/DFGOSRExitCompiler.h:
1884         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
1885         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
1886         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
1887         * dfg/DFGOSRExitCompiler32_64.cpp:
1888         (JSC::DFG::OSRExitCompiler::compileExit):
1889         * dfg/DFGOSRExitCompiler64.cpp:
1890         (JSC::DFG::OSRExitCompiler::compileExit):
1891         * dfg/DFGOSRExitCompilerCommon.cpp:
1892         (JSC::DFG::reifyInlinedCallFrames):
1893         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
1894         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
1895         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
1896         * dfg/DFGOSRExitCompilerCommon.h:
1897         * dfg/DFGOperations.cpp:
1898         * dfg/DFGOperations.h:
1899         * dfg/DFGPlan.cpp:
1900         (JSC::DFG::Plan::compileInThreadImpl):
1901         * dfg/DFGPreciseLocalClobberize.h:
1902         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
1903         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
1904         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
1905         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1906         (JSC::DFG::preciseLocalClobberize):
1907         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
1908         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
1909         * dfg/DFGPredictionPropagationPhase.cpp:
1910         (JSC::DFG::PredictionPropagationPhase::run):
1911         (JSC::DFG::PredictionPropagationPhase::propagate):
1912         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1913         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
1914         * dfg/DFGPromoteHeapAccess.h:
1915         (JSC::DFG::promoteHeapAccess):
1916         * dfg/DFGPromotedHeapLocation.cpp:
1917         (WTF::printInternal):
1918         * dfg/DFGPromotedHeapLocation.h:
1919         * dfg/DFGSSAConversionPhase.cpp:
1920         (JSC::DFG::SSAConversionPhase::run):
1921         * dfg/DFGSafeToExecute.h:
1922         (JSC::DFG::safeToExecute):
1923         * dfg/DFGSpeculativeJIT.cpp:
1924         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1925         (JSC::DFG::SpeculativeJIT::emitGetLength):
1926         (JSC::DFG::SpeculativeJIT::emitGetCallee):
1927         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
1928         (JSC::DFG::SpeculativeJIT::checkArray):
1929         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1930         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1931         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1932         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1933         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
1934         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1935         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1936         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
1937         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
1938         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1939         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1940         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
1941         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
1942         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
1943         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
1944         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
1945         * dfg/DFGSpeculativeJIT.h:
1946         (JSC::DFG::SpeculativeJIT::callOperation):
1947         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1948         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1949         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
1950         * dfg/DFGSpeculativeJIT32_64.cpp:
1951         (JSC::DFG::SpeculativeJIT::emitCall):
1952         (JSC::DFG::SpeculativeJIT::compile):
1953         * dfg/DFGSpeculativeJIT64.cpp:
1954         (JSC::DFG::SpeculativeJIT::emitCall):
1955         (JSC::DFG::SpeculativeJIT::compile):
1956         * dfg/DFGStackLayoutPhase.cpp:
1957         (JSC::DFG::StackLayoutPhase::run):
1958         * dfg/DFGStrengthReductionPhase.cpp:
1959         (JSC::DFG::StrengthReductionPhase::handleNode):
1960         * dfg/DFGStructureRegistrationPhase.cpp:
1961         (JSC::DFG::StructureRegistrationPhase::run):
1962         * dfg/DFGUnificationPhase.cpp:
1963         (JSC::DFG::UnificationPhase::run):
1964         * dfg/DFGValidate.cpp:
1965         (JSC::DFG::Validate::validateCPS):
1966         * dfg/DFGValueSource.cpp:
1967         (JSC::DFG::ValueSource::dump):
1968         * dfg/DFGValueSource.h:
1969         (JSC::DFG::dataFormatToValueSourceKind):
1970         (JSC::DFG::valueSourceKindToDataFormat):
1971         (JSC::DFG::ValueSource::ValueSource):
1972         (JSC::DFG::ValueSource::forFlushFormat):
1973         (JSC::DFG::ValueSource::valueRecovery):
1974         * dfg/DFGVarargsForwardingPhase.cpp: Added.
1975         (JSC::DFG::performVarargsForwarding):
1976         * dfg/DFGVarargsForwardingPhase.h: Added.
1977         * dfg/DFGVariableAccessData.cpp:
1978         (JSC::DFG::VariableAccessData::VariableAccessData):
1979         (JSC::DFG::VariableAccessData::flushFormat):
1980         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1981         * dfg/DFGVariableAccessData.h:
1982         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
1983         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
1984         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
1985         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
1986         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
1987         * dfg/DFGVariableAccessDataDump.cpp:
1988         (JSC::DFG::VariableAccessDataDump::dump):
1989         * dfg/DFGVariableAccessDataDump.h:
1990         * dfg/DFGVariableEventStream.cpp:
1991         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
1992         * dfg/DFGVariableEventStream.h:
1993         * ftl/FTLAbstractHeap.cpp:
1994         (JSC::FTL::AbstractHeap::dump):
1995         (JSC::FTL::AbstractField::dump):
1996         (JSC::FTL::IndexedAbstractHeap::dump):
1997         (JSC::FTL::NumberedAbstractHeap::dump):
1998         (JSC::FTL::AbsoluteAbstractHeap::dump):
1999         * ftl/FTLAbstractHeap.h:
2000         * ftl/FTLAbstractHeapRepository.cpp:
2001         * ftl/FTLAbstractHeapRepository.h:
2002         * ftl/FTLCapabilities.cpp:
2003         (JSC::FTL::canCompile):
2004         * ftl/FTLCompile.cpp:
2005         (JSC::FTL::mmAllocateDataSection):
2006         * ftl/FTLExitArgument.cpp:
2007         (JSC::FTL::ExitArgument::dump):
2008         * ftl/FTLExitPropertyValue.cpp:
2009         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
2010         * ftl/FTLExitPropertyValue.h:
2011         * ftl/FTLExitTimeObjectMaterialization.cpp:
2012         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
2013         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
2014         * ftl/FTLExitTimeObjectMaterialization.h:
2015         (JSC::FTL::ExitTimeObjectMaterialization::origin):
2016         * ftl/FTLExitValue.cpp:
2017         (JSC::FTL::ExitValue::withLocalsOffset):
2018         (JSC::FTL::ExitValue::valueFormat):
2019         (JSC::FTL::ExitValue::dumpInContext):
2020         * ftl/FTLExitValue.h:
2021         (JSC::FTL::ExitValue::isArgument):
2022         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
2023         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
2024         (JSC::FTL::ExitValue::valueFormat): Deleted.
2025         * ftl/FTLInlineCacheSize.cpp:
2026         (JSC::FTL::sizeOfCallForwardVarargs):
2027         (JSC::FTL::sizeOfConstructForwardVarargs):
2028         (JSC::FTL::sizeOfICFor):
2029         * ftl/FTLInlineCacheSize.h:
2030         * ftl/FTLIntrinsicRepository.h:
2031         * ftl/FTLJSCallVarargs.cpp:
2032         (JSC::FTL::JSCallVarargs::JSCallVarargs):
2033         (JSC::FTL::JSCallVarargs::emit):
2034         * ftl/FTLJSCallVarargs.h:
2035         * ftl/FTLLowerDFGToLLVM.cpp:
2036         (JSC::FTL::LowerDFGToLLVM::lower):
2037         (JSC::FTL::LowerDFGToLLVM::compileNode):
2038         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
2039         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
2040         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2041         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2042         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2043         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2044         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2045         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
2046         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
2047         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
2048         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
2049         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
2050         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
2051         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
2052         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
2053         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
2054         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
2055         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
2056         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
2057         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
2058         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
2059         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
2060         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
2061         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
2062         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
2063         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
2064         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
2065         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
2066         (JSC::FTL::LowerDFGToLLVM::baseIndex):
2067         (JSC::FTL::LowerDFGToLLVM::allocateObject):
2068         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
2069         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2070         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2071         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2072         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
2073         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2074         (JSC::FTL::LowerDFGToLLVM::loadStructure):
2075         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
2076         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
2077         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
2078         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
2079         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
2080         * ftl/FTLOSRExitCompiler.cpp:
2081         (JSC::FTL::compileRecovery):
2082         (JSC::FTL::compileStub):
2083         * ftl/FTLOperations.cpp:
2084         (JSC::FTL::operationMaterializeObjectInOSR):
2085         * ftl/FTLOutput.h:
2086         (JSC::FTL::Output::aShr):
2087         (JSC::FTL::Output::lShr):
2088         (JSC::FTL::Output::zeroExtPtr):
2089         * heap/CopyToken.h:
2090         * interpreter/CallFrame.h:
2091         (JSC::ExecState::getArgumentUnsafe):
2092         * interpreter/Interpreter.cpp:
2093         (JSC::sizeOfVarargs):
2094         (JSC::sizeFrameForVarargs):
2095         (JSC::loadVarargs):
2096         (JSC::unwindCallFrame):
2097         * interpreter/Interpreter.h:
2098         * interpreter/StackVisitor.cpp:
2099         (JSC::StackVisitor::Frame::createArguments):
2100         (JSC::StackVisitor::Frame::existingArguments): Deleted.
2101         * interpreter/StackVisitor.h:
2102         * jit/AssemblyHelpers.h:
2103         (JSC::AssemblyHelpers::storeValue):
2104         (JSC::AssemblyHelpers::loadValue):
2105         (JSC::AssemblyHelpers::storeTrustedValue):
2106         (JSC::AssemblyHelpers::branchIfNotCell):
2107         (JSC::AssemblyHelpers::branchIsEmpty):
2108         (JSC::AssemblyHelpers::argumentsStart):
2109         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
2110         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
2111         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
2112         * jit/CCallHelpers.h:
2113         (JSC::CCallHelpers::setupArgument):
2114         * jit/GPRInfo.h:
2115         (JSC::JSValueRegs::withTwoAvailableRegs):
2116         * jit/JIT.cpp:
2117         (JSC::JIT::privateCompileMainPass):
2118         (JSC::JIT::privateCompileSlowCases):
2119         * jit/JIT.h:
2120         * jit/JITCall.cpp:
2121         (JSC::JIT::compileSetupVarargsFrame):
2122         * jit/JITCall32_64.cpp:
2123         (JSC::JIT::compileSetupVarargsFrame):
2124         * jit/JITInlines.h:
2125         (JSC::JIT::callOperation):
2126         * jit/JITOpcodes.cpp:
2127         (JSC::JIT::emit_op_create_lexical_environment):
2128         (JSC::JIT::emit_op_new_func):
2129         (JSC::JIT::emit_op_create_direct_arguments):
2130         (JSC::JIT::emit_op_create_scoped_arguments):
2131         (JSC::JIT::emit_op_create_out_of_band_arguments):
2132         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
2133         (JSC::JIT::emit_op_create_arguments): Deleted.
2134         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
2135         (JSC::JIT::emit_op_get_arguments_length): Deleted.
2136         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
2137         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
2138         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
2139         * jit/JITOpcodes32_64.cpp:
2140         (JSC::JIT::emit_op_create_lexical_environment):
2141         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
2142         (JSC::JIT::emit_op_create_arguments): Deleted.
2143         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
2144         (JSC::JIT::emit_op_get_arguments_length): Deleted.
2145         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
2146         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
2147         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
2148         * jit/JITOperations.cpp:
2149         * jit/JITOperations.h:
2150         * jit/JITPropertyAccess.cpp:
2151         (JSC::JIT::emitGetClosureVar):
2152         (JSC::JIT::emitPutClosureVar):
2153         (JSC::JIT::emit_op_get_from_arguments):
2154         (JSC::JIT::emit_op_put_to_arguments):
2155         (JSC::JIT::emit_op_init_global_const):
2156         (JSC::JIT::privateCompileGetByVal):
2157         (JSC::JIT::emitDirectArgumentsGetByVal):
2158         (JSC::JIT::emitScopedArgumentsGetByVal):
2159         * jit/JITPropertyAccess32_64.cpp:
2160         (JSC::JIT::emitGetClosureVar):
2161         (JSC::JIT::emitPutClosureVar):
2162         (JSC::JIT::emit_op_get_from_arguments):
2163         (JSC::JIT::emit_op_put_to_arguments):
2164         (JSC::JIT::emit_op_init_global_const):
2165         * jit/SetupVarargsFrame.cpp:
2166         (JSC::emitSetupVarargsFrameFastCase):
2167         * llint/LLIntOffsetsExtractor.cpp:
2168         * llint/LLIntSlowPaths.cpp:
2169         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2170         * llint/LowLevelInterpreter.asm:
2171         * llint/LowLevelInterpreter32_64.asm:
2172         * llint/LowLevelInterpreter64.asm:
2173         * parser/Nodes.h:
2174         (JSC::ScopeNode::captures):
2175         * runtime/Arguments.cpp: Removed.
2176         * runtime/Arguments.h: Removed.
2177         * runtime/ArgumentsMode.h: Added.
2178         * runtime/DirectArgumentsOffset.cpp: Added.
2179         (JSC::DirectArgumentsOffset::dump):
2180         * runtime/DirectArgumentsOffset.h: Added.
2181         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
2182         * runtime/CommonSlowPaths.cpp:
2183         (JSC::SLOW_PATH_DECL):
2184         * runtime/CommonSlowPaths.h:
2185         * runtime/ConstantMode.cpp: Added.
2186         (WTF::printInternal):
2187         * runtime/ConstantMode.h:
2188         (JSC::modeForIsConstant):
2189         * runtime/DirectArguments.cpp: Added.
2190         (JSC::DirectArguments::DirectArguments):
2191         (JSC::DirectArguments::createUninitialized):
2192         (JSC::DirectArguments::create):
2193         (JSC::DirectArguments::createByCopying):
2194         (JSC::DirectArguments::visitChildren):
2195         (JSC::DirectArguments::copyBackingStore):
2196         (JSC::DirectArguments::createStructure):
2197         (JSC::DirectArguments::overrideThings):
2198         (JSC::DirectArguments::overrideThingsIfNecessary):
2199         (JSC::DirectArguments::overrideArgument):
2200         (JSC::DirectArguments::copyToArguments):
2201         (JSC::DirectArguments::overridesSize):
2202         * runtime/DirectArguments.h: Added.
2203         (JSC::DirectArguments::internalLength):
2204         (JSC::DirectArguments::length):
2205         (JSC::DirectArguments::canAccessIndexQuickly):
2206         (JSC::DirectArguments::getIndexQuickly):
2207         (JSC::DirectArguments::setIndexQuickly):
2208         (JSC::DirectArguments::callee):
2209         (JSC::DirectArguments::argument):
2210         (JSC::DirectArguments::overrodeThings):
2211         (JSC::DirectArguments::offsetOfCallee):
2212         (JSC::DirectArguments::offsetOfLength):
2213         (JSC::DirectArguments::offsetOfMinCapacity):
2214         (JSC::DirectArguments::offsetOfOverrides):
2215         (JSC::DirectArguments::storageOffset):
2216         (JSC::DirectArguments::offsetOfSlot):
2217         (JSC::DirectArguments::allocationSize):
2218         (JSC::DirectArguments::storage):
2219         * runtime/FunctionPrototype.cpp:
2220         * runtime/GenericArguments.h: Added.
2221         (JSC::GenericArguments::GenericArguments):
2222         * runtime/GenericArgumentsInlines.h: Added.
2223         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2224         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2225         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2226         (JSC::GenericArguments<Type>::put):
2227         (JSC::GenericArguments<Type>::putByIndex):
2228         (JSC::GenericArguments<Type>::deleteProperty):
2229         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2230         (JSC::GenericArguments<Type>::defineOwnProperty):
2231         (JSC::GenericArguments<Type>::copyToArguments):
2232         * runtime/GenericOffset.h: Added.
2233         (JSC::GenericOffset::GenericOffset):
2234         (JSC::GenericOffset::operator!):
2235         (JSC::GenericOffset::offsetUnchecked):
2236         (JSC::GenericOffset::offset):
2237         (JSC::GenericOffset::operator==):
2238         (JSC::GenericOffset::operator!=):
2239         (JSC::GenericOffset::operator<):
2240         (JSC::GenericOffset::operator>):
2241         (JSC::GenericOffset::operator<=):
2242         (JSC::GenericOffset::operator>=):
2243         (JSC::GenericOffset::operator+):
2244         (JSC::GenericOffset::operator-):
2245         (JSC::GenericOffset::operator+=):
2246         (JSC::GenericOffset::operator-=):
2247         * runtime/JSArgumentsIterator.cpp:
2248         (JSC::JSArgumentsIterator::finishCreation):
2249         (JSC::argumentsFuncIterator):
2250         * runtime/JSArgumentsIterator.h:
2251         (JSC::JSArgumentsIterator::create):
2252         (JSC::JSArgumentsIterator::next):
2253         * runtime/JSEnvironmentRecord.cpp:
2254         (JSC::JSEnvironmentRecord::visitChildren):
2255         * runtime/JSEnvironmentRecord.h:
2256         (JSC::JSEnvironmentRecord::variables):
2257         (JSC::JSEnvironmentRecord::isValid):
2258         (JSC::JSEnvironmentRecord::variableAt):
2259         (JSC::JSEnvironmentRecord::offsetOfVariables):
2260         (JSC::JSEnvironmentRecord::offsetOfVariable):
2261         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
2262         (JSC::JSEnvironmentRecord::allocationSize):
2263         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
2264         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
2265         (JSC::JSEnvironmentRecord::finishCreation):
2266         (JSC::JSEnvironmentRecord::registers): Deleted.
2267         (JSC::JSEnvironmentRecord::registerAt): Deleted.
2268         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
2269         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
2270         * runtime/JSFunction.cpp:
2271         * runtime/JSGlobalObject.cpp:
2272         (JSC::JSGlobalObject::init):
2273         (JSC::JSGlobalObject::addGlobalVar):
2274         (JSC::JSGlobalObject::addFunction):
2275         (JSC::JSGlobalObject::visitChildren):
2276         (JSC::JSGlobalObject::addStaticGlobals):
2277         * runtime/JSGlobalObject.h:
2278         (JSC::JSGlobalObject::directArgumentsStructure):
2279         (JSC::JSGlobalObject::scopedArgumentsStructure):
2280         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
2281         (JSC::JSGlobalObject::argumentsStructure): Deleted.
2282         * runtime/JSLexicalEnvironment.cpp:
2283         (JSC::JSLexicalEnvironment::symbolTableGet):
2284         (JSC::JSLexicalEnvironment::symbolTablePut):
2285         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2286         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2287         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
2288         * runtime/JSLexicalEnvironment.h:
2289         (JSC::JSLexicalEnvironment::create):
2290         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2291         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
2292         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
2293         (JSC::JSLexicalEnvironment::storage): Deleted.
2294         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
2295         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
2296         (JSC::JSLexicalEnvironment::isValid): Deleted.
2297         (JSC::JSLexicalEnvironment::registerAt): Deleted.
2298         * runtime/JSNameScope.cpp:
2299         (JSC::JSNameScope::visitChildren): Deleted.
2300         * runtime/JSNameScope.h:
2301         (JSC::JSNameScope::create):
2302         (JSC::JSNameScope::value):
2303         (JSC::JSNameScope::finishCreation):
2304         (JSC::JSNameScope::JSNameScope):
2305         * runtime/JSScope.cpp:
2306         (JSC::abstractAccess):
2307         * runtime/JSSegmentedVariableObject.cpp:
2308         (JSC::JSSegmentedVariableObject::findVariableIndex):
2309         (JSC::JSSegmentedVariableObject::addVariables):
2310         (JSC::JSSegmentedVariableObject::visitChildren):
2311         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
2312         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
2313         * runtime/JSSegmentedVariableObject.h:
2314         (JSC::JSSegmentedVariableObject::variableAt):
2315         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
2316         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
2317         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
2318         * runtime/JSSymbolTableObject.h:
2319         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
2320         (JSC::symbolTableGet):
2321         (JSC::symbolTablePut):
2322         (JSC::symbolTablePutWithAttributes):
2323         * runtime/JSType.h:
2324         * runtime/Options.h:
2325         * runtime/ClonedArguments.cpp: Added.
2326         (JSC::ClonedArguments::ClonedArguments):
2327         (JSC::ClonedArguments::createEmpty):
2328         (JSC::ClonedArguments::createWithInlineFrame):
2329         (JSC::ClonedArguments::createWithMachineFrame):
2330         (JSC::ClonedArguments::createByCopyingFrom):
2331         (JSC::ClonedArguments::createStructure):
2332         (JSC::ClonedArguments::getOwnPropertySlot):
2333         (JSC::ClonedArguments::getOwnPropertyNames):
2334         (JSC::ClonedArguments::put):
2335         (JSC::ClonedArguments::deleteProperty):
2336         (JSC::ClonedArguments::defineOwnProperty):
2337         (JSC::ClonedArguments::materializeSpecials):
2338         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
2339         * runtime/ClonedArguments.h: Added.
2340         (JSC::ClonedArguments::specialsMaterialized):
2341         * runtime/ScopeOffset.cpp: Added.
2342         (JSC::ScopeOffset::dump):
2343         * runtime/ScopeOffset.h: Added.
2344         (JSC::ScopeOffset::ScopeOffset):
2345         * runtime/ScopedArguments.cpp: Added.
2346         (JSC::ScopedArguments::ScopedArguments):
2347         (JSC::ScopedArguments::finishCreation):
2348         (JSC::ScopedArguments::createUninitialized):
2349         (JSC::ScopedArguments::create):
2350         (JSC::ScopedArguments::createByCopying):
2351         (JSC::ScopedArguments::createByCopyingFrom):
2352         (JSC::ScopedArguments::visitChildren):
2353         (JSC::ScopedArguments::createStructure):
2354         (JSC::ScopedArguments::overrideThings):
2355         (JSC::ScopedArguments::overrideThingsIfNecessary):
2356         (JSC::ScopedArguments::overrideArgument):
2357         (JSC::ScopedArguments::copyToArguments):
2358         * runtime/ScopedArguments.h: Added.
2359         (JSC::ScopedArguments::internalLength):
2360         (JSC::ScopedArguments::length):
2361         (JSC::ScopedArguments::canAccessIndexQuickly):
2362         (JSC::ScopedArguments::getIndexQuickly):
2363         (JSC::ScopedArguments::setIndexQuickly):
2364         (JSC::ScopedArguments::callee):
2365         (JSC::ScopedArguments::overrodeThings):
2366         (JSC::ScopedArguments::offsetOfOverrodeThings):
2367         (JSC::ScopedArguments::offsetOfTotalLength):
2368         (JSC::ScopedArguments::offsetOfTable):
2369         (JSC::ScopedArguments::offsetOfScope):
2370         (JSC::ScopedArguments::overflowStorageOffset):
2371         (JSC::ScopedArguments::allocationSize):
2372         (JSC::ScopedArguments::overflowStorage):
2373         * runtime/ScopedArgumentsTable.cpp: Added.
2374         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
2375         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
2376         (JSC::ScopedArgumentsTable::destroy):
2377         (JSC::ScopedArgumentsTable::create):
2378         (JSC::ScopedArgumentsTable::clone):
2379         (JSC::ScopedArgumentsTable::setLength):
2380         (JSC::ScopedArgumentsTable::set):
2381         (JSC::ScopedArgumentsTable::createStructure):
2382         * runtime/ScopedArgumentsTable.h: Added.
2383         (JSC::ScopedArgumentsTable::length):
2384         (JSC::ScopedArgumentsTable::get):
2385         (JSC::ScopedArgumentsTable::lock):
2386         (JSC::ScopedArgumentsTable::offsetOfLength):
2387         (JSC::ScopedArgumentsTable::offsetOfArguments):
2388         (JSC::ScopedArgumentsTable::at):
2389         * runtime/SymbolTable.cpp:
2390         (JSC::SymbolTableEntry::prepareToWatch):
2391         (JSC::SymbolTable::SymbolTable):
2392         (JSC::SymbolTable::visitChildren):
2393         (JSC::SymbolTable::localToEntry):
2394         (JSC::SymbolTable::entryFor):
2395         (JSC::SymbolTable::cloneScopePart):
2396         (JSC::SymbolTable::prepareForTypeProfiling):
2397         (JSC::SymbolTable::uniqueIDForOffset):
2398         (JSC::SymbolTable::globalTypeSetForOffset):
2399         (JSC::SymbolTable::cloneCapturedNames): Deleted.
2400         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
2401         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
2402         * runtime/SymbolTable.h:
2403         (JSC::SymbolTableEntry::varOffsetFromBits):
2404         (JSC::SymbolTableEntry::scopeOffsetFromBits):
2405         (JSC::SymbolTableEntry::Fast::varOffset):
2406         (JSC::SymbolTableEntry::Fast::scopeOffset):
2407         (JSC::SymbolTableEntry::Fast::isDontEnum):
2408         (JSC::SymbolTableEntry::Fast::getAttributes):
2409         (JSC::SymbolTableEntry::SymbolTableEntry):
2410         (JSC::SymbolTableEntry::varOffset):
2411         (JSC::SymbolTableEntry::isWatchable):
2412         (JSC::SymbolTableEntry::scopeOffset):
2413         (JSC::SymbolTableEntry::setAttributes):
2414         (JSC::SymbolTableEntry::constantMode):
2415         (JSC::SymbolTableEntry::isDontEnum):
2416         (JSC::SymbolTableEntry::disableWatching):
2417         (JSC::SymbolTableEntry::pack):
2418         (JSC::SymbolTableEntry::isValidVarOffset):
2419         (JSC::SymbolTable::createNameScopeTable):
2420         (JSC::SymbolTable::maxScopeOffset):
2421         (JSC::SymbolTable::didUseScopeOffset):
2422         (JSC::SymbolTable::didUseVarOffset):
2423         (JSC::SymbolTable::scopeSize):
2424         (JSC::SymbolTable::nextScopeOffset):
2425         (JSC::SymbolTable::takeNextScopeOffset):
2426         (JSC::SymbolTable::add):
2427         (JSC::SymbolTable::set):
2428         (JSC::SymbolTable::argumentsLength):
2429         (JSC::SymbolTable::setArgumentsLength):
2430         (JSC::SymbolTable::argumentOffset):
2431         (JSC::SymbolTable::setArgumentOffset):
2432         (JSC::SymbolTable::arguments):
2433         (JSC::SlowArgument::SlowArgument): Deleted.
2434         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
2435         (JSC::SymbolTableEntry::getIndex): Deleted.
2436         (JSC::SymbolTableEntry::isValidIndex): Deleted.
2437         (JSC::SymbolTable::captureStart): Deleted.
2438         (JSC::SymbolTable::setCaptureStart): Deleted.
2439         (JSC::SymbolTable::captureEnd): Deleted.
2440         (JSC::SymbolTable::setCaptureEnd): Deleted.
2441         (JSC::SymbolTable::captureCount): Deleted.
2442         (JSC::SymbolTable::isCaptured): Deleted.
2443         (JSC::SymbolTable::parameterCount): Deleted.
2444         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
2445         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
2446         (JSC::SymbolTable::slowArguments): Deleted.
2447         (JSC::SymbolTable::setSlowArguments): Deleted.
2448         * runtime/VM.cpp:
2449         (JSC::VM::VM):
2450         * runtime/VM.h:
2451         * runtime/VarOffset.cpp: Added.
2452         (JSC::VarOffset::dump):
2453         (WTF::printInternal):
2454         * runtime/VarOffset.h: Added.
2455         (JSC::VarOffset::VarOffset):
2456         (JSC::VarOffset::assemble):
2457         (JSC::VarOffset::isValid):
2458         (JSC::VarOffset::operator!):
2459         (JSC::VarOffset::kind):
2460         (JSC::VarOffset::isStack):
2461         (JSC::VarOffset::isScope):
2462         (JSC::VarOffset::isDirectArgument):
2463         (JSC::VarOffset::stackOffsetUnchecked):
2464         (JSC::VarOffset::scopeOffsetUnchecked):
2465         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
2466         (JSC::VarOffset::stackOffset):
2467         (JSC::VarOffset::scopeOffset):
2468         (JSC::VarOffset::capturedArgumentsOffset):
2469         (JSC::VarOffset::rawOffset):
2470         (JSC::VarOffset::checkSanity):
2471         (JSC::VarOffset::operator==):
2472         (JSC::VarOffset::operator!=):
2473         (JSC::VarOffset::hash):
2474         (JSC::VarOffset::isHashTableDeletedValue):
2475         (JSC::VarOffsetHash::hash):
2476         (JSC::VarOffsetHash::equal):
2477         * tests/stress/arguments-exit-strict-mode.js: Added.
2478         * tests/stress/arguments-exit.js: Added.
2479         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
2480         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
2481         * tests/stress/arguments-inlined-exit.js: Added.
2482         * tests/stress/arguments-interference.js: Added.
2483         * tests/stress/arguments-interference-cfg.js: Added.
2484         * tests/stress/dead-get-closure-var.js: Added.
2485         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
2486         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
2487         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
2488         * tests/stress/varargs-closure-inlined-exit.js: Added.
2489         * tests/stress/varargs-exit.js: Added.
2490         * tests/stress/varargs-inlined-exit.js: Added.
2491         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
2492         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
2493         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
2494         * tests/stress/varargs-inlined-simple-exit.js: Added.
2495         * tests/stress/varargs-too-few-arguments.js: Added.
2496         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
2497         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
2498         * tests/stress/varargs-varargs-inlined-exit.js: Added.
2499
2500 2015-03-25  Andy Estes  <aestes@apple.com>
2501
2502         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
2503         https://bugs.webkit.org/show_bug.cgi?id=143068
2504
2505         Reviewed by Dan Bernstein.
2506
2507         * inspector/remote/RemoteInspectorXPCConnection.mm:
2508         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
2509
2510 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2511
2512         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
2513         https://bugs.webkit.org/show_bug.cgi?id=142993
2514
2515         Reviewed by Geoffrey Garen and Mark Lam.
2516         
2517         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
2518         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
2519         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
2520         failure, but also involves adding the same kind of thing to the stub generators in
2521         Repatch.
2522         
2523         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
2524         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
2525         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
2526         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
2527         printout.
2528         
2529         Also add a way of inducing executable allocation failure, so that we can test this.
2530
2531         * CMakeLists.txt:
2532         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2533         * JavaScriptCore.xcodeproj/project.pbxproj:
2534         * dfg/DFGJITCompiler.cpp:
2535         (JSC::DFG::JITCompiler::compile):
2536         (JSC::DFG::JITCompiler::compileFunction):
2537         (JSC::DFG::JITCompiler::link): Deleted.
2538         (JSC::DFG::JITCompiler::linkFunction): Deleted.
2539         * dfg/DFGJITCompiler.h:
2540         * dfg/DFGPlan.cpp:
2541         (JSC::DFG::Plan::compileInThreadImpl):
2542         * ftl/FTLCompile.cpp:
2543         (JSC::FTL::mmAllocateCodeSection):
2544         (JSC::FTL::mmAllocateDataSection):
2545         * ftl/FTLLink.cpp:
2546         (JSC::FTL::link):
2547         * ftl/FTLState.h:
2548         * jit/ArityCheckFailReturnThunks.cpp:
2549         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
2550         * jit/ExecutableAllocationFuzz.cpp: Added.
2551         (JSC::numberOfExecutableAllocationFuzzChecks):
2552         (JSC::doExecutableAllocationFuzzing):
2553         * jit/ExecutableAllocationFuzz.h: Added.
2554         (JSC::doExecutableAllocationFuzzingIfEnabled):
2555         * jit/ExecutableAllocatorFixedVMPool.cpp:
2556         (JSC::ExecutableAllocator::allocate):
2557         * jit/JIT.cpp:
2558         (JSC::JIT::privateCompile):
2559         * jit/JITCompilationEffort.h:
2560         * jit/Repatch.cpp:
2561         (JSC::generateByIdStub):
2562         (JSC::tryCacheGetByID):
2563         (JSC::tryBuildGetByIDList):
2564         (JSC::emitPutReplaceStub):
2565         (JSC::emitPutTransitionStubAndGetOldStructure):
2566         (JSC::tryCachePutByID):
2567         (JSC::tryBuildPutByIdList):
2568         (JSC::tryRepatchIn):
2569         (JSC::linkPolymorphicCall):
2570         * jsc.cpp:
2571         (jscmain):
2572         * runtime/Options.h:
2573         * runtime/TestRunnerUtils.h:
2574         * runtime/VM.cpp:
2575         * tests/executableAllocationFuzz: Added.
2576         * tests/executableAllocationFuzz.yaml: Added.
2577         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
2578
2579 2015-03-25  Mark Lam  <mark.lam@apple.com>
2580
2581         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
2582         <https://webkit.org/b/135719>
2583
2584         Reviewed by Geoffrey Garen.
2585
2586         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
2587         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
2588         update the LLINT to access it as such.
2589
2590         The issue has only manifested so far on the CLoop tests because those are LLINT
2591         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
2592         hiding the bug in the LLINT.
2593
2594         * API/JSContextRef.cpp:
2595         (createWatchdogIfNeeded):
2596         (JSContextGroupSetExecutionTimeLimit):
2597         (JSContextGroupClearExecutionTimeLimit):
2598         * llint/LowLevelInterpreter.asm:
2599
2600 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2601
2602         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
2603
2604         Rubber stamped by Geoffrey Garen.
2605
2606         * bytecode/CodeBlock.cpp:
2607         (JSC::CodeBlock::visitAggregate):
2608
2609 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2610
2611         Fix formatting in BuiltinExecutables
2612         https://bugs.webkit.org/show_bug.cgi?id=143061
2613
2614         Reviewed by Ryosuke Niwa.
2615
2616         * builtins/BuiltinExecutables.cpp:
2617         (JSC::BuiltinExecutables::createExecutableInternal):
2618
2619 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2620
2621         ES6: Classes: Program level class statement throws exception in strict mode
2622         https://bugs.webkit.org/show_bug.cgi?id=143038
2623
2624         Reviewed by Ryosuke Niwa.
2625
2626         Classes expose a name to the current lexical environment. This treats
2627         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
2628         Also, improve error messages for class statements where the class is missing a name.
2629
2630         * parser/Parser.h:
2631         * parser/Parser.cpp:
2632         (JSC::Parser<LexerType>::parseClass):
2633         Fill name in info parameter if needed. Better error message if name is needed and missing.
2634
2635         (JSC::Parser<LexerType>::parseClassDeclaration):
2636         Pass info parameter to get name, and expose the name as a variable name.
2637
2638         (JSC::Parser<LexerType>::parsePrimaryExpression):
2639         Pass info parameter that is ignored.
2640
2641         * parser/ParserFunctionInfo.h:
2642         Add a parser info for class, to extract the name.
2643
2644 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2645
2646         New map and set modification tests in r181922 fail
2647         https://bugs.webkit.org/show_bug.cgi?id=143031
2648
2649         Reviewed and tweaked by Geoffrey Garen.
2650
2651         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
2652         to adjust for the packed backing store.
2653
2654         Consider the following map data.
2655
2656         x: deleted, o: exists
2657         0 1 2 3 4
2658         x x x x o
2659
2660         And iterator with m_index 3.
2661
2662         When packing the map data, map data will become,
2663
2664         0
2665         o
2666
2667         At that time, we perform didRemoveEntry 4 times on iterators.
2668         times => m_index/index/result
2669         1 => 3/0/dec
2670         2 => 2/1/dec
2671         3 => 1/2/nothing
2672         4 => 1/3/nothing
2673
2674         After iteration, the iterator's m_index becomes 1. But we expected it to become 0.
2675         This is because we use the decremented m_index for comparison: the provided deletedIndex
2676         is an index into the old storage, while m_index is an index into the partially packed storage.
2677
2678         In this patch, we compare against the packed index instead.
2679         times => m_index/packedIndex/result
2680         1 => 3/0/dec
2681         2 => 2/0/dec
2682         3 => 1/0/dec
2683         4 => 0/0/nothing
2684
2685         So m_index becomes 0 as expected.
2686
2687         And according to the spec, once the iterator is closed (becomes done: true),
2688         its internal [[Map]]/[[Set]] is set to undefined.
2689         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
2690
2691         In this patch, we change 2 things.
2692         1. Compare an iterator's index against the packed index when removing an entry.
2693         2. If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
2697
2698         * runtime/MapData.h:
2699         (JSC::MapDataImpl::IteratorData::finish):
2700         (JSC::MapDataImpl::IteratorData::isFinished):
2701         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
2702         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
2703         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
2704         * runtime/MapDataInlines.h:
2705         (JSC::JSIterator>::replaceAndPackBackingStore):
2706         * tests/stress/modify-map-during-iteration.js:
2707         * tests/stress/modify-set-during-iteration.js:
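
The packing trace above, replayed in an added C++ model (this is not JSC's MapData code; IteratorModel, MapModel and useFixedComparison are hypothetical names). The switch selects between the old comparison against deletedIndex and the patch's comparison against the packed index, and a closed iterator is left untouched.

```cpp
#include <cassert>
#include <cstdio>
#include <vector>

// Added example, not JSC's own code: a small model of MapData packing and the
// iterator adjustment discussed in the ChangeLog entry above. IteratorModel,
// MapModel and useFixedComparison are hypothetical names.

struct IteratorModel {
    int m_index = 0;        // position in the backing store
    bool m_finished = false;

    bool isFinished() const { return m_finished; }
    void finish() { m_finished = true; } // iterator has reported done: true

    // Called once for every deleted entry dropped during packing.
    // deletedIndex: the entry's index in the old storage.
    // packedIndex: how many live entries have already been copied, i.e. the
    //              slot the packing cursor is at in the new storage.
    void didRemoveEntry(int deletedIndex, int packedIndex, bool useFixedComparison)
    {
        if (isFinished())
            return; // closed iterators are never revived or adjusted
        // The old code compared the (already decremented) m_index against an
        // index into the old storage; the fix compares against packedIndex.
        int threshold = useFixedComparison ? packedIndex : deletedIndex;
        if (m_index > threshold)
            --m_index;
    }
};

struct MapModel {
    std::vector<bool> live;                // true: entry exists, false: deleted
    std::vector<IteratorModel*> iterators; // live iterators tracked by the map

    // Drop deleted entries, notifying every iterator for each one removed.
    void pack(bool useFixedComparison)
    {
        std::vector<bool> packed;
        for (int i = 0; i < (int)live.size(); ++i) {
            if (live[i]) {
                packed.push_back(true);
                continue;
            }
            for (IteratorModel* it : iterators)
                it->didRemoveEntry(i, (int)packed.size(), useFixedComparison);
        }
        live = packed;
    }
};

// Replays the ChangeLog's trace: entries 0..3 deleted, entry 4 live, iterator
// at m_index 3. Returns the iterator's m_index after packing.
int replayChangeLogTrace(bool useFixedComparison)
{
    MapModel map;
    map.live = { false, false, false, false, true };
    IteratorModel it;
    it.m_index = 3;
    map.iterators.push_back(&it);
    map.pack(useFixedComparison);
    return it.m_index;
}

// General check with the fixed comparison: an iterator pointing at live entry
// `target` in the old storage should end up at that entry's new slot, which is
// the number of live entries before it.
int packedPositionOf(const std::vector<bool>& live, int target)
{
    MapModel map;
    map.live = live;
    IteratorModel it;
    it.m_index = target;
    map.iterators.push_back(&it);
    map.pack(true);
    return it.m_index;
}

// A finished iterator must keep its index untouched (it is not revived).
int finishedIteratorIndexAfterPack()
{
    MapModel map;
    map.live = { false, false, true };
    IteratorModel it;
    it.m_index = 2;
    it.finish();
    map.iterators.push_back(&it);
    map.pack(true);
    return it.m_index;
}

int main()
{
    std::printf("old comparison:   m_index = %d (expected 0)\n", replayChangeLogTrace(false));
    std::printf("fixed comparison: m_index = %d\n", replayChangeLogTrace(true));
    return 0;
}
```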
2708
2709 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2710
2711         Setter should have a single formal parameter, Getter no parameters
2712         https://bugs.webkit.org/show_bug.cgi?id=142903
2713
2714         Reviewed by Geoffrey Garen.
2715
2716         * parser/Parser.cpp:
2717         (JSC::Parser<LexerType>::parseFunctionInfo):
2718         Enforce no parameters for getters and a single parameter
2719         for setters, with informational error messages.
2720
2721 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2722
2723         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
2724         https://bugs.webkit.org/show_bug.cgi?id=143012
2725
2726         Reviewed by Ryosuke Niwa.
2727
2728         * bytecompiler/BytecodeGenerator.cpp:
2729         (JSC::BytecodeGenerator::emitReturn):
2730         Fix handling of "undefined" when returned from a Derived class. It was
2731         returning "undefined" when it should have returned "this".
2732
2733 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2734
2735         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
2736         https://bugs.webkit.org/show_bug.cgi?id=142696
2737
2738         Reviewed and tweaked by Geoffrey Garen.
2739
2740         Before r142556, JSSetIterator::destroy was not defined.
2741         So, accidentally, MapData::const_iterator in JSSet was never destroyed.
2742         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
2743
2744         After r142556, JSSetIterator::destroy works.
2745         It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
2746         But JSSetIterator::~JSSetIterator requires the owned JSSet since it mutates MapData->m_iteratorCount.
2747
2748         It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
2749         and marks it in visitChildren (WriteBarrier<Unknown>).
2750         However, the order of destructions is not guaranteed in a GC-ed system.
2751
2752         Consider the following case:
2753         allocate JSSet and subsequently allocate JSSetIterator.
2754         And they reside in separate MarkedBlocks, <1> and <2>.
2755
2756         JSSet<1> <- JSSetIterator<2>
2757
2758         And after that, when performing GC, the Marker decides that the above 2 objects are not marked.
2759         And the Marker also decides MarkedBlocks <1> and <2> can be swept.
2760
2761         First, the Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
2762         Second, the Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
2763         However, JSSetIterator<2>'s destructor,
2764         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free.
2765
2766         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
2767         When packing the removed elements in JSSet/JSMap, we apply the change to all live
2768         iterators tracked by WeakGCMap.
2769
2770         WeakGCMap can only track JSCell since they are managed by GC.
2771         So we drop JSSet/JSMap C++ style iterators. Instead of C++ style iterator, this patch
2772         introduces JS style iterator signatures into C++ class IteratorData.
2773         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
2774         IteratorData directly.
2775
2776         * runtime/JSMap.cpp:
2777         (JSC::JSMap::destroy):
2778         * runtime/JSMap.h:
2779         (JSC::JSMap::JSMap):
2780         (JSC::JSMap::begin): Deleted.
2781         (JSC::JSMap::end): Deleted.
2782         * runtime/JSMapIterator.cpp:
2783         (JSC::JSMapIterator::destroy):
2784         * runtime/JSMapIterator.h:
2785         (JSC::JSMapIterator::next):
2786         (JSC::JSMapIterator::nextKeyValue):
2787         (JSC::JSMapIterator::iteratorData):
2788         (JSC::JSMapIterator::JSMapIterator):
2789         * runtime/JSSet.cpp:
2790         (JSC::JSSet::destroy):
2791         * runtime/JSSet.h:
2792         (JSC::JSSet::JSSet):
2793         (JSC::JSSet::begin): Deleted.
2794         (JSC::JSSet::end): Deleted.
2795         * runtime/JSSetIterator.cpp:
2796         (JSC::JSSetIterator::destroy):
2797         * runtime/JSSetIterator.h:
2798         (JSC::JSSetIterator::next):
2799         (JSC::JSSetIterator::iteratorData):
2800         (JSC::JSSetIterator::JSSetIterator):
2801         * runtime/MapData.h:
2802         (JSC::MapDataImpl::IteratorData::finish):
2803         (JSC::MapDataImpl::IteratorData::isFinished):
2804         (JSC::MapDataImpl::shouldPack):
2805         (JSC::JSIterator>::MapDataImpl):
2806         (JSC::JSIterator>::KeyType::KeyType):
2807         (JSC::JSIterator>::IteratorData::IteratorData):
2808         (JSC::JSIterator>::IteratorData::next):
2809         (JSC::JSIterator>::IteratorData::ensureSlot):
2810         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
2811         (JSC::JSIterator>::IteratorData::refreshCursor):
2812         (JSC::MapDataImpl::const_iterator::key): Deleted.
2813         (JSC::MapDataImpl::const_iterator::value): Deleted.
2814         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
2815         (JSC::MapDataImpl::const_iterator::finish): Deleted.
2816         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
2817         (JSC::MapDataImpl::begin): Deleted.
2818         (JSC::MapDataImpl::end): Deleted.
2819         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
2820         (JSC::MapDataImpl<Entry>::clear): Deleted.
2821         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
2822         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
2823         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
2824         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
2825         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
2826         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
2827         (JSC::=): Deleted.
2828         * runtime/MapDataInlines.h:
2829         (JSC::JSIterator>::clear):
2830         (JSC::JSIterator>::find):
2831         (JSC::JSIterator>::contains):
2832         (JSC::JSIterator>::add):
2833         (JSC::JSIterator>::set):
2834         (JSC::JSIterator>::get):
2835         (JSC::JSIterator>::remove):
2836         (JSC::JSIterator>::replaceAndPackBackingStore):
2837         (JSC::JSIterator>::replaceBackingStore):
2838         (JSC::JSIterator>::ensureSpaceForAppend):
2839         (JSC::JSIterator>::visitChildren):
2840         (JSC::JSIterator>::copyBackingStore):
2841         (JSC::JSIterator>::applyMapDataPatch):
2842         (JSC::MapDataImpl<Entry>::find): Deleted.
2843         (JSC::MapDataImpl<Entry>::contains): Deleted.
2844         (JSC::MapDataImpl<Entry>::add): Deleted.
2845         (JSC::MapDataImpl<Entry>::set): Deleted.
2846         (JSC::MapDataImpl<Entry>::get): Deleted.
2847         (JSC::MapDataImpl<Entry>::remove): Deleted.
2848         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
2849         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
2850         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
2851         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
2852         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
2853         * runtime/MapPrototype.cpp:
2854         (JSC::mapProtoFuncForEach):
2855         * runtime/SetPrototype.cpp:
2856         (JSC::setProtoFuncForEach):
2857         * runtime/WeakGCMap.h:
2858         (JSC::WeakGCMap::forEach):
2859         * tests/stress/modify-map-during-iteration.js: Added.
2860         (testValue):
2861         (identityPairs):
2862         (.set if):
2863         (var):
2864         (set map):
2865         * tests/stress/modify-set-during-iteration.js: Added.
2866         (testValue):
2867         (set forEach):
2868         (set delete):
2869
2870 2015-03-24  Mark Lam  <mark.lam@apple.com>
2871
2872         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
2873         <https://webkit.org/b/143024>
2874
2875         Reviewed by Geoffrey Garen.
2876
2877         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
2878         passed in from testapi.c.  It should create its own for better
2879         encapsulation of the test.
2880
2881         * API/tests/ExecutionTimeLimitTest.cpp:
2882         (currentCPUTimeAsJSFunctionCallback):
2883         (testExecutionTimeLimit):
2884         * API/tests/ExecutionTimeLimitTest.h:
2885         * API/tests/testapi.c:
2886         (main):
2887
2888 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2889
2890         ES6: Object Literal Methods toString is missing method name
2891         https://bugs.webkit.org/show_bug.cgi?id=142992
2892
2893         Reviewed by Geoffrey Garen.
2894
2895         Always stringify functions in the pattern:
2896
2897           "function " + <function name> + <text from opening parenthesis to closing brace>.
2898
2899         * runtime/FunctionPrototype.cpp:
2900         (JSC::functionProtoFuncToString):
2901         Update the path that was not stringifying in this pattern.
2902
2903         * bytecode/UnlinkedCodeBlock.cpp:
2904         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2905         * bytecode/UnlinkedCodeBlock.h:
2906         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
2907         * parser/Nodes.h:
2908         * runtime/Executable.cpp:
2909         (JSC::FunctionExecutable::FunctionExecutable):
2910         * runtime/Executable.h:
2911         (JSC::FunctionExecutable::parametersStartOffset):
2912         Pass the already known function parameter opening parenthesis
2913         start offset through to the FunctionExecutable. 
2914
2915         * tests/mozilla/js1_5/Scope/regress-185485.js:
2916         (with.g):
2917         Add back original space in this test that was removed by r181810
2918         now that we have the space again in stringification.
2919
2920 2015-03-24  Michael Saboff  <msaboff@apple.com>
2921
2922         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
2923         https://bugs.webkit.org/show_bug.cgi?id=142856
2924
2925         Reviewed by Filip Pizlo.
2926
2927         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
2928         get info for three loops to iterate over indexed properties, structure properties and other properties,
2929         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
2930         for all loops before we execute any enumeration.
2931
2932         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
2933         The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex)
2934         and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
2935
2936         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
2937         op_next_enumerator_pname.
2938         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
2939         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
2940         end value we stop iterating on.
2941
2942         Made corresponding node changes to the DFG and FTL for the bytecode changes.
2943
2944         * bytecode/BytecodeList.json:
2945         * bytecode/BytecodeUseDef.h:
2946         (JSC::computeUsesForBytecodeOffset):
2947         (JSC::computeDefsForBytecodeOffset):
2948         * bytecode/CodeBlock.cpp:
2949         (JSC::CodeBlock::dumpBytecode):
2950         * bytecompiler/BytecodeGenerator.cpp:
2951         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
2952         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
2953         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
2954         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
2955         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
2956         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
2957         * bytecompiler/BytecodeGenerator.h:
2958         * bytecompiler/NodesCodegen.cpp:
2959         (JSC::ForInNode::emitMultiLoopBytecode):
2960         * dfg/DFGAbstractInterpreterInlines.h:
2961         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2962         * dfg/DFGByteCodeParser.cpp:
2963         (JSC::DFG::ByteCodeParser::parseBlock):
2964         * dfg/DFGCapabilities.cpp:
2965         (JSC::DFG::capabilityLevel):
2966         * dfg/DFGClobberize.h:
2967         (JSC::DFG::clobberize):
2968         * dfg/DFGDoesGC.cpp:
2969         (JSC::DFG::doesGC):
2970         * dfg/DFGFixupPhase.cpp:
2971         (JSC::DFG::FixupPhase::fixupNode):
2972         * dfg/DFGNodeType.h:
2973         * dfg/DFGPredictionPropagationPhase.cpp:
2974         (JSC::DFG::PredictionPropagationPhase::propagate):
2975         * dfg/DFGSafeToExecute.h:
2976         (JSC::DFG::safeToExecute):
2977         * dfg/DFGSpeculativeJIT32_64.cpp:
2978         (JSC::DFG::SpeculativeJIT::compile):
2979         * dfg/DFGSpeculativeJIT64.cpp:
2980         (JSC::DFG::SpeculativeJIT::compile):
2981         * ftl/FTLAbstractHeapRepository.h:
2982         * ftl/FTLCapabilities.cpp:
2983         (JSC::FTL::canCompile):
2984         * ftl/FTLLowerDFGToLLVM.cpp:
2985         (JSC::FTL::LowerDFGToLLVM::compileNode):
2986         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
2987         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
2988         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
2989         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
2990         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
2991         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
2992         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
2993         * jit/JIT.cpp:
2994         (JSC::JIT::privateCompileMainPass):
2995         * jit/JIT.h:
2996         * jit/JITOpcodes.cpp:
2997         (JSC::JIT::emit_op_enumerator_structure_pname):
2998         (JSC::JIT::emit_op_enumerator_generic_pname):
2999         (JSC::JIT::emit_op_get_property_enumerator):
3000         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
3001         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
3002         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
3003         * jit/JITOpcodes32_64.cpp:
3004         (JSC::JIT::emit_op_enumerator_structure_pname):
3005         (JSC::JIT::emit_op_enumerator_generic_pname):
3006         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
3007         * jit/JITOperations.cpp:
3008         * jit/JITOperations.h:
3009         * llint/LowLevelInterpreter.asm:
3010         * runtime/CommonSlowPaths.cpp:
3011         (JSC::SLOW_PATH_DECL):
3012         * runtime/CommonSlowPaths.h:
3013         * runtime/JSPropertyNameEnumerator.cpp:
3014         (JSC::JSPropertyNameEnumerator::create):
3015         (JSC::JSPropertyNameEnumerator::finishCreation):
3016         * runtime/JSPropertyNameEnumerator.h:
3017         (JSC::JSPropertyNameEnumerator::indexedLength):
3018         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
3019         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
3020         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
3021         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
3022         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
3023         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
3024         (JSC::propertyNameEnumerator):
3025         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
3026         (JSC::structurePropertyNameEnumerator): Deleted.
3027         (JSC::genericPropertyNameEnumerator): Deleted.
3028         * runtime/Structure.cpp:
3029         (JSC::Structure::setCachedPropertyNameEnumerator):
3030         (JSC::Structure::cachedPropertyNameEnumerator):
3031         (JSC::Structure::canCachePropertyNameEnumerator):
3032         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
3033         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
3034         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
3035         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
3036         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
3037         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
3038         * runtime/Structure.h:
3039         * runtime/StructureRareData.cpp:
3040         (JSC::StructureRareData::visitChildren):
3041         (JSC::StructureRareData::cachedPropertyNameEnumerator):
3042         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
3043         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
3044         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
3045         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
3046         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
3047         * runtime/StructureRareData.h:
3048         * tests/stress/for-in-delete-during-iteration.js:
3049
3050 2015-03-24  Michael Saboff  <msaboff@apple.com>
3051
3052         Unreviewed build fix for debug builds.
3053
3054         * runtime/ExceptionHelpers.cpp:
3055         (JSC::invalidParameterInSourceAppender):
3056
3057 2015-03-24  Saam Barati  <saambarati1@gmail.com>
3058
3059         Improve error messages in JSC
3060         https://bugs.webkit.org/show_bug.cgi?id=141869
3061
3062         Reviewed by Geoffrey Garen.
3063
3064         JavaScriptCore has some unintuitive error messages associated
3065         with certain common errors. This patch changes some specific
3066         error messages to be more understandable and also creates a
3067         mechanism that will allow for easy modification of error messages
3068         in the future. The specific errors we change are "not a function"
3069         errors and "invalid parameter" errors.
3070
3071         * CMakeLists.txt:
3072         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3073         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3074         * JavaScriptCore.xcodeproj/project.pbxproj:
3075         * interpreter/Interpreter.cpp:
3076         (JSC::sizeOfVarargs):
3077         * jit/JITOperations.cpp:
3078         op_throw_static_error always has a JSString as its argument.
3079         There is no need to dance around this, and we should assert
3080         that this always holds. This JSString represents the error 
3081         message we want to display to the user, so there is no need
3082         to pass it into errorDescriptionForValue which will now place
3083         quotes around the string.
3084
3085         * llint/LLIntSlowPaths.cpp:
3086         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3087         * runtime/CommonSlowPaths.h:
3088         (JSC::CommonSlowPaths::opIn):
3089         * runtime/ErrorInstance.cpp:
3090         (JSC::ErrorInstance::ErrorInstance):
3091         * runtime/ErrorInstance.h:
3092         (JSC::ErrorInstance::hasSourceAppender):
3093         (JSC::ErrorInstance::sourceAppender):
3094         (JSC::ErrorInstance::setSourceAppender):
3095         (JSC::ErrorInstance::clearSourceAppender):
3096         (JSC::ErrorInstance::setRuntimeTypeForCause):
3097         (JSC::ErrorInstance::runtimeTypeForCause):
3098         (JSC::ErrorInstance::clearRuntimeTypeForCause):
3099         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
3100         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
3101         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
3102         * runtime/ExceptionHelpers.cpp:
3103         (JSC::errorDescriptionForValue):
3104         (JSC::defaultApproximateSourceError):
3105         (JSC::defaultSourceAppender):
3106         (JSC::functionCallBase):
3107         (JSC::notAFunctionSourceAppender):
3108         (JSC::invalidParameterInSourceAppender):
3109         (JSC::invalidParameterInstanceofSourceAppender):
3110         (JSC::createError):
3111         (JSC::createInvalidFunctionApplyParameterError):
3112         (JSC::createInvalidInParameterError):
3113         (JSC::createInvalidInstanceofParameterError):
3114         (JSC::createNotAConstructorError):
3115         (JSC::createNotAFunctionError):
3116         (JSC::createNotAnObjectError):
3117         (JSC::createInvalidParameterError): Deleted.
3118         * runtime/ExceptionHelpers.h:
3119         * runtime/JSObject.cpp:
3120         (JSC::JSObject::hasInstance):
3121         * runtime/RuntimeType.cpp: Added.
3122         (JSC::runtimeTypeForValue):
3123         (JSC::runtimeTypeAsString):
3124         * runtime/RuntimeType.h: Added.
3125         * runtime/TypeProfilerLog.cpp:
3126         (JSC::TypeProfilerLog::processLogEntries):
3127         * runtime/TypeSet.cpp:
3128         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
3129         * runtime/TypeSet.h:
3130         * runtime/VM.cpp:
3131         (JSC::appendSourceToError):
3132         (JSC::VM::throwException):
3133
3134 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
3135
3136         JSC should have a low-cost asynchronous disassembler
3137         https://bugs.webkit.org/show_bug.cgi?id=142997
3138
3139         Reviewed by Mark Lam.
3140         
3141         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
3142         doesn't block execution. Some code will live a little longer because of this, since the
3143         work tasks hold a ref to the code, but other than that there is basically no overhead.
3144         
3145         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
3146         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
3147         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
3148         JSC_asyncDisassembly has bizarre behavior - so just choose one.
3149         
3150         A simple way of understanding how great this is, is to run a small benchmark like
3151         V8Spider/earley-boyer.
3152         
3153         Performance without any disassembly flags: 60ms
3154         Performance with JSC_showDisassembly=true: 477ms
3155         Performance with JSC_asyncDisassembly=true: 65ms
3156         
3157         So, the overhead of disassembly goes from 8x to 8%.
3158         
3159         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
3160         measuring benchmark performance. This is because at VM exit, we wait for all async
3161         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
3162         after the benchmark completely finishes to finish the disassemblies. This small weirdness
3163         should be OK for the intended use-cases, since all you have to do to get around it is to
3164         measure the execution time of the benchmark payload rather than the end-to-end time of
3165         launching the VM.
3166
3167         * assembler/LinkBuffer.cpp:
3168         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3169         * assembler/LinkBuffer.h:
3170         (JSC::LinkBuffer::wasAlreadyDisassembled):
3171         (JSC::LinkBuffer::didAlreadyDisassemble):
3172         * dfg/DFGJITCompiler.cpp:
3173         (JSC::DFG::JITCompiler::disassemble):
3174         * dfg/DFGJITFinalizer.cpp:
3175         (JSC::DFG::JITFinalizer::finalize):
3176         (JSC::DFG::JITFinalizer::finalizeFunction):
3177         * disassembler/Disassembler.cpp:
3178         (JSC::disassembleAsynchronously):
3179         (JSC::waitForAsynchronousDisassembly):
3180         * disassembler/Disassembler.h:
3181         * ftl/FTLCompile.cpp:
3182         (JSC::FTL::mmAllocateDataSection):
3183         * ftl/FTLLink.cpp:
3184         (JSC::FTL::link):
3185         * jit/JIT.cpp:
3186         (JSC::JIT::privateCompile):
3187         * jsc.cpp:
3188         * runtime/Options.h:
3189         * runtime/VM.cpp:
3190         (JSC::VM::~VM):
3191
3192 2015-03-23  Dean Jackson  <dino@apple.com>
3193
3194         ES7: Implement Array.prototype.includes
3195         https://bugs.webkit.org/show_bug.cgi?id=142707
3196
3197         Reviewed by Geoffrey Garen.
3198
3199         Add support for the ES7 includes method on Arrays.
3200         https://github.com/tc39/Array.prototype.includes
3201
3202         * builtins/Array.prototype.js:
3203         (includes): Implementation in JS.
3204         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
3205
3206 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
3207
3208         __defineGetter__/__defineSetter__ should throw exceptions
3209         https://bugs.webkit.org/show_bug.cgi?id=142934
3210
3211         Reviewed by Geoffrey Garen.
3212
3213         * runtime/ObjectPrototype.cpp:
3214         (JSC::objectProtoFuncDefineGetter):
3215         (JSC::objectProtoFuncDefineSetter):
3216         Throw exceptions when these functions are used directly.
3217
3218 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
3219
3220         Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
3221         https://bugs.webkit.org/show_bug.cgi?id=142952
3222
3223         Reviewed by Geoffrey Garen.
3224
3225         * runtime/Structure.cpp:
3226         (JSC::PropertyTable::checkConsistency):
3227         The check offset method doesn't exist in PropertyTable; it exists in Structure.
3228
3229         (JSC::Structure::checkConsistency):
3230         So move it here, and always put it at the start to match normal behavior.
3231
3232 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3233
3234         Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
3235         https://bugs.webkit.org/show_bug.cgi?id=142956
3236
3237         Rubber stamped by Gyuyoung Kim.
3238         
3239         Just removing dead code.
3240
3241         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3242         * JavaScriptCore.xcodeproj/project.pbxproj:
3243         * dfg/DFGOSRExit.h:
3244         * dfg/DFGOSRExitCompiler.cpp:
3245         * dfg/DFGValueRecoveryOverride.h: Removed.
3246
3247 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3248
3249         DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
3250         https://bugs.webkit.org/show_bug.cgi?id=142948
3251
3252         Reviewed by Sam Weinig.
3253         
3254         It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
3255         since a signal may clobber the area below the stack pointer. When the DFG is executing,
3256         the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
3257         baseline, we will use a different amount of stack. This is because baseline is a different
3258         compiler. It will make different decisions. So it will use a different amount of stack.
3259         
3260         This gets tricky when we are in the process of doing an OSR exit, because we are sort of
3261         incrementally transforming the stack from how it looked in the DFG to how it will look in
3262         baseline. The most conservative approach would be to set the stack pointer to the max of
3263         DFG and baseline.
3264         
3265         When this code was written, a reckless assumption was made: that the stack usage in
3266         baseline is always at least as large as the stack usage in DFG. Based on this incorrect
3267         assumption, the code first adjusts the stack pointer to account for the baseline stack
3268         usage. This sort of usually works, because usually baseline does happen to use more stack.
3269         But that's not an invariant. Nobody guarantees this. We will never make any changes that
3270         would make this be guaranteed, because that would be antithetical to how optimizing
3271         compilers work. The DFG should be allowed to use however much stack it decides that it
3272         should use in order to get good performance, and it shouldn't try to guarantee that it
3273         always uses less stack than baseline.
3274         
3275         As such, we must always assume that the frame size for DFG execution (i.e.
3276         frameRegisterCount) and the frame size in baseline once we exit (i.e.
3277         requiredRegisterCountForExit) are two independent quantities and they have no
3278         relationship.
3279         
3280         Fortunately, though, this code can be made correct by just moving the stack adjustment to
3281         just before we do conversions. This is because we have since changed the OSR exit
3282         algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
3283         drop it out of the scratch buffer and into the stack according to the baseline layout. The
3284         point just before conversions is the point where we have finished reading the DFG frame
3285         and will not read it anymore, and we haven't started writing the baseline frame. So, at
3286         this point it is safe to set the stack pointer to account for the frame size at exit.
3287         
3288         This is benign because baseline happens to create larger frames than DFG.
3289
3290         * dfg/DFGOSRExitCompiler32_64.cpp:
3291         (JSC::DFG::OSRExitCompiler::compileExit):
3292         * dfg/DFGOSRExitCompiler64.cpp:
3293         (JSC::DFG::OSRExitCompiler::compileExit):
3294         * dfg/DFGOSRExitCompilerCommon.cpp:
3295         (JSC::DFG::adjustAndJumpToTarget):
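
The ordering argument in the entry above (read the whole DFG frame into scratch, then move the stack pointer, then write the baseline frame) can be shown with a toy model. This is an added example and not JSC code: the stack is an array indexed from 0 (deep) upward, a frame of R registers sits at indices FP-R .. FP-1 below the frame pointer FP, sp = FP - R, and a "signal" may clobber every index below sp between any two steps. frameRegisterCount and requiredRegisterCountForExit are the names used in the entry; POISON, the recovery array and the helper names are assumptions of this example.

```javascript
// Added example, not JSC code: toy model of the OSR-exit stack-pointer ordering bug.
// Stack grows downward toward index 0; anything at index < sp may be clobbered by a signal.

const POISON = -1;

function signalClobber(stack, sp) {
  // Model of an asynchronous signal handler: everything below sp is fair game.
  for (let i = 0; i < sp; i++) stack[i] = POISON;
}

function makeDfgFrame(FP, frameRegisterCount) {
  // Constructed sample frame: DFG register r holds 100 + r; r = 0 lives at FP - 1.
  const stack = new Array(FP).fill(0);
  for (let r = 0; r < frameRegisterCount; r++) stack[FP - 1 - r] = 100 + r;
  return stack;
}

// recovery[b] names the DFG register whose value baseline register b must receive.
// adjustSpFirst = true models the old code (sp moved to the baseline size before the
// DFG frame is read); false models the fix (sp moved just before the conversions).
function osrExit(stack, FP, frameRegisterCount, requiredRegisterCountForExit, recovery, adjustSpFirst) {
  let sp = FP - frameRegisterCount;                // sp as the DFG left it
  if (adjustSpFirst) {
    sp = FP - requiredRegisterCountForExit;        // assumes baseline frame >= DFG frame
    signalClobber(stack, sp);                      // a signal lands before the DFG frame is read
  }
  // Lift all DFG state into a scratch buffer: the last reads of the DFG frame.
  const scratch = [];
  for (let r = 0; r < frameRegisterCount; r++) scratch.push(stack[FP - 1 - r]);
  if (!adjustSpFirst) {
    // Fixed ordering: the DFG frame is no longer needed and the baseline frame
    // is not yet written, so the exit-time frame size can be applied safely.
    sp = FP - requiredRegisterCountForExit;
    signalClobber(stack, sp);
  }
  // Drop values into the baseline layout; every write is at an index >= sp.
  for (let b = 0; b < requiredRegisterCountForExit; b++) stack[FP - 1 - b] = scratch[recovery[b]];
  return recovery.map((_, b) => stack[FP - 1 - b]);
}

// Default scenario: the DFG frame (6 registers) is larger than the baseline frame (3),
// and baseline register 0 needs the deepest DFG slot, which sits below the baseline sp.
function recoveredValues(adjustSpFirst, frameRegisterCount = 6, requiredRegisterCountForExit = 3,
                         recovery = [5, 0, 2]) {
  const FP = 16;
  const stack = makeDfgFrame(FP, frameRegisterCount);
  return osrExit(stack, FP, frameRegisterCount, requiredRegisterCountForExit, recovery, adjustSpFirst);
}
```

With the larger-baseline arguments in the tests below both orderings agree, which is why the old code "sort of usually" worked; only a DFG frame larger than the baseline frame exposes the difference.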
3296
3297 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3298
3299         Shorten the number of iterations to 10,000 since that's enough to test all tiers.
3300
3301         Rubber stamped by Sam Weinig.
3302
3303         * tests/stress/equals-masquerader.js:
3304
3305 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3306
3307         tests/stress/*tdz* tests do 10x more iterations than necessary
3308         https://bugs.webkit.org/show_bug.cgi?id=142946
3309
3310         Reviewed by Ryosuke Niwa.
3311         
3312         The stress test harness runs all of these tests in various configurations. This includes
3313         no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
3314         enough to get to the highest tier. The only exceptions are very large functions or
3315         functions that have some reoptimizations. That happens rarely, and when it does happen,
3316         usually 20,000 iterations is enough.
3317         
3318         Therefore, these tests use 10x too many iterations. This is bad, since these tests
3319         allocate on each iteration, and so they run very slowly in debug mode.
3320
3321         * tests/stress/class-syntax-no-loop-tdz.js:
3322         * tests/stress/class-syntax-no-tdz-in-catch.js:
3323         * tests/stress/class-syntax-no-tdz-in-conditional.js:
3324         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
3325         * tests/stress/class-syntax-no-tdz-in-loop.js:
3326         * tests/stress/class-syntax-no-tdz.js:
3327         * tests/stress/class-syntax-tdz-in-catch.js:
3328         * tests/stress/class-syntax-tdz-in-conditional.js:
3329         * tests/stress/class-syntax-tdz-in-loop.js:
3330         * tests/stress/class-syntax-tdz.js:
3331
3332 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>