d92beb01de1b1e7a3861e3e33f1a91b55a15ef27
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-06  Mark Lam  <mark.lam@apple.com>

        In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
        <https://webkit.org/b/143396>

        Reviewed by Filip Pizlo.

        The DFG was neglecting to set the result boolean.  The FTL was setting it with
        an inverted value.  Both of these are now resolved.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
        * tests/stress/for-in-array-mode.js: Added.
        (.):
        (test):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
        https://bugs.webkit.org/show_bug.cgi?id=143424

        Reviewed by Geoffrey Garen.

        In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).

        ToString(symbol) throws a type error.
        However, String(symbol) produces SymbolDescriptiveString(symbol).

        So, in the DFG and FTL phases, they should not inline StringConstructor to ToString.

        Now, in the template literals patch, the ToString DFG operation is planned to be used.
        And the current ToString behavior is aligned to the spec (and JSValue::toString) and it's better.
        So instead of changing ToString behavior, this patch adds a CallStringConstructor operation into DFG and FTL.
        In CallStringConstructor, all behavior in DFG analysis is the same.
        The only difference from ToString is, when calling DFG operation functions, it calls
        operationCallStringConstructorOnCell and operationCallStringConstructor instead of
        operationToStringOnCell and operationToString.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        (JSC::DFG::FixupPhase::fixupToString): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
        (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
        * runtime/StringConstructor.cpp:
        (JSC::stringConstructor):
        (JSC::callStringConstructor):
        * runtime/StringConstructor.h:
        * tests/stress/symbol-and-string-constructor.js: Added.
        (performString):

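As an added example (not part of the ChangeLog or of WebKit's own test suite), the semantic split the entry describes, plus a differential check that runs one function hot and compares every iteration's outcome with the first; a tier that inlined String() as ToString would show up as a divergence between the interpreted and compiled runs. The iteration count and the symbol description are constructed values.

```javascript
// String(symbol) returns SymbolDescriptiveString(symbol), e.g. "Symbol(desc)".
function callStringConstructor(value) {
  return String(value);
}

// The ToString abstract operation (string concatenation, template literals,
// String.prototype methods applied to a symbol) throws a TypeError instead.
function coerceViaToString(value) {
  return '' + value;
}

// Capture a call's result as data so that a value and a throw can be compared.
function outcome(fn, input) {
  try {
    return { kind: 'value', value: fn(input) };
  } catch (e) {
    return { kind: 'throw', value: e.constructor.name };
  }
}

// Differential check across tiers: call fn repeatedly (enough for a tiering
// engine to JIT it) and report the first iteration whose outcome differs from
// the first call, which is evaluated before any tier-up can have happened.
function differentialCheck(fn, input, iterations) {
  const first = outcome(fn, input);
  for (let i = 1; i < iterations; i++) {
    const o = outcome(fn, input);
    if (o.kind !== first.kind || o.value !== first.value) {
      return { consistent: false, first, divergedAt: i, got: o };
    }
  }
  return { consistent: true, first };
}
```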
2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Return Optional<uint32_t> from PropertyName::asIndex
        https://bugs.webkit.org/show_bug.cgi?id=143422

        Reviewed by Darin Adler.

        PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
        But it's not obvious to callers.

        This patch changes
        1. PropertyName::asIndex() to return Optional<uint32_t> and
        2. the function name `asIndex()` to `parseIndex()`.
        It forces callers to check explicitly whether the value is an index or not.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStubAndGetOldStructure):
        * jsc.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/Identifier.h:
        (JSC::parseIndex):
        (JSC::Identifier::isSymbol):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/PropertyName.h:
        (JSC::parseIndex):
        (JSC::toUInt32FromCharacters): Deleted.
        (JSC::toUInt32FromStringImpl): Deleted.
        (JSC::PropertyName::asIndex): Deleted.
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):

2015-04-05  Andreas Kling  <akling@apple.com>

        URI encoding/escaping should use efficient string building instead of calling snprintf().
        <https://webkit.org/b/143426>

        Reviewed by Gavin Barraclough.

        I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
        which seemed pretty silly. This change gets that down to nothing in favor of using our
        existing JSStringBuilder and HexNumber.h facilities.

        These APIs are well-exercised by our existing test suite.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::globalFuncEscape):

2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>

        documentation for ES Promises points to the wrong one
        https://bugs.webkit.org/show_bug.cgi?id=143263

        Reviewed by Darin Adler.

        * features.json:

2015-04-05  Simon Fraser  <simon.fraser@apple.com>

        Remove "go ahead and" from comments
        https://bugs.webkit.org/show_bug.cgi?id=143421

        Reviewed by Darin Adler, Benjamin Poulain.

        Remove the phrase "go ahead and" from comments where it doesn't add
        anything (which is almost all of them).

        * interpreter/JSStack.cpp:
        (JSC::JSStack::growSlowCase):

2015-04-04  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done.)

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Implement ES6 Object.getOwnPropertySymbols
        https://bugs.webkit.org/show_bug.cgi?id=141106

        Reviewed by Geoffrey Garen.

        This patch implements `Object.getOwnPropertySymbols`.
        One technical issue is that, since we use private symbols (such as `@Object`) in the
        privileged JS code in `builtins/`, they should not be exposed.
        To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
        before adding it into PropertyNameArray.

        To check that the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`
        since all private symbols are held in this map.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::isPrivateName):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::isPrivateName):
        * runtime/CommonIdentifiers.h:
        * runtime/EnumerationMode.h:
        (JSC::EnumerationMode::EnumerationMode):
        (JSC::EnumerationMode::includeSymbolProperties):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        (JSC::objectConstructorGetOwnPropertySymbols):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-get-own-property-symbols.js: Added.
        (forIn):
        * tests/stress/symbol-define-property.js: Added.
        (testSymbol):
        * tests/stress/symbol-seal-and-freeze.js: Added.
        * tests/stress/symbol-with-json.js: Added.

2015-04-03  Mark Lam  <mark.lam@apple.com>

        Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
        <https://webkit.org/b/143385>

        Reviewed by Geoffrey Garen.

        For debugging purposes, sometimes, we want to be able to make compilation happen
        sooner to see if we can accelerate the manifestation of certain events / bugs.
        Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
        which make up the compilation policy.  Let's add a single knob that can tune all
        the thresholds up / down in one go proportionately so that we can easily tweak
        how soon compilation occurs.

        * runtime/Options.cpp:
        (JSC::scaleJITPolicy):
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        is* API methods should be @properties
        https://bugs.webkit.org/show_bug.cgi?id=143388

        Reviewed by Mark Lam.

        This appears to be the preferred idiom in WebKit, CA, AppKit, and
        Foundation.

        * API/JSValue.h: Be @properties.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Use the @properties.

2015-04-03  Mark Lam  <mark.lam@apple.com>

        Some JSC Options refactoring and enhancements.
        <https://webkit.org/b/143384>

        Rubber stamped by Benjamin Poulain.

        Create a better encapsulated Option class to make working with options easier.  This
        is a building block towards a JIT policy scaling debugging option I will introduce later.

        This work entails:
        1. Convert Options::Option into a public class Option (which works closely with Options).
        2. Convert Options::EntryType into an enum class Options::Type and make it public.
        3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
        4. Add misc methods to class Option to make it more usable.

        * runtime/Options.cpp:
        (JSC::Options::dumpOption):
        (JSC::Option::dump):
        (JSC::Option::operator==):
        (JSC::Options::Option::dump): Deleted.
        (JSC::Options::Option::operator==): Deleted.
        * runtime/Options.h:
        (JSC::Option::Option):
        (JSC::Option::operator!=):
        (JSC::Option::name):
        (JSC::Option::description):
        (JSC::Option::type):
        (JSC::Option::isOverridden):
        (JSC::Option::defaultOption):
        (JSC::Option::boolVal):
        (JSC::Option::unsignedVal):
        (JSC::Option::doubleVal):
        (JSC::Option::int32Val):
        (JSC::Option::optionRangeVal):
        (JSC::Option::optionStringVal):
        (JSC::Option::gcLogLevelVal):
        (JSC::Options::Option::Option): Deleted.
        (JSC::Options::Option::operator!=): Deleted.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
        is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
        is equal to 101100.

2015-04-03  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Follow-up to address a comment by Dan.

        * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
        Added a comment explaining why.

2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>

        FTL JIT tests should fail if LLVM library isn't available
        https://bugs.webkit.org/show_bug.cgi?id=143374

        Reviewed by Mark Lam.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * runtime/Options.h:

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Fix the EFL and GTK build after r182243
        https://bugs.webkit.org/show_bug.cgi?id=143361

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt: InspectorBackendCommands.js is generated in the
        DerivedSources/JavaScriptCore/inspector/ directory.

2015-04-03  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed, fixing Clang builds of the GTK port on Linux.

        * runtime/Options.cpp:
        Include the <math.h> header for isnan().

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Enhance ability to dump JSC Options.
        <https://webkit.org/b/143357>

        Reviewed by Benjamin Poulain.

        Some enhancements to how the JSC options work:

        1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
           2 = All, 3 = Verbose.

           The default is 0 (None).  This dumps nothing.
           With the Overridden setting, at VM initialization time, we will dump all
           option values that have been changed from their default.
           With the All setting, at VM initialization time, we will dump all option values.
           With the Verbose setting, at VM initialization time, we will dump all option
           values along with their descriptions (if available).

        2. We now store a copy of the default option values.

           We later use this for comparison to tell if an option has been overridden, and
           print the default value for reference.  As a result, we no longer need the
           didOverride flag since we can compute whether the option is overridden at any time.

        3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).

           This will come in handy later when we want to rename some of the options to more sane
           names that are easier to remember.  For example, we can change
           Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
           Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
           of the description, we can afford to use shorter and less descriptive option names,
           but they will be easier to remember and use for day to day debugging work.

           In this patch, I did not change the names of any of the options yet.  I only added
           description strings for options that I know about, and where I think the option name
           isn't already descriptive enough.

        4. Also deleted some unused code.

        * jsc.cpp:
        (CommandLine::parseArguments):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        (JSC::Options::setOption):
        (JSC::Options::dumpAllOptions):
        (JSC::Options::dumpOption):
        (JSC::Options::Option::dump):
        (JSC::Options::Option::operator==):
        * runtime/Options.h:
        (JSC::OptionRange::rangeString):
        (JSC::Options::Option::Option):
        (JSC::Options::Option::operator!=):

2015-04-02  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore API should support type checking for Array and Date
        https://bugs.webkit.org/show_bug.cgi?id=143324

        Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.

        * API/JSValue.h:
        * API/JSValue.mm:
        (-[JSValue isArray]):
        (-[JSValue isDate]): Added an ObjC API.

        * API/JSValueRef.cpp:
        (JSValueIsArray):
        (JSValueIsDate):
        * API/JSValueRef.h: Added a C API.

        * API/WebKitAvailability.h: Brought our availability macros up to date
        and fixed a harmless bug where "10_10" translated to "10.0".

        * API/tests/testapi.c:
        (main): Added a test and corrected a pre-existing leak.

        * API/tests/testapi.mm:
        (testObjectiveCAPI): Added a test.

2015-04-02  Mark Lam  <mark.lam@apple.com>

        Add Options::dumpSourceAtDFGTime().
        <https://webkit.org/b/143349>

        Reviewed by Oliver Hunt, and Michael Saboff.

        Sometimes, we will want to see the JS source code that we're compiling, and it
        would be nice to be able to do this without having to jump through a lot of hoops.
        So, let's add an Options::dumpSourceAtDFGTime() option just like we have an
        Options::dumpBytecodeAtDFGTime() option.

        Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
        that explicitly take no arguments (instead of relying on the version that takes
        the default argument).  These versions are friendlier to use when we want to call
        them from an interactive debugging session.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpSource):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * runtime/Options.h:

2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up EnumerationMode to easily extend
        https://bugs.webkit.org/show_bug.cgi?id=143276

        Reviewed by Geoffrey Garen.

        To make the following easy,
        1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
        2. Making ExcludeSymbols implicitly the default for the existing flags
        we encapsulate the EnumerationMode flags into an EnumerationMode class.

        And this class manages 2 flags. Later it will be extended to 3.
        1. DontEnumPropertiesMode (default is Exclude)
        2. JSObjectPropertiesMode (default is Include)
        3. SymbolPropertiesMode (default is Exclude)
            SymbolPropertiesMode will be added in the Object.getOwnPropertySymbols patch.

        This patch replaces places using ExcludeDontEnumProperties
        with the EnumerationMode() value which represents the default mode.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/EnumerationMode.h:
        (JSC::EnumerationMode::EnumerationMode):
        (JSC::EnumerationMode::includeDontEnumProperties):
        (JSC::EnumerationMode::includeJSObjectProperties):
        (JSC::shouldIncludeDontEnumProperties): Deleted.
        (JSC::shouldExcludeDontEnumProperties): Deleted.
        (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
        (JSC::modeThatSkipsJSObject): Deleted.
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::getGenericPropertyNames):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnNonIndexPropertyNames):
        (JSC::RegExpObject::getPropertyNames):
        (JSC::RegExpObject::getGenericPropertyNames):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertyNames):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):

2015-04-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Windows and Mac.
        https://bugs.webkit.org/show_bug.cgi?id=143293

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Enabled using assembly on Windows.
        Replaced unix commands with CMake commands.
        * PlatformMac.cmake:
        Tell open source builders where to find unicode headers.

2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        IteratorClose should be called when jumping over the target for-of loop
        https://bugs.webkit.org/show_bug.cgi?id=143140

        Reviewed by Geoffrey Garen.

        This patch fixes labeled break/continue behaviors with for-of and iterators.

        1. Support IteratorClose beyond multiple loop contexts
        Previously, IteratorClose was only executed in for-of's breakTarget().
        However, this misses IteratorClose execution when a statement rolls up multiple control-flow contexts.
        For example,
        outer: for (var e1 of outer) {
            inner: for (var e2 of inner) {
                break outer;
            }
        }
        In this case, the return method of inner should be called.
        We leverage the existing system for `finally` to execute the inner.return method correctly.
        Leveraging the `finally` system fixes the `break`, `continue` and `return` cases.
        The `throw` case is already supported by emitting try-catch handlers in for-of.

        2. Incorrect LabelScope creation is done in ForOfNode
        ForOfNode creates a duplicated LabelScope.
        It causes an infinite loop when executing the following program that contains
        an explicitly labeled for-of loop.
        For example,
        inner: for (var elm of array) {
            continue inner;
        }

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyContext):
        (JSC::BytecodeGenerator::pushIteratorCloseContext):
        (JSC::BytecodeGenerator::popFinallyContext):
        (JSC::BytecodeGenerator::popIteratorCloseContext):
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorClose):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForOfNode::emitBytecode):
        * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
        (createIterator.iterator.return):
        (createIterator):
        * tests/stress/raise-error-in-iterator-close.js: Added.
        (createIterator.iterator.return):
        (createIterator):

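An added example (not the ChangeLog's own test files) that checks both behaviors the entry describes from the language side: every for-of loop that a labeled `break` or `continue` jumps out of must have its iterator's `return` method called, in inner-to-outer order, and a labeled `continue` on a single for-of must terminate. The iterator's `return` hook records calls into a constructed log so the result can be asserted on.

```javascript
// Build an iterable whose return() hook (the IteratorClose target) logs its
// invocation. `name` and `log` are constructed for this example.
function createIterator(values, log, name) {
  let i = 0;
  return {
    [Symbol.iterator]() { return this; },
    next() {
      return i < values.length
        ? { value: values[i++], done: false }
        : { value: undefined, done: true };
    },
    return() {
      log.push(name + '.return');
      return { value: undefined, done: true };
    },
  };
}

// `break outer` from inside the inner loop leaves both loops early, so both
// iterators must be closed: inner first, then outer.
function breakOuterFromInner() {
  const log = [];
  outer: for (const e1 of createIterator([1, 2], log, 'outer')) {
    inner: for (const e2 of createIterator([1, 2], log, 'inner')) {
      break outer;
    }
  }
  return log;
}

// `continue outer` closes only the inner iterator; the outer loop keeps going
// and, because it runs to exhaustion, its return() is never called.
function continueOuterFromInner() {
  const log = [];
  let bodyRuns = 0;
  outer: for (const e1 of createIterator([1, 2], log, 'outer')) {
    for (const e2 of createIterator([1, 2], log, 'inner')) {
      bodyRuns++;
      continue outer;
    }
  }
  return { log, bodyRuns };
}

// The second bug in the entry: a labeled `continue` targeting the for-of loop
// itself must advance the iterator rather than loop forever.
function labeledContinueTerminates(values) {
  let count = 0;
  inner: for (const elm of values) {
    count++;
    continue inner;
  }
  return count;
}
```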
2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Symbol.unscopables
        https://bugs.webkit.org/show_bug.cgi?id=142829

        Reviewed by Geoffrey Garen.

        This patch introduces Symbol.unscopables functionality.
        In ES6, some generic names (like keys, values) are introduced
        as Array's method names. And this breaks the web since some web sites
        use code like the following.

        var values = ...;
        with (array) {
            values;  // This values is trapped by array's method "values".
        }

        To fix this, Symbol.unscopables introduces a blacklist
        for with scope's trapping. When resolving scope,
        if the name is found in the target scope and the target scope is a with scope,
        we check the Symbol.unscopables object to filter generic names.

        This functionality is only active for with scopes.
        Global scope does not have unscopables functionality.

        And since
        1) op_resolve_scope for with scope always returns the Dynamic resolve type,
        2) in that case, JSScope::resolve is always used in JIT and LLInt,
        3) the code which contains op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
        to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
        So the performance regression is only visible in the Dynamic resolving case, and it is already very slow.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::runtimeFlags):
        * runtime/JSScope.cpp:
        (JSC::isUnscopable):
        (JSC::JSScope::resolve):
        * runtime/JSScope.h:
        (JSC::ScopeChainIterator::scope):
        * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
735         (test):
736         * tests/stress/unscopables.js: Added.
737         (test):
738         (.):
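
        The `with` scope trap and the Symbol.unscopables filter described in this entry, as an added JavaScript example that is not part of the ChangeLog or of JavaScriptCore; `lookupInsideWith` is a constructed helper, and because `with` is a syntax error in strict code each snippet is compiled with the Function constructor, which always produces sloppy-mode code:

```javascript
// Constructed helper: declares `var <name> = outerValue`, then resolves <name>
// inside `with (scopeObject)` and returns whatever the identifier bound to.
// Built with the Function constructor so it stays valid even if this file is
// strict (the `with` statement is forbidden in strict mode).
function lookupInsideWith(scopeObject, name, outerValue) {
  const body = `var ${name} = outer; with (scope) { return ${name}; }`;
  return new Function("scope", "outer", body)(scopeObject, outerValue);
}

// ES6 adds `values` (and `keys`, `entries`, ...) to Array.prototype and lists
// them in Array.prototype[Symbol.unscopables] so `with (array)` does not trap them.
function arrayValuesIsUnscopable() {
  return Array.prototype[Symbol.unscopables].values === true; // true
}

// The situation from the entry: `values` exists on the array, but it is
// blacklisted, so resolution falls through to the outer `var values`.
function valuesInsideWithArray() {
  return lookupInsideWith([1, 2, 3], "values", "outer values"); // "outer values"
}

// A name that is NOT blacklisted is still trapped by the with scope.
function lengthInsideWithArray() {
  return lookupInsideWith([1, 2, 3], "length", "outer length"); // 3
}

// Any object can opt properties out: before adding @@unscopables the with
// scope traps `keys`; afterwards the outer binding wins.
function customObjectUnscopables() {
  const obj = { keys: "trapped by obj" };
  const before = lookupInsideWith(obj, "keys", "outer keys");
  obj[Symbol.unscopables] = { keys: true };
  const after = lookupInsideWith(obj, "keys", "outer keys");
  return [before, after]; // ["trapped by obj", "outer keys"]
}

// The filter applies only to with scopes: an @@unscopables object on the
// global object is ignored when a global name is resolved.
function globalScopeIgnoresUnscopables() {
  const name = "constructedGlobalForUnscopablesTest";
  globalThis[name] = "resolved from global";
  globalThis[Symbol.unscopables] = { [name]: true };
  try {
    return new Function(`return ${name};`)(); // "resolved from global"
  } finally {
    delete globalThis[name];
    delete globalThis[Symbol.unscopables];
  }
}
```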

2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 class syntax should allow static setters and getters
        https://bugs.webkit.org/show_bug.cgi?id=143180

        Reviewed by Filip Pizlo

        Apparently I misread the spec when I initially implemented parseClass.
        ES6 class syntax allows static getters and setters so just allow that.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-03-31  Filip Pizlo  <fpizlo@apple.com>

        PutClosureVar CSE def() rule has a wrong base
        https://bugs.webkit.org/show_bug.cgi?id=143280

        Reviewed by Michael Saboff.

        I think that this code was incorrect in a benign way, since the base of a
        PutClosureVar is not a JS-visible object. But it was preventing some optimizations.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182200.
        https://bugs.webkit.org/show_bug.cgi?id=143279

        Probably causing assertion extravaganza on bots. (Requested by
        kling on #webkit).

        Reverted changeset:

        "Logically empty WeakBlocks should not pin down their
        MarkedBlocks indefinitely."
        https://bugs.webkit.org/show_bug.cgi?id=143210
        http://trac.webkit.org/changeset/182200

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Clean up Identifier factories to clarify the meaning of StringImpl*
        https://bugs.webkit.org/show_bug.cgi?id=143146

        Reviewed by Filip Pizlo.

        In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
        However, it's ambiguous because `StringImpl*` has 2 different meanings.
        1) normal string, it is replaceable with `WTFString` and
        2) `uid`, which holds `isSymbol` information to represent Symbols.
        So we dropped Identifier constructors for strings and instead, introduced 2 factory functions.
        + `Identifier::fromString(VM*/ExecState*, const String&)`.
        Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
        + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
        This function is used for 2) `uid`. So symbol-ness of `StringImpl*` is kept.

        And to clean up `StringImpl` which is used as uid,
        we introduce `StringKind` into `StringImpl`. There are 3 kinds
        1. StringNormal (non-atomic, non-symbol)
        2. StringAtomic (atomic, non-symbol)
        3. StringSymbol (non-atomic, symbol)
        They are mutually exclusive. And the (atomic, symbol) case should not exist.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        (JSC::BytecodeGenerator::emitEnumeration):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::addFunction):
        (GlobalObject::addConstructableFunction):
        (functionRun):
        (runWithScripts):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::createBindingPattern):
        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
        (JSC::IdentifierArena::makeNumericIdentifier):
        * runtime/ArgumentsIteratorPrototype.cpp:
        (JSC::ArgumentsIteratorPrototype::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncPush):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::hasErrorInfo):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/Identifier.h:
        (JSC::Identifier::isSymbol):
        (JSC::Identifier::Identifier):
        (JSC::Identifier::from): Deleted.
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::Identifier):
        (JSC::Identifier::fromUid):
        (JSC::Identifier::fromString):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        (JSC::makeIdentifier):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncRace):
        (JSC::JSPromiseConstructorFuncAll):
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::makeIdentifier):
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::addKnownUnique):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/SymbolConstructor.cpp:
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):

2015-03-31  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done).

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
        https://bugs.webkit.org/show_bug.cgi?id=142883

        Reviewed by Filip Pizlo.

        The crash was caused by eval inside the constructor of a derived class not checking TDZ.

        Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
        in eval inside a derived class's constructor.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::getSlow):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::thisExpr):
        * parser/NodeConstructors.h:
        (JSC::ThisNode::ThisNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::thisExpr):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        * runtime/Executable.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
        * tests/stress/class-syntax-tdz-in-eval.js: Added.
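
        The TDZ behaviour this entry fixes, as an added JavaScript example that is not part of the ChangeLog or of JavaScriptCore (`Base`, `Derived` and `Plain` are constructed classes); the expected outcome of evaluating "this" before super() is a ReferenceError rather than a crash:

```javascript
// Constructed base class for the derived constructors below.
class Base {
  constructor() {
    this.foo = "from Base";
  }
}

// Before super() returns, `this` of a derived constructor is in its temporal
// dead zone. A direct eval("this.foo") must observe that and throw a
// ReferenceError; it must never read an uninitialized slot.
function evalThisBeforeSuper() {
  class Derived extends Base {
    constructor() {
      let outcome;
      try {
        outcome = eval("this.foo");
      } catch (e) {
        outcome = e instanceof ReferenceError ? "ReferenceError" : "other: " + e;
      }
      super();
      this.outcome = outcome;
    }
  }
  return new Derived().outcome; // "ReferenceError"
}

// After super() the binding is initialized, so the same eval succeeds.
function evalThisAfterSuper() {
  class Derived extends Base {
    constructor() {
      super();
      this.outcome = eval("this.foo");
    }
  }
  return new Derived().outcome; // "from Base"
}

// A non-derived class never has a TDZ for `this`, so no check is needed there
// (the entry's class-syntax-no-tdz-in-eval case).
function evalThisInBaseClass() {
  class Plain {
    constructor() {
      this.foo = "from Plain";
      this.outcome = eval("this.foo");
    }
  }
  return new Plain().outcome; // "from Plain"
}
```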

2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182186.
        https://bugs.webkit.org/show_bug.cgi?id=143270

        It crashes all the WebGL tests on the Debug bots (Requested by
        dino on #webkit).

        Reverted changeset:

        "Web Inspector: add 2D/WebGL canvas instrumentation
        infrastructure"
        https://bugs.webkit.org/show_bug.cgi?id=137278
        http://trac.webkit.org/changeset/182186

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Object type restrictions on the first parameter of several Object.* functions are relaxed
        https://bugs.webkit.org/show_bug.cgi?id=142937

        Reviewed by Darin Adler.

        In ES6, Object type restrictions on the first parameter of several Object.* functions are relaxed.
        In ES5 or prior, when the first parameter is not of object type, these functions raise TypeError.
        But now, several functions perform ToObject onto a non-object parameter.
        And others behave as if the parameter is a non-extensible ordinary object with no own properties.
        It is described in ES6 Annex E.
        The functions that differ from ES5 are the following.

        1. An attempt is made to coerce the argument using ToObject.
            Object.getOwnPropertyDescriptor
            Object.getOwnPropertyNames
            Object.getPrototypeOf
            Object.keys

        2. Treated as if it was a non-extensible ordinary object with no own properties.
            Object.freeze
            Object.isExtensible
            Object.isFrozen
            Object.isSealed
            Object.preventExtensions
            Object.seal

        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        * tests/stress/object-freeze-accept-non-object.js: Added.
        * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
        (canary):
        * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
        * tests/stress/object-is-extensible-accept-non-object.js: Added.
        * tests/stress/object-is-frozen-accept-non-object.js: Added.
        * tests/stress/object-is-sealed-accept-non-object.js: Added.
        * tests/stress/object-keys-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
        * tests/stress/object-seal-accept-non-object.js: Added.
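
        The two groups of relaxed Object.* functions listed in this entry, as an added JavaScript example that is not part of the ChangeLog or of JavaScriptCore; `throwsTypeError` is a constructed helper, and the null/undefined cases go beyond the entry to show where the ToObject group still throws:

```javascript
// Constructed helper: true only if fn() throws a TypeError.
function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Group 1: the argument is coerced with ToObject, so a primitive string
// behaves like its String wrapper object (index keys plus "length").
function toObjectGroup() {
  return {
    keys: Object.keys("ab").join(","),                                      // "0,1"
    names: Object.getOwnPropertyNames("ab").join(","),                      // "0,1,length"
    protoIsNumberPrototype: Object.getPrototypeOf(42) === Number.prototype, // true
    lengthDescriptorValue: Object.getOwnPropertyDescriptor("ab", "length").value, // 2
  };
}

// ToObject(null) and ToObject(undefined) still throw, so group 1 keeps the
// TypeError for exactly those two values.
function toObjectGroupStillRejectsNullish() {
  return (
    throwsTypeError(() => Object.keys(null)) &&
    throwsTypeError(() => Object.getOwnPropertyNames(undefined)) &&
    throwsTypeError(() => Object.getPrototypeOf(null)) &&
    throwsTypeError(() => Object.getOwnPropertyDescriptor(undefined, "x"))
  ); // true
}

// Group 2: a non-object is treated as a non-extensible ordinary object with
// no own properties. The mutators return their argument untouched and the
// predicates answer as they would for such an object, even for null/undefined.
function nonExtensibleGroup() {
  return {
    freezeReturnsArg: Object.freeze(1) === 1,                             // true
    sealReturnsArg: Object.seal("s") === "s",                             // true
    preventExtensionsReturnsArg: Object.preventExtensions(null) === null, // true
    isExtensible: Object.isExtensible(1),                                 // false
    isFrozen: Object.isFrozen("s"),                                       // true
    isSealed: Object.isSealed(null),                                      // true
    noneThrow: !throwsTypeError(() => Object.freeze(undefined)),          // true
  };
}
```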
1135
1136 2015-03-31  Matt Baker  <mattbaker@apple.com>
1137
1138         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
1139         https://bugs.webkit.org/show_bug.cgi?id=137278
1140
1141         Reviewed by Timothy Hatcher.
1142
1143         Added Canvas protocol which defines types used by InspectorCanvasAgent.
1144
1145         * CMakeLists.txt:
1146         * DerivedSources.make:
1147         * inspector/protocol/Canvas.json: Added.
1148
1149         * inspector/scripts/codegen/generator.py:
1150         (Generator.stylized_name_for_enum_value):
1151         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
1152
1153 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
1154
1155         Extending null should set __proto__ to null
1156         https://bugs.webkit.org/show_bug.cgi?id=142882
1157
1158         Reviewed by Geoffrey Garen and Benjamin Poulain.
1159
1160         Set Derived.prototype.__proto__ to null when extending null.
1161
1162         * bytecompiler/NodesCodegen.cpp:
1163         (JSC::ClassExprNode::emitBytecode):
1164
1165 2015-03-30  Mark Lam  <mark.lam@apple.com>
1166
1167         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
1168         <https://webkit.org/b/143105>
1169
1170         Reviewed by Filip Pizlo.
1171
1172         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
1173         on OSR exits from DFG / FTL frames where this elision has take place, we may get baseline
1174         JIT frames that may have its scope register not set.  The Debugger's current implementation
1175         which relies on the scope register is not happy about this.  For example, this results in a
1176         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
1177
1178         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
1179         ensure that the scope register value is flushed to the register in the stack frame.
1180
1181         * dfg/DFGByteCodeParser.cpp:
1182         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1183         (JSC::DFG::ByteCodeParser::setLocal):
1184         (JSC::DFG::ByteCodeParser::flush):
1185         - Add code to flush the scope register.
1186         (JSC::DFG::ByteCodeParser::inliningCost):
1187         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
1188           disabling inlining whenever the debugger is in use.
1189         * dfg/DFGGraph.cpp:
1190         (JSC::DFG::Graph::Graph):
1191         * dfg/DFGGraph.h:
1192         (JSC::DFG::Graph::hasDebuggerEnabled):
1193         * dfg/DFGStackLayoutPhase.cpp:
1194         (JSC::DFG::StackLayoutPhase::run):
1195         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
1196         * ftl/FTLCompile.cpp:
1197         (JSC::FTL::mmAllocateDataSection):
1198         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
1199
1200 2015-03-30  Michael Saboff  <msaboff@apple.com>
1201
1202         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
1203         https://bugs.webkit.org/show_bug.cgi?id=138391
1204
1205         Reviewed by Mark Lam.
1206
1207         Re-enabling these tests as I can't get them to fail on local iOS test devices.
1208         There have been many changes since these tests were disabled.
1209         I'll watch automated test results for failures.  If there are failures running automated
1210         testing, it might be due to the device's relative CPU performance.
1211         
1212         * tests/stress/float32-repeat-out-of-bounds.js:
1213         * tests/stress/int8-repeat-out-of-bounds.js:
1214
1215 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
1216
1217         Web Inspector: Regression: Preview for [[null]] shouldn't be []
1218         https://bugs.webkit.org/show_bug.cgi?id=143208
1219
1220         Reviewed by Mark Lam.
1221
1222         * inspector/InjectedScriptSource.js:
1223         Handle null when generating simple object previews.
1224
1225 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
1226
1227         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
1228         https://bugs.webkit.org/show_bug.cgi?id=143134
1229
1230         Reviewed by Geoffrey Garen.
1231
1232         * jit/JSInterfaceJIT.h:
1233         * jit/Repatch.cpp:
1234         (JSC::tryCacheGetByID):
1235
1236 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
1237
1238         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
1239         https://bugs.webkit.org/show_bug.cgi?id=143104
1240
1241         Reviewed by Geoffrey Garen.
1242         
1243         Created a test that is a 100% repro of the flaky failure. This test is called
1244         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
1245         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
1246         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
1247         
1248         Also created three more tests for three similar, but not identical, failures.
1249         
1250         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
1251         only reading those parts of the stack that are relevant to the current semantic code origin.
1252         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
1253         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
1254         read parts of the stack associated with the inline call frame for the phantom arguments. This
1255         may not be subsumed by the current semantic origin's stack area in cases that the arguments
1256         were allowed to "locally" escape.
1257         
1258         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
1259         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
1260         the stack due to function.arguments, but there are a bunch of other ways that we could also
1261         read the stack and those operations may read any stack slot. I believe that this change makes
1262         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
1263         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
1264         readTop() in PreciseLocalClobberize does the right thing.
1265
1266         * dfg/DFGClobberize.h:
1267         (JSC::DFG::clobberize):
1268         * dfg/DFGPreciseLocalClobberize.h:
1269         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1270         * dfg/DFGPutStackSinkingPhase.cpp:
1271         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
1272         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
1273         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
1274         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
1275         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
1276
1277 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
1278
1279         Start the features.json files
1280         https://bugs.webkit.org/show_bug.cgi?id=143207
1281
1282         Reviewed by Darin Adler.
1283
1284         Start the features.json files to have something to experiment
1285         with for the UI.
1286
1287         * features.json: Added.
1288
1289 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1290
1291         [Win] Addresing post-review comment after r182122
1292         https://bugs.webkit.org/show_bug.cgi?id=143189
1293
1294         Unreviewed.
1295
1296 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
1297
1298         [Win] Allow building JavaScriptCore without Cygwin
1299         https://bugs.webkit.org/show_bug.cgi?id=143189
1300
1301         Reviewed by Brent Fulgham.
1302
1303         Paths like /usr/bin/ don't exist on Windows.
1304         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
1305         Prefixing commands with environment variables doesn't work on Windows.
1306         Windows doesn't have 'cmp'
1307         Windows uses 'del' instead of 'rm'
1308         Windows uses 'type NUL' intead of 'touch'
1309
1310         * DerivedSources.make:
1311         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1312         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1313         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
1314         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1315         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
1316         * JavaScriptCore.vcxproj/build-generated-files.pl:
1317         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
1318
1319 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
1320
1321         Clean up JavaScriptCore/builtins
1322         https://bugs.webkit.org/show_bug.cgi?id=143177
1323
1324         Reviewed by Ryosuke Niwa.
1325
1326         * builtins/ArrayConstructor.js:
1327         (from):
1328         - We can compare to undefined instead of using a typeof undefined check.
1329         - Converge on double quoted strings everywhere.
1330
1331         * builtins/ArrayIterator.prototype.js:
1332         (next):
1333         * builtins/StringIterator.prototype.js:
1334         (next):
1335         - Use shorthand object construction to avoid duplication.
1336         - Improve grammar in error messages.
1337
1338         * tests/stress/array-iterators-next-with-call.js:
1339         * tests/stress/string-iterators.js:
1340         - Update for new error message strings.
1341
1342 2015-03-28  Saam Barati  <saambarati1@gmail.com>
1343
1344         Web Inspector: ES6: Better support for Symbol types in Type Profiler
1345         https://bugs.webkit.org/show_bug.cgi?id=141257
1346
1347         Reviewed by Joseph Pecoraro.
1348
1349         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
1350         type profiler support this new primitive type.
1351
1352         * dfg/DFGFixupPhase.cpp:
1353         (JSC::DFG::FixupPhase::fixupNode):
1354         * inspector/protocol/Runtime.json:
1355         * runtime/RuntimeType.cpp:
1356         (JSC::runtimeTypeForValue):
1357         * runtime/RuntimeType.h:
1358         (JSC::runtimeTypeIsPrimitive):
1359         * runtime/TypeSet.cpp:
1360         (JSC::TypeSet::addTypeInformation):
1361         (JSC::TypeSet::dumpTypes):
1362         (JSC::TypeSet::doesTypeConformTo):
1363         (JSC::TypeSet::displayName):
1364         (JSC::TypeSet::inspectorTypeSet):
1365         (JSC::TypeSet::toJSONString):
1366         * runtime/TypeSet.h:
1367         (JSC::TypeSet::seenTypes):
1368         * tests/typeProfiler/driver/driver.js:
1369         * tests/typeProfiler/symbol.js: Added.
1370         (wrapper.foo):
1371         (wrapper.bar):
1372         (wrapper.bar.bar.baz):
1373         (wrapper):
1374
1375 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1376
1377         Deconstruction parameters are bound too late
1378         https://bugs.webkit.org/show_bug.cgi?id=143148
1379
1380         Reviewed by Filip Pizlo.
1381
1382         Currently, a deconstruction pattern named with the same
1383         name as a function will shadow the function. This is
1384         wrong. It should be the other way around.
1385
1386         * bytecompiler/BytecodeGenerator.cpp:
1387         (JSC::BytecodeGenerator::generate):
1388
1389 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1390
1391         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
1392         https://bugs.webkit.org/show_bug.cgi?id=143170
1393
1394         Reviewed by Benjamin Poulain.
1395
1396         Assert that we never use the 16-bit version of the parser to parse a default constructor
1397         since both base and derived default constructors should be using an 8-bit string.
1398
1399         * parser/Parser.h:
1400         (JSC::parse):
1401
1402 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
1403
1404         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
1405         https://bugs.webkit.org/show_bug.cgi?id=142862
1406
1407         Reviewed by Benjamin Poulain.
1408
1409         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
1410
1411         * tests/stress/class-syntax-derived-default-constructor.js: Added.
1412
1413 2015-03-27  Michael Saboff  <msaboff@apple.com>
1414
1415         load8Signed() and load16Signed() should be renamed to avoid confusion
1416         https://bugs.webkit.org/show_bug.cgi?id=143168
1417
1418         Reviewed by Benjamin Poulain.
1419
1420         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
1421
1422         * assembler/MacroAssemblerARM.h:
1423         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
1424         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
1425         (JSC::MacroAssemblerARM::load8Signed): Deleted.
1426         (JSC::MacroAssemblerARM::load16Signed): Deleted.
1427         * assembler/MacroAssemblerARM64.h:
1428         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
1429         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
1430         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
1431         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
1432         * assembler/MacroAssemblerARMv7.h:
1433         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
1434         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
1435         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
1436         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
1437         * assembler/MacroAssemblerMIPS.h:
1438         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1439         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
1440         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
1441         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
1442         * assembler/MacroAssemblerSH4.h:
1443         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
1444         (JSC::MacroAssemblerSH4::load8):
1445         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
1446         (JSC::MacroAssemblerSH4::load16):
1447         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
1448         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
1449         * assembler/MacroAssemblerX86Common.h:
1450         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
1451         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
1452         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
1453         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
1454         * dfg/DFGSpeculativeJIT.cpp:
1455         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1456         * jit/JITPropertyAccess.cpp:
1457         (JSC::JIT::emitIntTypedArrayGetByVal):
1458
1459 2015-03-27  Michael Saboff  <msaboff@apple.com>
1460
1461         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
1462         https://bugs.webkit.org/show_bug.cgi?id=138390
1463
1464         Reviewed by Mark Lam.
1465
1466         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
1467         instead of 64 bits.  This is what X86-64 does.
1468
1469         * assembler/MacroAssemblerARM64.h:
1470         (JSC::MacroAssemblerARM64::load16Signed):
1471         (JSC::MacroAssemblerARM64::load8Signed):
1472
1473 2015-03-27  Saam Barati  <saambarati1@gmail.com>
1474
1475         Add back previously broken assert from bug 141869
1476         https://bugs.webkit.org/show_bug.cgi?id=143005
1477
1478         Reviewed by Michael Saboff.
1479
1480         * runtime/ExceptionHelpers.cpp:
1481         (JSC::invalidParameterInSourceAppender):
1482
1483 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1484
1485         Make some more objects use FastMalloc
1486         https://bugs.webkit.org/show_bug.cgi?id=143122
1487
1488         Reviewed by Csaba Osztrogonác.
1489
1490         * API/JSCallbackObject.h:
1491         * heap/IncrementalSweeper.h:
1492         * jit/JITThunks.h:
1493         * runtime/JSGlobalObjectDebuggable.h:
1494         * runtime/RegExpCache.h:
1495
1496 2015-03-27  Michael Saboff  <msaboff@apple.com>
1497
1498         Objects with numeric properties intermittently get a phantom 'length' property
1499         https://bugs.webkit.org/show_bug.cgi?id=142792
1500
1501         Reviewed by Csaba Osztrogonác.
1502
1503         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
1504         test and branch instructions.  This function is used for linking tbz/tbnz branches between
1505         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
1506         the failure case checks in the GetById array length stub created for "obj.length" access.
1507         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
1508         being set when we should have been looking for bit 0.
1509
1510         * assembler/ARM64Assembler.h:
1511         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
1512
1513 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1514
1515         Insert exception check around toPropertyKey call
1516         https://bugs.webkit.org/show_bug.cgi?id=142922
1517
1518         Reviewed by Geoffrey Garen.
1519
1520         In some places, an exception check is missing after/before toPropertyKey.
1521         However, since it calls toString, this is observable to users.
1522
1523         Missing exception checks in Object.prototype methods can be
1524         observed since it would be overridden with toObject(null/undefined) errors.
1525         We inserted exception checks after toPropertyKey.
1526
1527         Missing exception checks in GetById related code can be
1528         observed since it would be overridden with toObject(null/undefined) errors.
1529         In this case, we need to insert exception checks before/after toPropertyKey
1530         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
1531
1532         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
1533         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
1534         According to the spec, we first perform RequireObjectCoercible and check the exception.
1535         And second, we perform ToPropertyKey and check the exception.
1536         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
1537         For example, if the target is not object coercible,
1538         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
1539         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
1540
1541         This patch introduces JSValue::requireObjectCoercible and uses it because of the following 2 reasons.
1542
1543         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
1544
1545         toObject converts primitive types into wrapper objects.
1546         But it is not efficient since wrapper objects are not necessary
1547         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
1548
1549         2. Using the result of toObject is not correct to the spec.
1550
1551         To align to the spec correctly, we cannot use JSObject::get
1552         by using the wrapper object produced by the toObject suggested in (1).
1553         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
1554         It is not correct since getter should be called with the original |this| value that may be primitive types.
1555
1556         So in this patch, we use JSValue::requireObjectCoercible
1557         to check the target is object coercible and raise an error if it's not.
1558
1559         * dfg/DFGOperations.cpp:
1560         * jit/JITOperations.cpp:
1561         (JSC::getByVal):
1562         * llint/LLIntSlowPaths.cpp:
1563         (JSC::LLInt::getByVal):
1564         * runtime/CommonSlowPaths.cpp:
1565         (JSC::SLOW_PATH_DECL):
1566         * runtime/JSCJSValue.h:
1567         * runtime/JSCJSValueInlines.h:
1568         (JSC::JSValue::requireObjectCoercible):
1569         * runtime/ObjectPrototype.cpp:
1570         (JSC::objectProtoFuncHasOwnProperty):
1571         (JSC::objectProtoFuncDefineGetter):
1572         (JSC::objectProtoFuncDefineSetter):
1573         (JSC::objectProtoFuncLookupGetter):
1574         (JSC::objectProtoFuncLookupSetter):
1575         (JSC::objectProtoFuncPropertyIsEnumerable):
1576         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
1577         (shouldThrow):
1578         (if):
1579         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
1580         (shouldThrow):
1581         (.):
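
        The two orderings this entry describes, made observable from script. This is an added example, not JavaScriptCore code; the throwing key, the KeyConversionError class and the helper names are constructed here.

```javascript
// Added example (not JavaScriptCore code). A property key whose toString()
// throws lets us see whether an engine ran ToPropertyKey before or after its
// null/undefined check on the receiver, which is exactly what the missing
// exception checks in this entry made observable.

class KeyConversionError extends Error {}

// Constructed key: ToPropertyKey -> ToPrimitive(hint "string") -> toString(),
// which records the call and throws our own error instead of returning a string.
function makeThrowingKey() {
  const trace = [];
  const key = {
    toString() {
      trace.push("toString");
      throw new KeyConversionError("ToPropertyKey ran");
    },
  };
  return { key, trace };
}

// Runs fn and reports which error class escaped, or "none".
function observe(fn) {
  try {
    fn();
    return "none";
  } catch (e) {
    return e.constructor.name;
  }
}

// Object.prototype.hasOwnProperty: the spec runs ToPropertyKey(V) first and
// ToObject(this) second. With a null receiver the key's own error must win;
// the fix in this entry stops JSC from letting the later toObject(null)
// TypeError override it.
function hasOwnPropertyOrder() {
  const { key, trace } = makeThrowingKey();
  const thrown = observe(() => Object.prototype.hasOwnProperty.call(null, key));
  return { thrown, toStringCalls: trace.length };
}

// Property access base[key] (get_by_val): RequireObjectCoercible(base) runs
// first, then ToPropertyKey(key). With a null base, toString must never run.
function getByValNullBaseOrder() {
  const { key, trace } = makeThrowingKey();
  const thrown = observe(() => null[key]);
  return { thrown, toStringCalls: trace.length };
}

// With an object-coercible primitive base, RequireObjectCoercible passes and
// the ToPropertyKey error is what propagates (no wrapper object is needed).
function getByValPrimitiveBaseOrder() {
  const { key, trace } = makeThrowingKey();
  const thrown = observe(() => "abc"[key]);
  return { thrown, toStringCalls: trace.length };
}

console.log(hasOwnPropertyOrder());        // KeyConversionError, 1 toString call
console.log(getByValNullBaseOrder());      // TypeError, 0 toString calls
console.log(getByValPrimitiveBaseOrder()); // KeyConversionError, 1 toString call
```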
1582
1583 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1584
1585         WebContent Crash when instantiating class with Type Profiling enabled
1586         https://bugs.webkit.org/show_bug.cgi?id=143037
1587
1588         Reviewed by Ryosuke Niwa.
1589
1590         * bytecompiler/BytecodeGenerator.h:
1591         * bytecompiler/BytecodeGenerator.cpp:
1592         (JSC::BytecodeGenerator::BytecodeGenerator):
1593         (JSC::BytecodeGenerator::emitMoveEmptyValue):
1594         We cannot profile the type of an uninitialized empty JSValue.
1595         Nor do we expect this to be necessary, since it is effectively
1596         an unseen undefined value. So add a way to put the empty value
1597         without profiling.
1598
1599         (JSC::BytecodeGenerator::emitMove):
1600         Add an assert to try to catch this issue early on, and force
1601         callers to explicitly use emitMoveEmptyValue instead.
1602
1603         * tests/typeProfiler/classes.js: Added.
1604         (wrapper.Base):
1605         (wrapper.Derived):
1606         (wrapper):
1607         Add test coverage both for this case and classes in general.
1608
1609 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
1610
1611         Web Inspector: ES6: Provide a better view for Classes in the console
1612         https://bugs.webkit.org/show_bug.cgi?id=142999
1613
1614         Reviewed by Timothy Hatcher.
1615
1616         * inspector/protocol/Runtime.json:
1617         Provide a new `subtype` enum "class". This is a subtype of `type`
1618         "function", all other subtypes are subtypes of `object` types.
1619         For a class, the frontend will immediately want to get the prototype
1620         to enumerate its methods, so include the `classPrototype`.
1621
1622         * inspector/JSInjectedScriptHost.cpp:
1623         (Inspector::JSInjectedScriptHost::subtype):
1624         Denote class construction functions as "class" subtypes.
1625
1626         * inspector/InjectedScriptSource.js:
1627         Handling for the new "class" type.
1628
1629         * bytecode/UnlinkedCodeBlock.h:
1630         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
1631         * runtime/Executable.h:
1632         (JSC::FunctionExecutable::isClassConstructorFunction):
1633         * runtime/JSFunction.h:
1634         * runtime/JSFunctionInlines.h:
1635         (JSC::JSFunction::isClassConstructorFunction):
1636         Check if this function is a class constructor function. That information
1637         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
1638
1639 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1640
1641         Function.prototype.toString should not decompile the AST
1642         https://bugs.webkit.org/show_bug.cgi?id=142853
1643
1644         Reviewed by Darin Adler.
1645
1646         Following up on Darin's review comments.
1647
1648         * runtime/FunctionConstructor.cpp:
1649         (JSC::constructFunctionSkippingEvalEnabledCheck):
1650
1651 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1652
1653         "lineNo" does not match WebKit coding style guidelines
1654         https://bugs.webkit.org/show_bug.cgi?id=143119
1655
1656         Reviewed by Michael Saboff.
1657
1658         We can afford to use whole words.
1659
1660         * bytecode/CodeBlock.cpp:
1661         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1662         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
1663         * bytecode/UnlinkedCodeBlock.cpp:
1664         (JSC::UnlinkedFunctionExecutable::link):
1665         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1666         * bytecode/UnlinkedCodeBlock.h:
1667         * bytecompiler/NodesCodegen.cpp:
1668         (JSC::WhileNode::emitBytecode):
1669         * debugger/Debugger.cpp:
1670         (JSC::Debugger::toggleBreakpoint):
1671         * interpreter/Interpreter.cpp:
1672         (JSC::StackFrame::computeLineAndColumn):
1673         (JSC::GetStackTraceFunctor::operator()):
1674         (JSC::Interpreter::execute):
1675         * interpreter/StackVisitor.cpp:
1676         (JSC::StackVisitor::Frame::computeLineAndColumn):
1677         * parser/Nodes.h:
1678         (JSC::Node::firstLine):
1679         (JSC::Node::lineNo): Deleted.
1680         (JSC::StatementNode::firstLine): Deleted.
1681         * parser/ParserError.h:
1682         (JSC::ParserError::toErrorObject):
1683         * profiler/LegacyProfiler.cpp:
1684         (JSC::createCallIdentifierFromFunctionImp):
1685         * runtime/CodeCache.cpp:
1686         (JSC::CodeCache::getGlobalCodeBlock):
1687         * runtime/Executable.cpp:
1688         (JSC::ScriptExecutable::ScriptExecutable):
1689         (JSC::ScriptExecutable::newCodeBlockFor):
1690         (JSC::FunctionExecutable::fromGlobalCode):
1691         * runtime/Executable.h:
1692         (JSC::ScriptExecutable::firstLine):
1693         (JSC::ScriptExecutable::setOverrideLineNumber):
1694         (JSC::ScriptExecutable::hasOverrideLineNumber):
1695         (JSC::ScriptExecutable::overrideLineNumber):
1696         (JSC::ScriptExecutable::lineNo): Deleted.
1697         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
1698         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
1699         (JSC::ScriptExecutable::overrideLineNo): Deleted.
1700         * runtime/FunctionConstructor.cpp:
1701         (JSC::constructFunctionSkippingEvalEnabledCheck):
1702         * runtime/FunctionConstructor.h:
1703         * tools/CodeProfile.cpp:
1704         (JSC::CodeProfile::report):
1705         * tools/CodeProfile.h:
1706         (JSC::CodeProfile::CodeProfile):
1707
1708 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
1709
1710         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
1711         https://bugs.webkit.org/show_bug.cgi?id=142974
1712
1713         Reviewed by Joseph Pecoraro.
1714
1715         This patch does two things:
1716
1717         (1) Restore JavaScriptCore's sanitization of line and column numbers to
1718         one-based values.
1719
1720         We need this because WebCore sometimes provides huge negative column
1721         numbers.
1722
1723         (2) Solve the attribute event listener line numbering problem a different
1724         way: Rather than offsetting all line numbers by -1 in an attribute event
1725         listener in order to arrange for a custom result, instead use an explicit
1726         feature for saying "all errors in this code should map to this line number".
1727
1728         * bytecode/UnlinkedCodeBlock.cpp:
1729         (JSC::UnlinkedFunctionExecutable::link):
1730         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1731         * bytecode/UnlinkedCodeBlock.h:
1732         * interpreter/Interpreter.cpp:
1733         (JSC::StackFrame::computeLineAndColumn):
1734         (JSC::GetStackTraceFunctor::operator()):
1735         * interpreter/Interpreter.h:
1736         * interpreter/StackVisitor.cpp:
1737         (JSC::StackVisitor::Frame::computeLineAndColumn):
1738         * parser/ParserError.h:
1739         (JSC::ParserError::toErrorObject): Plumb through an override line number.
1740         When a function has an override line number, all syntax and runtime
1741         errors in the function will map to it. This is useful for attribute event
1742         listeners.
1743  
1744         * parser/SourceCode.h:
1745         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
1746         column numbers to one-based integers. It was kind of a hack to remove this.
1747
1748         * runtime/Executable.cpp:
1749         (JSC::ScriptExecutable::ScriptExecutable):
1750         (JSC::FunctionExecutable::fromGlobalCode):
1751         * runtime/Executable.h:
1752         (JSC::ScriptExecutable::setOverrideLineNo):
1753         (JSC::ScriptExecutable::hasOverrideLineNo):
1754         (JSC::ScriptExecutable::overrideLineNo):
1755         * runtime/FunctionConstructor.cpp:
1756         (JSC::constructFunctionSkippingEvalEnabledCheck):
1757         * runtime/FunctionConstructor.h: Plumb through an override line number.
1758
1759 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1760
1761         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
1762
1763         Reviewed by Michael Saboff.
1764
1765         * jit/JITPropertyAccess.cpp:
1766         (JSC::JIT::emitScopedArgumentsGetByVal):
1767         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
1768
1769 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1770
1771         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
1772         https://bugs.webkit.org/show_bug.cgi?id=143098
1773
1774         Reviewed by Csaba Osztrogonác.
1775
1776         * ftl/FTLLowerDFGToLLVM.cpp:
1777         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
1778         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
1779
1780 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
1781
1782         Unreviewed gardening, skip failing tests on AArch64 Linux.
1783
1784         * tests/mozilla/mozilla-tests.yaml:
1785         * tests/stress/cached-prototype-setter.js:
1786
1787 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1788
1789         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
1790
1791         * dfg/DFGConstantFoldingPhase.cpp:
1792         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
1793         * ftl/FTLCompile.cpp:
1794         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
1795         * ftl/FTLState.cpp:
1796         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
1797         * ftl/FTLState.h:
1798
1799 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1800
1801         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
1802         right, so this just makes 32-bit do the same.
1803
1804         * dfg/DFGSpeculativeJIT32_64.cpp:
1805         (JSC::DFG::SpeculativeJIT::emitCall):
1806
1807 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1808
1809         Fix a typo that ggaren found but that I didn't fix before.
1810
1811         * runtime/DirectArgumentsOffset.h:
1812
1813 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1814
1815         Unreviewed, VC found a bug. This fixes the bug.
1816
1817         * dfg/DFGConstantFoldingPhase.cpp:
1818         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1819
1820 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1821
1822         Unreviewed, try to fix Windows build.
1823
1824         * runtime/ClonedArguments.cpp:
1825         (JSC::ClonedArguments::createWithInlineFrame):
1826
1827 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1828
1829         Unreviewed, fix debug build.
1830
1831         * bytecompiler/NodesCodegen.cpp:
1832         (JSC::ConstDeclNode::emitCodeSingle):
1833
1834 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1835
1836         Unreviewed, fix CLOOP build.
1837
1838         * dfg/DFGMinifiedID.h:
1839
1840 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1841
1842         Heap variables shouldn't end up in the stack frame
1843         https://bugs.webkit.org/show_bug.cgi?id=141174
1844
1845         Reviewed by Geoffrey Garen.
1846         
1847         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
1848         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
1849         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
1850         simplifications:
1851         
1852         - Accesses to variables no longer need checks or indirections to determine where the variable is
1853           at that moment in time. For example, loading a closure variable now takes just one load instead
1854           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
1855           (when no arguments object allocation is required) while previously that same operation required
1856           a "did I allocate arguments yet" check, a bounds check, and then the load.
1857         
1858         - Reasoning about the allocation of an activation or arguments object now follows the same simple
1859           logic as the allocation of any other kind of object. Previously, those objects were lazily
1860           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
1861           allocate anything at all. This made the implementation of traditional escape analyses really
1862           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
1863           arguments object using the usual SSA tricks which allows for more comprehensive removal.
1864         
1865         - The allocations of arguments objects, functions, and activations are now much faster. While
1866           this patch generally expands our ability to eliminate arguments object allocations, an earlier
1867           version of the patch - which lacked that functionality - was a progression on some arguments-
1868           and closure-happy benchmarks because although no allocations were eliminated, all allocations
1869           were faster.
1870         
1871         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
1872           its arguments objects or activations. The runtime doesn't have to do things to the arguments
1873           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
1874           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
1875           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
1876           now gone. This also enables implementing block-scoping. Without this change, block-scope
1877           support would require telling CodeBlock and all of the rest of the runtime about all of the
1878           variables that store currently-live scopes. That would have been so disastrously hard that it
1879           might as well be impossible. With this change, it's fair game for the bytecode generator to
1880           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
1881           however long it wants. This all works, because after bytecode generation, an activation is just
1882           an object and variables that refer to it are just normal variables.
1883         
1884         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
1885           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
1886           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
1887           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
1888           an arguments object.
1889         
1890         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
1891           using activations used to prevent inlining; now functions that use activations can be inlined
1892           just fine.
1893         
1894         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
1895         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
1896         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
1897         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
1898         
1899         The easiest way of understanding this change is to start by looking at the changes in runtime/,
1900         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
1901
1902         * CMakeLists.txt:
1903         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1904         * JavaScriptCore.xcodeproj/project.pbxproj:
1905         * assembler/AbortReason.h:
1906         * assembler/AbstractMacroAssembler.h:
1907         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
1908         * bytecode/ByValInfo.h:
1909         (JSC::hasOptimizableIndexingForJSType):
1910         (JSC::hasOptimizableIndexing):
1911         (JSC::jitArrayModeForJSType):
1912         (JSC::jitArrayModePermitsPut):
1913         (JSC::jitArrayModeForStructure):
1914         * bytecode/BytecodeKills.h: Added.
1915         (JSC::BytecodeKills::BytecodeKills):
1916         (JSC::BytecodeKills::operandIsKilled):
1917         (JSC::BytecodeKills::forEachOperandKilledAt):
1918         (JSC::BytecodeKills::KillSet::KillSet):
1919         (JSC::BytecodeKills::KillSet::add):
1920         (JSC::BytecodeKills::KillSet::forEachLocal):
1921         (JSC::BytecodeKills::KillSet::contains):
1922         * bytecode/BytecodeList.json:
1923         * bytecode/BytecodeLivenessAnalysis.cpp:
1924         (JSC::isValidRegisterForLiveness):
1925         (JSC::stepOverInstruction):
1926         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
1927         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1928         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
1929         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1930         (JSC::BytecodeLivenessAnalysis::computeKills):
1931         (JSC::indexForOperand): Deleted.
1932         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
1933         (JSC::getLivenessInfo): Deleted.
1934         * bytecode/BytecodeLivenessAnalysis.h:
1935         * bytecode/BytecodeLivenessAnalysisInlines.h:
1936         (JSC::operandIsAlwaysLive):
1937         (JSC::operandThatIsNotAlwaysLiveIsLive):
1938         (JSC::operandIsLive):
1939         * bytecode/BytecodeUseDef.h:
1940         (JSC::computeUsesForBytecodeOffset):
1941         (JSC::computeDefsForBytecodeOffset):
1942         * bytecode/CodeBlock.cpp:
1943         (JSC::CodeBlock::dumpBytecode):
1944         (JSC::CodeBlock::CodeBlock):
1945         (JSC::CodeBlock::nameForRegister):
1946         (JSC::CodeBlock::validate):
1947         (JSC::CodeBlock::isCaptured): Deleted.
1948         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
1949         (JSC::CodeBlock::machineSlowArguments): Deleted.
1950         * bytecode/CodeBlock.h:
1951         (JSC::unmodifiedArgumentsRegister): Deleted.
1952         (JSC::CodeBlock::setArgumentsRegister): Deleted.
        (JSC::CodeBlock::argumentsRegister): Deleted.
        (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
        (JSC::CodeBlock::usesArguments): Deleted.
        (JSC::CodeBlock::captureCount): Deleted.
        (JSC::CodeBlock::captureStart): Deleted.
        (JSC::CodeBlock::captureEnd): Deleted.
        (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
        (JSC::CodeBlock::hasSlowArguments): Deleted.
        (JSC::ExecState::argumentAfterCapture): Deleted.
        * bytecode/CodeOrigin.h:
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * bytecode/FullBytecodeLiveness.h:
        (JSC::FullBytecodeLiveness::getLiveness):
        (JSC::FullBytecodeLiveness::operandIsLive):
        (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
        (JSC::FullBytecodeLiveness::getOut): Deleted.
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Operands.h:
        (JSC::Operands::virtualRegisterForIndex):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        (JSC::isDirectArgumentsSpeculation):
        (JSC::isScopedArgumentsSpeculation):
        (JSC::isActionableMutableArraySpeculation):
        (JSC::isActionableArraySpeculation):
        (JSC::isArgumentsSpeculation): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
        (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
        (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
        * bytecode/ValueRecovery.cpp:
        (JSC::ValueRecovery::dumpInContext):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
        (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
        (JSC::ValueRecovery::nodeID):
        (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::operator==):
        (JSC::VirtualRegister::operator!=):
        (JSC::VirtualRegister::operator<):
        (JSC::VirtualRegister::operator>):
        (JSC::VirtualRegister::operator<=):
        (JSC::VirtualRegister::operator>=):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeNextParameter):
        (JSC::BytecodeGenerator::visibleNameForParameter):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::createVariable):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::initializeVariable):
        (JSC::BytecodeGenerator::emitInstanceOf):
        (JSC::BytecodeGenerator::emitNewFunction):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::isArgumentNumber):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::addVar): Deleted.
        (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
        (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
        (JSC::BytecodeGenerator::resolveCallee): Deleted.
        (JSC::BytecodeGenerator::addCallee): Deleted.
        (JSC::BytecodeGenerator::addParameter): Deleted.
        (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
        (JSC::BytecodeGenerator::isCaptured): Deleted.
        (JSC::BytecodeGenerator::local): Deleted.
        (JSC::BytecodeGenerator::constLocal): Deleted.
        (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
        (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
        (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
        (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
        (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Variable::Variable):
        (JSC::Variable::isResolved):
        (JSC::Variable::ident):
        (JSC::Variable::offset):
        (JSC::Variable::isLocal):
        (JSC::Variable::local):
        (JSC::Variable::isSpecial):
        (JSC::BytecodeGenerator::argumentsRegister):
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::registerFor):
        (JSC::Local::Local): Deleted.
        (JSC::Local::operator bool): Deleted.
        (JSC::Local::get): Deleted.
        (JSC::Local::isSpecial): Deleted.
        (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
        (JSC::ResolveScopeInfo::isLocal): Deleted.
        (JSC::ResolveScopeInfo::localIndex): Deleted.
        (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
        (JSC::BytecodeGenerator::captureMode): Deleted.
        (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
        (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
        (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
        (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ForInNode::tryGetBoundLocal):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ArrayPatternNode::emitDirectBinding):
        (JSC::BindingNode::bindValue):
        (JSC::getArgumentByVal): Deleted.
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
        * dfg/DFGAbstractValue.h:
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::addVariable):
        * dfg/DFGArgumentsEliminationPhase.cpp: Added.
        (JSC::DFG::performArgumentsElimination):
        * dfg/DFGArgumentsEliminationPhase.h: Added.
        * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
        * dfg/DFGArgumentsSimplificationPhase.h: Removed.
        * dfg/DFGArgumentsUtilities.cpp: Added.
        (JSC::DFG::argumentsInvolveStackSlot):
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGArgumentsUtilities.h: Added.
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        (JSC::DFG::ArrayMode::alreadyChecked):
        (JSC::DFG::arrayTypeToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::canCSEStorage):
        (JSC::DFG::ArrayMode::modeForPut):
        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::prune):
        * dfg/DFGAvailabilityMap.h:
        (JSC::DFG::AvailabilityMap::closeOverNodes):
        (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::newVariableAccessData):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flushDirect):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
        (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupportedForInlining):
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGDisassembler.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGForAllKills.h: Added.
        (JSC::DFG::forAllLiveNodesAtTail):
        (JSC::DFG::forAllDirectlyKilledOperands):
        (JSC::DFG::forAllKilledOperands):
        (JSC::DFG::forAllKilledNodesAtNodeIndex):
        (JSC::DFG::forAllKillsInBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::substituteGetLocal):
        (JSC::DFG::Graph::livenessFor):
        (JSC::DFG::Graph::killsFor):
        (JSC::DFG::Graph::tryGetConstantClosureVar):
        (JSC::DFG::Graph::tryGetRegisters): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::symbolTableFor):
        (JSC::DFG::Graph::uses):
        (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
        (JSC::DFG::Graph::capturedVarsFor): Deleted.
        (JSC::DFG::Graph::usesArguments): Deleted.
        (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
        (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
        (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGMinifiedID.h:
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasInlineCallFrame):
        (JSC::DFG::MinifiedNode::inlineCallFrame):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToIdentityOn):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasConstant):
        (JSC::DFG::Node::constant):
        (JSC::DFG::Node::hasScopeOffset):
        (JSC::DFG::Node::scopeOffset):
        (JSC::DFG::Node::hasDirectArgumentsOffset):
        (JSC::DFG::Node::capturedArgumentsOffset):
        (JSC::DFG::Node::variablePointer):
        (JSC::DFG::Node::hasCallVarargsData):
        (JSC::DFG::Node::hasLoadVarargsData):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::objectMaterializationData):
        (JSC::DFG::Node::isPhantomAllocation):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        (JSC::DFG::Node::shouldSpeculateDirectArguments):
        (JSC::DFG::Node::shouldSpeculateScopedArguments):
        (JSC::DFG::Node::isPhantomArguments): Deleted.
        (JSC::DFG::Node::hasVarNumber): Deleted.
        (JSC::DFG::Node::varNumber): Deleted.
        (JSC::DFG::Node::registerPointer): Deleted.
        (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
        * dfg/DFGOSRExitCompiler.h:
        (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
        (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
        (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
        (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::preciseLocalClobberize):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
        (JSC::DFG::forEachLocalReadByUnwind): Deleted.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
        * dfg/DFGPromoteHeapAccess.h:
        (JSC::DFG::promoteHeapAccess):
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        (JSC::DFG::SpeculativeJIT::emitGetLength):
        (JSC::DFG::SpeculativeJIT::emitGetCallee):
        (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
        (JSC::DFG::SpeculativeJIT::compilePutToArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
        (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVarargsForwardingPhase.cpp: Added.
        (JSC::DFG::performVarargsForwarding):
        * dfg/DFGVarargsForwardingPhase.h: Added.
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::flushFormat):
        (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldNeverUnbox):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::isCaptured): Deleted.
        (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
        (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
        * dfg/DFGVariableAccessDataDump.cpp:
        (JSC::DFG::VariableAccessDataDump::dump):
        * dfg/DFGVariableAccessDataDump.h:
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
        * dfg/DFGVariableEventStream.h:
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractField::dump):
        (JSC::FTL::IndexedAbstractHeap::dump):
        (JSC::FTL::NumberedAbstractHeap::dump):
        (JSC::FTL::AbsoluteAbstractHeap::dump):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitArgument.cpp:
        (JSC::FTL::ExitArgument::dump):
        * ftl/FTLExitPropertyValue.cpp:
        (JSC::FTL::ExitPropertyValue::withLocalsOffset):
        * ftl/FTLExitPropertyValue.h:
        * ftl/FTLExitTimeObjectMaterialization.cpp:
        (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
        (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
        * ftl/FTLExitTimeObjectMaterialization.h:
        (JSC::FTL::ExitTimeObjectMaterialization::origin):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::withLocalsOffset):
        (JSC::FTL::ExitValue::valueFormat):
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::isArgument):
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
        (JSC::FTL::ExitValue::valueFormat): Deleted.
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCallForwardVarargs):
        (JSC::FTL::sizeOfConstructForwardVarargs):
        (JSC::FTL::sizeOfICFor):
        * ftl/FTLInlineCacheSize.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::JSCallVarargs):
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLJSCallVarargs.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutStack):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
        (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
        (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
        (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
        (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
        (JSC::FTL::LowerDFGToLLVM::baseIndex):
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::loadStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
        (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileRecovery):
        (JSC::FTL::compileStub):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::zeroExtPtr):
        * heap/CopyToken.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::getArgumentUnsafe):
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        (JSC::unwindCallFrame):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        (JSC::StackVisitor::Frame::existingArguments): Deleted.
        * interpreter/StackVisitor.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::loadValue):
        (JSC::AssemblyHelpers::storeTrustedValue):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIsEmpty):
        (JSC::AssemblyHelpers::argumentsStart):
        (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
        (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
        (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgument):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::withTwoAvailableRegs):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_new_func):
        (JSC::JIT::emit_op_create_direct_arguments):
        (JSC::JIT::emit_op_create_scoped_arguments):
        (JSC::JIT::emit_op_create_out_of_band_arguments):
        (JSC::JIT::emit_op_tear_off_arguments): Deleted.
        (JSC::JIT::emit_op_create_arguments): Deleted.
        (JSC::JIT::emit_op_init_lazy_reg): Deleted.
        (JSC::JIT::emit_op_get_arguments_length): Deleted.
        (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
        (JSC::JIT::emit_op_get_argument_by_val): Deleted.
        (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_tear_off_arguments): Deleted.
        (JSC::JIT::emit_op_create_arguments): Deleted.
        (JSC::JIT::emit_op_init_lazy_reg): Deleted.
        (JSC::JIT::emit_op_get_arguments_length): Deleted.
        (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
        (JSC::JIT::emit_op_get_argument_by_val): Deleted.
        (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::emitDirectArgumentsGetByVal):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ScopeNode::captures):
        * runtime/Arguments.cpp: Removed.
        * runtime/Arguments.h: Removed.
        * runtime/ArgumentsMode.h: Added.
        * runtime/DirectArgumentsOffset.cpp: Added.
        (JSC::DirectArgumentsOffset::dump):
        * runtime/DirectArgumentsOffset.h: Added.
        (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/ConstantMode.cpp: Added.
        (WTF::printInternal):
        * runtime/ConstantMode.h:
        (JSC::modeForIsConstant):
        * runtime/DirectArguments.cpp: Added.
        (JSC::DirectArguments::DirectArguments):
        (JSC::DirectArguments::createUninitialized):
        (JSC::DirectArguments::create):
        (JSC::DirectArguments::createByCopying):
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::copyBackingStore):
        (JSC::DirectArguments::createStructure):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::overrideThingsIfNecessary):
        (JSC::DirectArguments::overrideArgument):
        (JSC::DirectArguments::copyToArguments):
        (JSC::DirectArguments::overridesSize):
        * runtime/DirectArguments.h: Added.
        (JSC::DirectArguments::internalLength):
        (JSC::DirectArguments::length):
        (JSC::DirectArguments::canAccessIndexQuickly):
        (JSC::DirectArguments::getIndexQuickly):
        (JSC::DirectArguments::setIndexQuickly):
        (JSC::DirectArguments::callee):
        (JSC::DirectArguments::argument):
        (JSC::DirectArguments::overrodeThings):
        (JSC::DirectArguments::offsetOfCallee):
        (JSC::DirectArguments::offsetOfLength):
        (JSC::DirectArguments::offsetOfMinCapacity):
        (JSC::DirectArguments::offsetOfOverrides):
        (JSC::DirectArguments::storageOffset):
        (JSC::DirectArguments::offsetOfSlot):
        (JSC::DirectArguments::allocationSize):
        (JSC::DirectArguments::storage):
        * runtime/FunctionPrototype.cpp:
        * runtime/GenericArguments.h: Added.
        (JSC::GenericArguments::GenericArguments):
        * runtime/GenericArgumentsInlines.h: Added.
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::putByIndex):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::deletePropertyByIndex):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        (JSC::GenericArguments<Type>::copyToArguments):
        * runtime/GenericOffset.h: Added.
        (JSC::GenericOffset::GenericOffset):
        (JSC::GenericOffset::operator!):
        (JSC::GenericOffset::offsetUnchecked):
        (JSC::GenericOffset::offset):
        (JSC::GenericOffset::operator==):
        (JSC::GenericOffset::operator!=):
        (JSC::GenericOffset::operator<):
        (JSC::GenericOffset::operator>):
        (JSC::GenericOffset::operator<=):
        (JSC::GenericOffset::operator>=):
        (JSC::GenericOffset::operator+):
        (JSC::GenericOffset::operator-):
        (JSC::GenericOffset::operator+=):
        (JSC::GenericOffset::operator-=):
        * runtime/JSArgumentsIterator.cpp:
        (JSC::JSArgumentsIterator::finishCreation):
        (JSC::argumentsFuncIterator):
        * runtime/JSArgumentsIterator.h:
        (JSC::JSArgumentsIterator::create):
        (JSC::JSArgumentsIterator::next):
        * runtime/JSEnvironmentRecord.cpp:
        (JSC::JSEnvironmentRecord::visitChildren):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::variables):
        (JSC::JSEnvironmentRecord::isValid):
        (JSC::JSEnvironmentRecord::variableAt):
        (JSC::JSEnvironmentRecord::offsetOfVariables):
        (JSC::JSEnvironmentRecord::offsetOfVariable):
        (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
        (JSC::JSEnvironmentRecord::allocationSize):
        (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
        (JSC::JSEnvironmentRecord::finishCreationUninitialized):
        (JSC::JSEnvironmentRecord::finishCreation):
        (JSC::JSEnvironmentRecord::registers): Deleted.
        (JSC::JSEnvironmentRecord::registerAt): Deleted.
        (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
        (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::directArgumentsStructure):
2630         (JSC::JSGlobalObject::scopedArgumentsStructure):
2631         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
2632         (JSC::JSGlobalObject::argumentsStructure): Deleted.
2633         * runtime/JSLexicalEnvironment.cpp:
2634         (JSC::JSLexicalEnvironment::symbolTableGet):
2635         (JSC::JSLexicalEnvironment::symbolTablePut):
2636         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2637         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
2638         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
2639         * runtime/JSLexicalEnvironment.h:
2640         (JSC::JSLexicalEnvironment::create):
2641         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2642         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
2643         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
2644         (JSC::JSLexicalEnvironment::storage): Deleted.
2645         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
2646         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
2647         (JSC::JSLexicalEnvironment::isValid): Deleted.
2648         (JSC::JSLexicalEnvironment::registerAt): Deleted.
2649         * runtime/JSNameScope.cpp:
2650         (JSC::JSNameScope::visitChildren): Deleted.
2651         * runtime/JSNameScope.h:
2652         (JSC::JSNameScope::create):
2653         (JSC::JSNameScope::value):
2654         (JSC::JSNameScope::finishCreation):
2655         (JSC::JSNameScope::JSNameScope):
2656         * runtime/JSScope.cpp:
2657         (JSC::abstractAccess):
2658         * runtime/JSSegmentedVariableObject.cpp:
2659         (JSC::JSSegmentedVariableObject::findVariableIndex):
2660         (JSC::JSSegmentedVariableObject::addVariables):
2661         (JSC::JSSegmentedVariableObject::visitChildren):
2662         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
2663         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
2664         * runtime/JSSegmentedVariableObject.h:
2665         (JSC::JSSegmentedVariableObject::variableAt):
2666         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
2667         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
2668         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
2669         * runtime/JSSymbolTableObject.h:
2670         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
2671         (JSC::symbolTableGet):
2672         (JSC::symbolTablePut):
2673         (JSC::symbolTablePutWithAttributes):
2674         * runtime/JSType.h:
2675         * runtime/Options.h:
2676         * runtime/ClonedArguments.cpp: Added.
2677         (JSC::ClonedArguments::ClonedArguments):
2678         (JSC::ClonedArguments::createEmpty):
2679         (JSC::ClonedArguments::createWithInlineFrame):
2680         (JSC::ClonedArguments::createWithMachineFrame):
2681         (JSC::ClonedArguments::createByCopyingFrom):
2682         (JSC::ClonedArguments::createStructure):
2683         (JSC::ClonedArguments::getOwnPropertySlot):
2684         (JSC::ClonedArguments::getOwnPropertyNames):
2685         (JSC::ClonedArguments::put):
2686         (JSC::ClonedArguments::deleteProperty):
2687         (JSC::ClonedArguments::defineOwnProperty):
2688         (JSC::ClonedArguments::materializeSpecials):
2689         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
2690         * runtime/ClonedArguments.h: Added.
2691         (JSC::ClonedArguments::specialsMaterialized):
2692         * runtime/ScopeOffset.cpp: Added.
2693         (JSC::ScopeOffset::dump):
2694         * runtime/ScopeOffset.h: Added.
2695         (JSC::ScopeOffset::ScopeOffset):
2696         * runtime/ScopedArguments.cpp: Added.
2697         (JSC::ScopedArguments::ScopedArguments):
2698         (JSC::ScopedArguments::finishCreation):
2699         (JSC::ScopedArguments::createUninitialized):
2700         (JSC::ScopedArguments::create):
2701         (JSC::ScopedArguments::createByCopying):
2702         (JSC::ScopedArguments::createByCopyingFrom):
2703         (JSC::ScopedArguments::visitChildren):
2704         (JSC::ScopedArguments::createStructure):
2705         (JSC::ScopedArguments::overrideThings):
2706         (JSC::ScopedArguments::overrideThingsIfNecessary):
2707         (JSC::ScopedArguments::overrideArgument):
2708         (JSC::ScopedArguments::copyToArguments):
2709         * runtime/ScopedArguments.h: Added.
2710         (JSC::ScopedArguments::internalLength):
2711         (JSC::ScopedArguments::length):
2712         (JSC::ScopedArguments::canAccessIndexQuickly):
2713         (JSC::ScopedArguments::getIndexQuickly):
2714         (JSC::ScopedArguments::setIndexQuickly):
2715         (JSC::ScopedArguments::callee):
2716         (JSC::ScopedArguments::overrodeThings):
2717         (JSC::ScopedArguments::offsetOfOverrodeThings):
2718         (JSC::ScopedArguments::offsetOfTotalLength):
2719         (JSC::ScopedArguments::offsetOfTable):
2720         (JSC::ScopedArguments::offsetOfScope):
2721         (JSC::ScopedArguments::overflowStorageOffset):
2722         (JSC::ScopedArguments::allocationSize):
2723         (JSC::ScopedArguments::overflowStorage):
2724         * runtime/ScopedArgumentsTable.cpp: Added.
2725         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
2726         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
2727         (JSC::ScopedArgumentsTable::destroy):
2728         (JSC::ScopedArgumentsTable::create):
2729         (JSC::ScopedArgumentsTable::clone):
2730         (JSC::ScopedArgumentsTable::setLength):
2731         (JSC::ScopedArgumentsTable::set):
2732         (JSC::ScopedArgumentsTable::createStructure):
2733         * runtime/ScopedArgumentsTable.h: Added.
2734         (JSC::ScopedArgumentsTable::length):
2735         (JSC::ScopedArgumentsTable::get):
2736         (JSC::ScopedArgumentsTable::lock):
2737         (JSC::ScopedArgumentsTable::offsetOfLength):
2738         (JSC::ScopedArgumentsTable::offsetOfArguments):
2739         (JSC::ScopedArgumentsTable::at):
2740         * runtime/SymbolTable.cpp:
2741         (JSC::SymbolTableEntry::prepareToWatch):
2742         (JSC::SymbolTable::SymbolTable):
2743         (JSC::SymbolTable::visitChildren):
2744         (JSC::SymbolTable::localToEntry):
2745         (JSC::SymbolTable::entryFor):
2746         (JSC::SymbolTable::cloneScopePart):
2747         (JSC::SymbolTable::prepareForTypeProfiling):
2748         (JSC::SymbolTable::uniqueIDForOffset):
2749         (JSC::SymbolTable::globalTypeSetForOffset):
2750         (JSC::SymbolTable::cloneCapturedNames): Deleted.
2751         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
2752         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
2753         * runtime/SymbolTable.h:
2754         (JSC::SymbolTableEntry::varOffsetFromBits):
2755         (JSC::SymbolTableEntry::scopeOffsetFromBits):
2756         (JSC::SymbolTableEntry::Fast::varOffset):
2757         (JSC::SymbolTableEntry::Fast::scopeOffset):
2758         (JSC::SymbolTableEntry::Fast::isDontEnum):
2759         (JSC::SymbolTableEntry::Fast::getAttributes):
2760         (JSC::SymbolTableEntry::SymbolTableEntry):
2761         (JSC::SymbolTableEntry::varOffset):
2762         (JSC::SymbolTableEntry::isWatchable):
2763         (JSC::SymbolTableEntry::scopeOffset):
2764         (JSC::SymbolTableEntry::setAttributes):
2765         (JSC::SymbolTableEntry::constantMode):
2766         (JSC::SymbolTableEntry::isDontEnum):
2767         (JSC::SymbolTableEntry::disableWatching):
2768         (JSC::SymbolTableEntry::pack):
2769         (JSC::SymbolTableEntry::isValidVarOffset):
2770         (JSC::SymbolTable::createNameScopeTable):
2771         (JSC::SymbolTable::maxScopeOffset):
2772         (JSC::SymbolTable::didUseScopeOffset):
2773         (JSC::SymbolTable::didUseVarOffset):
2774         (JSC::SymbolTable::scopeSize):
2775         (JSC::SymbolTable::nextScopeOffset):
2776         (JSC::SymbolTable::takeNextScopeOffset):
2777         (JSC::SymbolTable::add):
2778         (JSC::SymbolTable::set):
2779         (JSC::SymbolTable::argumentsLength):
2780         (JSC::SymbolTable::setArgumentsLength):
2781         (JSC::SymbolTable::argumentOffset):
2782         (JSC::SymbolTable::setArgumentOffset):
2783         (JSC::SymbolTable::arguments):
2784         (JSC::SlowArgument::SlowArgument): Deleted.
2785         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
2786         (JSC::SymbolTableEntry::getIndex): Deleted.
2787         (JSC::SymbolTableEntry::isValidIndex): Deleted.
2788         (JSC::SymbolTable::captureStart): Deleted.
2789         (JSC::SymbolTable::setCaptureStart): Deleted.
2790         (JSC::SymbolTable::captureEnd): Deleted.
2791         (JSC::SymbolTable::setCaptureEnd): Deleted.
2792         (JSC::SymbolTable::captureCount): Deleted.
2793         (JSC::SymbolTable::isCaptured): Deleted.
2794         (JSC::SymbolTable::parameterCount): Deleted.
2795         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
2796         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
2797         (JSC::SymbolTable::slowArguments): Deleted.
2798         (JSC::SymbolTable::setSlowArguments): Deleted.
2799         * runtime/VM.cpp:
2800         (JSC::VM::VM):
2801         * runtime/VM.h:
2802         * runtime/VarOffset.cpp: Added.
2803         (JSC::VarOffset::dump):
2804         (WTF::printInternal):
2805         * runtime/VarOffset.h: Added.
2806         (JSC::VarOffset::VarOffset):
2807         (JSC::VarOffset::assemble):
2808         (JSC::VarOffset::isValid):
2809         (JSC::VarOffset::operator!):
2810         (JSC::VarOffset::kind):
2811         (JSC::VarOffset::isStack):
2812         (JSC::VarOffset::isScope):
2813         (JSC::VarOffset::isDirectArgument):
2814         (JSC::VarOffset::stackOffsetUnchecked):
2815         (JSC::VarOffset::scopeOffsetUnchecked):
2816         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
2817         (JSC::VarOffset::stackOffset):
2818         (JSC::VarOffset::scopeOffset):
2819         (JSC::VarOffset::capturedArgumentsOffset):
2820         (JSC::VarOffset::rawOffset):
2821         (JSC::VarOffset::checkSanity):
2822         (JSC::VarOffset::operator==):
2823         (JSC::VarOffset::operator!=):
2824         (JSC::VarOffset::hash):
2825         (JSC::VarOffset::isHashTableDeletedValue):
2826         (JSC::VarOffsetHash::hash):
2827         (JSC::VarOffsetHash::equal):
2828         * tests/stress/arguments-exit-strict-mode.js: Added.
2829         * tests/stress/arguments-exit.js: Added.
2830         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
2831         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
2832         * tests/stress/arguments-inlined-exit.js: Added.
2833         * tests/stress/arguments-interference.js: Added.
2834         * tests/stress/arguments-interference-cfg.js: Added.
2835         * tests/stress/dead-get-closure-var.js: Added.
2836         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
2837         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
2838         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
2839         * tests/stress/varargs-closure-inlined-exit.js: Added.
2840         * tests/stress/varargs-exit.js: Added.
2841         * tests/stress/varargs-inlined-exit.js: Added.
2842         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
2843         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
2844         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
2845         * tests/stress/varargs-inlined-simple-exit.js: Added.
2846         * tests/stress/varargs-too-few-arguments.js: Added.
2847         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
2848         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
2849         * tests/stress/varargs-varargs-inlined-exit.js: Added.
2850
2851 2015-03-25  Andy Estes  <aestes@apple.com>
2852
2853         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
2854         https://bugs.webkit.org/show_bug.cgi?id=143068
2855
2856         Reviewed by Dan Bernstein.
2857
2858         * inspector/remote/RemoteInspectorXPCConnection.mm:
2859         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
2860
2861 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2862
2863         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
2864         https://bugs.webkit.org/show_bug.cgi?id=142993
2865
2866         Reviewed by Geoffrey Garen and Mark Lam.
2867         
2868         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
2869         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
2870         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
2871         failure, but also involves adding the same kind of thing to the stub generators in
2872         Repatch.
2873         
2874         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
2875         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
2876         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
2877         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
2878         printout.
2879         
2880         Also add a way of inducing executable allocation failure, so that we can test this.
2881
2882         * CMakeLists.txt:
2883         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2884         * JavaScriptCore.xcodeproj/project.pbxproj:
2885         * dfg/DFGJITCompiler.cpp:
2886         (JSC::DFG::JITCompiler::compile):
2887         (JSC::DFG::JITCompiler::compileFunction):
2888         (JSC::DFG::JITCompiler::link): Deleted.
2889         (JSC::DFG::JITCompiler::linkFunction): Deleted.
2890         * dfg/DFGJITCompiler.h:
2891         * dfg/DFGPlan.cpp:
2892         (JSC::DFG::Plan::compileInThreadImpl):
2893         * ftl/FTLCompile.cpp:
2894         (JSC::FTL::mmAllocateCodeSection):
2895         (JSC::FTL::mmAllocateDataSection):
2896         * ftl/FTLLink.cpp:
2897         (JSC::FTL::link):
2898         * ftl/FTLState.h:
2899         * jit/ArityCheckFailReturnThunks.cpp:
2900         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
2901         * jit/ExecutableAllocationFuzz.cpp: Added.
2902         (JSC::numberOfExecutableAllocationFuzzChecks):
2903         (JSC::doExecutableAllocationFuzzing):
2904         * jit/ExecutableAllocationFuzz.h: Added.
2905         (JSC::doExecutableAllocationFuzzingIfEnabled):
2906         * jit/ExecutableAllocatorFixedVMPool.cpp:
2907         (JSC::ExecutableAllocator::allocate):
2908         * jit/JIT.cpp:
2909         (JSC::JIT::privateCompile):
2910         * jit/JITCompilationEffort.h:
2911         * jit/Repatch.cpp:
2912         (JSC::generateByIdStub):
2913         (JSC::tryCacheGetByID):
2914         (JSC::tryBuildGetByIDList):
2915         (JSC::emitPutReplaceStub):
2916         (JSC::emitPutTransitionStubAndGetOldStructure):
2917         (JSC::tryCachePutByID):
2918         (JSC::tryBuildPutByIdList):
2919         (JSC::tryRepatchIn):
2920         (JSC::linkPolymorphicCall):
2921         * jsc.cpp:
2922         (jscmain):
2923         * runtime/Options.h:
2924         * runtime/TestRunnerUtils.h:
2925         * runtime/VM.cpp:
2926         * tests/executableAllocationFuzz: Added.
2927         * tests/executableAllocationFuzz.yaml: Added.
2928         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
2929
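The two compilation efforts the entry above contrasts, modelled as an added example: this is not JavaScriptCore code, and CompilationEffort, AllocationFuzzer, Allocator, compileTier, compileWithInjectedFailure and fuzzAllocationSites are names assumed for the illustration. The harness fails each executable allocation of a compile in turn, in the spirit of the executable allocation fuzzing the entry adds, and checks that a CanFail compile reports failure and leaves the caller on its fallback path, while MustSucceed turns the same allocation failure into a (simulated) crash rather than a GC attempt.

```cpp
// Added example, not JavaScriptCore code: a toy model of JITCompilationCanFail
// versus JITCompilationMustSucceed plus an allocation fault injector. All
// names below are assumptions made for this illustration.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

enum class CompilationEffort { CanFail, MustSucceed };
enum class CompilationResult { Compiled, Failed, Crashed };

// Fault injector: fails the failAt-th executable allocation (0 = never fail),
// the same idea as counting allocation checks and failing a chosen one.
struct AllocationFuzzer {
    unsigned failAt;
    unsigned checks = 0;
    explicit AllocationFuzzer(unsigned n) : failAt(n) {}
    bool shouldFail() { ++checks; return failAt != 0 && checks == failAt; }
};

// Executable-memory allocator. With CanFail a failure is reported to the
// caller; with MustSucceed it is fatal (modelled by a flag instead of abort()).
struct Allocator {
    AllocationFuzzer& fuzzer;
    bool crashed = false;
    explicit Allocator(AllocationFuzzer& f) : fuzzer(f) {}

    std::unique_ptr<uint8_t[]> allocate(size_t bytes, CompilationEffort effort)
    {
        if (fuzzer.shouldFail()) {
            if (effort == CompilationEffort::MustSucceed)
                crashed = true; // real code: crash with diagnostics, no GC retry
            return nullptr;
        }
        return std::unique_ptr<uint8_t[]>(new uint8_t[bytes]);
    }
};

// One compile that needs several executable allocations (code section, data
// section, stubs). On any failure the partially built code is released and
// the caller keeps running the lower tier.
CompilationResult compileTier(Allocator& alloc, CompilationEffort effort, unsigned sections)
{
    std::vector<std::unique_ptr<uint8_t[]>> held;
    for (unsigned i = 0; i < sections; ++i) {
        std::unique_ptr<uint8_t[]> chunk = alloc.allocate(4096, effort);
        if (!chunk)
            return alloc.crashed ? CompilationResult::Crashed : CompilationResult::Failed;
        held.push_back(std::move(chunk));
    }
    return CompilationResult::Compiled;
}

CompilationResult compileWithInjectedFailure(CompilationEffort effort, unsigned failAt, unsigned sections)
{
    AllocationFuzzer fuzzer(failAt);
    Allocator alloc(fuzzer);
    return compileTier(alloc, effort, sections);
}

// Fuzz every allocation site of a CanFail compile: for k = 1..sections, fail
// the k-th allocation. Returns how many injected failures were survived
// (compile reported Failed, nothing crashed); equals `sections` when every
// site has a working fallback.
unsigned fuzzAllocationSites(unsigned sections)
{
    unsigned survived = 0;
    for (unsigned k = 1; k <= sections; ++k) {
        if (compileWithInjectedFailure(CompilationEffort::CanFail, k, sections) == CompilationResult::Failed)
            ++survived;
    }
    return survived;
}

int main()
{
    std::printf("CanFail sites surviving an injected failure: %u of 3\n", fuzzAllocationSites(3));
    bool crashed = compileWithInjectedFailure(CompilationEffort::MustSucceed, 1, 3) == CompilationResult::Crashed;
    std::printf("MustSucceed with an injected failure crashed: %s\n", crashed ? "yes" : "no");
    return 0;
}
```

The point of walking k = 1..sections is that each allocation site is a separate place where the fallback can be missing; a single random failure would only exercise one of them.
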
2930 2015-03-25  Mark Lam  <mark.lam@apple.com>
2931
2932         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
2933         <https://webkit.org/b/135719>
2934
2935         Reviewed by Geoffrey Garen.
2936
2937         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
2938         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
2939         update the LLINT to access it as such.
2940
2941         The issue has only manifested so far on the CLoop tests because those are LLINT
2942         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
2943         hiding the bug in the LLINT.
2944
2945         * API/JSContextRef.cpp:
2946         (createWatchdogIfNeeded):
2947         (JSContextGroupSetExecutionTimeLimit):
2948         (JSContextGroupClearExecutionTimeLimit):
2949         * llint/LowLevelInterpreter.asm:
2950
2951 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2952
2953         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
2954
2955         Rubber stamped by Geoffrey Garen.
2956
2957         * bytecode/CodeBlock.cpp:
2958         (JSC::CodeBlock::visitAggregate):
2959
2960 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2961
2962         Fix formatting in BuiltinExecutables
2963         https://bugs.webkit.org/show_bug.cgi?id=143061
2964
2965         Reviewed by Ryosuke Niwa.
2966
2967         * builtins/BuiltinExecutables.cpp:
2968         (JSC::BuiltinExecutables::createExecutableInternal):
2969
2970 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2971
2972         ES6: Classes: Program level class statement throws exception in strict mode
2973         https://bugs.webkit.org/show_bug.cgi?id=143038
2974
2975         Reviewed by Ryosuke Niwa.
2976
2977         Classes expose a name to the current lexical environment. This treats
2978         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
2979         Also, improve error messages for class statements where the class is missing a name.
2980
2981         * parser/Parser.h:
2982         * parser/Parser.cpp:
2983         (JSC::Parser<LexerType>::parseClass):
2984         Fill name in info parameter if needed. Better error message if name is needed and missing.
2985
2986         (JSC::Parser<LexerType>::parseClassDeclaration):
2987         Pass info parameter to get name, and expose the name as a variable name.
2988
2989         (JSC::Parser<LexerType>::parsePrimaryExpression):
2990         Pass info parameter that is ignored.
2991
2992         * parser/ParserFunctionInfo.h:
2993         Add a parser info for class, to extract the name.
2994
2995 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2996
2997         New map and set modification tests in r181922 fails
2998         https://bugs.webkit.org/show_bug.cgi?id=143031
2999
3000         Reviewed and tweaked by Geoffrey Garen.
3001
3002         When packing the Map/Set backing store, we need to decrement the Map/Set iterator's m_index
3003         to adjust for the packed backing store.
3004
3005         Consider the following map data.
3006
3007         x: deleted, o: exists
3008         0 1 2 3 4
3009         x x x x o
3010
3011         And an iterator with m_index 3.
3012
3013         When packing the map data, the map data will become:
3014
3015         0
3016         o
3017
3018         At that time, we perform didRemoveEntry 4 times on iterators.
3019         times => m_index/index/result
3020         1 => 3/0/dec
3021         2 => 2/1/dec
3022         3 => 1/2/nothing
3023         4 => 1/3/nothing
3024
3025         After iteration, the iterator's m_index becomes 1. But we expected it to become 0.
3026         This is because we use the decremented m_index for comparison:
3027         while the provided deletedIndex is the index in the old storage, m_index is the index in the partially packed storage.
3028
3029         In this patch, we compare against the packed index instead.
3030         times => m_index/packedIndex/result
3031         1 => 3/0/dec
3032         2 => 2/0/dec
3033         3 => 1/0/dec
3034         4 => 0/0/nothing
3035
3036         So m_index becomes 0 as expected.
3037
3038         And according to the spec, once the iterator is closed (becomes done: true),
3039         its internal [[Map]]/[[Set]] is set to undefined.
3040         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
3041
3042         In this patch, we change 2 things.
3043         1.
3044         Compare an iterator's index against the packed index when removing an entry.
3045
3046         2.
3047         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
3048
3049         * runtime/MapData.h:
3050         (JSC::MapDataImpl::IteratorData::finish):
3051         (JSC::MapDataImpl::IteratorData::isFinished):
3052         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
3053         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
3054         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
3055         * runtime/MapDataInlines.h:
3056         (JSC::JSIterator>::replaceAndPackBackingStore):
3057         * tests/stress/modify-map-during-iteration.js:
3058         * tests/stress/modify-set-during-iteration.js:
3059
3060 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
3061
3062         Setter should have a single formal parameter, Getter no parameters
3063         https://bugs.webkit.org/show_bug.cgi?id=142903
3064
3065         Reviewed by Geoffrey Garen.
3066
3067         * parser/Parser.cpp:
3068         (JSC::Parser<LexerType>::parseFunctionInfo):
3069         Enforce no parameters for getters and a single parameter
3070         for setters, with informational error messages.
3071
3072 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
3073
3074         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
3075         https://bugs.webkit.org/show_bug.cgi?id=143012
3076
3077         Reviewed by Ryosuke Niwa.
3078
3079         * bytecompiler/BytecodeGenerator.cpp:
3080         (JSC::BytecodeGenerator::emitReturn):
3081         Fix handling of "undefined" when returned from a Derived class. It was
3082         returning "undefined" when it should have returned "this".
3083
3084 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3085
3086         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
3087         https://bugs.webkit.org/show_bug.cgi?id=142696
3088
3089         Reviewed and tweaked by Geoffrey Garen.
3090
3091         Before r142556, JSSetIterator::destroy was not defined.
3092         So, accidentally, MapData::const_iterator in JSSet was never destroyed.
3093         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
3094
3095         After r142556, JSSetIterator::destroy works.
3096         It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
3097         But JSSetIterator::~JSSetIterator requires the owned JSSet, since it mutates MapData->m_iteratorCount.
3098
3099         It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
3100         and marks it in visitChildren (WriteBarrier<Unknown>).
3101         However, the order of destructions is not guaranteed in a GC-ed system.
3102
3103         Consider the following case:
3104         allocate a JSSet and subsequently allocate a JSSetIterator.
3105         And they reside in separate MarkedBlocks, <1> and <2>.
3106
3107         JSSet<1> <- JSSetIterator<2>
3108
3109         And after that, when performing GC, the Marker decides that the above 2 objects are not marked.
3110         And the Marker also decides MarkedBlocks <1> and <2> can be swept.
3111
3112         First, the Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
3113         Second, the Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
3114         However, JSSetIterator<2>'s destructor,
3115         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free.
3116
3117         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
3118         When packing the removed elements in JSSet/JSMap, we apply the change to all live
3119         iterators tracked by WeakGCMap.
3120
3121         WeakGCMap can only track JSCells since they are managed by GC.
3122         So we drop JSSet/JSMap C++ style iterators. Instead of C++ style iterator, this patch
3123         introduces JS style iterator signatures into C++ class IteratorData.
3124         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
3125         IteratorData directly.
3126
3127         * runtime/JSMap.cpp:
3128         (JSC::JSMap::destroy):
3129         * runtime/JSMap.h:
3130         (JSC::JSMap::JSMap):
3131         (JSC::JSMap::begin): Deleted.
3132         (JSC::JSMap::end): Deleted.
3133         * runtime/JSMapIterator.cpp:
3134         (JSC::JSMapIterator::destroy):
3135         * runtime/JSMapIterator.h:
3136         (JSC::JSMapIterator::next):
3137         (JSC::JSMapIterator::nextKeyValue):
3138         (JSC::JSMapIterator::iteratorData):
3139         (JSC::JSMapIterator::JSMapIterator):
3140         * runtime/JSSet.cpp:
3141         (JSC::JSSet::destroy):
3142         * runtime/JSSet.h:
3143         (JSC::JSSet::JSSet):
3144         (JSC::JSSet::begin): Deleted.
3145         (JSC::JSSet::end): Deleted.
3146         * runtime/JSSetIterator.cpp:
3147         (JSC::JSSetIterator::destroy):
3148         * runtime/JSSetIterator.h:
3149         (JSC::JSSetIterator::next):
3150         (JSC::JSSetIterator::iteratorData):
3151         (JSC::JSSetIterator::JSSetIterator):
3152         * runtime/MapData.h:
3153         (JSC::MapDataImpl::IteratorData::finish):
3154         (JSC::MapDataImpl::IteratorData::isFinished):
3155         (JSC::MapDataImpl::shouldPack):
3156         (JSC::JSIterator>::MapDataImpl):
3157         (JSC::JSIterator>::KeyType::KeyType):
3158         (JSC::JSIterator>::IteratorData::IteratorData):
3159         (JSC::JSIterator>::IteratorData::next):
3160         (JSC::JSIterator>::IteratorData::ensureSlot):
3161         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
3162         (JSC::JSIterator>::IteratorData::refreshCursor):
3163         (JSC::MapDataImpl::const_iterator::key): Deleted.
3164         (JSC::MapDataImpl::const_iterator::value): Deleted.
3165         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
3166         (JSC::MapDataImpl::const_iterator::finish): Deleted.
3167         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
3168         (JSC::MapDataImpl::begin): Deleted.
3169         (JSC::MapDataImpl::end): Deleted.
3170         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
3171         (JSC::MapDataImpl<Entry>::clear): Deleted.
3172         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
3173         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
3174         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
3175         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
3176         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
3177         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
3178         (JSC::=): Deleted.
3179         * runtime/MapDataInlines.h:
3180         (JSC::JSIterator>::clear):
3181         (JSC::JSIterator>::find):
3182         (JSC::JSIterator>::contains):
3183         (JSC::JSIterator>::add):
3184         (JSC::JSIterator>::set):
3185         (JSC::JSIterator>::get):
3186         (JSC::JSIterator>::remove):
3187         (JSC::JSIterator>::replaceAndPackBackingStore):
3188         (JSC::JSIterator>::replaceBackingStore):
3189         (JSC::JSIterator>::ensureSpaceForAppend):
3190         (JSC::JSIterator>::visitChildren):
3191         (JSC::JSIterator>::copyBackingStore):
3192         (JSC::JSIterator>::applyMapDataPatch):
3193         (JSC::MapDataImpl<Entry>::find): Deleted.
3194         (JSC::MapDataImpl<Entry>::contains): Deleted.
3195         (JSC::MapDataImpl<Entry>::add): Deleted.
3196         (JSC::MapDataImpl<Entry>::set): Deleted.
3197         (JSC::MapDataImpl<Entry>::get): Deleted.
3198         (JSC::MapDataImpl<Entry>::remove): Deleted.
3199         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
3200         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
3201         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
3202         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
3203         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
3204         * runtime/MapPrototype.cpp:
3205         (JSC::mapProtoFuncForEach):
3206         * runtime/SetPrototype.cpp:
3207         (JSC::setProtoFuncForEach):
3208         * runtime/WeakGCMap.h:
3209         (JSC::WeakGCMap::forEach):
3210         * tests/stress/modify-map-during-iteration.js: Added.
3211         (testValue):
3212         (identityPairs):
3213         (.set if):
3214         (var):
3215         (set map):
3216         * tests/stress/modify-set-during-iteration.js: Added.
3217         (testValue):
3218         (set forEach):
3219         (set delete):
3220
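A toy model of the Map/Set backing store, its iterators and the packing step, added here as an example that serves both the use-after-free entry above (owner-side weak tracking of live iterators instead of iterator destructors that touch the owner) and the earlier r143031 entry (comparing an iterator's m_index against the packed index when an entry is removed). It is not JavaScriptCore code; ToyMapData, ToyIterator, didRemoveEntry's two-argument form and the helper functions are assumptions made for the illustration. The `usePackedIndex` switch reproduces both the old deletedIndex comparison and the corrected one so the table from that entry can be re-run.

```cpp
// Added example, not JavaScriptCore code: a toy model of the Map/Set backing
// store, its iterators and the packing step. ToyMapData, ToyIterator and
// their members are assumptions made for this illustration.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

struct ToyIterator {
    size_t m_index;
    bool finished = false;
    bool usePackedIndex; // false reproduces the old deletedIndex comparison

    ToyIterator(size_t index, bool packed) : m_index(index), usePackedIndex(packed) {}
    // No destructor touches the owning store, so owner and iterator may be
    // freed in either order (the sweep order that caused the use-after-free).

    void finish() { finished = true; }
    bool isFinished() const { return finished; }

    // Called once per removed entry while the store is packed.
    // deletedIndex: position of the removed entry in the old storage.
    // packedIndex: number of live entries already written to the new storage.
    void didRemoveEntry(size_t deletedIndex, size_t packedIndex)
    {
        if (isFinished())
            return; // a closed iterator is never adjusted (or revived)
        size_t threshold = usePackedIndex ? packedIndex : deletedIndex;
        if (m_index > threshold)
            --m_index;
    }
};

struct ToyMapData {
    std::vector<bool> entries; // true = live entry, false = deleted
    // Owner-side tracking of live iterators, the analogue of the WeakGCMap
    // added to JSMap/JSSet: dead iterators simply drop out of the list.
    std::vector<std::weak_ptr<ToyIterator>> liveIterators;

    std::shared_ptr<ToyIterator> makeIterator(size_t index, bool usePackedIndex)
    {
        std::shared_ptr<ToyIterator> it = std::make_shared<ToyIterator>(index, usePackedIndex);
        liveIterators.push_back(it);
        return it;
    }

    size_t liveIteratorCount() const
    {
        size_t n = 0;
        for (const std::weak_ptr<ToyIterator>& w : liveIterators)
            if (!w.expired()) ++n;
        return n;
    }

    // Drops deleted entries and notifies every live iterator once per removal.
    void pack()
    {
        std::vector<bool> packed;
        for (size_t i = 0; i < entries.size(); ++i) {
            if (entries[i]) { packed.push_back(true); continue; }
            for (const std::weak_ptr<ToyIterator>& w : liveIterators)
                if (std::shared_ptr<ToyIterator> it = w.lock())
                    it->didRemoveEntry(i, packed.size());
        }
        entries = packed;
    }
};

// Packs `layout` with one iterator at `startIndex`; returns its index afterwards.
size_t indexAfterPacking(const std::vector<bool>& layout, size_t startIndex, bool usePackedIndex, bool finishBeforePack)
{
    ToyMapData data;
    data.entries = layout;
    std::shared_ptr<ToyIterator> it = data.makeIterator(startIndex, usePackedIndex);
    if (finishBeforePack) it->finish();
    data.pack();
    return it->m_index;
}

// Frees the owner before the iterator, the ordering from the entry above;
// returns true when the iterator is still usable afterwards.
bool iteratorOutlivesOwner()
{
    std::unique_ptr<ToyMapData> data(new ToyMapData);
    data->entries = {true, true};
    std::shared_ptr<ToyIterator> it = data->makeIterator(1, true);
    data.reset(); // owner gone first; the iterator never dereferences it
    return it->m_index == 1;
}

// A dropped iterator disappears from the owner's tracking with no bookkeeping.
size_t liveCountAfterIteratorDies()
{
    ToyMapData data;
    data.entries = {true};
    { std::shared_ptr<ToyIterator> it = data.makeIterator(0, true); (void)it; }
    return data.liveIteratorCount();
}

int main()
{
    std::vector<bool> layout = {false, false, false, false, true}; // x x x x o
    std::printf("old comparison: m_index = %zu (expected 0)\n", indexAfterPacking(layout, 3, false, false));
    std::printf("packed comparison: m_index = %zu\n", indexAfterPacking(layout, 3, true, false));
    return 0;
}
```

With the layout from the r143031 entry (four deleted entries then one live one, iterator at 3) the old comparison leaves m_index at 1 and the packed comparison at 0. The example also generalises to interleaved layouts such as `o x o x o` with the iterator on the last entry, where the packed comparison yields 2 and the old one yields 3, one past the end of the packed store.
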
3221 2015-03-24  Mark Lam  <mark.lam@apple.com>
3222
3223         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
3224         <https://webkit.org/b/143024>
3225
3226         Reviewed by Geoffrey Garen.
3227
3228         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
3229         passed in from testapi.c.  It should create its own for better
3230         encapsulation of the test.
3231
3232         * API/tests/ExecutionTimeLimitTest.cpp:
3233         (currentCPUTimeAsJSFunctionCallback):
3234         (testExecutionTimeLimit):
3235         * API/tests/ExecutionTimeLimitTest.h:
3236         * API/tests/testapi.c:
3237         (main):
3238
3239 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
3240
3241         ES6: Object Literal Methods toString is missing method name
3242         https://bugs.webkit.org/show_bug.cgi?id=142992
3243
3244         Reviewed by Geoffrey Garen.
3245
3246         Always stringify functions in the pattern:
3247
3248           "function " + <function name> + <text from opening parenthesis to closing brace>.
3249
3250         * runtime/FunctionPrototype.cpp:
3251         (JSC::functionProtoFuncToString):
3252         Update the path that was not stringifying in this pattern.
3253
3254         * bytecode/UnlinkedCodeBlock.cpp:
3255         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3256         * bytecode/UnlinkedCodeBlock.h:
3257         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
3258         * parser/Nodes.h:
3259         * runtime/Executable.cpp:
3260         (JSC::FunctionExecutable::FunctionExecutable):
3261         * runtime/Executable.h:
3262         (JSC::FunctionExecutable::parametersStartOffset):
3263         Pass the already known function parameter opening parenthesis
3264         start offset through to the FunctionExecutable.
3265
3266         * tests/mozilla/js1_5/Scope/regress-185485.js:
3267         (with.g):
3268         Add back original space in this test that was removed by r181810
3269         now that we have the space again in stringification.
3270
3271 2015-03-24  Michael Saboff  <msaboff@apple.com>
3272
3273         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
3274         https://bugs.webkit.org/show_bug.cgi?id=142856
3275
3276         Reviewed by Filip Pizlo.
3277
3278         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
3279         get info for three loops to iterate over indexed properties, structure properties and other properties,
3280         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
3281         for all loops before we execute any enumeration.
3282
3283         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
3284         The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex)
3285         and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
3286
3287         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
3288         op_next_enumerator_pname.
3289         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
3290         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
3291         end value we stop iterating on.
3292
3293         Made corresponding node changes to the DFG and FTL for the bytecode changes.
3294
3295         * bytecode/BytecodeList.json:
3296         * bytecode/BytecodeUseDef.h:
3297         (JSC::computeUsesForBytecodeOffset):
3298         (JSC::computeDefsForBytecodeOffset):
3299         * bytecode/CodeBlock.cpp:
3300         (JSC::CodeBlock::dumpBytecode):
3301         * bytecompiler/BytecodeGenerator.cpp:
3302         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
3303         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
3304         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
3305         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
3306         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
3307         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
3308         * bytecompiler/BytecodeGenerator.h:
3309         * bytecompiler/NodesCodegen.cpp:
3310         (JSC::ForInNode::emitMultiLoopBytecode):
3311         * dfg/DFGAbstractInterpreterInlines.h:
3312         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3313         * dfg/DFGByteCodeParser.cpp:
3314         (JSC::DFG::ByteCodeParser::parseBlock):
3315         * dfg/DFGCapabilities.cpp:
3316         (JSC::DFG::capabilityLevel):
3317         * dfg/DFGClobberize.h:
3318         (JSC::DFG::clobberize):
3319         * dfg/DFGDoesGC.cpp:
3320         (JSC::DFG::doesGC):
3321         * dfg/DFGFixupPhase.cpp:
3322         (JSC::DFG::FixupPhase::fixupNode):
3323         * dfg/DFGNodeType.h:
3324         * dfg/DFGPredictionPropagationPhase.cpp:
3325         (JSC::DFG::PredictionPropagationPhase::propagate):
3326         * dfg/DFGSafeToExecute.h:
3327         (JSC::DFG::safeToExecute):
3328         * dfg/DFGSpeculativeJIT32_64.cpp:
3329         (JSC::DFG::SpeculativeJIT::compile):
3330         * dfg/DFGSpeculativeJIT64.cpp:
3331         (JSC::DFG::SpeculativeJIT::compile):
3332         * ftl/FTLAbstractHeapRepository.h:
3333         * ftl/FTLCapabilities.cpp:
3334         (JSC::FTL::canCompile):
3335         * ftl/FTLLowerDFGToLLVM.cpp:
3336         (JSC::FTL::LowerDFGToLLVM::compileNode):
3337         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
3338         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
3339         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
3340         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
3341         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
3342         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
3343         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
3344         * jit/JIT.cpp:
3345         (JSC::JIT::privateCompileMainPass):
3346         * jit/JIT.h:
3347         * jit/JITOpcodes.cpp:
3348         (JSC::JIT::emit_op_enumerator_structure_pname):
3349         (JSC::JIT::emit_op_enumerator_generic_pname):
3350         (JSC::JIT::emit_op_get_property_enumerator):
3351         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
3352         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
3353         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
3354         * jit/JITOpcodes32_64.cpp:
3355         (JSC::JIT::emit_op_enumerator_structure_pname):
3356         (JSC::JIT::emit_op_enumerator_generic_pname):
3357         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
3358         * jit/JITOperations.cpp:
3359         * jit/JITOperations.h:
3360         * llint/LowLevelInterpreter.asm:
3361         * runtime/CommonSlowPaths.cpp:
3362         (JSC::SLOW_PATH_DECL):
3363         * runtime/CommonSlowPaths.h:
3364         * runtime/JSPropertyNameEnumerator.cpp:
3365         (JSC::JSPropertyNameEnumerator::create):
3366         (JSC::JSPropertyNameEnumerator::finishCreation):
3367         * runtime/JSPropertyNameEnumerator.h:
3368         (JSC::JSPropertyNameEnumerator::indexedLength):
3369         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
3370         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
3371         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
3372         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
3373         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
3374         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
3375         (JSC::propertyNameEnumerator):
3376         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
3377         (JSC::structurePropertyNameEnumerator): Deleted.
3378         (JSC::genericPropertyNameEnumerator): Deleted.
3379         * runtime/Structure.cpp:
3380         (JSC::Structure::setCachedPropertyNameEnumerator):
3381         (JSC::Structure::cachedPropertyNameEnumerator):
3382         (JSC::Structure::canCachePropertyNameEnumerator):
3383         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
3384         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
3385         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
3386         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
3387         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
3388         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
3389         * runtime/Structure.h:
3390         * runtime/StructureRareData.cpp:
3391         (JSC::StructureRareData::visitChildren):
3392         (JSC::StructureRareData::cachedPropertyNameEnumerator):
3393         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
3394         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
3395         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
3396         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
3397         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
3398         * runtime/StructureRareData.h:
3399         * tests/stress/for-in-delete-during-iteration.js:
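
As an added illustration (not JavaScriptCore code), the following JavaScript models the single JSPropertyNameEnumerator snapshot described above and the three enumeration loops that consume it. It assumes a simplified split where "structure" properties are the object's own named properties and "generic" properties are enumerable names from the prototype chain; `isStillEnumerable` is a hypothetical helper standing in for the per-name re-check the loops do.

```javascript
// Added example, not JavaScriptCore's implementation: a model of the
// up-front property snapshot plus the three for-in loops. Because every
// name is collected before enumeration starts, properties added by the
// loop body are never enumerated; names deleted mid-loop are skipped by
// the re-check done before each name is yielded.

const MAX_ARRAY_INDEX = 2 ** 32 - 2;

function isArrayIndex(key) {
  return /^(0|[1-9][0-9]*)$/.test(key) && Number(key) <= MAX_ARRAY_INDEX;
}

// Hypothetical re-check: is `key` still an enumerable property of `object`
// (own or inherited)? A deleted or shadowed-by-non-enumerable name fails.
function isStillEnumerable(object, key) {
  for (let o = object; o !== null; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, key);
    if (desc) return !!desc.enumerable;
  }
  return false;
}

// One snapshot, taken once: an indexed length plus a single list of named
// properties laid out as [0, endStructurePropertyIndex) followed by
// [endStructurePropertyIndex, endGenericPropertyIndex).
function createPropertyEnumerator(object) {
  let indexedLength = 0;
  const names = [];
  const seen = new Set();

  // "Structure" properties: the object's own enumerable named keys.
  for (const key of Object.keys(object)) {
    if (isArrayIndex(key)) {
      indexedLength = Math.max(indexedLength, Number(key) + 1);
    } else {
      names.push(key);
      seen.add(key);
    }
  }
  const endStructurePropertyIndex = names.length;

  // "Generic" properties: enumerable names further up the prototype chain,
  // listed once even when shadowed.
  for (let p = Object.getPrototypeOf(object); p !== null; p = Object.getPrototypeOf(p)) {
    for (const key of Object.keys(p)) {
      if (isArrayIndex(key)) {
        indexedLength = Math.max(indexedLength, Number(key) + 1);
      } else if (!seen.has(key)) {
        names.push(key);
        seen.add(key);
      }
    }
  }
  const endGenericPropertyIndex = names.length;

  return { indexedLength, names, endStructurePropertyIndex, endGenericPropertyIndex };
}

// The three loops of a for-in, driven entirely by the snapshot above.
function forInKeys(object, body) {
  const e = createPropertyEnumerator(object);

  // Indexed properties.
  for (let i = 0; i < e.indexedLength; i++) {
    const key = String(i);
    if (isStillEnumerable(object, key)) body(key);
  }
  // Structure properties: stop at endStructurePropertyIndex.
  for (let i = 0; i < e.endStructurePropertyIndex; i++) {
    if (isStillEnumerable(object, e.names[i])) body(e.names[i]);
  }
  // Generic properties: stop at endGenericPropertyIndex.
  for (let i = e.endStructurePropertyIndex; i < e.endGenericPropertyIndex; i++) {
    if (isStillEnumerable(object, e.names[i])) body(e.names[i]);
  }
}

// Constructed scenario: the loop body both adds and deletes properties.
function enumerateWithMutation() {
  const obj = Object.create({ inherited: true });
  obj[2] = 'c';
  obj[0] = 'a';
  obj.x = 1;
  obj.y = 2;
  obj.z = 3;
  const visited = [];
  forInKeys(obj, (key) => {
    visited.push(key);
    if (key === 'x') {
      obj.added = 4; // not in the snapshot, so never enumerated
      delete obj.z;  // in the snapshot, but skipped by the re-check
    }
  });
  return visited;
}
```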
3400
3401 2015-03-24  Michael Saboff  <msaboff@apple.com>
3402
3403         Unreviewed build fix for debug builds.
3404
3405         * runtime/ExceptionHelpers.cpp:
3406         (JSC::invalidParameterInSourceAppender):
3407
3408 2015-03-24  Saam Barati  <saambarati1@gmail.com>
3409
3410         Improve error messages in JSC
3411         https://bugs.webkit.org/show_bug.cgi?id=141869
3412
3413         Reviewed by Geoffrey Garen.
3414
3415         JavaScriptCore has some unintuitive error messages associated
3416         with certain common errors. This patch changes some specific
3417         error messages to be more understandable and also creates a
3418         mechanism that will allow for easy modification of error messages
3419         in the future. The specific errors we change are "not a function"
3420         errors and "invalid parameter" errors.
3421
3422         * CMakeLists.txt:
3423         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3424         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3425         * JavaScriptCore.xcodeproj/project.pbxproj:
3426         * interpreter/Interpreter.cpp:
3427         (JSC::sizeOfVarargs):
3428         * jit/JITOperations.cpp:
3429         op_throw_static_error always has a JSString as its argument.
3430         There is no need to dance around this, and we should assert
3431         that this always holds. This JSString represents the error
3432         message we want to display to the user, so there is no need
3433         to pass it into errorDescriptionForValue which will now place
3434         quotes around the string.
3435
3436         * llint/LLIntSlowPaths.cpp:
3437         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3438         * runtime/CommonSlowPaths.h:
3439         (JSC::CommonSlowPaths::opIn):
3440         * runtime/ErrorInstance.cpp:
3441         (JSC::ErrorInstance::ErrorInstance):
3442         * runtime/ErrorInstance.h:
3443         (JSC::ErrorInstance::hasSourceAppender):
3444         (JSC::ErrorInstance::sourceAppender):
3445         (JSC::ErrorInstance::setSourceAppender):
3446         (JSC::ErrorInstance::clearSourceAppender):
3447         (JSC::ErrorInstance::setRuntimeTypeForCause):
3448         (JSC::ErrorInstance::runtimeTypeForCause):
3449         (JSC::ErrorInstance::clearRuntimeTypeForCause):
3450         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
3451         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
3452         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
3453         * runtime/ExceptionHelpers.cpp:
3454         (JSC::errorDescriptionForValue):
3455         (JSC::defaultApproximateSourceError):
3456         (JSC::defaultSourceAppender):
3457         (JSC::functionCallBase):
3458         (JSC::notAFunctionSourceAppender):
3459         (JSC::invalidParameterInSourceAppender):
3460         (JSC::invalidParameterInstanceofSourceAppender):
3461         (JSC::createError):
3462         (JSC::createInvalidFunctionApplyParameterError):
3463         (JSC::createInvalidInParameterError):
3464         (JSC::createInvalidInstanceofParameterError):
3465         (JSC::createNotAConstructorError):
3466         (JSC::createNotAFunctionError):
3467         (JSC::createNotAnObjectError):
3468         (JSC::createInvalidParameterError): Deleted.
3469         * runtime/ExceptionHelpers.h:
3470         * runtime/JSObject.cpp:
3471         (JSC::JSObject::hasInstance):
3472         * runtime/RuntimeType.cpp: Added.
3473         (JSC::runtimeTypeForValue):
3474         (JSC::runtimeTypeAsString):
3475         * runtime/RuntimeType.h: Added.
3476         * runtime/TypeProfilerLog.cpp:
3477         (JSC::TypeProfilerLog::processLogEntries):
3478         * runtime/TypeSet.cpp:
3479         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
3480         * runtime/TypeSet.h:
3481         * runtime/VM.cpp:
3482         (JSC::appendSourceToError):
3483         (JSC::VM::throwException):
3484
3485 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
3486
3487         JSC should have a low-cost asynchronous disassembler
3488         https://bugs.webkit.org/show_bug.cgi?id=142997
3489
3490         Reviewed by Mark Lam.
3491         
3492         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
3493         doesn't block execution. Some code will live a little longer because of this, since the
3494         work tasks hold a ref to the code, but other than that there is basically no overhead.
3495         
3496         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
3497         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
3498         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
3499         JSC_asyncDisassembly has bizarre behavior - so just choose one.
3500         
3501         A simple way of understanding how great this is, is to run a small benchmark like
3502         V8Spider/earley-boyer.
3503         
3504         Performance without any disassembly flags: 60ms
3505         Performance with JSC_showDisassembly=true: 477ms
3506         Performance with JSC_asyncDisassembly=true: 65ms
3507         
3508         So, the overhead of disassembly goes from 8x to 8%.
3509         
3510         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
3511         measuring benchmark performance. This is because at VM exit, we wait for all async
3512         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
3513         after the benchmark completely finishes to finish the disassemblies. This small weirdness
3514         should be OK for the intended use-cases, since all you have to do to get around it is to
3515         measure the execution time of the benchmark payload rather than the end-to-end time of
3516         launching the VM.
3517
3518         * assembler/LinkBuffer.cpp:
3519         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3520         * assembler/LinkBuffer.h:
3521         (JSC::LinkBuffer::wasAlreadyDisassembled):
3522         (JSC::LinkBuffer::didAlreadyDisassemble):
3523         * dfg/DFGJITCompiler.cpp:
3524         (JSC::DFG::JITCompiler::disassemble):
3525         * dfg/DFGJITFinalizer.cpp:
3526         (JSC::DFG::JITFinalizer::finalize):
3527         (JSC::DFG::JITFinalizer::finalizeFunction):
3528         * disassembler/Disassembler.cpp:
3529         (JSC::disassembleAsynchronously):
3530         (JSC::waitForAsynchronousDisassembly):
3531         * disassembler/Disassembler.h:
3532         * ftl/FTLCompile.cpp:
3533         (JSC::FTL::mmAllocateDataSection):
3534         * ftl/FTLLink.cpp:
3535         (JSC::FTL::link):
3536         * jit/JIT.cpp:
3537         (JSC::JIT::privateCompile):
3538         * jsc.cpp:
3539         * runtime/Options.h:
3540         * runtime/VM.cpp:
3541         (JSC::VM::~VM):
3542
3543 2015-03-23  Dean Jackson  <dino@apple.com>
3544
3545         ES7: Implement Array.prototype.includes
3546         https://bugs.webkit.org/show_bug.cgi?id=142707
3547
3548         Reviewed by Geoffrey Garen.
3549
3550         Add support for the ES7 includes method on Arrays.
3551         https://github.com/tc39/Array.prototype.includes
3552
3553         * builtins/Array.prototype.js:
3554         (includes): Implementation in JS.
3555         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
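
As an added example (not the builtins/Array.prototype.js implementation referenced above), here is a stand-alone JavaScript version of the ES7 Array.prototype.includes algorithm, written as a free function so the engine's own builtin is left untouched. It assumes the helper names `sameValueZero` and `toIntegerOrInfinity`, which are constructed for this example.

```javascript
// Added example, not JavaScriptCore's builtin: Array.prototype.includes as
// a free function. The SameValueZero comparison is what separates
// includes(NaN) from indexOf(NaN), and holes read as undefined.

function sameValueZero(x, y) {
  // Like ===, except NaN equals NaN (+0 and -0 still compare equal).
  return x === y || (Number.isNaN(x) && Number.isNaN(y));
}

function toIntegerOrInfinity(value) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// arrayIncludes(arrayLike, searchElement, fromIndex): length is clamped
// like ToLength, a negative fromIndex counts from the end, and the scan
// uses SameValueZero over every index (holes included).
function arrayIncludes(arrayLike, searchElement, fromIndex) {
  const O = Object(arrayLike);
  const len = Math.min(Math.max(toIntegerOrInfinity(O.length), 0), Number.MAX_SAFE_INTEGER);
  if (len === 0) return false;

  const n = toIntegerOrInfinity(fromIndex); // undefined -> 0
  let k = n >= 0 ? n : Math.max(len + n, 0);

  for (; k < len; k++) {
    if (sameValueZero(O[k], searchElement)) return true;
  }
  return false;
}

// Constructed comparison against indexOf on the cases where they differ.
function includesVersusIndexOf() {
  const withNaN = [1, 2, NaN];
  const withHole = [, 1]; // index 0 is a hole
  return {
    includesNaN: arrayIncludes(withNaN, NaN),
    indexOfNaN: withNaN.indexOf(NaN),
    includesHoleAsUndefined: arrayIncludes(withHole, undefined),
    indexOfUndefinedInHole: withHole.indexOf(undefined),
  };
}
```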
3556
3557 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
3558
3559         __defineGetter__/__defineSetter__ should throw exceptions
3560         https://bugs.webkit.org/show_bug.cgi?id=142934
3561
3562         Reviewed by Geoffrey Garen.
3563
3564         * runtime/ObjectPrototype.cpp:
3565         (JSC::objectProtoFuncDefineGetter):
3566         (JSC::objectProtoFuncDefineSetter):
3567         Throw exceptions when these functions are used directly.
3568
3569 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
3570
3571         Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
3572         https://bugs.webkit.org/show_bug.cgi?id=142952
3573
3574         Reviewed by Geoffrey Garen.
3575
3576         * runtime/Structure.cpp:
3577         (JSC::PropertyTable::checkConsistency):
3578         The check offset method doesn't exist in PropertyTable, it exists in Structure.
3579
3580         (JSC::Structure::checkConsistency):
3581         So move it here, and always put it at the start to match normal behavior.
3582
3583 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3584
3585         Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
3586         https://bugs.webkit.org/show_bug.cgi?id=142956
3587
3588         Rubber stamped by Gyuyoung Kim.
3589         
3590         Just removing dead code.
3591
3592         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3593         * JavaScriptCore.xcodeproj/project.pbxproj:
3594         * dfg/DFGOSRExit.h:
3595         * dfg/DFGOSRExitCompiler.cpp:
3596         * dfg/DFGValueRecoveryOverride.h: Removed.
3597
3598 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3599
3600         DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
3601         https://bugs.webkit.org/show_bug.cgi?id=142948
3602
3603         Reviewed by Sam Weinig.
3604         
3605         It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
3606         since a signal may clobber the area below the stack pointer. When the DFG is executing,
3607         the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
3608         baseline, we will use a different amount of stack. This is because baseline is a different
3609         compiler. It will make different decisions. So it will use a different amount of stack.
3610         
3611         This gets tricky when we are in the process of doing an OSR exit, because we are sort of
3612         incrementally transforming the stack from how it looked in the DFG to how it will look in
3613         baseline. The most conservative approach would be to set the stack pointer to the max of
3614         DFG and baseline.
3615         
3616         When this code was written, a reckless assumption was made: that the stack usage in
3617         baseline is always at least as large as the stack usage in DFG. Based on this incorrect
3618         assumption, the code first adjusts the stack pointer to account for the baseline stack
3619         usage. This sort of usually works, because usually baseline does happen to use more stack.
3620         But that's not an invariant. Nobody guarantees this. We will never make any changes that
3621         would make this be guaranteed, because that would be antithetical to how optimizing
3622         compilers work. The DFG should be allowed to use however much stack it decides that it
3623         should use in order to get good performance, and it shouldn't try to guarantee that it
3624         always uses less stack than baseline.
3625         
3626         As such, we must always assume that the frame size for DFG execution (i.e.
3627         frameRegisterCount) and the frame size in baseline once we exit (i.e.
3628         requiredRegisterCountForExit) are two independent quantities and they have no
3629         relationship.
3630         
3631         Fortunately, though, this code can be made correct by just moving the stack adjustment to
3632         just before we do conversions. This is because we have since changed the OSR exit
3633         algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
3634         drop it out of the scratch buffer and into the stack according to the baseline layout. The
3635         point just before conversions is the point where we have finished reading the DFG frame
3636         and will not read it anymore, and we haven't started writing the baseline frame. So, at
3637         this point it is safe to set the stack pointer to account for the frame size at exit.
3638         
3639         This is benign because baseline happens to create larger frames than DFG.
3640
3641         * dfg/DFGOSRExitCompiler32_64.cpp:
3642         (JSC::DFG::OSRExitCompiler::compileExit):
3643         * dfg/DFGOSRExitCompiler64.cpp:
3644         (JSC::DFG::OSRExitCompiler::compileExit):
3645         * dfg/DFGOSRExitCompilerCommon.cpp:
3646         (JSC::DFG::adjustAndJumpToTarget):
3647
3648 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3649
3650         Shorten the number of iterations to 10,000 since that's enough to test all tiers.
3651
3652         Rubber stamped by Sam Weinig.
3653
3654         * tests/stress/equals-masquerader.js:
3655
3656 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
3657
3658         tests/stress/*tdz* tests do 10x more iterations than necessary
3659         https://bugs.webkit.org/show_bug.cgi?id=142946
3660
3661         Reviewed by Ryosuke Niwa.
3662         
3663         The stress test harness runs all of these tests in various configurations. This includes
3664         no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
3665         enough to get to the highest tier. The only exceptions are very large functions or
3666         functions that have some reoptimizations. That happens rarely, and when it does happen,
3667         usually 20,000 iterations is enough.
3668         
3669         Therefore, these tests use 10x too many iterations. This is bad, since these tests
3670         allocate on each iteration, and so they run very slowly in debug mode.
3671
3672         * tests/stress/class-syntax-no-loop-tdz.js:
3673         * tests/stress/class-syntax-no-tdz-in-catch.js:
3674         * tests/stress/class-syntax-no-tdz-in-conditional.js:
3675         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
3676         * tests/stress/class-syntax-no-tdz-in-loop.js:
3677         * tests/stress/class-syntax-no-tdz.js:
3678         * tests/stress/class-syntax-tdz-in-catch.js:
3679         * tests/stress/class-syntax-tdz-in-conditional.js:
3680         * tests/stress/class-syntax-tdz-in-loop.js:
3681         * tests/stress/class-syntax-tdz.js:
3682
3683 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
3684
3685         Fix a typo in Parser error message
3686         https://bugs.webkit.org/show_bug.cgi?id=142942
3687
3688         Reviewed by Alexey Proskuryakov.
3689
3690         * jit/JITPropertyAccess.cpp:
3691         (JSC::JIT::emitSlow_op_resolve_scope):
3692         * jit/JITPropertyAccess32_64.cpp:
3693         (JSC::JIT::emitSlow_op_resolve_scope):
3694         * parser/Parser.cpp:
3695         (JSC::Parser<LexerType>::parseClass):
3696         Fix a common identifier typo.
3697
3698 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
3699
3700         Computed Property names should allow only AssignmentExpressions not any Expression
3701         https://bugs.webkit.org/show_bug.cgi?id=142902
3702
3703         Reviewed by Ryosuke Niwa.
3704
3705         * parser/Parser.cpp:
3706         (JSC::Parser<LexerType>::parseProperty):
3707         Limit computed expressions to just assignment expressions instead of
3708         any expression (which allowed comma expressions).
3709
3710 2015-03-21  Andreas Kling  <akling@apple.com>
3711
3712         Make UnlinkedFunctionExecutable fit in a 128-byte cell.
3713         <https://webkit.org/b/142939>
3714
3715         Reviewed by Mark Hahnenberg.
3716
3717         Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
3718         a 128-byte heap cell instead of requiring a 256-byte one.
3719
3720         Threw in a static_assert to catch anyone pushing it over the limit again.
3721
3722         * bytecode/UnlinkedCodeBlock.cpp:
3723         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3724         * bytecode/UnlinkedCodeBlock.h:
3725         (JSC::UnlinkedFunctionExecutable::functionMode):
3726
3727 2015-03-20  Mark Hahnenberg  <mhahnenb@gmail.com>
3728
3729         GCTimer should keep track of nested GC phases
3730         https://bugs.webkit.org/show_bug.cgi?id=142675
3731
3732         Reviewed by Darin Adler.
3733
3734         This improves the GC phase timing output in Heap.cpp by linking
3735         phases nested inside other phases together, allowing tools
3736         to compute how much time we're spending in various nested phases.
3737
3738         * heap/Heap.cpp:
3739
3740 2015-03-20  Geoffrey Garen  <ggaren@apple.com>
3741
3742         FunctionBodyNode should know where its parameters started
3743         https://bugs.webkit.org/show_bug.cgi?id=142926
3744
3745         Reviewed by Ryosuke Niwa.
3746
3747         This will allow us to re-parse parameters instead of keeping the
3748         parameters piece of the AST around forever.
3749
3750         I also took the opportunity to initialize most FunctionBodyNode data
3751         members at construction time, to help clarify that they are set right.
3752
3753         * parser/ASTBuilder.h:
3754         (JSC::ASTBuilder::createFunctionExpr): No need to pass
3755         functionKeywordStart here; we now provide it at FunctionBodyNode
3756         creation time.
3757
3758         (JSC::ASTBuilder::createFunctionBody): Require everything we need at
3759         construction time, including the start of our parameters.
3760
3761         (JSC::ASTBuilder::createGetterOrSetterProperty):
3762         (JSC::ASTBuilder::createFuncDeclStatement):  No need to pass
3763         functionKeywordStart here; we now provide it at FunctionBodyNode
3764         creation time.
3765
3766         (JSC::ASTBuilder::setFunctionNameStart): Deleted.
3767
3768         * parser/Nodes.cpp:
3769         (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at
3770         construction time.
3771
3772         * parser/Nodes.h: Added a field for the location of our parameters.
3773
3774         * parser/Parser.cpp:
3775         (JSC::Parser<LexerType>::parseFunctionBody):
3776         (JSC::Parser<LexerType>::parseFunctionInfo):
3777         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3778         (JSC::Parser<LexerType>::parseClass):
3779         (JSC::Parser<LexerType>::parsePropertyMethod):
3780         (JSC::Parser<LexerType>::parseGetterSetter):
3781         (JSC::Parser<LexerType>::parsePrimaryExpression):
3782         * parser/Parser.h: Refactored to match above interface changes.
3783
3784         * parser/SyntaxChecker.h:
3785         (JSC::SyntaxChecker::createFunctionExpr):
3786         (JSC::SyntaxChecker::createFunctionBody):
3787         (JSC::SyntaxChecker::createFuncDeclStatement):
3788         (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match
3789         above interface changes.
3790
3791         (JSC::SyntaxChecker::setFunctionNameStart): Deleted.
3792
3793 2015-03-20  Filip Pizlo  <fpizlo@apple.com>
3794
3795         Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes
3796         https://bugs.webkit.org/show_bug.cgi?id=142920
3797
3798         Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam.
3799         
3800         Observably effectful, n.: If we reexecute the bytecode instruction after this node has
3801         executed, then something other than the bytecode instruction's specified outcome will
3802         happen.
3803
3804         We almost never had observably effectful nodes except at the end of the bytecode
3805         instruction.  The exception is a lowered transitioning PutById:
3806
3807         PutStructure(@o, S1 -> S2)
3808         PutByOffset(@o, @o, @v)
3809
3810         The PutStructure is observably effectful: if you try to reexecute the bytecode after
3811         doing the PutStructure, then we'll most likely crash.  The generic PutById handling means
3812         first checking what the old structure of the object is; but if we reexecute, the old
3813         structure will seem to be the new structure.  But the property ensured by the new
3814         structure hasn't been stored yet, so any attempt to load it or scan it will crash.
3815
3816         Intriguingly, however, none of the other operations involved in the PutById are
3817         observably effectful.  Consider this example:
3818
3819         PutByOffset(@o, @o, @v)
3820         PutStructure(@o, S1 -> S2)
3821
3822         Note that the PutStructure node doesn't reallocate property storage; see further below
3823         for an example that does that. Because no property storage reallocation is happening, we know that we
3824         already had room for the new property.  This means that the PutByOffset is not observable
3825         until the PutStructure executes and "reveals" the property.  Hence, PutByOffset is not
3826         observably effectful.
3827
3828         Now consider this:
3829
3830         b: AllocatePropertyStorage(@o)
3831         PutByOffset(@b, @o, @v)
3832         PutStructure(@o, S1 -> S2)
3833
3834         Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably
3835         effectful. It *does* reallocate the property storage and the new property storage pointer
3836         is stored into the object. But until the PutStructure occurs, the world will just think
3837         that the reallocation didn't happen, in the sense that we'll think that the property
3838         storage is using less memory than what we just allocated. That's harmless.
3839
3840         The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the
3841         AllocatePropertyStorage but before the PutByOffset (or before the PutStructure),
3842         everything could be expected to be fine, so long as all of @o, @v and @b are on the
3843         stack. If they are all on the stack, then the GC will leave the property storage alone
3844         (so the extra memory we just allocated would be safe). The GC will not scan the part of
3845         the property storage that contains @v, but that's fine, so long as @v is on the stack.
3846         
3847         The better long-term solution is probably bug 142921.
3848         
3849         But for now, this:
3850         
3851         - Fixes an object materialization bug, exemplified by the two tests, that previously
3852           crashed 100% of the time with FTL enabled and concurrent JIT disabled.
3853         
3854         - Allows us to remove the workaround introduced in r174856.
3855
3856         * dfg/DFGByteCodeParser.cpp:
3857         (JSC::DFG::ByteCodeParser::handlePutById):
3858         * dfg/DFGConstantFoldingPhase.cpp:
3859         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3860         * dfg/DFGFixupPhase.cpp:
3861         (JSC::DFG::FixupPhase::insertCheck):
3862         (JSC::DFG::FixupPhase::indexOfNode): Deleted.
3863         (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted.
3864         * dfg/DFGInsertionSet.h:
3865         (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted.
3866         (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted.
3867         * tests/stress/materialize-past-butterfly-allocation.js: Added.
3868         (bar):
3869         (foo0):
3870         (foo1):
3871         (foo2):
3872         (foo3):
3873         (foo4):
3874         * tests/stress/materialize-past-put-structure.js: Added.
3875         (foo):
3876
3877 2015-03-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3878
3879         REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
3880         https://bugs.webkit.org/show_bug.cgi?id=142410
3881
3882         Reviewed by Geoffrey Garen.
3883
3884         Before this patch, added function JSVal