new Date(NaN).toJSON() must return null instead of throwing a TypeError
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-07-19  Jordan Harband  <ljharb@gmail.com>
2
3         new Date(NaN).toJSON() must return null instead of throwing a TypeError
4         https://bugs.webkit.org/show_bug.cgi?id=141115
5
6         Reviewed by Yusuke Suzuki.
7
8         * runtime/DatePrototype.cpp:
9         (JSC::dateProtoFuncToJSON):
10
11 2015-07-19  Saam barati  <saambarati1@gmail.com>
12
13         Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions
14         https://bugs.webkit.org/show_bug.cgi?id=147090
15
16         Reviewed by Yusuke Suzuki.
17
18         ArrowFunction's have there ParserFunctionInfo "name" field to 
19         be a non-null pointer. This is obviously allowed and valid except we 
20         had a RELEASE_ASSERT that claimed otherwise. This is a mistake. 
21
22         Note: ArrowFunction's will never actually have a function name;
23         there ParserFunctionInfo "name" field will be the empty string. 
24         This is not be mistaken with the name field being a null pointer.
25
26         * parser/Parser.cpp:
27         (JSC::Parser<LexerType>::parseFunctionInfo):
28
29 2015-07-18  Saam barati  <saambarati1@gmail.com>
30
31         [ES6] Add support for block scope const
32         https://bugs.webkit.org/show_bug.cgi?id=31813
33
34         Reviewed by Filip Pizlo.
35
36         'const' is now implemented in an ES6 spec compliant manner.
37         'const' variables are always block scoped and always live
38         either on the stack or in a JSLexicalEnvironment. 'const'
39         variables never live on the global object.
40
41         Inside the BytecodeGenerator, when assigning to a stack
42         'const' variable or a LocalClosureVar 'const' variable,
43         we will emit code that just throws a type error.
44         When assigning to a ClosureVar const variable, CodeBlock linking
45         will ensure that we perform a dynamic lookup of that variable so
46         that put_to_scope's slow path throws a type error.
47
48         The old 'const' implementation has been removed in this patch.
49
50         * bytecode/BytecodeList.json:
51         * bytecode/BytecodeUseDef.h:
52         (JSC::computeUsesForBytecodeOffset):
53         (JSC::computeDefsForBytecodeOffset):
54         * bytecode/CodeBlock.cpp:
55         (JSC::CodeBlock::dumpBytecode):
56         (JSC::CodeBlock::CodeBlock):
57         * bytecompiler/BytecodeGenerator.cpp:
58         (JSC::BytecodeGenerator::BytecodeGenerator):
59         (JSC::BytecodeGenerator::pushLexicalScope):
60         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
61         (JSC::BytecodeGenerator::variable):
62         (JSC::BytecodeGenerator::variableForLocalEntry):
63         (JSC::BytecodeGenerator::createVariable):
64         (JSC::BytecodeGenerator::emitResolveScope):
65         (JSC::BytecodeGenerator::emitInstanceOf):
66         (JSC::BytecodeGenerator::emitGetById):
67         (JSC::BytecodeGenerator::isArgumentNumber):
68         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
69         (JSC::BytecodeGenerator::emitEnumeration):
70         (JSC::BytecodeGenerator::variablePerSymbolTable): Deleted.
71         (JSC::BytecodeGenerator::emitInitGlobalConst): Deleted.
72         * bytecompiler/BytecodeGenerator.h:
73         (JSC::Variable::Variable):
74         (JSC::Variable::isReadOnly):
75         (JSC::Variable::isSpecial):
76         (JSC::Variable::isConst):
77         (JSC::BytecodeGenerator::thisRegister):
78         (JSC::BytecodeGenerator::emitTypeOf):
79         (JSC::BytecodeGenerator::emitIn):
80         * bytecompiler/NodesCodegen.cpp:
81         (JSC::PostfixNode::emitResolve):
82         (JSC::PrefixNode::emitResolve):
83         (JSC::ReadModifyResolveNode::emitBytecode):
84         (JSC::AssignResolveNode::emitBytecode):
85         (JSC::CommaNode::emitBytecode):
86         (JSC::BindingNode::bindValue):
87         (JSC::ConstDeclNode::emitCodeSingle): Deleted.
88         (JSC::ConstDeclNode::emitBytecode): Deleted.
89         (JSC::ConstStatementNode::emitBytecode): Deleted.
90         * dfg/DFGByteCodeParser.cpp:
91         (JSC::DFG::ByteCodeParser::parseBlock):
92         * dfg/DFGCapabilities.cpp:
93         (JSC::DFG::capabilityLevel):
94         * jit/JIT.cpp:
95         (JSC::JIT::privateCompileMainPass):
96         * jit/JIT.h:
97         * jit/JITPropertyAccess.cpp:
98         (JSC::JIT::emit_op_put_to_arguments):
99         (JSC::JIT::emit_op_init_global_const): Deleted.
100         * jit/JITPropertyAccess32_64.cpp:
101         (JSC::JIT::emit_op_put_to_arguments):
102         (JSC::JIT::emit_op_init_global_const): Deleted.
103         * llint/LowLevelInterpreter.asm:
104         * llint/LowLevelInterpreter32_64.asm:
105         * llint/LowLevelInterpreter64.asm:
106         * parser/ASTBuilder.h:
107         (JSC::ASTBuilder::createDeclarationStatement):
108         (JSC::ASTBuilder::createEmptyVarExpression):
109         (JSC::ASTBuilder::createDebugger):
110         (JSC::ASTBuilder::appendStatement):
111         (JSC::ASTBuilder::createVarStatement): Deleted.
112         (JSC::ASTBuilder::createLetStatement): Deleted.
113         (JSC::ASTBuilder::createConstStatement): Deleted.
114         (JSC::ASTBuilder::appendConstDecl): Deleted.
115         * parser/NodeConstructors.h:
116         (JSC::CommaNode::CommaNode):
117         (JSC::SourceElements::SourceElements):
118         (JSC::SwitchNode::SwitchNode):
119         (JSC::BlockNode::BlockNode):
120         (JSC::ConstStatementNode::ConstStatementNode): Deleted.
121         (JSC::ConstDeclNode::ConstDeclNode): Deleted.
122         * parser/Nodes.h:
123         (JSC::ConstDeclNode::hasInitializer): Deleted.
124         (JSC::ConstDeclNode::ident): Deleted.
125         * parser/Parser.cpp:
126         (JSC::Parser<LexerType>::parseStatementListItem):
127         (JSC::Parser<LexerType>::parseVariableDeclaration):
128         (JSC::Parser<LexerType>::parseWhileStatement):
129         (JSC::Parser<LexerType>::parseVariableDeclarationList):
130         (JSC::Parser<LexerType>::createBindingPattern):
131         (JSC::Parser<LexerType>::parseDestructuringPattern):
132         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
133         (JSC::Parser<LexerType>::parseForStatement):
134         (JSC::Parser<LexerType>::parseTryStatement):
135         (JSC::Parser<LexerType>::parseFunctionInfo):
136         (JSC::Parser<LexerType>::parseFunctionDeclaration):
137         (JSC::Parser<LexerType>::parseClass):
138         (JSC::Parser<LexerType>::parseConstDeclaration): Deleted.
139         (JSC::Parser<LexerType>::parseConstDeclarationList): Deleted.
140         * parser/Parser.h:
141         (JSC::isEvalNode):
142         (JSC::isEvalNode<EvalNode>):
143         (JSC::isArguments):
144         (JSC::isEval):
145         (JSC::isEvalOrArgumentsIdentifier):
146         (JSC::Scope::Scope):
147         (JSC::Scope::declareCallee):
148         (JSC::Scope::declareVariable):
149         (JSC::Scope::declareLexicalVariable):
150         (JSC::Scope::hasDeclaredVariable):
151         (JSC::Scope::allowsVarDeclarations):
152         (JSC::Scope::allowsLexicalDeclarations):
153         (JSC::Scope::declareParameter):
154         (JSC::Scope::declareBoundParameter):
155         (JSC::Parser::destructuringKindFromDeclarationType):
156         (JSC::Parser::assignmentContextFromDeclarationType):
157         (JSC::Parser::isEvalOrArguments):
158         (JSC::Parser::currentScope):
159         (JSC::Parser::popScope):
160         (JSC::Parser::declareVariable):
161         (JSC::Parser::hasDeclaredVariable):
162         (JSC::Parser::setStrictMode):
163         (JSC::Parser::strictMode):
164         (JSC::Parser::isValidStrictMode):
165         (JSC::Parser::declareParameter):
166         (JSC::Parser::declareBoundParameter):
167         (JSC::Parser::breakIsValid):
168         * parser/SyntaxChecker.h:
169         (JSC::SyntaxChecker::createForInLoop):
170         (JSC::SyntaxChecker::createForOfLoop):
171         (JSC::SyntaxChecker::createEmptyStatement):
172         (JSC::SyntaxChecker::createDeclarationStatement):
173         (JSC::SyntaxChecker::createReturnStatement):
174         (JSC::SyntaxChecker::createBreakStatement):
175         (JSC::SyntaxChecker::createVarStatement): Deleted.
176         (JSC::SyntaxChecker::createLetStatement): Deleted.
177         * parser/VariableEnvironment.h:
178         (JSC::VariableEnvironmentEntry::isCaptured):
179         (JSC::VariableEnvironmentEntry::isConst):
180         (JSC::VariableEnvironmentEntry::isVar):
181         (JSC::VariableEnvironmentEntry::isLet):
182         (JSC::VariableEnvironmentEntry::setIsCaptured):
183         (JSC::VariableEnvironmentEntry::setIsConst):
184         (JSC::VariableEnvironmentEntry::setIsVar):
185         (JSC::VariableEnvironmentEntry::setIsLet):
186         (JSC::VariableEnvironmentEntry::isConstant): Deleted.
187         (JSC::VariableEnvironmentEntry::setIsConstant): Deleted.
188         * runtime/Executable.cpp:
189         (JSC::ProgramExecutable::initializeGlobalProperties):
190         * runtime/JSGlobalObject.cpp:
191         (JSC::JSGlobalObject::defineOwnProperty):
192         (JSC::JSGlobalObject::addGlobalVar):
193         (JSC::JSGlobalObject::addFunction):
194         (JSC::lastInPrototypeChain):
195         * runtime/JSGlobalObject.h:
196         (JSC::JSGlobalObject::finishCreation):
197         (JSC::JSGlobalObject::addVar):
198         (JSC::JSGlobalObject::addConst): Deleted.
199         * runtime/JSLexicalEnvironment.cpp:
200         (JSC::JSLexicalEnvironment::symbolTablePut):
201         * tests/stress/const-and-with-statement.js: Added.
202         (truth):
203         (assert):
204         (shouldThrowInvalidConstAssignment):
205         (.):
206         * tests/stress/const-exception-handling.js: Added.
207         (truth):
208         (assert):
209         (.):
210         * tests/stress/const-loop-semantics.js: Added.
211         (truth):
212         (assert):
213         (shouldThrowInvalidConstAssignment):
214         (.):
215         * tests/stress/const-not-strict-mode.js: Added.
216         (truth):
217         (assert):
218         (shouldThrowTDZ):
219         (.):
220         * tests/stress/const-semantics.js: Added.
221         (truth):
222         (assert):
223         (shouldThrowInvalidConstAssignment):
224         (.):
225         * tests/stress/const-tdz.js: Added.
226         (truth):
227         (assert):
228         (shouldThrowTDZ):
229         (.):
230
231 2015-07-18  Saam barati  <saambarati1@gmail.com>
232
233         lexical scoping is broken with respect to "break" and "continue"
234         https://bugs.webkit.org/show_bug.cgi?id=147063
235
236         Reviewed by Filip Pizlo.
237
238         Bug #142944 which introduced "let" and lexical scoping
239         didn't properly hook into the bytecode generator's machinery
240         for calculating scope depth deltas for "break" and "continue". This
241         resulted in the bytecode generator popping an incorrect number
242         of scopes when lexical scopes were involved.
243
244         This patch fixes this problem and generalizes this machinery a bit.
245         This patch also renames old functions in a sensible way that is more
246         coherent in a world with lexical scoping.
247
248         * bytecompiler/BytecodeGenerator.cpp:
249         (JSC::BytecodeGenerator::BytecodeGenerator):
250         (JSC::BytecodeGenerator::newLabelScope):
251         (JSC::BytecodeGenerator::emitProfileType):
252         (JSC::BytecodeGenerator::pushLexicalScope):
253         (JSC::BytecodeGenerator::popLexicalScope):
254         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
255         (JSC::BytecodeGenerator::resolveType):
256         (JSC::BytecodeGenerator::emitResolveScope):
257         (JSC::BytecodeGenerator::emitGetFromScope):
258         (JSC::BytecodeGenerator::emitPutToScope):
259         (JSC::BytecodeGenerator::emitPushWithScope):
260         (JSC::BytecodeGenerator::emitGetParentScope):
261         (JSC::BytecodeGenerator::emitPopScope):
262         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
263         (JSC::BytecodeGenerator::emitPopScopes):
264         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
265         (JSC::BytecodeGenerator::localScopeDepth):
266         (JSC::BytecodeGenerator::labelScopeDepth):
267         (JSC::BytecodeGenerator::emitThrowReferenceError):
268         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
269         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
270         (JSC::BytecodeGenerator::popScopedControlFlowContext):
271         (JSC::BytecodeGenerator::emitPushCatchScope):
272         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
273         * bytecompiler/BytecodeGenerator.h:
274         (JSC::BytecodeGenerator::hasFinaliser):
275         (JSC::BytecodeGenerator::scopeDepth): Deleted.
276         * bytecompiler/NodesCodegen.cpp:
277         (JSC::ContinueNode::trivialTarget):
278         (JSC::BreakNode::trivialTarget):
279         (JSC::ReturnNode::emitBytecode):
280         (JSC::WithNode::emitBytecode):
281         (JSC::TryNode::emitBytecode):
282         * tests/stress/lexical-scoping-break-continue.js: Added.
283         (assert):
284         (.):
285
286 2015-07-18  Commit Queue  <commit-queue@webkit.org>
287
288         Unreviewed, rolling out r186996.
289         https://bugs.webkit.org/show_bug.cgi?id=147070
290
291         Broke JSC tests (Requested by smfr on #webkit).
292
293         Reverted changeset:
294
295         "lexical scoping is broken with respect to "break" and
296         "continue""
297         https://bugs.webkit.org/show_bug.cgi?id=147063
298         http://trac.webkit.org/changeset/186996
299
300 2015-07-18  Saam barati  <saambarati1@gmail.com>
301
302         lexical scoping is broken with respect to "break" and "continue"
303         https://bugs.webkit.org/show_bug.cgi?id=147063
304
305         Reviewed by Filip Pizlo.
306
307         Bug #142944 which introduced "let" and lexical scoping
308         didn't properly hook into the bytecode generator's machinery
309         for calculating scope depth deltas for "break" and "continue". This
310         resulted in the bytecode generator popping an incorrect number
311         of scopes when lexical scopes were involved.
312
313         This patch fixes this problem and generalizes this machinery a bit.
314         This patch also renames old functions in a sensible way that is more
315         coherent in a world with lexical scoping.
316
317         * bytecompiler/BytecodeGenerator.cpp:
318         (JSC::BytecodeGenerator::BytecodeGenerator):
319         (JSC::BytecodeGenerator::newLabelScope):
320         (JSC::BytecodeGenerator::emitProfileType):
321         (JSC::BytecodeGenerator::pushLexicalScope):
322         (JSC::BytecodeGenerator::popLexicalScope):
323         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
324         (JSC::BytecodeGenerator::resolveType):
325         (JSC::BytecodeGenerator::emitResolveScope):
326         (JSC::BytecodeGenerator::emitGetFromScope):
327         (JSC::BytecodeGenerator::emitPutToScope):
328         (JSC::BytecodeGenerator::emitPushWithScope):
329         (JSC::BytecodeGenerator::emitGetParentScope):
330         (JSC::BytecodeGenerator::emitPopScope):
331         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
332         (JSC::BytecodeGenerator::emitPopScopes):
333         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
334         (JSC::BytecodeGenerator::localScopeDepth):
335         (JSC::BytecodeGenerator::labelScopeDepth):
336         (JSC::BytecodeGenerator::emitThrowReferenceError):
337         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
338         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
339         (JSC::BytecodeGenerator::popScopedControlFlowContext):
340         (JSC::BytecodeGenerator::emitPushCatchScope):
341         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
342         * bytecompiler/BytecodeGenerator.h:
343         (JSC::BytecodeGenerator::hasFinaliser):
344         (JSC::BytecodeGenerator::scopeDepth): Deleted.
345         * bytecompiler/NodesCodegen.cpp:
346         (JSC::ContinueNode::trivialTarget):
347         (JSC::BreakNode::trivialTarget):
348         (JSC::ReturnNode::emitBytecode):
349         (JSC::WithNode::emitBytecode):
350         (JSC::TryNode::emitBytecode):
351         * tests/stress/lexical-scoping-break-continue.js: Added.
352         (assert):
353         (.):
354
355 2015-07-17  Filip Pizlo  <fpizlo@apple.com>
356
357         DFG should have some obvious mitigations against watching structures that are unprofitable to watch
358         https://bugs.webkit.org/show_bug.cgi?id=147034
359
360         Reviewed by Mark Lam and Michael Saboff.
361         
362         This implements two guards against the DFG watching structures that are likely to fire
363         their watchpoints:
364         
365         - Don't watch dictionaries or any structure that had a dictionary in its past. Dictionaries
366           can be flattened, and then they can transform back to dictionaries.
367         
368         - Don't watch structures whose past structures were transitioned-away from while their
369           transition watchpoints were being watched. This property gives us monotonicity: if we
370           recompile because we watched structure S1 of object O, then we won't make the same mistake
371           again when object O has structure S2, S3, and so on.
372         
373         This is a 1.5% speed-up on Kraken. It does penalize some Octane tests, but it also seems to
374         help some of them, so on Octane it's basically neutral.
375
376         * bytecode/Watchpoint.h:
377         (JSC::WatchpointSet::invalidate):
378         (JSC::WatchpointSet::isBeingWatched):
379         (JSC::WatchpointSet::addressOfState):
380         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
381         (JSC::InlineWatchpointSet::touch):
382         (JSC::InlineWatchpointSet::isBeingWatched):
383         * runtime/JSGlobalObject.h:
384         (JSC::JSGlobalObject::createStructure):
385         (JSC::JSGlobalObject::registerWeakMap):
386         * runtime/Structure.cpp:
387         (JSC::Structure::Structure):
388         (JSC::Structure::toDictionaryTransition):
389         (JSC::Structure::didTransitionFromThisStructure):
390         * runtime/Structure.h:
391
392 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
393
394         Remove DFG::DesiredWriteBarriers because it's just a very difficult way of saying "please barrier the machine code block owner"
395         https://bugs.webkit.org/show_bug.cgi?id=147030
396
397         Reviewed by Andreas Kling.
398         
399         All of the users of DesiredWriteBarriers were just using it to request that Plan
400         finalization executes a barrier on codeBlock->ownerExecutable. Indeed, that's the only
401         owning cell in the heap that compilation affects. So, we might as well just have Plan
402         unconditionally execute that barrier and then we don't need DesiredWriteBarriers at
403         all.
404
405         * CMakeLists.txt:
406         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
407         * JavaScriptCore.xcodeproj/project.pbxproj:
408         * dfg/DFGByteCodeParser.cpp:
409         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
410         * dfg/DFGDesiredWriteBarriers.cpp: Removed.
411         * dfg/DFGDesiredWriteBarriers.h: Removed.
412         * dfg/DFGGraph.cpp:
413         (JSC::DFG::Graph::registerFrozenValues):
414         * dfg/DFGPlan.cpp:
415         (JSC::DFG::Plan::reallyAdd):
416         (JSC::DFG::Plan::notifyCompiling):
417         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
418         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
419         (JSC::DFG::Plan::cancel):
420         * dfg/DFGPlan.h:
421
422 2015-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
423
424         Integrate automatic microtask draining into JSC framework and re-enable Promise
425         https://bugs.webkit.org/show_bug.cgi?id=146828
426
427         Reviewed by Sam Weinig.
428
429         Add automatic microtask draining system into JSC framework.
430         When the depth of VM lock becomes 0, before this, we drain the queued microtasks.
431         Enqueuing behavior can be injected by the JSGlobalObject's method table.
432         It is utilized in WebCore to post the microtask to WebCore's event loop.
433
434         In the case of JSC interactive shell, VM depth is always greater than 0.
435         So we manually drains the queued microtasks after evaluating the written line.
436
437         Since now JSC framework has the microtask queue, we can drain the queued microtasks.
438         So re-enable the Promise in the JSC framework context.
439
440         * API/JSContextRef.cpp:
441         (javaScriptRuntimeFlags): Deleted.
442         * API/tests/testapi.c:
443         (main):
444         * API/tests/testapi.mm:
445         (testObjectiveCAPIMain):
446         * jsc.cpp:
447         (runInteractive):
448         * runtime/JSGlobalObject.cpp:
449         (JSC::JSGlobalObject::queueMicrotask):
450         * runtime/JSLock.cpp:
451         (JSC::JSLock::willReleaseLock):
452         * runtime/VM.cpp:
453         (JSC::VM::queueMicrotask):
454         (JSC::VM::drainMicrotasks):
455         (JSC::QueuedTask::run):
456         * runtime/VM.h:
457         (JSC::QueuedTask::QueuedTask):
458
459 2015-07-17  Saam barati  <saambarati1@gmail.com>
460
461         Function parameters should be parsed in the same parser arena as the function body
462         https://bugs.webkit.org/show_bug.cgi?id=145995
463
464         Reviewed by Yusuke Suzuki.
465
466         This patch changes how functions are parsed in JSC. A function's
467         parameters are now parsed in the same arena as the function itself.
468         This allows us to arena allocate all destructuring AST nodes and
469         the FunctionParameters node. This will help make implementing ES6
470         default parameter values sane.
471
472         A source code that represents a function now includes the text of the function's 
473         parameters. The starting offset is at the opening parenthesis of the parameter
474         list or at the starting character of the identifier for arrow functions that
475         have single arguments and don't start with parenthesis.
476
477         For example:
478
479         "function (param1, param2) { ... }"
480                                    ^
481                                    | This offset used to be the starting offset of a function's SourceCode
482                   ^
483                   | This is the new starting offset for a function's SourceCode.
484
485         This requires us to change how some offsets are calculated
486         and also requires us to report some different line numbers for internal
487         metrics that use a SourceCode's starting line and column numbers.
488
489         This patch also does a bit of cleanup with regards to how
490         functions are parsed in general (especially arrow functions).
491         It removes some unnecessary #ifdefs and the likes for arrow
492         to make things clearer and more deliberate.
493
494         * API/JSScriptRef.cpp:
495         (parseScript):
496         * builtins/BuiltinExecutables.cpp:
497         (JSC::BuiltinExecutables::createExecutableInternal):
498         * bytecode/UnlinkedCodeBlock.cpp:
499         (JSC::generateFunctionCodeBlock):
500         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
501         (JSC::UnlinkedFunctionExecutable::visitChildren):
502         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
503         * bytecode/UnlinkedCodeBlock.h:
504         * bytecompiler/NodesCodegen.cpp:
505         (JSC::DestructuringAssignmentNode::emitBytecode):
506         (JSC::assignDefaultValueIfUndefined):
507         (JSC::ArrayPatternNode::collectBoundIdentifiers):
508         (JSC::DestructuringPatternNode::~DestructuringPatternNode): Deleted.
509         * parser/ASTBuilder.h:
510         (JSC::ASTBuilder::createClassExpr):
511         (JSC::ASTBuilder::createFunctionExpr):
512         (JSC::ASTBuilder::createFunctionBody):
513         (JSC::ASTBuilder::createArrowFunctionExpr):
514         (JSC::ASTBuilder::createGetterOrSetterProperty):
515         (JSC::ASTBuilder::createElementList):
516         (JSC::ASTBuilder::createFormalParameterList):
517         (JSC::ASTBuilder::appendParameter):
518         (JSC::ASTBuilder::createClause):
519         (JSC::ASTBuilder::createClauseList):
520         (JSC::ASTBuilder::createFuncDeclStatement):
521         (JSC::ASTBuilder::createForInLoop):
522         (JSC::ASTBuilder::createForOfLoop):
523         (JSC::ASTBuilder::isResolve):
524         (JSC::ASTBuilder::createDestructuringAssignment):
525         (JSC::ASTBuilder::createArrayPattern):
526         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
527         (JSC::ASTBuilder::appendArrayPatternEntry):
528         (JSC::ASTBuilder::appendArrayPatternRestEntry):
529         (JSC::ASTBuilder::finishArrayPattern):
530         (JSC::ASTBuilder::createObjectPattern):
531         (JSC::ASTBuilder::appendObjectPatternEntry):
532         (JSC::ASTBuilder::createBindingLocation):
533         (JSC::ASTBuilder::setEndOffset):
534         * parser/Lexer.cpp:
535         (JSC::Lexer<T>::Lexer):
536         (JSC::Lexer<T>::nextTokenIsColon):
537         (JSC::Lexer<T>::setTokenPosition):
538         (JSC::Lexer<T>::lex):
539         (JSC::Lexer<T>::clear):
540         * parser/Lexer.h:
541         (JSC::Lexer::setIsReparsingFunction):
542         (JSC::Lexer::isReparsingFunction):
543         (JSC::Lexer::lineNumber):
544         (JSC::Lexer::setIsReparsing): Deleted.
545         (JSC::Lexer::isReparsing): Deleted.
546         * parser/NodeConstructors.h:
547         (JSC::TryNode::TryNode):
548         (JSC::FunctionParameters::FunctionParameters):
549         (JSC::FuncExprNode::FuncExprNode):
550         (JSC::FuncDeclNode::FuncDeclNode):
551         (JSC::ArrayPatternNode::ArrayPatternNode):
552         (JSC::ObjectPatternNode::ObjectPatternNode):
553         (JSC::BindingNode::BindingNode):
554         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
555         (JSC::ParameterNode::ParameterNode): Deleted.
556         (JSC::ArrayPatternNode::create): Deleted.
557         (JSC::ObjectPatternNode::create): Deleted.
558         (JSC::BindingNode::create): Deleted.
559         * parser/Nodes.cpp:
560         (JSC::ProgramNode::ProgramNode):
561         (JSC::EvalNode::EvalNode):
562         (JSC::FunctionBodyNode::FunctionBodyNode):
563         (JSC::FunctionBodyNode::finishParsing):
564         (JSC::FunctionNode::FunctionNode):
565         (JSC::FunctionNode::finishParsing):
566         (JSC::FunctionParameters::create): Deleted.
567         (JSC::FunctionParameters::FunctionParameters): Deleted.
568         (JSC::FunctionParameters::~FunctionParameters): Deleted.
569         * parser/Nodes.h:
570         (JSC::ProgramNode::startColumn):
571         (JSC::ProgramNode::endColumn):
572         (JSC::EvalNode::startColumn):
573         (JSC::EvalNode::endColumn):
574         (JSC::FunctionParameters::size):
575         (JSC::FunctionParameters::at):
576         (JSC::FunctionParameters::append):
577         (JSC::FuncExprNode::body):
578         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
579         (JSC::DestructuringPatternNode::isBindingNode):
580         (JSC::DestructuringPatternNode::emitDirectBinding):
581         (JSC::ArrayPatternNode::appendIndex):
582         (JSC::ObjectPatternNode::appendEntry):
583         (JSC::BindingNode::boundProperty):
584         (JSC::BindingNode::divotStart):
585         (JSC::BindingNode::divotEnd):
586         (JSC::DestructuringAssignmentNode::bindings):
587         (JSC::FuncDeclNode::body):
588         (JSC::ParameterNode::pattern): Deleted.
589         (JSC::ParameterNode::nextParam): Deleted.
590         (JSC::FunctionParameters::patterns): Deleted.
591         * parser/Parser.cpp:
592         (JSC::Parser<LexerType>::Parser):
593         (JSC::Parser<LexerType>::~Parser):
594         (JSC::Parser<LexerType>::parseInner):
595         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
596         (JSC::Parser<LexerType>::parseSourceElements):
597         (JSC::Parser<LexerType>::createBindingPattern):
598         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
599         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
600         (JSC::Parser<LexerType>::parseSwitchClauses):
601         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
602         (JSC::Parser<LexerType>::parseBlockStatement):
603         (JSC::Parser<LexerType>::parseStatement):
604         (JSC::Parser<LexerType>::parseFormalParameters):
605         (JSC::Parser<LexerType>::parseFunctionBody):
606         (JSC::stringForFunctionMode):
607         (JSC::Parser<LexerType>::parseFunctionParameters):
608         (JSC::Parser<LexerType>::parseFunctionInfo):
609         (JSC::Parser<LexerType>::parseFunctionDeclaration):
610         (JSC::Parser<LexerType>::parseClass):
611         (JSC::Parser<LexerType>::parsePrimaryExpression):
612         (JSC::Parser<LexerType>::parseMemberExpression):
613         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
614         (JSC::operatorString):
615         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody): Deleted.
616         * parser/Parser.h:
617         (JSC::Parser::positionBeforeLastNewline):
618         (JSC::Parser::locationBeforeLastToken):
619         (JSC::Parser::findCachedFunctionInfo):
620         (JSC::Parser::isofToken):
621         (JSC::Parser::isEndOfArrowFunction):
622         (JSC::Parser::isArrowFunctionParamters):
623         (JSC::Parser::tokenStart):
624         (JSC::Parser::isLETMaskedAsIDENT):
625         (JSC::Parser::autoSemiColon):
626         (JSC::Parser::setEndOfStatement):
627         (JSC::Parser::canRecurse):
628         (JSC::Parser<LexerType>::parse):
629         (JSC::parse):
630         * parser/ParserFunctionInfo.h:
631         * parser/ParserModes.h:
632         (JSC::functionNameIsInScope):
633         * parser/SourceCode.h:
634         (JSC::makeSource):
635         (JSC::SourceCode::subExpression):
636         (JSC::SourceCode::subArrowExpression): Deleted.
637         * parser/SourceProviderCache.h:
638         (JSC::SourceProviderCache::get):
639         * parser/SourceProviderCacheItem.h:
640         (JSC::SourceProviderCacheItem::endFunctionToken):
641         (JSC::SourceProviderCacheItem::usedVariables):
642         (JSC::SourceProviderCacheItem::writtenVariables):
643         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
644         * parser/SyntaxChecker.h:
645         (JSC::SyntaxChecker::SyntaxChecker):
646         (JSC::SyntaxChecker::createClassExpr):
647         (JSC::SyntaxChecker::createFunctionExpr):
648         (JSC::SyntaxChecker::createFunctionBody):
649         (JSC::SyntaxChecker::createArrowFunctionExpr):
650         (JSC::SyntaxChecker::setFunctionNameStart):
651         (JSC::SyntaxChecker::createArguments):
652         (JSC::SyntaxChecker::createPropertyList):
653         (JSC::SyntaxChecker::createElementList):
654         (JSC::SyntaxChecker::createFormalParameterList):
655         (JSC::SyntaxChecker::appendParameter):
656         (JSC::SyntaxChecker::createClause):
657         (JSC::SyntaxChecker::createClauseList):
658         * runtime/CodeCache.cpp:
659         (JSC::CodeCache::getGlobalCodeBlock):
660         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
661         * runtime/Completion.cpp:
662         (JSC::checkSyntax):
663         * runtime/Executable.cpp:
664         (JSC::ProgramExecutable::checkSyntax):
665         * tests/controlFlowProfiler/conditional-expression.js:
666         (testConditionalFunctionCall):
667
668 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
669
670         Unreviewed, fix build for newer LLVMs.
671
672         * llvm/LLVMHeaders.h:
673         * llvm/library/LLVMExports.cpp:
674
675 2015-07-16  Mark Lam  <mark.lam@apple.com>
676
677         RegExp::match() should set m_state to ByteCode if compilation fails.
678         https://bugs.webkit.org/show_bug.cgi?id=147023
679
680         Reviewed by Michael Saboff.
681
682         A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
683         If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
684         Subsequently, if RegExp tries to compile another one of these but fails, m_state
685         will be left untouched i.e. it still says JITCode.  As a result, when
686         RegExp::match() later tries to execute the non-existant compiled code, it will
687         crash.
688
689         The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
690         This failure should be rare.  We'll do the minimal work here to fix the issue and
691         keep an eye on the perf bots.  If perf regresses, we can do some optimization work then.
692
693         This issue is difficult to test for since it either requires a low memory condition
694         to trigger a failed RegExp compilation at the right moment, or for the RegExp to
695         succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
696         Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
697         10 compilation attempts.
698
699         * runtime/RegExp.cpp:
700         (JSC::RegExp::compile):
701         (JSC::RegExp::compileMatchOnly):
702
703 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
704
705         [Win] Fix armv7 build.
706
707         * jit/CCallHelpers.h:
708         (JSC::CCallHelpers::setupArgumentsWithExecState): The 64-bit argument
709         version of poke is not available on armv7 builds.
710
711 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
712
713         [Win] 64-bit Build Failure
714         https://bugs.webkit.org/show_bug.cgi?id=146989
715
716         Reviewed by Mark Lam.
717
718         * jit/CCallHelpers.h:
719         (JSC::CCallHelpers::setupArgumentsWithExecState): Add missing
720         declaration for 64-bit type on 4-argument register machines (like
721         Windows).
722
723 2015-07-15  Saam barati  <saambarati1@gmail.com>
724
725         [ES6] implement block scoping to enable 'let'
726         https://bugs.webkit.org/show_bug.cgi?id=142944
727
728         Reviewed by Filip Pizlo.
729
730         * CMakeLists.txt:
731         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
732         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
733         * JavaScriptCore.xcodeproj/project.pbxproj:
734         * builtins/BuiltinExecutables.cpp:
735         (JSC::BuiltinExecutables::createExecutableInternal):
736         * bytecode/BytecodeList.json:
737         This patch adds a new opcode and removes op_pop_scope:
738         1) op_get_parent_scope returns the parent scope but doesn't 
739         implicitly write that scope into the scope register. op_pop_scope
740         is now reduced to op_get_parent_scope followed by op_mov.
741
742         * bytecode/BytecodeUseDef.h:
743         (JSC::computeUsesForBytecodeOffset):
744         (JSC::computeDefsForBytecodeOffset):
745         * bytecode/CodeBlock.cpp:
746         (JSC::CodeBlock::dumpBytecode):
747         (JSC::CodeBlock::CodeBlock):
748         (JSC::CodeBlock::stronglyVisitStrongReferences):
749         * bytecode/CodeBlock.h:
750         (JSC::CodeBlock::addStringSwitchJumpTable):
751         (JSC::CodeBlock::stringSwitchJumpTable):
752         (JSC::CodeBlock::symbolTable):
753         (JSC::CodeBlock::evalCodeCache):
754         (JSC::CodeBlock::setConstantRegisters):
755         (JSC::CodeBlock::replaceConstant):
756         op_put_to_scope for LocalClosureVar now takes as an argument
757         the constant index for the Symbol Table it will be putting into.
758         This argument is only used to communicate from the BytecodeGenerator
759         to CodeBlock linking time and it is not present in the linked bytecode.
760
761         op_put_to_scope for non LocalClosureVar takes, at the same index, an
762         argument that represents the local scope depth which it uses for
763         JSScope::abstractResolve to know how many scopes it needs to skip.
764         Again, this is not in the linked code.
765         op_get_from_scope and op_resolve_scope also take as an argument
766         the local scope depth to use in JSScope::abstractResolve. Again,
767         this is not used in the linked code.
768
769         * bytecode/EvalCodeCache.h:
770         (JSC::EvalCodeCache::tryGet):
771         (JSC::EvalCodeCache::getSlow):
772         (JSC::EvalCodeCache::clear):
773         (JSC::EvalCodeCache::isCacheable):
774         When direct eval is called and passed a scope that 
775         corresponds to a lexical scope, we can't safely cache 
776         that code because we won't be able to guarantee
777         that the cached code is always executed in the same scope.
778         Consider this example:
779         function foo() {
780             let x = 20;
781             eval("x;");
782             if (b) {
783                 let x = 30;
784                 if (b) {
785                     let y = 40;
786                     eval("x;")
787                 }
788             }
789         }
790
791         We can't reuse resolution depth when linking get_from_scope in evals.
792
793         * bytecode/UnlinkedCodeBlock.cpp:
794         (JSC::generateFunctionCodeBlock):
795         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
796         (JSC::UnlinkedFunctionExecutable::parameterCount):
797         * bytecode/UnlinkedCodeBlock.h:
798         Unlinked functions now know the variables that were under TDZ in their parent
799         scope.
800
801         (JSC::UnlinkedCodeBlock::symbolTable):
802         (JSC::UnlinkedCodeBlock::setSymbolTable):
803         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
804         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
805         (JSC::UnlinkedCodeBlock::vm):
806         * bytecompiler/BytecodeGenerator.cpp:
807         (JSC::BytecodeGenerator::generate):
808         (JSC::BytecodeGenerator::BytecodeGenerator):
809         (JSC::BytecodeGenerator::~BytecodeGenerator):
810         (JSC::BytecodeGenerator::newRegister):
811         (JSC::BytecodeGenerator::reclaimFreeRegisters):
812         (JSC::BytecodeGenerator::newBlockScopeVariable):
813         (JSC::BytecodeGenerator::newTemporary):
814         (JSC::BytecodeGenerator::emitProfileType):
815         (JSC::BytecodeGenerator::emitLoadGlobalObject):
816         (JSC::BytecodeGenerator::pushLexicalScope):
817         (JSC::BytecodeGenerator::popLexicalScope):
818         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
819         (JSC::BytecodeGenerator::variable):
820         (JSC::BytecodeGenerator::variablePerSymbolTable):
821         (JSC::BytecodeGenerator::variableForLocalEntry):
822         (JSC::BytecodeGenerator::createVariable):
823         (JSC::BytecodeGenerator::emitResolveScope):
824         (JSC::BytecodeGenerator::emitGetFromScope):
825         (JSC::BytecodeGenerator::emitPutToScope):
826         (JSC::BytecodeGenerator::initializeVariable):
827         (JSC::BytecodeGenerator::emitTDZCheck):
828         (JSC::BytecodeGenerator::needsTDZCheck):
829         (JSC::BytecodeGenerator::emitTDZCheckIfNecessary):
830         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
831         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
832         (JSC::BytecodeGenerator::emitNewObject):
833         (JSC::BytecodeGenerator::emitPushWithScope):
834         (JSC::BytecodeGenerator::emitGetParentScope):
835         (JSC::BytecodeGenerator::emitPopScope):
836         (JSC::BytecodeGenerator::emitDebugHook):
837         (JSC::BytecodeGenerator::pushFinallyContext):
838         (JSC::BytecodeGenerator::pushIteratorCloseContext):
839         (JSC::BytecodeGenerator::emitComplexPopScopes):
840         (JSC::BytecodeGenerator::emitPopScopes):
841         (JSC::BytecodeGenerator::popTryAndEmitCatch):
842         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
843         (JSC::BytecodeGenerator::currentScopeDepth):
844         (JSC::BytecodeGenerator::emitThrowReferenceError):
845         (JSC::BytecodeGenerator::emitPushCatchScope):
846         (JSC::BytecodeGenerator::beginSwitch):
847         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
848         (JSC::BytecodeGenerator::emitEnumeration):
849         * bytecompiler/BytecodeGenerator.h:
850         (JSC::Variable::Variable):
851         (JSC::Variable::isResolved):
852         (JSC::Variable::symbolTableConstantIndex):
853         (JSC::Variable::ident):
854         (JSC::BytecodeGenerator::ignoredResult):
855         (JSC::BytecodeGenerator::tempDestination):
856         (JSC::BytecodeGenerator::lastOpcodeID):
857         (JSC::BytecodeGenerator::makeFunction):
858         (JSC::BytecodeGenerator::symbolTable):
859         (JSC::BytecodeGenerator::shouldOptimizeLocals): Deleted.
860         (JSC::BytecodeGenerator::canOptimizeNonLocals): Deleted.
861         The heart of the changes in this patch are in the bytecode generator.
862         The bytecode generator now keeps a stack of tuples of 
863         {symbol table, scope register, flag indicating catch or with scope, symbol table index in constant pool}
864         that models the runtime scope stack. This symbol table stack is used
865         in resolving local variables.
866
867         Also, the bytecode generator handles pushing and popping of lexical scopes. 
868         This is relatively straight forward:
869         Captured 'let' variables end up in the JSLexicalEnvironment scope and non-captured
870         variables end up on the stack. Some trickiness is involved in generating
871         code for 'for' loops that have captured variables (I'm talking about variables in the loop
872         header, not the loop body). Each iteration of the for loop ends up with 
873         its own JSLexicalEnvironment. Static code must be generated in such a way 
874         to create this runtime behavior. This is done by emitting instructions to 
875         push and pop a lexical scope at the end of each loop and copying values
876         from the previous loop's scope into the new scope. This code must also
877         ensure that each loop iteration's scope refers to the same underlying 
878         SymbolTable so that no scope is accidentally mistaken as being a singleton scope.
879
880         When the debugger is enabled, all lexically defined variables will end up in the
881         JSLexicalEnvironment.
882
883         * bytecompiler/NodesCodegen.cpp:
884         (JSC::ResolveNode::emitBytecode):
885         (JSC::FunctionCallResolveNode::emitBytecode):
886         (JSC::PostfixNode::emitResolve):
887         (JSC::DeleteResolveNode::emitBytecode):
888         (JSC::TypeOfResolveNode::emitBytecode):
889         (JSC::PrefixNode::emitResolve):
890         (JSC::ReadModifyResolveNode::emitBytecode):
891         (JSC::AssignResolveNode::emitBytecode):
892         (JSC::BlockNode::emitBytecode):
893         (JSC::ExprStatementNode::emitBytecode):
894         (JSC::DeclarationStatement::emitBytecode):
895         (JSC::EmptyVarExpression::emitBytecode):
896         (JSC::EmptyLetExpression::emitBytecode):
897         (JSC::ForNode::emitBytecode):
898         (JSC::ForInNode::emitMultiLoopBytecode):
899         (JSC::ForOfNode::emitBytecode):
900         (JSC::SwitchNode::emitBytecode):
901         (JSC::BindingNode::bindValue):
902         (JSC::VarStatementNode::emitBytecode): Deleted.
903         * debugger/DebuggerCallFrame.cpp:
904         (JSC::DebuggerCallFrame::evaluate):
905         * debugger/DebuggerScope.cpp:
906         (JSC::DebuggerScope::getOwnPropertySlot):
907         (JSC::DebuggerScope::put):
908         * dfg/DFGByteCodeParser.cpp:
909         (JSC::DFG::ByteCodeParser::parseBlock):
910         * dfg/DFGCapabilities.cpp:
911         (JSC::DFG::capabilityLevel):
912         * dfg/DFGNode.h:
913         (JSC::DFG::Node::castConstant):
914         (JSC::DFG::Node::initializationValueForActivation):
915         (JSC::DFG::Node::containsMovHint):
916         * dfg/DFGObjectAllocationSinkingPhase.cpp:
917         CreateActivation nodes now have a second OpInfo that tracks the 
918         initial value that needs to be placed in the activation. This initial value 
919         is also used in allocation sinking to create proper bottom values for all 
920         scope variables.
921
922         * dfg/DFGOperations.cpp:
923         * dfg/DFGOperations.h:
924         * dfg/DFGSpeculativeJIT.cpp:
925         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
926         * dfg/DFGSpeculativeJIT.h:
927         (JSC::DFG::SpeculativeJIT::callOperation):
928         * ftl/FTLIntrinsicRepository.h:
929         * ftl/FTLLowerDFGToLLVM.cpp:
930         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
931         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
932         * ftl/FTLOperations.cpp:
933         (JSC::FTL::operationMaterializeObjectInOSR):
934         * interpreter/Interpreter.cpp:
935         (JSC::Interpreter::execute):
936         * jit/CCallHelpers.h:
937         (JSC::CCallHelpers::setupArgumentsWithExecState):
938         * jit/JIT.cpp:
939         (JSC::JIT::privateCompileMainPass):
940         * jit/JIT.h:
941         * jit/JITInlines.h:
942         (JSC::JIT::callOperation):
943         * jit/JITOpcodes.cpp:
944         (JSC::JIT::emit_op_push_with_scope):
945         (JSC::JIT::compileOpStrictEq):
946         (JSC::JIT::emit_op_catch):
947         (JSC::JIT::emit_op_create_lexical_environment):
948         (JSC::JIT::emit_op_get_parent_scope):
949         (JSC::JIT::emit_op_switch_imm):
950         (JSC::JIT::emit_op_enter):
951         (JSC::JIT::emit_op_get_scope):
952         (JSC::JIT::emit_op_pop_scope): Deleted.
953         * jit/JITOpcodes32_64.cpp:
954         (JSC::JIT::emit_op_push_with_scope):
955         (JSC::JIT::emit_op_to_number):
956         (JSC::JIT::emit_op_catch):
957         (JSC::JIT::emit_op_create_lexical_environment):
958         (JSC::JIT::emit_op_get_parent_scope):
959         (JSC::JIT::emit_op_switch_imm):
960         (JSC::JIT::emit_op_enter):
961         (JSC::JIT::emit_op_get_scope):
962         (JSC::JIT::emit_op_pop_scope): Deleted.
963         * jit/JITOperations.cpp:
964         (JSC::canAccessArgumentIndexQuickly):
965         * jit/JITOperations.h:
966         * llint/LLIntSlowPaths.cpp:
967         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
968         * llint/LLIntSlowPaths.h:
969         * llint/LowLevelInterpreter.asm:
970         * llint/LowLevelInterpreter32_64.asm:
971         * llint/LowLevelInterpreter64.asm:
972         * parser/ASTBuilder.h:
973         (JSC::ASTBuilder::createSourceElements):
974         (JSC::ASTBuilder::funcDeclarations):
975         (JSC::ASTBuilder::features):
976         (JSC::ASTBuilder::numConstants):
977         (JSC::ASTBuilder::createConditionalExpr):
978         (JSC::ASTBuilder::createAssignResolve):
979         (JSC::ASTBuilder::createClassDeclStatement):
980         (JSC::ASTBuilder::createBlockStatement):
981         (JSC::ASTBuilder::createIfStatement):
982         (JSC::ASTBuilder::createForLoop):
983         (JSC::ASTBuilder::createForInLoop):
984         (JSC::ASTBuilder::createForOfLoop):
985         (JSC::ASTBuilder::isBindingNode):
986         (JSC::ASTBuilder::createEmptyStatement):
987         (JSC::ASTBuilder::createDeclarationStatement):
988         (JSC::ASTBuilder::createVarStatement):
989         (JSC::ASTBuilder::createLetStatement):
990         (JSC::ASTBuilder::createEmptyVarExpression):
991         (JSC::ASTBuilder::createEmptyLetExpression):
992         (JSC::ASTBuilder::createReturnStatement):
993         (JSC::ASTBuilder::createTryStatement):
994         (JSC::ASTBuilder::createSwitchStatement):
995         (JSC::ASTBuilder::appendStatement):
996         (JSC::ASTBuilder::createCommaExpr):
997         (JSC::ASTBuilder::appendObjectPatternEntry):
998         (JSC::ASTBuilder::createBindingLocation):
999         (JSC::ASTBuilder::setEndOffset):
1000         (JSC::ASTBuilder::Scope::Scope):
1001         (JSC::ASTBuilder::makeAssignNode):
1002         (JSC::ASTBuilder::varDeclarations): Deleted.
1003         (JSC::ASTBuilder::addVar): Deleted.
1004         * parser/Keywords.table:
1005         * parser/NodeConstructors.h:
1006         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
1007         (JSC::AssignResolveNode::AssignResolveNode):
1008         (JSC::ExprStatementNode::ExprStatementNode):
1009         (JSC::DeclarationStatement::DeclarationStatement):
1010         (JSC::EmptyVarExpression::EmptyVarExpression):
1011         (JSC::EmptyLetExpression::EmptyLetExpression):
1012         (JSC::IfElseNode::IfElseNode):
1013         (JSC::WhileNode::WhileNode):
1014         (JSC::ForNode::ForNode):
1015         (JSC::CaseBlockNode::CaseBlockNode):
1016         (JSC::SwitchNode::SwitchNode):
1017         (JSC::ConstDeclNode::ConstDeclNode):
1018         (JSC::BlockNode::BlockNode):
1019         (JSC::EnumerationNode::EnumerationNode):
1020         (JSC::ForInNode::ForInNode):
1021         (JSC::ForOfNode::ForOfNode):
1022         (JSC::ObjectPatternNode::create):
1023         (JSC::BindingNode::create):
1024         (JSC::BindingNode::BindingNode):
1025         (JSC::VarStatementNode::VarStatementNode): Deleted.
1026         * parser/Nodes.cpp:
1027         (JSC::ScopeNode::ScopeNode):
1028         (JSC::ScopeNode::singleStatement):
1029         (JSC::ProgramNode::ProgramNode):
1030         (JSC::EvalNode::EvalNode):
1031         (JSC::FunctionNode::FunctionNode):
1032         (JSC::FunctionNode::finishParsing):
1033         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1034         * parser/Nodes.h:
1035         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1036         (JSC::VariableEnvironmentNode::lexicalVariables):
1037         (JSC::ScopeNode::usesThis):
1038         (JSC::ScopeNode::needsActivationForMoreThanVariables):
1039         (JSC::ScopeNode::needsActivation):
1040         (JSC::ScopeNode::hasCapturedVariables):
1041         (JSC::ScopeNode::captures):
1042         (JSC::ScopeNode::varDeclarations):
1043         (JSC::ScopeNode::functionStack):
1044         (JSC::ScopeNode::neededConstants):
1045         (JSC::ProgramNode::startColumn):
1046         (JSC::ProgramNode::endColumn):
1047         (JSC::EvalNode::startColumn):
1048         (JSC::EvalNode::endColumn):
1049         (JSC::BindingNode::boundProperty):
1050         (JSC::BindingNode::divotStart):
1051         (JSC::BindingNode::divotEnd):
1052         (JSC::ScopeNode::capturedVariableCount): Deleted.
1053         (JSC::ScopeNode::capturedVariables): Deleted.
1054         (JSC::ScopeNode::varStack): Deleted.
1055         There is a new class called 'VariableEnvironmentNode' that has the
1056         necessary fields to model a lexical scope. Multiple AST nodes now 
1057         also inherit from VariableEnvironmentNode.
1058
1059         * parser/Parser.cpp:
1060         (JSC::Parser<LexerType>::parseInner):
1061         (JSC::Parser<LexerType>::didFinishParsing):
1062         (JSC::Parser<LexerType>::parseStatementListItem):
1063         (JSC::Parser<LexerType>::parseVariableDeclaration):
1064         (JSC::Parser<LexerType>::parseWhileStatement):
1065         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1066         (JSC::Parser<LexerType>::createBindingPattern):
1067         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
1068         (JSC::Parser<LexerType>::parseDestructuringPattern):
1069         (JSC::Parser<LexerType>::parseConstDeclarationList):
1070         (JSC::Parser<LexerType>::parseForStatement):
1071         (JSC::Parser<LexerType>::parseBreakStatement):
1072         (JSC::Parser<LexerType>::parseContinueStatement):
1073         (JSC::Parser<LexerType>::parseSwitchStatement):
1074         (JSC::Parser<LexerType>::parseTryStatement):
1075         (JSC::Parser<LexerType>::parseBlockStatement):
1076         (JSC::Parser<LexerType>::parseStatement):
1077         (JSC::Parser<LexerType>::parseFunctionInfo):
1078         (JSC::Parser<LexerType>::parseClassDeclaration):
1079         (JSC::Parser<LexerType>::parseClass):
1080         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1081         (JSC::Parser<LexerType>::parseAssignmentExpression):
1082         (JSC::Parser<LexerType>::parseGetterSetter):
1083         (JSC::Parser<LexerType>::parsePrimaryExpression):
1084         (JSC::Parser<LexerType>::parseVarDeclaration): Deleted.
1085         (JSC::Parser<LexerType>::parseVarDeclarationList): Deleted.
1086         * parser/Parser.h:
1087         (JSC::Scope::Scope):
1088         (JSC::Scope::setIsFunction):
1089         (JSC::Scope::isFunction):
1090         (JSC::Scope::isFunctionBoundary):
1091         (JSC::Scope::setIsLexicalScope):
1092         (JSC::Scope::isLexicalScope):
1093         (JSC::Scope::declaredVariables):
1094         (JSC::Scope::finalizeLexicalEnvironment):
1095         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
1096         (JSC::Scope::declareCallee):
1097         (JSC::Scope::declareVariable):
1098         (JSC::Scope::declareLexicalVariable):
1099         (JSC::Scope::hasDeclaredVariable):
1100         (JSC::Scope::hasLexicallyDeclaredVariable):
1101         (JSC::Scope::hasDeclaredParameter):
1102         (JSC::Scope::declareWrite):
1103         (JSC::Scope::preventAllVariableDeclarations):
1104         (JSC::Scope::preventVarDeclarations):
1105         (JSC::Scope::allowsVarDeclarations):
1106         (JSC::Scope::allowsLexicalDeclarations):
1107         (JSC::Scope::declareParameter):
1108         (JSC::Scope::declareBoundParameter):
1109         (JSC::Scope::useVariable):
1110         (JSC::Scope::setNeedsFullActivation):
1111         (JSC::Scope::needsFullActivation):
1112         (JSC::Scope::hasDirectSuper):
1113         (JSC::Scope::setNeedsSuperBinding):
1114         (JSC::Scope::collectFreeVariables):
1115         (JSC::Scope::getCapturedVars):
1116         (JSC::Scope::copyCapturedVariablesToVector):
1117         (JSC::Parser::AutoCleanupLexicalScope::AutoCleanupLexicalScope):
1118         (JSC::Parser::AutoCleanupLexicalScope::~AutoCleanupLexicalScope):
1119         (JSC::Parser::AutoCleanupLexicalScope::setIsValid):
1120         (JSC::Parser::AutoCleanupLexicalScope::isValid):
1121         (JSC::Parser::AutoCleanupLexicalScope::setPopped):
1122         (JSC::Parser::AutoCleanupLexicalScope::scope):
1123         (JSC::Parser::currentScope):
1124         (JSC::Parser::pushScope):
1125         (JSC::Parser::popScopeInternal):
1126         (JSC::Parser::popScope):
1127         (JSC::Parser::declareVariable):
1128         (JSC::Parser::hasDeclaredVariable):
1129         (JSC::Parser::hasDeclaredParameter):
1130         (JSC::Parser::declareWrite):
1131         (JSC::Parser::findCachedFunctionInfo):
1132         (JSC::Parser::isFunctionBodyNode):
1133         (JSC::Parser::continueIsValid):
1134         (JSC::Parser::pushLabel):
1135         (JSC::Parser::popLabel):
1136         (JSC::Parser::getLabel):
1137         (JSC::Parser::isLETMaskedAsIDENT):
1138         (JSC::Parser<LexerType>::parse):
1139         (JSC::Scope::preventNewDecls): Deleted.
1140         (JSC::Scope::allowsNewDecls): Deleted.
1141         (JSC::Scope::getCapturedVariables): Deleted.
1142         There are basic parser changes that now allow for the 'let'
1143         keyword. The trickiest change is how we will still treat 'let' 
1144         as an identifier for sloppy-mode code sometimes. For example,
1145         "var let = ..." is allowed but "let let" or "const let" is not.
1146
1147         The most significant change to the parser made for this patch
1148         is appropriating the Scope struct to also also model a lexical 
1149         scope. Changes were made in how we track captured variables to 
1150         account for this. In general, I think some of this code could 
1151         benefit from a slight refactoring to make things cleaner.
1152
1153         * parser/ParserTokens.h:
1154         * parser/SyntaxChecker.h:
1155         (JSC::SyntaxChecker::createNewExpr):
1156         (JSC::SyntaxChecker::createConditionalExpr):
1157         (JSC::SyntaxChecker::createAssignResolve):
1158         (JSC::SyntaxChecker::createEmptyVarExpression):
1159         (JSC::SyntaxChecker::createEmptyLetExpression):
1160         (JSC::SyntaxChecker::createClassExpr):
1161         (JSC::SyntaxChecker::createClassDeclStatement):
1162         (JSC::SyntaxChecker::createBlockStatement):
1163         (JSC::SyntaxChecker::createExprStatement):
1164         (JSC::SyntaxChecker::createIfStatement):
1165         (JSC::SyntaxChecker::createForLoop):
1166         (JSC::SyntaxChecker::createForInLoop):
1167         (JSC::SyntaxChecker::createForOfLoop):
1168         (JSC::SyntaxChecker::createEmptyStatement):
1169         (JSC::SyntaxChecker::createVarStatement):
1170         (JSC::SyntaxChecker::createLetStatement):
1171         (JSC::SyntaxChecker::createReturnStatement):
1172         (JSC::SyntaxChecker::createBreakStatement):
1173         (JSC::SyntaxChecker::createContinueStatement):
1174         (JSC::SyntaxChecker::createTryStatement):
1175         (JSC::SyntaxChecker::createSwitchStatement):
1176         (JSC::SyntaxChecker::createWhileStatement):
1177         (JSC::SyntaxChecker::createWithStatement):
1178         (JSC::SyntaxChecker::createDoWhileStatement):
1179         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1180         (JSC::SyntaxChecker::appendStatement):
1181         (JSC::SyntaxChecker::combineCommaNodes):
1182         (JSC::SyntaxChecker::evalCount):
1183         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
1184         (JSC::SyntaxChecker::operatorStackPop):
1185         (JSC::SyntaxChecker::addVar): Deleted.
1186         * parser/VariableEnvironment.cpp: Added.
1187         (JSC::VariableEnvironment::markVariableAsCapturedIfDefined):
1188         (JSC::VariableEnvironment::markVariableAsCaptured):
1189         (JSC::VariableEnvironment::markAllVariablesAsCaptured):
1190         (JSC::VariableEnvironment::hasCapturedVariables):
1191         (JSC::VariableEnvironment::captures):
1192         (JSC::VariableEnvironment::swap):
1193         * parser/VariableEnvironment.h: Added.
1194         (JSC::VariableEnvironmentEntry::isCaptured):
1195         (JSC::VariableEnvironmentEntry::isConstant):
1196         (JSC::VariableEnvironmentEntry::isVar):
1197         (JSC::VariableEnvironmentEntry::isLet):
1198         (JSC::VariableEnvironmentEntry::setIsCaptured):
1199         (JSC::VariableEnvironmentEntry::setIsConstant):
1200         (JSC::VariableEnvironmentEntry::setIsVar):
1201         (JSC::VariableEnvironmentEntry::setIsLet):
1202         (JSC::VariableEnvironmentEntry::clearIsVar):
1203         (JSC::VariableEnvironment::begin):
1204         (JSC::VariableEnvironment::end):
1205         (JSC::VariableEnvironment::add):
1206         (JSC::VariableEnvironment::size):
1207         (JSC::VariableEnvironment::contains):
1208         (JSC::VariableEnvironment::remove):
1209         VariableEnvironment is a new class that keeps track
1210         of the static environment in the parser and the bytecode generator.
1211         VariableEnvironment behaves like SymbolTable but for the bytecode generator.
1212         It keeps track of variable types, i.e, if a variable is a "var", "let", "const" 
1213         and whether or not its captured.
1214
1215         * runtime/CodeCache.cpp:
1216         (JSC::CodeCache::getGlobalCodeBlock):
1217         (JSC::CodeCache::getProgramCodeBlock):
1218         (JSC::CodeCache::getEvalCodeBlock):
1219         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1220         * runtime/CodeCache.h:
1221         (JSC::CodeCache::clear):
1222         * runtime/CommonSlowPaths.cpp:
1223         (JSC::SLOW_PATH_DECL):
1224         * runtime/CommonSlowPaths.h:
1225         * runtime/ExceptionHelpers.cpp:
1226         (JSC::createErrorForInvalidGlobalAssignment):
1227         (JSC::createTDZError):
1228         (JSC::throwOutOfMemoryError):
1229         * runtime/ExceptionHelpers.h:
1230         * runtime/Executable.cpp:
1231         (JSC::EvalExecutable::create):
1232         (JSC::ProgramExecutable::initializeGlobalProperties):
1233         * runtime/Executable.h:
1234         * runtime/JSCJSValue.h:
1235         (JSC::jsUndefined):
1236         (JSC::jsTDZValue):
1237         (JSC::jsBoolean):
1238         * runtime/JSEnvironmentRecord.h:
1239         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
1240         (JSC::JSEnvironmentRecord::finishCreation):
1241         * runtime/JSGlobalObject.cpp:
1242         (JSC::JSGlobalObject::createProgramCodeBlock):
1243         (JSC::JSGlobalObject::createEvalCodeBlock):
1244         * runtime/JSGlobalObject.h:
1245         (JSC::JSGlobalObject::weakRandomInteger):
1246         * runtime/JSGlobalObjectFunctions.cpp:
1247         (JSC::globalFuncEval):
1248         * runtime/JSLexicalEnvironment.cpp:
1249         (JSC::JSLexicalEnvironment::symbolTableGet):
1250         * runtime/JSLexicalEnvironment.h:
1251         (JSC::JSLexicalEnvironment::create):
1252         * runtime/JSScope.cpp:
1253         (JSC::JSScope::resolve):
1254         (JSC::JSScope::abstractResolve):
1255         (JSC::JSScope::collectVariablesUnderTDZ):
1256         (JSC::JSScope::isLexicalScope):
1257         (JSC::resolveModeName):
1258         * runtime/JSScope.h:
1259         * runtime/PropertySlot.h:
1260         (JSC::PropertySlot::setValue):
1261         * runtime/SymbolTable.cpp:
1262         (JSC::SymbolTable::SymbolTable):
1263         (JSC::SymbolTable::cloneScopePart):
1264         * runtime/SymbolTable.h:
1265         SymbolTable now uses an extra bit to know if it corresponds
1266         to a "let"-like environment or not.
1267
1268         * runtime/WriteBarrier.h:
1269         (JSC::WriteBarrierBase<Unknown>::get):
1270         (JSC::WriteBarrierBase<Unknown>::clear):
1271         (JSC::WriteBarrierBase<Unknown>::setUndefined):
1272         (JSC::WriteBarrierBase<Unknown>::setStartingValue):
1273         (JSC::WriteBarrierBase<Unknown>::isNumber):
1274         (JSC::WriteBarrierBase<Unknown>::isObject):
1275         (JSC::WriteBarrierBase<Unknown>::isNull):
1276         * tests/stress/activation-sink-default-value-tdz-error.js: Added.
1277         (shouldThrowTDZ):
1278         (bar):
1279         (foo.cap):
1280         * tests/stress/activation-sink-osrexit-default-value-tdz-error.js: Added.
1281         (shouldThrowTDZ):
1282         (bar):
1283         * tests/stress/lexical-let-and-with-statement.js: Added.
1284         (truth):
1285         (assert):
1286         (.):
1287         * tests/stress/lexical-let-exception-handling.js: Added.
1288         (truth):
1289         (assert):
1290         (.):
1291         * tests/stress/lexical-let-global-not-captured-variables.js: Added.
1292         (truth):
1293         (assert):
1294         (foo):
1295         (.let.capY):
1296         * tests/stress/lexical-let-loop-semantics.js: Added.
1297         (truth):
1298         (assert):
1299         (shouldThrowTDZ):
1300         (.):
1301         * tests/stress/lexical-let-not-strict-mode.js: Added.
1302         (truth):
1303         (assert):
1304         (shouldThrowTDZ):
1305         (.):
1306         * tests/stress/lexical-let-semantics.js: Added.
1307         (truth):
1308         (assert):
1309         (let.globalFunction):
1310         (let.retGlobalNumberCaptured):
1311         (let.setGlobalNumberCaptured):
1312         (.):
1313         * tests/stress/lexical-let-tdz.js: Added.
1314         (truth):
1315         (assert):
1316         (shouldThrowTDZ):
1317         (.):
1318
1319 2015-07-15  Anders Carlsson  <andersca@apple.com>
1320
1321         Make JavaScriptCore SPI headers used by WebCore SPI headers self-contained
1322         https://bugs.webkit.org/show_bug.cgi?id=146978
1323
1324         Reviewed by Dan Bernstein.
1325
1326         * debugger/DebuggerPrimitives.h:
1327         * disassembler/Disassembler.h:
1328         * heap/Weak.h:
1329         * inspector/InspectorValues.h:
1330         * runtime/JSCJSValue.h:
1331
1332 2015-07-14  Anders Carlsson  <andersca@apple.com>
1333
1334         Assertions.h should include ExportMacros.h
1335         https://bugs.webkit.org/show_bug.cgi?id=146948
1336
1337         Reviewed by Tim Horton.
1338
1339         Remove now unneeded WTF_EXPORT_PRIVATE define.
1340
1341         * API/JSBase.h:
1342
1343 2015-07-14  Matthew Mirman  <mmirman@apple.com>
1344
1345         Repatch. Makes compileArithSub in the DFG ensure that the constant is an int32.
1346         https://bugs.webkit.org/show_bug.cgi?id=146910
1347         rdar://problem/21729083
1348
1349         Reviewed by Filip Pizlo.
1350         
1351         Also fixes the debug build problem where all edges are assumed to 
1352         have UntypedUse before the fixup phase.
1353
1354         * dfg/DFGSpeculativeJIT.cpp:
1355         (JSC::DFG::SpeculativeJIT::compileArithSub):
1356         * dfg/DFGValidate.cpp:
1357         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
1358         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
1359         (arithAdd42WrittenAsInteger):
1360         (testArithAdd42WrittenAsInteger):
1361         (arithSub42WrittenAsDouble):
1362         (testArithSub42WrittenAsDouble):
1363         (doubleConstant):
1364         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
1365         (arithAdd42WrittenAsDouble): Deleted.
1366         (testArithAdd42WrittenAsDouble): Deleted.
1367
1368 2015-07-14  Matthew Mirman  <mmirman@apple.com>
1369
1370         Unreviewed, rolling out r186805.
1371
1372         Made raytracer on octane 80% slower
1373
1374         Reverted changeset:
1375
1376         "Makes compileArithSub in the DFG ensure that the constant is
1377         an int32."
1378         https://bugs.webkit.org/show_bug.cgi?id=146910
1379         http://trac.webkit.org/changeset/186805
1380
1381 2015-07-13  Matthew Mirman  <mmirman@apple.com>
1382
1383         Makes compileArithSub in the DFG ensure that the constant is an int32.
1384         https://bugs.webkit.org/show_bug.cgi?id=146910
1385         rdar://problem/21729083
1386
1387         Reviewed by Filip Pizlo.
1388         
1389         Also fixes the debug build problem where all edges are assumed to 
1390         have UntypedUse before the fixup phase.
1391
1392         * dfg/DFGSpeculativeJIT.cpp:
1393         (JSC::DFG::SpeculativeJIT::compileArithSub):
1394         * dfg/DFGValidate.cpp:
1395         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
1396         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
1397         (arithAdd42WrittenAsInteger):
1398         (testArithAdd42WrittenAsInteger):
1399         (arithSub42WrittenAsDouble):
1400         (testArithSub42WrittenAsDouble):
1401         (doubleConstant):
1402         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
1403         (arithAdd42WrittenAsDouble): Deleted.
1404         (testArithAdd42WrittenAsDouble): Deleted.
1405
1406 2015-07-13  Basile Clement  <basile_clement@apple.com>
1407
1408         Object cycles should not prevent allocation elimination/sinking
1409         https://bugs.webkit.org/show_bug.cgi?id=143073
1410
1411         Reviewed by Filip Pizlo.
1412
1413         This patch introduces a new allocation sinking phase that is able to
1414         sink cycles, in DFGAllocationCycleSinkingPhase.cpp. This phase
1415         supersedes the old allocation sinking phase in
1416         DFGObjectAllocationSinkingPhase.cpp, as that previous phase was never
1417         able to sink allocation cycles while the new phase sometimes can; see
1418         DFGAllocationCycleSinkingPhase.cpp for details.
1419
1420         For now, the new sinking phase is kept behind a
1421         JSC_enableAllocationCycleSinking flag that reverts to the old sinking
1422         phase when false (i.e., by default). This also removes the old
1423         JSC_enableObjectAllocationSinking flag. run-javascriptcore-tests
1424         defaults to using the new sinking phase.
1425
1426         * dfg/DFGGraph.h:
1427         (JSC::DFG::Graph::addStructureSet): Allow empty structure sets
1428         * dfg/DFGLazyNode.cpp:
1429         (JSC::DFG::LazyNode::dump): Prettier dump
1430         * dfg/DFGNode.h:
1431         (JSC::DFG::Node::cellOperand): Move to opInfo for MaterializeCreateActivation
1432         (JSC::DFG::Node::hasStructureSet): Add MaterializeNewObject
1433         (JSC::DFG::Node::objectMaterializationData): Move to opInfo2
1434         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Remove unused header
1435         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1436         (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase): Deleted.
1437         (JSC::DFG::ObjectAllocationSinkingPhase::run): Deleted.
1438         (JSC::DFG::ObjectAllocationSinkingPhase::performSinking): Deleted.
1439         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): Deleted.
1440         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): Deleted.
1441         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): Deleted.
1442         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): Deleted.
1443         (JSC::DFG::ObjectAllocationSinkingPhase::resolve): Deleted.
1444         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): Deleted.
1445         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): Deleted.
1446         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): Deleted.
1447         * dfg/DFGObjectAllocationSinkingPhase.h:
1448         * dfg/DFGPromotedHeapLocation.h: Add a hash and a helper function to PromotedLocationDescriptor
1449         (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
1450         (JSC::DFG::PromotedLocationDescriptor::operator bool):
1451         (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization):
1452         (JSC::DFG::PromotedLocationDescriptorHash::hash):
1453         (JSC::DFG::PromotedLocationDescriptorHash::equal):
1454         * dfg/DFGValidate.cpp:
1455         (JSC::DFG::Validate::validateSSA): Assert that most nodes never see a phantom allocation
1456         * ftl/FTLLowerDFGToLLVM.cpp:
1457         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeNewObject): Use the new structureSet() operand
1458         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation): Node has a new child
1459         * ftl/FTLOSRExitCompiler.cpp: Handle materialization cycles
1460         (JSC::FTL::compileStub):
1461         * ftl/FTLOperations.cpp: Handle materialization cycles
1462         (JSC::FTL::operationPopulateObjectInOSR):
1463         (JSC::FTL::operationMaterializeObjectInOSR):
1464         * ftl/FTLOperations.h: Handle materialization cycles
1465         * tests/stress/correctly-sink-object-even-though-it-dies.js: Added.
1466         (clobber):
1467         (foo):
1468         * tests/stress/eliminate-object-read-over-call.js: Added.
1469         (clobber):
1470         (foo):
1471         * tests/stress/materialize-object-on-edge.js: Added.
1472         (call):
1473         (foo):
1474         * tests/stress/object-sinking-stress.js: Added.
1475         (foo):
1476         * tests/stress/sink-object-cycle.js: Added.
1477         (clobber):
1478         (foo):
1479         * tests/stress/sink-object-past-put.js: Added.
1480         (clobber):
1481         (foo):
1482         * tests/stress/sinkable-new-object-in-loop.js: Added.
1483         (foo):
1484
1485 2015-07-13  Daniel Bates  <dabates@apple.com>
1486
1487         Cleanup: Avoid extraneous increment and decrement of reference count of ScriptArguments in ConsoleClient
1488         https://bugs.webkit.org/show_bug.cgi?id=146920
1489
1490         Reviewed by Brian Burg.
1491
1492         Remove local variable RefPtr<ScriptArguments> and copy constructor call with an argument that
1493         was initialized with an rvalue reference. The argument itself is an lvalue reference.
1494
1495         * runtime/ConsoleClient.cpp:
1496         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1497         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
1498
1499 2015-07-13  Anders Carlsson  <andersca@apple.com>
1500
1501         Apps linked with a deployment target of iOS 7.x or earlier crash when using modern WebKit API
1502         https://bugs.webkit.org/show_bug.cgi?id=146913
1503         rdar://problem/21789252
1504
1505         Reviewed by Dan Bernstein.
1506
1507         Make a top-level symlink from /System/Library/PrivateFrameworks/JavaScriptCore.framework to
1508         /System/Library/Frameworks/JavaScriptCore.framework.
1509     
1510         * JavaScriptCore.xcodeproj/project.pbxproj:
1511
1512 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
1513
1514         If Watchpoint::fire() looks at the state of the world, it should definitely see its set invalidated, and maybe it should see the object of interest in the transitioned-to state
1515         https://bugs.webkit.org/show_bug.cgi?id=146897
1516
1517         Reviewed by Mark Lam.
1518         
1519         The idea is to eventually support adaptive watchpoints. An adaptive watchpoint will be
1520         able to watch for a condition that is more fine-grained than any one watchpoint set. For
1521         example, we might watch a singleton object to see if it ever acquires a property called
1522         "foo". So long as it doesn't have such a property, we don't want to invalidate any code.
1523         But if it gets that property, then we should deoptimize. Current watchpoints will
1524         invalidate code as soon as any property is added (or deleted), because they will use the
1525         transition watchpoint set of the singleton object's structure, and that fires anytime
1526         there is any transition.
1527         
1528         An adaptive watchpoint would remember the singleton object, and when it got fired, it
1529         would check if the object's new structure has the property "foo". If not, it would check
1530         if the object's new structure is watchable (i.e. has a valid transition watchpoint set).
1531         If the property is missing and the structure is watchable, it would add itself to the
1532         watchpoint set of the new structure. Otherwise, it would deoptimize.
1533         
1534         There are two problems with this idea, and this patch fixes these problems. First, we
1535         usually fire the transition watchpoint before we do the structure transition. This means
1536         that if the fire() method looked at the singleton object's structure, it would see the old
1537         structure, not the new one. It would have no way of knowing what the new structure is.
1538         Second, inside the fire() method, the watchpoint set being invalidated still appears
1539         valid, since we change the state after we fire all watchpoints.
1540         
1541         This patch addresses both issues. Now, in the most important case (addPropertyTransition),
1542         we fire the watchpoint set after we have modified the object. This is accomplished using
1543         a deferral scope called DeferredStructureTransitionWatchpointFire. In cases where there is
1544         no deferral, the adaptive watchpoint will conservatively resort to deoptimization because
1545         it would find that the singleton object's structure is no longer watchable. This is
1546         because in the absence of deferral, the singleton object would still have the original
1547         structure, but that structure's watchpoint set would now report itself as having been
1548         invalidated.
1549
1550         * bytecode/Watchpoint.cpp:
1551         (JSC::WatchpointSet::fireAllSlow): Change the state of the set before firing all watchpoints.
1552         (JSC::WatchpointSet::fireAllWatchpoints):
1553         * runtime/JSObject.h:
1554         (JSC::JSObject::putDirectInternal): Use the deferral scope.
1555         * runtime/Structure.cpp:
1556         (JSC::Structure::Structure): Pass the deferral scope to didTransitionFromThisStructure.
1557         (JSC::Structure::addPropertyTransition): Pass the deferral scope to create().
1558         (JSC::StructureFireDetail::dump): This is no longer anonymous.
1559         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire): Start with a null structure.
1560         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire): Fire the watchpoint if there is a structure.
1561         (JSC::DeferredStructureTransitionWatchpointFire::add): Add a structure. Logically this is a list of deferred things, but we assert that there only will be one (happens to be true now).
1562         (JSC::Structure::didTransitionFromThisStructure): Defer the watchpoint firing if there is a deferral scope.
1563         * runtime/Structure.h:
1564         (JSC::StructureFireDetail::StructureFireDetail): Move this to the header.
1565         * runtime/StructureInlines.h:
1566         (JSC::Structure::create): Pass the deferral scope to the constructor.
1567
1568 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
1569
1570         Watchpoints should be removed from their owning WatchpointSet before they are fired
1571         https://bugs.webkit.org/show_bug.cgi?id=146895
1572
1573         Reviewed by Sam Weinig.
1574         
1575         This simplifies the WatchpointSet API by making it so that when Watchpoint::fire() is
1576         called, the Watchpoint is no longer in the set. This means that you don't have to remember
1577         to remove it from the set's list (currently we do that implicitly as part of whatever
1578         any particular Watchpoint::fireInternal() does), and you can now write adaptive
1579         watchpoints that re-add themselves to a different set if they determine that the thing
1580         they are actually watching is still intact but now needs to be watched in a different way
1581         (like watching for whether some singleton object has a property of some name).
1582
1583         * bytecode/Watchpoint.cpp:
1584         (JSC::Watchpoint::~Watchpoint): Add a comment about why this is necessary.
1585         (JSC::Watchpoint::fire): Make this out-of-line, private, and make it assert that we're no longer on the list.
1586         (JSC::WatchpointSet::fireAllWatchpoints): Make this remove the watchpoint from the list before firing it.
1587         * bytecode/Watchpoint.h:
1588         (JSC::Watchpoint::fire): Deleted. I moved this to Watchpoint.cpp.
1589
1590 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
1591
1592         DFG::DesiredWatchpoints should accept WatchpointSetType's that aren't necessarily pointers
1593         https://bugs.webkit.org/show_bug.cgi?id=146875
1594
1595         Reviewed by Dan Bernstein.
1596         
1597         In the future we'll want to add a desired watchpoint set that's something like "please
1598         watch property 'Foo' for 'deletion' on structure 'S1'", so that the "set type" is struct
1599         like "struct MySet { StringImpl* property; Mode mode; Structure* structure };".
1600         
1601         This is a very mechanical change for now - all of the current users happen to use sets
1602         that are pointer typed, so it's just a matter of moving some "*"'s around.
1603
1604         * dfg/DFGDesiredWatchpoints.h:
1605         (JSC::DFG::GenericSetAdaptor::add):
1606         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
1607         (JSC::DFG::GenericDesiredWatchpoints::GenericDesiredWatchpoints):
1608         (JSC::DFG::GenericDesiredWatchpoints::addLazily):
1609         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
1610         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
1611         (JSC::DFG::GenericDesiredWatchpoints::isWatched):
1612         (JSC::DFG::DesiredWatchpoints::isWatched):
1613
1614 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
1615
1616         Watchpoints should be allocated with FastMalloc
1617         https://bugs.webkit.org/show_bug.cgi?id=146874
1618
1619         Reviewed by Dan Bernstein.
1620         
1621         This is in preparation for adding new subclasses of Watchpoint. While starting to do this
1622         I realized that the way Watchpoints allocated themselves was unusual.
1623
1624         * bytecode/CodeBlockJettisoningWatchpoint.h:
1625         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): No need for the default constructor.
1626         * bytecode/Watchpoint.h:
1627         (JSC::Watchpoint::Watchpoint): This should be noncopyable and fast-allocated.
1628         * dfg/DFGCommonData.h: Use a Bag<> instead of SegmentedVector<>. Bag means "malloc things but allow me to free them all at once", which is what we are doing here.
1629         * dfg/DFGDesiredWatchpoints.h:
1630         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd): Use the Bag<> API rather than the very awkward SegmentedVector<> API.
1631
1632 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
1633
1634         AI folding of IsObjectOrNull is broken for non-object types that may be null
1635         https://bugs.webkit.org/show_bug.cgi?id=146867
1636
1637         Reviewed by Ryosuke Niwa.
1638
1639         * dfg/DFGAbstractInterpreterInlines.h:
1640         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Fix the bug and add some text describing what is going on.
1641         * tests/stress/misc-is-object-or-null.js: Added. Test for the bug.
1642         (foo):
1643         * tests/stress/other-is-object-or-null.js: Added. Test for a bug I almost introduced.
1644         (foo):
1645
1646 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
1647
1648         It should be easy to measure total compile times.
1649         https://bugs.webkit.org/show_bug.cgi?id=146857
1650
1651         Reviewed by Sam Weinig.
1652         
1653         This gives DFG::Plan the ability to track total compile times, and return them in a map
1654         of stats that jsc.cpp can display.
1655         
1656         I want to do some work to bring down DFG compile times. This will help me measure whether
1657         I'm making a difference or not.
1658
1659         * dfg/DFGPlan.cpp:
1660         (JSC::DFG::Plan::Plan):
1661         (JSC::DFG::Plan::~Plan):
1662         (JSC::DFG::Plan::computeCompileTimes):
1663         (JSC::DFG::Plan::reportCompileTimes):
1664         (JSC::DFG::Plan::compileInThread):
1665         (JSC::DFG::Plan::compileInThreadImpl):
1666         (JSC::DFG::Plan::cancel):
1667         (JSC::DFG::Plan::compileTimeStats):
1668         (JSC::DFG::dumpAndVerifyGraph): Deleted.
1669         (JSC::DFG::profilerCompilationKindForMode): Deleted.
1670         * dfg/DFGPlan.h:
1671         (JSC::DFG::Plan::compileTimeStats):
1672         * jsc.cpp:
1673         (jscmain):
1674         * runtime/Options.h:
1675
1676 2015-07-04  Filip Pizlo  <fpizlo@apple.com>
1677
1678         DFG fragile frozen values are fundamentally broken
1679         https://bugs.webkit.org/show_bug.cgi?id=146602
1680
1681         Reviewed by Mark Lam.
1682         
1683         This change gets rid of the FragileValue value strength, because it was fundamentally
1684         broken.
1685         
1686         FragileValue was a value known to the compiler but not tracked by the GC in any way -
1687         it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
1688         must-handle values. The philosophy was that if the compiler did use the value for
1689         optimization, it would have been strengthened to a weak value (or maybe even a strong
1690         value, though we probably won't do that). But this was too much of a pipe dream. I've
1691         found at least one case where the compiler did use the value, but never strengthened
1692         it: it would happen if the value ended up in an OSR entry data expected value. Then if
1693         we GCed, we might have killed the value, but OSR entry would still try to use it for
1694         validation. That might have sort of just worked, but it's clearly shady.
1695
1696         The reason why we made must-handle values fragile and not weak is that most of the time
1697         the values disappear from the abstract state: they are LUBed to a non-constant. If we
1698         kept them around as weak, we'd have too many cases of the GC killing the code because
1699         it thought that the value was somehow meaningful to the code when it was only used as a
1700         temporary artifact of optimization.
1701
1702         So, it's true that it's very important for must-handle values not to automatically be
1703         weak or strong. It's also true that the values are necessary for AI bootstrap because
1704         we need to know what values OSR entry will require. But we shouldn't accomplish these
1705         goals by having the compiler hold onto what are essentially dangling pointers.
1706         
1707         This implements a better solution: instead of having InPlaceAbstractState bootstrap the
1708         AI with must-handle values at the beginning, we now widen the valuesAtHead of the
1709         must-handle block after AI converges. This widening is done in CFAPhase. This allows us
1710         to see if the must-handle values are necessary at all. In most cases, the widening
1711         takes a non-constant abstract value and simply amends something to its type based on
1712         the type of the must-handle value, and so the must-handle value never actually shows up
1713         in either the IR or any abstract value. In the unlikely event that the value at head is
1714         bottom, we freeze the must-handle value. This change removes FragileValue, and this
1715         freezing uses WeakValue as the strength. That makes sense: since the abstract value was
1716         bottom, the must-handle value becomes integral to the IR and so it makes no sense for
1717         the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
1718         sometimes happen for example if you have a very long-running loop whose pre-header
1719         allocates some object, but that pre-header appears to always exit to the optimizing JIT
1720         because it was only profiled once in the LLInt and that profiling appears insufficient
1721         to the DFG. In that case, we'll effectively constant-fold the references to the object
1722         inside the loop, which is both efficient (yay constant folding!) and necessary
1723         (otherwise we wouldn't know what the type of the variable should have been).
1724         
1725         Testing and debugging this is complicated. So, this adds some new capabilities:
1726         
1727         - DFG IR dumps also dump all of the FrozenValues that point to the heap along with
1728           their strengths, so that it's easy to see what GC objects the DFG feels are necessary
1729           for the compilation.
1730         
1731         - DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
1732           to see what GC pointers (and other things) are used for OSR entry validation. The
1733           printouts are quite detailed, and should also help other kinds of OSR entry
1734           debugging.
1735         
1736         - DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
1737           data structures are also properly registered as either weak or strong pointers in the
1738           CodeBlock. This validation check previously failed due to fragile values ending up in
1739           the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
1740           and in some pre-existing tests (like earley-boyer and 3d-raytrace).
1741
1742         * CMakeLists.txt:
1743         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1744         * JavaScriptCore.xcodeproj/project.pbxproj:
1745         * bytecode/CodeBlock.cpp:
1746         (JSC::CodeBlock::stronglyVisitStrongReferences):
1747         * bytecode/CodeOrigin.cpp:
1748         (JSC::InlineCallFrame::visitAggregate):
1749         * bytecode/Operands.h:
1750         (JSC::Operands::operand):
1751         (JSC::Operands::hasOperand):
1752         * bytecode/StructureSet.cpp:
1753         (JSC::StructureSet::dump):
1754         (JSC::StructureSet::validateReferences):
1755         * bytecode/StructureSet.h:
1756         * bytecode/TrackedReferences.cpp: Added.
1757         (JSC::TrackedReferences::TrackedReferences):
1758         (JSC::TrackedReferences::~TrackedReferences):
1759         (JSC::TrackedReferences::add):
1760         (JSC::TrackedReferences::check):
1761         (JSC::TrackedReferences::dump):
1762         * bytecode/TrackedReferences.h: Added.
1763         * dfg/DFGAbstractValue.cpp:
1764         (JSC::DFG::AbstractValue::observeTransitions):
1765         (JSC::DFG::AbstractValue::set):
1766         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
1767         (JSC::DFG::AbstractValue::mergeOSREntryValue):
1768         (JSC::DFG::AbstractValue::filter):
1769         (JSC::DFG::AbstractValue::dumpInContext):
1770         (JSC::DFG::AbstractValue::validateReferences):
1771         (JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
1772         * dfg/DFGAbstractValue.h:
1773         (JSC::DFG::AbstractValue::fullTop):
1774         (JSC::DFG::AbstractValue::merge):
1775         * dfg/DFGByteCodeParser.cpp:
1776         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1777         * dfg/DFGCFAPhase.cpp:
1778         (JSC::DFG::CFAPhase::run):
1779         * dfg/DFGCommonData.cpp:
1780         (JSC::DFG::CommonData::invalidate):
1781         (JSC::DFG::CommonData::validateReferences):
1782         * dfg/DFGCommonData.h:
1783         (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
1784         * dfg/DFGFrozenValue.h:
1785         (JSC::DFG::FrozenValue::FrozenValue):
1786         (JSC::DFG::FrozenValue::strengthenTo):
1787         (JSC::DFG::FrozenValue::pointsToHeap):
1788         (JSC::DFG::FrozenValue::strength):
1789         (JSC::DFG::FrozenValue::freeze):
1790         * dfg/DFGGraph.cpp:
1791         (JSC::DFG::Graph::Graph):
1792         (JSC::DFG::Graph::dump):
1793         (JSC::DFG::Graph::registerFrozenValues):
1794         (JSC::DFG::Graph::visitChildren):
1795         (JSC::DFG::Graph::freeze):
1796         (JSC::DFG::Graph::freezeStrong):
1797         (JSC::DFG::Graph::freezeFragile): Deleted.
1798         * dfg/DFGGraph.h:
1799         * dfg/DFGInPlaceAbstractState.cpp:
1800         (JSC::DFG::InPlaceAbstractState::initialize):
1801         * dfg/DFGJITCode.cpp:
1802         (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
1803         (JSC::DFG::JITCode::validateReferences):
1804         * dfg/DFGJITCode.h:
1805         * dfg/DFGJITCompiler.cpp:
1806         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
1807         (JSC::DFG::JITCompiler::noticeOSREntry):
1808         * dfg/DFGJITCompiler.h:
1809         (JSC::DFG::JITCompiler::branchStructurePtr):
1810         (JSC::DFG::JITCompiler::jitCode):
1811         (JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
1812         * dfg/DFGMinifiedGraph.cpp: Added.
1813         (JSC::DFG::MinifiedGraph::prepareAndShrink):
1814         (JSC::DFG::MinifiedGraph::validateReferences):
1815         * dfg/DFGMinifiedGraph.h:
1816         (JSC::DFG::MinifiedGraph::append):
1817         (JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
1818         * dfg/DFGOSREntry.cpp:
1819         (JSC::DFG::OSREntryData::dumpInContext):
1820         (JSC::DFG::OSREntryData::dump):
1821         (JSC::DFG::prepareOSREntry):
1822         * dfg/DFGOSREntry.h:
1823         (JSC::DFG::getOSREntryDataBytecodeIndex):
1824         * dfg/DFGPlan.cpp:
1825         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1826         * dfg/DFGSpeculativeJIT.cpp:
1827         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1828         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1829         * dfg/DFGStructureAbstractValue.cpp:
1830         (JSC::DFG::StructureAbstractValue::dump):
1831         (JSC::DFG::StructureAbstractValue::validateReferences):
1832         * dfg/DFGStructureAbstractValue.h:
1833         * dfg/DFGValidate.cpp:
1834         (JSC::DFG::Validate::validate):
1835         * dfg/DFGValueStrength.cpp:
1836         (WTF::printInternal):
1837         * dfg/DFGValueStrength.h:
1838         (JSC::DFG::merge):
1839         * ftl/FTLExitPropertyValue.cpp:
1840         (JSC::FTL::ExitPropertyValue::dump):
1841         (JSC::FTL::ExitPropertyValue::validateReferences):
1842         * ftl/FTLExitPropertyValue.h:
1843         * ftl/FTLExitTimeObjectMaterialization.cpp:
1844         (JSC::FTL::ExitTimeObjectMaterialization::dump):
1845         (JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
1846         * ftl/FTLExitTimeObjectMaterialization.h:
1847         * ftl/FTLExitValue.cpp:
1848         (JSC::FTL::ExitValue::dump):
1849         (JSC::FTL::ExitValue::validateReferences):
1850         * ftl/FTLExitValue.h:
1851         * ftl/FTLJITCode.cpp:
1852         (JSC::FTL::JITCode::dfgCommon):
1853         (JSC::FTL::JITCode::validateReferences):
1854         * ftl/FTLJITCode.h:
1855         (JSC::FTL::JITCode::handles):
1856         (JSC::FTL::JITCode::dataSections):
1857         * ftl/FTLOSRExit.cpp:
1858         (JSC::FTL::OSRExit::codeLocationForRepatch):
1859         (JSC::FTL::OSRExit::validateReferences):
1860         * ftl/FTLOSRExit.h:
1861         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
1862         * jit/JITCode.cpp:
1863         (JSC::JITCode::typeName):
1864         (JSC::JITCode::validateReferences):
1865         (JSC::JITCode::execute):
1866         * jit/JITCode.h:
1867         (JSC::JITCode::start):
1868         * tests/stress/dead-osr-entry-value.js: Added.
1869         (foo):
1870
1871 2015-07-09  Filip Pizlo  <fpizlo@apple.com>
1872
1873         It should be possible to run the OSR exit fuzzer
1874         https://bugs.webkit.org/show_bug.cgi?id=146814
1875
1876         Reviewed by Mark Lam.
1877         
1878         Fix a silly bug: the option matching was accidentally allowing a prefix match, which
1879         always did the wrong thing for --fireOSRExitFuzzAt and --fireOSRExitFuzzAtStatic. Make
1880         this an exact match instead.
1881
1882         * runtime/Options.cpp:
1883         (JSC::Options::setOption):
1884
1885 2015-07-09  Mark Lam  <mark.lam@apple.com>
1886
1887         SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.
1888         https://bugs.webkit.org/show_bug.cgi?id=146807
1889
1890         Reviewed by Filip Pizlo.
1891
1892         When we capture an argument by name and we use "arguments", we put all of the
1893         arguments into the scope.  But destructured arguments are put into the scope
1894         anonymously i.e. the SymbolTable knows that the scope offset is in use via
1895         SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in
1896         SymbolTable::m_map.
1897
1898         The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will
1899         have a size which is based on the largest ScopeOffset in the m_map.  If we have a
1900         scenario where the anonymous argument is at a higher ScopeOffset than all the
1901         named arguments, then the m_localsToEntry vector will not have an entry for it
1902         i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of
1903         the anonymous argument.
1904
1905         Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is
1906         within the bounds of the m_localToEntry vector before indexing into it.
1907
1908         * runtime/SymbolTable.cpp:
1909         (JSC::SymbolTable::entryFor):
1910
1911 2015-07-09  Michael Saboff  <msaboff@apple.com>
1912
1913         REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
1914         https://bugs.webkit.org/show_bug.cgi?id=146767
1915
1916         Reviewed by Geoffrey Garen.
1917
1918         If the stack check fails at the top most frame, we must use that frame to
1919         generate the exception.  Reverted the code to always use the current frame to
1920         throw an out of stack exception.
1921
1922         * llint/LLIntSlowPaths.cpp:
1923         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1924
1925 2015-07-03  Filip Pizlo  <fpizlo@apple.com>
1926
1927         OSR exit fuzzing should allow us to select a static exit site
1928         https://bugs.webkit.org/show_bug.cgi?id=146601
1929
1930         Reviewed by Geoffrey Garen.
1931         
1932         The original implementation of the fuzzer allows us to trigger an exit based on its index
1933         in the dynamic sequence of exit sites encountered. But there are usually millions of
1934         dynamically encountered exit sites, even if the program only has thousands of static exit
1935         sites. That means that we would at best be able to do a random sampling of exits, and
1936         those would be biased to the hottest exit sites.
1937         
1938         This change allows us to also select exit sites based on their index in the static
1939         sequence of exit sites that the compiler compiled. Then, once that static exit site is
1940         selected, we can select which dynamic exit at that exit site we should trigger. Since the
1941         number of static exit sites is usually smallish (it's bounded by program size), we can do
1942         an exhaustive search over all exit sites in most programs.
1943
1944         * dfg/DFGOSRExitFuzz.cpp:
1945         (JSC::numberOfStaticOSRExitFuzzChecks):
1946         (JSC::numberOfOSRExitFuzzChecks):
1947         * dfg/DFGOSRExitFuzz.h:
1948         (JSC::DFG::doOSRExitFuzzing):
1949         * dfg/DFGSpeculativeJIT.cpp:
1950         (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
1951         * ftl/FTLLowerDFGToLLVM.cpp:
1952         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
1953         * jsc.cpp:
1954         (jscmain):
1955         * runtime/Options.h:
1956         * runtime/TestRunnerUtils.h:
1957
1958 2015-07-08  Joseph Pecoraro  <pecoraro@apple.com>
1959
1960         Fix grammar issue in TypeError attempting to change an unconfigurable property
1961         https://bugs.webkit.org/show_bug.cgi?id=146774
1962
1963         Reviewed by Brent Fulgham.
1964
1965         * runtime/JSFunction.cpp:
1966         (JSC::JSFunction::defineOwnProperty):
1967         * runtime/JSObject.cpp:
1968         (JSC::JSObject::defineOwnNonIndexProperty):
1969         * runtime/StringObject.cpp:
1970         (JSC::StringObject::defineOwnProperty):
1971
1972 2015-07-06  Csaba Osztrogonác  <ossy@webkit.org>
1973
1974         Remove the unused HeapBlock.h
1975         https://bugs.webkit.org/show_bug.cgi?id=146580
1976
1977         Reviewed by Andreas Kling.
1978
1979         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1980         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1981         * JavaScriptCore.xcodeproj/project.pbxproj:
1982         * heap/CopiedBlock.h:
1983         * heap/CopiedSpace.h:
1984         * heap/CopiedSpaceInlines.h:
1985         * heap/HandleBlock.h:
1986         * heap/HeapBlock.h: Removed.
1987         * heap/MarkedBlock.h:
1988
1989 2015-07-06  Saam barati  <saambarati1@gmail.com>
1990
1991         JSC's parser should follow the ES6 spec with respect to parsing Declarations
1992         https://bugs.webkit.org/show_bug.cgi?id=146621
1993
1994         Reviewed by Mark Lam.
1995
1996         There were a few locations where JSC would allow declaration statements
1997         in incorrect ways. JSC didn't distinguish between 'Statement' and
1998         'StatementListItem' grammar productions. The relevant grammar is here:
1999         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements
2000
2001         From the ECMA Script 6.0 spec:
2002         1. Section 13.6 The if Statement (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-if-statement) 
2003          says that IfStatements only takes Statements for the "then-else" clauses, not StatementListItems.
2004          (Same with 'while/for/do-while' loop bodies).
2005         2. Section 13 ECMAScript Language: Statements and Declarations 
2006          (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-ecmascript-language-statements-and-declarations)
2007          defines the syntax of Statements, and they do not include ClassDeclarations and LexicalDeclarations 
2008          (const, let, see 13.3.1 Let and Const Declarations).
2009          Declarations can only be in the “then-else” clauses when embedded in a StatementListItem in a BlockStatement (see 13.2).
2010
2011         Hence, the following style of declarations are no longer allowed:
2012             'if/for/while (condition) const x = 40;'
2013             'if/for/while (condition) class C { }'
2014
2015         Instead, we mandate such declaration constructs are within a StatementList 
2016        (which is the production that JSC's Parser::parseSourceElements function parses):
2017            'if/for/while (condition) { const x = 40; }'
2018            'if/for/while (condition) { class C { } }'
2019
2020         * parser/Parser.cpp:
2021         (JSC::Parser<LexerType>::parseSourceElements):
2022         (JSC::Parser<LexerType>::parseStatementListItem):
2023         (JSC::Parser<LexerType>::parseVarDeclaration):
2024         (JSC::Parser<LexerType>::parseStatement):
2025         (JSC::Parser<LexerType>::parseExpressionStatement):
2026         * parser/Parser.h:
2027         (JSC::Parser::getLabel):
2028
2029 2015-07-06  Alex Christensen  <achristensen@webkit.org>
2030
2031         Unreviewed debug build fix after r186358.
2032
2033         * runtime/JSArray.cpp:
2034         (JSC::JSArray::fastConcatWith):
2035         Pass vm parameter to fastConcatType.
2036
2037 2015-07-06  Ryosuke Niwa  <rniwa@webkit.org>
2038
2039         Array.concat should be fast for integer or double arrays
2040         https://bugs.webkit.org/show_bug.cgi?id=146260
2041
2042         Reviewed by Darin Adler.
2043
2044         Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous
2045         arrays, simply memcopy the arrays into a new uninitialized buffer.
2046
2047         This improves huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro.
2048
2049         * runtime/ArrayPrototype.cpp:
2050         (JSC::arrayProtoFuncConcat):
2051         * runtime/JSArray.cpp:
2052         (JSC::JSArray::fastConcatWith): Added.
2053         * runtime/JSArray.h:
2054         (JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use
2055         the fact path. Returns NonArray otherwise.
2056
2057 2015-07-06  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2058
2059         [Streams API] Remove ReadableStream custom constructor
2060         https://bugs.webkit.org/show_bug.cgi?id=146547
2061
2062         Reviewed by Darin Adler.
2063
2064         Adding helper function to throw range errors.
2065
2066         * runtime/Error.h:
2067         (JSC::throwRangeError):
2068         (JSC::throwVMRangeError):
2069
2070 2015-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2071
2072         [ES6] Implement the latest Promise spec in JS
2073         https://bugs.webkit.org/show_bug.cgi?id=146229
2074
2075         Reviewed by Sam Weinig.
2076
2077         Updated the Promise implementation to meet to the ES6 spec.
2078         This patch
2079         1. Implement ES6 Promise and related abstract operations in builtins JS
2080         2. Expose @enqueueJob private function to JS world to post the microtask
2081
2082         Updated implementation has one-on-one correspondence to the ES6 spec description.
2083         And keep the JSPromiseDeferred because it is the interface used from the WebCore.
2084
2085         * CMakeLists.txt:
2086         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2087         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2088         * JavaScriptCore.xcodeproj/project.pbxproj:
2089         * builtins/Array.prototype.js:
2090         (reduce):
2091         (reduceRight):
2092         (every):
2093         (forEach):
2094         (filter):
2095         (map):
2096         (some):
2097         (fill):
2098         (find):
2099         (findIndex):
2100         (includes):
2101         (copyWithin):
2102         ToInteger / ToLength are renamed to toInteger and toLength.
2103         * builtins/ArrayConstructor.js:
2104         (from):
2105         ToInteger / ToLength are renamed to toInteger and toLength.
2106         * builtins/GlobalObject.js:
2107         (toInteger):
2108         (toLength):
2109         (isObject):
2110         (ToInteger): Deleted.
2111         (ToLength): Deleted.
2112         ToInteger / ToLength are renamed to toInteger and toLength.
2113         Add new abstract operation, isObject.
2114         * builtins/Operations.Promise.js: Added.
2115         (isPromise):
2116         (newPromiseReaction):
2117         (newPromiseDeferred):
2118         (newPromiseCapability.executor):
2119         (newPromiseCapability):
2120         (triggerPromiseReactions):
2121         (rejectPromise):
2122         (fulfillPromise):
2123         (createResolvingFunctions.resolve):
2124         (createResolvingFunctions.reject):
2125         (createResolvingFunctions):
2126         (promiseReactionJob):
2127         (promiseResolveThenableJob):
2128         (initializePromise):
2129         Added Promise related abstract operations.
2130         * builtins/Promise.prototype.js:
2131         (catch):
2132         (.onFulfilled):
2133         (.onRejected):
2134         (then):
2135         Promise#then implementation in JS.
2136         * builtins/PromiseConstructor.js: Added.
2137         (all.newResolveElement):
2138         (all):
2139         (race):
2140         (reject):
2141         (resolve):
2142         Promise static functions implementations in JS.
2143         * builtins/StringConstructor.js:
2144         (raw):
2145         ToInteger / ToLength are renamed to toInteger and toLength.
2146         * inspector/JSInjectedScriptHost.cpp:
2147         (Inspector::JSInjectedScriptHost::getInternalProperties):
2148         * runtime/CommonIdentifiers.h:
2149         * runtime/JSGlobalObject.cpp:
2150         (JSC::enqueueJob):
2151         (JSC::JSGlobalObject::init):
2152         (JSC::JSGlobalObject::visitChildren):
2153         * runtime/JSGlobalObject.h:
2154         (JSC::JSGlobalObject::initializePromiseFunction):
2155         (JSC::JSGlobalObject::newPromiseDeferredFunction):
2156         * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h.
2157         (JSC::createJSJob):
2158         (JSC::JSJobMicrotask::run):
2159         * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h.
2160         * runtime/JSPromise.cpp:
2161         (JSC::JSPromise::create):
2162         (JSC::JSPromise::JSPromise):
2163         (JSC::JSPromise::finishCreation):
2164         (JSC::JSPromise::result):
2165         (JSC::JSPromise::destroy): Deleted.
2166         (JSC::JSPromise::visitChildren): Deleted.
2167         (JSC::JSPromise::reject): Deleted.
2168         (JSC::JSPromise::resolve): Deleted.
2169         (JSC::JSPromise::appendResolveReaction): Deleted.
2170         (JSC::JSPromise::appendRejectReaction): Deleted.
2171         (JSC::triggerPromiseReactions): Deleted.
2172         * runtime/JSPromise.h:
2173         (JSC::JSPromise::status): Deleted.
2174         (JSC::JSPromise::result): Deleted.
2175         (JSC::JSPromise::constructor): Deleted.
2176         * runtime/JSPromiseConstructor.cpp:
2177         (JSC::constructPromise):
2178         (JSC::JSPromiseConstructorFuncResolve): Deleted.
2179         (JSC::JSPromiseConstructorFuncReject): Deleted.
2180         (JSC::performPromiseRaceLoop): Deleted.
2181         (JSC::JSPromiseConstructorFuncRace): Deleted.
2182         (JSC::performPromiseAll): Deleted.
2183         (JSC::JSPromiseConstructorFuncAll): Deleted.
2184         * runtime/JSPromiseDeferred.cpp:
2185         (JSC::JSPromiseDeferred::create):
2186         (JSC::createJSPromiseDeferredFromConstructor): Deleted.
2187         (JSC::updateDeferredFromPotentialThenable): Deleted.
2188         (JSC::performDeferredResolve): Deleted.
2189         (JSC::performDeferredReject): Deleted.
2190         (JSC::abruptRejection): Deleted.
2191         * runtime/JSPromiseDeferred.h:
2192         * runtime/JSPromiseFunctions.cpp: Removed.
2193         (JSC::deferredConstructionFunction): Deleted.
2194         (JSC::createDeferredConstructionFunction): Deleted.
2195         (JSC::identifyFunction): Deleted.
2196         (JSC::createIdentifyFunction): Deleted.
2197         (JSC::promiseAllCountdownFunction): Deleted.
2198         (JSC::createPromiseAllCountdownFunction): Deleted.
2199         (JSC::promiseResolutionHandlerFunction): Deleted.
2200         (JSC::createPromiseResolutionHandlerFunction): Deleted.
2201         (JSC::rejectPromiseFunction): Deleted.
2202         (JSC::createRejectPromiseFunction): Deleted.
2203         (JSC::resolvePromiseFunction): Deleted.
2204         (JSC::createResolvePromiseFunction): Deleted.
2205         (JSC::throwerFunction): Deleted.
2206         (JSC::createThrowerFunction): Deleted.
2207         * runtime/JSPromisePrototype.cpp:
2208         (JSC::JSPromisePrototypeFuncThen): Deleted.
2209         * runtime/JSPromiseReaction.cpp: Removed.
2210         (JSC::createExecutePromiseReactionMicrotask): Deleted.
2211         (JSC::ExecutePromiseReactionMicrotask::run): Deleted.
2212         (JSC::JSPromiseReaction::create): Deleted.
2213         (JSC::JSPromiseReaction::JSPromiseReaction): Deleted.
2214         (JSC::JSPromiseReaction::finishCreation): Deleted.
2215         (JSC::JSPromiseReaction::visitChildren): Deleted.
2216         * runtime/VM.cpp:
2217         (JSC::VM::VM): Deleted.
2218         * runtime/VM.h:
2219
2220 2015-07-04  Chris Dumez  <cdumez@apple.com>
2221
2222         Drop RefPtr::clear() method
2223         https://bugs.webkit.org/show_bug.cgi?id=146556
2224
2225         Reviewed by Brady Eidson.
2226
2227         Drop RefPtr::clear() method in favor of "= nullptr;" pattern.
2228
2229 2015-07-03  Dan Bernstein  <mitz@apple.com>
2230
2231         Just give up on -Wunreachable-code in JavaScriptCore.
2232
2233         * Configurations/Base.xcconfig:
2234         * llint/LowLevelInterpreter.cpp:
2235         (JSC::CLoop::execute):
2236
2237 2015-07-03  Dan Bernstein  <mitz@apple.com>
2238
2239         Fixed the LLINT CLoop build.
2240
2241         * llint/LowLevelInterpreter.cpp:
2242         (JSC::CLoop::execute):
2243
2244 2015-07-03  Dan Bernstein  <mitz@apple.com>
2245
2246         [Xcode] Update some build settings as recommended by Xcode 7
2247         https://bugs.webkit.org/show_bug.cgi?id=146597
2248
2249         Reviewed by Sam Weinig.
2250
2251         * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
2252         GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.
2253
2254         * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.
2255
2256         * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings.
2257
2258 2015-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2259
2260         Relax builtin JS restriction about try-catch
2261         https://bugs.webkit.org/show_bug.cgi?id=146555
2262
2263         Reviewed by Sam Weinig.
2264
2265         When retrieving the captured variables from the full activated scope,
2266         it swapped the given vector with the stored declared variables vector.
2267         This is because retrieving the captured variables are executed in the
2268         last sequence of the parser, so declared variables are no longer used.
2269         However, in builtins functions case, after retrieving the captured
2270         variables, we check the variables by using declared variables vector.
2271         So at that time, the declared variables vector becomes empty and it
2272         raises assertion failures when the builtins function contains the full
2273         activated scope. try-catch's catch scope requires the upper scope full
2274         activated, so JS code in the builtins cannot use the try-catch.
2275
2276         This patch relaxes this restriction. When retrieving the captured
2277         variables from the scope, just copy to the given vector.
2278
2279         * parser/Parser.h:
2280         (JSC::Scope::getCapturedVariables):
2281
2282 2015-07-02  Filip Pizlo  <fpizlo@apple.com>
2283
2284         DFG and FTL should have an OSR exit fuzzer
2285         https://bugs.webkit.org/show_bug.cgi?id=146562
2286
2287         Reviewed by Benjamin Poulain.
2288         
2289         Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I
2290         spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how
2291         to harness this after I land it.
2292         
2293         Since it's turned off by default, it should have no effect on behavior.
2294
2295         * CMakeLists.txt:
2296         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2297         * JavaScriptCore.xcodeproj/project.pbxproj:
2298         * dfg/DFGOSRExitFuzz.cpp: Added.
2299         (JSC::numberOfOSRExitFuzzChecks):
2300         * dfg/DFGOSRExitFuzz.h: Added.
2301         * dfg/DFGSpeculativeJIT.cpp:
2302         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
2303         (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
2304         (JSC::DFG::SpeculativeJIT::speculationCheck):
2305         * dfg/DFGSpeculativeJIT.h:
2306         * ftl/FTLLowerDFGToLLVM.cpp:
2307         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2308         * jsc.cpp:
2309         (jscmain):
2310         * runtime/Options.h:
2311         * runtime/TestRunnerUtils.h:
2312
2313 2015-07-02  Saam barati  <saambarati1@gmail.com>
2314
2315         Rename "Deconstruction" to "Destructuring" throughout JSC
2316         https://bugs.webkit.org/show_bug.cgi?id=146100
2317
2318         Reviewed by Mark Lam.
2319
2320         It is good to use the same naming conventions as the ES6 
2321         spec because it is the de facto way of speaking about these 
2322         language features. This also has the benefit of improving JSC's
2323         hackability because it improves code readability for newcomers 
2324         to JSC or newcomers to this part of the code base.
2325
2326         * bytecompiler/BytecodeGenerator.cpp:
2327         (JSC::BytecodeGenerator::generate):
2328         (JSC::BytecodeGenerator::BytecodeGenerator):
2329         (JSC::BytecodeGenerator::initializeNextParameter):
2330         (JSC::BytecodeGenerator::visibleNameForParameter):
2331         * bytecompiler/BytecodeGenerator.h:
2332         (JSC::BytecodeGenerator::registerFor):
2333         * bytecompiler/NodesCodegen.cpp:
2334         (JSC::ForInNode::tryGetBoundLocal):
2335         (JSC::ForInNode::emitLoopHeader):
2336         (JSC::ForOfNode::emitBytecode):
2337         (JSC::ClassExprNode::emitBytecode):
2338         (JSC::DestructuringAssignmentNode::emitBytecode):
2339         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
2340         (JSC::ArrayPatternNode::collectBoundIdentifiers):
2341         (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted.
2342         (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted.
2343         * parser/ASTBuilder.h:
2344         (JSC::ASTBuilder::createElementList):
2345         (JSC::ASTBuilder::createFormalParameterList):
2346         (JSC::ASTBuilder::createClause):
2347         (JSC::ASTBuilder::createClauseList):
2348         (JSC::ASTBuilder::createForInLoop):
2349         (JSC::ASTBuilder::createForOfLoop):
2350         (JSC::ASTBuilder::isBindingNode):
2351         (JSC::ASTBuilder::isResolve):
2352         (JSC::ASTBuilder::createDestructuringAssignment):
2353         (JSC::ASTBuilder::createArrayPattern):
2354         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
2355         (JSC::ASTBuilder::appendArrayPatternEntry):
2356         (JSC::ASTBuilder::appendArrayPatternRestEntry):
2357         (JSC::ASTBuilder::createObjectPattern):
2358         (JSC::ASTBuilder::appendObjectPatternEntry):
2359         (JSC::ASTBuilder::createDeconstructingAssignment): Deleted.
2360         * parser/NodeConstructors.h:
2361         (JSC::TryNode::TryNode):
2362         (JSC::ParameterNode::ParameterNode):
2363         (JSC::ForOfNode::ForOfNode):
2364         (JSC::DestructuringPatternNode::DestructuringPatternNode):
2365         (JSC::ArrayPatternNode::ArrayPatternNode):
2366         (JSC::ArrayPatternNode::create):
2367         (JSC::ObjectPatternNode::ObjectPatternNode):
2368         (JSC::BindingNode::create):
2369         (JSC::BindingNode::BindingNode):
2370         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
2371         (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted.
2372         (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted.
2373         * parser/Nodes.cpp:
2374         (JSC::FunctionParameters::create):
2375         * parser/Nodes.h:
2376         (JSC::ExpressionNode::isResolveNode):
2377         (JSC::ExpressionNode::isBracketAccessorNode):
2378         (JSC::ExpressionNode::isDotAccessorNode):
2379         (JSC::ExpressionNode::isDestructuringNode):
2380         (JSC::ExpressionNode::isFuncExprNode):
2381         (JSC::ExpressionNode::isCommaNode):
2382         (JSC::ExpressionNode::isSimpleArray):
2383         (JSC::ParameterNode::pattern):
2384         (JSC::ParameterNode::nextParam):
2385         (JSC::FunctionParameters::size):
2386         (JSC::FunctionParameters::at):
2387         (JSC::FunctionParameters::patterns):
2388         (JSC::DestructuringPatternNode::isBindingNode):
2389         (JSC::DestructuringPatternNode::emitDirectBinding):
2390         (JSC::ArrayPatternNode::appendIndex):
2391         (JSC::ObjectPatternNode::appendEntry):
2392         (JSC::BindingNode::boundProperty):
2393         (JSC::DestructuringAssignmentNode::bindings):
2394         (JSC::ExpressionNode::isDeconstructionNode): Deleted.
2395         (JSC::DeconstructionPatternNode::isBindingNode): Deleted.
2396         (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted.
2397         (JSC::DeconstructingAssignmentNode::bindings): Deleted.
2398         * parser/Parser.cpp:
2399         (JSC::Parser<LexerType>::parseVarDeclaration):
2400         (JSC::Parser<LexerType>::parseWhileStatement):
2401         (JSC::Parser<LexerType>::parseVarDeclarationList):
2402         (JSC::Parser<LexerType>::createBindingPattern):
2403         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
2404         (JSC::Parser<LexerType>::parseDestructuringPattern):
2405         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
2406         (JSC::Parser<LexerType>::parseForStatement):
2407         (JSC::Parser<LexerType>::parseFormalParameters):
2408         (JSC::Parser<LexerType>::parseFunctionParameters):
2409         (JSC::Parser<LexerType>::parseAssignmentExpression):
2410         (JSC::Parser<LexerType>::tryParseDeconstructionPatternExpression): Deleted.
2411         (JSC::Parser<LexerType>::parseDeconstructionPattern): Deleted.
2412         (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern): Deleted.
2413         * parser/Parser.h:
2414         (JSC::isEvalNode):
2415         * parser/SyntaxChecker.h:
2416         (JSC::SyntaxChecker::createPropertyList):
2417         (JSC::SyntaxChecker::createElementList):
2418         (JSC::SyntaxChecker::createFormalParameterList):
2419         (JSC::SyntaxChecker::createClause):
2420         (JSC::SyntaxChecker::createClauseList):
2421         (JSC::SyntaxChecker::operatorStackPop):
2422         * tests/stress/reserved-word-with-escape.js:
2423         * tests/stress/rest-elements.js:
2424
2425 2015-07-02  Mark Lam  <mark.lam@apple.com>
2426
2427         Build fix for Win EWS bot.
2428         https://bugs.webkit.org/show_bug.cgi?id=146551
2429
2430         Not reviewed.
2431
2432         * tools/JSDollarVMPrototype.cpp:
2433         (JSC::functionCrash):
2434
2435 2015-07-02  Dan Bernstein  <mitz@apple.com>
2436
2437         <rdar://problem/21429613> [iOS] Stop making symlinks from PrivateFrameworks to Frameworks
2438         https://bugs.webkit.org/show_bug.cgi?id=146542
2439
2440         Reviewed by Sam Weinig.
2441
2442         * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink.
2443
2444 2015-07-01  Joseph Pecoraro  <pecoraro@apple.com>
2445
2446         Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes
2447         https://bugs.webkit.org/show_bug.cgi?id=146536
2448
2449         Reviewed by Timothy Hatcher.
2450
2451         * inspector/protocol/Timeline.json:
2452         Change a CPUProfile from sending a required "calls" param to sending a required
2453         "callInfo" param which includes aggregated information about the calls.
2454
2455 2015-06-30  Filip Pizlo  <fpizlo@apple.com>
2456
2457         DFG::freezeFragile should register the frozen value's structure
2458         https://bugs.webkit.org/show_bug.cgi?id=136055
2459         rdar://problem/21042120
2460
2461         Reviewed by Mark Lam and Geoffrey Garen.
2462         
2463         This fixes weird concurrency bugs where the constant folding phase tries to convert
2464         something to a constant but then crashes because the constant's structure wasn't
2465         registered. The AI was registering the structure of any value it saw, but constant folding
2466         wasn't - and that's fine so long as there ain't no concurrency.
2467         
2468         The best fix is to just make it impossible to introduce a constant into the IR without
2469         registering its structure. That's what this change does. This is not only a great
2470         concurrency fix - it also makes the compiler somewhat easier to hack on because it's one
2471         less case of structure registering that you have to remember about.
2472         
2473         * dfg/DFGAbstractValue.cpp:
2474         (JSC::DFG::AbstractValue::setOSREntryValue): No need to register.
2475         (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state.
2476         * dfg/DFGGraph.cpp:
2477         (JSC::DFG::Graph::freezeFragile): Register the structure.
2478         * dfg/DFGStructureRegistrationPhase.cpp:
2479         (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered.
2480
2481 2015-07-01  Matthew Mirman  <mmirman@apple.com>
2482
2483         Unreviewed, rolling out r185889
2484         https://bugs.webkit.org/show_bug.cgi?id=146528
2485         rdar://problem/21573959
2486
2487         Patch breaks chromeexperiments.com
2488         
2489         Reverted changeset:
2490         
2491         * CMakeLists.txt:
2492         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2493         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2494         * JavaScriptCore.xcodeproj/project.pbxproj:
2495         * inspector/InjectedScriptSource.js:
2496         (.):
2497         * runtime/JSBoundSlotBaseFunction.cpp: Removed.
2498         * runtime/JSBoundSlotBaseFunction.h: Removed.
2499         * runtime/JSGlobalObject.cpp:
2500         (JSC::JSGlobalObject::init): Deleted.
2501         (JSC::JSGlobalObject::visitChildren): Deleted.
2502         * runtime/JSGlobalObject.h:
2503         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
2504         * runtime/JSObject.cpp:
2505         (JSC::JSObject::getOwnPropertyDescriptor):
2506         (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
2507         * runtime/VM.cpp:
2508         (JSC::VM::VM): Deleted.
2509         * runtime/VM.h:
2510
2511 2015-07-01  Dean Jackson  <dino@apple.com>
2512
2513         Disable the experimental WebGL2 implementation
2514         https://bugs.webkit.org/show_bug.cgi?id=146526
2515         <rdar://problem/21641235>
2516
2517         Reviewed by Myles Maxfield.
2518
2519         Add (and disable) an ENABLE_WEBGL2 flag.
2520
2521         * Configurations/FeatureDefines.xcconfig:
2522
2523 2015-07-01  Matthew Daiter  <mdaiter@apple.com>
2524
2525         Enable MEDIA_STREAM flag
2526         https://bugs.webkit.org/show_bug.cgi?id=145947
2527         <rdar://problem/21365829>
2528
2529         Reviewed by Eric Carlson.
2530
2531         * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag
2532
2533 2015-06-30  Andy VanWagoner  <thetalecrafter@gmail.com>
2534
2535         Implement ECMAScript Internationalization API
2536         https://bugs.webkit.org/show_bug.cgi?id=90906
2537
2538         Reviewed by Benjamin Poulain.
2539
2540         * CMakeLists.txt: add IntlObject.cpp
2541         * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag
2542         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject
2543         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject
2544         * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject
2545         * runtime/CommonIdentifiers.h: add "Intl" name
2546         * runtime/IntlObject.cpp: Added.
2547         (JSC::IntlObject::IntlObject):
2548         (JSC::IntlObject::create):
2549         (JSC::IntlObject::finishCreation):
2550         (JSC::IntlObject::createStructure):
2551         * runtime/IntlObject.h: Added.
2552         * runtime/JSGlobalObject.cpp: Add global Intl
2553         (JSC::JSGlobalObject::init):
2554
2555 2015-06-30  Basile Clement  <basile_clement@apple.com>
2556
2557         Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes
2558         https://bugs.webkit.org/show_bug.cgi?id=146431
2559
2560         Reviewed by Filip Pizlo.
2561
2562         * dfg/DFGNode.h:
2563         (JSC::DFG::Node::isFunctionAllocation):
2564         (JSC::DFG::Node::isPhantomFunctionAllocation):
2565         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2566         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
2567         * dfg/DFGPromoteHeapAccess.h:
2568         (JSC::DFG::promoteHeapAccess):
2569
2570 2015-06-30  Matt Baker  <mattbaker@apple.com>
2571
2572         Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing
2573         https://bugs.webkit.org/show_bug.cgi?id=146168
2574
2575         Reviewed by Brian Burg.
2576
2577         * inspector/protocol/Timeline.json:
2578         New timeline record type for compositing events.
2579
2580 2015-06-29  Dean Jackson  <dino@apple.com>
2581
2582         Temporarily disable PICTURE_SIZES
2583         https://bugs.webkit.org/show_bug.cgi?id=146435
2584         <rdar://problem/21087013>
2585
2586         Reviewed by Tim Horton.
2587
2588         Temporarily disable PICTURE_SIZES because it causes problems with out
2589         of date <picture> polyfills.
2590
2591         * Configurations/FeatureDefines.xcconfig:
2592
2593 2015-06-29  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2594
2595         Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue
2596         https://bugs.webkit.org/show_bug.cgi?id=146403
2597
2598         Reviewed by Darin Adler.
2599
2600         * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue.
2601
2602 2015-06-28 Aleksandr Skachkov   <gskachkov@gmail.com>
2603
2604         [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and =>
2605         https://bugs.webkit.org/show_bug.cgi?id=146394
2606
2607         Reviewed by Yusuke Suzuki.
2608
2609         * parser/Parser.cpp:
2610         (JSC::Parser<LexerType>::parseFunctionInfo):
2611
2612 2015-06-27  Darin Adler  <darin@apple.com>
2613
2614         Make converting JSString to StringView idiomatically safe
2615         https://bugs.webkit.org/show_bug.cgi?id=146387
2616
2617         Reviewed by Anders Carlsson.
2618
2619         * jsc.cpp:
2620         (functionPrint): Add explicit call to SafeView::get, needed since there
2621         is no StringView temporary.
2622         (functionDebug): Ditto.
2623
2624         * runtime/ArrayPrototype.cpp:
2625         (JSC::holesMustForwardToPrototype): Refactored into helper function.
2626         (JSC::join): Refactored so that StringView is a function argument, making
2627         the lifetime simpler.
2628         (JSC::arrayProtoFuncJoin): Ditto.
2629         (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper.
2630
2631         * runtime/JSGlobalObjectFunctions.cpp:
2632         (JSC::encode): Add explicit call to SafeView::get.
2633
2634         * runtime/JSString.h: Moved declarations of functions to the top of the
2635         file instead of mixing them in with the function definitions. Changed
2636         return type of the view function to return a JSString::SafeView so that
2637         the JSString's lifetime will last as long as the StringView does in
2638         typical coding idioms.
2639         (JSC::JSString::getIndex): Use unsafeView so we can index into the
2640         view; could also have used view.get but here in this class this seems fine.
2641         (JSC::JSRopeString::unsafeView): Renamed existing view function to this.
2642         (JSC::JSString::unsafeView): Ditto.
2643         (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState
2644         and a JSString. The ExecState is needed to create the StringView, and the
2645         JSString needs to be kept alive as long as the StringView is.
2646         (JSC::JSString::SafeView::operator StringView): Call unsafeView.
2647         (JSC::JSString::SafeView::get): Convenience for when we want to call
2648         StringView member functions.
2649         (JSC::JSString::view): Added. Returns a SafeView.
2650
2651         * runtime/StringPrototype.cpp:
2652         (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get.
2653
2654 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
2655
2656         Remove ARMv7Assembler.cpp
2657         https://bugs.webkit.org/show_bug.cgi?id=146340
2658
2659         Reviewed by Filip Pizlo.
2660
2661         * CMakeLists.txt:
2662         * JavaScriptCore.xcodeproj/project.pbxproj:
2663         * assembler/ARMv7Assembler.cpp: Removed.
2664
2665 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
2666
2667         Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989
2668         https://bugs.webkit.org/show_bug.cgi?id=146344
2669
2670         Reviewed by Yusuke Suzuki.
2671
2672         * parser/Parser.cpp:
2673         (JSC::Parser<LexerType>::parseSourceElements):
2674
2675 2015-06-26 Aleksandr Skachkov  <gskachkov@gmail.com>
2676
2677          [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function. 
2678          https://bugs.webkit.org/show_bug.cgi?id=144955
2679
2680          Reviewed by Yusuke Suzuki.
2681
2682          Added support of ES6 arrow function. Changes were made according to following spec http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. Patch does not include any arrow function specific behavior e.g. lexical bind this, arguments and etc.     
2683         This patch implements the simplest cases of arrow function declaration:
2684            parameters             () => 10 + 20
2685            parameter               x => x + 20
2686            parameters         (x, y) => x + y
2687            function with block     x => { return x*10; }
2688
2689         Not implemented:
2690            bind of the this, arguments, super and etc.
2691            exception in case of trying to use 'new' with arrow function
2692
2693         * parser/ASTBuilder.h:
2694         (JSC::ASTBuilder::createFunctionExpr):
2695         (JSC::ASTBuilder::createArrowFunctionExpr):
2696         (JSC::ASTBuilder::createGetterOrSetterProperty):
2697         (JSC::ASTBuilder::createFuncDeclStatement):
2698         * parser/Lexer.cpp:
2699         (JSC::Lexer<T>::setTokenPosition):
2700         (JSC::Lexer<T>::lex):
2701         * parser/Lexer.h:
2702         (JSC::Lexer::lastTokenLocation):
2703         (JSC::Lexer::setTerminator):
2704         * parser/Parser.cpp:
2705         (JSC::Parser<LexerType>::parseInner):
2706         (JSC::Parser<LexerType>::parseSourceElements):
2707         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody):
2708         (JSC::Parser<LexerType>::parseSwitchClauses):
2709         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
2710         (JSC::Parser<LexerType>::parseBlockStatement):
2711         (JSC::Parser<LexerType>::parseFunctionBody):
2712         (JSC::stringForFunctionMode):
2713         (JSC::Parser<LexerType>::parseFunctionParameters):
2714         (JSC::Parser<LexerType>::parseFunctionInfo):
2715         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2716         (JSC::Parser<LexerType>::parseClass):
2717         (JSC::Parser<LexerType>::parseAssignmentExpression):
2718         (JSC::Parser<LexerType>::parsePropertyMethod):
2719         (JSC::Parser<LexerType>::parseGetterSetter):
2720         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
2721         * parser/Parser.h:
2722         (JSC::Parser::locationBeforeLastToken):
2723         (JSC::Parser::isEndOfArrowFunction):
2724         (JSC::Parser::isArrowFunctionParamters):
2725         (JSC::Parser::setEndOfStatement):
2726         * parser/ParserFunctionInfo.h:
2727         * parser/ParserTokens.h:
2728         * parser/SourceCode.h:
2729         (JSC::SourceCode::subArrowExpression):
2730         * parser/SourceProviderCacheItem.h:
2731         (JSC::SourceProviderCacheItem::endFunctionToken):
2732         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
2733         * parser/SyntaxChecker.h:
2734         (JSC::SyntaxChecker::createArrowFunctionExpr):
2735         (JSC::SyntaxChecker::setFunctionNameStart):
2736
2737 2015-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2738
2739         [ES6] Support rest element in destructuring assignments
2740         https://bugs.webkit.org/show_bug.cgi?id=146206
2741
2742         Reviewed by Oliver Hunt.
2743
2744         This patch enables rest element (...rest) in array binding patterns.
2745         It generates array from the iterables.
2746         In variable declarations and parameters, `[...identifier]` form is only allowed,
2747         while expressions can take `[...[...rest]]` pattern.
2748
2749         * bytecompiler/BytecodeGenerator.cpp:
2750         (JSC::BytecodeGenerator::emitEnumeration):
2751         (JSC::BytecodeGenerator::emitIteratorNext):
2752         * bytecompiler/BytecodeGenerator.h:
2753         * bytecompiler/NodesCodegen.cpp:
2754         (JSC::ArrayPatternNode::bindValue):
2755         (JSC::ArrayPatternNode::toString):
2756         * parser/ASTBuilder.h:
2757         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
2758         (JSC::ASTBuilder::appendArrayPatternEntry):
2759         (JSC::ASTBuilder::appendArrayPatternRestEntry):
2760         * parser/Nodes.h:
2761         (JSC::ArrayPatternNode::appendIndex):
2762         * parser/Parser.cpp:
2763         (JSC::Parser<LexerType>::parseDeconstructionPattern):
2764         * parser/SyntaxChecker.h:
2765         (JSC::SyntaxChecker::operatorStackPop):
2766         * tests/stress/rest-elements.js: Added.
2767         (shouldBe):
2768         (shouldThrow):
2769
2770 2015-06-25  Commit Queue  <commit-queue@webkit.org>
2771
2772         Unreviewed, rolling out r185956.
2773         https://bugs.webkit.org/show_bug.cgi?id=146321
2774
2775         Causes massive crashes on test bots (Requested by bfulgham on
2776         #webkit).
2777
2778         Reverted changeset:
2779
2780         "Enabling MEDIA_STREAM"
2781         https://bugs.webkit.org/show_bug.cgi?id=145947
2782         http://trac.webkit.org/changeset/185956
2783
2784 2015-06-25  Michael Saboff  <msaboff@apple.com>
2785
2786         Minor fix to idx bounds check after 185954
2787
2788         Rubber Stamped by Ryosuke Niwa.
2789
2790         Changed "idx > 1" to "idx > 0" in two places.
2791
2792         * runtime/ExceptionHelpers.cpp:
2793         (JSC::functionCallBase):
2794
2795 2015-06-25  Keith Miller  <keith_miller@apple.com>
2796
2797         Address Sanitizer does not play well with memcpy in JSC::MachineThreads::tryCopyOtherThreadStack.
2798         https://bugs.webkit.org/show_bug.cgi?id=146297
2799
2800         Reviewed by Filip Pizlo.
2801
2802         Since we cannot blacklist the system memcpy we must use our own naive implementation,
2803         copyMemory. This is not a significant performance loss as tryCopyOtherThreadStack is
2804         only called as part of an O(heapsize) operation. As the heap is generally much larger
2805         than the stack the performance hit is minimal.
2806
2807         * heap/MachineStackMarker.cpp:
2808         (JSC::copyMemory):
2809         (JSC::MachineThreads::tryCopyOtherThreadStack):
2810         (JSC::asanUnsafeMemcpy): Deleted.
2811
2812 2015-06-25  Matthew Daiter  <mdaiter@apple.com>
2813
2814         Enabling MEDIA_STREAM
2815         https://bugs.webkit.org/show_bug.cgi?id=145947
2816         <rdar://problem/21365829>
2817
2818         Reviewed by Brent Fulgham.
2819
2820         * Configurations/FeatureDefines.xcconfig:
2821
2822 2015-06-25  Michael Saboff  <msaboff@apple.com>
2823
2824         REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689)
2825         https://bugs.webkit.org/show_bug.cgi?id=146298
2826
2827         Reviewed by Mark Lam.
2828
2829         We were underflowing in ExceptionHelpers.cpp::functionCallBase() with a right to left
2830         string index.  Added checks that idx stays within the string.  Also added a termination
2831         condition when idx is 0.
2832
2833         * runtime/ExceptionHelpers.cpp:
2834         (JSC::functionCallBase):
2835
2836 2015-06-24  Chris Dumez  <cdumez@apple.com>
2837
2838         Unreviewed, speculative build fix after r185942.
2839
2840         Add missing include for StrongInlines.h.
2841
2842         * runtime/ArrayPrototype.cpp:
2843
2844 2015-06-24  Darin Adler  <darin@apple.com>
2845
2846         Optimize Array.join and Array.reverse for high speed array types
2847         https://bugs.webkit.org/show_bug.cgi?id=146275
2848
2849         Reviewed by Mark Lam.
2850
2851         This seems to yield another 17% speed improvement in the array
2852         test from the Peacekeeper benchmark.
2853
2854         * runtime/ArrayPrototype.cpp:
2855         (JSC::isHole): Added. Helper to check for holes.
2856         (JSC::containsHole): Ditto.
2857         (JSC::arrayProtoFuncJoin): Added special cases for the various types
2858         of arrays that could be in a butterfly.
2859         (JSC::arrayProtoFuncReverse): Ditto.
2860
2861         * runtime/JSStringJoiner.h: Made appendEmptyString public so we can
2862         call it from the new parts of Array.join.
2863
2864 2015-06-24  Filip Pizlo  <fpizlo@apple.com>
2865
2866         DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear
2867         https://bugs.webkit.org/show_bug.cgi?id=146291
2868         rdar://problem/21435366
2869
2870         Reviewed by Michael Saboff.
2871         
2872         The filter() method returns Contradiction only when a value *becomes* clear. This is
2873         necessary for supporting the convention that non-JSValue nodes have a bottom proved
2874         type. (We should fix that convention eventually, but for now let's just be consistent
2875         about it.)
2876         
2877         * dfg/DFGFiltrationResult.h: Document the issue.
2878         * dfg/DFGSpeculativeJIT32_64.cpp: Work around the issue.
2879         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2880         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2881         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2882         * dfg/DFGSpeculativeJIT64.cpp: Work around the issue.
2883         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2884         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2885         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2886         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2887
2888 2015-06-24  Michael Saboff  <msaboff@apple.com>
2889
2890         Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo
2891         https://bugs.webkit.org/show_bug.cgi?id=146285
2892
2893         Reviewed by Filip Pizlo.
2894
2895         CallLinkInfo's contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains
2896         a collection of PolymorphicCallNode.  Those PolymorphicCallNodes have a reference back to the
2897         CallLinkInfo.  When a CallLinkInfo replaces or clears "stub", the ref count of the
2898         PolymorphicCallStubRoutine is decremented as expected, but since it inherits from
2899         GCAwareJITStubRoutine, it isn't actually deleted until GC.  In the mean time, the original
2900         CallLinkInfo can go away.  If PolymorphicCallNode::unlink() is called at that point,
2901         it will try to unlink a now deleted CallLinkInfo and crash as a result.
2902
2903         The fix is to clear the CallLinkInfo references from any PolymorphicCallNode objects when
2904         when we set a new stub or clear an existing stub for a CallLinkInfo.  This is done by
2905         calling PolymorphicCallNode::clearCallNodesFor() on the old stub.
2906
2907         The prior code would only call clearCallNodesFor() from the CallLinkInfo destructor.
2908         This only took care of the last PolymorphicCallStubRoutine held in the CallLinkInfo.
2909         Any prior PolymorphicCallStubRoutine would still have a, now bad, reference to the CallLinkInfo.
2910
2911         In the process I refactored CallLinkInfo from a struct to a class with proper accessors and
2912         made all the data elements private.
2913
2914         * bytecode/CallLinkInfo.cpp:
2915         (JSC::CallLinkInfo::clearStub): Updated to call PolymorphicCallStubRoutine::clearCallNodesFor()
2916         to clear the back references to this CallLinkInfo.
2917         * bytecode/CallLinkInfo.h:
2918         (JSC::CallLinkInfo::~CallLinkInfo): Moved clearCallNodesFor() call to clearStub().
2919         (JSC::CallLinkInfo::setStub): Clear any prior stub before changing to the new stub.
2920
2921 2015-06-24  Michael Saboff  <msaboff@apple.com>
2922
2923         Refactor CallLinkInfo from a struct to a class
2924         https://bugs.webkit.org/show_bug.cgi?id=146292
2925
2926         Rubber stamped by Filip Pizlo.
2927
2928         Refactored CallLinkInfo from a struct to a class with proper accessors and made all the
2929         data elements private.
2930
2931         Done in preparation for fixing https://bugs.webkit.org/show_bug.cgi?id=146285.
2932
2933         * bytecode/CallLinkInfo.cpp:
2934         (JSC::CallLinkInfo::clearStub):
2935         (JSC::CallLinkInfo::unlink):
2936         (JSC::CallLinkInfo::visitWeak):
2937         * bytecode/CallLinkInfo.h:
2938         (JSC::CallLinkInfo::callTypeFor):
2939         (JSC::CallLinkInfo::CallLinkInfo):
2940         (JSC::CallLinkInfo::~CallLinkInfo):
2941         (JSC::CallLinkInfo::specializationKindFor):
2942         (JSC::CallLinkInfo::specializationKind):
2943         (JSC::CallLinkInfo::isLinked):
2944         (JSC::CallLinkInfo::setUpCall):
2945         (JSC::CallLinkInfo::setCallLocations):
2946         (JSC::CallLinkInfo::setUpCallFromFTL):
2947         (JSC::CallLinkInfo::callReturnLocation):
2948         (JSC::CallLinkInfo::hotPathBegin):
2949         (JSC::CallLinkInfo::hotPathOther):
2950         (JSC::CallLinkInfo::setCallee):
2951         (JSC::CallLinkInfo::clearCallee):
2952         (JSC::CallLinkInfo::callee):
2953         (JSC::CallLinkInfo::setLastSeenCallee):
2954         (JSC::CallLinkInfo::clearLastSeenCallee):
2955         (JSC::CallLinkInfo::lastSeenCallee):
2956         (JSC::CallLinkInfo::haveLastSeenCallee):
2957         (JSC::CallLinkInfo::setStub):
2958         (JSC::CallLinkInfo::stub):
2959         (JSC::CallLinkInfo::seenOnce):
2960         (JSC::CallLinkInfo::clearSeen):
2961         (JSC::CallLinkInfo::setSeen):
2962         (JSC::CallLinkInfo::hasSeenClosure):
2963         (JSC::CallLinkInfo::setHasSeenClosure):
2964         (JSC::CallLinkInfo::clearedByGC):
2965         (JSC::CallLinkInfo::setCallType):
2966         (JSC::CallLinkInfo::callType):
2967         (JSC::CallLinkInfo::addressOfMaxNumArguments):
2968         (JSC::CallLinkInfo::maxNumArguments):
2969         (JSC::CallLinkInfo::offsetOfSlowPathCount):
2970         (JSC::CallLinkInfo::setCalleeGPR):
2971         (JSC::CallLinkInfo::calleeGPR):
2972         (JSC::CallLinkInfo::slowPathCount):
2973         (JSC::CallLinkInfo::setCodeOrigin):
2974         (JSC::CallLinkInfo::codeOrigin):
2975         (JSC::getCallLinkInfoCodeOrigin):
2976         * bytecode/CallLinkStatus.cpp:
2977         (JSC::CallLinkStatus::computeFor):
2978         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2979         (JSC::CallLinkStatus::computeDFGStatuses):
2980         * bytecode/CallLinkStatus.h:
2981         * bytecode/CodeBlock.cpp:
2982         (JSC::CodeBlock::printCallOp):
2983         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2984         * dfg/DFGJITCompiler.cpp:
2985         (JSC::DFG::JITCompiler::link):
2986         * dfg/DFGOSRExitCompilerCommon.cpp:
2987         (JSC::DFG::reifyInlinedCallFrames):
2988         * dfg/DFGSpeculativeJIT32_64.cpp:
2989         (JSC::DFG::SpeculativeJIT::emitCall):
2990         * dfg/DFGSpeculativeJIT64.cpp:
2991         (JSC::DFG::SpeculativeJIT::emitCall):
2992         * ftl/FTLJSCallBase.cpp:
2993         (JSC::FTL::JSCallBase::link):
2994         * jit/AccessorCallJITStubRoutine.h:
2995         * jit/JIT.cpp:
2996         (JSC::JIT::privateCompile):
2997         * jit/JIT.h:
2998         * jit/JITCall.cpp:
2999         (JSC::JIT::compileSetupVarargsFrame):
3000         (JSC::JIT::compileOpCall):
3001         * jit/JITCall32_64.cpp:
3002         (JSC::JIT::compileSetupVarargsFrame):
3003         (JSC::JIT::compileOpCall):
3004         * jit/JITOperations.cpp:
3005         * jit/PolymorphicCallStubRoutine.cpp:
3006         (JSC::PolymorphicCallNode::unlink):
3007         (JSC::PolymorphicCallNode::clearCallLinkInfo):
3008         * jit/PolymorphicCallStubRoutine.h:
3009         * jit/Repatch.cpp:
3010         (JSC::generateByIdStub):
3011         (JSC::linkSlowFor):
3012         (JSC::linkFor):
3013         (JSC::revertCall):
3014         (JSC::unlinkFor):
3015         (JSC::linkPolymorphicCall):
3016         * jit/ThunkGenerators.cpp:
3017         (JSC::virtualForThunkGenerator):
3018
3019 2015-06-24  Doug Russell  <d_russell@apple.com>
3020
3021         Bug 146177 - AX: AXObjectCache should try to use an unignored accessibilityObject 
3022         when posting a selection notification when on the border between two accessibilityObjects
3023         https://bugs.webkit.org/show_bug.cgi?id=146177
3024
3025         Add an adopt() function to simplify JSRetainPtr<JSStringRef> { Adopt, string } to adopt(string).
3026
3027         Reviewed by Darin Adler.
3028
3029         * API/JSRetainPtr.h:
3030         (adopt):
3031
3032 2015-06-24  Keith Miller  <keith_miller@apple.com>
3033
3034         Strict Equality on objects should only check that one of the two sides is an object.
3035         https://bugs.webkit.org/show_bug.cgi?id=145992
3036
3037         This patch adds a new optimization for checking strict equality on objects.
3038         If we speculate that a strict equality comparison has an object on one side
3039         we only need to type check that side. Equality is then determined by a pointer
3040         comparison between the two values (although in the 32-bit case we must also check
3041         that the other side is a cell). Once LICM hoists type checks out of a loop we
3042         can be cleverer about how we choose the operand we type check if both are
3043         speculated to be objects.
3044
3045         For testing I added the addressOf function, which returns the address
3046         of a Cell to the runtime.
3047
3048         Reviewed by Mark Lam.
3049
3050         * dfg/DFGFixupPhase.cpp:
3051         (JSC::DFG::FixupPhase::fixupNode):
3052         * dfg/DFGSpeculativeJIT.cpp:
3053         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3054         * dfg/DFGSpeculativeJIT.h:
3055         * dfg/DFGSpeculativeJIT32_64.cpp:
3056         (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
3057         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
3058         * dfg/DFGSpeculativeJIT64.cpp:
3059         (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
3060         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
3061         * ftl/FTLCapabilities.cpp:
3062         (JSC::FTL::canCompile):
3063         * ftl/FTLLowerDFGToLLVM.cpp:
3064         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
3065         * jsc.cpp:
3066         (GlobalObject::finishCreation):
3067         (functionAddressOf):
3068         * tests/stress/equality-type-checking.js: Added.
3069         (Foo):
3070         (checkStrictEq):
3071         (checkStrictEqOther):
3072
3073 2015-06-24  Mark Lam  <mark.lam@apple.com>
3074
3075         Fixed assertion in JSStringJoiner::join() (regression from r185899).
3076
3077         Not reviewed.
3078
3079         JSStringJoiner did not account for the case where the array being joined can
3080         have null or undefined elements.  As a result, its size may be less than
3081         its initially reserved capacity (which was estimated based on the array length).
3082
3083         * runtime/JSStringJoiner.cpp:
3084         (JSC::JSStringJoiner::join):
3085
3086 2015-06-24  Darin Adler  <darin@apple.com>
3087
3088         Fix Array.concat with RuntimeArray (regression from my last patch)
3089
3090         * runtime/ArrayPrototype.cpp:
3091         (JSC::arrayProtoFuncConcat): Use getLength instead of JSArray::length.
3092
3093         * runtime/JSArray.cpp:
3094         (JSC::JSArray::defineOwnProperty): Added comment about use of
3095         JSArray::length here that is incorrect (in a really non-obvious way).
3096         (JSC::JSArray::fillArgList): Ditto.
3097         (JSC::JSArray::copyToArguments): Ditto.
3098
3099         * runtime/JSArray.h: Added a comment explaining that it is not always
3100         safe to use JSArray::length.
3101
3102 2015-06-23  Mark Lam  <mark.lam@apple.com>
3103
3104         Gardening: Fixing 2 bad asserts from r185889.
3105         https://bugs.webkit.org/show_bug.cgi?id=140575
3106
3107         Not reviewed.
3108
3109         * runtime/JSBoundSlotBaseFunction.cpp:
3110         (JSC::JSBoundSlotBaseFunction::finishCreation):
3111
3112 2015-06-23  Dan Bernstein  <mitz@apple.com>
3113
3114         Fixed iOS production builds.
3115
3116         * JavaScriptCore.xcodeproj/project.pbxproj:
3117
3118 2015-06-22  Darin Adler  <darin@apple.com>
3119
3120         Make Array.join work directly on substrings without reifying them
3121         https://bugs.webkit.org/show_bug.cgi?id=146191
3122
3123         Reviewed by Andreas Kling.
3124
3125         Besides the Array.join change, this has other optimizations based on
3126         profiling the Peacekeeper array benchmark.
3127
3128         I measured a 14% speed improvement in the Peacekeeper array benchmark.
3129
3130         Still a lot of low hanging fruit in that test because so many of functions
3131         on the array prototype are not optimizing for simple cases. For example,
3132         the reverse function does individual get and put calls even when the array
3133         is entirely made up of integers in contiguous storage.
3134
3135         * runtime/ArrayPrototype.cpp:
3136         (JSC::getProperty): Use tryGetIndexQuickly first before getPropertySlot.
3137         (JSC::argumentClampedIndexFromStartOrEnd): Marked inline.
3138         (JSC::shift): Use the getProperty helper in this file instead of using
3139         getPropertySlot. Use putByIndexInline instead of calling putByIndex directly.
3140         In both cases this can yield a faster code path.
3141         (JSC::unshift): Ditto.
3142         (JSC::arrayProtoFuncToString): Updated to use the new JSStringJoiner
3143         interface. Changed local variable name to thisArray since it's not a
3144         JSObject*. Changed loop index to i instead of k.
3145         (JSC::arrayProtoFuncToLocaleString): Updated to use the new JSStringJoiner
3146         interface. Renamed thisObj to thisObject. Added a missing exception check
3147         after the toLocaleString function is called, but before toString is called
3148         the result of that function.
3149         (JSC::arrayProtoFuncJoin): Updated to use the new JSStringJointer interface.
3150         Added a missing exception check after calling toString on the separator
3151         but before calling get to get the first element in the array-like object
3152         being joined. Changed loop index to i instead of k. Added missing exception
3153         check after calling toString on each string from the array before calling
3154         get for the next element.
3155         (JSC::arrayProtoFuncConcat): Use JSArray::length instead of using the
3156         getLength function.
3157         (JSC::arrayProtoFuncReverse): Ditto. Also use putByIndexInline.
3158         (JSC::arrayProtoFuncShift): Ditto.
3159         (JSC::arrayProtoFuncSplice): Use getIndex instead of get, which includes some
3160         additional optimizations.
3161         (JSC::getOrHole): Deleted. Unused function.
3162         (JSC::arrayProtoFuncUnShift): Use putByIndexInline.
3163
3164         * runtime/ExceptionHelpers.cpp:
3165         (JSC::errorDescriptionForValue): Removed the duplicate copy of the the logic
3166         from JSValue::toString.
3167
3168         * runtime/JSCJSValue.cpp:
3169         (JSC::JSValue::toStringSlowCase): Improved the performance when converting a
3170         small integer to a single character string.
3171         (JSC::JSValue::toWTFStringSlowCase): Moved the contents of the
3172         inlineJSValueNotStringtoString function here.
3173         * runtime/JSCJSValue.h: Removed no longer used toWTFStringInline and fixed
3174         a comment with a typo.
3175
3176         * runtime/JSObject.h:
3177         (JSC::JSObject::putByIndexInline): Marked ALWAYS_INLINE because this was not
3178         getting inlined at some call sites.
3179         (JSC::JSObject::indexingData): Deleted. Unused function.
3180         (JSC::JSObject::currentIndexingData): Deleted. Unused function.
3181         (JSC::JSObject::getHolyIndexQuickly): Deleted. Unused function.
3182         (JSC::JSObject::relevantLength): Deleted. Unused function.
3183         (JSC::JSObject::currentRelevantLength): Deleted. Unused function.
3184
3185         * runtime/JSString.h: Added the StringViewWithUnderlyingString struct and
3186         the viewWithUnderlyingString function. Removed the inlineJSValueNotStringtoString
3187         and toWTFStringInline functions.
3188
3189         * runtime/JSStringJoiner.cpp:
3190         (JSC::appendStringToData): Changed this to be a template instead of writing
3191         it out, since StringView::getCharactersWithUpconvert does almsot exactly what
3192         this function was trying to do.
3193         (JSC::joinStrings): Rewrote this to use StringView.
3194         (JSC::JSStringJoiner::joinedLength): Added. Factored out from the join function.
3195         (JSC::JSStringJoiner::join): Rewrote to make it a bit simpler. Added an assertion
3196         that we entirely filled capacity, since we are now reserving capacity and using
3197         uncheckedAppend. Use String instead of RefPtr<StringImpl> because there was no
3198         particular value to using the impl directly.
3199
3200         * runtime/JSStringJoiner.h: Changed the interface to the class to use StringView.
3201         Also changed this class so it now has the responsibility to convert each JSValue
3202         into a string. This let us share more code between toString and join, and also
3203         lets us use the new viewWithUnderlyingString function, which could be confusing at
3204         all the call sites, but is easier to understand here.
3205
3206 2015-06-23  Matthew Mirman  <mmirman@apple.com>
3207
3208         Completes native binding descriptors with native getters and potentially setters.
3209         https://bugs.webkit.org/show_bug.cgi?id=140575
3210         rdar://problem/19506502
3211
3212         Reviewed by Mark Lam.
3213
3214         * CMakeLists.txt:  Added JSBoundSlotBaseFunction.cpp
3215         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3216         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3217         * JavaScriptCore.xcodeproj/project.pbxproj:
3218         * inspector/InjectedScriptSource.js: Added case for descriptor having a native getter.
3219         * runtime/JSBoundSlotBaseFunction.cpp: Added.
3220         (JSC::boundSlotBaseFunctionCall):
3221         (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction):  
3222         Necessary wrapper for custom getters and setters as objects.
3223         (JSC::JSBoundSlotBaseFunction::create):
3224         (JSC::JSBoundSlotBaseFunction::visitChildren):
3225         (JSC::JSBoundSlotBaseFunction::finishCreation):
3226         * runtime/JSBoundSlotBaseFunction.h: Added.
3227         (JSC::JSBoundSlotBaseFunction::createStructure):
3228         (JSC::JSBoundSlotBaseFunction::boundSlotBase):
3229         (JSC::JSBoundSlotBaseFunction::customGetterSetter):
3230         (JSC::JSBoundSlotBaseFunction::isGetter):
3231         * runtime/JSGlobalObject.cpp:
3232         (JSC::JSGlobalObject::init): Added a globally initialized structure for JSBoundSlotBaseFunction
3233         (JSC::JSGlobalObject::visitChildren): visits that structure
3234         * runtime/JSGlobalObject.h:
3235         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): added a getter for that structure
3236         * runtime/JSObject.cpp:
3237         (JSC::JSObject::getOwnPropertyDescriptor): extends the case for CustomGetterSetter to 
3238         actually include GetterSetter as a JSBoundSlotBaseFunction
3239         * runtime/VM.cpp: Added initializer for customGetterSetterFunctionMap
3240         * runtime/VM.h: Added cache for JSBoundSlotBaseFunction
3241
3242 2015-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3243
3244         [ES6] Allow trailing comma in ArrayBindingPattern and ObjectBindingPattern
3245         https://bugs.webkit.org/show_bug.cgi?id=146192
3246
3247         Reviewed by Darin Adler.
3248
3249         According to the ES6 spec, trailing comma in ArrayBindingPattern and ObjectBindingPattern is allowed.
3250         And empty ArrayBindingPattern and ObjectBindingPattern is also allowed.
3251
3252         This patch allows trailing comma and empty binding patterns.
3253
3254         * bytecompiler/NodesCodegen.cpp:
3255         (JSC::ArrayPatternNode::bindValue):
3256         * parser/Parser.cpp:
3257         (JSC::Parser<LexerType>::parseDeconstructionPattern):
3258         * tests/stress/trailing-comma-in-patterns.js: Added.
3259         (shouldBe):
3260         (iterator):
3261
3262 2015-06-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3263
3264         [ES6] Destructuring assignment need to accept iterables
3265         https://bugs.webkit.org/show_bug.cgi?id=144111
3266
3267         Reviewed by Darin Adler.
3268
3269         This patch makes that destructuring assignments to array binding patterns accept iterables.
3270         Previously, it just access the indexed properties.
3271         After this patch, it iterates the given value by using ES6 iterator protocol.
3272
3273         The iteration becomes different from the for-of case.
3274         1. Since there's no break/continue case, finally scope is not necessary.
3275         2. When the error is raised, the close status of the iterator becomes true. So IteratorClose is not called for that.
3276         3. Since the array binding patterns requires a limited count of iterations (if there is no rest(...rest) case), IteratorClose is called when the iteration does not consume the all values of the iterator.
3277         4. Since the array binding patterns requires a specified count of iterations, iterator's next call is skipped when iterator becomes closed.
3278
3279         * bytecompiler/BytecodeGenerator.cpp:
3280         (JSC::BytecodeGenerator::emitIteratorClose):
3281         * bytecompiler/BytecodeGenerator.h:
3282         * bytecompiler/NodesCodegen.cpp:
3283         (JSC::ArrayPatternNode::bindValue):
3284         * parser/ASTBuilder.h:
3285         (JSC::ASTBuilder::finishArrayPattern):
3286         * parser/Nodes.h:
3287         * parser/Parser.cpp:
3288         (JSC::Parser<LexerType>::parseDeconstructionPattern):
3289         * parser/SyntaxChecker.h:
3290         (JSC::SyntaxChecker::operatorStackPop):
3291         * tests/stress/destructuring-assignment-accepts-iterables.js: Added.
3292         (shouldBe):
3293         (shouldThrow):
3294         (.set shouldThrow):
3295
3296 2015-06-19  Devin Rousso  <drousso@apple.com>
3297
3298         Web Inspector: Highlight currently edited CSS selector
3299         https://bugs.webkit.org/show_bug.cgi?id=145658
3300
3301         Reviewed by Joseph Pecoraro.
3302
3303         * inspector/protocol/DOM.json: Added highlightSelector to show highlight over multiple nodes.
3304
3305 2015-06-19  Mark Lam  <mark.lam@apple.com>
3306
3307         Gardening: fix build for EWS bots.
3308
3309         Not reviewed.
3310
3311         * runtime/JSArray.cpp:
3312         (JSC::JSArray::setLengthWithArrayStorage):
3313
3314 2015-06-19  Michael Saboff  <msaboff@apple.com>
3315
3316         Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL::fixFunctionBasedOnStackMaps + 17225
3317         https://bugs.webkit.org/show_bug.cgi?id=146133
3318
3319         Reviewed by Geoffrey Garen.
3320
3321         When generating code to put in inline caching areas, if there isn't enough space,
3322         then create and link to an out of line area.  We connect the inline code to this
3323         out of line code area by planting a jump from the inline area to the out of line
3324         code and appending a jump at the end of the out of line code bck to the instruction
3325         following the inline area.  We fill the unused inline area with nops, primarily to 
3326         ensure the disassembler doesn't get confused.
3327
3328         * ftl/FTLCompile.cpp: