Web Inspector: We should have a way to capture heap snapshots programatically.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
2
3         Web Inspector: We should have a way to capture heap snapshots programatically.
4         https://bugs.webkit.org/show_bug.cgi?id=154407
5         <rdar://problem/24726292>
6
7         Reviewed by Timothy Hatcher.
8
9         * inspector/protocol/Console.json:
10         Add a new Console.heapSnapshot event for when a heap snapshot is taken.
11
12         * runtime/ConsolePrototype.cpp:
13         (JSC::ConsolePrototype::finishCreation):
14         (JSC::consoleProtoFuncProfile):
15         (JSC::consoleProtoFuncProfileEnd):
16         (JSC::consoleProtoFuncTakeHeapSnapshot):
17         * runtime/ConsoleClient.h:
18         Add the console.takeHeapSnapshot method and dispatch to the ConsoleClient.
19
20         * inspector/JSGlobalObjectConsoleClient.cpp:
21         (Inspector::JSGlobalObjectConsoleClient::takeHeapSnapshot):
22         * inspector/JSGlobalObjectConsoleClient.h:
23         Have the InspectorConsoleAgent handle this.
24
25         * inspector/JSGlobalObjectInspectorController.cpp:
26         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
27         * inspector/agents/InspectorConsoleAgent.cpp:
28         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
29         (Inspector::InspectorConsoleAgent::takeHeapSnapshot):
30         * inspector/agents/InspectorConsoleAgent.h:
31         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
32         (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
33         * inspector/agents/JSGlobalObjectConsoleAgent.h:
34         Give the ConsoleAgent a HeapAgent pointer so that it can have the HeapAgent
35         perform the snapshot building work like it normally does.
36
37 2016-03-29  Yusuke Suzuki  <utatane.tea@gmail.com>
38
39         REGRESSION(r192914): 10% regression on Sunspider's date-format-tofte
40         https://bugs.webkit.org/show_bug.cgi?id=155559
41
42         Reviewed by Saam Barati.
43
44         The fast path of the eval function is the super hot path in date-format-tofte.
45         Any performance regression is not allowed here.
46         Before this patch, we allocated SourceCode in the fast path.
47         This allocation incurs 10% performance regression.
48
49         This patch removes this allocation in the fast path.
50         And change the key of the EvalCodeCache to EvalCodeCache::CacheKey.
51         It combines RefPtr<StringImpl> and isArrowFunctionContext.
52         Since EvalCodeCache does not cache any eval code evaluated under the strict mode,
53         it is unnecessary to include several options (ThisTDZMode, and DerivedContextType) in the cache map's key.
54         But isArrowFunctionContext is necessary since the sloppy mode arrow function exists.
55
56         To validate this change, we add a new test that evaluates the same code
57         under the non-arrow function context and the arrow function context.
58
59         After introducing CacheKey, we observed 1% regression compared to the RefPtr<StringImpl> keyed case.
60         This is because HashMap<RefPtr<T>, ...>::get(T*) is specially optimized; this path is inlined while the normal ::get() is not inlined.
61         To avoid this performance regression, we introduce HashMap::fastGet, that aggressively encourages inlining.
62         The relationship between fastGet() and get() is similar to fastAdd() and add().
63         After applying this change, the evaluation shows no performance regression in comparison with the RefPtr<StringImpl> keyed case.
64
65         * bytecode/EvalCodeCache.h:
66         (JSC::EvalCodeCache::CacheKey::CacheKey):
67         (JSC::EvalCodeCache::CacheKey::hash):
68         (JSC::EvalCodeCache::CacheKey::isEmptyValue):
69         (JSC::EvalCodeCache::CacheKey::operator==):
70         (JSC::EvalCodeCache::CacheKey::isHashTableDeletedValue):
71         (JSC::EvalCodeCache::CacheKey::Hash::hash):
72         (JSC::EvalCodeCache::CacheKey::Hash::equal):
73         (JSC::EvalCodeCache::tryGet):
74         (JSC::EvalCodeCache::getSlow):
75         (JSC::EvalCodeCache::isCacheable):
76         * interpreter/Interpreter.cpp:
77         (JSC::eval):
78         * tests/stress/eval-in-arrow-function.js: Added.
79         (shouldBe):
80         (i):
81
82 2016-03-29  Joseph Pecoraro  <pecoraro@apple.com>
83
84         Audit WebCore builtins for user overridable code
85         https://bugs.webkit.org/show_bug.cgi?id=155923
86
87         Reviewed by Youenn Fablet.
88
89         * runtime/CommonIdentifiers.h:
90         * runtime/ObjectConstructor.cpp:
91         (JSC::ObjectConstructor::finishCreation):
92         Expose @Object.@defineProperty to built-ins.
93
94 2016-03-28  Benjamin Poulain  <bpoulain@apple.com>
95
96         [JSC] ArithSub should not propagate "UsesAsOther"
97         https://bugs.webkit.org/show_bug.cgi?id=155932
98
99         Reviewed by Mark Lam.
100
101         The node ArithSub was backpropagating UsesAsOther.
102         This causes any GetByVal on a Double Array to have an extra
103         hole check if it flows into an ArithSub.
104
105         The definition of ArithSub (12.8.4.1) has both operands go
106         through ToNumber(). ToNumber() on "undefined" always produces
107         NaN. It is safe to ignore the NaN marker from hole when
108         the DAG flows into ArithSub.
109
110         This patch also adds this change and test coverage to ArithAdd.
111         ArithAdd was not a problem in practice because it is only
112         generated before Fixup if both operands are known to be numerical.
113         The change to ArithAdd is there to protect us of the ArithSub-like
114         problems if we ever improve our support of arithmetic operators.
115
116         * dfg/DFGBackwardsPropagationPhase.cpp:
117         (JSC::DFG::BackwardsPropagationPhase::propagate):
118         * tests/stress/arith-add-on-double-array-with-holes.js: Added.
119         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
120         (let.testCase.of.testCases.observableHoleOnLhs):
121         (let.testCase.of.testCases.nonObservableHoleOnRhs):
122         (let.testCase.of.testCases.observableHoleOnRhs):
123         * tests/stress/arith-sub-on-double-array-with-holes.js: Added.
124         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
125         (let.testCase.of.testCases.observableHoleOnLhs):
126         (let.testCase.of.testCases.nonObservableHoleOnRhs):
127         (let.testCase.of.testCases.observableHoleOnRhs):
128         * tests/stress/value-add-on-double-array-with-holes.js: Added.
129         (let.testCase.of.testCases.eval.nonObservableHoleOnLhs):
130         (let.testCase.of.testCases.observableHoleOnLhs):
131         (let.testCase.of.testCases.nonObservableHoleOnRhs):
132         (let.testCase.of.testCases.observableHoleOnRhs):
133
134 2016-03-28  Brian Burg  <bburg@apple.com>
135
136         Web Inspector: protocol generator should generate C++ string-to-enum helper functions
137         https://bugs.webkit.org/show_bug.cgi?id=155691
138         <rdar://problem/25258078>
139
140         Reviewed by Timothy Hatcher.
141
142         There's a lot of code throughout the Inspector agents and automation code
143         that needs to convert a raw string into a typed protocol enum. Generate
144         some helpers that do this conversion so clients can move over to using it.
145
146         These helpers are necessary for when we eventually switch to calling backend
147         dispatcher handlers with typed arguments instead of untyped JSON objects.
148
149         To correctly generate a conversion function for an anonymous enum, the
150         generator needs to be able to get the containing object type's declaration.
151         Since the model's Type object each have only one instance, there is a
152         one-to-one association between type and its declaration.
153
154         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
155         (CppProtocolTypesHeaderGenerator.generate_output):
156         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
157         Clean up this method to use methodcaller to sort types by raw name.
158
159         (_generate_declarations_for_enum_conversion_methods):
160         (_generate_declarations_for_enum_conversion_methods.return_type_with_export_macro):
161         (_generate_declarations_for_enum_conversion_methods.type_member_is_anonymous_enum_type):
162         Added. Generates a new section with an unfilled template and specializations of
163         the template for every named and anonymous enum in every domain. Guards for
164         domains wrap the forward declarations. This is added to the end of the header
165         file so that specializations for both types of enums are in the same place.
166
167         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
168         (CppProtocolTypesImplementationGenerator.generate_output):
169         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
170         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.type_member_is_anonymous_enum_type):
171         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
172         Added. Generate a static array of offsets into the enum constant value array.
173         Then, loop over this array of offsets and do string comparisons against the
174         provided string and enum constant values at the relevant offsets for this enum.
175
176         * inspector/scripts/codegen/generator_templates.py:
177         (GeneratorTemplates): Update copyright year in generated files.
178
179         * inspector/scripts/codegen/models.py:
180         (AliasedType.__init__):
181         (EnumType.__init__):
182         (EnumType.enum_values):
183         (EnumType.declaration):
184         (ArrayType.__init__):
185         (ArrayType.declaration):
186         (ObjectType.__init__):
187         (ObjectType.declaration):
188         (Protocol.resolve_types):
189         (Protocol.lookup_type_reference):
190         Pass the type declaration to Type constructors if available. If not,
191         fill in a placeholder name for the type in the constructor instead of caller.
192
193         Rebaseline all the things, mostly for copyright block changes.
194
195         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
196         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
197         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
198         * inspector/scripts/tests/expected/enum-values.json-result:
199         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
200         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
201         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
202         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
203         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
204         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
205         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
206         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
207         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
208
209 2016-03-25  Joseph Pecoraro  <pecoraro@apple.com>
210
211         Misc. JavaScriptCore built-ins cleanups
212         https://bugs.webkit.org/show_bug.cgi?id=155920
213
214         Reviewed by Mark Lam.
215
216         * builtins/RegExpPrototype.js:
217         (match):
218         No need for an else after an if that always returns.
219
220         * builtins/TypedArrayConstructor.js:
221         (of):
222         Fix error message to use the correct function name.
223
224         (allocateInt8Array):
225         (allocateInt16Array):
226         (allocateInt32Array):
227         (allocateUint32Array):
228         (allocateUint16Array):
229         (allocateUint8Array):
230         (allocateUint8ClampedArray):
231         (allocateFloat32Array):
232         (allocateFloat64Array):
233         Cleanup style to be like all the other code.
234
235         * tests/stress/typedarray-of.js:
236         Test the exception message.
237
238 2016-03-25  Joseph Pecoraro  <pecoraro@apple.com>
239
240         Date.prototype.toLocaleDateString uses overridable Object.create
241         https://bugs.webkit.org/show_bug.cgi?id=155917
242
243         Reviewed by Mark Lam.
244
245         * builtins/DatePrototype.js:
246         (toLocaleString.toDateTimeOptionsAnyAll):
247         (toLocaleDateString.toDateTimeOptionsDateDate):
248         (toLocaleTimeString.toDateTimeOptionsTimeTime):
249         Switch from @Object.create to @Object.@create to guarentee we are
250         using the built-in create method and not user defined code.
251
252         * runtime/CommonIdentifiers.h:
253         * runtime/ObjectConstructor.cpp:
254         (JSC::ObjectConstructor::finishCreation):
255         Setup the @create private symbol.
256
257 2016-03-25  Benjamin Poulain  <bpoulain@apple.com>
258
259         [JSC] Put the x86 Assembler on a binary diet
260         https://bugs.webkit.org/show_bug.cgi?id=155683
261
262         Reviewed by Darin Adler.
263
264         The MacroAssemblers are heavily inlined. This is unfortunately
265         important for baseline JIT where many branches can be eliminated
266         at compile time.
267
268         This inlining causes a lot of binary bloat. The phases
269         lowering to ASM are massively large.
270
271         This patch improves the situation a bit for x86 through
272         many small improvements:
273
274         -Every instruction starts with ensureSpace(). The slow
275          path realloc the buffer.
276          From that slow path, only fastRealloc() was a function
277          call. What is around does not need to be fast, I moved
278          the whole grow() function out of line for those cases.
279
280         -When testing multiple registers for REX requirements,
281          we had something like this:
282              byteRegRequiresRex(reg) || byteRegRequiresRex(rm)
283              regRequiresRex(index) || regRequiresRex(base)
284          Those were producing multiple test-and-branch. Those branches
285          are effectively random so we don't have to care about individual
286          branches being predictable.
287
288          The new code effectively does:
289              byteRegRequiresRex(reg | rm)
290              regRequiresRex(index | base)
291
292         -Change "ModRmMode" to have the value we can OR directly
293          to the generated ModRm.
294          This is important because some ModRM code is so large
295          that is goes out of line;
296
297         -Finally, a big change on how we write to the AssemblerBuffer.
298
299          Previously, instructions were written byte by byte into
300          the assembler buffer of the MacroAssembler.
301
302          The problem with that is the compiler cannot prove that
303          the buffer pointer and the AssemblerBuffer are not pointing
304          to the same memory.
305
306          Because of that, before any write, all the local register
307          were pushed back to the AssemblerBuffer memory, then everything
308          was read back after the write to compute the next write.
309
310          I attempted to use the "restrict" keyword and wrapper types
311          to help Clang with that but nothing worked.
312
313          The current solution is to keep a local copy of the index
314          and the buffer pointer in the scope of each instruction.
315          That is done by AssemblerBuffer::LocalWriter.
316
317          Since LocalWriter only exists locally, it stays in
318          register and we don't have all the memory churn between
319          each byte writing. This also allows clang to combine
320          obvious cases since there are no longer observable side
321          effects between bytes.
322
323         This patch reduces the binary size by 66k. It is a small
324         speed-up on Sunspider.
325
326         * assembler/AssemblerBuffer.h:
327         (JSC::AssemblerBuffer::ensureSpace):
328         (JSC::AssemblerBuffer::LocalWriter::LocalWriter):
329         (JSC::AssemblerBuffer::LocalWriter::~LocalWriter):
330         (JSC::AssemblerBuffer::LocalWriter::putByteUnchecked):
331         (JSC::AssemblerBuffer::LocalWriter::putShortUnchecked):
332         (JSC::AssemblerBuffer::LocalWriter::putIntUnchecked):
333         (JSC::AssemblerBuffer::LocalWriter::putInt64Unchecked):
334         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
335         (JSC::AssemblerBuffer::putIntegral):
336         (JSC::AssemblerBuffer::outOfLineGrow):
337         * assembler/MacroAssemblerX86Common.h:
338         * assembler/X86Assembler.h:
339         (JSC::X86Assembler::X86InstructionFormatter::byteRegRequiresRex):
340         (JSC::X86Assembler::X86InstructionFormatter::regRequiresRex):
341         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::LocalBufferWriter):
342         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRex):
343         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexW):
344         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexIf):
345         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::emitRexIfNeeded):
346         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::putModRm):
347         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::putModRmSib):
348         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::registerModRM):
349         (JSC::X86Assembler::X86InstructionFormatter::LocalBufferWriter::memoryModRM):
350         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp): Deleted.
351         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp32): Deleted.
352         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp8): Deleted.
353         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp): Deleted.
354         (JSC::X86Assembler::X86InstructionFormatter::threeByteOp): Deleted.
355         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64): Deleted.
356         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp32): Deleted.
357         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp8): Deleted.
358         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp64): Deleted.
359         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8): Deleted.
360         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp8): Deleted.
361         (JSC::X86Assembler::X86InstructionFormatter::emitRex): Deleted.
362         (JSC::X86Assembler::X86InstructionFormatter::emitRexW): Deleted.
363         (JSC::X86Assembler::X86InstructionFormatter::emitRexIf): Deleted.
364         (JSC::X86Assembler::X86InstructionFormatter::emitRexIfNeeded): Deleted.
365         (JSC::X86Assembler::X86InstructionFormatter::putModRm): Deleted.
366         (JSC::X86Assembler::X86InstructionFormatter::putModRmSib): Deleted.
367         (JSC::X86Assembler::X86InstructionFormatter::registerModRM): Deleted.
368         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM): Deleted.
369
370 2016-03-25  Saam barati  <sbarati@apple.com>
371
372         RegExp.prototype.test should be an intrinsic again
373         https://bugs.webkit.org/show_bug.cgi?id=155861
374
375         Reviewed by Yusuke Suzuki.
376
377         * runtime/RegExpPrototype.cpp:
378         (JSC::RegExpPrototype::finishCreation):
379
380 2016-03-25  Mark Lam  <mark.lam@apple.com>
381
382         ES6's throwing of TypeErrors on access of RegExp.prototype flag properties breaks websites.
383         https://bugs.webkit.org/show_bug.cgi?id=155904
384
385         Reviewed by Geoffrey Garen.
386
387         There exists a JS library XRegExp (see http://xregexp.com) that extends the regexp
388         implementation.  XRegExp does feature testing by comparing RegExp.prototype.sticky
389         to undefined.  See:
390
391         Example 1. https://github.com/slevithan/xregexp/blob/28a2b033c5951477bed8c7c867ddf7e89c431cd4/tests/perf/index.html
392             ...
393             } else if (knownVersion[version]) {
394                 // Hack around ES6 incompatibility in XRegExp versions prior to 3.0.0
395                 if (parseInt(version, 10) < 3) {
396                     delete RegExp.prototype.sticky;
397             }
398             ...
399
400         Example 2. https://github.com/slevithan/xregexp/blob/d0e665d4068cec4d15919215b098b2373f1f12e9/tests/perf/versions/xregexp-all-v2.0.0.js
401             ...
402             // Check for flag y support (Firefox 3+)
403                 hasNativeY = RegExp.prototype.sticky !== undef,
404             ...
405
406         The ES6 spec states that we should throw a TypeError here because RegExp.prototype
407         is not a RegExp object, and the sticky getter is only allowed to be called on
408         RegExp objects.  See https://tc39.github.io/ecma262/2016/#sec-get-regexp.prototype.sticky.
409         As a result, websites that uses XRegExp can break (e.g. some Atlassian tools).
410
411         As a workaround, we'll return undefined instead of throwing on access of these
412         flag properties that may be used for feature testing.
413
414         * runtime/RegExpPrototype.cpp:
415         (JSC::regExpProtoGetterGlobal):
416         (JSC::regExpProtoGetterIgnoreCase):
417         (JSC::regExpProtoGetterMultiline):
418         (JSC::regExpProtoGetterSticky):
419         (JSC::regExpProtoGetterUnicode):
420
421 2016-03-25  Caitlin Potter  <caitp@igalia.com>
422
423         [JSC] fix divide-by-zero in String.prototype.padStart/padEnd
424         https://bugs.webkit.org/show_bug.cgi?id=155903
425
426         Reviewed by Filip Pizlo.
427
428         * runtime/StringPrototype.cpp:
429         (JSC::padString):
430
431 2016-03-25  Benjamin Poulain  <benjamin@webkit.org>
432
433         [JSC] materialize-past-butterfly-allocation.js time out in debug
434
435         * tests/stress/materialize-past-butterfly-allocation.js:
436         The test times out on the debug bots. We suspect there is nothing
437         wrong, just overkill loops.
438
439 2016-03-25  Brian Burg  <bburg@apple.com>
440
441         Web Inspector: protocol generator should prefix C++ filenames with the protocol group
442         https://bugs.webkit.org/show_bug.cgi?id=155859
443         <rdar://problem/25349859>
444
445         Reviewed by Alex Christensen and Joseph Pecoraro.
446
447         Like for generated Objective-C files, we should use the 'protocol group' name
448         as the prefix for generated C++ files so that headers from different protocol
449         groups have unambiguous names.
450
451         * inspector/scripts/codegen/cpp_generator.py:
452         (CppGenerator):
453         (CppGenerator.__init__):
454         (CppGenerator.protocol_name):
455         Make all C++ code generators extend the CppGenerator python class and use the
456         protocol_name() instance method. This matches a recent change to the ObjC generator.
457
458         * inspector/scripts/codegen/cpp_generator_templates.py:
459         (CppGeneratorTemplates):
460         Drive-by cleanup to use #pragma once instead of header guards.
461
462         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
463         (CppAlternateBackendDispatcherHeaderGenerator):
464         (CppAlternateBackendDispatcherHeaderGenerator.__init__):
465         (CppAlternateBackendDispatcherHeaderGenerator.output_filename):
466         (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
467         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
468         (CppBackendDispatcherHeaderGenerator):
469         (CppBackendDispatcherHeaderGenerator.__init__):
470         (CppBackendDispatcherHeaderGenerator.output_filename):
471         (CppBackendDispatcherHeaderGenerator.generate_output):
472         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
473         (CppBackendDispatcherImplementationGenerator):
474         (CppBackendDispatcherImplementationGenerator.__init__):
475         (CppBackendDispatcherImplementationGenerator.output_filename):
476         (CppBackendDispatcherImplementationGenerator.generate_output):
477         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
478         (CppFrontendDispatcherHeaderGenerator):
479         (CppFrontendDispatcherHeaderGenerator.__init__):
480         (CppFrontendDispatcherHeaderGenerator.output_filename):
481         (CppFrontendDispatcherHeaderGenerator.generate_output):
482         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
483         (CppFrontendDispatcherImplementationGenerator):
484         (CppFrontendDispatcherImplementationGenerator.__init__):
485         (CppFrontendDispatcherImplementationGenerator.output_filename):
486         (CppFrontendDispatcherImplementationGenerator.generate_output):
487         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
488         (CppProtocolTypesHeaderGenerator):
489         (CppProtocolTypesHeaderGenerator.__init__):
490         (CppProtocolTypesHeaderGenerator.output_filename):
491         (CppProtocolTypesHeaderGenerator.generate_output):
492         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
493         (CppProtocolTypesImplementationGenerator):
494         (CppProtocolTypesImplementationGenerator.__init__):
495         (CppProtocolTypesImplementationGenerator.output_filename):
496         (CppProtocolTypesImplementationGenerator.generate_output):
497         Use the protocol_name() instance method to compute generated protocol file names.
498
499         * inspector/scripts/codegen/models.py:
500         Explicitly set the 'protocol_group' for the Inspector protocol.
501
502         Rebaseline generator test results.
503
504         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
505         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
506         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
507         * inspector/scripts/tests/expected/enum-values.json-result:
508         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
509         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
510         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
511         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
512         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
513         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
514         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
515         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
516         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
517
518 2016-03-25  Keith Miller  <keith_miller@apple.com>
519
520         putByIndexBeyondVectorLengthWithoutAttributes should not crash if it can't ensureLength
521         https://bugs.webkit.org/show_bug.cgi?id=155730
522
523         Reviewed by Saam Barati.
524
525         This patch makes ensureLength return a boolean indicating if it was able to set the length.
526         ensureLength also no longer sets the butterfly to null if the allocation of the butterfly
527         fails. All of ensureLengths callers including putByIndexBeyondVectorLengthWithoutAttributes
528         have been adapted to throw an out of memory error if ensureLength fails.
529
530         * runtime/JSArray.cpp:
531         (JSC::JSArray::setLength):
532         (JSC::JSArray::unshiftCountWithAnyIndexingType):
533         * runtime/JSObject.cpp:
534         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
535         (JSC::JSObject::ensureLengthSlow):
536         * runtime/JSObject.h:
537         (JSC::JSObject::ensureLength):
538
539 2016-03-25  Caitlin Potter  <caitp@igalia.com>
540
541         [JSC] implement String.prototype.padStart() and String.prototype.padEnd() proposal
542         https://bugs.webkit.org/show_bug.cgi?id=155795
543
544         Reviewed by Darin Adler.
545
546         Implements ECMAScript proposal http://tc39.github.io/proposal-string-pad-start-end/
547         Currently at Stage 3.
548
549         * runtime/JSString.h:
550         * runtime/StringPrototype.cpp:
551         (JSC::StringPrototype::finishCreation):
552         (JSC::repeatCharacter):
553         (JSC::repeatStringPattern):
554         (JSC::padString):
555         (JSC::stringProtoFuncPadEnd):
556         (JSC::stringProtoFuncPadStart):
557         * tests/es6.yaml:
558         * tests/es6/String.prototype_methods_String.prototype.padEnd.js: Added.
559         * tests/es6/String.prototype_methods_String.prototype.padStart.js: Added.
560
561 2016-03-24  Alex Christensen  <achristensen@webkit.org>
562
563         Fix Mac CMake build.
564
565         * PlatformMac.cmake:
566         Link to Security framework.
567
568 2016-03-24  Saam barati  <sbarati@apple.com>
569
570         ES6: Implement IsRegExp function and use where needed in String.prototype.* methods
571         https://bugs.webkit.org/show_bug.cgi?id=155854
572
573         Reviewed by Mark Lam.
574
575         This patch is a straight forward implementation of IsRegExp
576         in the ES6 spec:
577         https://tc39.github.io/ecma262/#sec-isregexp
578         We now use this IsRegExp function inside String.prototype.(startsWith | endsWith | includes)
579         as is dictated by the spec.
580
581         * runtime/RegExpConstructor.h:
582         (JSC::RegExpConstructor::recordMatch):
583         (JSC::isRegExp):
584         * runtime/StringPrototype.cpp:
585         (JSC::stringProtoFuncStartsWith):
586         (JSC::stringProtoFuncEndsWith):
587         (JSC::stringProtoFuncIncludes):
588         * tests/es6.yaml:
589         * tests/es6/well-known_symbols_Symbol.match_String.prototype.endsWith.js: Added.
590         (test):
591         * tests/es6/well-known_symbols_Symbol.match_String.prototype.includes.js: Added.
592         (test):
593         * tests/es6/well-known_symbols_Symbol.match_String.prototype.startsWith.js: Added.
594         (test):
595         * tests/stress/string-prototype-methods-endsWith-startsWith-includes-correctness.js: Added.
596         (assert):
597         (test):
598         (test.get let):
599         (get let):
600
601 2016-03-24  Saam barati  <sbarati@apple.com>
602
603         Web Inspector: Separate Debugger enable state from the debugger breakpoints enabled state
604         https://bugs.webkit.org/show_bug.cgi?id=152193
605         <rdar://problem/23867520>
606
607         Reviewed by Joseph Pecoraro.
608
609         When all breakpoints are disabled, we can recompile all JS
610         code and remove the necessary debugging code that is emitted.
611         This allows for the code that is executing to be almost as fast
612         as it is with the debugger completely disabled. This is in preparation for:
613         https://bugs.webkit.org/show_bug.cgi?id=155809
614         which will introduce a high fidelity profiler. That profiler
615         could be built off the principle that breakpoints are disabled
616         when we're performing a high fidelity profile. Doing so, for example,
617         allows the sampling profiler to better measure the real performance
618         of the JS of a particular application.
619
620         * debugger/Debugger.cpp:
621         (JSC::Debugger::setBreakpointsActivated):
622         (JSC::Debugger::setPauseOnExceptionsState):
623         * debugger/Debugger.h:
624         * dfg/DFGGraph.cpp:
625         (JSC::DFG::Graph::Graph):
626         * inspector/JSGlobalObjectScriptDebugServer.cpp:
627         (Inspector::JSGlobalObjectScriptDebugServer::attachDebugger):
628         (Inspector::JSGlobalObjectScriptDebugServer::detachDebugger):
629         * inspector/agents/InspectorDebuggerAgent.cpp:
630         (Inspector::InspectorDebuggerAgent::enable):
631         * runtime/Executable.cpp:
632         (JSC::ScriptExecutable::newCodeBlockFor):
633         * runtime/JSGlobalObject.cpp:
634         (JSC::JSGlobalObject::createProgramCodeBlock):
635         (JSC::JSGlobalObject::createEvalCodeBlock):
636         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
637         (JSC::JSGlobalObject::queueMicrotask):
638         (JSC::JSGlobalObject::hasDebugger):
639         (JSC::JSGlobalObject::hasInteractiveDebugger):
640         * runtime/JSGlobalObject.h:
641         (JSC::JSGlobalObject::runtimeFlags):
642         (JSC::JSGlobalObject::hasDebugger): Deleted.
643
644 2016-03-24  Michael Saboff  <msaboff@apple.com>
645
646         Create private builtin helper advanceStringIndexUnicode() for use by RegExp builtins
647         https://bugs.webkit.org/show_bug.cgi?id=155855
648
649         Reviewed by Mark Lam.
650
651         Moved advanceStringIndexUnicode() as a separate helper.  Added it as a private builtin
652         to the GlobalObject like other private builtins.
653
654         * builtins/RegExpPrototype.js:
655         (advanceStringIndexUnicode):
656         (match):
657         (match.advanceStringIndexUnicode): Deleted.
658         * runtime/JSGlobalObject.cpp:
659         (JSC::JSGlobalObject::init):
660
661 2016-03-24  Michael Saboff  <msaboff@apple.com>
662
663         [ES6] Add Proxy based tests for RegExp.prototype[@@match]
664         https://bugs.webkit.org/show_bug.cgi?id=155807
665
666         Reviewed by Saam Barati.
667
668         Added new test that uses Proxy to verify RegExp.prototype[@@match] processing
669         conforms to the ES6 standard
670
671         Modified builtin RegExp.prototype[@@match] to be ES6 spec conformant.
672
673         Updated es6.yaml as Proxy_internal_get_calls_RegExp.prototype[Symbol.match].js now passes.
674
675         * builtins/RegExpPrototype.js:
676         (match):
677         * tests/es6.yaml: Updated.
678         * tests/stress/regexp-match-proxy.js: Added.
679         (assert):
680         (let.getProxyNullExec.new.Proxy):
681         (let.getSetProxyNullExec.new.Proxy):
682         (get resetTracking):
683         (let.getSetProxyMatches_s.new.Proxy):
684         (set get getSetProxyNullExec):
685         (let.getSetProxyMatches_tx_Greedy.new.Proxy):
686         (set get getSetProxyMatches_s):
687         (let.getSetProxyMatchesUnicode_digit_nonGreedy.new.Proxy):
688         (set get getSetProxyMatches_tx_Greedy):
689
690 2016-03-24  Michael Saboff  <msaboff@apple.com>
691
692         [ES6] Greedy unicode RegExp's don't properly backtrack past non BMP characters
693         https://bugs.webkit.org/show_bug.cgi?id=155829
694
695         Reviewed by Saam Barati.
696
697         When we backup when matching part of a unicode pattern, we can't just backup one character.
698         Instead we need to save our start position before trying to match a character and
699         restore the position if the match fails.  This was done in other places, but wasn't
700         done for all greedy types.
701
702         Fixed matchGlobal() to properly handle advancing past non BMP characters.
703
704         * runtime/RegExpObject.cpp:
705         (JSC::RegExpObject::matchGlobal):
706         * runtime/RegExpObjectInlines.h:
707         (JSC::RegExpObject::advanceStringUnicode):
708         * yarr/YarrInterpreter.cpp:
709         (JSC::Yarr::Interpreter::matchCharacterClass):
710         (JSC::Yarr::Interpreter::matchDisjunction):
711
712 2016-03-24  Benjamin Poulain  <bpoulain@apple.com>
713
714         [JSC] In some cases, the integer range optimization phase never converges
715         https://bugs.webkit.org/show_bug.cgi?id=155828
716         rdar://problem/25155460
717
718         Reviewed by Filip Pizlo.
719
720         In certain conditions, the integer range optimization phase continuously
721         changes the representation of the same truth, preventing it from
722         converging to a stable state.
723
724         The bug starts by having the same ground truth incomming into a block
725         in different valid forms. For example, you can have x < 42 coming as:
726             1) x < 42
727             2) x < 41 + 1
728             3) x < 43 - 1
729
730         Having those 3 alone coming from predecessors would be okay, we would
731         just accumulate them. The problem is when you have a combination
732         of rule that filter out the previously obtained truth, then add a new
733         form of the same truth.
734
735         Let's use the test case as an example. We have two incoming blocks:
736             Block #1:
737               -i < 42
738               -i != 41
739             Block #2:
740               -i < 41
741               -i == 42 - 42 (i == 0 refining the rule above).
742
743         Let say that our conditions at head are now [i < 41, i < 42 - 1].
744
745         If we merge block #2:
746               -i < 42 and i < 41      -> i < 42
747               -i < 42 and i < 42 - 1  -> i < 42
748               -i != 41 and i < 41     -> i < 41
749               -i != 41 and i < 42 - 1 -> nothing
750
751         The new head is: [i < 41, i < 42]
752
753         If we merge block #1:
754               -i < 41 and i < 41       -> i < 41
755               -i < 41 and i < 42       -> i < 42
756               -i == 42 - 42 and i < 41 -> (i < 41 and i < 42 - 1)
757               -i == 42 - 42 and i < 42 -> i < 42
758
759         After filter, we are back to [i < 41, i < 42 - 1].
760
761         There are several variations of this idea where the same truth
762         rotate different forms with each merge().
763
764         One possible solution is to make filter() more aggressive
765         to avoid the better form occuring at merge(). I'll probably
766         do that at some point but that seems fragile since the same
767         problem could reappear if merge() is later improved.
768
769         For this patch, I went with a more generic solution after
770         merge(): if the generated form is equivalent to one that
771         previously existed at head, pick the existing form.
772
773         In the previous example, what happens is we only have
774         either [i < 41] or [i < 42 - 1] but never both simultaneously.
775
776         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
777         * tests/stress/integer-range-optimization-constant-representation-1.js: Added.
778         * tests/stress/integer-range-optimization-constant-representation-2.js: Added.
779         Two variation. One timeout in release because of the additional flags.
780         The other is gets more type of run but only assert in debug.
781
782 2016-03-23  Commit Queue  <commit-queue@webkit.org>
783
784         Unreviewed, rolling out r198582.
785         https://bugs.webkit.org/show_bug.cgi?id=155812
786
787         "It broke debugging in the web inspector" (Requested by
788         saamyjoon on #webkit).
789
790         Reverted changeset:
791
792         "We should not disable inlining when the debugger is enabled"
793         https://bugs.webkit.org/show_bug.cgi?id=155741
794         http://trac.webkit.org/changeset/198582
795
796 2016-03-23  Michael Saboff  <msaboff@apple.com>
797
798         JavaScriptCore ArrayPrototype::join shouldn't cache butterfly when it makes effectful calls
799         https://bugs.webkit.org/show_bug.cgi?id=155776
800
801         Reviewed by Saam Barati.
802
803         Array.join ends up calling toString, possibly on some object.  Since these calls
804         could be effectful and could change the array itself, we can't hold the butterfly
805         pointer while making effectful calls.  Changed the code to fall back to the general
806         case when an effectful toString() call might be made.
807
808         * runtime/ArrayPrototype.cpp:
809         (JSC::join):
810         * runtime/JSStringJoiner.h:
811         (JSC::JSStringJoiner::appendWithoutSideEffects): New helper that doesn't make effectful
812         toString() calls.
813         (JSC::JSStringJoiner::append): Built upon appendWithoutSideEffects.
814
815 2016-03-23  Keith Miller  <keith_miller@apple.com>
816
817         Array.prototype native functions' species constructors should work with proxies
818         https://bugs.webkit.org/show_bug.cgi?id=155798
819
820         Reviewed by Mark Lam.
821
822         Before native the species constructors were checking if the this value was a JSArray.
823         Instead they should look check that the this value returns true on Array.isArray.
824
825         * runtime/ArrayPrototype.cpp:
826         (JSC::speciesConstructArray):
827         * tests/es6.yaml:
828         * tests/stress/proxy-array-prototype-methods.js:
829
830 2016-03-23  Saam barati  <sbarati@apple.com>
831
832         We should not disable inlining when the debugger is enabled
833         https://bugs.webkit.org/show_bug.cgi?id=155741
834
835         Reviewed by Oliver Hunt.
836
837         We can enable inlining when the debugger is enabled as long
838         as we make sure we still jettison the proper CodeBlocks when
839         a breakpoint is set. This means that for any optimized CodeBlock,
840         we must ask if any of its inlinees contain the breakpoint that
841         is being set. If any inlinees do contain the breakpoint, we must
842         jettison the machine code block that they are a part of.
843
844         * debugger/Debugger.cpp:
845         (JSC::Debugger::toggleBreakpoint):
846         (JSC::Debugger::applyBreakpoints):
847         * dfg/DFGByteCodeParser.cpp:
848         (JSC::DFG::ByteCodeParser::ByteCodeParser):
849         (JSC::DFG::ByteCodeParser::setLocal):
850         (JSC::DFG::ByteCodeParser::flush):
851         (JSC::DFG::ByteCodeParser::flushForTerminal):
852         (JSC::DFG::ByteCodeParser::inliningCost):
853         * dfg/DFGGraph.cpp:
854         (JSC::DFG::Graph::Graph):
855         (JSC::DFG::Graph::~Graph):
856         * dfg/DFGGraph.h:
857         (JSC::DFG::Graph::hasDebuggerEnabled): Deleted.
858         * dfg/DFGStackLayoutPhase.cpp:
859         (JSC::DFG::StackLayoutPhase::run):
860         * ftl/FTLCompile.cpp:
861         (JSC::FTL::compile):
862
863 2016-03-23  Yusuke Suzuki  <utatane.tea@gmail.com>
864
865         [ES6] Allow undefined/null for Symbol.search and Symbol.match
866         https://bugs.webkit.org/show_bug.cgi?id=155785
867
868         Reviewed by Saam Barati.
869
870         Undefined and null for Symbol.search and Symbol.match properties of the given RegExp (like) object are allowed.
871         When they are specified, we go to the fallback path; creating the RegExp with the given object and matching.
872
873         * builtins/StringPrototype.js:
874         (match):
875         (search):
876         * tests/stress/string-symbol-customization.js: Added.
877         (shouldBe):
878         (shouldThrow):
879
880 2016-03-22  Caitlin Potter  <caitp@igalia.com>
881
882         [JSC] correctly handle indexed properties in Object.getOwnPropertyDescriptors
883         https://bugs.webkit.org/show_bug.cgi?id=155563
884
885         Reviewed by Saam Barati.
886
887         * runtime/JSObject.h:
888         (JSC::JSObject::putOwnDataPropertyMayBeIndex):
889         * runtime/ObjectConstructor.cpp:
890         (JSC::objectConstructorGetOwnPropertyDescriptors):
891
892 2016-03-22  Saam Barati  <sbarati@apple.com>
893
894         We should FTL compile code when the debugger is enabled
895         https://bugs.webkit.org/show_bug.cgi?id=155740
896
897         Reviewed by Oliver Hunt.
898
899         There was no fundamental reason why we didn't support debugging
900         with the FTL. It looks like this was just an oversight. We had
901         a Breakpoint node in the DFG that amounted to a nop. By removing
902         this node, we now support debugging in the FTL. Anytime a breakpoint
903         is set, we will jettison any DFG/FTL CodeBlocks that contain the breakpoint
904         that was set.
905
906         * dfg/DFGAbstractInterpreterInlines.h:
907         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
908         * dfg/DFGByteCodeParser.cpp:
909         (JSC::DFG::ByteCodeParser::parseBlock):
910         * dfg/DFGClobberize.h:
911         (JSC::DFG::clobberize):
912         * dfg/DFGDoesGC.cpp:
913         (JSC::DFG::doesGC):
914         * dfg/DFGFixupPhase.cpp:
915         (JSC::DFG::FixupPhase::fixupNode):
916         * dfg/DFGNodeType.h:
917         * dfg/DFGPredictionPropagationPhase.cpp:
918         (JSC::DFG::PredictionPropagationPhase::propagate):
919         * dfg/DFGSafeToExecute.h:
920         (JSC::DFG::safeToExecute):
921         * dfg/DFGSpeculativeJIT32_64.cpp:
922         (JSC::DFG::SpeculativeJIT::compile):
923         * dfg/DFGSpeculativeJIT64.cpp:
924         (JSC::DFG::SpeculativeJIT::compile):
925
926 2016-03-22  Keith Miller  <keith_miller@apple.com>
927
928         REGRESSION(r197543): Use-after-free on storage/indexeddb/transaction-abort-private.html
929         https://bugs.webkit.org/show_bug.cgi?id=155067
930
931         Reviewed by Filip Pizlo.
932
933         GCIncommingRefCountedSets need to be finalized before we start
934         destructing members of the Heap object. Previously, we would
935         clear all our ArrayBuffer objects when the GCIncommingRefCountedSet
936         holding them was destroyed. However, ArrayBuffers have a weak
937         reference to their wrappers. When we would attempt to destroy the
938         ArrayBuffer object we would end up accessing the WeakImpl for
939         the weak reference, which had already been freed as we destroyed
940         our weak block. The solution to this is to move the old
941         GCIncommingRefCountedSet destructor functionality to a new
942         function lastChanceToFinalize. This function is called when
943         we finalize our other objects on Heap destruction.
944
945         * heap/GCIncomingRefCountedSet.h:
946         * heap/GCIncomingRefCountedSetInlines.h:
947         (JSC::GCIncomingRefCountedSet<T>::lastChanceToFinalize):
948         (JSC::GCIncomingRefCountedSet<T>::~GCIncomingRefCountedSet): Deleted.
949         * heap/Heap.cpp:
950         (JSC::Heap::lastChanceToFinalize):
951
952 2016-03-22  Per Arne Vollan  <peavo@outlook.com>
953
954         [Win] [64-bit] Remove MSVC 2013 FMA3 Bug Workaround
955         https://bugs.webkit.org/show_bug.cgi?id=141499
956
957         Reviewed by Brent Fulgham.
958
959         As we have moved on to VS2015, this workaround is no longer needed.
960
961         * API/tests/testapi.c:
962         (main):
963         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp:
964         (wWinMain):
965         * jsc.cpp:
966         (main):
967         * testRegExp.cpp:
968         (main):
969
970 2016-03-22  Michael Saboff  <msaboff@apple.com>
971
972         [ES6] Implement RegExp.prototype[@@match]
973         https://bugs.webkit.org/show_bug.cgi?id=155711
974
975         Reviewed by Filip Pizlo.
976
977         Implemented ES6 spec for String.prototype.match and RegExp.prototype[@@match].
978         Implemented both as builtins, with String.prototype.match calling 
979         RegExp.prototype[@@match].
980
981         For performance reasons, RegExp.prototype[@@match] has a C++ fast path when
982         RegExp.prototype.exec has not been overridden.  This fast path,
983         RegExpObject::matchGlobal, was taken from the prior StringPrototype::match.
984         It only handles global matches.
985
986         Added new test, stress/regexp-match.js.
987
988         Updated various tests for changes exception string and now passing ES6 behavior.
989
990         * CMakeLists.txt: 
991         * DerivedSources.make:
992         * JavaScriptCore.xcodeproj/project.pbxproj:
993         Added builtins/RegExpPrototype.js and eliminated RegExpPrototype.lut.h.
994
995         * builtins/RegExpPrototype.js: Added.
996         (match.advanceStringIndexUnicode): Helper.
997         (match): Implements RegExp.prototype[@@match].
998         * builtins/StringPrototype.js:
999         (match): Implements String.prototype.match.
1000
1001         * bytecode/BytecodeIntrinsicRegistry.cpp:
1002         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1003         (JSC::BytecodeIntrinsicRegistry::lookup):
1004         * bytecode/BytecodeIntrinsicRegistry.h:
1005         * runtime/CommonIdentifiers.h:
1006         Added Symbol.match and builtins @match and @exec.
1007
1008         * runtime/RegExpObject.cpp:
1009         * runtime/RegExpObject.h:
1010         * runtime/RegExpObjectInlines.h:
1011         (JSC::RegExpObject::matchGlobal): Added.
1012         (JSC::RegExpObject::advanceStringUnicode): Added helper.
1013
1014         * runtime/RegExpPrototype.cpp:
1015         * runtime/RegExpPrototype.h:
1016         (JSC::RegExpPrototype::RegExpPrototype):
1017         (JSC::RegExpPrototype::finishCreation):
1018         (JSC::RegExpPrototype::visitChildren):
1019         (JSC::regExpProtoFuncMatchPrivate):
1020         (JSC::RegExpPrototype::getOwnPropertySlot): Deleted.
1021         (JSC::RegExpPrototype::create):
1022         Restructured to create properties explicitly due to having two names for native regExpProtoFuncExec.
1023
1024         * runtime/StringPrototype.cpp:
1025         (JSC::StringPrototype::finishCreation):
1026         Made match a builtin.
1027         Removed unused declaration of stringProtoFuncSearch() since it was made a builtin.
1028
1029         * tests/es6.yaml:
1030         * tests/stress/regexp-match.js: Added.
1031         (shouldBe):
1032         (shouldThrow):
1033         (errorKey.toString):
1034         (primitive.of.primitives.shouldThrow):
1035         (testRegExpMatch):
1036         (testMatch):
1037         (testBoth):
1038         (alwaysUnmatch):
1039
1040 2016-03-22  Caitlin Potter  <caitp@igalia.com>
1041
1042         [JSC] allow duplicate property names returned from Proxy ownKeys() trap
1043         https://bugs.webkit.org/show_bug.cgi?id=155560
1044
1045         Reviewed by Darin Adler.
1046
1047         Specification allows duplicate property names to be reported by the
1048         Proxy ownKeys() trap --- and this is observable in any API which
1049         operates on the returned list, such as Object.keys(),
1050         Object.getOwnPropertyNames(), Object.getOwnPropertySymbols(), or
1051         Object.getOwnPropertyDescriptors().
1052
1053         * runtime/PropertyNameArray.h:
1054         (JSC::PropertyNameArray::addUnchecked):
1055         (JSC::PropertyNameArray::add):
1056         (JSC::PropertyNameArray::addKnownUnique): Deleted.
1057         * runtime/ProxyObject.cpp:
1058         (JSC::ProxyObject::performGetOwnPropertyNames):
1059         * runtime/Structure.cpp:
1060         (JSC::Structure::getPropertyNamesFromStructure):
1061
1062 2016-03-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1063
1064         [JSC] Clean up Math.floor thunk and use SSE round instruction
1065         https://bugs.webkit.org/show_bug.cgi?id=155705
1066
1067         Reviewed by Geoffrey Garen.
1068
1069         SSE now allow us to use round instruction to implement Math.floor.
1070         MacroAssembler's floorDouble is now only used in ARM64, but it can be allowed in x86 SSE.
1071
1072         * jit/ThunkGenerators.cpp:
1073         (JSC::floorThunkGenerator):
1074
1075 2016-03-21  Konstantin Tokarev  <annulen@yandex.ru>
1076
1077         Fixed compilation with GCC 4.8.
1078         https://bugs.webkit.org/show_bug.cgi?id=155698
1079
1080         Reviewed by Alexey Proskuryakov.
1081
1082         GCC 4.8 does not allow aggregate initialization for type with deleted
1083         constructor, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=52707.
1084
1085         * dfg/DFGCSEPhase.cpp: Added ctor for ImpureDataSlot.
1086
1087 2016-03-21  Joonghun Park  <jh718.park@samsung.com>
1088
1089         [JSC] Add ArrayBuffer::tryCreate and change the callsites where it is needed
1090         https://bugs.webkit.org/show_bug.cgi?id=155328
1091
1092         Reviewed by Darin Adler.
1093
1094         * API/JSTypedArray.cpp:
1095         (JSObjectMakeTypedArray):
1096         (JSObjectMakeArrayBufferWithBytesNoCopy):
1097         * runtime/ArrayBuffer.h:
1098         (JSC::ArrayBuffer::create):
1099         (JSC::ArrayBuffer::tryCreate):
1100         (JSC::ArrayBuffer::createUninitialized):
1101         (JSC::ArrayBuffer::tryCreateUninitialized):
1102         (JSC::ArrayBuffer::createInternal):
1103         * runtime/GenericTypedArrayViewInlines.h:
1104         (JSC::GenericTypedArrayView<Adaptor>::create):
1105         (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
1106         * runtime/JSArrayBufferConstructor.cpp:
1107         (JSC::constructArrayBuffer):
1108
1109 2016-03-20  Dan Bernstein  <mitz@apple.com>
1110
1111         [Mac] Determine TARGET_MAC_OS_X_VERSION_MAJOR from MACOSX_DEPLOYMENT_TARGET rather than from MAC_OS_X_VERSION_MAJOR
1112         https://bugs.webkit.org/show_bug.cgi?id=155707
1113         <rdar://problem/24980691>
1114
1115         Reviewed by Darin Adler.
1116
1117         * Configurations/Base.xcconfig: Set TARGET_MAC_OS_X_VERSION_MAJOR based on the last
1118           component of MACOSX_DEPLOYMENT_TARGET.
1119         * Configurations/DebugRelease.xcconfig: For engineering builds, preserve the behavior of
1120           TARGET_MAC_OS_X_VERSION_MAJOR being the host’s OS version.
1121
1122 2016-03-20  Michael Saboff  <msaboff@apple.com>
1123
1124         Crash in stress/regexp-matches-array-slow-put.js due to stomping on memory when having bad time
1125         https://bugs.webkit.org/show_bug.cgi?id=155679
1126
1127         Reviewed by Saam Barati.
1128
1129         Allocate out of line storage based on what the structure says it needs
1130         in JSArray::tryCreateUninitialized.
1131
1132         * runtime/JSArray.h:
1133         (JSC::JSArray::tryCreateUninitialized):
1134
1135 2016-03-20  Joseph Pecoraro  <pecoraro@apple.com>
1136
1137         Crash on DFG::WorkList thread in JSC::Heap::isCollecting for destroyed Web Worker
1138         https://bugs.webkit.org/show_bug.cgi?id=155678
1139         <rdar://problem/25251439>
1140
1141         Reviewed by Filip Pizlo.
1142
1143         This fixes a crash that we saw with GuardMalloc. If the Plan was
1144         Cancelled it may not be safe to access the VM. If the Plan was
1145         cancelled we are just going to bail anyways, so keep the ASSERT but
1146         short-circuit if the plan was Cancelled.
1147
1148         * dfg/DFGWorklist.cpp:
1149         (JSC::DFG::Worklist::runThread):
1150
1151 2016-03-20  Dan Bernstein  <mitz@apple.com>
1152
1153         Update build settings
1154
1155         Rubber-stamped by Andy Estes.
1156
1157         * Configurations/DebugRelease.xcconfig:
1158         * Configurations/FeatureDefines.xcconfig:
1159         * Configurations/Version.xcconfig:
1160
1161 2016-03-19  Skachkov Oleksandr  <gskachkov@gmail.com>
1162
1163         [ES6] Arrow function syntax. Update syntax error text 'super is only valid inside functions' to more suitable
1164         https://bugs.webkit.org/show_bug.cgi?id=155491
1165
1166         Reviewed by Saam Barati.
1167
1168         Current message 'super is only valid inside of funcitons' is not correct 
1169         after patch for https://bugs.webkit.org/show_bug.cgi?id=153864 because 
1170         it is allow to use 'super' in eval. Current patch replace old message by
1171         'Super is only valid inside functions or 'eval' inside a function' and 
1172         fix tests that rely on this message.
1173
1174         * parser/Parser.cpp:
1175         (JSC::Parser<LexerType>::parseMemberExpression):
1176         * tests/stress/generator-with-super.js:
1177         (shouldThrow):
1178         * tests/stress/modules-syntax-error.js:
1179         * tests/stress/super-in-lexical-scope.js:
1180         * tests/stress/tagged-templates-syntax.js:
1181
1182 2016-03-19  Mark Lam  <mark.lam@apple.com>
1183
1184         ES6 spec requires that ErrorPrototype not be an Error object.
1185         https://bugs.webkit.org/show_bug.cgi?id=155680
1186
1187         Reviewed by Michael Saboff.
1188
1189         The ES6 spec states that Error.prototype should not be an instance of Error:
1190         https://tc39.github.io/ecma262/#sec-properties-of-the-error-prototype-object
1191
1192         "The Error prototype object is an ordinary object. It is not an Error instance
1193         and does not have an [[ErrorData]] internal slot."
1194
1195         This patch changes ErrorPrototype to conform to the above specification.
1196
1197         * runtime/ErrorConstructor.cpp:
1198         (JSC::ErrorConstructor::finishCreation):
1199         * runtime/ErrorPrototype.cpp:
1200         (JSC::ErrorPrototype::ErrorPrototype):
1201         (JSC::ErrorPrototype::finishCreation):
1202         (JSC::ErrorPrototype::getOwnPropertySlot):
1203         * runtime/ErrorPrototype.h:
1204         (JSC::ErrorPrototype::create):
1205
1206         * runtime/NativeErrorConstructor.cpp:
1207         (JSC::NativeErrorConstructor::finishCreation):
1208         * runtime/NativeErrorPrototype.cpp:
1209         (JSC::NativeErrorPrototype::NativeErrorPrototype):
1210         (JSC::NativeErrorPrototype::finishCreation):
1211         * runtime/NativeErrorPrototype.h:
1212         (JSC::NativeErrorPrototype::create):
1213         - updated to no longer need a JSGlobalObject argument.
1214
1215         * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
1216         - updated to match the kangax version of this test.
1217
1218 2016-03-18  Benjamin Poulain  <bpoulain@apple.com>
1219
1220         [JSC] Limit DFG's Validate symbols to its compilation unit
1221         https://bugs.webkit.org/show_bug.cgi?id=155670
1222
1223         Reviewed by Filip Pizlo.
1224
1225         * dfg/DFGValidate.cpp:
1226
1227 2016-03-18  Mark Lam  <mark.lam@apple.com>
1228
1229         ES6 spec requires that RegExpPrototype not be a RegExp object.
1230         https://bugs.webkit.org/show_bug.cgi?id=155654
1231
1232         Reviewed by Filip Pizlo.
1233
1234         The ES6 spec states that RegExp.prototype should not be an instance of RegExp:
1235         https://tc39.github.io/ecma262/#sec-properties-of-the-regexp-prototype-object
1236
1237         "The RegExp prototype object is an ordinary object. It is not a RegExp instance
1238         and does not have a [[RegExpMatcher]] internal slot or any of the other internal
1239         slots of RegExp instance objects."
1240
1241         This patch changes RegExpPrototype to conform to the above specifications.
1242
1243         * runtime/JSGlobalObject.cpp:
1244         (JSC::JSGlobalObject::init):
1245         * runtime/RegExpConstructor.cpp:
1246         (JSC::RegExpConstructor::RegExpConstructor):
1247         (JSC::RegExpConstructor::finishCreation):
1248         * runtime/RegExpPrototype.cpp:
1249         (JSC::RegExpPrototype::RegExpPrototype):
1250         (JSC::RegExpPrototype::finishCreation):
1251         (JSC::RegExpPrototype::getOwnPropertySlot):
1252         (JSC::RegExpPrototype::visitChildren):
1253         (JSC::regExpProtoFuncTest):
1254         * runtime/RegExpPrototype.h:
1255         (JSC::RegExpPrototype::create):
1256         (JSC::RegExpPrototype::createStructure):
1257         (JSC::RegExpPrototype::emptyRegExp):
1258
1259         * tests/es6.yaml:
1260         - This patch makes the es6/miscellaneous_built-in_prototypes_are_not_instances.js
1261           test now pass.  However, the kangax version of this test still fails because
1262           it also checks Error objects (which will be fixed in a subsequent patch).
1263
1264         * tests/mozilla/ecma_2/shell.js:
1265         (stringify):
1266         (test):
1267         (getFailedCases):
1268         (err):
1269         * tests/stress/static-getter-in-names.js:
1270         (shouldBe):
1271
1272 2016-03-18  Keith Miller  <keith_miller@apple.com>
1273
1274         DataView should use an accessor for its length and buffer properties
1275         https://bugs.webkit.org/show_bug.cgi?id=155625
1276
1277         Reviewed by Michael Saboff.
1278
1279         The DataView object should use an accessor on DataView.prototype for its
1280         byteLength, byteOffset, and buffer properties. This patch also, moves the
1281         buffer property off the TypedArray object itself and onto the prototype
1282         along with the other accessors. Since the .buffer property is no longer on
1283         the object, JSArrayBufferView no longer needs to intercept accesses to
1284         properties. Finally, this patch also fixes the length property on all the
1285         existing DataView.prototype functions.
1286
1287         * runtime/JSArrayBufferView.cpp:
1288         (JSC::JSArrayBufferView::getOwnPropertySlot): Deleted.
1289         (JSC::JSArrayBufferView::put): Deleted.
1290         (JSC::JSArrayBufferView::defineOwnProperty): Deleted.
1291         (JSC::JSArrayBufferView::deleteProperty): Deleted.
1292         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames): Deleted.
1293         * runtime/JSArrayBufferView.h:
1294         (JSC::JSArrayBufferView::jsBuffer):
1295         * runtime/JSDataViewPrototype.cpp:
1296         (JSC::dataViewProtoGetterBuffer):
1297         (JSC::dataViewProtoGetterByteLength):
1298         (JSC::dataViewProtoGetterByteOffset):
1299         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1300         (JSC::genericTypedArrayViewProtoGetterFuncBuffer):
1301         * runtime/JSTypedArrayViewPrototype.cpp:
1302         (JSC::typedArrayViewProtoGetterFuncBuffer):
1303         (JSC::JSTypedArrayViewPrototype::finishCreation):
1304
1305 2016-03-18  Csaba Osztrogonác  <ossy@webkit.org>
1306
1307         Unreviewed speculative cloop buildfix after r198364.
1308
1309         * bytecode/SuperSampler.cpp:
1310
1311 2016-03-17  Benjamin Poulain  <bpoulain@apple.com>
1312
1313         [JSC] Make CSE's ImpureData faster when dealing with large blocks
1314         https://bugs.webkit.org/show_bug.cgi?id=155594
1315
1316         Reviewed by Filip Pizlo.
1317
1318         In some tests with large blocks, the time spent in DFG's LocalCSE
1319         can be over 10% of the total compile time.
1320         In those cases, LocalCSE is completely dominated by handling large
1321         blocks.
1322
1323         This patch addresses the most obvious hot spots ImpureData's handling.
1324
1325         Initially, most of the time was going into HashTable::rehash().
1326         The reason is the buckets are <HeapLocation, LazyNode> gigantic.
1327         The hash table would easily get into several kilobytes and the CPU
1328         was spending more time dealing with memory than anything.
1329
1330         To solve that, I moved the pairs lazily to the heap. The table itself
1331         just contains the unique_ptr to those values. This makes the table
1332         reasonably small and the alloc/dealloc are paid for by the fast rehash().
1333
1334         Once addImpure() was better, the next big bottleneck was clobber().
1335         For each clobber(), we need to go over the entire map and test each value.
1336         That loop was where most of the time was going.
1337
1338         Most calls to clobber() come from two kinds: SideState and Stack.
1339
1340         SideState is easy: it is never def'ed so we can always skip it.
1341
1342         Stack is disjoint from Heap too so we can also put it separately.
1343
1344         Splitting the map into 2 helped reduce the overhead. The maps are:
1345         -Stack
1346         -Heap
1347
1348         Having Stack alone was not enough for many blocks. In some cases,
1349         you have a ton of SetLocal/GetLocal and having Stack separately
1350         makes no difference.
1351
1352         To solve that, I split Stack in two: a map addressed by AbstractHeap
1353         + unique HeapLocation and a fallback map for everything else.
1354         Since most Stack are not TOP and are unique per AbstractHeap,
1355         I get O(1) clobber in most cases.
1356
1357         I could achieve the same result with a custom hash structure.
1358         I don't think it is worth the effort, in most cases, m_fallbackStackMap
1359         has a size of zero or one.
1360
1361         This patch introduces a lot of coupling between CSE and AbstractHeap.
1362         To reduce the risk of bugs, the old map is still maintained in debug
1363         and each step checks that the results are the same as the new implementation.
1364
1365         A new validation step also verify the strong assumptions made by CSE:
1366         -SideState and World are never def().
1367         -We never write HEAP TOP, we only write specific heap location.
1368
1369         * dfg/DFGCSEPhase.cpp:
1370         * dfg/DFGHeapLocation.h:
1371         * dfg/DFGLazyNode.h:
1372         (JSC::DFG::LazyNode::hash):
1373
1374 2016-03-17  Saam barati  <sbarati@apple.com>
1375
1376         Implement SmallPtrSet and integrate it into the Parser
1377         https://bugs.webkit.org/show_bug.cgi?id=155552
1378
1379         Reviewed by Filip Pizlo.
1380
1381         Using SmallPtrSet instead of HashSet really helps speed
1382         up the parser. What saves us most is not needing to always
1383         malloc/free memory in the HashSet.
1384
1385         * parser/Parser.cpp:
1386         (JSC::Parser<LexerType>::parseInner):
1387         * parser/Parser.h:
1388         (JSC::Scope::Scope):
1389         (JSC::Scope::startSwitch):
1390         (JSC::Scope::endSwitch):
1391         (JSC::Scope::startLoop):
1392         (JSC::Scope::hasDeclaredParameter):
1393         (JSC::Scope::declareWrite):
1394         (JSC::Scope::declareParameter):
1395         (JSC::Scope::usedVariablesContains):
1396         (JSC::Scope::useVariable):
1397         (JSC::Scope::collectFreeVariables):
1398         (JSC::Scope::getCapturedVars):
1399         (JSC::Scope::isValidStrictMode):
1400         (JSC::Scope::shadowsArguments):
1401         (JSC::Scope::copyCapturedVariablesToVector):
1402         (JSC::Scope::setIsModule):
1403         (JSC::Parser::pushScope):
1404         (JSC::Scope::getUsedVariables): Deleted.
1405
1406 2016-03-17  Brian Burg  <bburg@apple.com>
1407
1408         Web Inspector: protocol generator shouldn't generate enums for parameters with non-anonymous enum types
1409         https://bugs.webkit.org/show_bug.cgi?id=155610
1410         <rdar://problem/25229878>
1411
1412         Reviewed by Joseph Pecoraro.
1413
1414         If a command parameter has an anonymous enum type, the backend dispatcher generator
1415         makes a C++ enum for the parameter. However, if the parameter references a named enum
1416         type specified in a domain's 'type' section, then there's no need to generate an enum.
1417
1418         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1419         (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1420         Add a missing check for the is_anonymous flag. Type references to named enums are resolved
1421         to the underlying aliased EnumType instead of an AliasedType, so we have to check the flag.
1422
1423         Rebaseline tests.
1424
1425         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1426         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1427
1428 2016-03-17  Filip Pizlo  <fpizlo@apple.com>
1429
1430         Replace all of the various non-working and non-compiling sampling profiler hacks with a single super hack
1431         https://bugs.webkit.org/show_bug.cgi?id=155561
1432
1433         Reviewed by Saam Barati.
1434
1435         A VM needs some internal profiling hacks in addition to the profiler(s) that the user sees, because
1436         you can squeeze out more fidelity if you're willing to make some kind of deal with the devil. Prior
1437         to this change JSC had a bunch of these:
1438
1439         - CodeBlock sampling profiler
1440         - Bytecode sampling profiler
1441         - Sampling flags
1442         - Sampling regions
1443         - Some other stuff
1444
1445         I tried using these recently. They didn't even build. Initially I fixed that, but then I found that
1446         these profilers had some serious bugs that made them report bogus results - like underreporting the
1447         time spent in regions of code by more than 2x.
1448
1449         Part of the problem here is that a profiler loses fidelity as it gains power. The more general it
1450         tries to be, the more code gets executed on the hot path for the profiler, which increasingly
1451         perturbs the results. I believe that's the reason for the underreporting - code ran sufficiently
1452         slower, and in a sufficiently different way when profiling, that the results were just wrong.
1453
1454         This change attacks this problem directly by replacing all of the diverse profiling hacks with just
1455         one, which I call the SuperSampler. It consists of exactly one counter. When enabled, the sampler
1456         will periodically print (via dataLog()) the percentage of samples that saw a non-zero count. Because
1457         it's so simple, it gives better accuracy. This comes about in two ways:
1458
1459         - It runs at a lower rate. That's fine since it's only checking one flag. You don't need a high rate
1460           for just one flag.
1461         
1462         - The fact that there is only *one* flag means that the user must choose a hypothesis about what is
1463           slow. This turns the problem of profiling into a hypothesis testing problem, which is an inherently
1464           less flaky kind of experiment to run.
1465         
1466         The SuperSampler is enabled with a runtime flag rather than a compile-time flag, so it's much less
1467         likely to break. That also means that you can enable it without rebuilding the universe. The old
1468         samplers all had ENABLE flags in Platform.h, which was rather unfortunate for compile times.
1469
1470         SuperSampler supports both JIT and C++ users. C++ users should use SuperSamplerScope. The default
1471         idiom is to create one and pass "true" to it. You can disable a scope by passing "false" instead.
1472         This patch puts a bunch of scopes in places I care about. I think it's probably OK if people check in
1473         these deactivated scopes. That makes it convenient to retest things we've tested previously.
1474
1475         * CMakeLists.txt:
1476         * JavaScriptCore.xcodeproj/project.pbxproj:
1477         * bytecode/SamplingTool.cpp: Removed.
1478         * bytecode/SamplingTool.h: Removed.
1479         * bytecode/SuperSampler.cpp: Added.
1480         (JSC::initializeSuperSampler):
1481         (JSC::printSuperSamplerState):
1482         * bytecode/SuperSampler.h: Added.
1483         (JSC::SuperSamplerScope::SuperSamplerScope):
1484         (JSC::SuperSamplerScope::~SuperSamplerScope):
1485         * bytecompiler/BytecodeGenerator.cpp:
1486         (JSC::BytecodeGenerator::generate):
1487         * bytecompiler/NodesCodegen.cpp:
1488         * dfg/DFGAbstractInterpreterInlines.h:
1489         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
1490         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
1491         * dfg/DFGArgumentsEliminationPhase.cpp:
1492         (JSC::DFG::performArgumentsElimination):
1493         * dfg/DFGBackwardsPropagationPhase.cpp:
1494         (JSC::DFG::performBackwardsPropagation):
1495         * dfg/DFGByteCodeParser.cpp:
1496         (JSC::DFG::parse):
1497         * dfg/DFGCFAPhase.cpp:
1498         (JSC::DFG::performCFA):
1499         * dfg/DFGCFGSimplificationPhase.cpp:
1500         (JSC::DFG::performCFGSimplification):
1501         * dfg/DFGCPSRethreadingPhase.cpp:
1502         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1503         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
1504         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1505         (JSC::DFG::performCPSRethreading):
1506         * dfg/DFGCSEPhase.cpp:
1507         (JSC::DFG::performLocalCSE):
1508         (JSC::DFG::performGlobalCSE):
1509         * dfg/DFGCleanUpPhase.cpp:
1510         (JSC::DFG::performCleanUp):
1511         * dfg/DFGConstantFoldingPhase.cpp:
1512         (JSC::DFG::performConstantFolding):
1513         * dfg/DFGConstantHoistingPhase.cpp:
1514         (JSC::DFG::performConstantHoisting):
1515         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1516         (JSC::DFG::performCriticalEdgeBreaking):
1517         * dfg/DFGDCEPhase.cpp:
1518         (JSC::DFG::performDCE):
1519         * dfg/DFGDriver.cpp:
1520         (JSC::DFG::compileImpl):
1521         * dfg/DFGFixupPhase.cpp:
1522         (JSC::DFG::performFixup):
1523         * dfg/DFGGraph.cpp:
1524         (JSC::DFG::Graph::dethread):
1525         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1526         (JSC::DFG::performIntegerCheckCombining):
1527         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1528         (JSC::DFG::performIntegerRangeOptimization):
1529         * dfg/DFGInvalidationPointInjectionPhase.cpp:
1530         (JSC::DFG::performInvalidationPointInjection):
1531         * dfg/DFGJITCompiler.cpp:
1532         (JSC::DFG::JITCompiler::compile):
1533         (JSC::DFG::JITCompiler::compileFunction):
1534         * dfg/DFGLICMPhase.cpp:
1535         (JSC::DFG::performLICM):
1536         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1537         (JSC::DFG::performLiveCatchVariablePreservationPhase):
1538         * dfg/DFGLivenessAnalysisPhase.cpp:
1539         (JSC::DFG::performLivenessAnalysis):
1540         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1541         (JSC::DFG::performLoopPreHeaderCreation):
1542         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1543         (JSC::DFG::performMaximalFlushInsertion):
1544         * dfg/DFGMovHintRemovalPhase.cpp:
1545         (JSC::DFG::performMovHintRemoval):
1546         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1547         (JSC::DFG::performOSRAvailabilityAnalysis):
1548         * dfg/DFGOSREntrypointCreationPhase.cpp:
1549         (JSC::DFG::performOSREntrypointCreation):
1550         * dfg/DFGOSRExitCompiler.cpp:
1551         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1552         (JSC::DFG::performObjectAllocationSinking):
1553         * dfg/DFGOperations.cpp:
1554         * dfg/DFGPhantomInsertionPhase.cpp:
1555         (JSC::DFG::performPhantomInsertion):
1556         * dfg/DFGPlan.cpp:
1557         (JSC::DFG::Plan::compileInThread):
1558         * dfg/DFGPredictionInjectionPhase.cpp:
1559         (JSC::DFG::performPredictionInjection):
1560         * dfg/DFGPredictionPropagationPhase.cpp:
1561         (JSC::DFG::performPredictionPropagation):
1562         * dfg/DFGPutStackSinkingPhase.cpp:
1563         (JSC::DFG::performPutStackSinking):
1564         * dfg/DFGSSAConversionPhase.cpp:
1565         (JSC::DFG::performSSAConversion):
1566         * dfg/DFGSSALoweringPhase.cpp:
1567         (JSC::DFG::performSSALowering):
1568         * dfg/DFGSpeculativeJIT64.cpp:
1569         (JSC::DFG::SpeculativeJIT::compile):
1570         * dfg/DFGStackLayoutPhase.cpp:
1571         (JSC::DFG::performStackLayout):
1572         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
1573         (JSC::DFG::performStaticExecutionCountEstimation):
1574         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1575         (JSC::DFG::performFastStoreBarrierInsertion):
1576         (JSC::DFG::performGlobalStoreBarrierInsertion):
1577         * dfg/DFGStrengthReductionPhase.cpp:
1578         (JSC::DFG::performStrengthReduction):
1579         * dfg/DFGStructureAbstractValue.cpp:
1580         (JSC::DFG::StructureAbstractValue::assertIsRegistered):
1581         (JSC::DFG::StructureAbstractValue::clobber):
1582         (JSC::DFG::StructureAbstractValue::observeTransition):
1583         (JSC::DFG::StructureAbstractValue::observeTransitions):
1584         (JSC::DFG::StructureAbstractValue::add):
1585         (JSC::DFG::StructureAbstractValue::merge):
1586         (JSC::DFG::StructureAbstractValue::mergeSlow):
1587         (JSC::DFG::StructureAbstractValue::mergeNotTop):
1588         (JSC::DFG::StructureAbstractValue::filter):
1589         (JSC::DFG::StructureAbstractValue::filterSlow):
1590         (JSC::DFG::StructureAbstractValue::contains):
1591         (JSC::DFG::StructureAbstractValue::isSubsetOf):
1592         (JSC::DFG::StructureAbstractValue::isSupersetOf):
1593         (JSC::DFG::StructureAbstractValue::overlaps):
1594         (JSC::DFG::StructureAbstractValue::equalsSlow):
1595         * dfg/DFGStructureRegistrationPhase.cpp:
1596         (JSC::DFG::performStructureRegistration):
1597         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1598         (JSC::DFG::performTierUpCheckInjection):
1599         * dfg/DFGTypeCheckHoistingPhase.cpp:
1600         (JSC::DFG::performTypeCheckHoisting):
1601         * dfg/DFGUnificationPhase.cpp:
1602         (JSC::DFG::performUnification):
1603         * dfg/DFGVarargsForwardingPhase.cpp:
1604         (JSC::DFG::performVarargsForwarding):
1605         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1606         (JSC::DFG::performVirtualRegisterAllocation):
1607         * dfg/DFGWatchpointCollectionPhase.cpp:
1608         (JSC::DFG::performWatchpointCollection):
1609         * dynbench.cpp:
1610         * ftl/FTLLowerDFGToB3.cpp:
1611         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
1612         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
1613         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
1614         (JSC::FTL::DFG::LowerDFGToB3::compileGetRegExpObjectLastIndex):
1615         * ftl/FTLOSRExitCompiler.cpp:
1616         (JSC::FTL::compileFTLOSRExit):
1617         * ftl/FTLOutput.cpp:
1618         (JSC::FTL::Output::store):
1619         (JSC::FTL::Output::absolute):
1620         (JSC::FTL::Output::incrementSuperSamplerCount):
1621         (JSC::FTL::Output::decrementSuperSamplerCount):
1622         * ftl/FTLOutput.h:
1623         (JSC::FTL::Output::baseIndex):
1624         (JSC::FTL::Output::load8SignExt32):
1625         (JSC::FTL::Output::load8ZeroExt32):
1626         (JSC::FTL::Output::anchor):
1627         (JSC::FTL::Output::absolute): Deleted.
1628         * heap/Heap.cpp:
1629         (JSC::Heap::markRoots):
1630         (JSC::Heap::collectAndSweep):
1631         (JSC::Heap::collectImpl):
1632         (JSC::Heap::zombifyDeadObjects):
1633         * heap/MarkedBlock.cpp:
1634         (JSC::MarkedBlock::specializedSweep):
1635         * interpreter/Interpreter.cpp:
1636         (JSC::setupVarargsFrameAndSetThis):
1637         (JSC::Interpreter::Interpreter):
1638         (JSC::Interpreter::initialize):
1639         (JSC::checkedReturn):
1640         (JSC::Interpreter::execute):
1641         (JSC::Interpreter::executeCall):
1642         (JSC::Interpreter::executeConstruct):
1643         (JSC::Interpreter::debug):
1644         (JSC::SamplingScope::SamplingScope): Deleted.
1645         (JSC::SamplingScope::~SamplingScope): Deleted.
1646         (JSC::Interpreter::enableSampler): Deleted.
1647         (JSC::Interpreter::dumpSampleData): Deleted.
1648         (JSC::Interpreter::startSampling): Deleted.
1649         (JSC::Interpreter::stopSampling): Deleted.
1650         * interpreter/Interpreter.h:
1651         (JSC::Interpreter::isCallBytecode):
1652         (JSC::Interpreter::sampler): Deleted.
1653         * jit/AssemblyHelpers.cpp:
1654         (JSC::AssemblyHelpers::branchIfNotFastTypedArray):
1655         (JSC::AssemblyHelpers::incrementSuperSamplerCount):
1656         (JSC::AssemblyHelpers::decrementSuperSamplerCount):
1657         (JSC::AssemblyHelpers::purifyNaN):
1658         * jit/AssemblyHelpers.h:
1659         * jit/JIT.cpp:
1660         * jit/JIT.h:
1661         * jit/JITArithmetic.cpp:
1662         * jit/JITArithmetic32_64.cpp:
1663         * jit/JITCall.cpp:
1664         * jit/JITCall32_64.cpp:
1665         * jit/JITOperations.cpp:
1666         * jit/JITPropertyAccess.cpp:
1667         * jit/JITPropertyAccess32_64.cpp:
1668         * jsc.cpp:
1669         (runWithScripts):
1670         (jscmain):
1671         * parser/Nodes.cpp:
1672         * parser/Parser.h:
1673         (JSC::parse):
1674         * runtime/Executable.h:
1675         * runtime/InitializeThreading.cpp:
1676         (JSC::initializeThreading):
1677         * runtime/Options.h:
1678         * runtime/RegExpCachedResult.h:
1679         * runtime/RegExpMatchesArray.h:
1680         (JSC::createRegExpMatchesArray):
1681         * runtime/StringPrototype.cpp:
1682         (JSC::removeUsingRegExpSearch):
1683         (JSC::stringProtoFuncSubstring):
1684         * runtime/VM.cpp:
1685         (JSC::VM::resetDateCache):
1686         (JSC::VM::whenIdle):
1687         (JSC::VM::deleteAllCode):
1688         (JSC::VM::addSourceProviderCache):
1689         (JSC::VM::startSampling): Deleted.
1690         (JSC::VM::stopSampling): Deleted.
1691         (JSC::VM::dumpSampleData): Deleted.
1692         * runtime/VM.h:
1693         (JSC::VM::regExpCache):
1694         * testRegExp.cpp:
1695         (runFromFiles):
1696         * yarr/YarrInterpreter.cpp:
1697         (JSC::Yarr::interpret):
1698
1699 2016-03-17  Saam barati  <sbarati@apple.com>
1700
1701         [ES6] Make GetProperty(.) inside ArrayPrototype.cpp spec compatible.
1702         https://bugs.webkit.org/show_bug.cgi?id=155575
1703
1704         Reviewed by Filip Pizlo and Mark Lam.
1705
1706         This patch makes various Array.prototype.(shift | unshift | splice)
1707         spec compliant. Before, they were performing Get and HasProperty as one 
1708         operation. Instead, they need to be performed as two distinct operations
1709         when it would be observable.
1710
1711         * runtime/ArrayPrototype.cpp:
1712         (JSC::getProperty):
1713         * runtime/PropertySlot.h:
1714         (JSC::PropertySlot::PropertySlot):
1715         (JSC::PropertySlot::isCacheableValue):
1716         (JSC::PropertySlot::isCacheableGetter):
1717         (JSC::PropertySlot::isCacheableCustom):
1718         (JSC::PropertySlot::setIsTaintedByProxy):
1719         (JSC::PropertySlot::isTaintedByProxy):
1720         (JSC::PropertySlot::internalMethodType):
1721         (JSC::PropertySlot::getValue):
1722         * runtime/ProxyObject.cpp:
1723         (JSC::ProxyObject::getOwnPropertySlotCommon):
1724         * tests/es6.yaml:
1725         * tests/stress/proxy-array-prototype-methods.js: Added.
1726         (assert):
1727         (test):
1728         (shallowEq):
1729
1730 2016-03-17  Mark Lam  <mark.lam@apple.com>
1731
1732         Make FunctionMode an enum class.
1733         https://bugs.webkit.org/show_bug.cgi?id=155587
1734
1735         Reviewed by Saam Barati.
1736
1737         * bytecode/UnlinkedFunctionExecutable.cpp:
1738         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1739         * parser/NodeConstructors.h:
1740         (JSC::BaseFuncExprNode::BaseFuncExprNode):
1741         (JSC::FuncExprNode::FuncExprNode):
1742         (JSC::FuncDeclNode::FuncDeclNode):
1743         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
1744         (JSC::MethodDefinitionNode::MethodDefinitionNode):
1745         * parser/ParserModes.h:
1746         (JSC::functionNameIsInScope):
1747
1748 2016-03-17  Michael Saboff  <msaboff@apple.com>
1749
1750         [ES6] Getters and Setters should be prefixed appropriately
1751         https://bugs.webkit.org/show_bug.cgi?id=155593
1752
1753         Reviewed by Mark Lam.
1754
1755         Changed the putDirectNativeIntrinsicGetter() to prepend "get " to the funtion name.
1756
1757         Updated places that had their own macro or hand constructed a getter function to use
1758         the JSC_NATIVE_GETTER macro which will properly append "get ".
1759
1760         Prepended "get " and "set " to the __proto__ accessor created on the Object prototype.
1761
1762         When we create the Symbol.species getter, added an explicit function name of "get [Symbol.species]".
1763
1764         * inspector/JSInjectedScriptHostPrototype.cpp:
1765         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1766         (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
1767         * inspector/JSJavaScriptCallFramePrototype.cpp:
1768         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
1769         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
1770         * runtime/JSGlobalObject.cpp:
1771         (JSC::JSGlobalObject::init):
1772         * runtime/JSObject.cpp:
1773         (JSC::JSObject::putDirectNativeIntrinsicGetter):
1774         * runtime/MapPrototype.cpp:
1775         (JSC::MapPrototype::finishCreation):
1776         (JSC::MapPrototype::getOwnPropertySlot):
1777         * runtime/SetPrototype.cpp:
1778         (JSC::SetPrototype::finishCreation):
1779         (JSC::SetPrototype::getOwnPropertySlot):
1780         * tests/stress/accessors-get-set-prefix.js: Added.
1781         (tryGetOwnPropertyDescriptorGetName):
1782
1783 2016-03-16  Mark Lam  <mark.lam@apple.com>
1784
1785         Method names should not appear in the lexical scope of the method's body.
1786         https://bugs.webkit.org/show_bug.cgi?id=155568
1787
1788         Reviewed by Saam Barati.
1789
1790         Consider this scenario:
1791
1792             var f = "foo";
1793             var result = ({
1794                 f() {
1795                     return f; // f should be the string "foo", not this method f.
1796                 }
1797             }).f();
1798             result === "foo"; // Should be true.
1799
1800         The reason this is not current working is because the parser does not yet
1801         distinguish between FunctionExpressions and MethodDefinitions.  The ES6 spec
1802         explicitly distinguishes between the 2, and we should do the same.
1803         
1804         This patch changes all methods (and getters and setters which are also methods)
1805         to have a FunctionMode of MethodDefinition (instead of FunctionExpression).
1806         functionNameIsInScope() is responsible for determining whether a function's name
1807         should be in its scope or not.  It already returns false for any function
1808         whose FunctionMode is not FunctionExpression.  Giving methods the MethodDefinition
1809         FunctionMode gets us the correct behavior ES6 expects.
1810
1811         * bytecode/UnlinkedFunctionExecutable.cpp:
1812         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1813         * bytecode/UnlinkedFunctionExecutable.h:
1814         * bytecompiler/BytecodeGenerator.cpp:
1815         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
1816         (JSC::BytecodeGenerator::emitNewMethodDefinition):
1817         * bytecompiler/BytecodeGenerator.h:
1818         * bytecompiler/NodesCodegen.cpp:
1819         (JSC::ArrowFuncExprNode::emitBytecode):
1820         (JSC::MethodDefinitionNode::emitBytecode):
1821         (JSC::YieldExprNode::emitBytecode):
1822         * parser/ASTBuilder.h:
1823         (JSC::ASTBuilder::createFunctionExpr):
1824         (JSC::ASTBuilder::createMethodDefinition):
1825         (JSC::ASTBuilder::createFunctionMetadata):
1826         (JSC::ASTBuilder::createGetterOrSetterProperty):
1827         (JSC::ASTBuilder::createArguments):
1828         * parser/NodeConstructors.h:
1829         (JSC::FunctionParameters::FunctionParameters):
1830         (JSC::BaseFuncExprNode::BaseFuncExprNode):
1831         (JSC::FuncExprNode::FuncExprNode):
1832         (JSC::FuncDeclNode::FuncDeclNode):
1833         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
1834         (JSC::MethodDefinitionNode::MethodDefinitionNode):
1835         (JSC::YieldExprNode::YieldExprNode):
1836         * parser/Nodes.h:
1837         (JSC::BaseFuncExprNode::metadata):
1838         * parser/Parser.cpp:
1839         (JSC::Parser<LexerType>::parseClass):
1840         (JSC::Parser<LexerType>::parsePropertyMethod):
1841         * parser/ParserModes.h:
1842         * parser/SyntaxChecker.h:
1843         (JSC::SyntaxChecker::createFunctionExpr):
1844         (JSC::SyntaxChecker::createFunctionMetadata):
1845         (JSC::SyntaxChecker::createArrowFunctionExpr):
1846         (JSC::SyntaxChecker::createMethodDefinition):
1847         (JSC::SyntaxChecker::setFunctionNameStart):
1848         (JSC::SyntaxChecker::createArguments):
1849         * tests/es6.yaml:
1850
1851 2016-03-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1852
1853         REGRESSION(r197380): Build fails with new GCC and Clang
1854         https://bugs.webkit.org/show_bug.cgi?id=155044
1855
1856         Reviewed by Michael Catanzaro.
1857
1858         In C++, std math functions ceil and floor are overloaded for double and float.
1859         Without explicit cast or function pointer assignment, compilers cannot
1860         determine which function address is used in the given context.
1861
1862         * b3/B3LowerMacrosAfterOptimizations.cpp:
1863
1864 2016-03-17  Skachkov Oleksandr  <gskachkov@gmail.com>
1865
1866         Invoking super()/super inside of the eval should not lead to SyntaxError
1867         https://bugs.webkit.org/show_bug.cgi?id=153864
1868
1869         Reviewed by Saam Barati.
1870
1871         Added support of the invoking super/super() inside of the eval within class.
1872         Also support cases when eval is invoked in constructor, class method directly 
1873         or via arrow function. Access to the new.target in eval is not part of this patch
1874         and will be implemented in https://bugs.webkit.org/show_bug.cgi?id=155545
1875
1876         * bytecompiler/BytecodeGenerator.cpp:
1877         (JSC::BytecodeGenerator::BytecodeGenerator):
1878         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1879         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
1880         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
1881         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
1882         (JSC::BytecodeGenerator::isSuperCallUsedInInnerArrowFunction):
1883         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1884         * interpreter/Interpreter.cpp:
1885         (JSC::eval):
1886         * parser/Parser.cpp:
1887         (JSC::Parser<LexerType>::Parser):
1888         (JSC::Parser<LexerType>::parseFunctionInfo):
1889         (JSC::Parser<LexerType>::parseMemberExpression):
1890         * parser/Parser.h:
1891         (JSC::Scope::Scope):
1892         (JSC::Scope::isEvalContext):
1893         (JSC::Scope::setIsEvalContext):
1894         (JSC::parse):
1895         * runtime/CodeCache.cpp:
1896         (JSC::CodeCache::getGlobalCodeBlock):
1897         * tests/stress/arrowfunction-lexical-bind-supercall-4.js:
1898         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1899         * tests/stress/class-syntax-super-in-eval.js: Added.
1900         * tests/stress/generator-with-super.js:
1901
1902 2016-03-15  Filip Pizlo  <fpizlo@apple.com>
1903
1904         ASSERTION FAILED: !edge->isPhantomAllocation() in regress/script-tests/sink-huge-activation.js.ftl-eager in debug mode
1905         https://bugs.webkit.org/show_bug.cgi?id=153805
1906
1907         Reviewed by Mark Lam.
1908
1909         The object allocation sinking phase uses InferredValue::isStillValid() in the opposite
1910         way from most clients: it will do an *extra* optimization if it returns false. The
1911         phase will first compute sink candidates and then it will compute materialization
1912         points. If something is a sink candidate then it is not a materialization point. A
1913         NewFunction node may appear as not being a sink candidate during the first pass, so it's
1914         not added to the set of things that will turn into PhantomNewFunction. But on the second
1915         pass where we add materializations, we check isStillValid() again. Now this may become
1916         false, so that second pass thinks that NewFunction is a sink candidate (even though it's
1917         not in the sink candidates set) and so is not a materialization point.
1918
1919         This manifests as the NewFunction referring to a PhantomCreateActivation or whatever.
1920
1921         The solution is to have the phase cache results of calls to isStillValid(). It's OK if
1922         we just remember the result of the first call and assume that it's not a sink candidate.
1923         That's the worst that can happen.
1924
1925         No new tests since this is a super hard race and sink-huge-activation seemed to already
1926         be catching it.
1927
1928         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1929
1930 2016-03-16  Saam Barati  <sbarati@apple.com>
1931
1932         [ES6] Make Array.prototype.reverse spec compatible.
1933         https://bugs.webkit.org/show_bug.cgi?id=155528
1934
1935         Reviewed by Michael Saboff.
1936
1937         This patch make Array.prototype.reverse spec compatible.
1938         Before, we weren't performing a HasProperty of each index
1939         before performing a Get on that index.  We now do that on
1940         the slow path.
1941
1942         * runtime/ArrayPrototype.cpp:
1943         (JSC::arrayProtoFuncReverse):
1944         * tests/stress/array-reverse-proxy.js: Added.
1945         (assert):
1946         (test):
1947         (shallowCopy):
1948         (shallowEqual):
1949         (let.handler.get getSet):
1950         (test.let.handler.get getSet):
1951
1952 2016-03-16  Chris Dumez  <cdumez@apple.com>
1953
1954         Unreviewed, rolling out r198235, r198240, r198241, and
1955         r198252.
1956
1957         Causing crashes on ARM
1958
1959         Reverted changesets:
1960
1961         "Remove compile time define for SEPARATED_HEAP"
1962         https://bugs.webkit.org/show_bug.cgi?id=155508
1963         http://trac.webkit.org/changeset/198235
1964
1965         "Gardening: build fix after r198235."
1966         http://trac.webkit.org/changeset/198240
1967
1968         "Build fix."
1969         http://trac.webkit.org/changeset/198241
1970
1971         "Rename performJITMemcpy to something more inline with our
1972         normal webkit function names"
1973         https://bugs.webkit.org/show_bug.cgi?id=155525
1974         http://trac.webkit.org/changeset/198252
1975
1976 2016-03-16  Brian Burg <bburg@apple.com>
1977
1978         Unreviewed, rolling out r198257.
1979         https://bugs.webkit.org/show_bug.cgi?id=155553
1980
1981         This change is unnecessary, clients can instead compile the
1982         file with ARC enabled (Requested by brrian on #webkit).
1983
1984         Reverted changeset:
1985
1986         "REGRESSION(r198077): generated Objective-C protocol object
1987         getters leak their wrappers"
1988         https://bugs.webkit.org/show_bug.cgi?id=155523
1989         http://trac.webkit.org/changeset/198257
1990
1991 2016-03-16  Mark Lam  <mark.lam@apple.com>
1992
1993         Add support for setting Function.name from computed properties.
1994         https://bugs.webkit.org/show_bug.cgi?id=155437
1995
1996         Reviewed by Filip Pizlo.
1997
1998         In JS code, we can have initialization of computed properties with function and
1999         class objects e.g.
2000
2001             var o = {
2002                 [x]: function() {},
2003                 [y]: class {}
2004             }
2005
2006         The ES6 spec states that the function and class in the example above (being
2007         anonymous) should take on the value of x and y respectively as their names:
2008
2009             o[x].name; // should be the "stringified" value of x.
2010             o[y].name; // should be the "stringified" value of y.
2011
2012         To achieve this, we will now inject an op_set_function_name bytecode at property
2013         initialization sites if:
2014
2015         1. the property assigned value is a function or class, and
2016         2. the function and class is anonymous, and
2017         3. if property assigned value is a class, it doesn't have a static method
2018            that is statically named "name".
2019
2020         The op_set_function_name will result in JSFunction::setFunctionName() being
2021         called on the target function / class before it is assigned to the property.
2022         JSFunction::setFunctionName() will take care of:
2023
2024         1. computing the name to use from the value of the computed property name
2025            e.g. x and y in the example above.
2026
2027            If the computed property name is not a symbol, then the function / class name
2028            should be the toString() value of that computed property name.
2029
2030            If the computed property name is a symbol, then ...
2031            a. if the Symbol has a defined description (e.g. Symbol("foo")), then the
2032               function / class name should be "[<symbol description>]" e.g. "[foo]".
2033            b. if the Symbol has an undefined description (e.g. Symbol()), then the
2034               function / class name should be "".
2035
2036            Note: Symbol("") is not the same as Symbol().  The former has a defined
2037            descriptor "", and hence, yields a function / class name of "[]".  The latter
2038            yields a function / class name of "".
2039
2040         2. reifying the lazy name property with this function / class name.
2041
2042         op_set_function_name is named after the SetFunctionName internal function
2043         in the ES6 spec that performs the above operation.
2044
2045         It is behaviorally correct to use op_set_function_name at every property
2046         initialization site with computed property names.  However, we choose to not
2047         emit the op_set_function_name bytecode when we already know that it will do
2048         nothing i.e. when the target function / class is proven to already have a name or
2049         name property.  This is done as an optimization to avoid unnecessary calls to
2050         JSFunction::setFunctionName().
2051
2052         Note: we could further check if the class has a static method with a computed
2053         name that is a constant string "name" and elide op_set_function_name there too.
2054         However, we don't bother because this should be rare.  JSFunction::setFunctionName()
2055         will still do the right thing.
2056
2057         * bytecode/BytecodeList.json:
2058         * bytecode/BytecodeUseDef.h:
2059         (JSC::computeUsesForBytecodeOffset):
2060         (JSC::computeDefsForBytecodeOffset):
2061         * bytecode/CodeBlock.cpp:
2062         (JSC::CodeBlock::dumpBytecode):
2063         * bytecompiler/BytecodeGenerator.cpp:
2064         (JSC::BytecodeGenerator::emitNewFunction):
2065         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
2066         (JSC::BytecodeGenerator::emitCall):
2067         * bytecompiler/BytecodeGenerator.h:
2068         * bytecompiler/NodesCodegen.cpp:
2069         (JSC::PropertyListNode::emitBytecode):
2070         (JSC::PropertyListNode::emitPutConstantProperty):
2071         * dfg/DFGAbstractInterpreterInlines.h:
2072         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2073         * dfg/DFGByteCodeParser.cpp:
2074         (JSC::DFG::ByteCodeParser::parseBlock):
2075         * dfg/DFGCapabilities.cpp:
2076         (JSC::DFG::capabilityLevel):
2077         * dfg/DFGClobberize.h:
2078         (JSC::DFG::clobberize):
2079         * dfg/DFGDoesGC.cpp:
2080         (JSC::DFG::doesGC):
2081         * dfg/DFGFixupPhase.cpp:
2082         (JSC::DFG::FixupPhase::fixupNode):
2083         * dfg/DFGNodeType.h:
2084         * dfg/DFGPredictionPropagationPhase.cpp:
2085         (JSC::DFG::PredictionPropagationPhase::propagate):
2086         * dfg/DFGSafeToExecute.h:
2087         (JSC::DFG::safeToExecute):
2088         * dfg/DFGSpeculativeJIT.cpp:
2089         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2090         (JSC::DFG::SpeculativeJIT::compileSetFunctionName):
2091         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
2092         * dfg/DFGSpeculativeJIT.h:
2093         (JSC::DFG::SpeculativeJIT::callOperation):
2094         * dfg/DFGSpeculativeJIT32_64.cpp:
2095         (JSC::DFG::SpeculativeJIT::compile):
2096         * dfg/DFGSpeculativeJIT64.cpp:
2097         (JSC::DFG::SpeculativeJIT::compile):
2098         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2099         * ftl/FTLCapabilities.cpp:
2100         (JSC::FTL::canCompile):
2101         * ftl/FTLLowerDFGToB3.cpp:
2102         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2103         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2104         (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName):
2105         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
2106         * jit/JIT.cpp:
2107         (JSC::JIT::privateCompileMainPass):
2108         * jit/JIT.h:
2109         * jit/JITInlines.h:
2110         (JSC::JIT::callOperation):
2111         * jit/JITOpcodes.cpp:
2112         (JSC::JIT::emit_op_to_primitive):
2113         (JSC::JIT::emit_op_set_function_name):
2114         (JSC::JIT::emit_op_strcat):
2115         * jit/JITOpcodes32_64.cpp:
2116         (JSC::JIT::emitSlow_op_to_primitive):
2117         (JSC::JIT::emit_op_set_function_name):
2118         (JSC::JIT::emit_op_strcat):
2119         * jit/JITOperations.cpp:
2120         * jit/JITOperations.h:
2121         * llint/LLIntSlowPaths.cpp:
2122         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2123         (JSC::LLInt::handleHostCall):
2124         * llint/LLIntSlowPaths.h:
2125         * llint/LowLevelInterpreter.asm:
2126         * parser/Nodes.cpp:
2127         (JSC::FunctionNode::finishParsing):
2128         (JSC::PropertyListNode::hasStaticallyNamedProperty):
2129         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
2130         * parser/Nodes.h:
2131         * runtime/JSFunction.cpp:
2132         (JSC::getCalculatedDisplayName):
2133         (JSC::JSFunction::setFunctionName):
2134         (JSC::JSFunction::reifyLength):
2135         (JSC::JSFunction::reifyName):
2136         * runtime/JSFunction.h:
2137         * tests/es6.yaml:
2138         * tests/stress/computed-function-names.js: Added.
2139         (toKeyString):
2140         (toFuncName):
2141         (shouldBe):
2142         (return.propKey):
2143
2144 2016-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2145
2146         [ES6] Reflect.set with receiver
2147         https://bugs.webkit.org/show_bug.cgi?id=155294
2148
2149         Reviewed by Saam Barati.
2150
2151         This patch introduces the receiver parameter support for Reflect.set.
2152         Reflect.set can alter the receiver with arbitrary values.
2153         Each property descriptor uses the receiver in [[Set]].
2154
2155         1) In the accessor descriptor case, the receiver is used as |this| value for setter calls.
2156         2) In the data descriptor case, the actual property will be set onto the receiver objects.
2157
2158         The current put operation does not support the receiver that is different from the base object.
2159         In particular, (2) case is not supported.
2160         The naive implementation adds one more [[GetOwnProperty]] for the receiver per [[Set]] (9.1.9.1-4-c [1]), and it is unacceptable.
2161         To keep the fast path efficiently, we fall back to the slow but generic implementation (ordinarySetSlow)
2162         only when the receiver is altered.
2163
2164         We need not to change any JIT part, because the JS code cannot alter the receiver without Reflect.set.
2165         The property accesses generated by the JIT code always have the receiver that is the same to the base object.
2166         ProxyObject can alter the receiver, but this situation has no problem because ProxyObject disables Inline Caching.
2167         NOTE: Generating Inline Caching for JSProxy (that is used for the Window proxy) is already disabled before this change.
2168
2169         [1]: https://tc39.github.io/ecma262/#sec-ordinaryset
2170
2171         * jsc.cpp:
2172         (functionCreateProxy):
2173         * runtime/GenericArgumentsInlines.h:
2174         (JSC::GenericArguments<Type>::put):
2175         * runtime/JSArray.cpp:
2176         (JSC::JSArray::put):
2177         * runtime/JSArrayBuffer.cpp:
2178         (JSC::JSArrayBuffer::put):
2179         * runtime/JSArrayBufferView.cpp:
2180         (JSC::JSArrayBufferView::put):
2181         * runtime/JSCJSValue.h:
2182         * runtime/JSCJSValueInlines.h:
2183         (JSC::isThisValueAltered):
2184         * runtime/JSDataView.cpp:
2185         (JSC::JSDataView::put):
2186         * runtime/JSFunction.cpp:
2187         (JSC::JSFunction::put):
2188         * runtime/JSGenericTypedArrayViewInlines.h:
2189         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2190         * runtime/JSGlobalObject.cpp:
2191         (JSC::JSGlobalObject::put):
2192         * runtime/JSObject.cpp:
2193         (JSC::ordinarySetSlow):
2194         (JSC::JSObject::putInlineSlow):
2195         * runtime/JSObject.h:
2196         * runtime/JSObjectInlines.h:
2197         (JSC::JSObject::putInline):
2198         * runtime/JSProxy.h:
2199         (JSC::JSProxy::createStructure):
2200         * runtime/Lookup.h:
2201         (JSC::putEntry):
2202         * runtime/PropertySlot.h:
2203         * runtime/ProxyObject.cpp:
2204         (JSC::ProxyObject::put):
2205         * runtime/PutPropertySlot.h:
2206         (JSC::PutPropertySlot::PutPropertySlot):
2207         (JSC::PutPropertySlot::isCacheablePut):
2208         (JSC::PutPropertySlot::isCacheableSetter):
2209         (JSC::PutPropertySlot::isCacheableCustom):
2210         (JSC::PutPropertySlot::isCustomAccessor):
2211         (JSC::PutPropertySlot::disableCaching):
2212         (JSC::PutPropertySlot::isCacheable):
2213         * runtime/ReflectObject.cpp:
2214         (JSC::reflectObjectSet):
2215         * runtime/RegExpObject.cpp:
2216         (JSC::RegExpObject::put):
2217         (JSC::reject): Deleted.
2218         * runtime/StringObject.cpp:
2219         (JSC::StringObject::put):
2220         * tests/es6.yaml:
2221         * tests/stress/ordinary-set-exceptions.js: Added.
2222         (shouldBe):
2223         (shouldThrow):
2224         (shouldThrow.set get var):
2225         * tests/stress/proxy-set.js:
2226         * tests/stress/reflect-set-proxy-set.js: Copied from Source/JavaScriptCore/tests/stress/proxy-set.js.
2227         (shouldBe):
2228         (unreachable):
2229         (assert):
2230         (throw.new.Error.let.handler.set 45):
2231         (throw.new.Error):
2232         (let.target.set x):
2233         (let.target.get x):
2234         (set let):
2235         * tests/stress/reflect-set-receiver-proxy-set.js: Added.
2236         (shouldBe):
2237         (unreachable):
2238         (assert):
2239         (let.handler.set 45):
2240         (catch):
2241         (let.target.set x):
2242         (let.target.get x):
2243         (set let):
2244         * tests/stress/reflect-set-with-global-proxy.js: Added.
2245         (shouldBe):
2246         (unreachable):
2247         (get shouldBe):
2248         (set shouldBe):
2249         (set test1):
2250         (set test2):
2251         (set test3):
2252         * tests/stress/reflect-set.js:
2253         (shouldThrow):
2254         (unreachable):
2255         (get shouldBe):
2256         (set shouldBe):
2257         (receiverTestIndexed):
2258         (set get Uint8Array):
2259         (receiverCase): Deleted.
2260         (proxyCase): Deleted.
2261         (stringObjectCase.set get shouldBe): Deleted.
2262         (regExpLastIndex): Deleted.
2263
2264 2016-03-15  Benjamin Poulain  <bpoulain@apple.com>
2265
2266         [JSC] Remove hint from SlowCaseEntry
2267         https://bugs.webkit.org/show_bug.cgi?id=155530
2268
2269         Reviewed by Alex Christensen.
2270
2271         * jit/JIT.h:
2272         (JSC::SlowCaseEntry::SlowCaseEntry):
2273
2274 2016-03-15  Brian Burg  <bburg@apple.com>
2275
2276         REGRESSION(r198077): generated Objective-C protocol object getters leak their wrappers
2277         https://bugs.webkit.org/show_bug.cgi?id=155523
2278         <rdar://problem/25181764>
2279
2280         Reviewed by Joseph Pecoraro.
2281
2282         Since the code may not be compiled with ARC, autorelease the returned wrapper.
2283
2284         * inspector/scripts/codegen/objc_generator.py:
2285         (ObjCGenerator.protocol_to_objc_expression_for_member):
2286         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2287         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2288
2289 2016-03-15  Benjamin Poulain  <bpoulain@apple.com>
2290
2291         [JSC] Help clang generate better code on arrayProtoFuncToString()
2292         https://bugs.webkit.org/show_bug.cgi?id=155512
2293
2294         Reviewed by Mark Lam.
2295
2296         3d-raytrace hits Array.toString() hard with small arrays.
2297         Half of the time is going into overhead around the StringJoiner.
2298         This patch makes the function shorter and the layout better.
2299
2300         * runtime/ArrayPrototype.cpp:
2301         (JSC::arrayProtoFuncToString):
2302         Add "UNLIKELY" on rare cases. Clang pushes that code to the tail.
2303
2304         Factor the code of jsMakeNontrivialString() so that the operation
2305         is not duplicated in the function.
2306
2307         * runtime/JSStringBuilder.h:
2308         (JSC::jsMakeNontrivialString):
2309         jsNontrivialString() supports r-value reference.
2310         Move the result string into jsNontrivialString(), this removes
2311         the deref+destructor from the function.
2312
2313         * runtime/JSStringJoiner.cpp:
2314         (JSC::JSStringJoiner::~JSStringJoiner):
2315         The destructor is pretty large. No point in inlining it.
2316
2317         (JSC::joinStrings):
2318         * runtime/JSStringJoiner.h:
2319         (JSC::JSStringJoiner::JSStringJoiner):
2320         (JSC::JSStringJoiner::append):
2321         The calls were duplicated. That's unnecessary.
2322
2323         * runtime/NumericStrings.h:
2324         (JSC::NumericStrings::add):
2325         Return a reference in all cases.
2326         This removes a deref+destructor.
2327
2328 2016-03-15  Joseph Pecoraro  <pecoraro@apple.com>
2329
2330         Remove stale ArrayPrototype declarations
2331         https://bugs.webkit.org/show_bug.cgi?id=155520
2332
2333         Reviewed by Mark Lam.
2334
2335         * runtime/ArrayPrototype.cpp:
2336         The implementations went away when the methods were moved to builtins
2337         but the declarations were left behind.
2338
2339 2016-03-15  Oliver Hunt  <oliver@apple.com>
2340
2341         Rename performJITMemcpy to something more inline with our normal webkit function names
2342         https://bugs.webkit.org/show_bug.cgi?id=155525
2343
2344         Reviewed by Saam Barati.
2345
2346         Simple bulk search/replace with a better name.
2347
2348         * assembler/ARM64Assembler.h:
2349         (JSC::ARM64Assembler::fillNops):
2350         (JSC::ARM64Assembler::replaceWithJump):
2351         (JSC::ARM64Assembler::replaceWithLoad):
2352         (JSC::ARM64Assembler::replaceWithAddressComputation):
2353         (JSC::ARM64Assembler::setPointer):
2354         (JSC::ARM64Assembler::repatchInt32):
2355         (JSC::ARM64Assembler::repatchCompact):
2356         (JSC::ARM64Assembler::linkJumpOrCall):
2357         (JSC::ARM64Assembler::linkCompareAndBranch):
2358         (JSC::ARM64Assembler::linkConditionalBranch):
2359         (JSC::ARM64Assembler::linkTestAndBranch):
2360         * assembler/LinkBuffer.cpp:
2361         (JSC::LinkBuffer::copyCompactAndLinkCode):
2362         * jit/ExecutableAllocator.h:
2363         (JSC::writeToExecutableRegion):
2364         (JSC::performJITMemcpy): Deleted.
2365
2366 2016-03-15  Oliver Hunt  <oliver@apple.com>
2367
2368         Build fix.
2369
2370         * jit/ExecutableAllocatorFixedVMPool.cpp:
2371
2372 2016-03-15  Mark Lam  <mark.lam@apple.com>
2373
2374         Gardening: build fix after r198235.
2375
2376         Not Reviewed.
2377
2378         * jit/ExecutableAllocatorFixedVMPool.cpp:
2379         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2380
2381 2016-03-15  Oliver Hunt  <oliver@apple.com>
2382
2383         Remove compile time define for SEPARATED_HEAP
2384         https://bugs.webkit.org/show_bug.cgi?id=155508
2385
2386         Reviewed by Mark Lam.
2387
2388         This removes the compile time define for the SEPARATED_HEAP
2389         feature, and moves to a default-off runtime preference.
2390
2391         This happily also removes the need for world rebuilds while
2392         bringing it up on different platforms.
2393
2394         * Configurations/FeatureDefines.xcconfig:
2395         * assembler/LinkBuffer.cpp:
2396         (JSC::LinkBuffer::copyCompactAndLinkCode):
2397         * jit/ExecutableAllocator.h:
2398         (JSC::performJITMemcpy):
2399         * jit/ExecutableAllocatorFixedVMPool.cpp:
2400         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2401         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2402         (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
2403         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted.
2404         * runtime/Options.cpp:
2405         (JSC::recomputeDependentOptions):
2406         * runtime/Options.h:
2407
2408 2016-03-15  Commit Queue  <commit-queue@webkit.org>
2409
2410         Unreviewed, rolling out r198148.
2411         https://bugs.webkit.org/show_bug.cgi?id=155518
2412
2413         "Lets do this patch at a later time" (Requested by saamyjoon
2414         on #webkit).
2415
2416         Reverted changeset:
2417
2418         "[ES6] Disallow var assignments in for-in loops"
2419         https://bugs.webkit.org/show_bug.cgi?id=155451
2420         http://trac.webkit.org/changeset/198148
2421
2422 2016-03-15  Joseph Pecoraro  <pecoraro@apple.com>
2423
2424         REGRESSION: ASSERTION FAILED: !m_lastActiveBlock on js/function-apply.html
2425         https://bugs.webkit.org/show_bug.cgi?id=155411
2426         <rdar://problem/25134537>
2427
2428         Reviewed by Mark Lam.
2429
2430         * heap/Heap.cpp:
2431         (JSC::Heap::collectImpl):
2432         (JSC::Heap::didFinishCollection):
2433         During collection allocators are stop/reset. The HeapProfiler tasks
2434         were using HeapIterationScope (to satisfy MarkedSpace forEachCell API
2435         contracts) which was doing its own stop/resume of allocators. Doing a
2436         stop/resume in between the normal stop/reset of collection is unexpected.
2437
2438         Move this to didFinishCollection, alongside other heap iterations
2439         like zombies and immortal objects. Putting this after those tasks
2440         also means the heap snapshots will respect the zombies/immortal options
2441         when deciding if the cell is alive or not.
2442
2443 2016-03-15  Saam Barati  <sbarati@apple.com>
2444
2445         We should have different JSTypes for JSGlobalLexicalEnvironment and JSLexicalEnvironment and JSModuleEnvironment
2446         https://bugs.webkit.org/show_bug.cgi?id=152406
2447
2448         Reviewed by Mark Lam.
2449
2450         This makes testing for a JSGlobalLexicalEnvironment faster
2451         because we can just check the Cell's type instead of using
2452         jsDynamicCast. I also changed code that does jsDynamicCast<JSGlobalObject*>
2453         instead of isGlobalObject().
2454
2455         * interpreter/Interpreter.cpp:
2456         (JSC::Interpreter::execute):
2457         * jit/JITOperations.cpp:
2458         * llint/LLIntSlowPaths.cpp:
2459         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2460         * runtime/CommonSlowPaths.cpp:
2461         (JSC::SLOW_PATH_DECL):
2462         * runtime/CommonSlowPaths.h:
2463         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2464         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2465         * runtime/JSGlobalLexicalEnvironment.h:
2466         (JSC::JSGlobalLexicalEnvironment::createStructure):
2467         * runtime/JSLexicalEnvironment.h:
2468         (JSC::JSLexicalEnvironment::createStructure):
2469         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
2470         * runtime/JSModuleEnvironment.h:
2471         (JSC::JSModuleEnvironment::createStructure):
2472         (JSC::JSModuleEnvironment::offsetOfModuleRecord):
2473         * runtime/JSObject.h:
2474         (JSC::JSObject::isGlobalObject):
2475         (JSC::JSObject::isJSLexicalEnvironment):
2476         (JSC::JSObject::isGlobalLexicalEnvironment):
2477         (JSC::JSObject::isErrorInstance):
2478         * runtime/JSScope.cpp:
2479         (JSC::abstractAccess):
2480         (JSC::isUnscopable):
2481         (JSC::JSScope::resolve):
2482         (JSC::JSScope::collectVariablesUnderTDZ):
2483         (JSC::JSScope::isVarScope):
2484         (JSC::JSScope::isLexicalScope):
2485         (JSC::JSScope::isModuleScope):
2486         (JSC::JSScope::isCatchScope):
2487         (JSC::JSScope::isFunctionNameScopeObject):
2488         (JSC::JSScope::isNestedLexicalScope):
2489         (JSC::JSScope::constantScopeForCodeBlock):
2490         (JSC::isScopeType): Deleted.
2491         (JSC::JSScope::isGlobalLexicalEnvironment): Deleted.
2492         * runtime/JSScope.h:
2493         * runtime/JSType.h:
2494
2495 2016-03-15  Filip Pizlo  <fpizlo@apple.com>
2496
2497         Remove the Baker barrier from JSC
2498         https://bugs.webkit.org/show_bug.cgi?id=155479
2499
2500         Reviewed by Saam Barati.
2501
2502         It's been a while since I added a Baker barrier, but I never followed it up with an actual
2503         concurrent GC. While thinking about the GC, I became convinced that the right path forward
2504         is to do a non-copying concurrent GC. That is, remove the copied space and just use the
2505         marked space. The downside of using marked space cannot be more than the overhead of the
2506         Baker barrier, so concurrent non-copying GC is definitely better than copying
2507         non-concurrent GC. I also suspect that just plain non-copying non-concurrent GC is going to
2508         be fine also, so the path forward will probably be to first just remove CopiedSpace.
2509
2510         Anyway, for now this patch just removes the Baker barrier. It was a cute implementation but
2511         it just cost performance and I don't think we'll ever use it.
2512
2513         * CMakeLists.txt:
2514         * JavaScriptCore.xcodeproj/project.pbxproj:
2515         * bytecode/PolymorphicAccess.cpp:
2516         (JSC::AccessCase::generate):
2517         * dfg/DFGAbstractInterpreterInlines.h:
2518         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2519         * dfg/DFGArgumentsEliminationPhase.cpp:
2520         * dfg/DFGClobberize.h:
2521         (JSC::DFG::clobberize):
2522         * dfg/DFGCopyBarrierOptimizationPhase.cpp: Removed.
2523         * dfg/DFGCopyBarrierOptimizationPhase.h: Removed.
2524         * dfg/DFGDoesGC.cpp:
2525         (JSC::DFG::doesGC):
2526         * dfg/DFGFixupPhase.cpp:
2527         (JSC::DFG::FixupPhase::fixupNode):
2528         * dfg/DFGHeapLocation.cpp:
2529         (WTF::printInternal):
2530         * dfg/DFGHeapLocation.h:
2531         * dfg/DFGNodeType.h:
2532         * dfg/DFGOperations.cpp:
2533         * dfg/DFGOperations.h:
2534         * dfg/DFGPlan.cpp:
2535         (JSC::DFG::Plan::compileInThreadImpl):
2536         * dfg/DFGPredictionPropagationPhase.cpp:
2537         (JSC::DFG::PredictionPropagationPhase::propagate):
2538         * dfg/DFGSafeToExecute.h:
2539         (JSC::DFG::safeToExecute):
2540         * dfg/DFGSpeculativeJIT.cpp:
2541         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2542         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2543         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2544         * dfg/DFGSpeculativeJIT32_64.cpp:
2545         (JSC::DFG::SpeculativeJIT::compile):
2546         * dfg/DFGSpeculativeJIT64.cpp:
2547         (JSC::DFG::SpeculativeJIT::compile):
2548         * dfg/DFGTypeCheckHoistingPhase.cpp:
2549         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2550         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2551         * ftl/FTLCapabilities.cpp:
2552         (JSC::FTL::canCompile):
2553         * ftl/FTLLowerDFGToB3.cpp:
2554         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2555         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2556         (JSC::FTL::DFG::LowerDFGToB3::compileConstantStoragePointer):
2557         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2558         (JSC::FTL::DFG::LowerDFGToB3::compileCheckArray):
2559         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
2560         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
2561         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2562         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2563         (JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
2564         (JSC::FTL::DFG::LowerDFGToB3::getById):
2565         (JSC::FTL::DFG::LowerDFGToB3::isFastTypedArray):
2566         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterflyReadOnly): Deleted.
2567         (JSC::FTL::DFG::LowerDFGToB3::loadButterflyWithBarrier): Deleted.
2568         (JSC::FTL::DFG::LowerDFGToB3::loadVectorWithBarrier): Deleted.
2569         (JSC::FTL::DFG::LowerDFGToB3::copyBarrier): Deleted.
2570         (JSC::FTL::DFG::LowerDFGToB3::isInToSpace): Deleted.
2571         (JSC::FTL::DFG::LowerDFGToB3::loadButterflyReadOnly): Deleted.
2572         (JSC::FTL::DFG::LowerDFGToB3::loadVectorReadOnly): Deleted.
2573         (JSC::FTL::DFG::LowerDFGToB3::removeSpaceBits): Deleted.
2574         * heap/CopyBarrier.h:
2575         (JSC::CopyBarrierBase::CopyBarrierBase):
2576         (JSC::CopyBarrierBase::operator bool):
2577         (JSC::CopyBarrierBase::get):
2578         (JSC::CopyBarrierBase::clear):
2579         (JSC::CopyBarrierBase::setWithoutBarrier):
2580         (JSC::CopyBarrier::CopyBarrier):
2581         (JSC::CopyBarrier::get):
2582         (JSC::CopyBarrier::set):
2583         (JSC::CopyBarrier::setWithoutBarrier):
2584         (JSC::CopyBarrierBase::operator!): Deleted.
2585         (JSC::CopyBarrierBase::getWithoutBarrier): Deleted.
2586         (JSC::CopyBarrierBase::getPredicated): Deleted.
2587         (JSC::CopyBarrierBase::copyState): Deleted.
2588         (JSC::CopyBarrierBase::setCopyState): Deleted.
2589         (JSC::CopyBarrierBase::weakCASWithoutBarrier): Deleted.
2590         (JSC::CopyBarrier::getWithoutBarrier): Deleted.
2591         (JSC::CopyBarrier::getPredicated): Deleted.
2592         (JSC::CopyBarrier::weakCASWithoutBarrier): Deleted.
2593         * heap/Heap.cpp:
2594         (JSC::Heap::addToRememberedSet):
2595         (JSC::Heap::collectAndSweep):
2596         (JSC::Heap::copyBarrier): Deleted.
2597         * heap/Heap.h:
2598         (JSC::Heap::writeBarrierBuffer):
2599         * jit/AssemblyHelpers.cpp:
2600         (JSC::AssemblyHelpers::branchIfNotFastTypedArray):
2601         (JSC::AssemblyHelpers::purifyNaN):
2602         (JSC::AssemblyHelpers::loadTypedArrayVector): Deleted.
2603         * jit/AssemblyHelpers.h:
2604         (JSC::AssemblyHelpers::branchStructure):
2605         (JSC::AssemblyHelpers::addressForByteOffset):
2606         (JSC::AssemblyHelpers::branchIfToSpace): Deleted.
2607         (JSC::AssemblyHelpers::branchIfNotToSpace): Deleted.
2608         (JSC::AssemblyHelpers::removeSpaceBits): Deleted.
2609         * jit/JIT.cpp:
2610         (JSC::JIT::privateCompileMainPass):
2611         (JSC::JIT::privateCompile):
2612         * jit/JITOpcodes.cpp:
2613         (JSC::JIT::emitSlow_op_has_indexed_property):
2614         (JSC::JIT::emit_op_get_direct_pname):
2615         (JSC::JIT::emitSlow_op_get_direct_pname):
2616         * jit/JITOpcodes32_64.cpp:
2617         (JSC::JIT::emit_op_get_direct_pname):
2618         (JSC::JIT::emitSlow_op_get_direct_pname):
2619         * jit/JITPropertyAccess.cpp:
2620         (JSC::JIT::emitDoubleLoad):
2621         (JSC::JIT::emitContiguousLoad):
2622         (JSC::JIT::emitArrayStorageLoad):
2623         (JSC::JIT::emitSlow_op_get_by_val):
2624         (JSC::JIT::emitGenericContiguousPutByVal):
2625         (JSC::JIT::emitArrayStoragePutByVal):
2626         (JSC::JIT::emitSlow_op_put_by_val):
2627         (JSC::JIT::emit_op_get_from_scope):
2628         (JSC::JIT::emitSlow_op_get_from_scope):
2629         (JSC::JIT::emit_op_put_to_scope):
2630         (JSC::JIT::emitSlow_op_put_to_scope):
2631         (JSC::JIT::emitIntTypedArrayGetByVal):
2632         (JSC::JIT::emitFloatTypedArrayGetByVal):
2633         (JSC::JIT::emitIntTypedArrayPutByVal):
2634         (JSC::JIT::emitFloatTypedArrayPutByVal):
2635         * llint/LowLevelInterpreter.asm:
2636         * llint/LowLevelInterpreter64.asm:
2637         * runtime/DirectArguments.cpp:
2638         (JSC::DirectArguments::visitChildren):
2639         (JSC::DirectArguments::copyBackingStore):
2640         (JSC::DirectArguments::overrideArgument):
2641         (JSC::DirectArguments::copyToArguments):
2642         * runtime/DirectArguments.h:
2643         (JSC::DirectArguments::canAccessIndexQuickly):
2644         (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG):
2645         * runtime/JSArray.cpp:
2646         (JSC::JSArray::setLength):
2647         (JSC::JSArray::pop):
2648         (JSC::JSArray::push):
2649         (JSC::JSArray::fastSlice):
2650         (JSC::JSArray::fastConcatWith):
2651         (JSC::JSArray::shiftCountWithArrayStorage):
2652         (JSC::JSArray::shiftCountWithAnyIndexingType):
2653         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2654         (JSC::JSArray::fillArgList):
2655         (JSC::JSArray::copyToArguments):
2656         * runtime/JSArrayBufferView.cpp:
2657         (JSC::JSArrayBufferView::finalize):
2658         * runtime/JSArrayBufferView.h:
2659         (JSC::JSArrayBufferView::isNeutered):
2660         (JSC::JSArrayBufferView::vector):
2661         (JSC::JSArrayBufferView::length):
2662         * runtime/JSGenericTypedArrayViewInlines.h:
2663         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2664         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore):
2665         * runtime/JSObject.cpp:
2666         (JSC::JSObject::visitChildren):
2667         (JSC::JSObject::copyBackingStore):
2668         (JSC::JSObject::heapSnapshot):
2669         (JSC::JSObject::getOwnPropertySlotByIndex):
2670         (JSC::JSObject::putByIndex):
2671         (JSC::JSObject::enterDictionaryIndexingMode):
2672         (JSC::JSObject::createInitialIndexedStorage):
2673         (JSC::JSObject::createArrayStorage):
2674         (JSC::JSObject::convertUndecidedToInt32):
2675         (JSC::JSObject::convertUndecidedToDouble):
2676         (JSC::JSObject::convertUndecidedToContiguous):
2677         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2678         (JSC::JSObject::convertUndecidedToArrayStorage):
2679         (JSC::JSObject::convertInt32ToDouble):
2680         (JSC::JSObject::convertInt32ToContiguous):
2681         (JSC::JSObject::convertInt32ToArrayStorage):
2682         (JSC::JSObject::convertDoubleToContiguous):
2683         (JSC::JSObject::convertDoubleToArrayStorage):
2684         (JSC::JSObject::convertContiguousToArrayStorage):
2685         (JSC::JSObject::setIndexQuicklyToUndecided):
2686         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2687         (JSC::JSObject::deletePropertyByIndex):
2688         (JSC::JSObject::getOwnPropertyNames):
2689         (JSC::JSObject::putIndexedDescriptor):
2690         (JSC::JSObject::defineOwnIndexedProperty):
2691         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2692         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2693         (JSC::JSObject::getNewVectorLength):
2694         (JSC::JSObject::ensureLengthSlow):
2695         (JSC::JSObject::reallocateAndShrinkButterfly):
2696         (JSC::JSObject::growOutOfLineStorage):
2697         (JSC::getBoundSlotBaseFunctionForGetterSetter):
2698         (JSC::JSObject::getEnumerableLength):
2699         * runtime/JSObject.h:
2700         (JSC::JSObject::getArrayLength):
2701         (JSC::JSObject::getVectorLength):
2702         (JSC::JSObject::canGetIndexQuickly):
2703         (JSC::JSObject::getIndexQuickly):
2704         (JSC::JSObject::tryGetIndexQuickly):
2705         (JSC::JSObject::canSetIndexQuickly):
2706         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2707         (JSC::JSObject::setIndexQuickly):
2708         (JSC::JSObject::initializeIndex):
2709         (JSC::JSObject::hasSparseMap):
2710         (JSC::JSObject::inSparseIndexingMode):
2711         (JSC::JSObject::inlineStorage):
2712         (JSC::JSObject::butterfly):
2713         (JSC::JSObject::outOfLineStorage):
2714         (JSC::JSObject::locationForOffset):
2715         (JSC::JSObject::ensureInt32):
2716         (JSC::JSObject::ensureDouble):
2717         (JSC::JSObject::ensureContiguous):
2718         (JSC::JSObject::ensureArrayStorage):
2719         (JSC::JSObject::arrayStorage):
2720         (JSC::JSObject::arrayStorageOrNull):
2721         (JSC::JSObject::ensureLength):
2722         (JSC::JSObject::putDirectWithoutTransition):
2723         * runtime/MapData.h:
2724         (JSC::JSIterator>::IteratorData::next):
2725         (JSC::JSIterator>::IteratorData::refreshCursor):
2726         * runtime/MapDataInlines.h:
2727         (JSC::JSIterator>::find):
2728         (JSC::JSIterator>::add):
2729         (JSC::JSIterator>::remove):
2730         (JSC::JSIterator>::replaceAndPackBackingStore):
2731         (JSC::JSIterator>::replaceBackingStore):
2732         (JSC::JSIterator>::ensureSpaceForAppend):
2733         (JSC::JSIterator>::visitChildren):
2734         (JSC::JSIterator>::copyBackingStore):
2735         * runtime/Options.h:
2736
2737 2016-03-15  Saam barati  <sbarati@apple.com>
2738
2739         Destructuring parameters are evaluated in the wrong scope
2740         https://bugs.webkit.org/show_bug.cgi?id=155454
2741
2742         Reviewed by Geoffrey Garen.
2743
2744         This patch makes our engine compatible with how parameter
2745         lists are evaluated in ES6. A parameter list that contains
2746         a rest parameter, any destructuring patterns, or default parameter values, 
2747         is classified as being non-simple. Non-simple parameter lists
2748         must get their own scope to live in, and the variables in the
2749         scope are under TDZ. This means that functions evaluated in the
2750         parameter list don't have access to variables inside the function
2751         body. Also, non-simple parameter lists get the strict-mode arguments object.
2752
2753         * bytecompiler/BytecodeGenerator.cpp:
2754         (JSC::BytecodeGenerator::BytecodeGenerator):
2755         (JSC::BytecodeGenerator::~BytecodeGenerator):
2756         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2757         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2758         * bytecompiler/BytecodeGenerator.h:
2759         * parser/Nodes.h:
2760         (JSC::FunctionParameters::size):
2761         (JSC::FunctionParameters::at):
2762         (JSC::FunctionParameters::append):
2763         (JSC::FunctionParameters::hasDefaultParameterValues): Deleted.
2764         * tests/es6.yaml:
2765         * tests/stress/parameter-scoping.js: Added.
2766         (assert):
2767         (test):
2768         (test.foo):
2769         (test.):
2770
2771 2016-03-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2772
2773         [JSC] Don't reference the properties of @Reflect directly
2774         https://bugs.webkit.org/show_bug.cgi?id=155436
2775
2776         Reviewed by Geoffrey Garen.
2777
2778         Reflect.ownKeys and Reflect.getOwnPropertyDescriptor can be altered with the user-crafted values.
2779         Instead of referencing them directly, let's reference them through private names.
2780
2781         * builtins/ObjectConstructor.js:
2782         (assign):
2783         * runtime/CommonIdentifiers.h:
2784         * runtime/ObjectConstructor.cpp:
2785         (JSC::ObjectConstructor::finishCreation): Deleted.
2786         * runtime/ReflectObject.cpp:
2787         (JSC::ReflectObject::finishCreation):
2788         * tests/stress/object-assign-correctness.js:
2789         (runTests.):
2790         (runTests.get let):
2791         (Reflect.ownKeys):
2792         (Reflect.getOwnPropertyDescriptor):
2793         (test.let.handler.switch.case.string_appeared_here.return.get enumerable): Deleted.
2794         (test.let.handler.getOwnPropertyDescriptor): Deleted.
2795         (test.let.handler.ownKeys): Deleted.
2796         (test.let.handler.get getProps): Deleted.
2797         (test.let.handler): Deleted.
2798         (test): Deleted.
2799
2800 2016-03-14  Daniel Bates  <dabates@apple.com>
2801
2802         Web Inspector: Display Content Security Policy hash in details sidebar for script and style elements
2803         https://bugs.webkit.org/show_bug.cgi?id=155466
2804         <rdar://problem/25152480>
2805
2806         Reviewed by Joseph Pecoraro and Timothy Hatcher.
2807
2808         Add property contentSecurityPolicyHash to store the CSP hash for an HTML style element or an
2809         applicable HTML script element.
2810
2811         * inspector/protocol/DOM.json:
2812
2813 2016-03-14  Joonghun Park  <jh718.park@samsung.com>
2814
2815         Purge PassRefPtr from ArrayBuffer, ArchiveResource, Pasteboard, LegacyWebArchive and DataObjectGtk
2816         https://bugs.webkit.org/show_bug.cgi?id=150497
2817
2818         Reviewed by Darin Adler.
2819
2820         * runtime/ArrayBuffer.h:
2821         (JSC::ArrayBuffer::create):
2822         (JSC::ArrayBuffer::createAdopted):
2823         (JSC::ArrayBuffer::createFromBytes):
2824         (JSC::ArrayBuffer::createUninitialized):
2825         (JSC::ArrayBuffer::slice):
2826         (JSC::ArrayBuffer::sliceImpl):
2827
2828 2016-03-14  Benjamin Poulain  <bpoulain@apple.com>
2829
2830         Andy VanWagoner no longer has time to own Intl
2831
2832         * features.json:
2833         Andy is busy with other things.
2834
2835         Andy, thanks for your amazing work on Intl and your dedication
2836         to making things right.
2837
2838 2016-03-14  Julien Brianceau  <jbriance@cisco.com>
2839
2840         [mips] Fix unaligned access in LLINT.
2841         https://bugs.webkit.org/show_bug.cgi?id=153228
2842
2843         Address loads used with btbxx opcodes were wrongly converted to lw
2844         instruction instead of lbu, leading to unaligned access on mips
2845         platforms. This is not a bug as it's silently fixed up by kernel,
2846         but it's more efficient to avoid unaligned accesses for mips.
2847
2848         Reviewed by Geoffrey Garen.
2849
2850         * offlineasm/mips.rb:
2851
2852 2016-03-14  Filip Pizlo  <fpizlo@apple.com>
2853
2854         REGRESSION(r194394): >2x slow-down on CDjs
2855         https://bugs.webkit.org/show_bug.cgi?id=155471
2856
2857         Unreviewed (rollout).
2858
2859         This revision changes localeCompare() so that it's *much* slower than before. It's
2860         understandable that sometimes things will get a tiny bit slower when implementing new
2861         language features, but more than 2x regression on a major benchmark is not OK.
2862
2863         This rolls out that change. We can reland it once we think about how to do it in a
2864         performant way.
2865
2866         * builtins/StringPrototype.js:
2867         (search):
2868         (localeCompare): Deleted.
2869         * runtime/StringPrototype.cpp:
2870         (JSC::StringPrototype::finishCreation):
2871
2872 2016-03-14  Mark Lam  <mark.lam@apple.com>
2873
2874         Need to distinguish between Symbol() and Symbol("").
2875         https://bugs.webkit.org/show_bug.cgi?id=155438
2876
2877         Reviewed by Saam Barati.
2878
2879         * runtime/PrivateName.h:
2880         (JSC::PrivateName::PrivateName):
2881
2882 2016-03-14  Oliver Hunt  <oliver@apple.com>
2883
2884         Temporarily disable the separated heap.
2885         https://bugs.webkit.org/show_bug.cgi?id=155472
2886
2887         Reviewed by Geoffrey Garen.
2888
2889         Temporarily disable this.
2890
2891         * Configurations/FeatureDefines.xcconfig:
2892
2893 2016-03-14  Joseph Pecoraro  <pecoraro@apple.com>
2894
2895         Reduce generated JSON HeapSnapshot size
2896         https://bugs.webkit.org/show_bug.cgi?id=155460
2897
2898         Reviewed by Geoffrey Garen.
2899
2900         Adjust the HeapSnapshot JSON to better reduce its size.
2901         Changes include:
2902
2903           - avoid inner array groups and instead just have a large array for
2904             nodes/edges. This removes lots of small array allocations.
2905           - eliminate duplicate edges
2906           - avoid duplicating edge names by including them in their own table;
2907           - now both the nodes and edges lists hold only integers
2908
2909         * heap/HeapSnapshotBuilder.cpp:
2910         (JSC::HeapSnapshotBuilder::json):
2911         Add some more documentation for the slightly modified format.
2912         While generating, clear data structures as early as possible.
2913
2914         * heap/HeapSnapshotBuilder.h:
2915         (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
2916         During JSON building, the edge's cell pointers are converted to the
2917         identifier they point to. This avoids having to re-lookup the identifier.
2918
2919         * tests/heapProfiler/driver/driver.js:
2920         (CheapHeapSnapshotEdge):
2921         (CheapHeapSnapshot):
2922         (CheapHeapSnapshot.prototype.edgeNameFromTableIndex):
2923         (HeapSnapshot):
2924         Update test driver for slightly different snapshot format.
2925
2926 2016-03-14  Keith Miller  <keith_miller@apple.com>
2927
2928         We should be able to eliminate cloned arguments objects that use the length property
2929         https://bugs.webkit.org/show_bug.cgi?id=155391
2930
2931         Reviewed by Geoffrey Garen.
2932
2933         Previously if a programmer tried to use arguments.length in a strict function we would not eliminate the
2934         arguments object. We were unable to eliminate the arguments object because the user would get a cloned arguments
2935         object, which does not special case the length property. Thus, in order to get arguments elimination for cloned
2936         we need to add a special case. There are two things that need to happen for the elimination to succeed.
2937
2938         First, we need to eliminate the CheckStructure blocking the GetByOffset for the length property. In order to
2939         eliminate the check structure we need to prove to the Abstract Interpreter that this structure check is
2940         unnesssary. This didn't occur before for two reasons: 1) CreateClonedArguments did not set the structure it
2941         produced. 2) Even if CreateClonedArguments provided the global object's cloned arguments structure we would
2942         transition the new argements object when we added the length property during construction. To fix the second
2943         problem we now pre-assign a slot on clonedArgumentsStructure for the length property. Additionally, in order to
2944         prevent future transitions of the structure we need to choose an indexing type for the structure. Since, not
2945         eliminating the arguments object is so expensive we choose to have all cloned arguments start with continuous
2946         indexing type, this avoids transitioning when otherwise we would not have to. In the future we should be smarter
2947         about choosing the indexing type but since its relatively rare to have a arguments object escape we don't worry
2948         about this for now.
2949
2950         Additionally, this patch renames all former references of outOfBandArguments to clonedArguments and adds
2951         extra instrumentation to DFGArgumentsEliminationPhase.
2952
2953         * bytecode/BytecodeList.json:
2954         * bytecode/BytecodeUseDef.h:
2955         (JSC::computeUsesForBytecodeOffset):
2956         (JSC::computeDefsForBytecodeOffset):
2957         * bytecode/CodeBlock.cpp:
2958         (JSC::CodeBlock::dumpBytecode):
2959         * bytecode/ValueRecovery.h:
2960         (JSC::ValueRecovery::clonedArgumentsThatWereNotCreated):
2961         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated): Deleted.
2962         * bytecompiler/BytecodeGenerator.cpp:
2963         (JSC::BytecodeGenerator::BytecodeGenerator):
2964         * dfg/DFGAbstractInterpreterInlines.h:
2965         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2966         * dfg/DFGArgumentsEliminationPhase.cpp:
2967         * dfg/DFGByteCodeParser.cpp:
2968         (JSC::DFG::ByteCodeParser::parseBlock):
2969         * dfg/DFGCapabilities.cpp:
2970         (JSC::DFG::capabilityLevel):
2971         * dfg/DFGOperations.cpp:
2972         * dfg/DFGSpeculativeJIT.cpp:
2973         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
2974         * dfg/DFGStructureRegistrationPhase.cpp:
2975         (JSC::DFG::StructureRegistrationPhase::run):
2976         * dfg/DFGVariableEventStream.cpp:
2977         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2978         * ftl/FTLLowerDFGToB3.cpp:
2979         (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
2980         * ftl/FTLOperations.cpp:
2981         (JSC::FTL::operationMaterializeObjectInOSR):
2982         * jit/JIT.cpp:
2983         (JSC::JIT::privateCompileMainPass):
2984         * jit/JIT.h:
2985         * jit/JITOpcodes.cpp:
2986         (JSC::JIT::emit_op_create_cloned_arguments):
2987         (JSC::JIT::emit_op_create_out_of_band_arguments): Deleted.
2988         * llint/LowLevelInterpreter.asm:
2989         * runtime/ClonedArguments.cpp:
2990         (JSC::ClonedArguments::ClonedArguments):
2991         (JSC::ClonedArguments::createEmpty):
2992         (JSC::ClonedArguments::createWithInlineFrame):
2993         (JSC::ClonedArguments::createByCopyingFrom):
2994         (JSC::ClonedArguments::createStructure):
2995         * runtime/ClonedArguments.h:
2996         * runtime/JSGlobalObject.cpp:
2997         (JSC::JSGlobalObject::init):
2998         (JSC::JSGlobalObject::visitChildren):
2999         * runtime/JSGlobalObject.h:
3000         (JSC::JSGlobalObject::clonedArgumentsStructure):
3001         (JSC::JSGlobalObject::outOfBandArgumentsStructure): Deleted.
3002
3003 2016-03-14  Saam barati  <sbarati@apple.com>
3004
3005         [ES6] Make JSON.stringify ES6 compatible
3006         https://bugs.webkit.org/show_bug.cgi?id=155448
3007
3008         Reviewed by Sam Weinig and Mark Lam.
3009
3010         We weren't following the spec with respect to the "toJSON" property
3011         of the thing being stringified. We were perform hasProperty(.)
3012         on "toJSON" instead of get(.). This patch changes it our
3013         implementation to perform get(value, "toJSON").
3014
3015         * runtime/JSCJSValue.h:
3016         * runtime/JSCJSValueInlines.h:
3017         (JSC::JSValue::isFunction):
3018         (JSC::JSValue::isCallable):
3019         * runtime/JSONObject.cpp:
3020         (JSC::Stringifier::toJSON):
3021         (JSC::Stringifier::toJSONImpl):
3022         (JSC::Stringifier::appendStringifiedValue):
3023         * tests/es6.yaml:
3024         * tests/stress/proxy-json.js:
3025         (test):
3026         (test.let.handler.get assert):
3027         (test.let.handler):
3028
3029 2016-03-14  Saam barati  <sbarati@apple.com>
3030
3031         [ES6] Disallow var assignments in for-in loops
3032         https://bugs.webkit.org/show_bug.cgi?id=155451
3033
3034         Reviewed by Mark Lam.
3035
3036         We're doing this in its own patch instead of the patch for https://bugs.webkit.org/show_bug.cgi?id=155384
3037         because last time we made this change it broke some websites. Lets try making
3038         it again because it's what the ES6 mandates. If it still breaks things we will
3039         roll it out.
3040
3041         * parser/Parser.cpp:
3042         (JSC::Parser<LexerType>::parseForStatement):
3043
3044 2016-03-14  Saam barati  <sbarati@apple.com>
3045
3046         assignments in for-in/for-of header not allowed
3047         https://bugs.webkit.org/show_bug.cgi?id=155384
3048
3049         Reviewed by Darin Adler.
3050
3051         This patch prevents assignments to the loop variable
3052         in for in/of loops in all but one situation. The following
3053         syntax is still allowed even though the spec prevents it:
3054         ```
3055         for (var i = X in blah) ;
3056         ```
3057         If the loop contains let/const, destructuring, or is a for-of
3058         loop, we always throw a syntax error if there is an assignment.
3059         We can do this with full backwards compatibility.
3060         We only allow the above type of for-in loops because Oliver told
3061         me that when he tried to make such programs illegal he ran
3062         into real websites breaking.
3063
3064         This patch also removed the !::CreatesAST compile-time branch when checking
3065         assignments to new.target. This was a dangerous thing for me
3066         to introduce into our parser. There are times where ::CreatesAST
3067         is true but we also want to check for syntax errors. For example,
3068         when parsing the top-level AST of a program. Though this check
3069         was technically correct, it's dangerous to have. It was correct
3070         because we would always be reparsing the new.target assignment
3071         because new.target is only allowed inside a function. That made it
3072         so that (!::CreatesAST <=> we care about new.target assignment syntax errors).
3073         But, (!::CreatesAST <=> we care about syntax error X) is not true in general.
3074         I think it's safer to remove such code.
3075
3076         * parser/ASTBuilder.h:
3077         (JSC::ASTBuilder::createNewTargetExpr):
3078         (JSC::ASTBuilder::isNewTarget):
3079         (JSC::ASTBuilder::createResolve):
3080         * parser/Nodes.h:
3081         (JSC::ExpressionNode::isBoolean):
3082         (JSC::ExpressionNode::isSpreadExpression):
3083         (JSC::ExpressionNode::isSuperNode):
3084         (JSC::ExpressionNode::isNewTarget):
3085         (JSC::ExpressionNode::isBytecodeIntrinsicNode):
3086         * parser/Parser.cpp:
3087         (JSC::Parser<LexerType>::parseForStatement):
3088         (JSC::Parser<LexerType>::parseAssignmentExpression):
3089         (JSC::Parser<LexerType>::parseUnaryExpression):
3090
3091 2016-03-13  Joseph Pecoraro  <pecoraro@apple.com>
3092
3093         Remove ENABLE(ES6_TEMPLATE_LITERAL_SYNTAX) guards
3094         https://bugs.webkit.org/show_bug.cgi?id=155417
3095
3096         Reviewed by Yusuke Suzuki.
3097
3098         * Configurations/FeatureDefines.xcconfig:
3099         * parser/Parser.cpp:
3100         (JSC::Parser<LexerType>::parsePrimaryExpression): Deleted.
3101         (JSC::Parser<LexerType>::parseMemberExpression): Deleted.
3102
3103 2016-03-13  Konstantin Tokarev  <annulen@yandex.ru>
3104
3105         Added new port JSCOnly.
3106         https://bugs.webkit.org/show_bug.cgi?id=154512
3107
3108         Reviewed by Michael Catanzaro.
3109
3110         This port allows to build JavaScriptCore engine with minimal
3111         dependencies.
3112
3113         * PlatformJSCOnly.cmake: Added.
3114
3115 2016-03-12  Mark Lam  <mark.lam@apple.com>
3116
3117         http://kangax.github.io/compat-table/esnext/ crashes reliably.
3118         https://bugs.webkit.org/show_bug.cgi?id=155404
3119
3120         Reviewed by Yusuke Suzuki.
3121
3122         constructObjectFromPropertyDescriptor() was incorrectly assuming that either
3123         both getter and setter will be set or unset.  It did not consider that only one
3124         of the getter or setter may be set.  This patch fixes that.
3125
3126         * runtime/ObjectConstructor.h:
3127         (JSC::constructObjectFromPropertyDescriptor):
3128         * tests/stress/proxy-with-unbalanced-getter-setter.js: Added.
3129         (assert):
3130         (let.handler.defineProperty):
3131         (i.):
3132         (i.assert):
3133         (i.get assert):
3134         (set assert):
3135
3136 2016-03-12  Brian Burg  <bburg@apple.com>
3137
3138         When generating Objective-C protocol types, getters for objects need to synthesize a new object instance
3139         https://bugs.webkit.org/show_bug.cgi?id=155389
3140         <rdar://problem/25125821>
3141
3142         Reviewed by Timothy Hatcher.
3143
3144         Currently, in object property getters for Objective-C protocol types, we use
3145         a C-style cast of the member's RWIProtocolJSONObject * to the type of the property.
3146         However, at runtime the class of `self` is going to be RWIProtocolJSONObject *,
3147         not MemberType *, so any subsequent calls to MemberType properties on the return value
3148         will fail as the selectors will not be recognized.
3149
3150         Instead of doing a C-style pointer cast, we need to create a new MemberType object
3151         that's backed by the InspectorObject retrieved from the parent object by key.
3152         This requires a new initWithJSONObject initializer for each object protocol type.
3153
3154         * inspector/scripts/codegen/generate_objc_header.py:
3155         (ObjCHeaderGenerator._generate_type_interface): Add new declaration.
3156
3157         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3158         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
3159         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Added.
3160         Forward through to the super class initializer who assigns the underlying InspectorObject.
3161
3162         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
3163         Drive-by cleanup to use the more compact [super init] form.
3164
3165         * inspector/scripts/codegen/objc_generator.py:
3166         (ObjCGenerator.protocol_to_objc_expression_for_member):
3167         For property getters of objects, use initWithJSONObject: rather than a C-style cast.
3168
3169         Rebaseline relevant test results.
3170
3171         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3172         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3173         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3174         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3175         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3176         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3177         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3178
3179 2016-03-12  Konstantin Tokarev  <annulen@yandex.ru>
3180
3181         Removed variable names from default constructor declarations.
3182         https://bugs.webkit.org/show_bug.cgi?id=155397
3183
3184         Reviewed by Mark Lam.
3185
3186         They carry no information and generate unused variable warning with GCC
3187         4.8 in a lot of source files.
3188
3189         * parser/VariableEnvironment.h:
3190
3191 2016-03-12  Myles C. Maxfield  <mmaxfield@apple.com>
3192
3193         Delete dead SVG Font code
3194         https://bugs.webkit.org/show_bug.cgi?id=154718
3195
3196         Reviewed by Antti Koivisto.
3197
3198         * Configurations/FeatureDefines.xcconfig:
3199
3200 2016-03-11  Benjamin Poulain  <bpoulain@apple.com>
3201
3202         [JSC] Remove a few jumps from DFG
3203         https://bugs.webkit.org/show_bug.cgi?id=155347
3204
3205         Reviewed by Mark Lam.
3206
3207         Usually, setting ValueTrue or ValueFalse is set
3208         by Compare+Or. There are 3 places in DFG with branches instead.
3209
3210         This patch changes them to the usual pattern.
3211
3212         * dfg/DFGSpeculativeJIT64.cpp:
3213         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3214         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3215
3216 2016-03-11  Saam barati  <sbarati@apple.com>
3217
3218         [ES6] Make Object.assign spec compliant
3219         https://bugs.webkit.org/show_bug.cgi?id=155375
3220
3221         Reviewed by Michael Saboff.
3222
3223         This is a straight forward implementation of Object.assign
3224         in the spec.
3225         https://tc39.github.io/ecma262/#sec-object.assign
3226         Before, weren't performing all of the specified operations.
3227         Now, we are.
3228
3229         * builtins/ObjectConstructor.js:
3230         (assign):
3231         * runtime/CommonIdentifiers.h:
3232         * runtime/JSGlobalObject.cpp:
3233         (JSC::JSGlobalObject::init):
3234         * tests/es6.yaml:
3235
3236 2016-03-11  Mark Lam  <mark.lam@apple.com>
3237
3238         Implement Function.name and Function#toString for ES6 class.
3239         https://bugs.webkit.org/show_bug.cgi?id=155336
3240
3241         Reviewed by Geoffrey Garen.
3242
3243         The only thing that the ES6 spec says about toString with regards to class
3244         objects is:
3245
3246         "The string representation must have the syntax of a FunctionDeclaration,
3247         FunctionExpression, GeneratorDeclaration, GeneratorExpression, ClassDeclaration,
3248         ClassExpression, ArrowFunction, MethodDefinition, or GeneratorMethod depending
3249         upon the actual characteristics of the object."
3250
3251         Previously, invoking toString() on a class object will return the function
3252         source string of the class' constructor function.  This does not conform to the
3253         spec in that the toString string for a class does not have the syntax of a
3254         ClassDeclaration or ClassExpression.
3255
3256         This is now fixed by doing the following:
3257
3258         1. Added "m_classSource" to FunctionExecutable (and correspondingly to
3259            UnlinkedFunctionExecutable, FunctionMetadataNode, and ClassExprNode).
3260            m_classSource is the SourceCode for the code range "class ... { ... }".
3261
3262            Since the class constructor function is the in memory representation of the
3263            class object, only class constructor functions will have its m_classSource
3264            set.  m_classSource will be "null" (by default) for all other functions.
3265            This is how we know if a FunctionExecutable is for a class.
3266
3267            Note: FunctionExecutable does not have its own m_classSource.  It always gets
3268            it from its UnlinkedFunctionExecutable.  This is ok to do because our CodeCache
3269            currently does not cache UnlinkedFunctionExecutables for class constructors.
3270
3271         2. The ClassExprNode now tracks the SourceCode range for the class expression.
3272            This is used to set m_classSource in the UnlinkedFunctionExecutable at
3273            bytecode generation time, and the FunctionExecutable later at bytecode
3274            linking time.
3275
3276         3. Function.prototype.toString() now checks if the function is for a class.
3277            If so, it returns the string for the class source instead of just the
3278            function source for the class constructor.
3279
3280            Note: the class source is static from the time the class was parsed.  This
3281            can introduces some weirdness at runtime.  Consider the following:
3282
3283                var v1 = class {}
3284                v1.toString(); // yields "class {}".
3285
3286                class c2 extends v1 {}
3287
3288                c2.__proto__ === v1; // yields true i.e. c2 extends v1.
3289                c2.toString(); // yields "class c2 extends v1 {}" which is fine.
3290
3291                v1 = {}; // point v1 to something else now.
3292
3293                c2.__proto__ === v1; // now yields false i.e. c2 no longer extends v1.
3294                                     // c2 actually extends the class that v1 used to
3295                                     // point to, but ...
3296                c2.toString(); // still yields "class c2 extends v1 {}" which is no longer true.
3297
3298            It is unclear how we can best implement toString() to avoid this issue.
3299            The above behavior is how Chrome (Version 51.0.2671.0 canary (64-bit))
3300            currently implements toString() of a class, and we do the same in this patch.
3301            In Firefox (45.0), toString() of a class will yield the function source of it
3302            constructor function, which is not better.
3303
3304         In this patch, we also added ES6 compliance for Function.name on class objects:
3305
3306         4. The ClassExprNode now has a m_ecmaName string for tracking the inferred
3307            name of a class according to the ES6 spec.  The ASTBuilder now mirrors its
3308            handling of FuncExprNodes to ClassExprNodes in setting the nodes' m_ecmaName
3309            where relevant.
3310
3311            The m_ecmaName is later used to set the m_ecmaName of the FunctionExecutable
3312            of the class constructor, which in turn is used to populate the initial value
3313            of the Function.name property.
3314
3315         5. Also renamed some variable names (/m_metadata/metadata/) to be consistent with
3316            webkit naming convention.
3317
3318         * bytecode/UnlinkedFunctionExecutable.cpp:
3319         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3320         * bytecode/UnlinkedFunctionExecutable.h:
3321         * bytecompiler/BytecodeGenerator.cpp:
3322         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
3323         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
3324         * bytecompiler/BytecodeGenerator.h:
3325         * bytecompiler/NodesCodegen.cpp:
3326         (JSC::ClassExprNode::emitBytecode):
3327         * parser/ASTBuilder.h:
3328         (JSC::ASTBuilder::createAssignResolve):
3329         (JSC::ASTBuilder::createYield):
3330         (JSC::ASTBuilder::createClassExpr):
3331         (JSC::ASTBuilder::createFunctionExpr):
3332         (JSC::ASTBuilder::createProperty):
3333         (JSC::ASTBuilder::makeAssignNode):
3334         * parser/NodeConstructors.h:
3335         (JSC::FunctionParameters::FunctionParameters):
3336         (JSC::BaseFuncExprNode::BaseFuncExprNode):
3337         (JSC::FuncExprNode::FuncExprNode):
3338         (JSC::FuncDeclNode::FuncDeclNode):
3339         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
3340         (JSC::ClassDeclNode::ClassDeclNode):
3341         (JSC::ClassExprNode::ClassExprNode):
3342         * parser/Nodes.h:
3343         (JSC::ExpressionNode::isDestructuringNode):
3344         (JSC::ExpressionNode::isFuncExprNode):
3345         (JSC::ExpressionNode::isArrowFuncExprNode):
3346         (JSC::ExpressionNode::isClassExprNode):
3347         (JSC::ExpressionNode::isCommaNode):
3348         (JSC::ExpressionNode::isSimpleArray):
3349         (JSC::ExpressionNode::isAdd):
3350         * parser/Parser.cpp: