e265d68a9061a297f1b62510231e52d975fced1d
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-08-05  Saam barati  <saambarati1@gmail.com>

        BytecodeGenerator emits crappy code for returns in a lexical scope.
        https://bugs.webkit.org/show_bug.cgi?id=147688

        Reviewed by Mark Lam.

        When returning, we only need to emit complex pop scopes if we're in
        a finally block. Otherwise, we can just return like normal. This saves
        us from inefficiently emitting unnecessary pop scopes.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isInFinallyBlock):
        (JSC::BytecodeGenerator::hasFinaliser): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ReturnNode::emitBytecode):

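        The language-level cases the entry above distinguishes, as an added illustration
        (this is not WebKit code and not part of the ChangeLog): a return from inside a
        block scope outside any finally takes the simple path, while a return from a
        block scope nested inside a finally must unwind the finally's scopes and
        overrides whatever the try block was about to return. The function names and
        the log array are inventions of this example.

```javascript
// Added example, not WebKit code. Exercises the two return shapes the entry
// distinguishes so the observable semantics can be checked in any JS engine.

// Return from inside a lexical (let) scope with no finally in sight:
// the engine only has to pop the block scope and return.
function returnFromBlockScope(n) {
    {
        let doubled = n * 2;
        return doubled;
    }
}

// Return from inside a block scope nested in a finally block: the finally
// runs after the try's return is already pending, and its own return wins.
function returnFromFinally(log) {
    try {
        log.push("try");
        return "from try";              // pending completion value
    } finally {
        {
            let x = "from finally";     // block scope nested in the finally
            log.push("finally");
            return x;                   // overrides the try's return value
        }
    }
}

// Same shape without a return in the finally: the try's value survives,
// but the finally's block scope still runs and is unwound.
function finallyWithoutReturn(log) {
    try {
        return "from try";
    } finally {
        {
            let marker = "cleanup";
            log.push(marker);
        }
    }
}
```

        The second function is the one worth remembering when auditing cleanup code:
        a `return` inside `finally` silently discards the `try` block's completion,
        including a thrown exception.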
2015-08-05  Benjamin Poulain  <benjamin@webkit.org>

        Add the Intl API to the status page

        * features.json:
        Andy VanWagoner landed the skeleton of the API and it is
        enabled by default.

2015-08-04  Filip Pizlo  <fpizlo@apple.com>

        Rename Mutex to DeprecatedMutex
        https://bugs.webkit.org/show_bug.cgi?id=147675

        Reviewed by Geoffrey Garen.

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::doRun):
        (JSC::SamplingTool::notifyOfScope):
        * bytecode/SamplingTool.h:
        * dfg/DFGThreadData.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::queueLength):
        (JSC::DFG::Worklist::dump):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * disassembler/Disassembler.cpp:
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::doneCopying):
        * heap/CopiedSpace.h:
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::recycleBorrowedBlock):
        (JSC::CopiedSpace::allocateBlockForCopyingPhase):
        * heap/HeapTimer.h:
        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::Locker::Locker):
        (JSC::ActiveMachineThreadsManager::add):
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThreadIfFound):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:
        * interpreter/JSStack.cpp:
        (JSC::stackStatisticsMutex):
        (JSC::JSStack::addToCommittedByteCount):
        (JSC::JSStack::committedByteCount):
        * jit/JITThunks.h:
        * profiler/ProfilerDatabase.h:

2015-08-05  Saam barati  <saambarati1@gmail.com>

        Replace JSFunctionNameScope with JSLexicalEnvironment for the function name scope.
        https://bugs.webkit.org/show_bug.cgi?id=147657

        Reviewed by Mark Lam.

        This kills the last of the name scope objects. Function name scopes are
        now built on top of the scoping mechanisms introduced with ES6 block scoping.
        A name scope is now just a JSLexicalEnvironment. We treat assignments to the
        function name scoped variable carefully depending on whether the function is in
        strict mode. If we're in strict mode, then we treat the variable exactly
        like a "const" variable. If we're not in strict mode, we can't treat
        this variable like an ES6 "const" because that would cause the bytecode
        generator to throw an exception when it shouldn't.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::pushLexicalScope):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::resolveType):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::pushScopedControlFlowContext):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        * debugger/DebuggerScope.cpp:
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_push_name_scope): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_to_string):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_push_name_scope): Deleted.
        * jit/JITOperations.cpp:
        (JSC::pushNameScope): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/Nodes.cpp:
        * runtime/CommonSlowPaths.cpp:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/JSFunctionNameScope.cpp: Removed.
        * runtime/JSFunctionNameScope.h: Removed.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::withScopeStructure):
        (JSC::JSGlobalObject::strictEvalActivationStructure):
        (JSC::JSGlobalObject::activationStructure):
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::outOfBandArgumentsStructure):
        (JSC::JSGlobalObject::functionNameScopeStructure): Deleted.
        * runtime/JSNameScope.cpp: Removed.
        * runtime/JSNameScope.h: Removed.
        * runtime/JSObject.cpp:
        (JSC::JSObject::toThis):
        (JSC::JSObject::seal):
        (JSC::JSObject::isFunctionNameScopeObject): Deleted.
        * runtime/JSObject.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::isCatchScope):
        (JSC::JSScope::isFunctionNameScopeObject):
        (JSC::resolveModeName):
        * runtime/JSScope.h:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/SymbolTable.h:
        * runtime/VM.cpp:

2015-08-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve Support for PropertyName Iterator (Reflect.enumerate) in Inspector
        https://bugs.webkit.org/show_bug.cgi?id=147679

        Reviewed by Timothy Hatcher.

        Improve native iterator support for the PropertyName Iterator by
        allowing inspection of the internal object within the iterator
        and peeking of the next upcoming values of the iterator.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::iteratedValue):

2015-08-04  Brent Fulgham  <bfulgham@apple.com>

        [Win] Update Apple Windows build for VS2015
        https://bugs.webkit.org/show_bug.cgi?id=147653

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Drive-by-fix.
        Show JSC files in proper project locations in IDE.

2015-08-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Object previews for SVG elements shows SVGAnimatedString instead of text
        https://bugs.webkit.org/show_bug.cgi?id=147328

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        Use classList and classList.toString instead of className.

2015-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Support Module Syntax
        https://bugs.webkit.org/show_bug.cgi?id=147422

        Reviewed by Saam Barati.

        This patch introduces the ES6 Modules syntax parsing part.
        In this patch, ASTBuilder just produces the corresponding nodes for the ES6 Modules syntax,
        and this patch does not include the code generator part.

        Modules require two-phase parsing. In the first pass, we just analyze the dependent modules
        and do not execute the body or construct the AST. And after analyzing all the dependent
        modules, we will parse the dependent modules next.
        After the analyzing part is done, we will start the second pass. In the second pass, we
        will parse the module, produce the AST, and execute the body.
        If we don't do so, we need to create all the ASTs in the module's dependency graph at first
        because the given module can be executed only after all the dependent modules are executed. It
        means that we need to hold so many parser arenas. To avoid this, the first pass only extracts
        the dependent modules' information.

        In this patch, we don't add this analyzing part yet. This patch only implements the second pass.
        This patch aims at just implementing the syntax parsing functionality correctly.
        After this patch is landed, we will create the ModuleDependencyAnalyzer that inherits SyntaxChecker
        to collect the dependent modules fast [1].

        To test the parsing, we added the "checkModuleSyntax" function to the jsc shell.
        By using this, we can parse the given string as a module.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=147353

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ModuleProgramNode::emitBytecode):
        (JSC::ImportDeclarationNode::emitBytecode):
        (JSC::ExportAllDeclarationNode::emitBytecode):
        (JSC::ExportDefaultDeclarationNode::emitBytecode):
        (JSC::ExportLocalDeclarationNode::emitBytecode):
        (JSC::ExportNamedDeclarationNode::emitBytecode):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCheckModuleSyntax):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createModuleSpecifier):
        (JSC::ASTBuilder::createImportSpecifier):
        (JSC::ASTBuilder::createImportSpecifierList):
        (JSC::ASTBuilder::appendImportSpecifier):
        (JSC::ASTBuilder::createImportDeclaration):
        (JSC::ASTBuilder::createExportAllDeclaration):
        (JSC::ASTBuilder::createExportDefaultDeclaration):
        (JSC::ASTBuilder::createExportLocalDeclaration):
        (JSC::ASTBuilder::createExportNamedDeclaration):
        (JSC::ASTBuilder::createExportSpecifier):
        (JSC::ASTBuilder::createExportSpecifierList):
        (JSC::ASTBuilder::appendExportSpecifier):
        * parser/Keywords.table:
        * parser/NodeConstructors.h:
        (JSC::ModuleSpecifierNode::ModuleSpecifierNode):
        (JSC::ImportSpecifierNode::ImportSpecifierNode):
        (JSC::ImportDeclarationNode::ImportDeclarationNode):
        (JSC::ExportAllDeclarationNode::ExportAllDeclarationNode):
        (JSC::ExportDefaultDeclarationNode::ExportDefaultDeclarationNode):
        (JSC::ExportLocalDeclarationNode::ExportLocalDeclarationNode):
        (JSC::ExportNamedDeclarationNode::ExportNamedDeclarationNode):
        (JSC::ExportSpecifierNode::ExportSpecifierNode):
        * parser/Nodes.cpp:
        (JSC::ModuleProgramNode::ModuleProgramNode):
        * parser/Nodes.h:
        (JSC::ModuleProgramNode::startColumn):
        (JSC::ModuleProgramNode::endColumn):
        (JSC::ModuleSpecifierNode::moduleName):
        (JSC::ImportSpecifierNode::importedName):
        (JSC::ImportSpecifierNode::localName):
        (JSC::ImportSpecifierListNode::specifiers):
        (JSC::ImportSpecifierListNode::append):
        (JSC::ImportDeclarationNode::specifierList):
        (JSC::ImportDeclarationNode::moduleSpecifier):
        (JSC::ExportAllDeclarationNode::moduleSpecifier):
        (JSC::ExportDefaultDeclarationNode::declaration):
        (JSC::ExportLocalDeclarationNode::declaration):
        (JSC::ExportSpecifierNode::exportedName):
        (JSC::ExportSpecifierNode::localName):
        (JSC::ExportSpecifierListNode::specifiers):
        (JSC::ExportSpecifierListNode::append):
        (JSC::ExportNamedDeclarationNode::specifierList):
        (JSC::ExportNamedDeclarationNode::moduleSpecifier):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseModuleSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClassDeclaration):
        (JSC::Parser<LexerType>::parseModuleSpecifier):
        (JSC::Parser<LexerType>::parseImportClauseItem):
        (JSC::Parser<LexerType>::parseImportDeclaration):
        (JSC::Parser<LexerType>::parseExportSpecifier):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        (JSC::isIdentifierOrKeyword):
        (JSC::ModuleScopeData::create):
        (JSC::ModuleScopeData::exportedBindings):
        (JSC::ModuleScopeData::exportName):
        (JSC::ModuleScopeData::exportBinding):
        (JSC::Scope::Scope):
        (JSC::Scope::setIsModule):
        (JSC::Scope::moduleScopeData):
        (JSC::Parser::matchContextualKeyword):
        (JSC::Parser::matchIdentifierOrKeyword):
        (JSC::Parser::isofToken): Deleted.
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createModuleSpecifier):
        (JSC::SyntaxChecker::createImportSpecifier):
        (JSC::SyntaxChecker::createImportSpecifierList):
        (JSC::SyntaxChecker::appendImportSpecifier):
        (JSC::SyntaxChecker::createImportDeclaration):
        (JSC::SyntaxChecker::createExportAllDeclaration):
        (JSC::SyntaxChecker::createExportDefaultDeclaration):
        (JSC::SyntaxChecker::createExportLocalDeclaration):
        (JSC::SyntaxChecker::createExportNamedDeclaration):
        (JSC::SyntaxChecker::createExportSpecifier):
        (JSC::SyntaxChecker::createExportSpecifierList):
        (JSC::SyntaxChecker::appendExportSpecifier):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkModuleSyntax):
        * runtime/Completion.h:
        * tests/stress/modules-syntax-error-with-names.js: Added.
        (shouldThrow):
        * tests/stress/modules-syntax-error.js: Added.
        (shouldThrow):
        (checkModuleSyntaxError.checkModuleSyntaxError.checkModuleSyntaxError):
        * tests/stress/modules-syntax.js: Added.
        (prototype.checkModuleSyntax):
        (checkModuleSyntax):
        * tests/stress/tagged-templates-syntax.js:

2015-08-03  Csaba Osztrogonác  <ossy@webkit.org>

        Introduce COMPILER(GCC_OR_CLANG) guard and make COMPILER(GCC) true only for GCC
        https://bugs.webkit.org/show_bug.cgi?id=146833

        Reviewed by Alexey Proskuryakov.

        * assembler/ARM64Assembler.h:
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::cacheFlush):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::isVFPPresent):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::isSSE2Present):
        * heap/MachineStackMarker.h:
        * interpreter/StackVisitor.cpp: Removed redundant COMPILER(CLANG) guards.
        (JSC::logF):
        * jit/HostCallReturnValue.h:
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86Common.h:
        * jit/JITStubsX86_64.h:
        * jit/ThunkGenerators.cpp:
        * runtime/JSExportMacros.h:
        * runtime/MathCommon.h: Removed redundant COMPILER(CLANG) guard.
        (JSC::clz32):

2015-08-03  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix uninitialized property leading to an assert.

        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):

2015-08-03  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/ObjectPropertyConditionSet.h:
        (JSC::ObjectPropertyConditionSet::fromRawPointer):

2015-07-31  Filip Pizlo  <fpizlo@apple.com>

        DFG should have adaptive structure watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=146929

        Reviewed by Geoffrey Garen.

        Before this change, if you wanted to efficiently validate whether an object has (or doesn't have) a
        property, you'd check that the object still has the structure that you first saw the object have. We
        optimized this a bit with transition watchpoints on the structure, which sometimes allowed us to
        elide the structure check.

        But this approach fails when that object frequently has new properties added to it. This would
        change the structure and fire the transition watchpoint, so the code we emitted would be invalid and
        we'd have to recompile either the IC or an entire code block.

        This change introduces a new concept: an object property condition. This value describes some
        condition involving a property on some object. There are four kinds: presence, absence,
        absence-of-setter, and equivalence. For example, a presence condition says that we expect that the
        object has some property at some offset with some attributes. This allows us to implement a new kind
        of watchpoint, which knows about the object property condition that it's being used to enforce. If
        the watchpoint fires because of a structure transition, the watchpoint may simply reinstall itself
        on the new structure.

        Object property conditions are used on the prototype chain of PutById transitions, GetById misses,
        and prototype accesses. They are also used for any DFG accesses to object constants, including
        global property accesses.

        Mostly because of the effect on global property access, this is a 9% speed-up on Kraken. It's
        neutral on most other things. It's a 68x speed-up on a microbenchmark that illustrates the prototype
        chain situation. It's also a small speed-up on getter-richards.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdCacheStatus):
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ComplexGetStatus.cpp:
        (JSC::ComplexGetStatus::computeFor):
        * bytecode/ComplexGetStatus.h:
        (JSC::ComplexGetStatus::ComplexGetStatus):
        (JSC::ComplexGetStatus::takesSlowPath):
        (JSC::ComplexGetStatus::kind):
        (JSC::ComplexGetStatus::offset):
        (JSC::ComplexGetStatus::conditionSet):
        (JSC::ComplexGetStatus::attributes): Deleted.
        (JSC::ComplexGetStatus::specificValue): Deleted.
        (JSC::ComplexGetStatus::chain): Deleted.
        * bytecode/ConstantStructureCheck.cpp: Removed.
        * bytecode/ConstantStructureCheck.h: Removed.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::~GetByIdVariant):
        (JSC::GetByIdVariant::operator=):
        (JSC::GetByIdVariant::attemptToMerge):
        (JSC::GetByIdVariant::dumpInContext):
        (JSC::GetByIdVariant::baseStructure): Deleted.
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::operator!):
        (JSC::GetByIdVariant::structureSet):
        (JSC::GetByIdVariant::conditionSet):
        (JSC::GetByIdVariant::offset):
        (JSC::GetByIdVariant::callLinkStatus):
        (JSC::GetByIdVariant::constantChecks): Deleted.
        (JSC::GetByIdVariant::alternateBase): Deleted.
        * bytecode/ObjectPropertyCondition.cpp: Added.
        (JSC::ObjectPropertyCondition::dumpInContext):
        (JSC::ObjectPropertyCondition::dump):
        (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
        (JSC::ObjectPropertyCondition::validityRequiresImpurePropertyWatchpoint):
        (JSC::ObjectPropertyCondition::isStillValid):
        (JSC::ObjectPropertyCondition::structureEnsuresValidity):
        (JSC::ObjectPropertyCondition::isWatchableAssumingImpurePropertyWatchpoint):
        (JSC::ObjectPropertyCondition::isWatchable):
        (JSC::ObjectPropertyCondition::isStillLive):
        (JSC::ObjectPropertyCondition::validateReferences):
        (JSC::ObjectPropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
        * bytecode/ObjectPropertyCondition.h: Added.
        (JSC::ObjectPropertyCondition::ObjectPropertyCondition):
        (JSC::ObjectPropertyCondition::presenceWithoutBarrier):
        (JSC::ObjectPropertyCondition::presence):
        (JSC::ObjectPropertyCondition::absenceWithoutBarrier):
        (JSC::ObjectPropertyCondition::absence):
        (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier):
        (JSC::ObjectPropertyCondition::absenceOfSetter):
        (JSC::ObjectPropertyCondition::equivalenceWithoutBarrier):
        (JSC::ObjectPropertyCondition::equivalence):
        (JSC::ObjectPropertyCondition::operator!):
        (JSC::ObjectPropertyCondition::object):
        (JSC::ObjectPropertyCondition::condition):
        (JSC::ObjectPropertyCondition::kind):
        (JSC::ObjectPropertyCondition::uid):
        (JSC::ObjectPropertyCondition::hasOffset):
        (JSC::ObjectPropertyCondition::offset):
        (JSC::ObjectPropertyCondition::hasAttributes):
        (JSC::ObjectPropertyCondition::attributes):
        (JSC::ObjectPropertyCondition::hasPrototype):
        (JSC::ObjectPropertyCondition::prototype):
        (JSC::ObjectPropertyCondition::hasRequiredValue):
        (JSC::ObjectPropertyCondition::requiredValue):
        (JSC::ObjectPropertyCondition::hash):
        (JSC::ObjectPropertyCondition::operator==):
        (JSC::ObjectPropertyCondition::isHashTableDeletedValue):
        (JSC::ObjectPropertyCondition::isCompatibleWith):
        (JSC::ObjectPropertyCondition::watchingRequiresStructureTransitionWatchpoint):
        (JSC::ObjectPropertyCondition::watchingRequiresReplacementWatchpoint):
        (JSC::ObjectPropertyCondition::isValidValueForPresence):
        (JSC::ObjectPropertyConditionHash::hash):
        (JSC::ObjectPropertyConditionHash::equal):
        * bytecode/ObjectPropertyConditionSet.cpp: Added.
        (JSC::ObjectPropertyConditionSet::forObject):
        (JSC::ObjectPropertyConditionSet::forConditionKind):
        (JSC::ObjectPropertyConditionSet::numberOfConditionsWithKind):
        (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition):
        (JSC::ObjectPropertyConditionSet::slotBaseCondition):
        (JSC::ObjectPropertyConditionSet::mergedWith):
        (JSC::ObjectPropertyConditionSet::structuresEnsureValidity):
        (JSC::ObjectPropertyConditionSet::structuresEnsureValidityAssumingImpurePropertyWatchpoint):
        (JSC::ObjectPropertyConditionSet::needImpurePropertyWatchpoint):
        (JSC::ObjectPropertyConditionSet::areStillLive):
        (JSC::ObjectPropertyConditionSet::dumpInContext):
        (JSC::ObjectPropertyConditionSet::dump):
        (JSC::generateConditionsForPropertyMiss):
        (JSC::generateConditionsForPropertySetterMiss):
        (JSC::generateConditionsForPrototypePropertyHit):
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        (JSC::generateConditionsForPropertySetterMissConcurrently):
        * bytecode/ObjectPropertyConditionSet.h: Added.
        (JSC::ObjectPropertyConditionSet::ObjectPropertyConditionSet):
        (JSC::ObjectPropertyConditionSet::invalid):
        (JSC::ObjectPropertyConditionSet::nonEmpty):
        (JSC::ObjectPropertyConditionSet::isValid):
        (JSC::ObjectPropertyConditionSet::isEmpty):
        (JSC::ObjectPropertyConditionSet::begin):
        (JSC::ObjectPropertyConditionSet::end):
        (JSC::ObjectPropertyConditionSet::releaseRawPointer):
        (JSC::ObjectPropertyConditionSet::adoptRawPointer):
        (JSC::ObjectPropertyConditionSet::fromRawPointer):
        (JSC::ObjectPropertyConditionSet::Data::Data):
        * bytecode/PolymorphicGetByIdList.cpp:
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::~GetByIdAccess):
        (JSC::GetByIdAccess::visitWeak):
        * bytecode/PolymorphicGetByIdList.h:
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::structure):
        (JSC::GetByIdAccess::conditionSet):
        (JSC::GetByIdAccess::stubRoutine):
        (JSC::GetByIdAccess::chain): Deleted.
        (JSC::GetByIdAccess::chainCount): Deleted.
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::fromStructureStubInfo):
        (JSC::PutByIdAccess::visitWeak):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::PutByIdAccess):
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::setter):
        (JSC::PutByIdAccess::newStructure):
        (JSC::PutByIdAccess::conditionSet):
        (JSC::PutByIdAccess::stubRoutine):
        (JSC::PutByIdAccess::chain): Deleted.
        (JSC::PutByIdAccess::chainCount): Deleted.
        * bytecode/PropertyCondition.cpp: Added.
        (JSC::PropertyCondition::dumpInContext):
        (JSC::PropertyCondition::dump):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint):
        (JSC::PropertyCondition::isStillValid):
        (JSC::PropertyCondition::isWatchableWhenValid):
        (JSC::PropertyCondition::isWatchableAssumingImpurePropertyWatchpoint):
        (JSC::PropertyCondition::isWatchable):
        (JSC::PropertyCondition::isStillLive):
        (JSC::PropertyCondition::validateReferences):
        (JSC::PropertyCondition::isValidValueForAttributes):
        (JSC::PropertyCondition::isValidValueForPresence):
        (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h: Added.
        (JSC::PropertyCondition::PropertyCondition):
        (JSC::PropertyCondition::presenceWithoutBarrier):
        (JSC::PropertyCondition::presence):
        (JSC::PropertyCondition::absenceWithoutBarrier):
        (JSC::PropertyCondition::absence):
        (JSC::PropertyCondition::absenceOfSetterWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetter):
        (JSC::PropertyCondition::equivalenceWithoutBarrier):
        (JSC::PropertyCondition::equivalence):
        (JSC::PropertyCondition::operator!):
        (JSC::PropertyCondition::kind):
        (JSC::PropertyCondition::uid):
        (JSC::PropertyCondition::hasOffset):
        (JSC::PropertyCondition::offset):
        (JSC::PropertyCondition::hasAttributes):
        (JSC::PropertyCondition::attributes):
        (JSC::PropertyCondition::hasPrototype):
        (JSC::PropertyCondition::prototype):
        (JSC::PropertyCondition::hasRequiredValue):
        (JSC::PropertyCondition::requiredValue):
        (JSC::PropertyCondition::hash):
        (JSC::PropertyCondition::operator==):
        (JSC::PropertyCondition::isHashTableDeletedValue):
        (JSC::PropertyCondition::isCompatibleWith):
        (JSC::PropertyCondition::watchingRequiresStructureTransitionWatchpoint):
        (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint):
        (JSC::PropertyConditionHash::hash):
        (JSC::PropertyConditionHash::equal):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::operator=):
        (JSC::PutByIdVariant::transition):
        (JSC::PutByIdVariant::setter):
        (JSC::PutByIdVariant::makesCalls):
        (JSC::PutByIdVariant::attemptToMerge):
        (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
        (JSC::PutByIdVariant::dumpInContext):
        (JSC::PutByIdVariant::baseStructure): Deleted.
        * bytecode/PutByIdVariant.h:
        (JSC::PutByIdVariant::PutByIdVariant):
        (JSC::PutByIdVariant::kind):
        (JSC::PutByIdVariant::structure):
        (JSC::PutByIdVariant::structureSet):
        (JSC::PutByIdVariant::oldStructure):
        (JSC::PutByIdVariant::conditionSet):
        (JSC::PutByIdVariant::offset):
        (JSC::PutByIdVariant::callLinkStatus):
        (JSC::PutByIdVariant::constantChecks): Deleted.
        (JSC::PutByIdVariant::alternateBase): Deleted.
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint):
        (JSC::StructureStubClearingWatchpoint::push):
        (JSC::StructureStubClearingWatchpoint::fireInternal):
        (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo):
        (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
        (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint):
        * bytecode/StructureStubClearingWatchpoint.h:
        (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
        (JSC::WatchpointsOnStructureStubInfo::codeBlock):
        (JSC::WatchpointsOnStructureStubInfo::stubInfo):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initPutByIdTransition):
        (JSC::StructureStubInfo::initPutByIdReplace):
        (JSC::StructureStubInfo::setSeen):
        (JSC::StructureStubInfo::addWatchpoint):
656         * dfg/DFGAbstractInterpreterInlines.h:
657         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
658         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp: Added.
659         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::AdaptiveInferredPropertyValueWatchpoint):
660         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::install):
661         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::fire):
662         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::StructureWatchpoint::fireInternal):
663         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::PropertyWatchpoint::fireInternal):
664         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h: Added.
665         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::key):
666         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::StructureWatchpoint::StructureWatchpoint):
667         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::PropertyWatchpoint::PropertyWatchpoint):
668         * dfg/DFGAdaptiveStructureWatchpoint.cpp: Added.
669         (JSC::DFG::AdaptiveStructureWatchpoint::AdaptiveStructureWatchpoint):
670         (JSC::DFG::AdaptiveStructureWatchpoint::install):
671         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
672         * dfg/DFGAdaptiveStructureWatchpoint.h: Added.
673         (JSC::DFG::AdaptiveStructureWatchpoint::key):
674         * dfg/DFGByteCodeParser.cpp:
675         (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
676         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
677         (JSC::DFG::ByteCodeParser::handleGetByOffset):
678         (JSC::DFG::ByteCodeParser::handlePutByOffset):
679         (JSC::DFG::ByteCodeParser::check):
680         (JSC::DFG::ByteCodeParser::promoteToConstant):
681         (JSC::DFG::ByteCodeParser::planLoad):
682         (JSC::DFG::ByteCodeParser::load):
683         (JSC::DFG::ByteCodeParser::presenceLike):
684         (JSC::DFG::ByteCodeParser::checkPresenceLike):
685         (JSC::DFG::ByteCodeParser::store):
686         (JSC::DFG::ByteCodeParser::handleGetById):
687         (JSC::DFG::ByteCodeParser::handlePutById):
688         (JSC::DFG::ByteCodeParser::parseBlock):
689         (JSC::DFG::ByteCodeParser::emitChecks): Deleted.
690         * dfg/DFGCommonData.cpp:
691         (JSC::DFG::CommonData::validateReferences):
692         * dfg/DFGCommonData.h:
693         * dfg/DFGConstantFoldingPhase.cpp:
694         (JSC::DFG::ConstantFoldingPhase::foldConstants):
695         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
696         (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
697         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
698         (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
699         * dfg/DFGDesiredWatchpoints.cpp:
700         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
701         (JSC::DFG::InferredValueAdaptor::add):
702         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
703         (JSC::DFG::DesiredWatchpoints::DesiredWatchpoints):
704         (JSC::DFG::DesiredWatchpoints::addLazily):
705         (JSC::DFG::DesiredWatchpoints::consider):
706         (JSC::DFG::DesiredWatchpoints::reallyAdd):
707         (JSC::DFG::DesiredWatchpoints::areStillValid):
708         (JSC::DFG::DesiredWatchpoints::dumpInContext):
709         * dfg/DFGDesiredWatchpoints.h:
710         (JSC::DFG::SetPointerAdaptor::add):
711         (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
712         (JSC::DFG::SetPointerAdaptor::dumpInContext):
713         (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
714         (JSC::DFG::InferredValueAdaptor::dumpInContext):
715         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
716         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::dumpInContext):
717         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::hasBeenInvalidated):
718         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::dumpInContext):
719         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
720         (JSC::DFG::GenericDesiredWatchpoints::isWatched):
721         (JSC::DFG::GenericDesiredWatchpoints::dumpInContext):
722         (JSC::DFG::DesiredWatchpoints::isWatched):
723         (JSC::DFG::GenericSetAdaptor::add): Deleted.
724         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated): Deleted.
725         * dfg/DFGDesiredWeakReferences.cpp:
726         (JSC::DFG::DesiredWeakReferences::addLazily):
727         (JSC::DFG::DesiredWeakReferences::contains):
728         * dfg/DFGDesiredWeakReferences.h:
729         * dfg/DFGGraph.cpp:
730         (JSC::DFG::Graph::dump):
731         (JSC::DFG::Graph::clearFlagsOnAllNodes):
732         (JSC::DFG::Graph::watchCondition):
733         (JSC::DFG::Graph::isSafeToLoad):
734         (JSC::DFG::Graph::livenessFor):
735         (JSC::DFG::Graph::tryGetConstantProperty):
736         (JSC::DFG::Graph::visitChildren):
737         * dfg/DFGGraph.h:
738         (JSC::DFG::Graph::identifiers):
739         (JSC::DFG::Graph::watchpoints):
740         * dfg/DFGMultiGetByOffsetData.cpp: Added.
741         (JSC::DFG::GetByOffsetMethod::dumpInContext):
742         (JSC::DFG::GetByOffsetMethod::dump):
743         (JSC::DFG::MultiGetByOffsetCase::dumpInContext):
744         (JSC::DFG::MultiGetByOffsetCase::dump):
745         (WTF::printInternal):
746         * dfg/DFGMultiGetByOffsetData.h: Added.
747         (JSC::DFG::GetByOffsetMethod::GetByOffsetMethod):
748         (JSC::DFG::GetByOffsetMethod::constant):
749         (JSC::DFG::GetByOffsetMethod::load):
750         (JSC::DFG::GetByOffsetMethod::loadFromPrototype):
751         (JSC::DFG::GetByOffsetMethod::operator!):
752         (JSC::DFG::GetByOffsetMethod::kind):
753         (JSC::DFG::GetByOffsetMethod::prototype):
754         (JSC::DFG::GetByOffsetMethod::offset):
755         (JSC::DFG::MultiGetByOffsetCase::MultiGetByOffsetCase):
756         (JSC::DFG::MultiGetByOffsetCase::set):
757         (JSC::DFG::MultiGetByOffsetCase::method):
758         * dfg/DFGNode.h:
759         * dfg/DFGSafeToExecute.h:
760         (JSC::DFG::safeToExecute):
761         * dfg/DFGStructureRegistrationPhase.cpp:
762         (JSC::DFG::StructureRegistrationPhase::run):
763         * ftl/FTLLowerDFGToLLVM.cpp:
764         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset):
765         * jit/Repatch.cpp:
766         (JSC::repatchByIdSelfAccess):
767         (JSC::checkObjectPropertyCondition):
768         (JSC::checkObjectPropertyConditions):
769         (JSC::replaceWithJump):
770         (JSC::generateByIdStub):
771         (JSC::actionForCell):
772         (JSC::tryBuildGetByIDList):
773         (JSC::emitPutReplaceStub):
774         (JSC::emitPutTransitionStub):
775         (JSC::tryCachePutByID):
776         (JSC::tryBuildPutByIdList):
777         (JSC::tryRepatchIn):
778         (JSC::addStructureTransitionCheck): Deleted.
779         (JSC::emitPutTransitionStubAndGetOldStructure): Deleted.
780         * runtime/IntendedStructureChain.cpp: Removed.
781         * runtime/IntendedStructureChain.h: Removed.
782         * runtime/JSCJSValue.h:
783         * runtime/JSObject.cpp:
784         (JSC::throwTypeError):
785         (JSC::JSObject::convertToDictionary):
786         (JSC::JSObject::shiftButterflyAfterFlattening):
787         * runtime/JSObject.h:
788         (JSC::JSObject::flattenDictionaryObject):
789         (JSC::JSObject::convertToDictionary): Deleted.
790         * runtime/Operations.h:
791         (JSC::normalizePrototypeChain):
792         (JSC::normalizePrototypeChainForChainAccess): Deleted.
793         (JSC::isPrototypeChainNormalized): Deleted.
794         * runtime/PropertySlot.h:
795         (JSC::PropertySlot::PropertySlot):
796         (JSC::PropertySlot::slotBase):
797         * runtime/Structure.cpp:
798         (JSC::Structure::addPropertyTransition):
799         (JSC::Structure::attributeChangeTransition):
800         (JSC::Structure::toDictionaryTransition):
801         (JSC::Structure::toCacheableDictionaryTransition):
802         (JSC::Structure::toUncacheableDictionaryTransition):
803         (JSC::Structure::ensurePropertyReplacementWatchpointSet):
804         (JSC::Structure::startWatchingPropertyForReplacements):
805         (JSC::Structure::didCachePropertyReplacement):
806         (JSC::Structure::dump):
807         * runtime/Structure.h:
808         * runtime/VM.h:
809         * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check-new.js: Added.
810         (foo):
811         (bar):
812         (baz):
813         * tests/stress/multi-get-by-offset-self-or-proto.js: Added.
814         (foo):
815         * tests/stress/replacement-watchpoint-dictionary.js: Added.
816         (foo):
817         * tests/stress/replacement-watchpoint.js: Added.
818         (foo):
819         * tests/stress/undefined-access-dictionary-then-proto-change.js: Added.
820         (foo):
821         * tests/stress/undefined-access-then-proto-change.js: Added.
822         (foo):
823
2015-08-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        JavaScriptCore Crash in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool)
        https://bugs.webkit.org/show_bug.cgi?id=147538

        Reviewed by Geoffrey Garen.

        Due to the order of the ARROWFUNCTION token in the JSTokenType enum, it is categorized as one of the keywords.
        As a result, when lexing a property name that can take keywords, the ARROWFUNCTION token is accidentally accepted.
        This patch changes the order of the ARROWFUNCTION token in JSTokenType to make it an operator token.

        * parser/ParserTokens.h:
        * tests/stress/arrow-function-token-is-not-keyword.js: Added.
        (testSyntaxError):

2015-08-03  Keith Miller  <keith_miller@apple.com>

        Clean up the naming for AST expression generation.
        https://bugs.webkit.org/show_bug.cgi?id=147581

        Reviewed by Yusuke Suzuki.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createThisExpr):
        (JSC::ASTBuilder::createSuperExpr):
        (JSC::ASTBuilder::createNewTargetExpr):
        (JSC::ASTBuilder::thisExpr): Deleted.
        (JSC::ASTBuilder::superExpr): Deleted.
        (JSC::ASTBuilder::newTargetExpr): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createThisExpr):
        (JSC::SyntaxChecker::createSuperExpr):
        (JSC::SyntaxChecker::createNewTargetExpr):
        (JSC::SyntaxChecker::thisExpr): Deleted.
        (JSC::SyntaxChecker::superExpr): Deleted.
        (JSC::SyntaxChecker::newTargetExpr): Deleted.

2015-08-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Don't set up the callsite to operationGetByValDefault when the optimization is already done
        https://bugs.webkit.org/show_bug.cgi?id=147577

        Reviewed by Filip Pizlo.

        operationGetByValDefault should be called only when the IC is not set.
        operationGetByValString breaks this invariant, and `ASSERT(!byValInfo.stubRoutine)` in
        operationGetByValDefault raises an assertion failure.
        In this patch, we change the callsite setup code in operationGetByValString when
        the IC is already set. And to make the operation's meaning explicit, we changed the
        name operationGetByValDefault to operationGetByValOptimize, which is aligned with the
        GetById case.

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        * tests/stress/operation-get-by-val-default-should-not-called-for-already-optimized-site.js: Added.
        (hello):

2015-08-03  Csaba Osztrogonác  <ossy@webkit.org>

        [FTL] Remove unused scripts related to native call inlining
        https://bugs.webkit.org/show_bug.cgi?id=147448

        Reviewed by Filip Pizlo.

        * build-symbol-table-index.py: Removed.
        * copy-llvm-ir-to-derived-sources.sh: Removed.
        * create-llvm-ir-from-source-file.py: Removed.
        * create-symbol-table-index.py: Removed.

2015-08-02  Benjamin Poulain  <bpoulain@apple.com>

        Investigate HashTable::HashTable(const HashTable&) and HashTable::operator=(const HashTable&) performance for hash-based static analyses
        https://bugs.webkit.org/show_bug.cgi?id=118455

        Reviewed by Filip Pizlo.

        LivenessAnalysisPhase lights up like a Christmas tree in profiles.

        This patch cuts its cost by 4.
        About half of the gains come from removing many rehash() calls when copying
        the HashSet.
        The last quarter is achieved by having a special add() function for initializing
        a HashSet.

        This makes benchmarks progress by 1-2% here and there. Nothing massive.

        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::process):
        The m_live HashSet is only useful per block. When we are done with it,
        we can transfer it to liveAtHead to avoid a copy.

2015-08-01  Saam barati  <saambarati1@gmail.com>

        Unreviewed. Remove unintentional "print" statement in test case.
        https://bugs.webkit.org/show_bug.cgi?id=142567

        * tests/stress/class-syntax-definition-semantics.js:
        (shouldBeSyntaxError):

2015-07-31  Alex Christensen  <achristensen@webkit.org>

        Prepare for VS2015
        https://bugs.webkit.org/show_bug.cgi?id=146579

        Reviewed by Jon Honeycutt.

        * heap/Heap.h:
        Fix compiler error by explicitly casting zombifiedBits to the size of a pointer.

2015-07-31  Saam barati  <saambarati1@gmail.com>

        ES6 class syntax should use block scoping
        https://bugs.webkit.org/show_bug.cgi?id=142567

        Reviewed by Geoffrey Garen.

        We treat class declarations like we do "let" declarations.
        The class name is under TDZ until the class declaration
        statement is evaluated. Class declarations also follow
        the same rules as "let": No duplicate definitions inside
        a lexical environment.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createClassDeclStatement):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClassDeclaration):
        * tests/stress/class-syntax-block-scoping.js: Added.
        (assert):
        (truth):
        (.):
        * tests/stress/class-syntax-definition-semantics.js: Added.
        (shouldBeSyntaxError):
        (shouldNotBeSyntaxError):
        (truth):
        * tests/stress/class-syntax-tdz.js:
        (assert):
        (shouldThrowTDZ):
        (truth):
        (.):

2015-07-31  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Implement WebAssembly module parser
        https://bugs.webkit.org/show_bug.cgi?id=147293

        Reviewed by Mark Lam.

        Re-landing after fix for the "..\..\jsc.cpp(46): fatal error C1083: Cannot open
        include file: 'JSWASMModule.h'" issue on Windows.

        Implement WebAssembly module parser for WebAssembly files produced by pack-asmjs
        <https://github.com/WebAssembly/polyfill-prototype-1>. This patch only checks
        the magic number at the beginning of the files. Parsing of the rest will be
        implemented in a subsequent patch.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionLoadWebAssembly):
        * parser/SourceProvider.h:
        (JSC::WebAssemblySourceProvider::create):
        (JSC::WebAssemblySourceProvider::data):
        (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::wasmModuleStructure):
        * wasm/WASMMagicNumber.h: Added.
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASMModuleParser::WASMModuleParser):
        (JSC::WASMModuleParser::parse):
        (JSC::WASMModuleParser::parseModule):
        (JSC::parseWebAssembly):
        * wasm/WASMModuleParser.h: Added.
        * wasm/WASMReader.cpp: Added.
        (JSC::WASMReader::readUnsignedInt32):
        (JSC::WASMReader::readFloat):
        (JSC::WASMReader::readDouble):
        * wasm/WASMReader.h: Added.
        (JSC::WASMReader::WASMReader):

2015-07-30  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Add the "wasm" directory to the Additional Include Directories for jsc.exe
        https://bugs.webkit.org/show_bug.cgi?id=147443

        Reviewed by Mark Lam.

        This patch should fix the "..\..\jsc.cpp(46): fatal error C1083:
        Cannot open include file: 'JSWASMModule.h'" error in the Windows build.

        * JavaScriptCore.vcxproj/jsc/jscCommon.props:

2015-07-30  Chris Dumez  <cdumez@apple.com>

        Mark more classes as fast allocated
        https://bugs.webkit.org/show_bug.cgi?id=147440

        Reviewed by Sam Weinig.

        Mark more classes as fast allocated for performance. We heap-allocate
        objects of those types throughout the code base.

        * API/JSCallbackObject.h:
        * API/ObjCCallbackFunction.mm:
        * bytecode/BytecodeKills.h:
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/CallLinkStatus.h:
        * bytecode/FullBytecodeLiveness.h:
        * bytecode/SamplingTool.h:
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockMap.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGThreadData.h:
        * heap/HeapVerifier.h:
        * heap/SlotVisitor.h:
        * parser/Lexer.h:
        * runtime/ControlFlowProfiler.h:
        * runtime/TypeProfiler.h:
        * runtime/TypeProfilerLog.h:
        * runtime/Watchdog.h:

2015-07-29  Filip Pizlo  <fpizlo@apple.com>

        DFG::ArgumentsEliminationPhase should emit a PutStack for all of the GetStacks that the ByteCodeParser emitted
        https://bugs.webkit.org/show_bug.cgi?id=147433
        rdar://problem/21668986

        Reviewed by Mark Lam.

        Ideally, the ByteCodeParser would only emit SetArgument nodes for named arguments.  But
        currently that's not what it does - it emits a SetArgument for every argument that a varargs
        call may pass.  Each SetArgument gets turned into a GetStack.  This means that if
        ArgumentsEliminationPhase optimizes away PutStacks for those varargs arguments that didn't
        get passed or used, we get degenerate IR where we have a GetStack of something that didn't
        have a PutStack.

        This fixes the bug by removing the code to optimize away PutStacks in
        ArgumentsEliminationPhase.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * tests/stress/varargs-inlining-underflow.js: Added.
        (baz):
        (bar):
        (foo):

2015-07-29  Andy VanWagoner  <thetalecrafter@gmail.com>

        Implement basic types for ECMAScript Internationalization API
        https://bugs.webkit.org/show_bug.cgi?id=146926

        Reviewed by Benjamin Poulain.

        Adds basic types for ECMA-402 2nd edition, but does not implement the full locale-aware features yet.
        http://www.ecma-international.org/ecma-402/2.0/ECMA-402.pdf

        * CMakeLists.txt: Added new Intl files.
        * Configurations/FeatureDefines.xcconfig: Enable INTL.
        * DerivedSources.make: Added Intl files.
        * JavaScriptCore.xcodeproj/project.pbxproj: Added Intl files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added Intl files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added Intl files.
        * runtime/CommonIdentifiers.h: Added Collator, NumberFormat, and DateTimeFormat.
        * runtime/DateConstructor.cpp: Made Date.now public.
        * runtime/DateConstructor.h: Made Date.now public.
        * runtime/IntlCollator.cpp: Added.
        (JSC::IntlCollator::create):
        (JSC::IntlCollator::createStructure):
        (JSC::IntlCollator::IntlCollator):
        (JSC::IntlCollator::finishCreation):
        (JSC::IntlCollator::destroy):
        (JSC::IntlCollator::visitChildren):
        (JSC::IntlCollator::setBoundCompare):
        (JSC::IntlCollatorFuncCompare): Added placeholder implementation using codePointCompare.
        * runtime/IntlCollator.h: Added.
        (JSC::IntlCollator::constructor):
        (JSC::IntlCollator::boundCompare):
        * runtime/IntlCollatorConstructor.cpp: Added.
        (JSC::IntlCollatorConstructor::create):
        (JSC::IntlCollatorConstructor::createStructure):
        (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
        (JSC::IntlCollatorConstructor::finishCreation):
        (JSC::constructIntlCollator): Added Collator constructor (10.1.2).
        (JSC::callIntlCollator): Added Collator constructor (10.1.2).
        (JSC::IntlCollatorConstructor::getConstructData):
        (JSC::IntlCollatorConstructor::getCallData):
        (JSC::IntlCollatorConstructor::getOwnPropertySlot):
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
        (JSC::IntlCollatorConstructor::visitChildren):
        * runtime/IntlCollatorConstructor.h: Added.
        (JSC::IntlCollatorConstructor::collatorStructure):
        * runtime/IntlCollatorPrototype.cpp: Added.
        (JSC::IntlCollatorPrototype::create):
        (JSC::IntlCollatorPrototype::createStructure):
        (JSC::IntlCollatorPrototype::IntlCollatorPrototype):
        (JSC::IntlCollatorPrototype::finishCreation):
        (JSC::IntlCollatorPrototype::getOwnPropertySlot):
        (JSC::IntlCollatorPrototypeGetterCompare): Added compare getter (10.3.3).
        (JSC::IntlCollatorPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
        * runtime/IntlCollatorPrototype.h: Added.
        * runtime/IntlDateTimeFormat.cpp: Added.
        (JSC::IntlDateTimeFormat::create):
        (JSC::IntlDateTimeFormat::createStructure):
        (JSC::IntlDateTimeFormat::IntlDateTimeFormat):
        (JSC::IntlDateTimeFormat::finishCreation):
        (JSC::IntlDateTimeFormat::destroy):
        (JSC::IntlDateTimeFormat::visitChildren):
        (JSC::IntlDateTimeFormat::setBoundFormat):
        (JSC::IntlDateTimeFormatFuncFormatDateTime): Added placeholder implementation returning new Date(value).toString().
        * runtime/IntlDateTimeFormat.h: Added.
        (JSC::IntlDateTimeFormat::constructor):
        (JSC::IntlDateTimeFormat::boundFormat):
        * runtime/IntlDateTimeFormatConstructor.cpp: Added.
        (JSC::IntlDateTimeFormatConstructor::create):
        (JSC::IntlDateTimeFormatConstructor::createStructure):
        (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        (JSC::constructIntlDateTimeFormat): Added DateTimeFormat constructor (12.1.2).
        (JSC::callIntlDateTimeFormat): Added DateTimeFormat constructor (12.1.2).
        (JSC::IntlDateTimeFormatConstructor::getConstructData):
        (JSC::IntlDateTimeFormatConstructor::getCallData):
        (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot):
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
        (JSC::IntlDateTimeFormatConstructor::visitChildren):
        * runtime/IntlDateTimeFormatConstructor.h: Added.
        (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure):
        * runtime/IntlDateTimeFormatPrototype.cpp: Added.
        (JSC::IntlDateTimeFormatPrototype::create):
        (JSC::IntlDateTimeFormatPrototype::createStructure):
        (JSC::IntlDateTimeFormatPrototype::IntlDateTimeFormatPrototype):
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot):
        (JSC::IntlDateTimeFormatPrototypeGetterFormat): Added format getter (12.3.3).
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
        * runtime/IntlDateTimeFormatPrototype.h: Added.
        * runtime/IntlNumberFormat.cpp: Added.
        (JSC::IntlNumberFormat::create):
        (JSC::IntlNumberFormat::createStructure):
        (JSC::IntlNumberFormat::IntlNumberFormat):
        (JSC::IntlNumberFormat::finishCreation):
        (JSC::IntlNumberFormat::destroy):
        (JSC::IntlNumberFormat::visitChildren):
        (JSC::IntlNumberFormat::setBoundFormat):
        (JSC::IntlNumberFormatFuncFormatNumber): Added placeholder implementation returning Number(value).toString().
        * runtime/IntlNumberFormat.h: Added.
        (JSC::IntlNumberFormat::constructor):
        (JSC::IntlNumberFormat::boundFormat):
        * runtime/IntlNumberFormatConstructor.cpp: Added.
        (JSC::IntlNumberFormatConstructor::create):
        (JSC::IntlNumberFormatConstructor::createStructure):
        (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
        (JSC::IntlNumberFormatConstructor::finishCreation):
        (JSC::constructIntlNumberFormat): Added NumberFormat constructor (11.1.2).
        (JSC::callIntlNumberFormat): Added NumberFormat constructor (11.1.2).
        (JSC::IntlNumberFormatConstructor::getConstructData):
        (JSC::IntlNumberFormatConstructor::getCallData):
        (JSC::IntlNumberFormatConstructor::getOwnPropertySlot):
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): Added placeholder implementation returning [].
        (JSC::IntlNumberFormatConstructor::visitChildren):
        * runtime/IntlNumberFormatConstructor.h: Added.
        (JSC::IntlNumberFormatConstructor::numberFormatStructure):
        * runtime/IntlNumberFormatPrototype.cpp: Added.
        (JSC::IntlNumberFormatPrototype::create):
        (JSC::IntlNumberFormatPrototype::createStructure):
        (JSC::IntlNumberFormatPrototype::IntlNumberFormatPrototype):
        (JSC::IntlNumberFormatPrototype::finishCreation):
        (JSC::IntlNumberFormatPrototype::getOwnPropertySlot):
        (JSC::IntlNumberFormatPrototypeGetterFormat): Added format getter (11.3.3).
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions): Added placeholder implementation returning {}.
        * runtime/IntlNumberFormatPrototype.h: Added.
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::create):
        (JSC::IntlObject::finishCreation): Added Collator, NumberFormat, and DateTimeFormat properties (8.1).
        (JSC::IntlObject::visitChildren):
        * runtime/IntlObject.h:
        (JSC::IntlObject::collatorConstructor):
        (JSC::IntlObject::collatorPrototype):
        (JSC::IntlObject::collatorStructure):
        (JSC::IntlObject::numberFormatConstructor):
        (JSC::IntlObject::numberFormatPrototype):
        (JSC::IntlObject::numberFormatStructure):
        (JSC::IntlObject::dateTimeFormatConstructor):
        (JSC::IntlObject::dateTimeFormatPrototype):
        (JSC::IntlObject::dateTimeFormatStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2015-07-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r187550.
        https://bugs.webkit.org/show_bug.cgi?id=147420

        Broke Windows build (again) (Requested by smfr on #webkit).

        Reverted changeset:

        "Implement WebAssembly module parser"
        https://bugs.webkit.org/show_bug.cgi?id=147293
        http://trac.webkit.org/changeset/187550

2015-07-29  Basile Clement  <basile_clement@apple.com>

        Remove native call inlining
        https://bugs.webkit.org/show_bug.cgi?id=147417

        Rubber Stamped by Filip Pizlo.

        * CMakeLists.txt:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Deleted.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction): Deleted.
        (JSC::DFG::Node::hasCellOperand): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNativeCallOrConstruct): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::didOverflowStack): Deleted.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State): Deleted.
        * ftl/FTLState.h:
        * runtime/BundlePath.cpp: Removed.
        (JSC::bundlePath): Deleted.
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        * runtime/Options.h:

2015-07-29  Basile Clement  <basile_clement@apple.com>
1286
1287         Unreviewed, skipping a test that is too complex for its own good
1288         https://bugs.webkit.org/show_bug.cgi?id=147167
1289
1290         * tests/stress/math-pow-coherency.js:
1291
1292 2015-07-29  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1293
1294         Implement WebAssembly module parser
1295         https://bugs.webkit.org/show_bug.cgi?id=147293
1296
1297         Reviewed by Mark Lam.
1298
1299         Reupload the patch, since r187539 should fix the "Cannot open include file:
1300         'JSWASMModule.h'" issue in the Windows build.
1301
1302         * CMakeLists.txt:
1303         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1304         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1305         * JavaScriptCore.xcodeproj/project.pbxproj:
1306         * jsc.cpp:
1307         (GlobalObject::finishCreation):
1308         (functionLoadWebAssembly):
1309         * parser/SourceProvider.h:
1310         (JSC::WebAssemblySourceProvider::create):
1311         (JSC::WebAssemblySourceProvider::data):
1312         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1313         * runtime/JSGlobalObject.cpp:
1314         (JSC::JSGlobalObject::init):
1315         (JSC::JSGlobalObject::visitChildren):
1316         * runtime/JSGlobalObject.h:
1317         (JSC::JSGlobalObject::wasmModuleStructure):
1318         * wasm/WASMMagicNumber.h: Added.
1319         * wasm/WASMModuleParser.cpp: Added.
1320         (JSC::WASMModuleParser::WASMModuleParser):
1321         (JSC::WASMModuleParser::parse):
1322         (JSC::WASMModuleParser::parseModule):
1323         (JSC::parseWebAssembly):
1324         * wasm/WASMModuleParser.h: Added.
1325         * wasm/WASMReader.cpp: Added.
1326         (JSC::WASMReader::readUnsignedInt32):
1327         (JSC::WASMReader::readFloat):
1328         (JSC::WASMReader::readDouble):
1329         * wasm/WASMReader.h: Added.
1330         (JSC::WASMReader::WASMReader):
1331
1332 2015-07-29  Basile Clement  <basile_clement@apple.com>
1333
1334         Unreviewed, lower the number of test iterations to prevent timing out on Debug builds
1335         https://bugs.webkit.org/show_bug.cgi?id=147167
1336
1337         * tests/stress/math-pow-coherency.js:
1338
1339 2015-07-28  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1340
1341         Add the "wasm" directory to Visual Studio project files
1342         https://bugs.webkit.org/show_bug.cgi?id=147400
1343
1344         Reviewed by Simon Fraser.
1345
1346         This patch should fix the "Cannot open include file: 'JSWASMModule.h'" issue
1347         in the Windows build.
1348
1349         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1350         * JavaScriptCore.vcxproj/copy-files.cmd:
1351
1352 2015-07-28  Commit Queue  <commit-queue@webkit.org>
1353
1354         Unreviewed, rolling out r187531.
1355         https://bugs.webkit.org/show_bug.cgi?id=147397
1356
1357         Broke Windows build (Requested by smfr on #webkit).
1358
1359         Reverted changeset:
1360
1361         "Implement WebAssembly module parser"
1362         https://bugs.webkit.org/show_bug.cgi?id=147293
1363         http://trac.webkit.org/changeset/187531
1364
1365 2015-07-28  Benjamin Poulain  <bpoulain@apple.com>
1366
1367         Speed up the Stringifier::toJSON() fast case
1368         https://bugs.webkit.org/show_bug.cgi?id=147383
1369
1370         Reviewed by Andreas Kling.
1371
1372         * runtime/JSONObject.cpp:
1373         (JSC::Stringifier::toJSON):
1374         (JSC::Stringifier::toJSONImpl):
1375
1376 2015-07-28  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1377
1378         Implement WebAssembly module parser
1379         https://bugs.webkit.org/show_bug.cgi?id=147293
1380
1381         Reviewed by Geoffrey Garen.
1382
1383         Implement a WebAssembly module parser for WebAssembly files produced by pack-asmjs
1384         <https://github.com/WebAssembly/polyfill-prototype-1>. This patch only checks
1385         the magic number at the beginning of the files. Parsing of the rest will be
1386         implemented in a subsequent patch.
1387
1388         * CMakeLists.txt:
1389         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1390         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1391         * JavaScriptCore.xcodeproj/project.pbxproj:
1392         * jsc.cpp:
1393         (GlobalObject::finishCreation):
1394         (functionLoadWebAssembly):
1395         * parser/SourceProvider.h:
1396         (JSC::WebAssemblySourceProvider::create):
1397         (JSC::WebAssemblySourceProvider::data):
1398         (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1399         * runtime/JSGlobalObject.cpp:
1400         (JSC::JSGlobalObject::init):
1401         (JSC::JSGlobalObject::visitChildren):
1402         * runtime/JSGlobalObject.h:
1403         (JSC::JSGlobalObject::wasmModuleStructure):
1404         * wasm/WASMMagicNumber.h: Added.
1405         * wasm/WASMModuleParser.cpp: Added.
1406         (JSC::WASMModuleParser::WASMModuleParser):
1407         (JSC::WASMModuleParser::parse):
1408         (JSC::WASMModuleParser::parseModule):
1409         (JSC::parseWebAssembly):
1410         * wasm/WASMModuleParser.h: Added.
1411         * wasm/WASMReader.cpp: Added.
1412         (JSC::WASMReader::readUnsignedInt32):
1413         (JSC::WASMReader::readFloat):
1414         (JSC::WASMReader::readDouble):
1415         * wasm/WASMReader.h: Added.
1416         (JSC::WASMReader::WASMReader):
1417
1418 2015-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1419
1420         [ES6] Add ENABLE_ES6_MODULES compile time flag with the default value "false"
1421         https://bugs.webkit.org/show_bug.cgi?id=147350
1422
1423         Reviewed by Sam Weinig.
1424
1425         * Configurations/FeatureDefines.xcconfig:
1426
1427 2015-07-28  Saam barati  <saambarati1@gmail.com>
1428
1429         Make the type profiler work with lexical scoping and add tests
1430         https://bugs.webkit.org/show_bug.cgi?id=145438
1431
1432         Reviewed by Geoffrey Garen.
1433
1434         op_profile_type now knows how to resolve variables allocated within
1435         the local scope stack. This means it knows how to resolve "let"
1436         and "const" variables. Also, some refactoring was done inside
1437         the BytecodeGenerator to make writing code to support the type
1438         profiler much simpler and clearer.
1439
1440         * bytecode/CodeBlock.cpp:
1441         (JSC::CodeBlock::CodeBlock):
1442         * bytecode/CodeBlock.h:
1443         (JSC::CodeBlock::symbolTable): Deleted.
1444         * bytecode/UnlinkedCodeBlock.h:
1445         (JSC::UnlinkedCodeBlock::addExceptionHandler):
1446         (JSC::UnlinkedCodeBlock::exceptionHandler):
1447         (JSC::UnlinkedCodeBlock::vm):
1448         (JSC::UnlinkedCodeBlock::addArrayProfile):
1449         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex): Deleted.
1450         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex): Deleted.
1451         * bytecompiler/BytecodeGenerator.cpp:
1452         (JSC::BytecodeGenerator::BytecodeGenerator):
1453         (JSC::BytecodeGenerator::emitMove):
1454         (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
1455         (JSC::BytecodeGenerator::emitProfileType):
1456         (JSC::BytecodeGenerator::emitProfileControlFlow):
1457         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1458         * bytecompiler/BytecodeGenerator.h:
1459         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
1460         * bytecompiler/NodesCodegen.cpp:
1461         (JSC::ThisNode::emitBytecode):
1462         (JSC::ResolveNode::emitBytecode):
1463         (JSC::BracketAccessorNode::emitBytecode):
1464         (JSC::DotAccessorNode::emitBytecode):
1465         (JSC::FunctionCallValueNode::emitBytecode):
1466         (JSC::FunctionCallResolveNode::emitBytecode):
1467         (JSC::FunctionCallBracketNode::emitBytecode):
1468         (JSC::FunctionCallDotNode::emitBytecode):
1469         (JSC::CallFunctionCallDotNode::emitBytecode):
1470         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1471         (JSC::PostfixNode::emitResolve):
1472         (JSC::PostfixNode::emitBracket):
1473         (JSC::PostfixNode::emitDot):
1474         (JSC::PrefixNode::emitResolve):
1475         (JSC::PrefixNode::emitBracket):
1476         (JSC::PrefixNode::emitDot):
1477         (JSC::ReadModifyResolveNode::emitBytecode):
1478         (JSC::AssignResolveNode::emitBytecode):
1479         (JSC::AssignDotNode::emitBytecode):
1480         (JSC::ReadModifyDotNode::emitBytecode):
1481         (JSC::AssignBracketNode::emitBytecode):
1482         (JSC::ReadModifyBracketNode::emitBytecode):
1483         (JSC::EmptyVarExpression::emitBytecode):
1484         (JSC::EmptyLetExpression::emitBytecode):
1485         (JSC::ForInNode::emitLoopHeader):
1486         (JSC::ForOfNode::emitBytecode):
1487         (JSC::ReturnNode::emitBytecode):
1488         (JSC::FunctionNode::emitBytecode):
1489         (JSC::BindingNode::bindValue):
1490         * dfg/DFGSpeculativeJIT32_64.cpp:
1491         (JSC::DFG::SpeculativeJIT::compile):
1492         * dfg/DFGSpeculativeJIT64.cpp:
1493         (JSC::DFG::SpeculativeJIT::compile):
1494         * jit/JITOpcodes.cpp:
1495         (JSC::JIT::emit_op_profile_type):
1496         * jit/JITOpcodes32_64.cpp:
1497         (JSC::JIT::emit_op_profile_type):
1498         * llint/LowLevelInterpreter32_64.asm:
1499         * llint/LowLevelInterpreter64.asm:
1500         * tests/typeProfiler/es6-block-scoping.js: Added.
1501         (noop):
1502         (arr):
1503         (wrapper.changeFoo):
1504         (wrapper.scoping):
1505         (wrapper.scoping2):
1506         (wrapper):
1507         * tests/typeProfiler/es6-classes.js: Added.
1508         (noop):
1509         (wrapper.Animal):
1510         (wrapper.Animal.prototype.methodA):
1511         (wrapper.Dog):
1512         (wrapper.Dog.prototype.methodB):
1513         (wrapper):
1514
1515 2015-07-28  Saam barati  <saambarati1@gmail.com>
1516
1517         Implement catch scope using lexical scoping constructs introduced with "let" scoping patch
1518         https://bugs.webkit.org/show_bug.cgi?id=146979
1519
1520         Reviewed by Geoffrey Garen.
1521
1522         Now that BytecodeGenerator has a notion of local scope depth,
1523         we can easily implement a catch scope that doesn't claim that
1524         all variables are dynamically scoped. This means that functions
1525         that use try/catch can have local variable resolution. This also
1526         means that all functions that use try/catch don't have all
1527         their variables marked as being captured.
1528
1529         Catch scopes now behave like a "let" scope (sans the TDZ logic) with a 
1530         single variable. Catch scopes are now just JSLexicalEnvironments and the 
1531         symbol table backing the catch scope knows that it corresponds to a catch scope.
1532
1533         * CMakeLists.txt:
1534         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1535         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1536         * JavaScriptCore.xcodeproj/project.pbxproj:
1537         * bytecode/CodeBlock.cpp:
1538         (JSC::CodeBlock::dumpBytecode):
1539         * bytecode/EvalCodeCache.h:
1540         (JSC::EvalCodeCache::isCacheable):
1541         * bytecompiler/BytecodeGenerator.cpp:
1542         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1543         (JSC::BytecodeGenerator::emitLoadGlobalObject):
1544         (JSC::BytecodeGenerator::pushLexicalScope):
1545         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1546         (JSC::BytecodeGenerator::popLexicalScope):
1547         (JSC::BytecodeGenerator::popLexicalScopeInternal):
1548         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1549         (JSC::BytecodeGenerator::variable):
1550         (JSC::BytecodeGenerator::resolveType):
1551         (JSC::BytecodeGenerator::emitResolveScope):
1552         (JSC::BytecodeGenerator::emitPopScope):
1553         (JSC::BytecodeGenerator::emitPopWithScope):
1554         (JSC::BytecodeGenerator::emitDebugHook):
1555         (JSC::BytecodeGenerator::popScopedControlFlowContext):
1556         (JSC::BytecodeGenerator::emitPushCatchScope):
1557         (JSC::BytecodeGenerator::emitPopCatchScope):
1558         (JSC::BytecodeGenerator::beginSwitch):
1559         (JSC::BytecodeGenerator::emitPopWithOrCatchScope): Deleted.
1560         * bytecompiler/BytecodeGenerator.h:
1561         (JSC::BytecodeGenerator::lastOpcodeID):
1562         * bytecompiler/NodesCodegen.cpp:
1563         (JSC::AssignResolveNode::emitBytecode):
1564         (JSC::WithNode::emitBytecode):
1565         (JSC::TryNode::emitBytecode):
1566         * debugger/DebuggerScope.cpp:
1567         (JSC::DebuggerScope::isCatchScope):
1568         (JSC::DebuggerScope::isFunctionNameScope):
1569         (JSC::DebuggerScope::isFunctionOrEvalScope):
1570         (JSC::DebuggerScope::caughtValue):
1571         * debugger/DebuggerScope.h:
1572         * inspector/ScriptDebugServer.cpp:
1573         (Inspector::ScriptDebugServer::exceptionOrCaughtValue):
1574         * interpreter/Interpreter.cpp:
1575         (JSC::Interpreter::execute):
1576         * jit/JITOpcodes.cpp:
1577         (JSC::JIT::emit_op_push_name_scope):
1578         * jit/JITOpcodes32_64.cpp:
1579         (JSC::JIT::emit_op_push_name_scope):
1580         * jit/JITOperations.cpp:
1581         * jit/JITOperations.h:
1582         * parser/ASTBuilder.h:
1583         (JSC::ASTBuilder::createContinueStatement):
1584         (JSC::ASTBuilder::createTryStatement):
1585         * parser/NodeConstructors.h:
1586         (JSC::ThrowNode::ThrowNode):
1587         (JSC::TryNode::TryNode):
1588         (JSC::FunctionParameters::FunctionParameters):
1589         * parser/Nodes.h:
1590         * parser/Parser.cpp:
1591         (JSC::Parser<LexerType>::parseTryStatement):
1592         * parser/SyntaxChecker.h:
1593         (JSC::SyntaxChecker::createBreakStatement):
1594         (JSC::SyntaxChecker::createContinueStatement):
1595         (JSC::SyntaxChecker::createTryStatement):
1596         (JSC::SyntaxChecker::createSwitchStatement):
1597         (JSC::SyntaxChecker::createWhileStatement):
1598         (JSC::SyntaxChecker::createWithStatement):
1599         * runtime/JSCatchScope.cpp:
1600         * runtime/JSCatchScope.h:
1601         (JSC::JSCatchScope::JSCatchScope): Deleted.
1602         (JSC::JSCatchScope::create): Deleted.
1603         (JSC::JSCatchScope::createStructure): Deleted.
1604         * runtime/JSFunctionNameScope.h:
1605         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1606         * runtime/JSGlobalObject.cpp:
1607         (JSC::JSGlobalObject::init):
1608         (JSC::JSGlobalObject::visitChildren):
1609         * runtime/JSGlobalObject.h:
1610         (JSC::JSGlobalObject::withScopeStructure):
1611         (JSC::JSGlobalObject::strictEvalActivationStructure):
1612         (JSC::JSGlobalObject::activationStructure):
1613         (JSC::JSGlobalObject::functionNameScopeStructure):
1614         (JSC::JSGlobalObject::directArgumentsStructure):
1615         (JSC::JSGlobalObject::scopedArgumentsStructure):
1616         (JSC::JSGlobalObject::catchScopeStructure): Deleted.
1617         * runtime/JSNameScope.cpp:
1618         (JSC::JSNameScope::create):
1619         (JSC::JSNameScope::toThis):
1620         * runtime/JSNameScope.h:
1621         * runtime/JSObject.cpp:
1622         (JSC::JSObject::toThis):
1623         (JSC::JSObject::isFunctionNameScopeObject):
1624         (JSC::JSObject::isCatchScopeObject): Deleted.
1625         * runtime/JSObject.h:
1626         * runtime/JSScope.cpp:
1627         (JSC::JSScope::collectVariablesUnderTDZ):
1628         (JSC::JSScope::isLexicalScope):
1629         (JSC::JSScope::isCatchScope):
1630         (JSC::resolveModeName):
1631         * runtime/JSScope.h:
1632         * runtime/SymbolTable.cpp:
1633         (JSC::SymbolTable::SymbolTable):
1634         (JSC::SymbolTable::cloneScopePart):
1635         * runtime/SymbolTable.h:
1636         * tests/stress/const-semantics.js:
1637         (.):
1638
1639 2015-07-28  Filip Pizlo  <fpizlo@apple.com>
1640
1641         DFG::ArgumentsEliminationPhase has a redundant check for inserting CheckInBounds when converting GetByVal to GetStack in the inline non-varargs case
1642         https://bugs.webkit.org/show_bug.cgi?id=147373
1643
1644         Reviewed by Mark Lam.
1645
1646         The code was doing a check for "index >= inlineCallFrame->arguments.size() - 1" in code where
1647         safeToGetStack is true and we aren't in a varargs context, but in a non-varargs context,
1648         safeToGetStack can only be true if "index < inlineCallFrame->arguments.size() - 1".
1649
1650         When converting a GetByVal to GetStack, there are three possibilities:
1651
1652         1) Impossible to convert. This can happen if the GetByVal is out-of-bounds of the things we
1653            know to have stored to the stack. For example, if we inline a function that does
1654            "arguments[42]" at a call that passes no arguments.
1655
1656         2) Possible to convert, but we cannot prove statically that the GetByVal was in bounds. This
1657            can happen for "arguments[42]" with no inline call frame (since we don't know statically
1658            how many arguments we will be passed) or in a varargs call frame.
1659
1660         3) Possible to convert, and we know statically that the GetByVal is in bounds. This can
1661            happen for "arguments[42]" if we have an inline call frame, and it's not a varargs call
1662            frame, and we know that the caller passed 42 or more arguments.
1663
1664         The way the phase handles this is that it first determines that we're not in case (1). This is
1665         called safeToGetStack. safeToGetStack is true if we have case (2) or (3). For inline call
1666         frames that have no varargs, this means that safeToGetStack is true exactly when the GetByVal
1667         is in-bounds (i.e. case (3)).
1668
1669         But the phase was again doing a check for whether the index is in-bounds for non-varargs
1670         inline call frames even when safeToGetStack was true. That check is redundant and should be
1671         eliminated, since it makes the code confusing.
1672
1673         * dfg/DFGArgumentsEliminationPhase.cpp:
1674
1675 2015-07-28  Filip Pizlo  <fpizlo@apple.com>
1676
1677         DFG::PutStackSinkingPhase should be more aggressive about its "no GetStack until put" rule
1678         https://bugs.webkit.org/show_bug.cgi?id=147371
1679
1680         Reviewed by Mark Lam.
1681
1682         Two fixes:
1683
1684         - Make ConflictingFlush really mean that you can't load from the stack slot. This means not
1685           using ConflictingFlush for arguments.
1686
1687         - Assert that a GetStack never sees ConflictingFlush.
1688
1689         * dfg/DFGPutStackSinkingPhase.cpp:
1690
1691 2015-07-28  Basile Clement  <basile_clement@apple.com>
1692
1693         Misleading error message: "At least one digit must occur after a decimal point"
1694         https://bugs.webkit.org/show_bug.cgi?id=146238
1695
1696         Reviewed by Geoffrey Garen.
1697
1698         Interestingly, we had a comment explaining what this error message was
1699         about that is much clearer than the error message itself. This patch
1700         simply replaces the error message with the explanation from the
1701         comment.
1702
1703         * parser/Lexer.cpp:
1704         (JSC::Lexer<T>::lex):
1705
1706 2015-07-28  Basile Clement  <basile_clement@apple.com>
1707
1708         Simplify call linking
1709         https://bugs.webkit.org/show_bug.cgi?id=147363
1710
1711         Reviewed by Filip Pizlo.
1712
1713         Previously, we were passing both the CallLinkInfo and a
1714         (CodeSpecializationKind, RegisterPreservationMode) pair to the
1715         different call linking slow paths. However, the CallLinkInfo already
1716         has all of that information, and we don't gain anything by having them
1717         in additional static parameters - except possibly a very small
1718         performance gain in the presence of inlining. However, since those are
1719         already slow paths, this performance loss (if it exists) will not be
1720         visible in practice.
1721
1722         This patch replaces the various specialized thunks and JIT operations
1723         for regular and polymorphic call linking with a single thunk and
1724         operation for each case. Moreover, it replaces the four specialized
1725         virtual call thunks and operations with one virtual call thunk for each
1726         call link info, allowing for better branch prediction by the CPU and
1727         fixing a pre-existing FIXME.
1728
1729         * bytecode/CallLinkInfo.cpp:
1730         (JSC::CallLinkInfo::unlink):
1731         (JSC::CallLinkInfo::dummy): Deleted.
1732         * bytecode/CallLinkInfo.h:
1733         (JSC::CallLinkInfo::CallLinkInfo):
1734         (JSC::CallLinkInfo::registerPreservationMode):
1735         (JSC::CallLinkInfo::setUpCallFromFTL):
1736         (JSC::CallLinkInfo::setSlowStub):
1737         (JSC::CallLinkInfo::clearSlowStub):
1738         (JSC::CallLinkInfo::slowStub):
1739         * dfg/DFGDriver.cpp:
1740         (JSC::DFG::compileImpl):
1741         * dfg/DFGJITCompiler.cpp:
1742         (JSC::DFG::JITCompiler::link):
1743         * ftl/FTLJSCallBase.cpp:
1744         (JSC::FTL::JSCallBase::link):
1745         * jit/JITCall.cpp:
1746         (JSC::JIT::compileCallEvalSlowCase):
1747         (JSC::JIT::compileOpCall):
1748         (JSC::JIT::compileOpCallSlowCase):
1749         * jit/JITCall32_64.cpp:
1750         (JSC::JIT::compileCallEvalSlowCase):
1751         (JSC::JIT::compileOpCall):
1752         (JSC::JIT::compileOpCallSlowCase):
1753         * jit/JITOperations.cpp:
1754         * jit/JITOperations.h:
1755         (JSC::operationLinkFor): Deleted.
1756         (JSC::operationVirtualFor): Deleted.
1757         (JSC::operationLinkPolymorphicCallFor): Deleted.
1758         * jit/Repatch.cpp:
1759         (JSC::generateByIdStub):
1760         (JSC::linkSlowFor):
1761         (JSC::linkFor):
1762         (JSC::revertCall):
1763         (JSC::unlinkFor):
1764         (JSC::linkVirtualFor):
1765         (JSC::linkPolymorphicCall):
1766         * jit/Repatch.h:
1767         * jit/ThunkGenerators.cpp:
1768         (JSC::linkCallThunkGenerator):
1769         (JSC::linkPolymorphicCallThunkGenerator):
1770         (JSC::virtualThunkFor):
1771         (JSC::linkForThunkGenerator): Deleted.
1772         (JSC::linkConstructThunkGenerator): Deleted.
1773         (JSC::linkCallThatPreservesRegsThunkGenerator): Deleted.
1774         (JSC::linkConstructThatPreservesRegsThunkGenerator): Deleted.
1775         (JSC::linkPolymorphicCallForThunkGenerator): Deleted.
1776         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator): Deleted.
1777         (JSC::virtualForThunkGenerator): Deleted.
1778         (JSC::virtualCallThunkGenerator): Deleted.
1779         (JSC::virtualConstructThunkGenerator): Deleted.
1780         (JSC::virtualCallThatPreservesRegsThunkGenerator): Deleted.
1781         (JSC::virtualConstructThatPreservesRegsThunkGenerator): Deleted.
1782         * jit/ThunkGenerators.h:
1783         (JSC::linkThunkGeneratorFor): Deleted.
1784         (JSC::linkPolymorphicCallThunkGeneratorFor): Deleted.
1785         (JSC::virtualThunkGeneratorFor): Deleted.
1786
1787 2015-07-28  Basile Clement  <basile_clement@apple.com>
1788
1789         stress/math-pow-with-constants.js fails in cloop
1790         https://bugs.webkit.org/show_bug.cgi?id=147167
1791
1792         Reviewed by Geoffrey Garen.
1793
1794         The baseline JIT, DFG and FTL use a fast exponentiation path when
1795         computing Math.pow() with an integer exponent, a path that is not taken in
1796         the LLInt (or the DFG abstract interpreter). This leads to the result
1797         of pow changing depending on the compilation tier or on whether
1798         constant propagation kicks in, which is undesirable.
1799
1800         This patch adds the fast path to the slow operationMathPow in order to
1801         maintain an illusion of consistency.
1802
1803         * runtime/MathCommon.cpp:
1804         (JSC::operationMathPow):
1805         * tests/stress/math-pow-coherency.js: Added.
1806         (pow42):
1807         (build42AsDouble.opaqueAdd):
1808         (build42AsDouble):
1809         (powDouble42):
1810         (clobber):
1811         (pow42NoConstantFolding):
1812         (powDouble42NoConstantFolding):
1813
1814 2015-07-28  Joseph Pecoraro  <pecoraro@apple.com>
1815
1816         Web Inspector: Show Pseudo Elements in DOM Tree
1817         https://bugs.webkit.org/show_bug.cgi?id=139612
1818
1819         Reviewed by Timothy Hatcher.
1820
1821         * inspector/protocol/DOM.json:
1822         Add new properties to DOMNode if it is a pseudo element or if it has
1823         pseudo element children. Add new events for when a pseudo element is
1824         dynamically added to or removed from an existing DOMNode.
1825
1826 2015-07-27  Filip Pizlo  <fpizlo@apple.com>
1827
1828         Add logging when executable code gets deallocated
1829         https://bugs.webkit.org/show_bug.cgi?id=147355
1830
1831         Reviewed by Mark Lam.
1832
1833         * ftl/FTLJITCode.cpp:
1834         (JSC::FTL::JITCode::~JITCode): Print something when this is freed.
1835         * jit/JITCode.cpp:
1836         (JSC::JITCodeWithCodeRef::~JITCodeWithCodeRef): Print something when this is freed.
1837
1838 2015-07-27  Filip Pizlo  <fpizlo@apple.com>
1839
1840         DFG::safeToExecute() cases for GetByOffset/PutByOffset don't handle clobbered structure abstract values correctly
1841         https://bugs.webkit.org/show_bug.cgi?id=147354
1842
1843         Reviewed by Michael Saboff.
1844
1845         If m_structure.isClobbered(), it means that we had a side effect that clobbered
1846         the abstract value but it may recover back to its original value at the next
1847         invalidation point. Since the invalidation point hasn't been reached yet, we need
1848         to conservatively treat the clobbered state as if it was top. At the invalidation
1849         point, the clobbered set will return back to being unclobbered.
1850
1851         In addition to fixing the bug, this introduces isInfinite(), which should be used
1852         in places where it's tempting to just use isTop().
1853
1854         * dfg/DFGSafeToExecute.h:
1855         (JSC::DFG::safeToExecute): Fix the bug.
1856         * dfg/DFGStructureAbstractValue.cpp:
1857         (JSC::DFG::StructureAbstractValue::contains): Switch to using isInfinite().
1858         (JSC::DFG::StructureAbstractValue::isSubsetOf): Switch to using isInfinite().
1859         (JSC::DFG::StructureAbstractValue::isSupersetOf): Switch to using isInfinite().
1860         (JSC::DFG::StructureAbstractValue::overlaps): Switch to using isInfinite().
1861         * dfg/DFGStructureAbstractValue.h:
1862         (JSC::DFG::StructureAbstractValue::isFinite): New convenience method.
1863         (JSC::DFG::StructureAbstractValue::isInfinite): New convenience method.
1864         (JSC::DFG::StructureAbstractValue::onlyStructure): Switch to using isInfinite().
1865
1866 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1867
1868         [ES6] Implement Reflect.enumerate
1869         https://bugs.webkit.org/show_bug.cgi?id=147347
1870
1871         Reviewed by Sam Weinig.
1872
1873         This patch implements Reflect.enumerate.
1874         It returns an iterator that iterates over the enumerable keys of the given object.
1875         It follows for-in's enumeration order.
1876
1877         To implement it, we write the same logic as the for-in enumeration code in C++.
1878
1879         * CMakeLists.txt:
1880         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1881         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1882         * JavaScriptCore.xcodeproj/project.pbxproj:
1883         * runtime/JSGlobalObject.cpp:
1884         (JSC::JSGlobalObject::init):
1885         (JSC::JSGlobalObject::visitChildren):
1886         * runtime/JSGlobalObject.h:
1887         (JSC::JSGlobalObject::propertyNameIteratorStructure):
1888         * runtime/JSPropertyNameIterator.cpp: Added.
1889         (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
1890         (JSC::JSPropertyNameIterator::clone):
1891         (JSC::JSPropertyNameIterator::create):
1892         (JSC::JSPropertyNameIterator::finishCreation):
1893         (JSC::JSPropertyNameIterator::visitChildren):
1894         (JSC::JSPropertyNameIterator::next):
1895         (JSC::propertyNameIteratorFuncNext):
1896         * runtime/JSPropertyNameIterator.h: Added.
1897         (JSC::JSPropertyNameIterator::createStructure):
1898         * runtime/ReflectObject.cpp:
1899         (JSC::reflectObjectEnumerate):
1900         * tests/stress/reflect-enumerate.js: Added.
1901         (shouldBe):
1902         (shouldThrow):
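The behaviour this entry describes, as an added JavaScript example that is not JavaScriptCore's C++ nor a test from this change. Engines today do not ship Reflect.enumerate (it was later removed from the specification), so the function is named reflectEnumerate here and re-creates the semantics in JavaScript: a TypeError for non-objects, then the enumerable string keys in for-in order. It goes slightly beyond the entry by showing for-in's shadowing rule, where a non-enumerable nearer property hides the same key further up the prototype chain. The names isObjectLike, enumerateKeys, forInKeys and buildFixture are chosen for this example, and the fixture is constructed.

```javascript
// Added example, not JavaScriptCore code: a JavaScript re-creation of the
// Reflect.enumerate semantics the entry describes.

function isObjectLike(value) {
  return value !== null && (typeof value === "object" || typeof value === "function");
}

// Walks the prototype chain the way for-in does: own string keys of each
// object in [[OwnPropertyKeys]] order (integer indices ascending, then other
// strings in insertion order), yielding the enumerable ones. A key seen on a
// nearer object shadows the same key further up the chain even when the
// nearer property is non-enumerable; symbol keys are never enumerated.
function* enumerateKeys(target) {
  const visited = new Set();
  for (let obj = target; obj !== null; obj = Object.getPrototypeOf(obj)) {
    for (const key of Object.getOwnPropertyNames(obj)) {
      if (visited.has(key)) continue;
      visited.add(key);
      const desc = Object.getOwnPropertyDescriptor(obj, key);
      if (desc !== undefined && desc.enumerable) yield key;
    }
  }
}

// Like Reflect.enumerate as described in the entry: rejects a non-object with
// a TypeError up front and returns an iterator over the enumerable keys.
function reflectEnumerate(target) {
  if (!isObjectLike(target)) {
    throw new TypeError("Reflect.enumerate requires an object");
  }
  return enumerateKeys(target);
}

// Reference behaviour: the keys for-in itself produces, in order.
function forInKeys(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

// Constructed fixture covering index ordering, an inherited key, a
// non-enumerable inherited key, shadowing by a non-enumerable own property,
// and a symbol key.
function buildFixture() {
  const proto = { inherited: 1, hidden: 2, shadowed: 3 };
  Object.defineProperty(proto, "hidden", { enumerable: false });
  const obj = Object.create(proto);
  obj.b = 1;
  obj[10] = "ten";
  obj.a = 2;
  obj[2] = "two";
  obj[Symbol("s")] = "never enumerated";
  Object.defineProperty(obj, "shadowed", { value: 0, enumerable: false });
  return obj;
}
```

For the fixture above, reflectEnumerate yields "2", "10", "b", "a", "inherited", which is exactly what for-in produces; "shadowed" is skipped on both the object and its prototype, and "hidden" is skipped because it is non-enumerable.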
1903
1904 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1905
1906         [ES6] Implement Reflect.preventExtensions
1907         https://bugs.webkit.org/show_bug.cgi?id=147331
1908
1909         Reviewed by Sam Weinig.
1910
1911         Implement Reflect.preventExtensions.
1912         This is different from Object.preventExtensions.
1913
1914         1. When preventExtensions is called on a non-object, it raises a TypeError.
1915         2. Reflect.preventExtensions does not raise a TypeError when the preventExtensions operation fails.
1916
1917         For case (2), since there is no Proxy implementation currently, Reflect.preventExtensions always succeeds.
1918
1919         * runtime/ReflectObject.cpp:
1920         (JSC::reflectObjectPreventExtensions):
1921         * tests/stress/reflect-prevent-extensions.js: Added.
1922         (shouldBe):
1923         (shouldThrow):
1924
1925 2015-07-27  Alex Christensen  <achristensen@webkit.org>
1926
1927         Use Ninja on Windows.
1928         https://bugs.webkit.org/show_bug.cgi?id=147228
1929
1930         Reviewed by Martin Robinson.
1931
1932         * CMakeLists.txt:
1933         Set the working directory when generating LowLevelInterpreterWin.asm to put LowLevelInterpreterWin.asm.sym in the right place.
1934
1935 2015-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1936
1937         SparseValueMap check is skipped when the butterfly's vectorLength is larger than the access-requested index
1938         https://bugs.webkit.org/show_bug.cgi?id=147265
1939
1940         Reviewed by Geoffrey Garen.
1941
1942         JSObject's vector holds the indexed values and we leverage it to represent stored values and holes.
1943         By checking that the given index is within the vector's length, we can look up the property fast.
1944         And for sparse arrays, we also have the separate SparseValueMap to hold the pairs.
1945         And we need to take care that the length of the vector does not overlap the indices stored in the SparseValueMap.
1946
1947         The vector only holds pure JS values to avoid additional checking for accessors when looking up a value
1948         from the vector. To achieve this, we also store the accessors (and attributed properties) in the SparseValueMap
1949         even if the index is less than MIN_SPARSE_ARRAY_INDEX.
1950
1951         As a result, if the length of the vector overlaps the indices of the accessors stored in the SparseValueMap,
1952         we accidentally skip the phase of looking up from the SparseValueMap. Instead, we just load from the vector and
1953         if the loaded value is an array hole, we decide the given object does not have a value for the given index.
1954
1955         This patch fixes the problem.
1956         When defining an attributed value whose index is smaller than the length of the vector, we throw away the vector
1957         and change the object to DictionaryIndexingMode. Since we can assume that indexed accessors rarely exist in
1958         practice, we expect this does not hurt performance while keeping the fast property access system without
1959         checking the sparse map.
1960
1961         * runtime/JSObject.cpp:
1962         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1963         * tests/stress/sparse-map-non-overlapping.js: Added.
1964         (shouldBe):
1965         (testing):
1966         (object.get 1000):
1967         * tests/stress/sparse-map-non-skip-getter-overriding.js: Added.
1968         (shouldBe):
1969         (obj.get 1):
1970         (testing):
1971         * tests/stress/sparse-map-non-skip.js: Added.
1972         (shouldBe):
1973         (testing):
1974         (testing2):
1975         (.get for):
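
The behaviour the sparse-map fix above guarantees, as an added example that is not part of the WebKit patch or its tests: an accessor defined at an index that lies inside the object's dense storage must still be found and invoked, rather than the lookup short-cutting to "hole, therefore absent". The arrays, the plain object and the getter bodies below are constructed for this example.

```javascript
// Observations about indexed accessors defined below the dense vector length.
// Each getter records that it ran, so a skipped SparseValueMap lookup would be
// visible both as a wrong value and as a missing call.
function indexedAccessorObservations() {
    const getterCalls = [];

    // Constructed: a dense array, so index 1 is well inside the vector length.
    const arr = [10, 11, 12, 13];
    Object.defineProperty(arr, 1, {
        get() { getterCalls.push('arr[1]'); return 'from-getter'; },
        enumerable: true,
        configurable: true,
    });

    // Constructed: a plain object with indexed properties, the shape that the
    // sparse-map-non-skip-getter-overriding test exercises.
    const obj = { 0: 'a', 1: 'b', 2: 'c' };
    Object.defineProperty(obj, 1, {
        get() { getterCalls.push('obj[1]'); return 'overridden'; },
        enumerable: true,
        configurable: true,
    });

    // Constructed: an array with a hole at index 1, then an accessor at that hole.
    // A loader that trusts the vector alone would see the hole and report "absent".
    const holey = [0, , 2];
    Object.defineProperty(holey, 1, {
        get() { getterCalls.push('holey[1]'); return 'filled-by-getter'; },
        enumerable: true,
        configurable: true,
    });

    return {
        arrValue: arr[1],                     // 'from-getter'
        arrHas: 1 in arr,                     // true
        objValue: obj[1],                     // 'overridden'
        objHas: Object.prototype.hasOwnProperty.call(obj, 1),
        holeyValue: holey[1],                 // 'filled-by-getter'
        holeyHas: 1 in holey,                 // true: the accessor fills the hole
        holeyKeys: Object.keys(holey).join(','), // '0,1,2'
        getterCalls: getterCalls.slice(),     // one call per indexed read above
        arrIsAccessor: typeof Object.getOwnPropertyDescriptor(arr, 1).get === 'function',
    };
}
```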
1976
1977 2015-07-27  Saam barati  <saambarati1@gmail.com>
1978
1979         Reduce execution time for "let" and "const" tests
1980         https://bugs.webkit.org/show_bug.cgi?id=147291
1981
1982         Reviewed by Geoffrey Garen.
1983
1984         We don't need to loop so many times for things that will not make it 
1985         into the DFG.  Also, we can loop a lot less for almost all the tests 
1986         because they're mostly testing the bytecode generator.
1987
1988         * tests/stress/const-and-with-statement.js:
1989         * tests/stress/const-exception-handling.js:
1990         * tests/stress/const-loop-semantics.js:
1991         * tests/stress/const-not-strict-mode.js:
1992         * tests/stress/const-semantics.js:
1993         * tests/stress/const-tdz.js:
1994         * tests/stress/lexical-let-and-with-statement.js:
1995         * tests/stress/lexical-let-exception-handling.js:
1996         (assert):
1997         * tests/stress/lexical-let-loop-semantics.js:
1998         (assert):
1999         (shouldThrowTDZ):
2000         (.):
2001         * tests/stress/lexical-let-not-strict-mode.js:
2002         * tests/stress/lexical-let-semantics.js:
2003         (.):
2004         * tests/stress/lexical-let-tdz.js:
2005         (shouldThrowTDZ):
2006         (.):
2007
2008 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2009
2010         Rename PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols
2011         https://bugs.webkit.org/show_bug.cgi?id=147311
2012
2013         Reviewed by Sam Weinig.
2014
2015         To make the meaning clear on the user side (PropertyNameArray array(exec, PropertyNameMode::StringsAndSymbols)),
2016         this patch renames PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols.
2017
2018         * bytecode/ObjectAllocationProfile.h:
2019         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2020         * runtime/EnumerationMode.h:
2021         * runtime/ObjectConstructor.cpp:
2022         (JSC::ownEnumerablePropertyKeys):
2023         (JSC::defineProperties):
2024         (JSC::objectConstructorSeal):
2025         (JSC::objectConstructorFreeze):
2026         (JSC::objectConstructorIsSealed):
2027         (JSC::objectConstructorIsFrozen):
2028         (JSC::ownPropertyKeys):
2029         * runtime/ReflectObject.cpp:
2030         (JSC::reflectObjectOwnKeys):
2031
2032 2015-07-27  Saam barati  <saambarati1@gmail.com>
2033
2034         Added a comment explaining that all "addVar()"s should happen before
2035         emitting bytecode for a function's default parameter expressions
2036
2037         Rubber Stamped by Mark Lam.
2038
2039         * bytecompiler/BytecodeGenerator.cpp:
2040         (JSC::BytecodeGenerator::BytecodeGenerator):
2041
2042 2015-07-26  Sam Weinig  <sam@webkit.org>
2043
2044         Add missing builtin files to the JavaScriptCore Xcode project
2045         https://bugs.webkit.org/show_bug.cgi?id=147312
2046
2047         Reviewed by Darin Adler.
2048
2049         * JavaScriptCore.xcodeproj/project.pbxproj:
2050         Add missing files.
2051
2052 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2053
2054         [ES6] Implement Reflect.isExtensible
2055         https://bugs.webkit.org/show_bug.cgi?id=147308
2056
2057         Reviewed by Sam Weinig.
2058
2059         This patch implements Reflect.isExtensible.
2060         It is similar to Object.isExtensible.
2061         The difference is that it raises an error if the first argument is not an object.
2062
2063         * runtime/ReflectObject.cpp:
2064         (JSC::reflectObjectIsExtensible):
2065         * tests/stress/reflect-is-extensible.js: Added.
2066         (shouldBe):
2067         (shouldThrow):
2068
2069 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2070
2071         Unreviewed, fix the debug build due to touching the non-declared variable in ASSERT
2072         https://bugs.webkit.org/show_bug.cgi?id=147307
2073
2074         * runtime/ObjectConstructor.cpp:
2075         (JSC::ownPropertyKeys):
2076
2077 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2078
2079         [ES6] Implement Reflect.ownKeys
2080         https://bugs.webkit.org/show_bug.cgi?id=147307
2081
2082         Reviewed by Sam Weinig.
2083
2084         This patch implements Reflect.ownKeys.
2085         In this patch, we refactor the existing code that lists the own keys of an object.
2086         Such code is used by Object.getOwnPropertyNames, Object.getOwnPropertyKeys, Object.keys and @ownEnumerableKeys.
2087         We factor out listing the own keys as the ownPropertyKeys function and also use it in Reflect.ownKeys.
2088
2089         * runtime/ObjectConstructor.cpp:
2090         (JSC::objectConstructorGetOwnPropertyNames):
2091         (JSC::objectConstructorGetOwnPropertySymbols):
2092         (JSC::objectConstructorKeys):
2093         (JSC::ownEnumerablePropertyKeys):
2094         (JSC::ownPropertyKeys):
2095         * runtime/ObjectConstructor.h:
2096         * runtime/ReflectObject.cpp:
2097         (JSC::reflectObjectOwnKeys):
2098         * tests/stress/reflect-own-keys.js: Added.
2099         (shouldBe):
2100         (shouldThrow):
2101         (shouldBeArray):
2102
2103 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2104
2105         [ES6] Implement Reflect.apply
2106         https://bugs.webkit.org/show_bug.cgi?id=147306
2107
2108         Reviewed by Sam Weinig.
2109
2110         Implement Reflect.apply.
2111         The large part of this can be implemented by the @apply builtin annotation.
2112         The only thing which is different from Function.prototype.apply is that the third parameter,
2113         "argumentsList", needs to be an object.
2114
2115         * builtins/ReflectObject.js:
2116         (apply):
2117         (deleteProperty):
2118         * runtime/ReflectObject.cpp:
2119         * tests/stress/reflect-apply.js: Added.
2120         (shouldBe):
2121         (shouldThrow):
2122         (get shouldThrow):
2123         (.get shouldThrow):
2124         (get var.array.get length):
2125         (get var.array.get 0):
2126         (.get var):
2127         * tests/stress/reflect-delete-property.js:
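
The points where the Reflect methods from the preventExtensions, isExtensible, ownKeys and apply entries above differ from their Object and Function.prototype counterparts, as an added example that is not code from the WebKit patches. The Proxy with a refusing preventExtensions trap is constructed here to exercise the "operation fails" case that the preventExtensions entry says could not yet be reached in JSC; the helper name classify is also this example's own.

```javascript
// Run fn and report whether it threw, so the contrasting calls below can be
// compared side by side without try/catch noise at each call site.
function classify(fn) {
    try {
        return { threw: false, value: fn() };
    } catch (e) {
        return { threw: true, errorName: e.constructor.name };
    }
}

function reflectVsObject() {
    // Constructed: a proxy whose preventExtensions trap refuses the operation.
    // Refusing is permitted by the Proxy invariants as long as the target
    // itself remains extensible.
    const stubborn = new Proxy({}, {
        preventExtensions() { return false; },
    });

    // Constructed: an object with a string key, a symbol key and a
    // non-enumerable key, to show what ownKeys reports.
    const sym = Symbol('s');
    const keyed = { a: 1, [sym]: 2 };
    Object.defineProperty(keyed, 'hidden', { value: 3, enumerable: false });

    return {
        // 1. Reflect.* rejects non-objects; the ES6 Object.* versions pass
        //    primitives through instead of throwing.
        objectPreventOnPrimitive: classify(() => Object.preventExtensions(1)),   // value 1
        reflectPreventOnPrimitive: classify(() => Reflect.preventExtensions(1)), // TypeError
        objectIsExtensiblePrimitive: classify(() => Object.isExtensible(1)),     // value false
        reflectIsExtensiblePrimitive: classify(() => Reflect.isExtensible(1)),   // TypeError

        // 2. A refused operation: Object.* throws, Reflect.* reports false and
        //    leaves the object extensible.
        objectPreventRefused: classify(() => Object.preventExtensions(stubborn)),   // TypeError
        reflectPreventRefused: classify(() => Reflect.preventExtensions(stubborn)), // value false
        stillExtensible: Reflect.isExtensible(stubborn),                             // true

        // 3. ownKeys lists string keys (enumerable or not) before symbol keys.
        ownKeys: Reflect.ownKeys(keyed), // ['a', 'hidden', sym]

        // 4. Reflect.apply insists on an object argumentsList, whereas
        //    Function.prototype.apply treats undefined as "no arguments".
        applyOk: classify(() => Reflect.apply(Math.max, undefined, [1, 5, 3])),    // value 5
        applyUndefinedList: classify(() => Reflect.apply(Math.max, undefined, undefined)), // TypeError
        protoApplyUndefinedList: classify(() => Math.max.apply(undefined, undefined)),     // -Infinity
    };
}
```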
2128
2129 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2130
2131         [ES6] Add Reflect namespace and add Reflect.deleteProperty
2132         https://bugs.webkit.org/show_bug.cgi?id=147287
2133
2134         Reviewed by Sam Weinig.
2135
2136         This patch just creates the namespace for the ES6 Reflect APIs.
2137         And adds template files to implement the actual code.
2138
2139         So as not to keep the JS generated properties C array empty,
2140         we added one small method, Reflect.deleteProperty, in this patch.
2141
2142         * CMakeLists.txt:
2143         * DerivedSources.make:
2144         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2145         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2146         * JavaScriptCore.xcodeproj/project.pbxproj:
2147         * builtins/ReflectObject.js: Added.
2148         (deleteProperty):
2149         * runtime/CommonIdentifiers.h:
2150         * runtime/JSGlobalObject.cpp:
2151         (JSC::JSGlobalObject::init):
2152         * runtime/ReflectObject.cpp: Added.
2153         (JSC::ReflectObject::ReflectObject):
2154         (JSC::ReflectObject::finishCreation):
2155         (JSC::ReflectObject::getOwnPropertySlot):
2156         * runtime/ReflectObject.h: Added.
2157         (JSC::ReflectObject::create):
2158         (JSC::ReflectObject::createStructure):
2159         * tests/stress/reflect-delete-property.js: Added.
2160         (shouldBe):
2161         (shouldThrow):
2162
2163 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2164
2165         Avoid 2 times name iteration in Object.assign
2166         https://bugs.webkit.org/show_bug.cgi?id=147268
2167
2168         Reviewed by Geoffrey Garen.
2169
2170         Object.assign calls Object.getOwnPropertyNames & Object.getOwnPropertySymbols to collect all the names.
2171         But exposing a private API that collects both at the same time makes the API efficient when the given Object has very many non-indexed properties.
2172         Since Object.assign is such a generic API (some form of utility API), the form of the given Object is not known in advance.
2173         So the given object may have very many non-indexed properties.
2174
2175         In this patch, we introduce the `ownEnumerablePropertyKeys` private function.
2176         It is a slightly modified version of `[[OwnPropertyKeys]]` in the ES6 spec;
2177         it only includes enumerable properties.
2178
2179         By filtering out the non-enumerable properties in the exposed private function,
2180         we avoid calling @objectGetOwnPropertyDescriptor for each property at the same time.
2181
2182         * builtins/ObjectConstructor.js:
2183         (assign):
2184         * runtime/CommonIdentifiers.h:
2185         * runtime/EnumerationMode.h:
2186         * runtime/JSGlobalObject.cpp:
2187         (JSC::JSGlobalObject::init):
2188         * runtime/ObjectConstructor.cpp:
2189         (JSC::ownEnumerablePropertyKeys):
2190         * runtime/ObjectConstructor.h:
2191         * tests/stress/object-assign-enumerable.js: Added.
2192         (shouldBe):
2193         * tests/stress/object-assign-order.js: Added.
2194         (shouldBe):
2195
2196 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2197
2198         Remove runtime flags for symbols
2199         https://bugs.webkit.org/show_bug.cgi?id=147246
2200
2201         Reviewed by Alex Christensen.
2202
2203         * runtime/ArrayPrototype.cpp:
2204         (JSC::ArrayPrototype::finishCreation):
2205         * runtime/JSGlobalObject.cpp:
2206         (JSC::JSGlobalObject::init): Deleted.
2207         * runtime/JSGlobalObject.h:
2208         * runtime/ObjectConstructor.cpp:
2209         (JSC::ObjectConstructor::finishCreation):
2210         * runtime/RuntimeFlags.h:
2211
2212 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2213
2214         Object.getOwnPropertySymbols on large list takes very long
2215         https://bugs.webkit.org/show_bug.cgi?id=146137
2216
2217         Reviewed by Mark Lam.
2218
2219         Before this patch, Object.getOwnPropertySymbols collected all the names including strings.
2220         And after it was done, it filtered the names to only retrieve the symbols.
2221         But it's so time consuming if the given object is a large non-holed array since it has
2222         many indexed properties and all the indexes have to be converted to uniqued strings and
2223         added to the collection of property names (though they may not be of the requested type
2224         and will be filtered out later).
2225
2226         This patch introduces PropertyNameMode.
2227         We leverage this mode in 2 places.
2228
2229         1. PropertyNameArray side
2230         It is set in PropertyNameArray and it filters the incoming added identifiers based on the mode.
2231         It ensures that PropertyNameArray doesn't become so large in the pathological case.
2232         And it ensures that keys of a type not expected by the filter (Symbols or Strings) are never added
2233         to the property name array collections.
2234         However it does not solve the whole problem because the huge array still incurs the many
2235         "indexed property to uniqued string" conversion and the large iteration before adding the keys
2236         to the property name array.
2237
2238         2. getOwnPropertyNames side
2239         So we can use the PropertyNameMode in the caller side (getOwnPropertyNames) as a **hint**.
2240         When the large iteration may occur, the caller side can use the PropertyNameMode as a hint to
2241         avoid the iteration.
2242         But we cannot exclusively rely on these caller side checks because it would require that we
2243         exhaustively add the checks to all custom implementations of getOwnPropertyNames as well.
2244         This process requires manual inspection of many pieces of code, and is error prone. Instead,
2245         we only apply the caller side check in a few strategic places where it is known to yield
2246         performance benefits; and we rely on the filter in PropertyNameArray::add() to reject the wrong
2247         types of properties for all other calls to PropertyNameArray::add().
2248
2249         In this patch, there's a concept in use that is not clear just from reading the code, and hence
2250         should be documented here. When selecting the PropertyNameMode for the PropertyNameArray to be
2251         instantiated, we apply the following logic:
2252
2253         1. Only JavaScriptCore code is aware of ES6 Symbols.
2254         We can assume that pre-existing external code that interfaces with JSC is only looking for string named properties. This includes:
2255             a. WebCore bindings
2256             b. Serializer bindings
2257             c. NPAPI bindings
2258             d. Objective C bindings
2259         2. In JSC, code that computes object storage space needs to iterate both Symbol and String named properties. Hence, use PropertyNameMode::Both.
2260         3. In JSC, ES6 APIs that work with Symbols should use PropertyNameMode::Symbols.
2261         4. In JSC, ES6 APIs that work with String named properties should use PropertyNameMode::Strings.
2262
2263         * API/JSObjectRef.cpp:
2264         (JSObjectCopyPropertyNames):
2265         * bindings/ScriptValue.cpp:
2266         (Deprecated::jsToInspectorValue):
2267         * bytecode/ObjectAllocationProfile.h:
2268         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2269         * runtime/EnumerationMode.h:
2270         (JSC::EnumerationMode::EnumerationMode):
2271         (JSC::EnumerationMode::includeSymbolProperties): Deleted.
2272         * runtime/GenericArgumentsInlines.h:
2273         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2274         * runtime/JSGenericTypedArrayViewInlines.h:
2275         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
2276         * runtime/JSLexicalEnvironment.cpp:
2277         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2278         * runtime/JSONObject.cpp:
2279         (JSC::Stringifier::Stringifier):
2280         (JSC::Stringifier::Holder::appendNextProperty):
2281         (JSC::Walker::walk):
2282         * runtime/JSObject.cpp:
2283         (JSC::JSObject::getOwnPropertyNames):
2284         * runtime/JSPropertyNameEnumerator.cpp:
2285         (JSC::JSPropertyNameEnumerator::create):
2286         * runtime/JSPropertyNameEnumerator.h:
2287         (JSC::propertyNameEnumerator):
2288         * runtime/JSSymbolTableObject.cpp:
2289         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2290         * runtime/ObjectConstructor.cpp:
2291         (JSC::objectConstructorGetOwnPropertyNames):
2292         (JSC::objectConstructorGetOwnPropertySymbols):
2293         (JSC::objectConstructorKeys):
2294         (JSC::defineProperties):
2295         (JSC::objectConstructorSeal):
2296         (JSC::objectConstructorFreeze):
2297         (JSC::objectConstructorIsSealed):
2298         (JSC::objectConstructorIsFrozen):
2299         * runtime/PropertyNameArray.h:
2300         (JSC::PropertyNameArray::PropertyNameArray):
2301         (JSC::PropertyNameArray::mode):
2302         (JSC::PropertyNameArray::addKnownUnique):
2303         (JSC::PropertyNameArray::add):
2304         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
2305         (JSC::PropertyNameArray::includeSymbolProperties):
2306         (JSC::PropertyNameArray::includeStringProperties):
2307         * runtime/StringObject.cpp:
2308         (JSC::StringObject::getOwnPropertyNames):
2309         * runtime/Structure.cpp:
2310         (JSC::Structure::getPropertyNamesFromStructure):
2311
2312 2015-07-24  Saam barati  <saambarati1@gmail.com>
2313
2314         [ES6] Add support for default parameters
2315         https://bugs.webkit.org/show_bug.cgi?id=38409
2316
2317         Reviewed by Filip Pizlo.
2318
2319         This patch implements ES6 default parameters according to the ES6
2320         specification. This patch builds off the components introduced with 
2321         "let" scoping and parsing function parameters in the same parser
2322         arena as the function itself. "let" scoping allows functions with default 
2323         parameter values to place their parameters under the TDZ. Parsing function
2324         parameters in the same parser arena allows the FunctionParameters AST node
2325         to refer to ExpressionNodes.
2326
2327         The most subtle part of this patch is how we allocate lexical environments
2328         when functions have default parameter values. If a function has default
2329         parameter values then there must be a separate lexical environment for
2330         its parameters. Then, the function's "var" lexical environment must have
2331         the parameter lexical environment as its parent. The BytecodeGenerator
2332         takes great care to not allocate the "var" lexical environment before it's
2333         really needed.
2334
2335         The "arguments" object for a function with default parameters will never be 
2336         a mapped arguments object. It will always be a cloned arguments object.
2337
2338         * bytecompiler/BytecodeGenerator.cpp:
2339         (JSC::BytecodeGenerator::generate):
2340         (JSC::BytecodeGenerator::BytecodeGenerator):
2341         (JSC::BytecodeGenerator::~BytecodeGenerator):
2342         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2343         (JSC::BytecodeGenerator::initializeNextParameter):
2344         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
2345         (JSC::BytecodeGenerator::visibleNameForParameter):
2346         (JSC::BytecodeGenerator::emitLoadGlobalObject):
2347         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
2348         (JSC::BytecodeGenerator::pushLexicalScope):
2349         (JSC::BytecodeGenerator::popLexicalScope):
2350         * bytecompiler/BytecodeGenerator.h:
2351         (JSC::BytecodeGenerator::lastOpcodeID):
2352         * bytecompiler/NodesCodegen.cpp:
2353         (JSC::FunctionNode::emitBytecode):
2354         * jit/JITOperations.cpp:
2355         * parser/ASTBuilder.h:
2356         (JSC::ASTBuilder::createElementList):
2357         (JSC::ASTBuilder::createFormalParameterList):
2358         (JSC::ASTBuilder::appendParameter):
2359         (JSC::ASTBuilder::createClause):
2360         (JSC::ASTBuilder::createClauseList):
2361         * parser/Nodes.h:
2362         (JSC::FunctionParameters::size):
2363         (JSC::FunctionParameters::at):
2364         (JSC::FunctionParameters::hasDefaultParameterValues):
2365         (JSC::FunctionParameters::append):
2366         * parser/Parser.cpp:
2367         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2368         (JSC::Parser<LexerType>::createBindingPattern):
2369         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
2370         (JSC::Parser<LexerType>::parseDestructuringPattern):
2371         (JSC::Parser<LexerType>::parseFormalParameters):
2372         (JSC::Parser<LexerType>::parseFunctionParameters):
2373         * parser/Parser.h:
2374         (JSC::Scope::declareParameter):
2375         * parser/SyntaxChecker.h:
2376         (JSC::SyntaxChecker::createElementList):
2377         (JSC::SyntaxChecker::createFormalParameterList):
2378         (JSC::SyntaxChecker::appendParameter):
2379         (JSC::SyntaxChecker::createClause):
2380         (JSC::SyntaxChecker::createClauseList):
2381         * tests/stress/es6-default-parameters.js: Added.
2382         (assert):
2383         (shouldThrow):
2384         (shouldThrowSyntaxError):
2385         (shouldThrowTDZ):
2386         (basic):
2387         (basicFunctionCaptureInDefault.basicFunctionCaptureInDefault.basicCaptured):
2388         (basicCaptured.basicCaptured.tricky):
2389         (strict):
2390         (playground):
2391         (scoping):
2392         (augmentsArguments1):
2393         (augmentsArguments2):
2394         (augmentsArguments3):
2395         (augmentsArguments4):
2396         (augmentsArguments5):
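
The three observable rules the default-parameters entry above describes (a separate parameter scope, parameters under the TDZ, and an unmapped arguments object), as an added example that is not code from the WebKit patch or its es6-default-parameters.js test. All function and variable names below are constructed for this example.

```javascript
// Binding in the enclosing (module) scope; the parameter-scope probe must
// resolve to this one, not to the body's shadowing var.
var outerX = 'outer';

// 1. Separate parameter environment. The arrow function in the default
//    expression is created in the parameter environment; the body's
//    `var outerX` lives in a child "var" environment, so the closure never
//    sees it and still reads the outer binding.
function paramScopeProbe(getX = () => outerX) {
    var outerX = 'body';
    return getX();
}

// 2. Parameters are initialised left to right and sit in the TDZ until then:
//    a default may read an earlier parameter but not a later one.
function laterParamProbe(a = b, b = 1) { return a; }
function earlierParamProbe(a, b = a * 2) { return b; }

function throwsReferenceError(fn) {
    try {
        fn();
        return false;
    } catch (e) {
        return e instanceof ReferenceError;
    }
}

// 3. With default values, `arguments` is a cloned (unmapped) object:
//    reassigning the parameter does not write through to arguments[0], and
//    defaulted parameters do not count towards arguments.length.
function unmappedArgumentsProbe(a = 0) {
    a = 'reassigned';
    return arguments[0];
}
function argumentsLengthProbe(a = 1, b = 2) { return arguments.length; }

function defaultParameterObservations() {
    return {
        closureSeesOuter: paramScopeProbe(),                                   // 'outer'
        tdzWhenDefaultReadsLaterParam: throwsReferenceError(() => laterParamProbe()), // true
        noTdzWhenValueSupplied: laterParamProbe(7),                            // 7: default not evaluated
        earlierParamVisible: earlierParamProbe(4),                             // 8
        argumentsNotAliased: unmappedArgumentsProbe('original'),               // 'original'
        argumentsLengthIgnoresDefaults: argumentsLengthProbe(9),               // 1
    };
}
```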
2397
2398 2015-07-24  Xabier Rodriguez Calvar  <calvaris@igalia.com>
2399
2400         Remove JS Promise constructor unused piece of code
2401         https://bugs.webkit.org/show_bug.cgi?id=147262
2402
2403         Reviewed by Geoffrey Garen.
2404
2405         * runtime/JSPromiseConstructor.cpp:
2406         (JSC::constructPromise): Deleted.
2407         * runtime/JSPromiseConstructor.h: Removed JSC::constructPromise.
2408
2409 2015-07-24  Mark Lam  <mark.lam@apple.com>
2410
2411         Add WASM files to vcxproj files.
2412         https://bugs.webkit.org/show_bug.cgi?id=147264
2413
2414         Reviewed by Geoffrey Garen.
2415
2416         This is a follow up to http://trac.webkit.org/changeset/187254 where WASM files
2417         were introduced but were not able to be added to the vcxproj files yet.
2418
2419         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2420         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2421
2422 2015-07-23  Filip Pizlo  <fpizlo@apple.com>
2423
2424         DFG::safeToExecute() is wrong for MultiGetByOffset, doesn't consider the structures of the prototypes that get loaded from
2425         https://bugs.webkit.org/show_bug.cgi?id=147250
2426
2427         Reviewed by Geoffrey Garen.
2428         
2429         This fixes a nasty - but currently benign - bug in DFG::safeToExecute(). That function
2430         will tell you if hoisting a node to some point is safe in the sense that the node will
2431         not crash the VM if it executes at that point. A node may be unsafe to execute if we
2432         cannot prove that at that point, the memory it is loading is not garbage. This is a
2433         necessarily loose notion - for example it's OK to hoist a load if we haven't proved
2434         that the load makes semantic sense at that point, since anyway the place where the node
2435         did get used will still be guarded by any such semantic checks. But because we may also
2436         hoist uses of the load, we need to make sure that it doesn't produce a garbage value.
2437         Also, we need to ensure that the load won't trap. Hence safeToExecute() returns true
2438         anytime we can be sure that a node will not produce a garbage result (i.e. a malformed
2439         JSValue or object pointer) and will not trap when executed at the point in question.
2440         
2441         The bug is that this verification isn't performed for the loads from prototypes inside
2442         MultiGetByOffset. DFG::ByteCodeParser will guard MultiGetByOffset with CheckStructure's
2443         on the prototypes. So, hypothetically, you might end up hoisting a MultiGetByOffset
2444         above those structure checks, which would mean that we might load a value from a memory
2445         location without knowing that the location is valid. It might then return the value
2446         loaded.
2447         
2448         This never happens in practice. Those structure checks are more hoistable than the
2449         MultiGetByOffset, since they read a strict subset of the MultiGetByOffset's abstract
2450         heap reads. Also, we hoist in program order. So, those CheckStructure's will always be
2451         hoisted before the MultiGetByOffset gets hoisted.
2452         
2453         But we should fix this anyway. DFG::safeToExecute() has a clear definition of what a
2454         "true" return means for IR transformations, and it fails in satisfying that definition
2455         for MultiGetByOffset.
2456         
2457         There are various approaches we can use for making this safe. I considered two:
2458         
2459         1) Have MultiGetByOffset refer to the prototypes it is loading from in IR, so that we
2460            can check if it's safe to load from them.
2461         
2462         2) Turn off MultiGetByOffset hoisting when it will emit loads from prototypes, and the
2463            prototype structure isn't being watched.
2464         
2465         I ended up using (2), because it will be the most natural solution once I finish
2466         https://bugs.webkit.org/show_bug.cgi?id=146929. Already now, it's somewhat more natural
2467         than (1) since that requires more extensive IR changes. Also, (2) will give us what we
2468         want in *most* cases: we will usually watch the prototype structure, and we will
2469         usually constant-fold loads from prototypes. Both of these usually-true things would
2470         have to become false for MultiGetByOffset hoisting to be disabled by this change.
2471         
2472         This change also adds my attempt at a test, though it's not really a test of this bug.
2473         This bug is currently benign. But, the test does at least trigger the logic to run,
2474         which is better than nothing.
2475
2476         * dfg/DFGSafeToExecute.h:
2477         (JSC::DFG::safeToExecute):
2478         * tests/stress/multi-get-by-offset-hoist-around-structure-check.js: Added.
2479         (foo):
2480
2481 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2482
2483         Implement WebAssembly modules
2484         https://bugs.webkit.org/show_bug.cgi?id=147222
2485
2486         Reviewed by Filip Pizlo.
2487
2488         Make JSWASMModule inherit from JSDestructibleObject so that the destructor is called.
2489
2490         * wasm/JSWASMModule.h:
2491
2492 2015-07-23  Alex Christensen  <achristensen@webkit.org>
2493
2494         Remove compile and runtime flags for promises.
2495         https://bugs.webkit.org/show_bug.cgi?id=147244
2496
2497         Reviewed by Yusuke Suzuki.
2498
2499         * API/JSCallbackObjectFunctions.h:
2500         (JSC::JSCallbackObject<Parent>::JSCallbackObject):
2501         * API/JSContextRef.cpp:
2502         (JSGlobalContextCreateInGroup):
2503         * Configurations/FeatureDefines.xcconfig:
2504         * inspector/JSInjectedScriptHost.cpp:
2505         (Inspector::JSInjectedScriptHost::getInternalProperties):
2506         * runtime/JSGlobalObject.cpp:
2507         (JSC::JSGlobalObject::init):
2508         (JSC::JSGlobalObject::visitChildren):
2509         * runtime/JSGlobalObject.h:
2510         (JSC::JSGlobalObject::create):
2511         (JSC::JSGlobalObject::syntaxErrorConstructor):
2512         (JSC::JSGlobalObject::typeErrorConstructor):
2513         (JSC::JSGlobalObject::URIErrorConstructor):
2514         (JSC::JSGlobalObject::promiseConstructor):
2515         (JSC::JSGlobalObject::nullGetterFunction):
2516         (JSC::JSGlobalObject::nullSetterFunction):
2517         (JSC::JSGlobalObject::applyFunction):
2518         (JSC::JSGlobalObject::definePropertyFunction):
2519         (JSC::JSGlobalObject::arrayProtoValuesFunction):
2520         (JSC::JSGlobalObject::initializePromiseFunction):
2521         (JSC::JSGlobalObject::newPromiseDeferredFunction):
2522         (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
2523         (JSC::JSGlobalObject::regExpPrototype):
2524         (JSC::JSGlobalObject::errorPrototype):
2525         (JSC::JSGlobalObject::iteratorPrototype):
2526         (JSC::JSGlobalObject::promisePrototype):
2527         (JSC::JSGlobalObject::debuggerScopeStructure):
2528         (JSC::JSGlobalObject::withScopeStructure):
2529         (JSC::JSGlobalObject::iteratorResultStructure):
2530         (JSC::JSGlobalObject::iteratorResultStructureOffset):
2531         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
2532         (JSC::JSGlobalObject::promiseStructure):
2533         * runtime/JSPromise.cpp:
2534         (JSC::JSPromise::result):
2535         * runtime/JSPromise.h:
2536         * runtime/JSPromiseConstructor.cpp:
2537         (JSC::constructPromise):
2538         * runtime/JSPromiseConstructor.h:
2539         * runtime/JSPromiseDeferred.cpp:
2540         (JSC::JSPromiseDeferred::visitChildren):
2541         * runtime/JSPromiseDeferred.h:
2542         * runtime/JSPromisePrototype.cpp:
2543         (JSC::JSPromisePrototype::getOwnPropertySlot):
2544         * runtime/JSPromisePrototype.h:
2545         * runtime/RuntimeFlags.h:
2546         * runtime/VM.cpp:
2547         (JSC::VM::VM):
2548         * runtime/VM.h:
2549
2550 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2551
2552         Implement WebAssembly modules
2553         https://bugs.webkit.org/show_bug.cgi?id=147222
2554
2555         Reviewed by Mark Lam.
2556
2557         Introducing the boilerplate data structure for the WebAssembly module.
2558         WebAssembly functionality will be added in a subsequent patch.
2559
2560         * CMakeLists.txt:
2561         * JavaScriptCore.xcodeproj/project.pbxproj:
2562         * wasm/JSWASMModule.cpp: Added.
2563         (JSC::JSWASMModule::visitChildren):
2564         * wasm/JSWASMModule.h: Added.
2565         (JSC::JSWASMModule::create):
2566         (JSC::JSWASMModule::createStructure):
2567         (JSC::JSWASMModule::JSWASMModule):
2568
2569 2015-07-23  Devin Rousso  <drousso@apple.com>
2570
2571         Web Inspector: Add a function to CSSCompletions to get a list of supported system fonts
2572         https://bugs.webkit.org/show_bug.cgi?id=147009
2573
2574         Reviewed by Joseph Pecoraro.
2575
2576         * inspector/protocol/CSS.json: Added getSupportedSystemFontFamilyNames function.
2577
2578 2015-07-22  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2579
2580         Add ENABLE_WEBASSEMBLY feature flag for WebAssembly
2581         https://bugs.webkit.org/show_bug.cgi?id=147212
2582
2583         Reviewed by Filip Pizlo.
2584
2585         * Configurations/FeatureDefines.xcconfig:
2586
2587 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
2588
2589         Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time
2590         https://bugs.webkit.org/show_bug.cgi?id=147218
2591
2592         Reviewed by Sam Weinig.
2593         
2594         I want to be able to take a UniquedStringImpl* and turn it into an identifierNumber at
2595         various points in my work on https://bugs.webkit.org/show_bug.cgi?id=146929. Currently,
2596         most Nodes that deal with identifiers use identifierNumbers and you can only create an
2597         identifierNumber in BytecodeGenerator. DFG::ByteCodeParser does sort of have the
2598         ability to create new identifierNumbers when inlining - it takes the inlined code's
2599         identifiers and either gives them new numbers or reuses numbers from the enclosing
2600         code.
2601         
2602         This patch takes that basic functionality and puts it in
2603         DFG::DesiredIdentifiers::ensure(). Anyone can call this at any time to turn a
2604         UniquedStringImpl* into an identifierNumber. This data structure is already used by
2605         Plan to properly install any newly created identifier table entries into the CodeBlock.
2606
2607         * dfg/DFGByteCodeParser.cpp:
2608         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2609         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
2610         (JSC::DFG::ByteCodeParser::linkBlocks):
2611         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2612         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): Deleted.
2613         * dfg/DFGDesiredIdentifiers.cpp:
2614         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
2615         (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
2616         (JSC::DFG::DesiredIdentifiers::ensure):
2617         (JSC::DFG::DesiredIdentifiers::at):
2618         (JSC::DFG::DesiredIdentifiers::addLazily): Deleted.
2619         * dfg/DFGDesiredIdentifiers.h:
2620
2621 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
2622
2623         Simplify things like CompareEq(@x,@x)
2624         https://bugs.webkit.org/show_bug.cgi?id=145850
2625
2626         Reviewed by Sam Weinig.
2627         
2628         This simplifies x==x to true, except in cases where x might be a double (in which case this
2629         might still be false if x is NaN).
2630
2631         * dfg/DFGAbstractInterpreterInlines.h:
2632         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2633         * tests/stress/nan-equal-untyped.js: Added.
2634         (foo):
2635         (test):
2636         * tests/stress/nan-equal.js: Added.
2637         (foo):
2638
2639 2015-07-22  Joseph Pecoraro  <pecoraro@apple.com>
2640
2641         Web Inspector: Timeline should immediately start moving play head when starting a new recording
2642         https://bugs.webkit.org/show_bug.cgi?id=147210
2643
2644         Reviewed by Timothy Hatcher.
2645
2646         * inspector/protocol/Timeline.json:
2647         Add timestamps to recordingStarted and recordingStopped events.
2648
2649 2015-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2650
2651         Introducing construct ability into JS executables
2652         https://bugs.webkit.org/show_bug.cgi?id=147183
2653
2654         Reviewed by Geoffrey Garen.
2655
2656         Decouple the construct ability from the builtin functions.
2657         Currently, all builtin functions are not constructors after r182995.
2658         In that patch, when the given function is a builtin JS function, we recognize it as a non-constructor function.
2659
2660         But, we need to relax it to implement some constructors in builtin JS.
2661         By decoupling the construct ability from whether the function is builtin or not, we can provide
2662
2663         1. constructors written in builtin JS
2664         2. non-constructors in normal JS functions
2665
2666         (1) is needed for Promise constructor.
2667         And (2) is needed for method functions and arrow functions.
2668
2669         This patch introduces ConstructAbility into the unlinked function executables.
2670         It holds whether the given JS function has the construct ability or not.
2671         By leveraging this, this patch disables the construct ability of the method definitions, setters, getters and arrow functions.
2672
2673         And at the same time, this patch introduces the annotation for constructor in builtin JS.
2674         We can define the function as follows,
2675
2676             constructor Promise(executor)
2677             {
2678                 ...
2679             }
2680
2681         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2682         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2683         * JavaScriptCore.xcodeproj/project.pbxproj:
2684         * builtins/BuiltinExecutables.cpp:
2685         (JSC::BuiltinExecutables::createDefaultConstructor):
2686         (JSC::BuiltinExecutables::createExecutableInternal):
2687         * builtins/BuiltinExecutables.h:
2688         * builtins/Iterator.prototype.js:
2689         (symbolIterator):
2690         (SymbolIterator): Deleted.
2691         * bytecode/UnlinkedCodeBlock.cpp:
2692         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2693         * bytecode/UnlinkedCodeBlock.h:
2694         * bytecompiler/BytecodeGenerator.h:
2695         (JSC::BytecodeGenerator::makeFunction):
2696         * generate-js-builtins:
2697         (getCopyright):
2698         (Function):
2699         (Function.__init__):
2700         (Function.mangleName):
2701         (getFunctions):
2702         (mangleName): Deleted.
2703         * jit/JITOperations.cpp:
2704         * llint/LLIntSlowPaths.cpp:
2705         (JSC::LLInt::setUpCall):
2706         * parser/Parser.cpp:
2707         (JSC::Parser<LexerType>::parseClass):
2708         * runtime/CodeCache.cpp:
2709         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2710         * runtime/CommonIdentifiers.h:
2711         * runtime/ConstructAbility.h: Copied from Source/JavaScriptCore/builtins/Iterator.prototype.js.
2712         * runtime/Executable.h:
2713         * runtime/JSFunction.cpp:
2714         (JSC::JSFunction::getConstructData):
2715         * runtime/JSGlobalObject.cpp:
2716         (JSC::JSGlobalObject::init):
2717         * tests/stress/non-constructors.js: Added.
2718         (shouldThrow):
2719         (.prototype.method):
2720         (.prototype.get getter):
2721         (.prototype.set setter):
2722         (.method):
2723         (.get shouldThrow):
2724         (.set shouldThrow):
2725         (set var.test.get getter):
2726         (set var.test.set setter):
2727         (set var.test.normal):
2728         (.set var):
2729         (.set new):
2730
2731 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
2732
2733         [JSC] Enable exception fuzzing for GCC too
2734         https://bugs.webkit.org/show_bug.cgi?id=146831
2735
2736         Reviewed by Darin Adler.
2737
2738         * jit/JITOperations.cpp:
2739
2740 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
2741
2742         Fixed pool allocation should always be aligned
2743         https://bugs.webkit.org/show_bug.cgi?id=147201
2744
2745         Reviewed by Simon Fraser.
2746         
2747         Passing an unaligned size to the allocator can cause asserts or even worse things. The
2748         Options reservation value isn't going to be aligned.
2749
2750         * jit/ExecutableAllocatorFixedVMPool.cpp:
2751         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2752
2753 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
2754
2755         Enable STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE for GCC
2756         https://bugs.webkit.org/show_bug.cgi?id=146829
2757
2758         Reviewed by Brent Fulgham.
2759
2760         * heap/GCAssertions.h:
2761
2762 2015-07-22  Alex Christensen  <achristensen@webkit.org>
2763
2764         Fix quirks in CMake build on Mac and Windows
2765         https://bugs.webkit.org/show_bug.cgi?id=147174
2766
2767         Reviewed by Gyuyoung Kim.
2768
2769         * PlatformMac.cmake:
2770         Add JSRemoteInspector.cpp and remove semicolon from command to make it actually run.
2771
2772 2015-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2773
2774         Add newTarget accessor to JS constructor written in C++
2775         https://bugs.webkit.org/show_bug.cgi?id=147160
2776
2777         Reviewed by Geoffrey Garen.
2778
2779         This patch adds `ExecState#newTarget()` which returns `new.target` defined in ECMA262 6th.
2780         It enables some C++ constructors (like Intl.XXX constructors) to leverage this to complete
2781         their implementation.
2782
2783         When the constructor is called, |this| in the arguments is used for storing new.target instead.
2784         So by adding the accessor for |this|, a JS constructor written in C++ can access new.target.
2785
2786         And at the same time, this patch extends the existing `construct` to accept new.target value.
2787         It corresponds to the spec's Construct abstract operation.
2788
2789         * interpreter/CallFrame.h:
2790         (JSC::ExecState::newTarget):
2791         * interpreter/Interpreter.cpp:
2792         (JSC::Interpreter::executeConstruct):
2793         * interpreter/Interpreter.h:
2794         * runtime/ConstructData.cpp:
2795         (JSC::construct):
2796         * runtime/ConstructData.h:
2797         (JSC::construct):
2798
2799 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
2800
2801         Unreviewed, fix a lot of tests. Need to initialize WTF threading sooner.
2802
2803         * jsc.cpp:
2804         (main):
2805
2806 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
2807
2808         Fixed VM pool allocation should have a reserve for allocations that cannot fail
2809         https://bugs.webkit.org/show_bug.cgi?id=147154
2810         rdar://problem/21847618
2811
2812         Reviewed by Geoffrey Garen.
2813         
2814         This adds the notion of a JIT pool reserve fraction. Some fraction, currently 1/4, of
2815         the JIT pool is reserved for allocations that cannot fail. It makes sense to make this
2816         a fraction rather than a constant because each allocation that can fail may cause some
2817         number of allocations that cannot fail (for example, the OSR exit thunks that we
2818         compile when we exit from some CodeBlock cannot fail).
2819         
2820         I've tested this by adding a test mode where we artificially limit the JIT pool size.
2821         Prior to the fix, we had >20 failures. Now we have none.
2822
2823         * heap/GCLogging.cpp:
2824         (WTF::printInternal): I needed a dump method on Options members when debugging this.
2825         * heap/GCLogging.h:
2826         * jit/ExecutableAllocator.h: Raise the ARM64 limit to 32MB because 16MB is cutting it too close.
2827         * jit/ExecutableAllocatorFixedVMPool.cpp:
2828         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Add the ability to artificially limit JIT pool size for testing.
2829         (JSC::ExecutableAllocator::memoryPressureMultiplier): Implement the reserve when computing memory pressure for JIT tier-up heuristics.
2830         (JSC::ExecutableAllocator::allocate): Implement the reserve when allocating can-fail things.
2831         * jsc.cpp: Rewire some options parsing so that CommandLine happens before we create the JIT pool.
2832         (main):
2833         (CommandLine::parseArguments):
2834         (jscmain):
2835         * runtime/Options.cpp: 
2836         (JSC::OptionRange::dump): I needed a dump method on Options members when debugging this.
2837         (JSC::Options::initialize): This can now be called more than once.
2838         * runtime/Options.h:
2839
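The aligned pool size and the reserve fraction described in the two Filip Pizlo entries above (bugs 147201 and 147154), as an added C++ model written for this page rather than JSC's FixedVMPoolExecutableAllocator. The 4 KiB alignment unit, the class and function names, and the pressure measure are assumptions of the model.

```cpp
#include <cstddef>
#include <cstdio>

using std::size_t;

// Model of a fixed-size executable pool with a reserve for allocations that
// cannot fail. Constructed for illustration; it is not JSC's allocator.
// Assumptions: a 4 KiB alignment unit, and a reserve of 1/4 of the pool.
constexpr size_t kPageSize = 4096;
constexpr size_t kReserveDenominator = 4;

// Round a requested byte count up to the alignment unit. A pool size taken
// from a command-line option is passed through this before the allocator
// sees it, so an odd value can never trip an alignment assert.
inline size_t roundUpToPage(size_t size) {
    return (size + kPageSize - 1) & ~(kPageSize - 1);
}

enum class CanFail { Yes, No };

class FixedPool {
public:
    explicit FixedPool(size_t requestedBytes)
        : m_capacity(roundUpToPage(requestedBytes)), m_used(0) {}

    size_t capacity() const { return m_capacity; }
    size_t used() const { return m_used; }
    size_t reserveBytes() const { return m_capacity / kReserveDenominator; }

    // Bytes a can-fail allocation may still take: free space above the reserve.
    size_t availableForCanFail() const {
        size_t freeBytes = m_capacity - m_used;
        return freeBytes > reserveBytes() ? freeBytes - reserveBytes() : 0;
    }

    // Pressure as seen by tier-up heuristics: fraction of the non-reserved
    // budget in use, so optimizing compiles back off before the reserve is hit.
    double pressure() const {
        size_t budget = m_capacity - reserveBytes();
        return budget ? static_cast<double>(m_used) / static_cast<double>(budget) : 1.0;
    }

    // Can-fail requests (e.g. an optimizing compile) are refused once they
    // would dip into the reserve; cannot-fail requests (e.g. OSR exit thunks)
    // may consume it. Returns false when even the reserve is exhausted, which
    // the real engine would treat as fatal.
    bool allocate(size_t bytes, CanFail canFail, size_t* offsetOut = nullptr) {
        size_t size = roundUpToPage(bytes);
        size_t budget = canFail == CanFail::Yes ? availableForCanFail() : m_capacity - m_used;
        if (size > budget)
            return false;
        if (offsetOut)
            *offsetOut = m_used;
        m_used += size;
        return true;
    }

private:
    size_t m_capacity;
    size_t m_used;
};

struct ScenarioResult {
    size_t canFailGranted;     // can-fail allocations accepted before refusal
    bool cannotFailSucceeded;  // whether a cannot-fail allocation was still served
    size_t usedAfter;          // bytes in use at the end
};

// Fill the pool with can-fail allocations until one is refused, then check
// that a cannot-fail allocation of the same size is still served from the reserve.
ScenarioResult runScenario(size_t poolBytes, size_t chunkBytes) {
    FixedPool pool(poolBytes);
    ScenarioResult r{0, false, 0};
    while (pool.allocate(chunkBytes, CanFail::Yes))
        ++r.canFailGranted;
    r.cannotFailSucceeded = pool.allocate(chunkBytes, CanFail::No);
    r.usedAfter = pool.used();
    return r;
}

int main() {
    ScenarioResult r = runScenario(16 * kPageSize, kPageSize);
    std::printf("can-fail granted: %zu, cannot-fail served from reserve: %s, used: %zu\n",
                r.canFailGranted, r.cannotFailSucceeded ? "yes" : "no", r.usedAfter);
    return 0;
}
```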
2840 2015-07-21  Saam barati  <saambarati1@gmail.com>
2841
2842         ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier"
2843         https://bugs.webkit.org/show_bug.cgi?id=147156
2844
2845         Reviewed by Andreas Kling.
2846
2847         * parser/Nodes.h:
2848
2849 2015-07-21  Basile Clement  <basile_clement@apple.com>
2850
2851         Object allocation sinking phase is performing needless HashMap copies
2852         https://bugs.webkit.org/show_bug.cgi?id=147159
2853
2854         Reviewed by Geoffrey Garen.
2855
2856         The points-to analyzer in the object allocation sinking phase is
2857         currently performing copies of its allocation and pointers tables in
2858         several places. While this is not a huge problem since those tables are
2859         usually small and we are in the FTL path anyway, we still shouldn't be
2860         doing such useless copying.
2861
2862         This patch also removes the DFGInsertOSRHintsForUpdate files that are
2863         no longer needed with the new object sinking phase and should have been
2864         removed in r186795.
2865
2866         * CMakeLists.txt:
2867         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2868         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2869         * JavaScriptCore.xcodeproj/project.pbxproj:
2870         * dfg/DFGInsertOSRHintsForUpdate.cpp: Removed.
2871         (JSC::DFG::insertOSRHintsForUpdate): Deleted.
2872         * dfg/DFGInsertOSRHintsForUpdate.h: Removed.
2873         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2874
2875 2015-07-21  Saam barati  <saambarati1@gmail.com>
2876
2877         DestructuringPatternNode and DestructuringAssignmentNode should be ParserArenaFreeable
2878         https://bugs.webkit.org/show_bug.cgi?id=147140
2879
2880         Reviewed by Geoffrey Garen.
2881
2882         The descendants of DestructuringPatternNode that need destruction also
2883         inherit from ParserArenaDeletable.
2884
2885         * parser/Nodes.h:
2886         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
2887         (JSC::ObjectPatternNode::appendEntry):
2888         (JSC::DestructuringAssignmentNode::bindings):
2889
2890 2015-07-21  Keith Miller  <keith_miller@apple.com>
2891
2892         Add support for the new.target syntax.
2893         https://bugs.webkit.org/show_bug.cgi?id=147051
2894
2895         Reviewed by Yusuke Suzuki.
2896
2897         Add support for new.target. Essentially the implementation is, before constructor calls,
2898         the target of a "new" is placed where "this" normally goes in the calling convention.
2899         Then in the constructor, before the object is initialized, we move the target of the "new"
2900         into a local variable.
2901
2902         * bytecompiler/BytecodeGenerator.cpp:
2903         (JSC::BytecodeGenerator::BytecodeGenerator):
2904         * bytecompiler/NodesCodegen.cpp:
2905         (JSC::NewTargetNode::emitBytecode):
2906         * parser/ASTBuilder.h:
2907         (JSC::ASTBuilder::newTargetExpr):
2908         * parser/NodeConstructors.h:
2909         (JSC::NewTargetNode::NewTargetNode):
2910         * parser/Nodes.h:
2911         * parser/Parser.cpp:
2912         (JSC::Parser<LexerType>::parseMemberExpression):
2913         * parser/SyntaxChecker.h:
2914         (JSC::SyntaxChecker::newTargetExpr):
2915         * runtime/CommonIdentifiers.h:
2916         * tests/stress/new-target.js: Added.
2917         (test):
2918         (call):
2919         (Constructor.subCall):
2920         (Constructor.SubConstructor):
2921         (Constructor):
2922         (noAssign):
2923         (doWeirdThings):
2924         (SuperClass):
2925         (SubClass):
2926
2927 2015-07-20  Saam barati  <saambarati1@gmail.com>
2928
2929         "let" scoping introduced incoherent story about symbol table cloning
2930         https://bugs.webkit.org/show_bug.cgi?id=147046
2931
2932         Reviewed by Filip Pizlo.
2933
2934         This patch now establishes a clear set of rules for how SymbolTables
2935         are owned by CodeBlock. Every SymbolTable that is used by a bytecode
2936         instruction must live in CodeBlock's constant register pool. When CodeBlock
2937         is being linked, it ensures that every SymbolTable in the constant pool is cloned. 
2938         This leaves no room for an un-cloned symbol table to be used by a bytecode instruction. 
2939         Some instructions may refer to SymbolTables indirectly through a JSLexicalEnvironment.
2940         This is fine; all JSLexicalEnvironments are allocated with references to cloned symbol tables.
2941
2942         Another goal of this patch is to remove the notion that a SymbolTable is 1 to 1 
2943         with a CodeBlock. With lexical scoping, this view of the world is no longer
2944         correct. This patch begins to remove this assumption by making CodeBlock's
2945         symbolTable() getter method private. There is still one place where we need
2946         to purge our codebase of this assumption and that is the type profiler. It 
2947         has not been updated for lexical scoping. After it is updated in 
2948         https://bugs.webkit.org/show_bug.cgi?id=145438
2949         we will be able to remove CodeBlock's symbolTable() getter entirely.
2950
2951         * bytecode/CodeBlock.cpp:
2952         (JSC::CodeBlock::CodeBlock):
2953         (JSC::CodeBlock::nameForRegister):
2954         * bytecode/CodeBlock.h:
2955         (JSC::CodeBlock::addStringSwitchJumpTable):
2956         (JSC::CodeBlock::stringSwitchJumpTable):
2957         (JSC::CodeBlock::evalCodeCache):
2958         (JSC::CodeBlock::symbolTable):
2959         * bytecode/UnlinkedCodeBlock.cpp:
2960         (JSC::UnlinkedFunctionExecutable::visitChildren):
2961         (JSC::UnlinkedFunctionExecutable::link):
2962         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2963         * bytecode/UnlinkedCodeBlock.h:
2964         (JSC::UnlinkedCodeBlock::addExceptionHandler):
2965         (JSC::UnlinkedCodeBlock::exceptionHandler):
2966         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
2967         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
2968         (JSC::UnlinkedCodeBlock::symbolTable): Deleted.
2969         (JSC::UnlinkedCodeBlock::setSymbolTable): Deleted.
2970         * bytecompiler/BytecodeGenerator.cpp:
2971         (JSC::BytecodeGenerator::generate):
2972         (JSC::BytecodeGenerator::BytecodeGenerator):
2973         (JSC::BytecodeGenerator::pushLexicalScope):
2974         (JSC::BytecodeGenerator::variableForLocalEntry):
2975         (JSC::BytecodeGenerator::createVariable):
2976         (JSC::BytecodeGenerator::resolveType):
2977         (JSC::BytecodeGenerator::emitResolveScope):
2978         * bytecompiler/BytecodeGenerator.h:
2979         (JSC::BytecodeGenerator::thisRegister):
2980         (JSC::BytecodeGenerator::instructions):
2981         (JSC::BytecodeGenerator::symbolTable): Deleted.
2982         * dfg/DFGGraph.h:
2983         (JSC::DFG::Graph::baselineCodeBlockFor):
2984         (JSC::DFG::Graph::isStrictModeFor):
2985         (JSC::DFG::Graph::symbolTableFor): Deleted.
2986         * jit/AssemblyHelpers.h:
2987         (JSC::AssemblyHelpers::baselineCodeBlock):
2988         (JSC::AssemblyHelpers::argumentsStart):
2989         (JSC::AssemblyHelpers::symbolTableFor): Deleted.
2990         * runtime/CommonSlowPaths.cpp:
2991         (JSC::SLOW_PATH_DECL):
2992         * runtime/Executable.cpp:
2993         (JSC::FunctionExecutable::visitChildren):
2994         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
2995         (JSC::FunctionExecutable::symbolTable): Deleted.
2996         * runtime/Executable.h:
2997
2998 2015-07-18  Filip Pizlo  <fpizlo@apple.com>
2999
3000         REGRESSION(186691): OSR entry is broken on loop headers that have no live variables
3001         https://bugs.webkit.org/show_bug.cgi?id=147074
3002         rdar://problem/21869970
3003
3004         Reviewed by Michael Saboff.
3005         
3006         The OSR entry must-handle block/value widening introduced in r186691 would cause the
3007         CFA to reexecute if it caused any live local variables to change value. But this fails
3008         if the must-handle block has no live local variables, and the entry block otherwise
3009         appears to be unreachable.
3010         
3011         This fixes the bug by having the change detection include whether the block hadn't been
3012         visited in addition to whether any local variable values got widened.
3013         
3014         This is a ~4% speed-up on SunSpider in browser.
3015
3016         * dfg/DFGCFAPhase.cpp:
3017         (JSC::DFG::CFAPhase::run):
3018
3019 2015-07-20  Mark Lam  <mark.lam@apple.com>
3020
3021         Rollout r187020 and r187021: breaks JSC API tests on debug builds.
3022         https://bugs.webkit.org/show_bug.cgi?id=147110
3023
3024         * heap/MachineStackMarker.cpp:
3025         (JSC::MachineThreads::addCurrentThread):
3026         * runtime/JSLock.cpp:
3027         (JSC::JSLockHolder::~JSLockHolder):
3028         (JSC::JSLock::JSLock):
3029         (JSC::JSLock::willDestroyVM):
3030         (JSC::JSLock::setExclusiveThread):
3031         (JSC::JSLock::lock):
3032         (JSC::JSLock::unlock):
3033         (JSC::JSLock::currentThreadIsHoldingLock):
3034         (JSC::JSLock::dropAllLocks):
3035         * runtime/JSLock.h:
3036         (JSC::JSLock::vm):
3037         (JSC::JSLock::hasExclusiveThread):
3038         (JSC::JSLock::exclusiveThread):
3039         * runtime/VM.h:
3040         (JSC::VM::hasExclusiveThread):
3041         (JSC::VM::exclusiveThread):
3042         (JSC::VM::setExclusiveThread):
3043
3044 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
3045
3046         Unreviewed debug build fix after r187020.
3047
3048         * heap/MachineStackMarker.cpp:
3049         (JSC::MachineThreads::addCurrentThread):
3050         VM::exclusiveThread() has changed return type to ThreadIdentifier.
3051
3052 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
3053
3054         JavaScriptCore performance is very bad on Windows
3055         https://bugs.webkit.org/show_bug.cgi?id=146448
3056
3057         Reviewed by Mark Lam.
3058
3059         Profiling shows that std::this_thread::get_id() is slow on Windows.
3060         Use WTF::currentThread() instead, which calls GetCurrentThreadId().
3061         This is faster on Windows. The issue has been reported to Microsoft,
3062         https://connect.microsoft.com/VisualStudio/feedback/details/1558211.
3063
3064         * runtime/JSLock.cpp:
3065         (JSC::JSLockHolder::~JSLockHolder):
3066         (JSC::JSLock::JSLock):
3067         (JSC::JSLock::willDestroyVM):
3068         (JSC::JSLock::setExclusiveThread):
3069         (JSC::JSLock::lock):
3070         (JSC::JSLock::unlock):
3071         (JSC::JSLock::currentThreadIsHoldingLock):
3072         * runtime/JSLock.h:
3073         (JSC::JSLock::vm):
3074         (JSC::JSLock::hasExclusiveThread):
3075         (JSC::JSLock::exclusiveThread):
3076         * runtime/VM.h:
3077         (JSC::VM::hasExclusiveThread):
3078         (JSC::VM::exclusiveThread):
3079         (JSC::VM::setExclusiveThread):
3080
3081 2015-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3082
3083         In strict mode, `Object.keys(arguments)` includes "length"
3084         https://bugs.webkit.org/show_bug.cgi?id=147071
3085
3086         Reviewed by Darin Adler.
3087
3088         ClonedArguments didn't set the "length" with DontEnum.
3089
3090         * runtime/ClonedArguments.cpp:
3091         (JSC::ClonedArguments::createWithInlineFrame):
3092         (JSC::ClonedArguments::createByCopyingFrom):
3093         * tests/stress/arguments-length-always-dont-enum.js: Added.
3094         (shouldBe):
3095         (argsSloppy):
3096         (argsStrict):
3097
3098 2015-07-19  Jordan Harband  <ljharb@gmail.com>
3099
3100         new Date(NaN).toJSON() must return null instead of throwing a TypeError
3101         https://bugs.webkit.org/show_bug.cgi?id=141115
3102
3103         Reviewed by Yusuke Suzuki.
3104
3105         * runtime/DatePrototype.cpp:
3106         (JSC::dateProtoFuncToJSON):
3107
3108 2015-07-19  Saam barati  <saambarati1@gmail.com>
3109
3110         Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions
3111         https://bugs.webkit.org/show_bug.cgi?id=147090
3112
3113         Reviewed by Yusuke Suzuki.
3114
3115         ArrowFunctions have their ParserFunctionInfo "name" field set to
3116         a non-null pointer. This is obviously allowed and valid, except we
3117         had a RELEASE_ASSERT that claimed otherwise. This is a mistake.
3118
3119         Note: ArrowFunctions will never actually have a function name;
3120         their ParserFunctionInfo "name" field will be the empty string.
3121         This is not to be mistaken for the name field being a null pointer.
3122
3123         * parser/Parser.cpp:
3124         (JSC::Parser<LexerType>::parseFunctionInfo):
3125
3126 2015-07-18  Saam barati  <saambarati1@gmail.com>
3127
3128         [ES6] Add support for block scope const
3129         https://bugs.webkit.org/show_bug.cgi?id=31813
3130
3131         Reviewed by Filip Pizlo.
3132
3133         'const' is now implemented in an ES6 spec compliant manner.
3134         'const' variables are always block scoped and always live
3135         either on the stack or in a JSLexicalEnvironment. 'const'
3136         variables never live on the global object.
3137
3138         Inside the BytecodeGenerator, when assigning to a stack
3139         'const' variable or a LocalClosureVar 'const' variable,
3140         we will emit code that just throws a type error.
3141         When assigning to a ClosureVar const variable, CodeBlock linking
3142         will ensure that we perform a dynamic lookup of that variable so
3143         that put_to_scope's slow path throws a type error.
3144
3145         The old 'const' implementation has been removed in this patch.
3146
3147         * bytecode/BytecodeList.json:
3148         * bytecode/BytecodeUseDef.h:
3149         (JSC::computeUsesForBytecodeOffset):
3150         (JSC::computeDefsForBytecodeOffset):
3151         * bytecode/CodeBlock.cpp:
3152         (JSC::CodeBlock::dumpBytecode):
3153         (JSC::CodeBlock::CodeBlock):
3154         * bytecompiler/BytecodeGenerator.cpp:
3155         (JSC::BytecodeGenerator::BytecodeGenerator):
3156         (JSC::BytecodeGenerator::pushLexicalScope):
3157         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3158         (JSC::BytecodeGenerator::variable):
3159         (JSC::BytecodeGenerator::variableForLocalEntry):
3160         (JSC::BytecodeGenerator::createVariable):
3161         (JSC::BytecodeGenerator::emitResolveScope):
3162         (JSC::BytecodeGenerator::emitInstanceOf):
3163         (JSC::BytecodeGenerator::emitGetById):
3164         (JSC::BytecodeGenerator::isArgumentNumber):
3165         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3166         (JSC::BytecodeGenerator::emitEnumeration):
3167         (JSC::BytecodeGenerator::variablePerSymbolTable): Deleted.
3168         (JSC::BytecodeGenerator::emitInitGlobalConst): Deleted.
3169         * bytecompiler/BytecodeGenerator.h:
3170         (JSC::Variable::Variable):
3171         (JSC::Variable::isReadOnly):
3172         (JSC::Variable::isSpecial):
3173         (JSC::Variable::isConst):
3174         (JSC::BytecodeGenerator::thisRegister):
3175         (JSC::BytecodeGenerator::emitTypeOf):
3176         (JSC::BytecodeGenerator::emitIn):
3177         * bytecompiler/NodesCodegen.cpp:
3178         (JSC::PostfixNode::emitResolve):
3179         (JSC::PrefixNode::emitResolve):
3180         (JSC::ReadModifyResolveNode::emitBytecode):
3181         (JSC::AssignResolveNode::emitBytecode):
3182         (JSC::CommaNode::emitBytecode):
3183         (JSC::BindingNode::bindValue):
3184         (JSC::ConstDeclNode::emitCodeSingle): Deleted.
3185         (JSC::ConstDeclNode::emitBytecode): Deleted.
3186         (JSC::ConstStatementNode::emitBytecode): Deleted.
3187         * dfg/DFGByteCodeParser.cpp:
3188         (JSC::DFG::ByteCodeParser::parseBlock):
3189         * dfg/DFGCapabilities.cpp:
3190         (JSC::DFG::capabilityLevel):
3191         * jit/JIT.cpp:
3192         (JSC::JIT::privateCompileMainPass):
3193         * jit/JIT.h:
3194         * jit/JITPropertyAccess.cpp:
3195         (JSC::JIT::emit_op_put_to_arguments):
3196         (JSC::JIT::emit_op_init_global_const): Deleted.
3197         * jit/JITPropertyAccess32_64.cpp:
3198         (JSC::JIT::emit_op_put_to_arguments):
3199         (JSC::JIT::emit_op_init_global_const): Deleted.
3200         * llint/LowLevelInterpreter.asm:
3201         * llint/LowLevelInterpreter32_64.asm:
3202         * llint/LowLevelInterpreter64.asm:
3203         * parser/ASTBuilder.h:
3204         (JSC::ASTBuilder::createDeclarationStatement):
3205         (JSC::ASTBuilder::createEmptyVarExpression):
3206         (JSC::ASTBuilder::createDebugger):
3207         (JSC::ASTBuilder::appendStatement):
3208         (JSC::ASTBuilder::createVarStatement): Deleted.
3209         (JSC::ASTBuilder::createLetStatement): Deleted.
3210         (JSC::ASTBuilder::createConstStatement): Deleted.
3211         (JSC::ASTBuilder::appendConstDecl): Deleted.
3212         * parser/NodeConstructors.h:
3213         (JSC::CommaNode::CommaNode):
3214         (JSC::SourceElements::SourceElements):
3215         (JSC::SwitchNode::SwitchNode):
3216         (JSC::BlockNode::BlockNode):
3217         (JSC::ConstStatementNode::ConstStatementNode): Deleted.
3218         (JSC::ConstDeclNode::ConstDeclNode): Deleted.
3219         * parser/Nodes.h:
3220         (JSC::ConstDeclNode::hasInitializer): Deleted.
3221         (JSC::ConstDeclNode::ident): Deleted.
3222         * parser/Parser.cpp:
3223         (JSC::Parser<LexerType>::parseStatementListItem):
3224         (JSC::Parser<LexerType>::parseVariableDeclaration):
3225         (JSC::Parser<LexerType>::parseWhileStatement):
3226         (JSC::Parser<LexerType>::parseVariableDeclarationList):
3227         (JSC::Parser<LexerType>::createBindingPattern):
3228         (JSC::Parser<LexerType>::parseDestructuringPattern):
3229         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
3230         (JSC::Parser<LexerType>::parseForStatement):
3231         (JSC::Parser<LexerType>::parseTryStatement):
3232         (JSC::Parser<LexerType>::parseFunctionInfo):
3233         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3234         (JSC::Parser<LexerType>::parseClass):
3235         (JSC::Parser<LexerType>::parseConstDeclaration): Deleted.
3236         (JSC::Parser<LexerType>::parseConstDeclarationList): Deleted.
3237         * parser/Parser.h:
3238         (JSC::isEvalNode):
3239         (JSC::isEvalNode<EvalNode>):
3240         (JSC::isArguments):
3241         (JSC::isEval):
3242         (JSC::isEvalOrArgumentsIdentifier):
3243         (JSC::Scope::Scope):
3244         (JSC::Scope::declareCallee):
3245         (JSC::Scope::declareVariable):
3246         (JSC::Scope::declareLexicalVariable):
3247         (JSC::Scope::hasDeclaredVariable):
3248         (JSC::Scope::allowsVarDeclarations):
3249         (JSC::Scope::allowsLexicalDeclarations):
3250         (JSC::Scope::declareParameter):
3251         (JSC::Scope::declareBoundParameter):
3252         (JSC::Parser::destructuringKindFromDeclarationType):
3253         (JSC::Parser::assignmentContextFromDeclarationType):
3254         (JSC::Parser::isEvalOrArguments):
3255         (JSC::Parser::currentScope):
3256         (JSC::Parser::popScope):
3257         (JSC::Parser::declareVariable):
3258         (JSC::Parser::hasDeclaredVariable):
3259         (JSC::Parser::setStrictMode):
3260         (JSC::Parser::strictMode):
3261         (JSC::Parser::isValidStrictMode):
3262         (JSC::Parser::declareParameter):
3263         (JSC::Parser::declareBoundParameter):
3264         (JSC::Parser::breakIsValid):
3265         * parser/SyntaxChecker.h:
3266         (JSC::SyntaxChecker::createForInLoop):
3267         (JSC::SyntaxChecker::createForOfLoop):
3268         (JSC::SyntaxChecker::createEmptyStatement):
3269         (JSC::SyntaxChecker::createDeclarationStatement):
3270         (JSC::SyntaxChecker::createReturnStatement):
3271         (JSC::SyntaxChecker::createBreakStatement):
3272         (JSC::SyntaxChecker::createVarStatement): Deleted.
3273         (JSC::SyntaxChecker::createLetStatement): Deleted.
3274         * parser/VariableEnvironment.h:
3275         (JSC::VariableEnvironmentEntry::isCaptured):
3276         (JSC::VariableEnvironmentEntry::isConst):
3277         (JSC::VariableEnvironmentEntry::isVar):
3278         (JSC::VariableEnvironmentEntry::isLet):
3279         (JSC::VariableEnvironmentEntry::setIsCaptured):
3280         (JSC::VariableEnvironmentEntry::setIsConst):
3281         (JSC::VariableEnvironmentEntry::setIsVar):
3282         (JSC::VariableEnvironmentEntry::setIsLet):
3283         (JSC::VariableEnvironmentEntry::isConstant): Deleted.
3284         (JSC::VariableEnvironmentEntry::setIsConstant): Deleted.
3285         * runtime/Executable.cpp:
3286         (JSC::ProgramExecutable::initializeGlobalProperties):
3287         * runtime/JSGlobalObject.cpp:
3288         (JSC::JSGlobalObject::defineOwnProperty):
3289         (JSC::JSGlobalObject::addGlobalVar):
3290         (JSC::JSGlobalObject::addFunction):
3291         (JSC::lastInPrototypeChain):
3292         * runtime/JSGlobalObject.h:
3293         (JSC::JSGlobalObject::finishCreation):
3294         (JSC::JSGlobalObject::addVar):
3295         (JSC::JSGlobalObject::addConst): Deleted.
3296         * runtime/JSLexicalEnvironment.cpp:
3297         (JSC::JSLexicalEnvironment::symbolTablePut):
3298         * tests/stress/const-and-with-statement.js: Added.
3299         (truth):
3300         (assert):
3301         (shouldThrowInvalidConstAssignment):
3302         (.):
3303         * tests/stress/const-exception-handling.js: Added.
3304         (truth):
3305         (assert):
3306         (.):
3307         * tests/stress/const-loop-semantics.js: Added.
3308         (truth):
3309         (assert):
3310         (shouldThrowInvalidConstAssignment):
3311         (.):
3312         * tests/stress/const-not-strict-mode.js: Added.
3313         (truth):
3314         (assert):
3315         (shouldThrowTDZ):
3316         (.):
3317         * tests/stress/const-semantics.js: Added.
3318         (truth):
3319         (assert):
3320         (shouldThrowInvalidConstAssignment):
3321         (.):
3322         * tests/stress/const-tdz.js: Added.
3323         (truth):
3324         (assert):
3325         (shouldThrowTDZ):
3326         (.):
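
The stress tests listed above are named after the const behaviours they check: reads in the temporal dead zone, invalid assignment, loop bindings, and interaction with a `with` statement. The script below is an added example, not a file from the WebKit tree, that exercises those same behaviours in plain JavaScript; its function and variable names are made up for illustration.

```javascript
// Added example (not from the WebKit tree): exercises the const behaviours the
// stress tests above are named after. The helper names are made up for this example.

// Returns true only if fn throws an instance of errorType.
function throwsWith(fn, errorType) {
  try {
    fn();
  } catch (e) {
    return e instanceof errorType;
  }
  return false;
}

// TDZ: a const binding exists from the top of its block but cannot be read
// before its declaration is evaluated; the read throws a ReferenceError.
function readBeforeDeclaration() {
  const peek = () => value; // closure created while `value` is still in its TDZ
  const early = throwsWith(peek, ReferenceError);
  const value = 1;
  return { early, late: peek() };
}

// Invalid assignment: every write to a const binding throws a TypeError,
// in sloppy mode as well as strict mode, and the binding keeps its value.
function assignToConst() {
  const c = 1;
  return [
    throwsWith(() => { c = 2; }, TypeError),
    throwsWith(() => { c += 1; }, TypeError),
    throwsWith(() => { c++; }, TypeError),
    c,
  ];
}

// Loop semantics: for-of creates a fresh const binding per iteration, so each
// closure sees its own value; a C-style loop that increments a const throws.
function constInLoops() {
  const captured = [];
  for (const v of [10, 20, 30]) captured.push(() => v);
  const perIteration = captured.map((f) => f());
  const incrementThrows = throwsWith(() => {
    for (const i = 0; i < 3; i++) { /* i++ throws after the first iteration */ }
  }, TypeError);
  return { perIteration, incrementThrows };
}

// const and `with`: a write inside `with` goes to the object when it has the
// property, and only falls through to the outer const (and throws) when it does
// not. The body is built with `new Function` so it runs in sloppy mode even if
// this file is loaded as a strict module, where `with` is a syntax error.
const constAndWith = new Function(`
  const x = 1;
  const obj = { x: 100 };
  with (obj) { x = 200; }
  let bareWrite = false;
  try { with ({}) { x = 300; } } catch (e) { bareWrite = e instanceof TypeError; }
  return { shadowedWrite: obj.x, bareWrite, x };
`);
```

Each function returns what it observed rather than printing it, so the same script doubles as a regression check: a broken engine shows up as a wrong value, not as a missing line of output.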
3327
3328 2015-07-18  Saam barati  <saambarati1@gmail.com>
3329
3330         lexical scoping is broken with respect to "break" and "continue"
3331         https://bugs.webkit.org/show_bug.cgi?id=147063
3332
3333         Reviewed by Filip Pizlo.
3334
3335         Bug #142944, which introduced "let" and lexical scoping,
3336         didn't properly hook into the bytecode generator's machinery
3337         for calculating scope depth deltas for "break" and "continue". This
3338         resulted in the bytecode generator popping an incorrect number
3339         of scopes when lexical scopes were involved.
3340
3341         This patch fixes this problem and generalizes this machinery a bit.
3342         This patch also renames old functions in a sensible way that is more
3343         coherent in a world with lexical scoping.
3344
3345         * bytecompiler/BytecodeGenerator.cpp:
3346         (JSC::BytecodeGenerator::BytecodeGenerator):
3347         (JSC::BytecodeGenerator::newLabelScope):
3348         (JSC::BytecodeGenerator::emitProfileType):
3349         (JSC::BytecodeGenerator::pushLexicalScope):
3350         (JSC::BytecodeGenerator::popLexicalScope):
3351         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3352         (JSC::BytecodeGenerator::resolveType):
3353         (JSC::BytecodeGenerator::emitResolveScope):
3354         (JSC::BytecodeGenerator::emitGetFromScope):
3355         (JSC::BytecodeGenerator::emitPutToScope):
3356         (JSC::BytecodeGenerator::emitPushWithScope):
3357         (JSC::BytecodeGenerator::emitGetParentScope):
3358         (JSC::BytecodeGenerator::emitPopScope):
3359         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
3360         (JSC::BytecodeGenerator::emitPopScopes):
3361         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
3362         (JSC::BytecodeGenerator::localScopeDepth):
3363         (JSC::BytecodeGenerator::labelScopeDepth):
3364         (JSC::BytecodeGenerator::emitThrowReferenceError):
3365         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
3366         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
3367         (JSC::BytecodeGenerator::popScopedControlFlowContext):
3368         (JSC::BytecodeGenerator::emitPushCatchScope):
3369         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
3370         * bytecompiler/BytecodeGenerator.h:
3371         (JSC::BytecodeGenerator::hasFinaliser):
3372         (JSC::BytecodeGenerator::scopeDepth): Deleted.
3373         * bytecompiler/NodesCodegen.cpp:
3374         (JSC::ContinueNode::trivialTarget):
3375         (JSC::BreakNode::trivialTarget):
3376         (JSC::ReturnNode::emitBytecode):
3377         (JSC::WithNode::emitBytecode):
3378         (JSC::TryNode::emitBytecode):
3379         * tests/stress/lexical-scoping-break-continue.js: Added.
3380         (assert):
3381         (.):
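
The bug described in this entry is that break and continue popped the wrong number of scopes once let bindings were involved, so a read after the jump could resolve to a stale or wrong binding. The following is an added example, not the lexical-scoping-break-continue.js test from the tree, that probes exactly that: every jump crosses one or more let scopes and the values read afterwards reveal whether the right scopes were popped. Function and variable names are made up for illustration.

```javascript
// Added example (not from the WebKit tree): checks that break and continue leave
// the right number of lexical scopes behind, so bindings resolve correctly
// afterwards. Function and variable names are made up for this example.

// Each iteration shadows `x` twice; continue and break must pop exactly the
// scopes they jump out of, so the later reads see the intended binding.
function breakContinueThroughLetScopes() {
  const trace = [];
  let x = 'outer';
  outer: for (let i = 0; i < 3; i++) {
    let x = 'loop' + i;          // body-level shadow of the outer x
    {
      let x = 'block' + i;       // one more scope to pop on break/continue
      if (i === 0) continue;     // pops block + body scopes, resumes the loop
      if (i === 2) break outer;  // pops everything down to the function scope
      trace.push(x);             // 'block1'
    }
    trace.push(x);               // 'loop1', not 'block1'
  }
  trace.push(x);                 // 'outer', not a stale loop binding
  return trace;
}

// continue from inside a switch clause block: both the clause block and the
// loop body carry let bindings that must be popped together.
function continueInsideSwitch() {
  const seen = [];
  for (let i = 0; i < 4; i++) {
    switch (i % 2) {
      case 0: {
        let tag = 'even';
        if (i === 2) continue;   // leaves the clause block and the body
        seen.push(tag + i);
        break;                   // leaves only the switch
      }
      default: {
        let tag = 'odd';
        seen.push(tag + i);
      }
    }
  }
  return seen;
}

// Per-iteration let bindings captured by closures must survive an early break.
function closuresSurviveBreak() {
  const fns = [];
  for (let i = 0; i < 10; i++) {
    let doubled = i * 2;
    fns.push(() => [i, doubled]);
    if (i === 2) break;
  }
  return fns.map((f) => f());
}
```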
3382
3383 2015-07-18  Commit Queue  <commit-queue@webkit.org>
3384
3385         Unreviewed, rolling out r186996.
3386         https://bugs.webkit.org/show_bug.cgi?id=147070
3387
3388         Broke JSC tests (Requested by smfr on #webkit).
3389
3390         Reverted changeset:
3391
3392         "lexical scoping is broken with respect to "break" and
3393         "continue""
3394         https://bugs.webkit.org/show_bug.cgi?id=147063
3395         http://trac.webkit.org/changeset/186996
3396
3397 2015-07-18  Saam barati  <saambarati1@gmail.com>
3398
3399         lexical scoping is broken with respect to "break" and "continue"
3400         https://bugs.webkit.org/show_bug.cgi?id=147063
3401
3402         Reviewed by Filip Pizlo.
3403
3404         Bug #142944, which introduced "let" and lexical scoping,
3405         didn't properly hook into the bytecode generator's machinery
3406         for calculating scope depth deltas for "break" and "continue". This
3407         resulted in the bytecode generator popping an incorrect number
3408         of scopes when lexical scopes were involved.
3409
3410         This patch fixes this problem and generalizes this machinery a bit.
3411         This patch also renames old functions in a sensible way that is more
3412         coherent in a world with lexical scoping.
3413
3414         * bytecompiler/BytecodeGenerator.cpp:
3415         (JSC::BytecodeGenerator::BytecodeGenerator):
3416         (JSC::BytecodeGenerator::newLabelScope):
3417         (JSC::BytecodeGenerator::emitProfileType):
3418         (JSC::BytecodeGenerator::pushLexicalScope):
3419         (JSC::BytecodeGenerator::popLexicalScope):
3420         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
3421         (JSC::BytecodeGenerator::resolveType):
3422         (JSC::BytecodeGenerator::emitResolveScope):
3423         (JSC::BytecodeGenerator::emitGetFromScope):
3424         (JSC::BytecodeGenerator::emitPutToScope):
3425         (JSC::BytecodeGenerator::emitPushWithScope):
3426         (JSC::BytecodeGenerator::emitGetParentScope):
3427         (JSC::BytecodeGenerator::emitPopScope):
3428         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
3429         (JSC::BytecodeGenerator::emitPopScopes):
3430         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
3431         (JSC::BytecodeGenerator::localScopeDepth):
3432         (JSC::BytecodeGenerator::labelScopeDepth):
3433         (JSC::BytecodeGenerator::emitThrowReferenceError):
3434         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
3435         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
3436         (JSC::BytecodeGenerator::popScopedControlFlowContext):
3437         (JSC::BytecodeGenerator::emitPushCatchScope):
3438         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
3439         * bytecompiler/BytecodeGenerator.h:
3440         (JSC::BytecodeGenerator::hasFinaliser):
3441         (JSC::BytecodeGenerator::scopeDepth): Deleted.
3442         * bytecompiler/NodesCodegen.cpp:
3443         (JSC::ContinueNode::trivialTarget):
3444         (JSC::BreakNode::trivialTarget):
3445         (JSC::ReturnNode::emitBytecode):
3446         (JSC::WithNode::emitBytecode):
3447         (JSC::TryNode::emitBytecode):
3448         * tests/stress/lexical-scoping-break-continue.js: Added.
3449         (assert):
3450         (.):
3451
3452 2015-07-17  Filip Pizlo  <fpizlo@apple.com>
3453
3454         DFG should have some obvious mitigations against watching structures that are unprofitable to watch
3455         https://bugs.webkit.org/show_bug.cgi?id=147034
3456
3457         Reviewed by Mark Lam and Michael Saboff.
3458         
3459         This implements two guards against the DFG watching structures that are likely to fire
3460         their watchpoints:
3461         
3462         - Don't watch dictionaries or any structure that had a dictionary in its past. Dictionaries
3463           can be flattened, and then they can transform back to dictionaries.
3464         
3465         - Don't watch structures whose past structures were transitioned-away from while their
3466           transition watchpoints were being watched. This property gives us monotonicity: if we
3467           recompile because we watched structure S1 of object O, then we won't make the same mistake
3468           again when object O has structure S2, S3, and so on.
3469         
3470         This is a 1.5% speed-up on Kraken. It does penalize some Octane tests, but it also seems to
3471         help some of them, so on Octane it's basically neutral.
3472
3473         * bytecode/Watchpoint.h:
3474         (JSC::WatchpointSet::invalidate):
3475         (JSC::WatchpointSet::isBeingWatched):
3476         (JSC::WatchpointSet::addressOfState):
3477         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
3478         (JSC::InlineWatchpointSet::touch):
3479         (JSC::InlineWatchpointSet::isBeingWatched):
3480         * runtime/JSGlobalObject.h:
3481         (JSC::JSGlobalObject::createStructure):
3482         (JSC::JSGlobalObject::registerWeakMap):
3483         * runtime/Structure.cpp:
3484         (JSC::Structure::Structure):
3485         (JSC::Structure::toDictionaryTransition):
3486         (JSC::Structure::didTransitionFromThisStructure):
3487         * runtime/Structure.h:
3488
3489 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
3490
3491         Remove DFG::DesiredWriteBarriers because it's just a very difficult way of saying "please barrier the machine code block owner"
3492         https://bugs.webkit.org/show_bug.cgi?id=147030
3493
3494         Reviewed by Andreas Kling.
3495         
3496         All of the users of DesiredWriteBarriers were just using it to request that Plan
3497         finalization executes a barrier on codeBlock->ownerExecutable. Indeed, that's the only
3498         owning cell in the heap that compilation affects. So, we might as well just have Plan
3499         unconditionally execute that barrier and then we don't need DesiredWriteBarriers at
3500         all.
3501
3502         * CMakeLists.txt:
3503         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3504         * JavaScriptCore.xcodeproj/project.pbxproj:
3505         * dfg/DFGByteCodeParser.cpp:
3506         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3507         * dfg/DFGDesiredWriteBarriers.cpp: Removed.
3508         * dfg/DFGDesiredWriteBarriers.h: Removed.
3509         * dfg/DFGGraph.cpp:
3510         (JSC::DFG::Graph::registerFrozenValues):
3511         * dfg/DFGPlan.cpp:
3512         (JSC::DFG::Plan::reallyAdd):
3513         (JSC::DFG::Plan::notifyCompiling):
3514         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
3515         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
3516         (JSC::DFG::Plan::cancel):
3517         * dfg/DFGPlan.h:
3518
3519 2015-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3520
3521         Integrate automatic microtask draining into JSC framework and re-enable Promise
3522         https://bugs.webkit.org/show_bug.cgi?id=146828
3523
3524         Reviewed by Sam Weinig.
3525
3526         Add automatic microtask draining system into JSC framework.
3527         Just before the depth of the VM lock drops to 0, we drain the queued microtasks.
3528         Enqueuing behavior can be injected by the JSGlobalObject's method table.
3529         It is utilized in WebCore to post the microtask to WebCore's event loop.
3530
3531         In the case of the JSC interactive shell, the VM lock depth is always greater than 0,
3532         so we manually drain the queued microtasks after evaluating the written line.
3533
3534         Since the JSC framework now has a microtask queue, we can drain the queued microtasks,
3535         so re-enable Promise in the JSC framework context.
3536
3537         * API/JSContextRef.cpp:
3538         (javaScriptRuntimeFlags): Deleted.
3539         * API/tests/testapi.c:
3540         (main):
3541         * API/tests/testapi.mm:
3542         (testObjectiveCAPIMain):
3543         * jsc.cpp:
3544         (runInteractive):
3545         * runtime/JSGlobalObject.cpp:
3546         (JSC::JSGlobalObject::queueMicrotask):
3547         * runtime/JSLock.cpp:
3548         (JSC::JSLock::willReleaseLock):
3549         * runtime/VM.cpp:
3550         (JSC::VM::queueMicrotask):
3551         (JSC::VM::drainMicrotasks):
3552         (JSC::QueuedTask::run):
3553         * runtime/VM.h:
3554         (JSC::QueuedTask::QueuedTask):
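
The draining rule in this entry (enqueue through the global object, drain just before the outermost lock release, drain by hand in the shell where the lock is never released) is easy to get subtly wrong in an embedding. The block below is an added example, not JSC code: a small JavaScript model of that mechanism, with made-up class and method names, that shows when queued tasks run relative to synchronous work and nested lock acquisitions.

```javascript
// Added example: a small model of the microtask draining described above.
// It is not JSC code; ModelVM and its methods are made up for illustration.

class ModelVM {
  constructor() {
    this.lockDepth = 0;
    this.microtasks = [];
    this.log = [];
  }

  // Counterpart of JSGlobalObject::queueMicrotask: just enqueue, never run inline.
  queueMicrotask(name, fn) {
    this.microtasks.push({ name, fn });
  }

  // Counterpart of VM::drainMicrotasks: run until the queue is empty, including
  // tasks enqueued by tasks that are already running.
  drainMicrotasks() {
    while (this.microtasks.length) {
      const task = this.microtasks.shift();
      this.log.push(`run:${task.name}`);
      task.fn(this);
    }
  }

  // Counterpart of taking and releasing the JSLock. Draining happens just before
  // the outermost release, so a nested acquisition (depth > 1) never drains.
  withLock(name, body) {
    this.lockDepth++;
    this.log.push(`enter:${name}@${this.lockDepth}`);
    try {
      return body(this);
    } finally {
      if (this.lockDepth === 1) this.drainMicrotasks();
      this.lockDepth--;
      this.log.push(`leave:${name}@${this.lockDepth}`);
    }
  }
}

// Embedding-style use: each API call takes the lock; microtasks run when the
// outermost call returns, after all synchronous work, never in the middle of it.
function embeddingScenario() {
  const vm = new ModelVM();
  vm.withLock('evaluateScript', (v) => {
    v.queueMicrotask('then1', (inner) => inner.queueMicrotask('then2', () => {}));
    v.withLock('nestedCallback', () => v.log.push('sync-nested'));
    v.log.push('sync-outer');
  });
  return vm.log;
}

// Shell-style use: the interactive loop holds the lock for its whole lifetime, so
// depth never reaches 0 and each evaluated line must drain explicitly.
function shellScenario() {
  const vm = new ModelVM();
  vm.lockDepth = 1; // held by the REPL for its whole lifetime
  const lines = ['a', 'b']; // constructed input: two REPL lines
  for (const line of lines) {
    vm.queueMicrotask(`then-${line}`, () => {});
    vm.log.push(`evaluated:${line}`);
    vm.drainMicrotasks(); // the manual drain the shell performs after each line
  }
  return vm.log;
}
```

The log from embeddingScenario shows the two properties an embedder relies on: the nested lock release at depth 2 does not drain, and a task queued by a running task (then2) still runs in the same drain.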
3555
3556 2015-07-17  Saam barati  <saambarati1@gmail.com>
3557
3558         Function parameters should be parsed in the same parser arena as the function body
3559         https://bugs.webkit.org/show_bug.cgi?id=145995
3560
3561         Reviewed by Yusuke Suzuki.
3562
3563         This patch changes how functions are parsed in JSC. A function's
3564         parameters are now parsed in the same arena as the function itself.
3565         This allows us to arena allocate all destructuring AST nodes and
3566         the FunctionParameters node. This will help make implementing ES6
3567         default parameter values sane.
3568
3569         The SourceCode that represents a function now includes the text of the function's 
3570         parameters. The starting offset is at the opening parenthesis of the parameter
3571         list or at the starting character of the identifier for arrow functions that
3572         have single arguments and don't start with parenthesis.
3573
3574         For example:
3575
3576         "function (param1, param2) { ... }"
3577                                    ^
3578                                    | This offset used to be the starting offset of a function's SourceCode
3579                   ^
3580                   | This is the new starting offset for a function's SourceCode.
3581
3582         This requires us to change how some offsets are calculated
3583         and also requires us to report some different line numbers for internal
3584         metrics that use a SourceCode's starting line and column numbers.
3585
3586         This patch also does a bit of cleanup with regards to how
3587         functions are parsed in general (especially arrow functions).
3588         It removes some unnecessary #ifdefs and the likes for arrow
3589         to make things clearer and more deliberate.
3590
3591         * API/JSScriptRef.cpp:
3592         (parseScript):
3593         * builtins/BuiltinExecutables.cpp:
3594         (JSC::BuiltinExecutables::createExecutableInternal):
3595         * bytecode/UnlinkedCodeBlock.cpp:
3596         (JSC::generateFunctionCodeBlock):
3597         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3598         (JSC::UnlinkedFunctionExecutable::visitChildren):
3599         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
3600         * bytecode/UnlinkedCodeBlock.h:
3601         * bytecompiler/NodesCodegen.cpp:
3602         (JSC::DestructuringAssignmentNode::emitBytecode):
3603         (JSC::assignDefaultValueIfUndefined):
3604         (JSC::ArrayPatternNode::collectBoundIdentifiers):
3605         (JSC::DestructuringPatternNode::~DestructuringPatternNode): Deleted.
3606         * parser/ASTBuilder.h:
3607         (JSC::ASTBuilder::createClassExpr):
3608         (JSC::ASTBuilder::createFunctionExpr):
3609         (JSC::ASTBuilder::createFunctionBody):
3610         (JSC::ASTBuilder::createArrowFunctionExpr):
3611         (JSC::ASTBuilder::createGetterOrSetterProperty):
3612         (JSC::ASTBuilder::createElementList):
3613         (JSC::ASTBuilder::createFormalParameterList):
3614         (JSC::ASTBuilder::appendParameter):
3615         (JSC::ASTBuilder::createClause):
3616         (JSC::ASTBuilder::createClauseList):
3617         (JSC::ASTBuilder::createFuncDeclStatement):
3618         (JSC::ASTBuilder::createForInLoop):
3619         (JSC::ASTBuilder::createForOfLoop):
3620         (JSC::ASTBuilder::isResolve):
3621         (JSC::ASTBuilder::createDestructuringAssignment):
3622         (JSC::ASTBuilder::createArrayPattern):
3623         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
3624         (JSC::ASTBuilder::appendArrayPatternEntry):
3625         (JSC::ASTBuilder::appendArrayPatternRestEntry):
3626         (JSC::ASTBuilder::finishArrayPattern):
3627         (JSC::ASTBuilder::createObjectPattern):
3628         (JSC::ASTBuilder::appendObjectPatternEntry):
3629         (JSC::ASTBuilder::createBindingLocation):
3630         (JSC::ASTBuilder::setEndOffset):
3631         * parser/Lexer.cpp:
3632         (JSC::Lexer<T>::Lexer):
3633         (JSC::Lexer<T>::nextTokenIsColon):
3634         (JSC::Lexer<T>::setTokenPosition):
3635         (JSC::Lexer<T>::lex):
3636         (JSC::Lexer<T>::clear):
3637         * parser/Lexer.h:
3638         (JSC::Lexer::setIsReparsingFunction):
3639         (JSC::Lexer::isReparsingFunction):
3640         (JSC::Lexer::lineNumber):
3641         (JSC::Lexer::setIsReparsing): Deleted.
3642         (JSC::Lexer::isReparsing): Deleted.
3643         * parser/NodeConstructors.h:
3644         (JSC::TryNode::TryNode):
3645         (JSC::FunctionParameters::FunctionParameters):
3646         (JSC::FuncExprNode::FuncExprNode):
3647         (JSC::FuncDeclNode::FuncDeclNode):
3648         (JSC::ArrayPatternNode::ArrayPatternNode):
3649         (JSC::ObjectPatternNode::ObjectPatternNode):
3650         (JSC::BindingNode::BindingNode):
3651         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
3652         (JSC::ParameterNode::ParameterNode): Deleted.
3653         (JSC::ArrayPatternNode::create): Deleted.
3654         (JSC::ObjectPatternNode::create): Deleted.
3655         (JSC::BindingNode::create): Deleted.
3656         * parser/Nodes.cpp:
3657         (JSC::ProgramNode::ProgramNode):
3658         (JSC::EvalNode::EvalNode):
3659         (JSC::FunctionBodyNode::FunctionBodyNode):
3660         (JSC::FunctionBodyNode::finishParsing):
3661         (JSC::FunctionNode::FunctionNode):
3662         (JSC::FunctionNode::finishParsing):
3663         (JSC::FunctionParameters::create): Deleted.
3664         (JSC::FunctionParameters::FunctionParameters): Deleted.
3665         (JSC::FunctionParameters::~FunctionParameters): Deleted.
3666         * parser/Nodes.h:
3667         (JSC::ProgramNode::startColumn):
3668         (JSC::ProgramNode::endColumn):
3669         (JSC::EvalNode::startColumn):
3670         (JSC::EvalNode::endColumn):
3671         (JSC::FunctionParameters::size):
3672         (JSC::FunctionParameters::at):
3673         (JSC::FunctionParameters::append):
3674         (JSC::FuncExprNode::body):
3675         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
3676         (JSC::DestructuringPatternNode::isBindingNode):
3677         (JSC::DestructuringPatternNode::emitDirectBinding):
3678         (JSC::ArrayPatternNode::appendIndex):
3679         (JSC::ObjectPatternNode::appendEntry):
3680         (JSC::BindingNode::boundProperty):
3681         (JSC::BindingNode::divotStart):
3682         (JSC::BindingNode::divotEnd):
3683         (JSC::DestructuringAssignmentNode::bindings):
3684         (JSC::FuncDeclNode::body):
3685         (JSC::ParameterNode::pattern): Deleted.
3686         (JSC::ParameterNode::nextParam): Deleted.
3687         (JSC::FunctionParameters::patterns): Deleted.
3688         * parser/Parser.cpp:
3689         (JSC::Parser<LexerType>::Parser):
3690         (JSC::Parser<LexerType>::~Parser):
3691         (JSC::Parser<LexerType>::parseInner):
3692         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
3693         (JSC::Parser<LexerType>::parseSourceElements):
3694         (JSC::Parser<LexerType>::createBindingPattern):
3695         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
3696         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
3697         (JSC::Parser<LexerType>::parseSwitchClauses):
3698         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
3699         (JSC::Parser<LexerType>::parseBlockStatement):
3700         (JSC::Parser<LexerType>::parseStatement):
3701         (JSC::Parser<LexerType>::parseFormalParameters):
3702         (JSC::Parser<LexerType>::parseFunctionBody):
3703         (JSC::stringForFunctionMode):
3704         (JSC::Parser<LexerType>::parseFunctionParameters):
3705         (JSC::Parser<LexerType>::parseFunctionInfo):
3706         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3707         (JSC::Parser<LexerType>::parseClass):
3708         (JSC::Parser<LexerType>::parsePrimaryExpression):
3709         (JSC::Parser<LexerType>::parseMemberExpression):
3710         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
3711         (JSC::operatorString):
3712         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody): Deleted.
3713         * parser/Parser.h:
3714         (JSC::Parser::positionBeforeLastNewline):
3715         (JSC::Parser::locationBeforeLastToken):
3716         (JSC::Parser::findCachedFunctionInfo):
3717         (JSC::Parser::isofToken):
3718         (JSC::Parser::isEndOfArrowFunction):
3719         (JSC::Parser::isArrowFunctionParamters):
3720         (JSC::Parser::tokenStart):
3721         (JSC::Parser::isLETMaskedAsIDENT):
3722         (JSC::Parser::autoSemiColon):
3723         (JSC::Parser::setEndOfStatement):
3724         (JSC::Parser::canRecurse):
3725         (JSC::Parser<LexerType>::parse):
3726         (JSC::parse):
3727         * parser/ParserFunctionInfo.h:
3728         * parser/ParserModes.h:
3729         (JSC::functionNameIsInScope):
3730         * parser/SourceCode.h:
3731         (JSC::makeSource):
3732         (JSC::SourceCode::subExpression):
3733         (JSC::SourceCode::subArrowExpression): Deleted.
3734         * parser/SourceProviderCache.h:
3735         (JSC::SourceProviderCache::get):
3736         * parser/SourceProviderCacheItem.h:
3737         (JSC::SourceProviderCacheItem::endFunctionToken):
3738         (JSC::SourceProviderCacheItem::usedVariables):
3739         (JSC::SourceProviderCacheItem::writtenVariables):
3740         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
3741         * parser/SyntaxChecker.h:
3742         (JSC::SyntaxChecker::SyntaxChecker):
3743         (JSC::SyntaxChecker::createClassExpr):
3744         (JSC::SyntaxChecker::createFunctionExpr):
3745         (JSC::SyntaxChecker::createFunctionBody):
3746         (JSC::SyntaxChecker::createArrowFunctionExpr):
3747         (JSC::SyntaxChecker::setFunctionNameStart):
3748         (JSC::SyntaxChecker::createArguments):
3749         (JSC::SyntaxChecker::createPropertyList):
3750         (JSC::SyntaxChecker::createElementList):
3751         (JSC::SyntaxChecker::createFormalParameterList):
3752         (JSC::SyntaxChecker::appendParameter):
3753         (JSC::SyntaxChecker::createClause):
3754         (JSC::SyntaxChecker::createClauseList):
3755         * runtime/CodeCache.cpp:
3756         (JSC::CodeCache::getGlobalCodeBlock):
3757         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3758         * runtime/Completion.cpp:
3759         (JSC::checkSyntax):
3760         * runtime/Executable.cpp:
3761         (JSC::ProgramExecutable::checkSyntax):
3762         * tests/controlFlowProfiler/conditional-expression.js:
3763         (testConditionalFunctionCall):
3764
3765 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
3766
3767         Unreviewed, fix build for newer LLVMs.
3768
3769         * llvm/LLVMHeaders.h:
3770         * llvm/library/LLVMExports.cpp:
3771
3772 2015-07-16  Mark Lam  <mark.lam@apple.com>
3773
3774         RegExp::match() should set m_state to ByteCode if compilation fails.
3775         https://bugs.webkit.org/show_bug.cgi?id=147023
3776
3777         Reviewed by Michael Saboff.
3778
3779         A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
3780         If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
3781         Subsequently, if RegExp tries to compile another one of these but fails, m_state
3782         will be left untouched i.e. it still says JITCode.  As a result, when
3783         RegExp::match() later tries to execute the non-existent compiled code, it will
3784         crash.
3785
3786         The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
3787         This failure should be rare.  We'll do the minimal work here to fix the issue and
3788         keep an eye on the perf bots.  If perf regresses, we can do some optimization work then.
3789
3790         This issue is difficult to test for since it either requires a low memory condition
3791         to trigger a failed RegExp compilation at the right moment, or for the RegExp to
3792         succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
3793         Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
3794         10 compilation attempts.
3795
3796         * runtime/RegExp.cpp:
3797         (JSC::RegExp::compile):
3798         (JSC::RegExp::compileMatchOnly):
3799
3800 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
3801
3802         [Win] Fix armv7 build.
3803
3804         * jit/CCallHelpers.h:
3805         (JSC::CCallHelpers::setupArgumentsWithExecState): The 64-bit argument
3806         version of poke is not available on armv7 builds.
3807
3808 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
3809
3810         [Win] 64-bit Build Failure
3811         https://bugs.webkit.org/show_bug.cgi?id=146989
3812
3813         Reviewed by Mark Lam.
3814
3815         * jit/CCallHelpers.h:
3816         (JSC::CCallHelpers::setupArgumentsWithExecState): Add missing
3817         declaration for 64-bit type on 4-argument register machines (like
3818         Windows).
3819
3820 2015-07-15  Saam barati  <saambarati1@gmail.com>
3821
3822         [ES6] implement block scoping to enable 'let'
3823         https://bugs.webkit.org/show_bug.cgi?id=142944
3824
3825         Reviewed by Filip Pizlo.
3826
3827         * CMakeLists.txt:
3828         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3829         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3830         * JavaScriptCore.xcodeproj/project.pbxproj:
3831         * builtins/BuiltinExecutables.cpp:
3832         (JSC::BuiltinExecutables::createExecutableInternal):
3833         * bytecode/BytecodeList.json:
3834         This patch adds a new opcode and removes op_pop_scope:
3835         1) op_get_parent_scope returns the parent scope but doesn't 
3836         implicitly write that scope into the scope register. op_pop_scope
3837         is now reduced to op_get_parent_scope followed by op_mov.
3838
3839         * bytecode/BytecodeUseDef.h:
3840         (JSC::computeUsesForBytecodeOffset):
3841         (JSC::computeDefsForBytecodeOffset):
3842         * bytecode/CodeBlock.cpp:
3843         (JSC::CodeBlock::dumpBytecode):
3844         (JSC::CodeBlock::CodeBlock):
3845         (JSC::CodeBlock::stronglyVisitStrongReferences):
3846         * bytecode/CodeBlock.h:
3847         (JSC::CodeBlock::addStringSwitchJumpTable):
3848         (JSC::CodeBlock::stringSwitchJumpTable):
3849         (JSC::CodeBlock::symbolTable):
3850         (JSC::CodeBlock::evalCodeCache):
3851         (JSC::CodeBlock::setConstantRegisters):
3852         (JSC::CodeBlock::replaceConstant):
3853         op_put_to_scope for LocalClosureVar now takes as an argument
3854         the constant index for the Symbol Table it will be putting into.
3855         This argument is only used to communicate from the BytecodeGenerator
3856         to CodeBlock linking time and it is not present in the linked bytecode.
3857
3858         op_put_to_scope for non LocalClosureVar takes, at the same index, an
3859         argument that represents the local scope depth which it uses for
3860         JSScope::abstractResolve to know how many scopes it needs to skip.
3861         Again, this is not in the linked code.
3862         op_get_from_scope and op_resolve_scope also take as an argument
3863         the local scope depth to use in JSScope::abstractResolve. Again,
3864         this is not used in the linked code.
3865
3866         * bytecode/EvalCodeCache.h:
3867         (JSC::EvalCodeCache::tryGet):
3868         (JSC::EvalCodeCache::getSlow):
3869         (JSC::EvalCodeCache::clear):
3870         (JSC::EvalCodeCache::isCacheable):
3871         When direct eval is called and passed a scope that 
3872         corresponds to a lexical scope, we can't safely cache 
3873         that code because we won't be able to guarantee
3874         that the cached code is always executed in the same scope.
3875         Consider this example:
3876         function foo(b) {
3877             let x = 20;
3878             eval("x;");
3879             if (b) {
3880                 let x = 30;
3881                 if (b) {
3882                     let y = 40;
3883                     eval("x;");
3884                 }
3885             }
3886         }
3887
3888         We can't reuse resolution depth when linking get_from_scope in evals.
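
The point of the foo example above is that the eval source text alone does not determine which binding "x" resolves to, so a cache keyed on that text would hand back code linked against the wrong scope depth. The following is an added example, not code from the WebKit tree, that makes the two resolutions observable from script and contrasts direct eval (which sees the lexical scope) with indirect eval (which does not); function names are made up for illustration.

```javascript
// Added example (not from the WebKit tree): the same eval source resolves to
// different bindings at different lexical depths, which is why eval code cannot
// be cached by source text alone. Function names are made up for this example.

function evalAtTwoDepths(b) {
  let x = 20;
  const results = [];
  results.push(eval("x;"));          // resolves the function-level x: 20
  if (b) {
    let x = 30;
    if (b) {
      let y = 40;
      results.push(eval("x;"));      // identical source, resolves the inner x: 30
      results.push(eval("x + y;"));  // y only exists at this depth: 70
    }
  }
  return results;
}

// Direct eval runs in the caller's lexical scope; indirect eval runs in the
// global scope and never sees a let declared in a function.
function directVersusIndirect() {
  let x = 'lexical';
  const direct = eval("typeof x");          // 'string': sees the let above
  const indirect = (0, eval)("typeof x");   // 'undefined': global scope has no x
  return { direct, indirect };
}
```

Calling evalAtTwoDepths(true) yields one value per eval site even though two of the sites share the source "x;", which is the situation the cache has to refuse.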
3889
3890         * bytecode/UnlinkedCodeBlock.cpp:
3891         (JSC::generateFunctionCodeBlock):
3892         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3893         (JSC::UnlinkedFunctionExecutable::parameterCount):
3894         * bytecode/UnlinkedCodeBlock.h:
3895         Unlinked functions now know the variables that were under TDZ in their parent
3896         scope.
3897
3898         (JSC::UnlinkedCodeBlock::symbolTable):
3899         (JSC::UnlinkedCodeBlock::setSymbolTable):
3900         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
3901         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
3902         (JSC::UnlinkedCodeBlock::vm):
3903         * bytecompiler/BytecodeGenerator.cpp:
3904