Avoid using hardcoded values for JSValue::Int32Tag, if possible.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
2
3         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
4         https://bugs.webkit.org/show_bug.cgi?id=143134
5
6         Reviewed by Geoffrey Garen.
7
8         * jit/JSInterfaceJIT.h:
9         * jit/Repatch.cpp:
10         (JSC::tryCacheGetByID):
11
12 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
13
14         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
15         https://bugs.webkit.org/show_bug.cgi?id=143104
16
17         Reviewed by Geoffrey Garen.
18         
19         Created a test that is a 100% repro of the flaky failure. This test is called
20         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
21         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
22         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
23         
24         Also created three more tests for three similar, but not identical, failures.
25         
26         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
27         only reading those parts of the stack that are relevant to the current semantic code origin.
28         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
29         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
30         read parts of the stack associated with the inline call frame for the phantom arguments. This
31         may not be subsumed by the current semantic origin's stack area in cases that the arguments
32         were allowed to "locally" escape.
33         
34         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
35         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
36         the stack due to function.arguments, but there are a bunch of other ways that we could also
37         read the stack and those operations may read any stack slot. I believe that this change makes
38         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
39         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
40         readTop() in PreciseLocalClobberize does the right thing.
41
42         * dfg/DFGClobberize.h:
43         (JSC::DFG::clobberize):
44         * dfg/DFGPreciseLocalClobberize.h:
45         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
46         * dfg/DFGPutStackSinkingPhase.cpp:
47         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
48         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
49         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
50         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
51         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
52
53 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
54
55         Start the features.json files
56         https://bugs.webkit.org/show_bug.cgi?id=143207
57
58         Reviewed by Darin Adler.
59
60         Start the features.json files to have something to experiment
61         with for the UI.
62
63         * features.json: Added.
64
65 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
66
67         [Win] Addressing post-review comment after r182122
68         https://bugs.webkit.org/show_bug.cgi?id=143189
69
70         Unreviewed.
71
72 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
73
74         [Win] Allow building JavaScriptCore without Cygwin
75         https://bugs.webkit.org/show_bug.cgi?id=143189
76
77         Reviewed by Brent Fulgham.
78
79         Paths like /usr/bin/ don't exist on Windows.
80         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
81         Prefixing commands with environment variables doesn't work on Windows.
82         Windows doesn't have 'cmp'
83         Windows uses 'del' instead of 'rm'
84         Windows uses 'type NUL' instead of 'touch'
85
86         * DerivedSources.make:
87         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
88         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
89         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
90         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
91         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
92         * JavaScriptCore.vcxproj/build-generated-files.pl:
93         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
94
95 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
96
97         Clean up JavaScriptCore/builtins
98         https://bugs.webkit.org/show_bug.cgi?id=143177
99
100         Reviewed by Ryosuke Niwa.
101
102         * builtins/ArrayConstructor.js:
103         (from):
104         - We can compare to undefined instead of using a typeof undefined check.
105         - Converge on double quoted strings everywhere.
106
107         * builtins/ArrayIterator.prototype.js:
108         (next):
109         * builtins/StringIterator.prototype.js:
110         (next):
111         - Use shorthand object construction to avoid duplication.
112         - Improve grammar in error messages.
113
114         * tests/stress/array-iterators-next-with-call.js:
115         * tests/stress/string-iterators.js:
116         - Update for new error message strings.
117
118 2015-03-28  Saam Barati  <saambarati1@gmail.com>
119
120         Web Inspector: ES6: Better support for Symbol types in Type Profiler
121         https://bugs.webkit.org/show_bug.cgi?id=141257
122
123         Reviewed by Joseph Pecoraro.
124
125         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
126         type profiler support this new primitive type.
127
128         * dfg/DFGFixupPhase.cpp:
129         (JSC::DFG::FixupPhase::fixupNode):
130         * inspector/protocol/Runtime.json:
131         * runtime/RuntimeType.cpp:
132         (JSC::runtimeTypeForValue):
133         * runtime/RuntimeType.h:
134         (JSC::runtimeTypeIsPrimitive):
135         * runtime/TypeSet.cpp:
136         (JSC::TypeSet::addTypeInformation):
137         (JSC::TypeSet::dumpTypes):
138         (JSC::TypeSet::doesTypeConformTo):
139         (JSC::TypeSet::displayName):
140         (JSC::TypeSet::inspectorTypeSet):
141         (JSC::TypeSet::toJSONString):
142         * runtime/TypeSet.h:
143         (JSC::TypeSet::seenTypes):
144         * tests/typeProfiler/driver/driver.js:
145         * tests/typeProfiler/symbol.js: Added.
146         (wrapper.foo):
147         (wrapper.bar):
148         (wrapper.bar.bar.baz):
149         (wrapper):
150
151 2015-03-27  Saam Barati  <saambarati1@gmail.com>
152
153         Deconstruction parameters are bound too late
154         https://bugs.webkit.org/show_bug.cgi?id=143148
155
156         Reviewed by Filip Pizlo.
157
158         Currently, a deconstruction pattern named with the same
159         name as a function will shadow the function. This is
160         wrong. It should be the other way around.
161
162         * bytecompiler/BytecodeGenerator.cpp:
163         (JSC::BytecodeGenerator::generate):
164
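Added example for the binding order the entry above describes. This is not JSC code and not one of its tests; it runs in any ES2015+ engine (for instance node) and shows that a body-level function declaration is instantiated after the parameters and therefore shadows a parameter of the same name, whether that parameter is simple or comes from a destructuring ("deconstruction") pattern, while a var declaration leaves the parameter binding alone:

```javascript
// Added example (not JSC code): binding order of parameters versus
// body-level declarations, per ES2015 FunctionDeclarationInstantiation.

// Simple parameter shadowed by a function declaration in the body.
function simpleParamShadowed(a) {
  function a() {}
  return typeof a;
}

// Destructuring parameter shadowed the same way; this is the case the
// entry above says JSC bound too late (the pattern used to win).
function destructuredParamShadowed({ a }) {
  function a() {}
  return typeof a;
}

// Control: a var re-declaration does not re-initialize the parameter,
// so the argument's value is still visible.
function destructuredParamWithVar({ a }) {
  var a;
  return typeof a;
}

// Report all three cases for one argument object, e.g. { a: 1 }.
function bindingReport(arg) {
  return {
    simple: simpleParamShadowed(arg.a),
    destructured: destructuredParamShadowed(arg),
    withVar: destructuredParamWithVar(arg),
  };
}
```

Calling bindingReport({ a: 1 }) gives "function" for both shadowed cases and "number" for the var case; an engine with the bug described above would report the parameter's type for the destructured case instead.
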
165 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
166
167         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
168         https://bugs.webkit.org/show_bug.cgi?id=143170
169
170         Reviewed by Benjamin Poulain.
171
172         Assert that we never use 16-bit version of the parser to parse a default constructor
173         since both base and derived default constructors should be using an 8-bit string.
174
175         * parser/Parser.h:
176         (JSC::parse):
177
178 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
179
180         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
181         https://bugs.webkit.org/show_bug.cgi?id=142862
182
183         Reviewed by Benjamin Poulain.
184
185         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
186
187         * tests/stress/class-syntax-derived-default-constructor.js: Added.
188
189 2015-03-27  Michael Saboff  <msaboff@apple.com>
190
191         load8Signed() and load16Signed() should be renamed to avoid confusion
192         https://bugs.webkit.org/show_bug.cgi?id=143168
193
194         Reviewed by Benjamin Poulain.
195
196         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
197
198         * assembler/MacroAssemblerARM.h:
199         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
200         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
201         (JSC::MacroAssemblerARM::load8Signed): Deleted.
202         (JSC::MacroAssemblerARM::load16Signed): Deleted.
203         * assembler/MacroAssemblerARM64.h:
204         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
205         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
206         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
207         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
208         * assembler/MacroAssemblerARMv7.h:
209         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
210         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
211         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
212         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
213         * assembler/MacroAssemblerMIPS.h:
214         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
215         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
216         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
217         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
218         * assembler/MacroAssemblerSH4.h:
219         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
220         (JSC::MacroAssemblerSH4::load8):
221         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
222         (JSC::MacroAssemblerSH4::load16):
223         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
224         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
225         * assembler/MacroAssemblerX86Common.h:
226         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
227         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
228         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
229         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
230         * dfg/DFGSpeculativeJIT.cpp:
231         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
232         * jit/JITPropertyAccess.cpp:
233         (JSC::JIT::emitIntTypedArrayGetByVal):
234
235 2015-03-27  Michael Saboff  <msaboff@apple.com>
236
237         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
238         https://bugs.webkit.org/show_bug.cgi?id=138390
239
240         Reviewed by Mark Lam.
241
242         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
243         instead of 64 bits.  This is what X86-64 does.
244
245         * assembler/MacroAssemblerARM64.h:
246         (JSC::MacroAssemblerARM64::load16Signed):
247         (JSC::MacroAssemblerARM64::load8Signed):
248
249 2015-03-27  Saam Barati  <saambarati1@gmail.com>
250
251         Add back previously broken assert from bug 141869
252         https://bugs.webkit.org/show_bug.cgi?id=143005
253
254         Reviewed by Michael Saboff.
255
256         * runtime/ExceptionHelpers.cpp:
257         (JSC::invalidParameterInSourceAppender):
258
259 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
260
261         Make some more objects use FastMalloc
262         https://bugs.webkit.org/show_bug.cgi?id=143122
263
264         Reviewed by Csaba Osztrogonác.
265
266         * API/JSCallbackObject.h:
267         * heap/IncrementalSweeper.h:
268         * jit/JITThunks.h:
269         * runtime/JSGlobalObjectDebuggable.h:
270         * runtime/RegExpCache.h:
271
272 2015-03-27  Michael Saboff  <msaboff@apple.com>
273
274         Objects with numeric properties intermittently get a phantom 'length' property
275         https://bugs.webkit.org/show_bug.cgi?id=142792
276
277         Reviewed by Csaba Osztrogonác.
278
279         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
280         test and branch instructions.  This function is used for linking tbz/tbnz branches between
281         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
282         the failure case checks in the GetById array length stub created for "obj.length" access.
283         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
284         being set when we should have been looking for bit 0.
285
286         * assembler/ARM64Assembler.h:
287         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
288
289 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
290
291         Insert exception check around toPropertyKey call
292         https://bugs.webkit.org/show_bug.cgi?id=142922
293
294         Reviewed by Geoffrey Garen.
295
296         In some places, an exception check is missing after/before toPropertyKey.
297         However, since it calls toString, it's observable to users.
298
299         Missing exception checks in Object.prototype methods can be
300         observed since it would be overridden with toObject(null/undefined) errors.
301         We inserted exception checks after toPropertyKey.
302
303         Missing exception checks in GetById related code can be
304         observed since it would be overridden with toObject(null/undefined) errors.
305         In this case, we need to insert exception checks before/after toPropertyKey
306         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
307
308         JSValue::get checks null/undefined and raise an exception if |this| is null or undefined.
309         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
310         According to the spec, we first perform RequireObjectCoercible and check the exception.
311         And second, we perform ToPropertyKey and check the exception.
312         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
313         For example, if the target is not object coercible,
314         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
315         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
316
317         This patch introduces JSValue::requireObjectCoercible and uses it for the following 2 reasons.
318
319         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
320
321         toObject converts primitive types into wrapper objects.
322         But it is not efficient since wrapper objects are not necessary
323         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
324
325         2. Using the result of toObject is not correct to the spec.
326
327         To align to the spec correctly, we cannot use JSObject::get
328         by using the wrapper object produced by the toObject suggested in (1).
329         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
330         It is not correct since getter should be called with the original |this| value that may be primitive types.
331
332         So in this patch, we use JSValue::requireObjectCoercible
333         to check the target is object coercible and raise an error if it's not.
334
335         * dfg/DFGOperations.cpp:
336         * jit/JITOperations.cpp:
337         (JSC::getByVal):
338         * llint/LLIntSlowPaths.cpp:
339         (JSC::LLInt::getByVal):
340         * runtime/CommonSlowPaths.cpp:
341         (JSC::SLOW_PATH_DECL):
342         * runtime/JSCJSValue.h:
343         * runtime/JSCJSValueInlines.h:
344         (JSC::JSValue::requireObjectCoercible):
345         * runtime/ObjectPrototype.cpp:
346         (JSC::objectProtoFuncHasOwnProperty):
347         (JSC::objectProtoFuncDefineGetter):
348         (JSC::objectProtoFuncDefineSetter):
349         (JSC::objectProtoFuncLookupGetter):
350         (JSC::objectProtoFuncLookupSetter):
351         (JSC::objectProtoFuncPropertyIsEnumerable):
352         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
353         (shouldThrow):
354         (if):
355         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
356         (shouldThrow):
357         (.):
358
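Added example for the observable ordering the entry above is about. It is not JSC code and not one of the two stress tests the entry adds; it runs in any spec-conforming ES2015+ engine (for instance node). The property key is an object whose toString() throws a marker error, so the result of each call tells you whether RequireObjectCoercible / ToObject ran first (a TypeError for a null or undefined base) or ToPropertyKey ran first (the marker error):

```javascript
// Added example (not JSC code): which of RequireObjectCoercible and
// ToPropertyKey is observed first, for base[key] and for Object.prototype
// methods. Constructed input: a key whose toString() throws.
const throwingKey = {
  toString() { throw new Error("ToPropertyKey ran"); },
};

// Run fn and classify what it threw.
//   "TypeError"     : the base/|this| was null or undefined and was rejected
//   "ToPropertyKey" : the key's toString() ran and its error escaped
//   "none"          : no exception
function outcome(fn) {
  try {
    fn();
    return "none";
  } catch (e) {
    if (e instanceof TypeError) return "TypeError";
    if (e instanceof Error && e.message === "ToPropertyKey ran") return "ToPropertyKey";
    throw e;
  }
}

// base[key]: the spec performs RequireObjectCoercible(base) before
// ToPropertyKey(key), so a null/undefined base yields a TypeError and the
// key's toString() must never run.
function getByValOutcome(base, key) {
  return outcome(() => base[key]);
}

// With an object-coercible base (a primitive is fine, no wrapper needed
// to observe this), the key conversion is what throws.
function coercibleBaseOutcome(key) {
  return outcome(() => (42)[key]);
}

// Object.prototype.hasOwnProperty(V): the spec does ToPropertyKey(V) first
// and ToObject(this) second, so the key's error must win even when |this|
// is null or undefined (the "overridden by toObject(null/undefined)
// errors" case from the entry above).
function hasOwnPropertyOutcome(thisValue, key) {
  return outcome(() => Object.prototype.hasOwnProperty.call(thisValue, key));
}

// propertyIsEnumerable, another method listed above, has the same order.
function propertyIsEnumerableOutcome(thisValue, key) {
  return outcome(() => Object.prototype.propertyIsEnumerable.call(thisValue, key));
}
```

An engine with the bug described above would report "TypeError" for hasOwnPropertyOutcome(null, throwingKey), because the missing exception check lets the later ToObject(null) error replace the one raised by ToPropertyKey; a conforming engine reports "ToPropertyKey" there and "TypeError" only for the base[key] forms.
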
359 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
360
361         WebContent Crash when instantiating class with Type Profiling enabled
362         https://bugs.webkit.org/show_bug.cgi?id=143037
363
364         Reviewed by Ryosuke Niwa.
365
366         * bytecompiler/BytecodeGenerator.h:
367         * bytecompiler/BytecodeGenerator.cpp:
368         (JSC::BytecodeGenerator::BytecodeGenerator):
369         (JSC::BytecodeGenerator::emitMoveEmptyValue):
370         We cannot profile the type of an uninitialized empty JSValue.
371         Nor do we expect this to be necessary, since it is effectively
372         an unseen undefined value. So add a way to put the empty value
373         without profiling.
374
375         (JSC::BytecodeGenerator::emitMove):
376         Add an assert to try to catch this issue early on, and force
377         callers to explicitly use emitMoveEmptyValue instead.
378
379         * tests/typeProfiler/classes.js: Added.
380         (wrapper.Base):
381         (wrapper.Derived):
382         (wrapper):
383         Add test coverage both for this case and classes in general.
384
385 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
386
387         Web Inspector: ES6: Provide a better view for Classes in the console
388         https://bugs.webkit.org/show_bug.cgi?id=142999
389
390         Reviewed by Timothy Hatcher.
391
392         * inspector/protocol/Runtime.json:
393         Provide a new `subtype` enum "class". This is a subtype of `type`
394         "function", all other subtypes are subtypes of `object` types.
395         For a class, the frontend will immediately want to get the prototype
396         to enumerate its methods, so include the `classPrototype`.
397
398         * inspector/JSInjectedScriptHost.cpp:
399         (Inspector::JSInjectedScriptHost::subtype):
400         Denote class construction functions as "class" subtypes.
401
402         * inspector/InjectedScriptSource.js:
403         Handling for the new "class" type.
404
405         * bytecode/UnlinkedCodeBlock.h:
406         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
407         * runtime/Executable.h:
408         (JSC::FunctionExecutable::isClassConstructorFunction):
409         * runtime/JSFunction.h:
410         * runtime/JSFunctionInlines.h:
411         (JSC::JSFunction::isClassConstructorFunction):
412         Check if this function is a class constructor function. That information
413         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
414
415 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
416
417         Function.prototype.toString should not decompile the AST
418         https://bugs.webkit.org/show_bug.cgi?id=142853
419
420         Reviewed by Darin Adler.
421
422         Following up on Darin's review comments.
423
424         * runtime/FunctionConstructor.cpp:
425         (JSC::constructFunctionSkippingEvalEnabledCheck):
426
427 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
428
429         "lineNo" does not match WebKit coding style guidelines
430         https://bugs.webkit.org/show_bug.cgi?id=143119
431
432         Reviewed by Michael Saboff.
433
434         We can afford to use whole words.
435
436         * bytecode/CodeBlock.cpp:
437         (JSC::CodeBlock::lineNumberForBytecodeOffset):
438         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
439         * bytecode/UnlinkedCodeBlock.cpp:
440         (JSC::UnlinkedFunctionExecutable::link):
441         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
442         * bytecode/UnlinkedCodeBlock.h:
443         * bytecompiler/NodesCodegen.cpp:
444         (JSC::WhileNode::emitBytecode):
445         * debugger/Debugger.cpp:
446         (JSC::Debugger::toggleBreakpoint):
447         * interpreter/Interpreter.cpp:
448         (JSC::StackFrame::computeLineAndColumn):
449         (JSC::GetStackTraceFunctor::operator()):
450         (JSC::Interpreter::execute):
451         * interpreter/StackVisitor.cpp:
452         (JSC::StackVisitor::Frame::computeLineAndColumn):
453         * parser/Nodes.h:
454         (JSC::Node::firstLine):
455         (JSC::Node::lineNo): Deleted.
456         (JSC::StatementNode::firstLine): Deleted.
457         * parser/ParserError.h:
458         (JSC::ParserError::toErrorObject):
459         * profiler/LegacyProfiler.cpp:
460         (JSC::createCallIdentifierFromFunctionImp):
461         * runtime/CodeCache.cpp:
462         (JSC::CodeCache::getGlobalCodeBlock):
463         * runtime/Executable.cpp:
464         (JSC::ScriptExecutable::ScriptExecutable):
465         (JSC::ScriptExecutable::newCodeBlockFor):
466         (JSC::FunctionExecutable::fromGlobalCode):
467         * runtime/Executable.h:
468         (JSC::ScriptExecutable::firstLine):
469         (JSC::ScriptExecutable::setOverrideLineNumber):
470         (JSC::ScriptExecutable::hasOverrideLineNumber):
471         (JSC::ScriptExecutable::overrideLineNumber):
472         (JSC::ScriptExecutable::lineNo): Deleted.
473         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
474         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
475         (JSC::ScriptExecutable::overrideLineNo): Deleted.
476         * runtime/FunctionConstructor.cpp:
477         (JSC::constructFunctionSkippingEvalEnabledCheck):
478         * runtime/FunctionConstructor.h:
479         * tools/CodeProfile.cpp:
480         (JSC::CodeProfile::report):
481         * tools/CodeProfile.h:
482         (JSC::CodeProfile::CodeProfile):
483
484 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
485
486         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
487         https://bugs.webkit.org/show_bug.cgi?id=142974
488
489         Reviewed by Joseph Pecoraro.
490
491         This patch does two things:
492
493         (1) Restore JavaScriptCore's sanitization of line and column numbers to
494         one-based values.
495
496         We need this because WebCore sometimes provides huge negative column
497         numbers.
498
499         (2) Solve the attribute event listener line numbering problem a different
500         way: Rather than offsetting all line numbers by -1 in an attribute event
501         listener in order to arrange for a custom result, instead use an explicit
502         feature for saying "all errors in this code should map to this line number".
503
504         * bytecode/UnlinkedCodeBlock.cpp:
505         (JSC::UnlinkedFunctionExecutable::link):
506         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
507         * bytecode/UnlinkedCodeBlock.h:
508         * interpreter/Interpreter.cpp:
509         (JSC::StackFrame::computeLineAndColumn):
510         (JSC::GetStackTraceFunctor::operator()):
511         * interpreter/Interpreter.h:
512         * interpreter/StackVisitor.cpp:
513         (JSC::StackVisitor::Frame::computeLineAndColumn):
514         * parser/ParserError.h:
515         (JSC::ParserError::toErrorObject): Plumb through an override line number.
516         When a function has an override line number, all syntax and runtime
517         errors in the function will map to it. This is useful for attribute event
518         listeners.
519  
520         * parser/SourceCode.h:
521         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
522         column numbers to one-based integers. It was kind of a hack to remove this.
523
524         * runtime/Executable.cpp:
525         (JSC::ScriptExecutable::ScriptExecutable):
526         (JSC::FunctionExecutable::fromGlobalCode):
527         * runtime/Executable.h:
528         (JSC::ScriptExecutable::setOverrideLineNo):
529         (JSC::ScriptExecutable::hasOverrideLineNo):
530         (JSC::ScriptExecutable::overrideLineNo):
531         * runtime/FunctionConstructor.cpp:
532         (JSC::constructFunctionSkippingEvalEnabledCheck):
533         * runtime/FunctionConstructor.h: Plumb through an override line number.
534
535 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
536
537         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
538
539         Reviewed by Michael Saboff.
540
541         * jit/JITPropertyAccess.cpp:
542         (JSC::JIT::emitScopedArgumentsGetByVal):
543         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
544
545 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
546
547         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
548         https://bugs.webkit.org/show_bug.cgi?id=143098
549
550         Reviewed by Csaba Osztrogonác.
551
552         * ftl/FTLLowerDFGToLLVM.cpp:
553         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
554         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
555
556 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
557
558         Unreviewed gardening, skip failing tests on AArch64 Linux.
559
560         * tests/mozilla/mozilla-tests.yaml:
561         * tests/stress/cached-prototype-setter.js:
562
563 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
564
565         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
566
567         * dfg/DFGConstantFoldingPhase.cpp:
568         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
569         * ftl/FTLCompile.cpp:
570         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
571         * ftl/FTLState.cpp:
572         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
573         * ftl/FTLState.h:
574
575 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
576
577         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
578         right, so this just makes 32-bit do the same.
579
580         * dfg/DFGSpeculativeJIT32_64.cpp:
581         (JSC::DFG::SpeculativeJIT::emitCall):
582
583 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
584
585         Fix a typo that ggaren found but that I didn't fix before.
586
587         * runtime/DirectArgumentsOffset.h:
588
589 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
590
591         Unreviewed, VC found a bug. This fixes the bug.
592
593         * dfg/DFGConstantFoldingPhase.cpp:
594         (JSC::DFG::ConstantFoldingPhase::foldConstants):
595
596 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
597
598         Unreviewed, try to fix Windows build.
599
600         * runtime/ClonedArguments.cpp:
601         (JSC::ClonedArguments::createWithInlineFrame):
602
603 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
604
605         Unreviewed, fix debug build.
606
607         * bytecompiler/NodesCodegen.cpp:
608         (JSC::ConstDeclNode::emitCodeSingle):
609
610 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
611
612         Unreviewed, fix CLOOP build.
613
614         * dfg/DFGMinifiedID.h:
615
616 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
617
618         Heap variables shouldn't end up in the stack frame
619         https://bugs.webkit.org/show_bug.cgi?id=141174
620
621         Reviewed by Geoffrey Garen.
622         
623         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
624         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
625         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
626         simplifications:
627         
628         - Accesses to variables no longer need checks or indirections to determine where the variable is
629           at that moment in time. For example, loading a closure variable now takes just one load instead
630           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
631           (when no arguments object allocation is required) while previously that same operation required
632           a "did I allocate arguments yet" check, a bounds check, and then the load.
633         
634         - Reasoning about the allocation of an activation or arguments object now follows the same simple
635           logic as the allocation of any other kind of object. Previously, those objects were lazily
636           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
637           allocate anything at all. This made the implementation of traditional escape analyses really
638           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
639           arguments object using the usual SSA tricks which allows for more comprehensive removal.
640         
641         - The allocations of arguments objects, functions, and activations are now much faster. While
642           this patch generally expands our ability to eliminate arguments object allocations, an earlier
643           version of the patch - which lacked that functionality - was a progression on some arguments-
644           and closure-happy benchmarks because although no allocations were eliminated, all allocations
645           were faster.
646         
647         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
648           its arguments objects or activations. The runtime doesn't have to do things to the arguments
649           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
650           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
651           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" is
652           now gone. This also enables implementing block-scoping. Without this change, block-scope
653           support would require telling CodeBlock and all of the rest of the runtime about all of the
654           variables that store currently-live scopes. That would have been so disastrously hard that it
655           might as well be impossible. With this change, it's fair game for the bytecode generator to
656           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
657           however long it wants. This all works, because after bytecode generation, an activation is just
658           an object and variables that refer to it are just normal variables.
659         
660         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
661           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
662           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
663           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
664           an arguments object.
665         
666         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
667           using activations used to prevent inlining; now functions that use activations can be inlined
668           just fine.
669         
670         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
671         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
672         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
673         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
674         
675         The easiest way of understanding this change is to start by looking at the changes in runtime/,
676         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
677
678         * CMakeLists.txt:
679         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
680         * JavaScriptCore.xcodeproj/project.pbxproj:
681         * assembler/AbortReason.h:
682         * assembler/AbstractMacroAssembler.h:
683         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
684         * bytecode/ByValInfo.h:
685         (JSC::hasOptimizableIndexingForJSType):
686         (JSC::hasOptimizableIndexing):
687         (JSC::jitArrayModeForJSType):
688         (JSC::jitArrayModePermitsPut):
689         (JSC::jitArrayModeForStructure):
690         * bytecode/BytecodeKills.h: Added.
691         (JSC::BytecodeKills::BytecodeKills):
692         (JSC::BytecodeKills::operandIsKilled):
693         (JSC::BytecodeKills::forEachOperandKilledAt):
694         (JSC::BytecodeKills::KillSet::KillSet):
695         (JSC::BytecodeKills::KillSet::add):
696         (JSC::BytecodeKills::KillSet::forEachLocal):
697         (JSC::BytecodeKills::KillSet::contains):
698         * bytecode/BytecodeList.json:
699         * bytecode/BytecodeLivenessAnalysis.cpp:
700         (JSC::isValidRegisterForLiveness):
701         (JSC::stepOverInstruction):
702         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
703         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
704         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
705         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
706         (JSC::BytecodeLivenessAnalysis::computeKills):
707         (JSC::indexForOperand): Deleted.
708         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
709         (JSC::getLivenessInfo): Deleted.
710         * bytecode/BytecodeLivenessAnalysis.h:
711         * bytecode/BytecodeLivenessAnalysisInlines.h:
712         (JSC::operandIsAlwaysLive):
713         (JSC::operandThatIsNotAlwaysLiveIsLive):
714         (JSC::operandIsLive):
715         * bytecode/BytecodeUseDef.h:
716         (JSC::computeUsesForBytecodeOffset):
717         (JSC::computeDefsForBytecodeOffset):
718         * bytecode/CodeBlock.cpp:
719         (JSC::CodeBlock::dumpBytecode):
720         (JSC::CodeBlock::CodeBlock):
721         (JSC::CodeBlock::nameForRegister):
722         (JSC::CodeBlock::validate):
723         (JSC::CodeBlock::isCaptured): Deleted.
724         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
725         (JSC::CodeBlock::machineSlowArguments): Deleted.
726         * bytecode/CodeBlock.h:
727         (JSC::unmodifiedArgumentsRegister): Deleted.
728         (JSC::CodeBlock::setArgumentsRegister): Deleted.
729         (JSC::CodeBlock::argumentsRegister): Deleted.
730         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
731         (JSC::CodeBlock::usesArguments): Deleted.
732         (JSC::CodeBlock::captureCount): Deleted.
733         (JSC::CodeBlock::captureStart): Deleted.
734         (JSC::CodeBlock::captureEnd): Deleted.
735         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
736         (JSC::CodeBlock::hasSlowArguments): Deleted.
737         (JSC::ExecState::argumentAfterCapture): Deleted.
738         * bytecode/CodeOrigin.h:
739         * bytecode/DataFormat.h:
740         (JSC::dataFormatToString):
741         * bytecode/FullBytecodeLiveness.h:
742         (JSC::FullBytecodeLiveness::getLiveness):
743         (JSC::FullBytecodeLiveness::operandIsLive):
744         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
745         (JSC::FullBytecodeLiveness::getOut): Deleted.
746         * bytecode/Instruction.h:
747         (JSC::Instruction::Instruction):
748         * bytecode/Operands.h:
749         (JSC::Operands::virtualRegisterForIndex):
750         * bytecode/SpeculatedType.cpp:
751         (JSC::dumpSpeculation):
752         (JSC::speculationToAbbreviatedString):
753         (JSC::speculationFromClassInfo):
754         * bytecode/SpeculatedType.h:
755         (JSC::isDirectArgumentsSpeculation):
756         (JSC::isScopedArgumentsSpeculation):
757         (JSC::isActionableMutableArraySpeculation):
758         (JSC::isActionableArraySpeculation):
759         (JSC::isArgumentsSpeculation): Deleted.
760         * bytecode/UnlinkedCodeBlock.cpp:
761         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
762         * bytecode/UnlinkedCodeBlock.h:
763         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
764         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
765         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
766         * bytecode/ValueRecovery.cpp:
767         (JSC::ValueRecovery::dumpInContext):
768         * bytecode/ValueRecovery.h:
769         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
770         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
771         (JSC::ValueRecovery::nodeID):
772         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
773         * bytecode/VirtualRegister.h:
774         (JSC::VirtualRegister::operator==):
775         (JSC::VirtualRegister::operator!=):
776         (JSC::VirtualRegister::operator<):
777         (JSC::VirtualRegister::operator>):
778         (JSC::VirtualRegister::operator<=):
779         (JSC::VirtualRegister::operator>=):
780         * bytecompiler/BytecodeGenerator.cpp:
781         (JSC::BytecodeGenerator::generate):
782         (JSC::BytecodeGenerator::BytecodeGenerator):
783         (JSC::BytecodeGenerator::initializeNextParameter):
784         (JSC::BytecodeGenerator::visibleNameForParameter):
785         (JSC::BytecodeGenerator::emitMove):
786         (JSC::BytecodeGenerator::variable):
787         (JSC::BytecodeGenerator::createVariable):
788         (JSC::BytecodeGenerator::emitResolveScope):
789         (JSC::BytecodeGenerator::emitGetFromScope):
790         (JSC::BytecodeGenerator::emitPutToScope):
791         (JSC::BytecodeGenerator::initializeVariable):
792         (JSC::BytecodeGenerator::emitInstanceOf):
793         (JSC::BytecodeGenerator::emitNewFunction):
794         (JSC::BytecodeGenerator::emitNewFunctionInternal):
795         (JSC::BytecodeGenerator::emitCall):
796         (JSC::BytecodeGenerator::emitReturn):
797         (JSC::BytecodeGenerator::emitConstruct):
798         (JSC::BytecodeGenerator::isArgumentNumber):
799         (JSC::BytecodeGenerator::emitEnumeration):
800         (JSC::BytecodeGenerator::addVar): Deleted.
801         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
802         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
803         (JSC::BytecodeGenerator::resolveCallee): Deleted.
804         (JSC::BytecodeGenerator::addCallee): Deleted.
805         (JSC::BytecodeGenerator::addParameter): Deleted.
806         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
807         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
808         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
809         (JSC::BytecodeGenerator::isCaptured): Deleted.
810         (JSC::BytecodeGenerator::local): Deleted.
811         (JSC::BytecodeGenerator::constLocal): Deleted.
812         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
813         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
814         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
815         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
816         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
817         * bytecompiler/BytecodeGenerator.h:
818         (JSC::Variable::Variable):
819         (JSC::Variable::isResolved):
820         (JSC::Variable::ident):
821         (JSC::Variable::offset):
822         (JSC::Variable::isLocal):
823         (JSC::Variable::local):
824         (JSC::Variable::isSpecial):
825         (JSC::BytecodeGenerator::argumentsRegister):
826         (JSC::BytecodeGenerator::emitNode):
827         (JSC::BytecodeGenerator::registerFor):
828         (JSC::Local::Local): Deleted.
829         (JSC::Local::operator bool): Deleted.
830         (JSC::Local::get): Deleted.
831         (JSC::Local::isSpecial): Deleted.
832         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
833         (JSC::ResolveScopeInfo::isLocal): Deleted.
834         (JSC::ResolveScopeInfo::localIndex): Deleted.
835         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
836         (JSC::BytecodeGenerator::captureMode): Deleted.
837         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
838         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
839         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
840         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
841         * bytecompiler/NodesCodegen.cpp:
842         (JSC::ResolveNode::isPure):
843         (JSC::ResolveNode::emitBytecode):
844         (JSC::BracketAccessorNode::emitBytecode):
845         (JSC::DotAccessorNode::emitBytecode):
846         (JSC::EvalFunctionCallNode::emitBytecode):
847         (JSC::FunctionCallResolveNode::emitBytecode):
848         (JSC::CallFunctionCallDotNode::emitBytecode):
849         (JSC::ApplyFunctionCallDotNode::emitBytecode):
850         (JSC::PostfixNode::emitResolve):
851         (JSC::DeleteResolveNode::emitBytecode):
852         (JSC::TypeOfResolveNode::emitBytecode):
853         (JSC::PrefixNode::emitResolve):
854         (JSC::ReadModifyResolveNode::emitBytecode):
855         (JSC::AssignResolveNode::emitBytecode):
856         (JSC::ConstDeclNode::emitCodeSingle):
857         (JSC::EmptyVarExpression::emitBytecode):
858         (JSC::ForInNode::tryGetBoundLocal):
859         (JSC::ForInNode::emitLoopHeader):
860         (JSC::ForOfNode::emitBytecode):
861         (JSC::ArrayPatternNode::emitDirectBinding):
862         (JSC::BindingNode::bindValue):
863         (JSC::getArgumentByVal): Deleted.
864         * dfg/DFGAbstractHeap.h:
865         * dfg/DFGAbstractInterpreter.h:
866         * dfg/DFGAbstractInterpreterInlines.h:
867         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
868         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
869         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
870         * dfg/DFGAbstractValue.h:
871         * dfg/DFGArgumentPosition.h:
872         (JSC::DFG::ArgumentPosition::addVariable):
873         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
874         (JSC::DFG::performArgumentsElimination):
875         * dfg/DFGArgumentsEliminationPhase.h: Added.
876         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
877         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
878         * dfg/DFGArgumentsUtilities.cpp: Added.
879         (JSC::DFG::argumentsInvolveStackSlot):
880         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
881         * dfg/DFGArgumentsUtilities.h: Added.
882         * dfg/DFGArrayMode.cpp:
883         (JSC::DFG::ArrayMode::refine):
884         (JSC::DFG::ArrayMode::alreadyChecked):
885         (JSC::DFG::arrayTypeToString):
886         * dfg/DFGArrayMode.h:
887         (JSC::DFG::ArrayMode::canCSEStorage):
888         (JSC::DFG::ArrayMode::modeForPut):
889         * dfg/DFGAvailabilityMap.cpp:
890         (JSC::DFG::AvailabilityMap::prune):
891         * dfg/DFGAvailabilityMap.h:
892         (JSC::DFG::AvailabilityMap::closeOverNodes):
893         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
894         * dfg/DFGBackwardsPropagationPhase.cpp:
895         (JSC::DFG::BackwardsPropagationPhase::propagate):
896         * dfg/DFGByteCodeParser.cpp:
897         (JSC::DFG::ByteCodeParser::newVariableAccessData):
898         (JSC::DFG::ByteCodeParser::getLocal):
899         (JSC::DFG::ByteCodeParser::setLocal):
900         (JSC::DFG::ByteCodeParser::getArgument):
901         (JSC::DFG::ByteCodeParser::setArgument):
902         (JSC::DFG::ByteCodeParser::flushDirect):
903         (JSC::DFG::ByteCodeParser::flush):
904         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
905         (JSC::DFG::ByteCodeParser::handleVarargsCall):
906         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
907         (JSC::DFG::ByteCodeParser::handleInlining):
908         (JSC::DFG::ByteCodeParser::parseBlock):
909         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
910         (JSC::DFG::ByteCodeParser::parseCodeBlock):
911         * dfg/DFGCPSRethreadingPhase.cpp:
912         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
913         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
914         * dfg/DFGCSEPhase.cpp:
915         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
916         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
917         * dfg/DFGCapabilities.cpp:
918         (JSC::DFG::isSupportedForInlining):
919         (JSC::DFG::capabilityLevel):
920         * dfg/DFGClobberize.h:
921         (JSC::DFG::clobberize):
922         * dfg/DFGCommon.h:
923         * dfg/DFGCommonData.h:
924         (JSC::DFG::CommonData::CommonData):
925         * dfg/DFGConstantFoldingPhase.cpp:
926         (JSC::DFG::ConstantFoldingPhase::foldConstants):
927         * dfg/DFGDCEPhase.cpp:
928         (JSC::DFG::DCEPhase::cleanVariables):
929         * dfg/DFGDisassembler.h:
930         * dfg/DFGDoesGC.cpp:
931         (JSC::DFG::doesGC):
932         * dfg/DFGFixupPhase.cpp:
933         (JSC::DFG::FixupPhase::fixupNode):
934         * dfg/DFGFlushFormat.cpp:
935         (WTF::printInternal):
936         * dfg/DFGFlushFormat.h:
937         (JSC::DFG::resultFor):
938         (JSC::DFG::useKindFor):
939         (JSC::DFG::dataFormatFor):
940         * dfg/DFGForAllKills.h: Added.
941         (JSC::DFG::forAllLiveNodesAtTail):
942         (JSC::DFG::forAllDirectlyKilledOperands):
943         (JSC::DFG::forAllKilledOperands):
944         (JSC::DFG::forAllKilledNodesAtNodeIndex):
945         (JSC::DFG::forAllKillsInBlock):
946         * dfg/DFGGraph.cpp:
947         (JSC::DFG::Graph::Graph):
948         (JSC::DFG::Graph::dump):
949         (JSC::DFG::Graph::substituteGetLocal):
950         (JSC::DFG::Graph::livenessFor):
951         (JSC::DFG::Graph::killsFor):
952         (JSC::DFG::Graph::tryGetConstantClosureVar):
953         (JSC::DFG::Graph::tryGetRegisters): Deleted.
954         * dfg/DFGGraph.h:
955         (JSC::DFG::Graph::symbolTableFor):
956         (JSC::DFG::Graph::uses):
957         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
958         (JSC::DFG::Graph::capturedVarsFor): Deleted.
959         (JSC::DFG::Graph::usesArguments): Deleted.
960         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
961         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
962         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
963         * dfg/DFGHeapLocation.cpp:
964         (WTF::printInternal):
965         * dfg/DFGHeapLocation.h:
966         * dfg/DFGInPlaceAbstractState.cpp:
967         (JSC::DFG::InPlaceAbstractState::initialize):
968         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
969         * dfg/DFGJITCompiler.cpp:
970         (JSC::DFG::JITCompiler::link):
971         * dfg/DFGMayExit.cpp:
972         (JSC::DFG::mayExit):
973         * dfg/DFGMinifiedID.h:
974         * dfg/DFGMinifiedNode.cpp:
975         (JSC::DFG::MinifiedNode::fromNode):
976         * dfg/DFGMinifiedNode.h:
977         (JSC::DFG::belongsInMinifiedGraph):
978         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
979         (JSC::DFG::MinifiedNode::inlineCallFrame):
980         * dfg/DFGNode.cpp:
981         (JSC::DFG::Node::convertToIdentityOn):
982         * dfg/DFGNode.h:
983         (JSC::DFG::Node::hasConstant):
984         (JSC::DFG::Node::constant):
985         (JSC::DFG::Node::hasScopeOffset):
986         (JSC::DFG::Node::scopeOffset):
987         (JSC::DFG::Node::hasDirectArgumentsOffset):
988         (JSC::DFG::Node::capturedArgumentsOffset):
989         (JSC::DFG::Node::variablePointer):
990         (JSC::DFG::Node::hasCallVarargsData):
991         (JSC::DFG::Node::hasLoadVarargsData):
992         (JSC::DFG::Node::hasHeapPrediction):
993         (JSC::DFG::Node::hasCellOperand):
994         (JSC::DFG::Node::objectMaterializationData):
995         (JSC::DFG::Node::isPhantomAllocation):
996         (JSC::DFG::Node::willHaveCodeGenOrOSR):
997         (JSC::DFG::Node::shouldSpeculateDirectArguments):
998         (JSC::DFG::Node::shouldSpeculateScopedArguments):
999         (JSC::DFG::Node::isPhantomArguments): Deleted.
1000         (JSC::DFG::Node::hasVarNumber): Deleted.
1001         (JSC::DFG::Node::varNumber): Deleted.
1002         (JSC::DFG::Node::registerPointer): Deleted.
1003         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
1004         * dfg/DFGNodeType.h:
1005         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1006         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1007         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1008         * dfg/DFGOSRExitCompiler.cpp:
1009         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
1010         * dfg/DFGOSRExitCompiler.h:
1011         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
1012         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
1013         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
1014         * dfg/DFGOSRExitCompiler32_64.cpp:
1015         (JSC::DFG::OSRExitCompiler::compileExit):
1016         * dfg/DFGOSRExitCompiler64.cpp:
1017         (JSC::DFG::OSRExitCompiler::compileExit):
1018         * dfg/DFGOSRExitCompilerCommon.cpp:
1019         (JSC::DFG::reifyInlinedCallFrames):
1020         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
1021         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
1022         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
1023         * dfg/DFGOSRExitCompilerCommon.h:
1024         * dfg/DFGOperations.cpp:
1025         * dfg/DFGOperations.h:
1026         * dfg/DFGPlan.cpp:
1027         (JSC::DFG::Plan::compileInThreadImpl):
1028         * dfg/DFGPreciseLocalClobberize.h:
1029         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
1030         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
1031         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
1032         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1033         (JSC::DFG::preciseLocalClobberize):
1034         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
1035         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
1036         * dfg/DFGPredictionPropagationPhase.cpp:
1037         (JSC::DFG::PredictionPropagationPhase::run):
1038         (JSC::DFG::PredictionPropagationPhase::propagate):
1039         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1040         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
1041         * dfg/DFGPromoteHeapAccess.h:
1042         (JSC::DFG::promoteHeapAccess):
1043         * dfg/DFGPromotedHeapLocation.cpp:
1044         (WTF::printInternal):
1045         * dfg/DFGPromotedHeapLocation.h:
1046         * dfg/DFGSSAConversionPhase.cpp:
1047         (JSC::DFG::SSAConversionPhase::run):
1048         * dfg/DFGSafeToExecute.h:
1049         (JSC::DFG::safeToExecute):
1050         * dfg/DFGSpeculativeJIT.cpp:
1051         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1052         (JSC::DFG::SpeculativeJIT::emitGetLength):
1053         (JSC::DFG::SpeculativeJIT::emitGetCallee):
1054         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
1055         (JSC::DFG::SpeculativeJIT::checkArray):
1056         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1057         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1058         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1059         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1060         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
1061         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1062         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1063         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
1064         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
1065         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1066         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1067         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
1068         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
1069         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
1070         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
1071         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
1072         * dfg/DFGSpeculativeJIT.h:
1073         (JSC::DFG::SpeculativeJIT::callOperation):
1074         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1075         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1076         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
1077         * dfg/DFGSpeculativeJIT32_64.cpp:
1078         (JSC::DFG::SpeculativeJIT::emitCall):
1079         (JSC::DFG::SpeculativeJIT::compile):
1080         * dfg/DFGSpeculativeJIT64.cpp:
1081         (JSC::DFG::SpeculativeJIT::emitCall):
1082         (JSC::DFG::SpeculativeJIT::compile):
1083         * dfg/DFGStackLayoutPhase.cpp:
1084         (JSC::DFG::StackLayoutPhase::run):
1085         * dfg/DFGStrengthReductionPhase.cpp:
1086         (JSC::DFG::StrengthReductionPhase::handleNode):
1087         * dfg/DFGStructureRegistrationPhase.cpp:
1088         (JSC::DFG::StructureRegistrationPhase::run):
1089         * dfg/DFGUnificationPhase.cpp:
1090         (JSC::DFG::UnificationPhase::run):
1091         * dfg/DFGValidate.cpp:
1092         (JSC::DFG::Validate::validateCPS):
1093         * dfg/DFGValueSource.cpp:
1094         (JSC::DFG::ValueSource::dump):
1095         * dfg/DFGValueSource.h:
1096         (JSC::DFG::dataFormatToValueSourceKind):
1097         (JSC::DFG::valueSourceKindToDataFormat):
1098         (JSC::DFG::ValueSource::ValueSource):
1099         (JSC::DFG::ValueSource::forFlushFormat):
1100         (JSC::DFG::ValueSource::valueRecovery):
1101         * dfg/DFGVarargsForwardingPhase.cpp: Added.
1102         (JSC::DFG::performVarargsForwarding):
1103         * dfg/DFGVarargsForwardingPhase.h: Added.
1104         * dfg/DFGVariableAccessData.cpp:
1105         (JSC::DFG::VariableAccessData::VariableAccessData):
1106         (JSC::DFG::VariableAccessData::flushFormat):
1107         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1108         * dfg/DFGVariableAccessData.h:
1109         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
1110         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
1111         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
1112         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
1113         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
1114         * dfg/DFGVariableAccessDataDump.cpp:
1115         (JSC::DFG::VariableAccessDataDump::dump):
1116         * dfg/DFGVariableAccessDataDump.h:
1117         * dfg/DFGVariableEventStream.cpp:
1118         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
1119         * dfg/DFGVariableEventStream.h:
1120         * ftl/FTLAbstractHeap.cpp:
1121         (JSC::FTL::AbstractHeap::dump):
1122         (JSC::FTL::AbstractField::dump):
1123         (JSC::FTL::IndexedAbstractHeap::dump):
1124         (JSC::FTL::NumberedAbstractHeap::dump):
1125         (JSC::FTL::AbsoluteAbstractHeap::dump):
1126         * ftl/FTLAbstractHeap.h:
1127         * ftl/FTLAbstractHeapRepository.cpp:
1128         * ftl/FTLAbstractHeapRepository.h:
1129         * ftl/FTLCapabilities.cpp:
1130         (JSC::FTL::canCompile):
1131         * ftl/FTLCompile.cpp:
1132         (JSC::FTL::mmAllocateDataSection):
1133         * ftl/FTLExitArgument.cpp:
1134         (JSC::FTL::ExitArgument::dump):
1135         * ftl/FTLExitPropertyValue.cpp:
1136         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
1137         * ftl/FTLExitPropertyValue.h:
1138         * ftl/FTLExitTimeObjectMaterialization.cpp:
1139         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
1140         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
1141         * ftl/FTLExitTimeObjectMaterialization.h:
1142         (JSC::FTL::ExitTimeObjectMaterialization::origin):
1143         * ftl/FTLExitValue.cpp:
1144         (JSC::FTL::ExitValue::withLocalsOffset):
1145         (JSC::FTL::ExitValue::valueFormat):
1146         (JSC::FTL::ExitValue::dumpInContext):
1147         * ftl/FTLExitValue.h:
1148         (JSC::FTL::ExitValue::isArgument):
1149         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
1150         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
1151         (JSC::FTL::ExitValue::valueFormat): Deleted.
1152         * ftl/FTLInlineCacheSize.cpp:
1153         (JSC::FTL::sizeOfCallForwardVarargs):
1154         (JSC::FTL::sizeOfConstructForwardVarargs):
1155         (JSC::FTL::sizeOfICFor):
1156         * ftl/FTLInlineCacheSize.h:
1157         * ftl/FTLIntrinsicRepository.h:
1158         * ftl/FTLJSCallVarargs.cpp:
1159         (JSC::FTL::JSCallVarargs::JSCallVarargs):
1160         (JSC::FTL::JSCallVarargs::emit):
1161         * ftl/FTLJSCallVarargs.h:
1162         * ftl/FTLLowerDFGToLLVM.cpp:
1163         (JSC::FTL::LowerDFGToLLVM::lower):
1164         (JSC::FTL::LowerDFGToLLVM::compileNode):
1165         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
1166         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1167         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1168         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1169         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1170         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1171         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1172         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
1173         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
1174         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
1175         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
1176         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
1177         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
1178         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
1179         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
1180         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
1181         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
1182         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
1183         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
1184         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
1185         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
1186         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1187         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
1188         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
1189         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
1190         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
1191         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
1192         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
1193         (JSC::FTL::LowerDFGToLLVM::baseIndex):
1194         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1195         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
1196         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1197         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1198         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1199         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1200         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1201         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1202         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
1203         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
1204         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
1205         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
1206         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
1207         * ftl/FTLOSRExitCompiler.cpp:
1208         (JSC::FTL::compileRecovery):
1209         (JSC::FTL::compileStub):
1210         * ftl/FTLOperations.cpp:
1211         (JSC::FTL::operationMaterializeObjectInOSR):
1212         * ftl/FTLOutput.h:
1213         (JSC::FTL::Output::aShr):
1214         (JSC::FTL::Output::lShr):
1215         (JSC::FTL::Output::zeroExtPtr):
1216         * heap/CopyToken.h:
1217         * interpreter/CallFrame.h:
1218         (JSC::ExecState::getArgumentUnsafe):
1219         * interpreter/Interpreter.cpp:
1220         (JSC::sizeOfVarargs):
1221         (JSC::sizeFrameForVarargs):
1222         (JSC::loadVarargs):
1223         (JSC::unwindCallFrame):
1224         * interpreter/Interpreter.h:
1225         * interpreter/StackVisitor.cpp:
1226         (JSC::StackVisitor::Frame::createArguments):
1227         (JSC::StackVisitor::Frame::existingArguments): Deleted.
1228         * interpreter/StackVisitor.h:
1229         * jit/AssemblyHelpers.h:
1230         (JSC::AssemblyHelpers::storeValue):
1231         (JSC::AssemblyHelpers::loadValue):
1232         (JSC::AssemblyHelpers::storeTrustedValue):
1233         (JSC::AssemblyHelpers::branchIfNotCell):
1234         (JSC::AssemblyHelpers::branchIsEmpty):
1235         (JSC::AssemblyHelpers::argumentsStart):
1236         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
1237         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
1238         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
1239         * jit/CCallHelpers.h:
1240         (JSC::CCallHelpers::setupArgument):
1241         * jit/GPRInfo.h:
1242         (JSC::JSValueRegs::withTwoAvailableRegs):
1243         * jit/JIT.cpp:
1244         (JSC::JIT::privateCompileMainPass):
1245         (JSC::JIT::privateCompileSlowCases):
1246         * jit/JIT.h:
1247         * jit/JITCall.cpp:
1248         (JSC::JIT::compileSetupVarargsFrame):
1249         * jit/JITCall32_64.cpp:
1250         (JSC::JIT::compileSetupVarargsFrame):
1251         * jit/JITInlines.h:
1252         (JSC::JIT::callOperation):
1253         * jit/JITOpcodes.cpp:
1254         (JSC::JIT::emit_op_create_lexical_environment):
1255         (JSC::JIT::emit_op_new_func):
1256         (JSC::JIT::emit_op_create_direct_arguments):
1257         (JSC::JIT::emit_op_create_scoped_arguments):
1258         (JSC::JIT::emit_op_create_out_of_band_arguments):
1259         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1260         (JSC::JIT::emit_op_create_arguments): Deleted.
1261         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1262         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1263         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1264         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1265         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1266         * jit/JITOpcodes32_64.cpp:
1267         (JSC::JIT::emit_op_create_lexical_environment):
1268         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1269         (JSC::JIT::emit_op_create_arguments): Deleted.
1270         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1271         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1272         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1273         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1274         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1275         * jit/JITOperations.cpp:
1276         * jit/JITOperations.h:
1277         * jit/JITPropertyAccess.cpp:
1278         (JSC::JIT::emitGetClosureVar):
1279         (JSC::JIT::emitPutClosureVar):
1280         (JSC::JIT::emit_op_get_from_arguments):
1281         (JSC::JIT::emit_op_put_to_arguments):
1282         (JSC::JIT::emit_op_init_global_const):
1283         (JSC::JIT::privateCompileGetByVal):
1284         (JSC::JIT::emitDirectArgumentsGetByVal):
1285         (JSC::JIT::emitScopedArgumentsGetByVal):
1286         * jit/JITPropertyAccess32_64.cpp:
1287         (JSC::JIT::emitGetClosureVar):
1288         (JSC::JIT::emitPutClosureVar):
1289         (JSC::JIT::emit_op_get_from_arguments):
1290         (JSC::JIT::emit_op_put_to_arguments):
1291         (JSC::JIT::emit_op_init_global_const):
1292         * jit/SetupVarargsFrame.cpp:
1293         (JSC::emitSetupVarargsFrameFastCase):
1294         * llint/LLIntOffsetsExtractor.cpp:
1295         * llint/LLIntSlowPaths.cpp:
1296         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1297         * llint/LowLevelInterpreter.asm:
1298         * llint/LowLevelInterpreter32_64.asm:
1299         * llint/LowLevelInterpreter64.asm:
1300         * parser/Nodes.h:
1301         (JSC::ScopeNode::captures):
1302         * runtime/Arguments.cpp: Removed.
1303         * runtime/Arguments.h: Removed.
1304         * runtime/ArgumentsMode.h: Added.
1305         * runtime/DirectArgumentsOffset.cpp: Added.
1306         (JSC::DirectArgumentsOffset::dump):
1307         * runtime/DirectArgumentsOffset.h: Added.
1308         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
1309         * runtime/CommonSlowPaths.cpp:
1310         (JSC::SLOW_PATH_DECL):
1311         * runtime/CommonSlowPaths.h:
1312         * runtime/ConstantMode.cpp: Added.
1313         (WTF::printInternal):
1314         * runtime/ConstantMode.h:
1315         (JSC::modeForIsConstant):
1316         * runtime/DirectArguments.cpp: Added.
1317         (JSC::DirectArguments::DirectArguments):
1318         (JSC::DirectArguments::createUninitialized):
1319         (JSC::DirectArguments::create):
1320         (JSC::DirectArguments::createByCopying):
1321         (JSC::DirectArguments::visitChildren):
1322         (JSC::DirectArguments::copyBackingStore):
1323         (JSC::DirectArguments::createStructure):
1324         (JSC::DirectArguments::overrideThings):
1325         (JSC::DirectArguments::overrideThingsIfNecessary):
1326         (JSC::DirectArguments::overrideArgument):
1327         (JSC::DirectArguments::copyToArguments):
1328         (JSC::DirectArguments::overridesSize):
1329         * runtime/DirectArguments.h: Added.
1330         (JSC::DirectArguments::internalLength):
1331         (JSC::DirectArguments::length):
1332         (JSC::DirectArguments::canAccessIndexQuickly):
1333         (JSC::DirectArguments::getIndexQuickly):
1334         (JSC::DirectArguments::setIndexQuickly):
1335         (JSC::DirectArguments::callee):
1336         (JSC::DirectArguments::argument):
1337         (JSC::DirectArguments::overrodeThings):
1338         (JSC::DirectArguments::offsetOfCallee):
1339         (JSC::DirectArguments::offsetOfLength):
1340         (JSC::DirectArguments::offsetOfMinCapacity):
1341         (JSC::DirectArguments::offsetOfOverrides):
1342         (JSC::DirectArguments::storageOffset):
1343         (JSC::DirectArguments::offsetOfSlot):
1344         (JSC::DirectArguments::allocationSize):
1345         (JSC::DirectArguments::storage):
1346         * runtime/FunctionPrototype.cpp:
1347         * runtime/GenericArguments.h: Added.
1348         (JSC::GenericArguments::GenericArguments):
1349         * runtime/GenericArgumentsInlines.h: Added.
1350         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1351         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1352         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1353         (JSC::GenericArguments<Type>::put):
1354         (JSC::GenericArguments<Type>::putByIndex):
1355         (JSC::GenericArguments<Type>::deleteProperty):
1356         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1357         (JSC::GenericArguments<Type>::defineOwnProperty):
1358         (JSC::GenericArguments<Type>::copyToArguments):
1359         * runtime/GenericOffset.h: Added.
1360         (JSC::GenericOffset::GenericOffset):
1361         (JSC::GenericOffset::operator!):
1362         (JSC::GenericOffset::offsetUnchecked):
1363         (JSC::GenericOffset::offset):
1364         (JSC::GenericOffset::operator==):
1365         (JSC::GenericOffset::operator!=):
1366         (JSC::GenericOffset::operator<):
1367         (JSC::GenericOffset::operator>):
1368         (JSC::GenericOffset::operator<=):
1369         (JSC::GenericOffset::operator>=):
1370         (JSC::GenericOffset::operator+):
1371         (JSC::GenericOffset::operator-):
1372         (JSC::GenericOffset::operator+=):
1373         (JSC::GenericOffset::operator-=):
1374         * runtime/JSArgumentsIterator.cpp:
1375         (JSC::JSArgumentsIterator::finishCreation):
1376         (JSC::argumentsFuncIterator):
1377         * runtime/JSArgumentsIterator.h:
1378         (JSC::JSArgumentsIterator::create):
1379         (JSC::JSArgumentsIterator::next):
1380         * runtime/JSEnvironmentRecord.cpp:
1381         (JSC::JSEnvironmentRecord::visitChildren):
1382         * runtime/JSEnvironmentRecord.h:
1383         (JSC::JSEnvironmentRecord::variables):
1384         (JSC::JSEnvironmentRecord::isValid):
1385         (JSC::JSEnvironmentRecord::variableAt):
1386         (JSC::JSEnvironmentRecord::offsetOfVariables):
1387         (JSC::JSEnvironmentRecord::offsetOfVariable):
1388         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
1389         (JSC::JSEnvironmentRecord::allocationSize):
1390         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1391         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
1392         (JSC::JSEnvironmentRecord::finishCreation):
1393         (JSC::JSEnvironmentRecord::registers): Deleted.
1394         (JSC::JSEnvironmentRecord::registerAt): Deleted.
1395         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
1396         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
1397         * runtime/JSFunction.cpp:
1398         * runtime/JSGlobalObject.cpp:
1399         (JSC::JSGlobalObject::init):
1400         (JSC::JSGlobalObject::addGlobalVar):
1401         (JSC::JSGlobalObject::addFunction):
1402         (JSC::JSGlobalObject::visitChildren):
1403         (JSC::JSGlobalObject::addStaticGlobals):
1404         * runtime/JSGlobalObject.h:
1405         (JSC::JSGlobalObject::directArgumentsStructure):
1406         (JSC::JSGlobalObject::scopedArgumentsStructure):
1407         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
1408         (JSC::JSGlobalObject::argumentsStructure): Deleted.
1409         * runtime/JSLexicalEnvironment.cpp:
1410         (JSC::JSLexicalEnvironment::symbolTableGet):
1411         (JSC::JSLexicalEnvironment::symbolTablePut):
1412         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1413         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
1414         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
1415         * runtime/JSLexicalEnvironment.h:
1416         (JSC::JSLexicalEnvironment::create):
1417         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
1418         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
1419         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
1420         (JSC::JSLexicalEnvironment::storage): Deleted.
1421         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
1422         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
1423         (JSC::JSLexicalEnvironment::isValid): Deleted.
1424         (JSC::JSLexicalEnvironment::registerAt): Deleted.
1425         * runtime/JSNameScope.cpp:
1426         (JSC::JSNameScope::visitChildren): Deleted.
1427         * runtime/JSNameScope.h:
1428         (JSC::JSNameScope::create):
1429         (JSC::JSNameScope::value):
1430         (JSC::JSNameScope::finishCreation):
1431         (JSC::JSNameScope::JSNameScope):
1432         * runtime/JSScope.cpp:
1433         (JSC::abstractAccess):
1434         * runtime/JSSegmentedVariableObject.cpp:
1435         (JSC::JSSegmentedVariableObject::findVariableIndex):
1436         (JSC::JSSegmentedVariableObject::addVariables):
1437         (JSC::JSSegmentedVariableObject::visitChildren):
1438         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
1439         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
1440         * runtime/JSSegmentedVariableObject.h:
1441         (JSC::JSSegmentedVariableObject::variableAt):
1442         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
1443         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
1444         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
1445         * runtime/JSSymbolTableObject.h:
1446         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
1447         (JSC::symbolTableGet):
1448         (JSC::symbolTablePut):
1449         (JSC::symbolTablePutWithAttributes):
1450         * runtime/JSType.h:
1451         * runtime/Options.h:
1452         * runtime/ClonedArguments.cpp: Added.
1453         (JSC::ClonedArguments::ClonedArguments):
1454         (JSC::ClonedArguments::createEmpty):
1455         (JSC::ClonedArguments::createWithInlineFrame):
1456         (JSC::ClonedArguments::createWithMachineFrame):
1457         (JSC::ClonedArguments::createByCopyingFrom):
1458         (JSC::ClonedArguments::createStructure):
1459         (JSC::ClonedArguments::getOwnPropertySlot):
1460         (JSC::ClonedArguments::getOwnPropertyNames):
1461         (JSC::ClonedArguments::put):
1462         (JSC::ClonedArguments::deleteProperty):
1463         (JSC::ClonedArguments::defineOwnProperty):
1464         (JSC::ClonedArguments::materializeSpecials):
1465         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
1466         * runtime/ClonedArguments.h: Added.
1467         (JSC::ClonedArguments::specialsMaterialized):
1468         * runtime/ScopeOffset.cpp: Added.
1469         (JSC::ScopeOffset::dump):
1470         * runtime/ScopeOffset.h: Added.
1471         (JSC::ScopeOffset::ScopeOffset):
1472         * runtime/ScopedArguments.cpp: Added.
1473         (JSC::ScopedArguments::ScopedArguments):
1474         (JSC::ScopedArguments::finishCreation):
1475         (JSC::ScopedArguments::createUninitialized):
1476         (JSC::ScopedArguments::create):
1477         (JSC::ScopedArguments::createByCopying):
1478         (JSC::ScopedArguments::createByCopyingFrom):
1479         (JSC::ScopedArguments::visitChildren):
1480         (JSC::ScopedArguments::createStructure):
1481         (JSC::ScopedArguments::overrideThings):
1482         (JSC::ScopedArguments::overrideThingsIfNecessary):
1483         (JSC::ScopedArguments::overrideArgument):
1484         (JSC::ScopedArguments::copyToArguments):
1485         * runtime/ScopedArguments.h: Added.
1486         (JSC::ScopedArguments::internalLength):
1487         (JSC::ScopedArguments::length):
1488         (JSC::ScopedArguments::canAccessIndexQuickly):
1489         (JSC::ScopedArguments::getIndexQuickly):
1490         (JSC::ScopedArguments::setIndexQuickly):
1491         (JSC::ScopedArguments::callee):
1492         (JSC::ScopedArguments::overrodeThings):
1493         (JSC::ScopedArguments::offsetOfOverrodeThings):
1494         (JSC::ScopedArguments::offsetOfTotalLength):
1495         (JSC::ScopedArguments::offsetOfTable):
1496         (JSC::ScopedArguments::offsetOfScope):
1497         (JSC::ScopedArguments::overflowStorageOffset):
1498         (JSC::ScopedArguments::allocationSize):
1499         (JSC::ScopedArguments::overflowStorage):
1500         * runtime/ScopedArgumentsTable.cpp: Added.
1501         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
1502         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
1503         (JSC::ScopedArgumentsTable::destroy):
1504         (JSC::ScopedArgumentsTable::create):
1505         (JSC::ScopedArgumentsTable::clone):
1506         (JSC::ScopedArgumentsTable::setLength):
1507         (JSC::ScopedArgumentsTable::set):
1508         (JSC::ScopedArgumentsTable::createStructure):
1509         * runtime/ScopedArgumentsTable.h: Added.
1510         (JSC::ScopedArgumentsTable::length):
1511         (JSC::ScopedArgumentsTable::get):
1512         (JSC::ScopedArgumentsTable::lock):
1513         (JSC::ScopedArgumentsTable::offsetOfLength):
1514         (JSC::ScopedArgumentsTable::offsetOfArguments):
1515         (JSC::ScopedArgumentsTable::at):
1516         * runtime/SymbolTable.cpp:
1517         (JSC::SymbolTableEntry::prepareToWatch):
1518         (JSC::SymbolTable::SymbolTable):
1519         (JSC::SymbolTable::visitChildren):
1520         (JSC::SymbolTable::localToEntry):
1521         (JSC::SymbolTable::entryFor):
1522         (JSC::SymbolTable::cloneScopePart):
1523         (JSC::SymbolTable::prepareForTypeProfiling):
1524         (JSC::SymbolTable::uniqueIDForOffset):
1525         (JSC::SymbolTable::globalTypeSetForOffset):
1526         (JSC::SymbolTable::cloneCapturedNames): Deleted.
1527         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
1528         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
1529         * runtime/SymbolTable.h:
1530         (JSC::SymbolTableEntry::varOffsetFromBits):
1531         (JSC::SymbolTableEntry::scopeOffsetFromBits):
1532         (JSC::SymbolTableEntry::Fast::varOffset):
1533         (JSC::SymbolTableEntry::Fast::scopeOffset):
1534         (JSC::SymbolTableEntry::Fast::isDontEnum):
1535         (JSC::SymbolTableEntry::Fast::getAttributes):
1536         (JSC::SymbolTableEntry::SymbolTableEntry):
1537         (JSC::SymbolTableEntry::varOffset):
1538         (JSC::SymbolTableEntry::isWatchable):
1539         (JSC::SymbolTableEntry::scopeOffset):
1540         (JSC::SymbolTableEntry::setAttributes):
1541         (JSC::SymbolTableEntry::constantMode):
1542         (JSC::SymbolTableEntry::isDontEnum):
1543         (JSC::SymbolTableEntry::disableWatching):
1544         (JSC::SymbolTableEntry::pack):
1545         (JSC::SymbolTableEntry::isValidVarOffset):
1546         (JSC::SymbolTable::createNameScopeTable):
1547         (JSC::SymbolTable::maxScopeOffset):
1548         (JSC::SymbolTable::didUseScopeOffset):
1549         (JSC::SymbolTable::didUseVarOffset):
1550         (JSC::SymbolTable::scopeSize):
1551         (JSC::SymbolTable::nextScopeOffset):
1552         (JSC::SymbolTable::takeNextScopeOffset):
1553         (JSC::SymbolTable::add):
1554         (JSC::SymbolTable::set):
1555         (JSC::SymbolTable::argumentsLength):
1556         (JSC::SymbolTable::setArgumentsLength):
1557         (JSC::SymbolTable::argumentOffset):
1558         (JSC::SymbolTable::setArgumentOffset):
1559         (JSC::SymbolTable::arguments):
1560         (JSC::SlowArgument::SlowArgument): Deleted.
1561         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
1562         (JSC::SymbolTableEntry::getIndex): Deleted.
1563         (JSC::SymbolTableEntry::isValidIndex): Deleted.
1564         (JSC::SymbolTable::captureStart): Deleted.
1565         (JSC::SymbolTable::setCaptureStart): Deleted.
1566         (JSC::SymbolTable::captureEnd): Deleted.
1567         (JSC::SymbolTable::setCaptureEnd): Deleted.
1568         (JSC::SymbolTable::captureCount): Deleted.
1569         (JSC::SymbolTable::isCaptured): Deleted.
1570         (JSC::SymbolTable::parameterCount): Deleted.
1571         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
1572         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
1573         (JSC::SymbolTable::slowArguments): Deleted.
1574         (JSC::SymbolTable::setSlowArguments): Deleted.
1575         * runtime/VM.cpp:
1576         (JSC::VM::VM):
1577         * runtime/VM.h:
1578         * runtime/VarOffset.cpp: Added.
1579         (JSC::VarOffset::dump):
1580         (WTF::printInternal):
1581         * runtime/VarOffset.h: Added.
1582         (JSC::VarOffset::VarOffset):
1583         (JSC::VarOffset::assemble):
1584         (JSC::VarOffset::isValid):
1585         (JSC::VarOffset::operator!):
1586         (JSC::VarOffset::kind):
1587         (JSC::VarOffset::isStack):
1588         (JSC::VarOffset::isScope):
1589         (JSC::VarOffset::isDirectArgument):
1590         (JSC::VarOffset::stackOffsetUnchecked):
1591         (JSC::VarOffset::scopeOffsetUnchecked):
1592         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
1593         (JSC::VarOffset::stackOffset):
1594         (JSC::VarOffset::scopeOffset):
1595         (JSC::VarOffset::capturedArgumentsOffset):
1596         (JSC::VarOffset::rawOffset):
1597         (JSC::VarOffset::checkSanity):
1598         (JSC::VarOffset::operator==):
1599         (JSC::VarOffset::operator!=):
1600         (JSC::VarOffset::hash):
1601         (JSC::VarOffset::isHashTableDeletedValue):
1602         (JSC::VarOffsetHash::hash):
1603         (JSC::VarOffsetHash::equal):
1604         * tests/stress/arguments-exit-strict-mode.js: Added.
1605         * tests/stress/arguments-exit.js: Added.
1606         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
1607         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
1608         * tests/stress/arguments-inlined-exit.js: Added.
1609         * tests/stress/arguments-interference.js: Added.
1610         * tests/stress/arguments-interference-cfg.js: Added.
1611         * tests/stress/dead-get-closure-var.js: Added.
1612         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
1613         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
1614         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
1615         * tests/stress/varargs-closure-inlined-exit.js: Added.
1616         * tests/stress/varargs-exit.js: Added.
1617         * tests/stress/varargs-inlined-exit.js: Added.
1618         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
1619         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
1620         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
1621         * tests/stress/varargs-inlined-simple-exit.js: Added.
1622         * tests/stress/varargs-too-few-arguments.js: Added.
1623         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
1624         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
1625         * tests/stress/varargs-varargs-inlined-exit.js: Added.
1626
1627 2015-03-25  Andy Estes  <aestes@apple.com>
1628
1629         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
1630         https://bugs.webkit.org/show_bug.cgi?id=143068
1631
1632         Reviewed by Dan Bernstein.
1633
1634         * inspector/remote/RemoteInspectorXPCConnection.mm:
1635         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
1636
1637 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1638
1639         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
1640         https://bugs.webkit.org/show_bug.cgi?id=142993
1641
1642         Reviewed by Geoffrey Garen and Mark Lam.
1643         
1644         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
1645         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
1646         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
1647         failure, but also involves adding the same kind of thing to the stub generators in
1648         Repatch.
1649         
1650         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
1651         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
1652         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
1653         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
1654         printout.
1655         
1656         Also add a way of inducing executable allocation failure, so that we can test this.
1657
1658         * CMakeLists.txt:
1659         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1660         * JavaScriptCore.xcodeproj/project.pbxproj:
1661         * dfg/DFGJITCompiler.cpp:
1662         (JSC::DFG::JITCompiler::compile):
1663         (JSC::DFG::JITCompiler::compileFunction):
1664         (JSC::DFG::JITCompiler::link): Deleted.
1665         (JSC::DFG::JITCompiler::linkFunction): Deleted.
1666         * dfg/DFGJITCompiler.h:
1667         * dfg/DFGPlan.cpp:
1668         (JSC::DFG::Plan::compileInThreadImpl):
1669         * ftl/FTLCompile.cpp:
1670         (JSC::FTL::mmAllocateCodeSection):
1671         (JSC::FTL::mmAllocateDataSection):
1672         * ftl/FTLLink.cpp:
1673         (JSC::FTL::link):
1674         * ftl/FTLState.h:
1675         * jit/ArityCheckFailReturnThunks.cpp:
1676         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
1677         * jit/ExecutableAllocationFuzz.cpp: Added.
1678         (JSC::numberOfExecutableAllocationFuzzChecks):
1679         (JSC::doExecutableAllocationFuzzing):
1680         * jit/ExecutableAllocationFuzz.h: Added.
1681         (JSC::doExecutableAllocationFuzzingIfEnabled):
1682         * jit/ExecutableAllocatorFixedVMPool.cpp:
1683         (JSC::ExecutableAllocator::allocate):
1684         * jit/JIT.cpp:
1685         (JSC::JIT::privateCompile):
1686         * jit/JITCompilationEffort.h:
1687         * jit/Repatch.cpp:
1688         (JSC::generateByIdStub):
1689         (JSC::tryCacheGetByID):
1690         (JSC::tryBuildGetByIDList):
1691         (JSC::emitPutReplaceStub):
1692         (JSC::emitPutTransitionStubAndGetOldStructure):
1693         (JSC::tryCachePutByID):
1694         (JSC::tryBuildPutByIdList):
1695         (JSC::tryRepatchIn):
1696         (JSC::linkPolymorphicCall):
1697         * jsc.cpp:
1698         (jscmain):
1699         * runtime/Options.h:
1700         * runtime/TestRunnerUtils.h:
1701         * runtime/VM.cpp:
1702         * tests/executableAllocationFuzz: Added.
1703         * tests/executableAllocationFuzz.yaml: Added.
1704         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
1705
1706 2015-03-25  Mark Lam  <mark.lam@apple.com>
1707
1708         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
1709         <https://webkit.org/b/135719>
1710
1711         Reviewed by Geoffrey Garen.
1712
1713         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
1714         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
1715         update the LLINT to access it as such.
1716
1717         The issue has only manifested so far on the CLoop tests because those are LLINT
1718         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
1719         hiding the bug in the LLINT.
1720
1721         * API/JSContextRef.cpp:
1722         (createWatchdogIfNeeded):
1723         (JSContextGroupSetExecutionTimeLimit):
1724         (JSContextGroupClearExecutionTimeLimit):
1725         * llint/LowLevelInterpreter.asm:
1726
1727 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1728
1729         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
1730
1731         Rubber stamped by Geoffrey Garen.
1732
1733         * bytecode/CodeBlock.cpp:
1734         (JSC::CodeBlock::visitAggregate):
1735
1736 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
1737
1738         Fix formatting in BuiltinExecutables
1739         https://bugs.webkit.org/show_bug.cgi?id=143061
1740
1741         Reviewed by Ryosuke Niwa.
1742
1743         * builtins/BuiltinExecutables.cpp:
1744         (JSC::BuiltinExecutables::createExecutableInternal):
1745
1746 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
1747
1748         ES6: Classes: Program level class statement throws exception in strict mode
1749         https://bugs.webkit.org/show_bug.cgi?id=143038
1750
1751         Reviewed by Ryosuke Niwa.
1752
1753         Classes expose a name to the current lexical environment. This treats
1754         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
1755         Also, improve error messages for class statements where the class is missing a name.
1756
1757         * parser/Parser.h:
1758         * parser/Parser.cpp:
1759         (JSC::Parser<LexerType>::parseClass):
1760         Fill name in info parameter if needed. Better error message if name is needed and missing.
1761
1762         (JSC::Parser<LexerType>::parseClassDeclaration):
1763         Pass info parameter to get name, and expose the name as a variable name.
1764
1765         (JSC::Parser<LexerType>::parsePrimaryExpression):
1766         Pass info parameter that is ignored.
1767
1768         * parser/ParserFunctionInfo.h:
1769         Add a parser info for class, to extract the name.
1770
1771 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1772
1773         New map and set modification tests in r181922 fails
1774         https://bugs.webkit.org/show_bug.cgi?id=143031
1775
1776         Reviewed and tweaked by Geoffrey Garen.
1777
1778         When packing the Map/Set backing store, we need to decrement the Map/Set iterator's m_index
1779         to adjust for the packed backing store.
1780
1781         Consider the following map data.
1782
1783         x: deleted, o: exists
1784         0 1 2 3 4
1785         x x x x o
1786
1787         And iterator with m_index 3.
1788
1789         When packing the map data, the map data will become:
1790
1791         0
1792         o
1793
1794         At that time, we perform didRemoveEntry 4 times on iterators.
1795         times => m_index/index/result
1796         1 => 3/0/dec
1797         2 => 2/1/dec
1798         3 => 1/2/nothing
1799         4 => 1/3/nothing
1800
1801         After iteration, the iterator's m_index becomes 1. But we expected it to become 0.
1802         This is because if we use the decremented m_index for comparison,
1803         while the provided deletedIndex is the index in the old storage, m_index is the index in the partially packed storage.
1804
1805         In this patch, we compare against the packed index instead.
1806         times => m_index/packedIndex/result
1807         1 => 3/0/dec
1808         2 => 2/0/dec
1809         3 => 1/0/dec
1810         4 => 0/0/nothing
1811
1812         So m_index becomes 0 as expected.
1813
1814         And according to the spec, once the iterator is closed (becomes done: true),
1815         its internal [[Map]]/[[Set]] is set to undefined.
1816         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
1817
1818         In this patch, we change 2 things.
1819         1.
1820         Compare an iterator's index against the packed index when removing an entry.
1821
1822         2.
1823         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
1824
1825         * runtime/MapData.h:
1826         (JSC::MapDataImpl::IteratorData::finish):
1827         (JSC::MapDataImpl::IteratorData::isFinished):
1828         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
1829         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
1830         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
1831         * runtime/MapDataInlines.h:
1832         (JSC::JSIterator>::replaceAndPackBackingStore):
1833         * tests/stress/modify-map-during-iteration.js:
1834         * tests/stress/modify-set-during-iteration.js:
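
        An added C++ model (not JavaScriptCore code) of the packing adjustment described above. The toy types Slot, IteratorData and MapData stand in for JSC's MapDataImpl, and std::weak_ptr stands in for the WeakGCMap that the r181458 regression entry (bug 142696) further down introduces for tracking live iterators; pack() can be run with either the old comparison or the fixed one, reproducing both tables above.

```cpp
// Added toy model (not JavaScriptCore code) of MapData packing and iterator tracking.
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

// One backing-store slot: a live entry or a deleted slot awaiting packing.
struct Slot { int key; bool deleted; };

// Stand-in for MapDataImpl::IteratorData. m_index is the cursor into the
// backing store; a finished iterator has dropped its map and is left alone.
// The destructor touches nothing in the owning MapData, so it is safe to
// destroy an iterator after its map has already been swept.
struct IteratorData {
    std::size_t m_index = 0;
    bool m_finished = false;

    bool isFinished() const { return m_finished; }
    void finish() { m_finished = true; }

    // Invoked once per deleted slot while the store is being packed.
    // compareIndex is the deleted slot's index in the OLD storage (the buggy
    // scheme) or its index in the PACKED storage (the fixed scheme).
    void didRemoveEntry(std::size_t compareIndex) {
        if (isFinished())
            return; // a closed iterator is never adjusted or revived
        if (m_index > compareIndex)
            --m_index;
    }
};

class MapData {
public:
    std::vector<Slot> slots;

    // Live iterators are tracked weakly (JSC uses a WeakGCMap); an iterator
    // that has already been destroyed fails to lock() and is skipped.
    std::shared_ptr<IteratorData> makeIterator(std::size_t startIndex) {
        auto it = std::make_shared<IteratorData>();
        it->m_index = startIndex;
        m_iterators.push_back(it);
        return it;
    }

    // Compact the deleted slots out of the store, notifying live iterators.
    void pack(bool compareAgainstOldIndex) {
        std::vector<Slot> packed;
        for (std::size_t i = 0; i < slots.size(); ++i) {
            if (!slots[i].deleted) {
                packed.push_back(slots[i]);
                continue;
            }
            // Old index of the deleted slot (bug) or the position the next
            // live entry will take in the packed store (fix).
            std::size_t compareIndex = compareAgainstOldIndex ? i : packed.size();
            for (auto& weak : m_iterators)
                if (auto it = weak.lock())
                    it->didRemoveEntry(compareIndex);
        }
        slots = std::move(packed);
    }

private:
    std::vector<std::weak_ptr<IteratorData>> m_iterators;
};

// The ChangeLog's case: slots 0..3 deleted, slot 4 live, iterator at index 3.
// Returns m_index after packing: 0 with the fix, 1 with the old comparison.
std::size_t changeLogCase(bool compareAgainstOldIndex) {
    MapData map;
    map.slots = {{0, true}, {1, true}, {2, true}, {3, true}, {4, false}};
    auto it = map.makeIterator(3);
    map.pack(compareAgainstOldIndex);
    return it->m_index;
}

// Interleaved case o x o x o with the cursor on the last live entry (4),
// which lands at packed index 2; the old comparison leaves it at 3.
std::size_t interleavedCase(bool compareAgainstOldIndex) {
    MapData map;
    map.slots = {{0, false}, {1, true}, {2, false}, {3, true}, {4, false}};
    auto it = map.makeIterator(4);
    map.pack(compareAgainstOldIndex);
    return it->m_index;
}

// A finished iterator keeps its index, and one destroyed before the pack is
// skipped rather than dereferenced.
bool finishedAndDestroyedIteratorsAreLeftAlone() {
    MapData map;
    map.slots = {{0, true}, {1, true}, {2, false}};
    auto finished = map.makeIterator(2);
    finished->finish();
    auto destroyed = map.makeIterator(2);
    destroyed.reset(); // the iterator dies before the map packs
    map.pack(false);
    return finished->m_index == 2 && map.slots.size() == 1;
}
```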
1835
1836 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
1837
1838         Setter should have a single formal parameter, Getter no parameters
1839         https://bugs.webkit.org/show_bug.cgi?id=142903
1840
1841         Reviewed by Geoffrey Garen.
1842
1843         * parser/Parser.cpp:
1844         (JSC::Parser<LexerType>::parseFunctionInfo):
1845         Enforce no parameters for getters and a single parameter
1846         for setters, with informational error messages.
1847
1848 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
1849
1850         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
1851         https://bugs.webkit.org/show_bug.cgi?id=143012
1852
1853         Reviewed by Ryosuke Niwa.
1854
1855         * bytecompiler/BytecodeGenerator.cpp:
1856         (JSC::BytecodeGenerator::emitReturn):
1857         Fix handling of "undefined" when returned from a Derived class. It was
1858         returning "undefined" when it should have returned "this".
1859
1860 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1861
1862         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
1863         https://bugs.webkit.org/show_bug.cgi?id=142696
1864
1865         Reviewed and tweaked by Geoffrey Garen.
1866
1867         Before r142556, JSSetIterator::destroy was not defined.
1868         So accidentally MapData::const_iterator in JSSet was never destroyed.
1869         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
1870
1871         After r142556, JSSetIterator::destroy works.
1872         It correctly destructs MapData::const_iterator and m_iteratorCount partially works.
1873         But JSSetIterator::~JSSetIterator requires the owned JSSet since it mutates MapData->m_iteratorCount.
1874
1875         It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
1876         and marks it in visitChildren (WriteBarrier<Unknown>).
1877         However, the order of destruction is not guaranteed in a GC-ed system.
1878
1879         Consider the following case:
1880         allocate a JSSet and subsequently allocate a JSSetIterator.
1881         And they reside in separate MarkedBlocks, <1> and <2>.
1882
1883         JSSet<1> <- JSSetIterator<2>
1884
1885         And after that, when performing GC, the marker decides that the above 2 objects are not marked.
1886         And the marker also decides MarkedBlocks <1> and <2> can be swept.
1887
1888         First, the sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
1889         Second, the sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
1890         However, JSSetIterator<2>'s destructor,
1891         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free.
1892
1893         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
1894         When packing the removed elements in JSSet/JSMap, we apply the change to all live
1895         iterators tracked by WeakGCMap.
1896
1897         WeakGCMap can only track JSCells since they are managed by the GC.
1898         So we drop the JSSet/JSMap C++ style iterators. Instead of a C++ style iterator, this patch
1899         introduces JS style iterator signatures into the C++ class IteratorData.
1900         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
1901         IteratorData directly.
1902
1903         * runtime/JSMap.cpp:
1904         (JSC::JSMap::destroy):
1905         * runtime/JSMap.h:
1906         (JSC::JSMap::JSMap):
1907         (JSC::JSMap::begin): Deleted.
1908         (JSC::JSMap::end): Deleted.
1909         * runtime/JSMapIterator.cpp:
1910         (JSC::JSMapIterator::destroy):
1911         * runtime/JSMapIterator.h:
1912         (JSC::JSMapIterator::next):
1913         (JSC::JSMapIterator::nextKeyValue):
1914         (JSC::JSMapIterator::iteratorData):
1915         (JSC::JSMapIterator::JSMapIterator):
1916         * runtime/JSSet.cpp:
1917         (JSC::JSSet::destroy):
1918         * runtime/JSSet.h:
1919         (JSC::JSSet::JSSet):
1920         (JSC::JSSet::begin): Deleted.
1921         (JSC::JSSet::end): Deleted.
1922         * runtime/JSSetIterator.cpp:
1923         (JSC::JSSetIterator::destroy):
1924         * runtime/JSSetIterator.h:
1925         (JSC::JSSetIterator::next):
1926         (JSC::JSSetIterator::iteratorData):
1927         (JSC::JSSetIterator::JSSetIterator):
1928         * runtime/MapData.h:
1929         (JSC::MapDataImpl::IteratorData::finish):
1930         (JSC::MapDataImpl::IteratorData::isFinished):
1931         (JSC::MapDataImpl::shouldPack):
1932         (JSC::JSIterator>::MapDataImpl):
1933         (JSC::JSIterator>::KeyType::KeyType):
1934         (JSC::JSIterator>::IteratorData::IteratorData):
1935         (JSC::JSIterator>::IteratorData::next):
1936         (JSC::JSIterator>::IteratorData::ensureSlot):
1937         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
1938         (JSC::JSIterator>::IteratorData::refreshCursor):
1939         (JSC::MapDataImpl::const_iterator::key): Deleted.
1940         (JSC::MapDataImpl::const_iterator::value): Deleted.
1941         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
1942         (JSC::MapDataImpl::const_iterator::finish): Deleted.
1943         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
1944         (JSC::MapDataImpl::begin): Deleted.
1945         (JSC::MapDataImpl::end): Deleted.
1946         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
1947         (JSC::MapDataImpl<Entry>::clear): Deleted.
1948         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
1949         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
1950         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
1951         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
1952         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
1953         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
1954         (JSC::=): Deleted.
1955         * runtime/MapDataInlines.h:
1956         (JSC::JSIterator>::clear):
1957         (JSC::JSIterator>::find):
1958         (JSC::JSIterator>::contains):
1959         (JSC::JSIterator>::add):
1960         (JSC::JSIterator>::set):
1961         (JSC::JSIterator>::get):
1962         (JSC::JSIterator>::remove):
1963         (JSC::JSIterator>::replaceAndPackBackingStore):
1964         (JSC::JSIterator>::replaceBackingStore):
1965         (JSC::JSIterator>::ensureSpaceForAppend):
1966         (JSC::JSIterator>::visitChildren):
1967         (JSC::JSIterator>::copyBackingStore):
1968         (JSC::JSIterator>::applyMapDataPatch):
1969         (JSC::MapDataImpl<Entry>::find): Deleted.
1970         (JSC::MapDataImpl<Entry>::contains): Deleted.
1971         (JSC::MapDataImpl<Entry>::add): Deleted.
1972         (JSC::MapDataImpl<Entry>::set): Deleted.
1973         (JSC::MapDataImpl<Entry>::get): Deleted.
1974         (JSC::MapDataImpl<Entry>::remove): Deleted.
1975         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
1976         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
1977         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
1978         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
1979         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
1980         * runtime/MapPrototype.cpp:
1981         (JSC::mapProtoFuncForEach):
1982         * runtime/SetPrototype.cpp:
1983         (JSC::setProtoFuncForEach):
1984         * runtime/WeakGCMap.h:
1985         (JSC::WeakGCMap::forEach):
1986         * tests/stress/modify-map-during-iteration.js: Added.
1987         (testValue):
1988         (identityPairs):
1989         (.set if):
1990         (var):
1991         (set map):
1992         * tests/stress/modify-set-during-iteration.js: Added.
1993         (testValue):
1994         (set forEach):
1995         (set delete):
1996
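Added example, not part of this ChangeLog or of JavaScriptCore's sources: a toy C++ model of the scheme the JSMap/JSSet entry above describes. ToyMapData, ToyIterator, the pack threshold and the index-patch representation are invented for illustration; std::weak_ptr stands in for WeakGCMap, and a raw pointer stands in for the iterator's GC reference to its set.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical stand-ins for MapData, JSSetIterator and WeakGCMap; not JSC code.
class ToyIterator;

// Backing store of the toy set. A removed value becomes a hole; packing compacts the holes away, renumbering every surviving slot.
class ToyMapData {
public:
    static constexpr int kHole = -1;
    void add(int value) { m_slots.push_back(value); }
    void remove(int value) {
        for (int& slot : m_slots) {
            if (slot == value) { slot = kHole; ++m_deletedCount; break; }
        }
        if (m_deletedCount >= 2) // arbitrary pack threshold for the toy (shouldPack's role)
            pack();
    }
    // WeakGCMap's role: only weak references to iterators. A dead iterator simply fails to
    // lock(); nothing runs in ~ToyIterator, unlike the old m_iteratorCount decrement.
    void track(const std::shared_ptr<ToyIterator>& iterator) { m_liveIterators.push_back(iterator); }
    const std::vector<int>& slots() const { return m_slots; }

private:
    void pack();
    std::vector<int> m_slots;
    std::size_t m_deletedCount = 0;
    std::vector<std::weak_ptr<ToyIterator>> m_liveIterators;
};

// JS-style iterator: next() yields the next live entry and returns false when finished.
class ToyIterator {
public:
    // A raw pointer models the GC reference: the destructor never dereferences it,
    // so the order in which the two objects are swept does not matter.
    explicit ToyIterator(ToyMapData* data) : m_data(data) {}
    bool next(int& out) {
        while (m_cursor < m_data->slots().size()) {
            int v = m_data->slots()[m_cursor++];
            if (v != ToyMapData::kHole) { out = v; return true; }
        }
        return false;
    }
    // Called by the container after packing: newIndexForOld[i] is the number of live
    // entries before old slot i, i.e. where the cursor now belongs.
    void applyMapDataPatch(const std::vector<std::size_t>& newIndexForOld) { m_cursor = newIndexForOld[m_cursor]; }

private:
    ToyMapData* m_data;
    std::size_t m_cursor = 0;
};

void ToyMapData::pack() {
    std::vector<std::size_t> newIndexForOld(m_slots.size() + 1);
    std::vector<int> packed;
    for (std::size_t i = 0; i < m_slots.size(); ++i) {
        newIndexForOld[i] = packed.size();
        if (m_slots[i] != kHole) packed.push_back(m_slots[i]);
    }
    newIndexForOld[m_slots.size()] = packed.size(); // a cursor may sit one past the end
    m_slots.swap(packed);
    m_deletedCount = 0;

    std::vector<std::weak_ptr<ToyIterator>> stillLive;
    for (const auto& weak : m_liveIterators) {
        if (auto iterator = weak.lock()) { // expired iterators are silently dropped
            iterator->applyMapDataPatch(newIndexForOld);
            stillLive.push_back(weak);
        }
    }
    m_liveIterators.swap(stillLive);
}

// Walks a set while entries are deleted and the store is packed underneath the iterator.
// Returns the values seen: every live value exactly once, in order.
std::vector<int> iterateWhileRemoving() {
    ToyMapData data;
    for (int v = 10; v <= 50; v += 10) data.add(v); // slots: 10 20 30 40 50
    auto iterator = std::make_shared<ToyIterator>(&data);
    data.track(iterator);

    std::vector<int> seen;
    int v = 0;
    if (iterator->next(v)) seen.push_back(v);    // 10
    if (iterator->next(v)) seen.push_back(v);    // 20, cursor now 2
    data.remove(10);                             // hole, below the pack threshold
    data.remove(20);                             // second hole packs: slots 30 40 50, cursor 2 -> 0
    while (iterator->next(v)) seen.push_back(v); // 30 40 50
    return seen;
}

// The sweep-order scenario from the entry: the container dies first, then the iterator.
// Safe here because ~ToyIterator does no bookkeeping on the container.
bool destroyContainerBeforeIterator() {
    auto data = std::make_unique<ToyMapData>();
    data->add(1);
    auto iterator = std::make_shared<ToyIterator>(data.get());
    data->track(iterator);
    data.reset();     // MarkedBlock<1> goes away
    iterator.reset(); // MarkedBlock<2>: no use-after-free
    return true;
}
```

The two functions at the end cover the two properties the entry cares about: iterateWhileRemoving() shows a live iterator being patched when the backing store is packed underneath it, and destroyContainerBeforeIterator() shows the container being destroyed before the iterator without the iterator's destructor touching it, which is the sweep order that caused the use-after-free.
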
1997 2015-03-24  Mark Lam  <mark.lam@apple.com>
1998
1999         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
2000         <https://webkit.org/b/143024>
2001
2002         Reviewed by Geoffrey Garen.
2003
2004         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
2005         passed in from testapi.c.  It should create its own for better
2006         encapsulation of the test.
2007
2008         * API/tests/ExecutionTimeLimitTest.cpp:
2009         (currentCPUTimeAsJSFunctionCallback):
2010         (testExecutionTimeLimit):
2011         * API/tests/ExecutionTimeLimitTest.h:
2012         * API/tests/testapi.c:
2013         (main):
2014
2015 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2016
2017         ES6: Object Literal Methods toString is missing method name
2018         https://bugs.webkit.org/show_bug.cgi?id=142992
2019
2020         Reviewed by Geoffrey Garen.
2021
2022         Always stringify functions in the pattern:
2023
2024           "function " + <function name> + <text from opening parenthesis to closing brace>.
2025
2026         * runtime/FunctionPrototype.cpp:
2027         (JSC::functionProtoFuncToString):
2028         Update the path that was not stringifying in this pattern.
2029
2030         * bytecode/UnlinkedCodeBlock.cpp:
2031         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2032         * bytecode/UnlinkedCodeBlock.h:
2033         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
2034         * parser/Nodes.h:
2035         * runtime/Executable.cpp:
2036         (JSC::FunctionExecutable::FunctionExecutable):
2037         * runtime/Executable.h:
2038         (JSC::FunctionExecutable::parametersStartOffset):
2039         Pass the already known function parameter opening parenthesis
2040         start offset through to the FunctionExecutable. 
2041
2042         * tests/mozilla/js1_5/Scope/regress-185485.js:
2043         (with.g):
2044         Add back original space in this test that was removed by r181810
2045         now that we have the space again in stringification.
2046
2047 2015-03-24  Michael Saboff  <msaboff@apple.com>
2048
2049         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
2050         https://bugs.webkit.org/show_bug.cgi?id=142856
2051
2052         Reviewed by Filip Pizlo.
2053
2054         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
2055         get info for three loops to iterate over indexed properties, structure properties and other properties,
2056         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
2057         for all loops before we execute any enumeration.
2058
2059         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
2060         The named properties are one list, with structure properties in the range [0, m_endStructurePropertyIndex)
2061         and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
2062
2063         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
2064         op_next_enumerator_pname.
2065         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
2066         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
2067         end value we stop iterating on.
2068
2069         Made corresponding node changes to the DFG and FTL for the bytecode changes.
2070
2071         * bytecode/BytecodeList.json:
2072         * bytecode/BytecodeUseDef.h:
2073         (JSC::computeUsesForBytecodeOffset):
2074         (JSC::computeDefsForBytecodeOffset):
2075         * bytecode/CodeBlock.cpp:
2076         (JSC::CodeBlock::dumpBytecode):
2077         * bytecompiler/BytecodeGenerator.cpp:
2078         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
2079         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
2080         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
2081         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
2082         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
2083         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
2084         * bytecompiler/BytecodeGenerator.h:
2085         * bytecompiler/NodesCodegen.cpp:
2086         (JSC::ForInNode::emitMultiLoopBytecode):
2087         * dfg/DFGAbstractInterpreterInlines.h:
2088         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2089         * dfg/DFGByteCodeParser.cpp:
2090         (JSC::DFG::ByteCodeParser::parseBlock):
2091         * dfg/DFGCapabilities.cpp:
2092         (JSC::DFG::capabilityLevel):
2093         * dfg/DFGClobberize.h:
2094         (JSC::DFG::clobberize):
2095         * dfg/DFGDoesGC.cpp:
2096         (JSC::DFG::doesGC):
2097         * dfg/DFGFixupPhase.cpp:
2098         (JSC::DFG::FixupPhase::fixupNode):
2099         * dfg/DFGNodeType.h:
2100         * dfg/DFGPredictionPropagationPhase.cpp:
2101         (JSC::DFG::PredictionPropagationPhase::propagate):
2102         * dfg/DFGSafeToExecute.h:
2103         (JSC::DFG::safeToExecute):
2104         * dfg/DFGSpeculativeJIT32_64.cpp:
2105         (JSC::DFG::SpeculativeJIT::compile):
2106         * dfg/DFGSpeculativeJIT64.cpp:
2107         (JSC::DFG::SpeculativeJIT::compile):
2108         * ftl/FTLAbstractHeapRepository.h:
2109         * ftl/FTLCapabilities.cpp:
2110         (JSC::FTL::canCompile):
2111         * ftl/FTLLowerDFGToLLVM.cpp:
2112         (JSC::FTL::LowerDFGToLLVM::compileNode):
2113         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
2114         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
2115         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
2116         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
2117         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
2118         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
2119         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
2120         * jit/JIT.cpp:
2121         (JSC::JIT::privateCompileMainPass):
2122         * jit/JIT.h:
2123         * jit/JITOpcodes.cpp:
2124         (JSC::JIT::emit_op_enumerator_structure_pname):
2125         (JSC::JIT::emit_op_enumerator_generic_pname):
2126         (JSC::JIT::emit_op_get_property_enumerator):
2127         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2128         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
2129         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
2130         * jit/JITOpcodes32_64.cpp:
2131         (JSC::JIT::emit_op_enumerator_structure_pname):
2132         (JSC::JIT::emit_op_enumerator_generic_pname):
2133         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2134         * jit/JITOperations.cpp:
2135         * jit/JITOperations.h:
2136         * llint/LowLevelInterpreter.asm:
2137         * runtime/CommonSlowPaths.cpp:
2138         (JSC::SLOW_PATH_DECL):
2139         * runtime/CommonSlowPaths.h:
2140         * runtime/JSPropertyNameEnumerator.cpp:
2141         (JSC::JSPropertyNameEnumerator::create):
2142         (JSC::JSPropertyNameEnumerator::finishCreation):
2143         * runtime/JSPropertyNameEnumerator.h:
2144         (JSC::JSPropertyNameEnumerator::indexedLength):
2145         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
2146         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
2147         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
2148         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
2149         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
2150         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
2151         (JSC::propertyNameEnumerator):
2152         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
2153         (JSC::structurePropertyNameEnumerator): Deleted.
2154         (JSC::genericPropertyNameEnumerator): Deleted.
2155         * runtime/Structure.cpp:
2156         (JSC::Structure::setCachedPropertyNameEnumerator):
2157         (JSC::Structure::cachedPropertyNameEnumerator):
2158         (JSC::Structure::canCachePropertyNameEnumerator):
2159         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
2160         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
2161         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
2162         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
2163         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
2164         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
2165         * runtime/Structure.h:
2166         * runtime/StructureRareData.cpp:
2167         (JSC::StructureRareData::visitChildren):
2168         (JSC::StructureRareData::cachedPropertyNameEnumerator):
2169         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
2170         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
2171         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
2172         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
2173         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
2174         * runtime/StructureRareData.h:
2175         * tests/stress/for-in-delete-during-iteration.js:
2176
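Added example, not part of this ChangeLog or of JavaScriptCore's sources: a toy C++ model of the single-enumerator layout the for...in entry above describes, with the three loops driven from one snapshot taken before enumeration starts. ToyObject, ToyPropertyNameEnumerator, makeEnumerator, structurePname/genericPname and forIn are hypothetical names; the real bytecodes and JSPropertyNameEnumerator differ in detail.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// Hypothetical stand-in for a JS object; not JSC code.
struct ToyObject {
    std::vector<int> indexed;                // array-like (indexed) properties
    std::vector<std::string> structureProps; // named properties laid out by the Structure
    std::vector<std::string> genericProps;   // other named properties (e.g. dictionary-mode)
};

// One enumerator carries everything all three loops need.
struct ToyPropertyNameEnumerator {
    std::size_t indexedLength = 0;
    std::vector<std::string> propertyNames;  // structure names first, then generic names
    std::size_t endStructurePropertyIndex = 0;
    std::size_t endGenericPropertyIndex = 0;
};

// The single up-front call (the role of op_get_property_enumerator).
ToyPropertyNameEnumerator makeEnumerator(const ToyObject& object) {
    ToyPropertyNameEnumerator e;
    e.indexedLength = object.indexed.size();
    e.propertyNames = object.structureProps;
    e.endStructurePropertyIndex = e.propertyNames.size();
    e.propertyNames.insert(e.propertyNames.end(), object.genericProps.begin(), object.genericProps.end());
    e.endGenericPropertyIndex = e.propertyNames.size();
    return e;
}

// The two pname accessors differ only in the end value that stops iteration.
const std::string* structurePname(const ToyPropertyNameEnumerator& e, std::size_t i) {
    return i < e.endStructurePropertyIndex ? &e.propertyNames[i] : nullptr;
}
const std::string* genericPname(const ToyPropertyNameEnumerator& e, std::size_t i) {
    return i < e.endGenericPropertyIndex ? &e.propertyNames[i] : nullptr;
}

using LoopBody = std::function<void(ToyObject&, const std::string&)>;

// for...in driver: the body may mutate the object, but the enumerator was fixed beforehand.
std::vector<std::string> forIn(ToyObject& object, const LoopBody& body) {
    const ToyPropertyNameEnumerator e = makeEnumerator(object);
    std::vector<std::string> visited;
    auto visit = [&](const std::string& key) { visited.push_back(key); body(object, key); };

    for (std::size_t i = 0; i < e.indexedLength; ++i)
        visit(std::to_string(i));
    for (std::size_t i = 0; const std::string* name = structurePname(e, i); ++i)
        visit(*name);
    for (std::size_t i = e.endStructurePropertyIndex; const std::string* name = genericPname(e, i); ++i)
        visit(*name);
    return visited;
}

// Constructed scenario: the loop body adds a property part-way through.
std::vector<std::string> enumerateWhileAdding() {
    ToyObject object{{7, 8}, {"a", "b"}, {"x"}};
    return forIn(object, [](ToyObject& obj, const std::string& key) {
        if (key == "a")
            obj.genericProps.push_back("added"); // not visited: the enumerator predates it
    });
}

// Checks the two end values against a constructed enumerator.
bool pnameBoundariesHold() {
    ToyObject object{{}, {"p"}, {"q"}};
    const ToyPropertyNameEnumerator e = makeEnumerator(object);
    return structurePname(e, 0) && *structurePname(e, 0) == "p"
        && structurePname(e, 1) == nullptr   // stops at endStructurePropertyIndex (1)
        && genericPname(e, 1) && *genericPname(e, 1) == "q"
        && genericPname(e, 2) == nullptr;    // stops at endGenericPropertyIndex (2)
}
```

enumerateWhileAdding() yields "0", "1", "a", "b", "x" and never "added": because the enumerator is computed once before the loops run, a property added by the loop body is not enumerated, which is the behaviour the entry restores.
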
2177 2015-03-24  Michael Saboff  <msaboff@apple.com>
2178
2179         Unreviewed build fix for debug builds.
2180
2181         * runtime/ExceptionHelpers.cpp:
2182         (JSC::invalidParameterInSourceAppender):
2183
2184 2015-03-24  Saam Barati  <saambarati1@gmail.com>
2185
2186         Improve error messages in JSC
2187         https://bugs.webkit.org/show_bug.cgi?id=141869
2188
2189         Reviewed by Geoffrey Garen.
2190
2191         JavaScriptCore has some unintuitive error messages associated
2192         with certain common errors. This patch changes some specific
2193         error messages to be more understandable and also creates a
2194         mechanism that will allow for easy modification of error messages
2195         in the future. The specific errors we change are "not a function"
2196         errors and "invalid parameter" errors.
2197
2198         * CMakeLists.txt:
2199         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2200         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2201         * JavaScriptCore.xcodeproj/project.pbxproj:
2202         * interpreter/Interpreter.cpp:
2203         (JSC::sizeOfVarargs):
2204         * jit/JITOperations.cpp:
2205         op_throw_static_error always has a JSString as its argument.
2206         There is no need to dance around this, and we should assert
2207         that this always holds. This JSString represents the error 
2208         message we want to display to the user, so there is no need
2209         to pass it into errorDescriptionForValue which will now place
2210         quotes around the string.
2211
2212         * llint/LLIntSlowPaths.cpp:
2213         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2214         * runtime/CommonSlowPaths.h:
2215         (JSC::CommonSlowPaths::opIn):
2216         * runtime/ErrorInstance.cpp:
2217         (JSC::ErrorInstance::ErrorInstance):
2218         * runtime/ErrorInstance.h:
2219         (JSC::ErrorInstance::hasSourceAppender):
2220         (JSC::ErrorInstance::sourceAppender):
2221         (JSC::ErrorInstance::setSourceAppender):
2222         (JSC::ErrorInstance::clearSourceAppender):
2223         (JSC::ErrorInstance::setRuntimeTypeForCause):
2224         (JSC::ErrorInstance::runtimeTypeForCause):
2225         (JSC::ErrorInstance::clearRuntimeTypeForCause):
2226         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
2227         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
2228         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
2229         * runtime/ExceptionHelpers.cpp:
2230         (JSC::errorDescriptionForValue):
2231         (JSC::defaultApproximateSourceError):
2232         (JSC::defaultSourceAppender):
2233         (JSC::functionCallBase):
2234         (JSC::notAFunctionSourceAppender):
2235         (JSC::invalidParameterInSourceAppender):
2236         (JSC::invalidParameterInstanceofSourceAppender):
2237         (JSC::createError):
2238         (JSC::createInvalidFunctionApplyParameterError):
2239         (JSC::createInvalidInParameterError):
2240         (JSC::createInvalidInstanceofParameterError):
2241         (JSC::createNotAConstructorError):
2242         (JSC::createNotAFunctionError):
2243         (JSC::createNotAnObjectError):
2244         (JSC::createInvalidParameterError): Deleted.
2245         * runtime/ExceptionHelpers.h:
2246         * runtime/JSObject.cpp:
2247         (JSC::JSObject::hasInstance):
2248         * runtime/RuntimeType.cpp: Added.
2249         (JSC::runtimeTypeForValue):
2250         (JSC::runtimeTypeAsString):
2251         * runtime/RuntimeType.h: Added.
2252         * runtime/TypeProfilerLog.cpp:
2253         (JSC::TypeProfilerLog::processLogEntries):
2254         * runtime/TypeSet.cpp:
2255         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
2256         * runtime/TypeSet.h:
2257         * runtime/VM.cpp:
2258         (JSC::appendSourceToError):
2259         (JSC::VM::throwException):
2260
2261 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
2262
2263         JSC should have a low-cost asynchronous disassembler
2264         https://bugs.webkit.org/show_bug.cgi?id=142997
2265
2266         Reviewed by Mark Lam.
2267         
2268         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
2269         doesn't block execution. Some code will live a little longer because of this, since the
2270         work tasks hold a ref to the code, but other than that there is basically no overhead.
2271         
2272         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
2273         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
2274         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
2275         JSC_asyncDisassembly has bizarre behavior - so just choose one.
2276         
2277         A simple way of understanding how great this is, is to run a small benchmark like
2278         V8Spider/earley-boyer.
2279         
2280         Performance without any disassembly flags: 60ms
2281         Performance with JSC_showDisassembly=true: 477ms
2282         Performance with JSC_asyncDisassembly=true: 65ms
2283         
2284         So, the overhead of disassembly goes from 8x to 8%.
2285         
2286         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
2287         measuring benchmark performance. This is because at VM exit, we wait for all async
2288         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
2289         after the benchmark completely finishes to finish the disassemblies. This small weirdness
2290         should be OK for the intended use-cases, since all you have to do to get around it is to
2291         measure the execution time of the benchmark payload rather than the end-to-end time of
2292         launching the VM.
2293
2294         * assembler/LinkBuffer.cpp:
2295         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2296         * assembler/LinkBuffer.h:
2297         (JSC::LinkBuffer::wasAlreadyDisassembled):
2298         (JSC::LinkBuffer::didAlreadyDisassemble):
2299         * dfg/DFGJITCompiler.cpp:
2300         (JSC::DFG::JITCompiler::disassemble):
2301         * dfg/DFGJITFinalizer.cpp:
2302         (JSC::DFG::JITFinalizer::finalize):
2303         (JSC::DFG::JITFinalizer::finalizeFunction):
2304         * disassembler/Disassembler.cpp:
2305         (JSC::disassembleAsynchronously):
2306         (JSC::waitForAsynchronousDisassembly):
2307         * disassembler/Disassembler.h:
2308         * ftl/FTLCompile.cpp:
2309         (JSC::FTL::mmAllocateDataSection):
2310         * ftl/FTLLink.cpp:
2311         (JSC::FTL::link):
2312         * jit/JIT.cpp:
2313         (JSC::JIT::privateCompile):
2314         * jsc.cpp:
2315         * runtime/Options.h:
2316         * runtime/VM.cpp:
2317         (JSC::VM::~VM):
2318
2319 2015-03-23  Dean Jackson  <dino@apple.com>
2320
2321         ES7: Implement Array.prototype.includes
2322         https://bugs.webkit.org/show_bug.cgi?id=142707
2323
2324         Reviewed by Geoffrey Garen.
2325
2326         Add support for the ES7 includes method on Arrays.
2327         https://github.com/tc39/Array.prototype.includes
2328
2329         * builtins/Array.prototype.js:
2330         (includes): Implementation in JS.
2331         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
2332
2333 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2334
2335         __defineGetter__/__defineSetter__ should throw exceptions
2336         https://bugs.webkit.org/show_bug.cgi?id=142934
2337
2338         Reviewed by Geoffrey Garen.
2339
2340         * runtime/ObjectPrototype.cpp:
2341         (JSC::objectProtoFuncDefineGetter):
2342         (JSC::objectProtoFuncDefineSetter):
2343         Throw exceptions when these functions are used directly.
2344
2345 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2346
2347         Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
2348         https://bugs.webkit.org/show_bug.cgi?id=142952
2349
2350         Reviewed by Geoffrey Garen.
2351
2352         * runtime/Structure.cpp:
2353         (JSC::PropertyTable::checkConsistency):
2354         The check offset method doesn't exist in PropertyTable, it exists in Structure.
2355
2356         (JSC::Structure::checkConsistency):
2357         So move it here, and always put it at the start to match normal behavior.
2358
2359 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2360
2361         Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
2362         https://bugs.webkit.org/show_bug.cgi?id=142956
2363
2364         Rubber stamped by Gyuyoung Kim.
2365         
2366         Just removing dead code.
2367
2368         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2369         * JavaScriptCore.xcodeproj/project.pbxproj:
2370         * dfg/DFGOSRExit.h:
2371         * dfg/DFGOSRExitCompiler.cpp:
2372         * dfg/DFGValueRecoveryOverride.h: Removed.
2373
2374 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2375
2376         DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
2377         https://bugs.webkit.org/show_bug.cgi?id=142948
2378
2379         Reviewed by Sam Weinig.
2380         
2381         It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
2382         since a signal may clobber the area below the stack pointer. When the DFG is executing,
2383         the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
2384         baseline, we will use a different amount of stack. This is because baseline is a different
2385         compiler. It will make different decisions. So it will use a different amount of stack.
2386         
2387         This gets tricky when we are in the process of doing an OSR exit, because we are sort of
2388         incrementally transforming the stack from how it looked in the DFG to how it will look in
2389         baseline. The most conservative approach would be to set the stack pointer to the max of
2390         DFG and baseline.
2391         
2392         When this code was written, a reckless assumption was made: that the stack usage in
2393         baseline is always at least as large as the stack usage in DFG. Based on this incorrect
2394         assumption, the code first adjusts the stack pointer to account for the baseline stack
2395         usage. This sort of usually works, because usually baseline does happen to use more stack.
2396         But that's not an invariant. Nobody guarantees this. We will never make any changes that
2397         would make this be guaranteed, because that would be antithetical to how optimizing
2398         compilers work. The DFG should be allowed to use however much stack it decides that it
2399         should use in order to get good performance, and it shouldn't try to guarantee that it
2400         always uses less stack than baseline.
2401         
2402         As such, we must always assume that the frame size for DFG execution (i.e.
2403         frameRegisterCount) and the frame size in baseline once we exit (i.e.
2404         requiredRegisterCountForExit) are two independent quantities and they have no
2405         relationship.
2406         
2407         Fortunately, though, this code can be made correct by just moving the stack adjustment to
2408         just before we do conversions. This is because we have since changed the OSR exit
2409         algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
2410         drop it out of the scratch buffer and into the stack according to the baseline layout. The
2411         point just before conversions is the point where we have finished reading the DFG frame
2412         and will not read it anymore, and we haven't started writing the baseline frame. So, at
2413         this point it is safe to set the stack pointer to account for the frame size at exit.
2414         
2415         This is benign because baseline happens to create larger frames than DFG.
2416
2417         * dfg/DFGOSRExitCompiler32_64.cpp:
2418         (JSC::DFG::OSRExitCompiler::compileExit):
2419         * dfg/DFGOSRExitCompiler64.cpp:
2420         (JSC::DFG::OSRExitCompiler::compileExit):
2421         * dfg/DFGOSRExitCompilerCommon.cpp:
2422         (JSC::DFG::adjustAndJumpToTarget):
2423
2424 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2425
2426         Shorten the number of iterations to 10,000 since that's enough to test all tiers.
2427
2428         Rubber stamped by Sam Weinig.
2429
2430         * tests/stress/equals-masquerader.js:
2431
2432 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2433
2434         tests/stress/*tdz* tests do 10x more iterations than necessary
2435         https://bugs.webkit.org/show_bug.cgi?id=142946
2436
2437         Reviewed by Ryosuke Niwa.
2438         
2439         The stress test harness runs all of these tests in various configurations. This includes
2440         no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
2441         enough to get to the highest tier. The only exceptions are very large functions or
2442         functions that have some reoptimizations. That happens rarely, and when it does happen,
2443         usually 20,000 iterations is enough.
2444         
2445         Therefore, these tests use 10x too many iterations. This is bad, since these tests
2446         allocate on each iteration, and so they run very slowly in debug mode.
2447
2448         * tests/stress/class-syntax-no-loop-tdz.js:
2449         * tests/stress/class-syntax-no-tdz-in-catch.js:
2450         * tests/stress/class-syntax-no-tdz-in-conditional.js:
2451         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
2452         * tests/stress/class-syntax-no-tdz-in-loop.js:
2453         * tests/stress/class-syntax-no-tdz.js:
2454         * tests/stress/class-syntax-tdz-in-catch.js:
2455         * tests/stress/class-syntax-tdz-in-conditional.js:
2456         * tests/stress/class-syntax-tdz-in-loop.js:
2457         * tests/stress/class-syntax-tdz.js:
2458
2459 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2460
2461         Fix a typo in Parser error message
2462         https://bugs.webkit.org/show_bug.cgi?id=142942
2463
2464         Reviewed by Alexey Proskuryakov.
2465
2466         * jit/JITPropertyAccess.cpp:
2467         (JSC::JIT::emitSlow_op_resolve_scope):
2468         * jit/JITPropertyAccess32_64.cpp:
2469         (JSC::JIT::emitSlow_op_resolve_scope):
2470         * parser/Parser.cpp:
2471         (JSC::Parser<LexerType>::parseClass):
2472         Fix a common identifier typo.
2473
2474 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2475
2476         Computed Property names should allow only AssignmentExpressions not any Expression
2477         https://bugs.webkit.org/show_bug.cgi?id=142902
2478
2479         Reviewed by Ryosuke Niwa.
2480
2481         * parser/Parser.cpp:
2482         (JSC::Parser<LexerType>::parseProperty):
2483         Limit computed expressions to just assignment expressions instead of
2484         any expression (which allowed comma expressions).
2485
2486 2015-03-21  Andreas Kling  <akling@apple.com>
2487
2488         Make UnlinkedFunctionExecutable fit in a 128-byte cell.
2489         <https://webkit.org/b/142939>
2490
2491         Reviewed by Mark Hahnenberg.
2492
2493         Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
2494         a 128-byte heap cell instead of requiring a 256-byte one.
2495
2496         Threw in a static_assert to catch anyone pushing it over the limit again.
2497
2498         * bytecode/UnlinkedCodeBlock.cpp:
2499         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2500         * bytecode/UnlinkedCodeBlock.h:
2501         (JSC::UnlinkedFunctionExecutable::functionMode):
2502
2503 2015-03-20  Mark Hahnenberg  <mhahnenb@gmail.com>
2504
2505         GCTimer should keep track of nested GC phases
2506         https://bugs.webkit.org/show_bug.cgi?id=142675
2507
2508         Reviewed by Darin Adler.
2509
2510         This improves the GC phase timing output in Heap.cpp by linking
2511         phases nested inside other phases together, allowing tools
2512         to compute how much time we're spending in various nested phases.
2513
2514         * heap/Heap.cpp:
2515
2516 2015-03-20  Geoffrey Garen  <ggaren@apple.com>
2517
2518         FunctionBodyNode should know where its parameters started
2519         https://bugs.webkit.org/show_bug.cgi?id=142926
2520
2521         Reviewed by Ryosuke Niwa.
2522
2523         This will allow us to re-parse parameters instead of keeping the
2524         parameters piece of the AST around forever.
2525
2526         I also took the opportunity to initialize most FunctionBodyNode data
2527         members at construction time, to help clarify that they are set right.
2528
2529         * parser/ASTBuilder.h:
2530         (JSC::ASTBuilder::createFunctionExpr): No need to pass
2531         functionKeywordStart here; we now provide it at FunctionBodyNode
2532         creation time.
2533
2534         (JSC::ASTBuilder::createFunctionBody): Require everything we need at
2535         construction time, including the start of our parameters.
2536
2537         (JSC::ASTBuilder::createGetterOrSetterProperty):
2538         (JSC::ASTBuilder::createFuncDeclStatement):  No need to pass
2539         functionKeywordStart here; we now provide it at FunctionBodyNode
2540         creation time.
2541
2542         (JSC::ASTBuilder::setFunctionNameStart): Deleted.
2543
2544         * parser/Nodes.cpp:
2545         (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at
2546         construction time.
2547
2548         * parser/Nodes.h: Added a field for the location of our parameters.
2549
2550         * parser/Parser.cpp:
2551         (JSC::Parser<LexerType>::parseFunctionBody):
2552         (JSC::Parser<LexerType>::parseFunctionInfo):
2553         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2554         (JSC::Parser<LexerType>::parseClass):
2555         (JSC::Parser<LexerType>::parsePropertyMethod):
2556         (JSC::Parser<LexerType>::parseGetterSetter):
2557         (JSC::Parser<LexerType>::parsePrimaryExpression):
2558         * parser/Parser.h: Refactored to match above interface changes.
2559
2560         * parser/SyntaxChecker.h:
2561         (JSC::SyntaxChecker::createFunctionExpr):
2562         (JSC::SyntaxChecker::createFunctionBody):
2563         (JSC::SyntaxChecker::createFuncDeclStatement):
2564         (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match
2565         above interface changes.
2566
2567         (JSC::SyntaxChecker::setFunctionNameStart): Deleted.
2568
2569 2015-03-20  Filip Pizlo  <fpizlo@apple.com>
2570
2571         Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes
2572         https://bugs.webkit.org/show_bug.cgi?id=142920
2573
2574         Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam.
2575         
2576         Observably effectful, n.: If we reexecute the bytecode instruction after this node has
2577         executed, then something other than the bytecode instruction's specified outcome will
2578         happen.
2579
2580         We almost never had observably effectful nodes except at the end of the bytecode
2581         instruction.  The exception is a lowered transitioning PutById:
2582
2583         PutStructure(@o, S1 -> S2)
2584         PutByOffset(@o, @o, @v)
2585
2586         The PutStructure is observably effectful: if you try to reexecute the bytecode after
2587         doing the PutStructure, then we'll most likely crash.  The generic PutById handling means
2588         first checking what the old structure of the object is; but if we reexecute, the old
2589         structure will seem to be the new structure.  But the property ensured by the new
2590         structure hasn't been stored yet, so any attempt to load it or scan it will crash.
2591
2592         Intriguingly, however, none of the other operations involved in the PutById are
2593         observably effectful.  Consider this example:
2594
2595         PutByOffset(@o, @o, @v)
2596         PutStructure(@o, S1 -> S2)
2597
        Note that the PutStructure node doesn't reallocate property storage; see further below
        for an example that does that. Because no property storage reallocation is happening, we
        know that we already had room for the new property.  This means that the PutByOffset is
        not observable until the PutStructure executes and "reveals" the property.  Hence,
        PutByOffset is not observably effectful.
2603
2604         Now consider this:
2605
2606         b: AllocatePropertyStorage(@o)
2607         PutByOffset(@b, @o, @v)
2608         PutStructure(@o, S1 -> S2)
2609
2610         Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably
2611         effectful. It *does* reallocate the property storage and the new property storage pointer
2612         is stored into the object. But until the PutStructure occurs, the world will just think
2613         that the reallocation didn't happen, in the sense that we'll think that the property
2614         storage is using less memory than what we just allocated. That's harmless.
2615
2616         The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the
2617         AllocatePropertyStorage but before the PutByOffset (or before the PutStructure),
2618         everything could be expected to be fine, so long as all of @o, @v and @b are on the
2619         stack. If they are all on the stack, then the GC will leave the property storage alone
2620         (so the extra memory we just allocated would be safe). The GC will not scan the part of
2621         the property storage that contains @v, but that's fine, so long as @v is on the stack.
2622         
2623         The better long-term solution is probably bug 142921.
2624         
2625         But for now, this:
2626         
2627         - Fixes an object materialization bug, exemplified by the two tests, that previously
2628           crashed 100% of the time with FTL enabled and concurrent JIT disabled.
2629         
2630         - Allows us to remove the workaround introduced in r174856.
2631
2632         * dfg/DFGByteCodeParser.cpp:
2633         (JSC::DFG::ByteCodeParser::handlePutById):
2634         * dfg/DFGConstantFoldingPhase.cpp:
2635         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2636         * dfg/DFGFixupPhase.cpp:
2637         (JSC::DFG::FixupPhase::insertCheck):
2638         (JSC::DFG::FixupPhase::indexOfNode): Deleted.
2639         (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted.
2640         * dfg/DFGInsertionSet.h:
2641         (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted.
2642         (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted.
2643         * tests/stress/materialize-past-butterfly-allocation.js: Added.
2644         (bar):
2645         (foo0):
2646         (foo1):
2647         (foo2):
2648         (foo3):
2649         (foo4):
2650         * tests/stress/materialize-past-put-structure.js: Added.
2651         (foo):
2652
2653 2015-03-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2654
2655         REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
2656         https://bugs.webkit.org/show_bug.cgi?id=142410
2657
2658         Reviewed by Geoffrey Garen.
2659
        Before this patch, the added function JSValue::toPropertyKey returns PropertyName.
        Since PropertyName doesn't have AtomicStringImpl ownership,
        if an Identifier is implicitly converted to PropertyName and the Identifier is destructed,
        the PropertyName may refer to a freed AtomicStringImpl*.

        This patch changes the result type of JSValue::toPropertyKey from PropertyName to Identifier,
        to keep AtomicStringImpl* ownership after the toPropertyKey call is done.
        And we receive the result value as Identifier type to keep ownership on the caller side.

        To catch the result of toPropertyKey as is, we receive it as auto.

        However, now we don't need to have both Identifier and PropertyName.
        So we'll merge PropertyName into Identifier in the subsequent patch.
2673
2674         * dfg/DFGOperations.cpp:
2675         (JSC::DFG::operationPutByValInternal):
2676         * jit/JITOperations.cpp:
2677         (JSC::getByVal):
2678         * llint/LLIntSlowPaths.cpp:
2679         (JSC::LLInt::getByVal):
2680         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2681         * runtime/CommonSlowPaths.cpp:
2682         (JSC::SLOW_PATH_DECL):
2683         * runtime/CommonSlowPaths.h:
2684         (JSC::CommonSlowPaths::opIn):
2685         * runtime/JSCJSValue.h:
2686         * runtime/JSCJSValueInlines.h:
2687         (JSC::JSValue::toPropertyKey):
2688         * runtime/ObjectConstructor.cpp:
2689         (JSC::objectConstructorGetOwnPropertyDescriptor):
2690         (JSC::objectConstructorDefineProperty):
2691         * runtime/ObjectPrototype.cpp:
2692         (JSC::objectProtoFuncPropertyIsEnumerable):
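
Added example, not JavaScriptCore code and not the patch above: a minimal owning handle versus a non-owning view of a refcounted string, in the shape the entry describes. Identifier, PropertyName and StringImpl here are hypothetical stand-ins that only share the ownership semantics; the live-object registry exists so the dangling view can be detected without dereferencing it.

```cpp
#include <memory>
#include <set>
#include <string>
#include <utility>

// Registry of live StringImpl objects. It lets a test ask "does this raw pointer
// still point at a live object?" without dereferencing it (that would be UB).
static std::set<const void*>& liveImpls() {
    static std::set<const void*> registry;
    return registry;
}

// Stand-in for AtomicStringImpl: an immutable, refcounted character buffer.
struct StringImpl {
    explicit StringImpl(std::string s) : chars(std::move(s)) { liveImpls().insert(this); }
    ~StringImpl() { liveImpls().erase(this); }
    std::string chars;
};

// Owning handle (the Identifier role): keeps the impl alive while it exists.
class Identifier {
public:
    explicit Identifier(const std::string& s) : m_impl(std::make_shared<StringImpl>(s)) {}
    const StringImpl* impl() const { return m_impl.get(); }
private:
    std::shared_ptr<StringImpl> m_impl;
};

// Non-owning view (the PropertyName role): a raw pointer and nothing else.
// The implicit converting constructor mirrors the API shape in the entry.
class PropertyName {
public:
    PropertyName(const Identifier& id) : m_impl(id.impl()) {}
    const StringImpl* impl() const { return m_impl; }
private:
    const StringImpl* m_impl;
};

// Buggy shape: build an owning Identifier, hand back a view of it. The
// Identifier dies when this function returns, so the view dangles.
PropertyName toPropertyKeyBuggy(const std::string& key) {
    Identifier id(key);
    return PropertyName(id);   // ownership dropped at the closing brace
}

// Fixed shape: return the owning type and let the caller hold it.
Identifier toPropertyKeyFixed(const std::string& key) {
    return Identifier(key);
}

// True iff the view from the buggy helper still points at a live impl.
bool buggyResultIsLive(const std::string& key) {
    PropertyName name = toPropertyKeyBuggy(key);
    return liveImpls().count(name.impl()) != 0;   // false: already freed
}

// True iff a view taken from the fixed helper's result is live for as long
// as the owning Identifier stays in scope.
bool fixedResultIsLive(const std::string& key) {
    auto id = toPropertyKeyFixed(key);   // 'auto' keeps the owning type
    PropertyName name(id);
    return liveImpls().count(name.impl()) != 0;   // true while 'id' lives
}

int main() {
    return (!buggyResultIsLive("length") && fixedResultIsLive("length")) ? 0 : 1;
}
```

The buggy helper returns the non-owning view of a local Identifier, so the caller's PropertyName points at freed memory before it is ever used; the fixed helper returns the owning type and the caller keeps it in scope, with auto, for as long as any view of it is needed.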
2693
2694 2015-03-18  Geoffrey Garen  <ggaren@apple.com>
2695
2696         Function.prototype.toString should not decompile the AST
2697         https://bugs.webkit.org/show_bug.cgi?id=142853
2698
2699         Reviewed by Sam Weinig.
2700
2701         To recover the function parameter string, Function.prototype.toString
2702         decompiles the function parameters from the AST. This is bad for a few
2703         reasons:
2704
2705         (1) It requires us to keep pieces of the AST live forever. This is an
2706         awkward design and a waste of memory.
2707
2708         (2) It doesn't match Firefox or Chrome (because it changes whitespace
2709         and ES6 destructuring expressions).
2710
2711         (3) It doesn't scale to ES6 default argument parameters, which require
2712         arbitrarily complex decompilation.
2713
2714         (4) It can counterfeit all the line numbers in a function (because
2715         whitespace can include newlines).
2716
2717         (5) It's expensive, and we've seen cases where websites invoke
2718         Function.prototype.toString a lot by accident.
2719
2720         The fix is to do what we do for the rest of the function: Just quote the
2721         original source text.
2722
2723         Since this change inevitably changes some function stringification, I
2724         took the opportunity to make our stringification match Firefox's and
2725         Chrome's.
2726
2727         * API/tests/testapi.c:
2728         (assertEqualsAsUTF8String): Be more informative when this fails.
2729
2730         (main): Updated to match new stringification rules.
2731
2732         * bytecode/UnlinkedCodeBlock.cpp:
2733         (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay!
2734         * bytecode/UnlinkedCodeBlock.h:
2735
2736         * parser/Nodes.h:
2737         (JSC::StatementNode::isFuncDeclNode): New helper for constructing
2738         anonymous functions.
2739
2740         * parser/SourceCode.h:
2741         (JSC::SourceCode::SourceCode): Allow zero because WebCore wants it.
2742
2743         * runtime/CodeCache.cpp:
2744         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Updated for use
2745         of function declaration over function expression.
2746
2747         * runtime/Executable.cpp:
2748         (JSC::FunctionExecutable::paramString): Deleted. Yay!
2749         * runtime/Executable.h:
2750         (JSC::FunctionExecutable::parameterCount):
2751
2752         * runtime/FunctionConstructor.cpp:
2753         (JSC::constructFunctionSkippingEvalEnabledCheck): Added a newline after
2754         the opening brace to match Firefox and Chrome, and a space after the comma
2755         to match Firefox and WebKit coding style. Added the function name to
2756         the text of the function so it would look right when stringify-ing. Switched
2757         from parentheses to braces to produce a function declaration instead of
2758         a function expression because we are required to exclude the function's
2759         name from its scope, and that's what a function declaration does.
2760
2761         * runtime/FunctionPrototype.cpp:
2762         (JSC::functionProtoFuncToString): Removed an old workaround because the
2763         library it worked around doesn't really exist anymore, and the behavior
2764         doesn't match Firefox or Chrome. Use type profiling offsets instead of
2765         function body offsets because we want to include the function name and
2766         the parameter string, rather than stitching them in manually by
2767         decompiling the AST.
2768
2769         (JSC::insertSemicolonIfNeeded): Deleted.
2770
2771         * tests/mozilla/js1_2/function/tostring-1.js:
2772         * tests/mozilla/js1_5/Scope/regress-185485.js:
2773         (with.g): Updated these test results for formatting changes.
2774
2775 2015-03-20  Joseph Pecoraro  <pecoraro@apple.com>
2776
2777         SyntaxChecker assertion is trapped with computed property name and getter
2778         https://bugs.webkit.org/show_bug.cgi?id=142863
2779
2780         Reviewed by Ryosuke Niwa.
2781
2782         * parser/SyntaxChecker.h:
2783         (JSC::SyntaxChecker::getName):
2784         Remove invalid assert. Computed properties will not have a name
2785         and the calling code is checking for null expecting it. The
2786         AST path (non-CheckingPath) already does this without the assert
2787         so it is well tested.
2788
2789 2015-03-19  Mark Lam  <mark.lam@apple.com>
2790
2791         JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called.
2792         <https://webkit.org/b/142846>
2793
2794         Reviewed by Geoffrey Garen.
2795
2796         Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:
2797         1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef
2798            that a JSCallbackObject references.
2799         2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via
2800            vm.heap.addFinalizer() which destroys the JSCallbackObject.
2801
2802         The first finalizer is implemented as a virtual function of a JSCallbackObjectData
2803         instance that will be destructed if the 2nd finalizer is called.  Hence, if the
        2nd finalizer is called first, the later invocation of the 1st finalizer will
2805         result in a crash.
2806
2807         This patch fixes the issue by eliminating the finalizer registration in init().
2808         Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers
2809         if needed.  This ensures that these finalizers are called before the JSCallbackObject
        is destructed.
2811
2812         Also added assertions to a few Heap functions because JSCell::classInfo() expects
2813         all objects that are allocated from MarkedBlock::Normal blocks to be derived from
2814         JSDestructibleObject.  These assertions will help us catch violations of this
2815         expectation earlier.
2816
2817         * API/JSCallbackObject.cpp:
2818         (JSC::JSCallbackObjectData::finalize): Deleted.
2819         * API/JSCallbackObject.h:
2820         (JSC::JSCallbackObjectData::~JSCallbackObjectData):
2821         * API/JSCallbackObjectFunctions.h:
2822         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
2823         (JSC::JSCallbackObject<Parent>::init):
2824         * API/tests/GlobalContextWithFinalizerTest.cpp: Added.
2825         (finalize):
2826         (testGlobalContextWithFinalizer):
2827         * API/tests/GlobalContextWithFinalizerTest.h: Added.
2828         * API/tests/testapi.c:
2829         (main):
2830         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
2831         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
2832         * JavaScriptCore.xcodeproj/project.pbxproj:
2833         * heap/HeapInlines.h:
2834         (JSC::Heap::allocateObjectOfType):
2835         (JSC::Heap::subspaceForObjectOfType):
2836         (JSC::Heap::allocatorForObjectOfType):
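
Added example, not JavaScriptCore code: the two-finalizer ordering hazard the entry describes, and the fix of running the class finalizers from the destructor instead. Heap, ClassData and the two CallbackObject types are hypothetical stand-ins; the live-object registry lets the finalizer detect a freed sub-object and count it, where the real engine would dereference it and crash.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <set>
#include <utility>
#include <vector>

// Registry of live ClassData objects, so a finalizer can ask "is this pointer
// still valid?" instead of dereferencing a possibly freed object (UB, and in
// the real engine the crash).
static std::set<const void*>& liveData() {
    static std::set<const void*> registry;
    return registry;
}

// Stand-in for the GC's weak-finalizer list. The collector promises nothing
// about the order in which registered finalizers run, so both orders are tried.
struct Heap {
    std::vector<std::function<void()>> finalizers;
    int safeCalls = 0;    // class finalizers that ran on live data
    int unsafeCalls = 0;  // class finalizers that would have touched freed data
    void runFinalizers(bool destroyFirst) {
        if (destroyFirst)
            std::reverse(finalizers.begin(), finalizers.end());
        for (auto& f : finalizers)
            f();
        finalizers.clear();
    }
};

// Stand-in for JSCallbackObjectData: the per-class finalizer is virtual, so
// calling it needs a live object (a vtable load through freed memory otherwise).
struct ClassData {
    Heap& heap;
    explicit ClassData(Heap& h) : heap(h) { liveData().insert(this); }
    virtual ~ClassData() { liveData().erase(this); }
    virtual void finalize() { ++heap.safeCalls; }
};

// Pre-patch shape: two independent finalizers that race each other.
struct BuggyCallbackObject {
    std::unique_ptr<ClassData> data;
    explicit BuggyCallbackObject(Heap& heap) : data(new ClassData(heap)) {
        ClassData* raw = data.get();
        // 1. virtual call through a raw pointer into 'data'
        heap.finalizers.push_back([&heap, raw] {
            if (liveData().count(raw))
                raw->finalize();
            else
                ++heap.unsafeCalls;   // real code: use after free
        });
        // 2. destroy the object, and therefore 'data'
        heap.finalizers.push_back([this] { delete this; });
    }
};

// Post-patch shape: only the destroy finalizer is registered; the destructor
// itself runs the class finalizers while 'data' is guaranteed to be alive.
struct FixedCallbackObject {
    std::unique_ptr<ClassData> data;
    explicit FixedCallbackObject(Heap& heap) : data(new ClassData(heap)) {
        heap.finalizers.push_back([this] { delete this; });
    }
    ~FixedCallbackObject() { data->finalize(); }
};

// Each returns {safe, unsafe} class-finalizer counts after one full GC pass.
std::pair<int, int> runBuggy(bool destroyFirst) {
    Heap heap;
    BuggyCallbackObject* obj = new BuggyCallbackObject(heap);  // freed by finalizer 2
    (void)obj;
    heap.runFinalizers(destroyFirst);
    return {heap.safeCalls, heap.unsafeCalls};
}

std::pair<int, int> runFixed(bool destroyFirst) {
    Heap heap;
    FixedCallbackObject* obj = new FixedCallbackObject(heap);  // freed by its finalizer
    (void)obj;
    heap.runFinalizers(destroyFirst);
    return {heap.safeCalls, heap.unsafeCalls};
}

int main() {
    bool ok = runBuggy(false) == std::make_pair(1, 0)
           && runBuggy(true) == std::make_pair(0, 1)
           && runFixed(false) == std::make_pair(1, 0)
           && runFixed(true) == std::make_pair(1, 0);
    return ok ? 0 : 1;
}
```

With the pre-patch shape the outcome depends on which finalizer the collector happens to run first; with the destructor owning the class finalizers there is only one registration left and the ordering question disappears.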
2837
2838 2015-03-19  Andreas Kling  <akling@apple.com>
2839
2840         JSCallee unnecessarily overrides a bunch of things in the method table.
2841         <https://webkit.org/b/142855>
2842
2843         Reviewed by Geoffrey Garen.
2844
2845         Remove JSCallee method table overrides that simply call to base class.
2846         This makes JSFunction property slot lookups slightly more efficient since
2847         they can take the fast path when passing over JSCallee in the base class chain.
2848
2849         * runtime/JSCallee.cpp:
2850         (JSC::JSCallee::getOwnPropertySlot): Deleted.
2851         (JSC::JSCallee::getOwnNonIndexPropertyNames): Deleted.
2852         (JSC::JSCallee::put): Deleted.
2853         (JSC::JSCallee::deleteProperty): Deleted.
2854         (JSC::JSCallee::defineOwnProperty): Deleted.
2855         * runtime/JSCallee.h:
2856
2857 2015-03-19  Andreas Kling  <akling@apple.com>
2858
2859         DFGAllocator should use bmalloc's aligned allocator.
2860         <https://webkit.org/b/142871>
2861
2862         Reviewed by Geoffrey Garen.
2863
2864         Switch DFGAllocator to using bmalloc through fastAlignedMalloc().
2865
2866         * dfg/DFGAllocator.h:
2867         (JSC::DFG::Allocator<T>::allocateSlow):
2868         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
2869         * heap/CopiedSpace.h:
2870         * heap/MarkedBlock.h:
2871         * heap/MarkedSpace.h:
2872
2873 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
2874
2875         ES6 Classes: Extends should accept an expression without parenthesis
2876         https://bugs.webkit.org/show_bug.cgi?id=142840
2877
2878         Reviewed by Ryosuke Niwa.
2879
2880         * parser/Parser.cpp:
2881         (JSC::Parser<LexerType>::parseClass):
2882         "extends" allows a LeftHandExpression (new expression / call expression,
2883         which includes a member expression), not a primary expression. Our
2884         parseMemberExpression does all of these.
2885
2886 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
2887
2888         Web Inspector: Debugger Popovers and Probes should use FormattedValue/ObjectTreeView instead of Custom/ObjectPropertiesSection
2889         https://bugs.webkit.org/show_bug.cgi?id=142830
2890
2891         Reviewed by Timothy Hatcher.
2892
2893         * inspector/agents/InspectorDebuggerAgent.cpp:
2894         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2895         Give Probe Samples object previews.
2896
2897 2015-03-17  Ryuan Choi  <ryuan.choi@navercorp.com>
2898
2899         [EFL] Expose JavaScript binding interface through ewk_extension
2900         https://bugs.webkit.org/show_bug.cgi?id=142033
2901
2902         Reviewed by Gyuyoung Kim.
2903
2904         * PlatformEfl.cmake: Install Javascript APIs.
2905
2906 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
2907
2908         Function bodies should always include braces
2909         https://bugs.webkit.org/show_bug.cgi?id=142795
2910
2911         Reviewed by Michael Saboff.
2912
2913         Having a mode for excluding the opening and closing braces from a function
2914         body was unnecessary and confusing.
2915
2916         * bytecode/CodeBlock.cpp:
2917         (JSC::CodeBlock::CodeBlock): Adopt the new one true linking function.
2918
2919         * bytecode/UnlinkedCodeBlock.cpp:
2920         (JSC::generateFunctionCodeBlock):
2921         (JSC::UnlinkedFunctionExecutable::link):
2922         (JSC::UnlinkedFunctionExecutable::codeBlockFor): No need to pass through
2923         a boolean: there is only one kind of function now.
2924
2925         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Deleted.
2926         (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Deleted. Let's only
2927         have one way to do things. This removes the old mode that would pretend
2928         that a function always started at column 1. That pretense was not true:
2929         an attribute event listener does not necessarily start at column 1.
2930
2931         * bytecode/UnlinkedCodeBlock.h:
2932         * generate-js-builtins: Adopt the new one true linking function.
2933
2934         * parser/Parser.h:
2935         (JSC::Parser<LexerType>::parse):
2936         (JSC::parse): needsReparsingAdjustment is always true now, so I removed it.
2937
2938         * runtime/Executable.cpp:
2939         (JSC::ScriptExecutable::newCodeBlockFor):
2940         (JSC::FunctionExecutable::FunctionExecutable):
2941         (JSC::ProgramExecutable::initializeGlobalProperties):
2942         (JSC::FunctionExecutable::fromGlobalCode):
2943         * runtime/Executable.h:
2944         (JSC::FunctionExecutable::create):
2945         (JSC::FunctionExecutable::bodyIncludesBraces): Deleted. Removed unused stuff.
2946
2947         * runtime/FunctionConstructor.cpp:
2948         (JSC::constructFunctionSkippingEvalEnabledCheck): Always provide a
2949         leading space because that's what this function's comment says is required
2950         for web compatibility. We used to fake this up after the fact when
2951         stringifying, based on the bodyIncludesBraces flag, but that flag is gone now.
2952
2953         * runtime/FunctionPrototype.cpp:
2954         (JSC::insertSemicolonIfNeeded):
2955         (JSC::functionProtoFuncToString): No need to add braces and/or a space
2956         after the fact -- we always have them now.
2957
2958 2015-03-17  Mark Lam  <mark.lam@apple.com>
2959
2960         Refactor execution time limit tests out of testapi.c.
2961         <https://webkit.org/b/142798>
2962
2963         Rubber stamped by Michael Saboff.
2964
2965         These tests were sometimes failing to time out on C loop builds.  Let's
2966         refactor them out of the big monolith that is testapi.c so that we can
2967         reason more easily about them and make adjustments if needed.
2968
2969         * API/tests/ExecutionTimeLimitTest.cpp: Added.
2970         (currentCPUTime):
2971         (currentCPUTimeAsJSFunctionCallback):
2972         (shouldTerminateCallback):
2973         (cancelTerminateCallback):
2974         (extendTerminateCallback):
2975         (testExecutionTimeLimit):
2976         * API/tests/ExecutionTimeLimitTest.h: Added.
2977         * API/tests/testapi.c:
2978         (main):
2979         (currentCPUTime): Deleted.
2980         (currentCPUTime_callAsFunction): Deleted.
2981         (shouldTerminateCallback): Deleted.
2982         (cancelTerminateCallback): Deleted.
2983         (extendTerminateCallback): Deleted.
2984         * JavaScriptCore.xcodeproj/project.pbxproj:
2985
2986 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
2987
2988         Built-in functions should know that they use strict mode
2989         https://bugs.webkit.org/show_bug.cgi?id=142788
2990
2991         Reviewed by Mark Lam.
2992
2993         Even though all of our builtin functions use strict mode, the parser
2994         thinks that they don't. This is because Executable::toStrictness treats
2995         builtin-ness and strict-ness as mutually exclusive.
2996
2997         The fix is to disambiguate builtin-ness from strict-ness.
2998
2999         This bug is currently unobservable because of some other parser bugs. But
3000         it causes lots of test failures once those other bugs are fixed.
3001
3002         * API/JSScriptRef.cpp:
3003         (parseScript):
3004         * builtins/BuiltinExecutables.cpp:
3005         (JSC::BuiltinExecutables::createBuiltinExecutable): Adopt the new API
3006         for a separate value to indicate builtin-ness vs strict-ness.
3007
3008         * bytecode/UnlinkedCodeBlock.cpp:
3009         (JSC::generateFunctionCodeBlock):
3010         (JSC::UnlinkedFunctionExecutable::codeBlockFor): Ditto.
3011
3012         * bytecode/UnlinkedCodeBlock.h:
3013         (JSC::UnlinkedFunctionExecutable::toStrictness): Deleted. This function
3014         was misleading since it pretended that no builtin function was ever
3015         strict, which is the opposite of true.
3016
3017         * parser/Lexer.cpp:
3018         (JSC::Lexer<T>::Lexer):
3019         * parser/Lexer.h:
3020         * parser/Parser.cpp:
3021         (JSC::Parser<LexerType>::Parser):
3022         * parser/Parser.h:
3023         (JSC::parse): Adopt the new API.
3024
3025         * parser/ParserModes.h: Added JSParserBuiltinMode, and tried to give
3026         existing modes clearer names.
3027
3028         * runtime/CodeCache.cpp:
3029         (JSC::CodeCache::getGlobalCodeBlock):
3030         (JSC::CodeCache::getProgramCodeBlock):
3031         (JSC::CodeCache::getEvalCodeBlock):
3032         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Adopt the new API.
3033
3034         * runtime/CodeCache.h:
3035         (JSC::SourceCodeKey::SourceCodeKey): Be sure to treat strict-ness and
        builtin-ness as separate pieces of the code cache key. We would not want
3037         a user function to match a built-in function in the cache, even if they
3038         agreed about strictness, since builtin functions have different lexing
3039         rules.
3040
3041         * runtime/Completion.cpp:
3042         (JSC::checkSyntax):
3043         * runtime/Executable.cpp:
3044         (JSC::FunctionExecutable::FunctionExecutable):
3045         (JSC::ProgramExecutable::checkSyntax):
3046         * runtime/Executable.h:
3047         (JSC::FunctionExecutable::create):
3048         * runtime/JSGlobalObject.cpp:
3049         (JSC::JSGlobalObject::createProgramCodeBlock):
3050         (JSC::JSGlobalObject::createEvalCodeBlock): Adopt the new API.
3051
3052 2015-03-16  Filip Pizlo  <fpizlo@apple.com>
3053
3054         DFG IR shouldn't have a separate node for every kind of put hint that could be described using PromotedLocationDescriptor
3055         https://bugs.webkit.org/show_bug.cgi?id=142769
3056
3057         Reviewed by Michael Saboff.
3058         
3059         When we sink an object allocation, we need to have some way of tracking what stores would
3060         have happened had the allocation not been sunk, so that we know how to rematerialize the
3061         object on OSR exit. Prior to this change, trunk had two ways of describing such a "put
3062         hint":
3063         
        - The PutStructureHint and PutByOffsetHint node types.
3065         - The PromotedLocationDescriptor class, which has an enum with cases StructurePLoc and
3066           NamedPropertyPLoc.
3067         
3068         We also had ways of converting from a Node with those two node types to a
3069         PromotedLocationDescriptor, and we had a way of converting a PromotedLocationDescriptor to
3070         a Node.
3071         
3072         This change removes the redundancy. We now have just one node type that corresponds to a
3073         put hint, and it's called PutHint. It has a PromotedLocationDescriptor as metadata.
3074         Converting between a PutHint node and a PromotedLocationDescriptor and vice-versa is now
3075         trivial.
3076         
3077         This means that if we add new kinds of sunken objects, we'll have less pro-forma to write
3078         for the put hints to those objects. This is mainly to simplify the implementation of
3079         arguments elimination in bug 141174.
3080
3081         * dfg/DFGAbstractInterpreterInlines.h:
3082         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3083         * dfg/DFGClobberize.h:
3084         (JSC::DFG::clobberize):
3085         * dfg/DFGDoesGC.cpp:
3086         (JSC::DFG::doesGC):
3087         * dfg/DFGFixupPhase.cpp:
3088         (JSC::DFG::FixupPhase::fixupNode):
3089         * dfg/DFGGraph.cpp:
3090         (JSC::DFG::Graph::dump):
3091         (JSC::DFG::Graph::mergeRelevantToOSR):
3092         * dfg/DFGMayExit.cpp:
3093         (JSC::DFG::mayExit):
3094         * dfg/DFGNode.cpp:
3095         (JSC::DFG::Node::convertToPutHint):
3096         (JSC::DFG::Node::convertToPutStructureHint):
3097         (JSC::DFG::Node::convertToPutByOffsetHint):
3098         (JSC::DFG::Node::promotedLocationDescriptor):
3099         * dfg/DFGNode.h:
3100         (JSC::DFG::Node::hasIdentifier):
3101         (JSC::DFG::Node::hasPromotedLocationDescriptor):
3102         (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
3103         (JSC::DFG::Node::convertToPutStructureHint): Deleted.
3104         * dfg/DFGNodeType.h:
3105         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3106         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3107         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3108         (JSC::DFG::ObjectAllocationSinkingPhase::run):
3109         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
3110         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
3111         * dfg/DFGPredictionPropagationPhase.cpp:
3112         (JSC::DFG::PredictionPropagationPhase::propagate):
3113         * dfg/DFGPromoteHeapAccess.h:
3114         (JSC::DFG::promoteHeapAccess):
3115         * dfg/DFGPromotedHeapLocation.cpp:
3116         (JSC::DFG::PromotedHeapLocation::createHint):
3117         * dfg/DFGPromotedHeapLocation.h:
3118         (JSC::DFG::PromotedLocationDescriptor::imm1):
3119         (JSC::DFG::PromotedLocationDescriptor::imm2):
3120         * dfg/DFGSafeToExecute.h:
3121         (JSC::DFG::safeToExecute):
3122         * dfg/DFGSpeculativeJIT32_64.cpp:
3123         (JSC::DFG::SpeculativeJIT::compile):
3124         * dfg/DFGSpeculativeJIT64.cpp:
3125         (JSC::DFG::SpeculativeJIT::compile):
3126         * dfg/DFGValidate.cpp:
3127         (JSC::DFG::Validate::validateCPS):
3128         * ftl/FTLCapabilities.cpp:
3129         (JSC::FTL::canCompile):
3130         * ftl/FTLLowerDFGToLLVM.cpp:
3131         (JSC::FTL::LowerDFGToLLVM::compileNode):
3132
3133 2015-03-17  Michael Saboff  <msaboff@apple.com>
3134
3135         Windows X86-64 should use the fixed executable allocator
3136         https://bugs.webkit.org/show_bug.cgi?id=142749
3137
3138         Reviewed by Filip Pizlo.
3139
3140         Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build.
3141
3142         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3143         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3144         * jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows.
3145
3146 2015-03-17  Matt Baker  <mattbaker@apple.com>
3147
3148         Web Inspector: Show rendering frames (and FPS) in Layout and Rendering timeline
3149         https://bugs.webkit.org/show_bug.cgi?id=142029
3150
3151         Reviewed by Timothy Hatcher.
3152
3153         * inspector/protocol/Timeline.json:
3154         Added new event type for runloop timeline records.
3155
3156 2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>
3157
3158         Enable ES6 classes by default
3159         https://bugs.webkit.org/show_bug.cgi?id=142774
3160
3161         Reviewed by Gavin Barraclough.
3162
3163         Enabled the feature and unskipped tests.
3164
3165         * Configurations/FeatureDefines.xcconfig:
3166         * tests/stress/class-syntax-no-loop-tdz.js:
3167         * tests/stress/class-syntax-no-tdz-in-catch.js:
3168         * tests/stress/class-syntax-no-tdz-in-conditional.js:
3169         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
3170         * tests/stress/class-syntax-no-tdz-in-loop.js:
3171         * tests/stress/class-syntax-no-tdz.js:
3172         * tests/stress/class-syntax-tdz-in-catch.js:
3173         * tests/stress/class-syntax-tdz-in-conditional.js:
3174         * tests/stress/class-syntax-tdz-in-loop.js:
3175         * tests/stress/class-syntax-tdz.js:
3176
3177 2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>
3178
3179         Web Inspector: Better Console Previews for Arrays / Small Objects
3180         https://bugs.webkit.org/show_bug.cgi?id=142322
3181
3182         Reviewed by Timothy Hatcher.
3183
3184         * inspector/InjectedScriptSource.js:
3185         Create deep valuePreviews for simple previewable objects,
3186         such as arrays with 5 values, or basic objects with
3187         3 properties.
3188
3189 2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>
3190
3191         Add support for default constructor
3192         https://bugs.webkit.org/show_bug.cgi?id=142388
3193
3194         Reviewed by Filip Pizlo.
3195
3196         Added the support for default constructors. They're generated by ClassExprNode::emitBytecode
3197         via BuiltinExecutables::createDefaultConstructor.
3198
3199         UnlinkedFunctionExecutable now has the ability to override SourceCode provided by the owner
        executable. We can't store SourceCode in UnlinkedFunctionExecutable since CodeCache can use
3201         the same UnlinkedFunctionExecutable to generate code blocks for multiple functions.
3202
3203         Parser now has the ability to treat any function expression as a constructor of the kind specified
3204         by m_defaultConstructorKind member variable.
3205
3206         * builtins/BuiltinExecutables.cpp:
3207         (JSC::BuiltinExecutables::createDefaultConstructor): Added.
3208         (JSC::BuiltinExecutables::createExecutableInternal): Generalized from createBuiltinExecutable.
3209         Parse default constructors as normal non-builtin functions. Override SourceCode in the unlinked
3210         function executable since the Miranda function's code is definitely not in the owner executable's
3211         source code. That's the whole point.
3212         * builtins/BuiltinExecutables.h:
3213         (UnlinkedFunctionExecutable::createBuiltinExecutable): Added. Wraps createExecutableInternal.
3214         * bytecode/UnlinkedCodeBlock.cpp:
3215         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3216         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable):
3217         (JSC::UnlinkedFunctionExecutable::linkGlobalCode):
3218         * bytecode/UnlinkedCodeBlock.h:
3219         (JSC::UnlinkedFunctionExecutable::create):
3220         (JSC::UnlinkedFunctionExecutable::symbolTable): Deleted.
3221         * bytecompiler/BytecodeGenerator.cpp:
3222         (JSC::BytecodeGenerator::emitNewDefaultConstructor): Added.
3223         * bytecompiler/BytecodeGenerator.h:
3224         * bytecompiler/NodesCodegen.cpp:
3225         (JSC::ClassExprNode::emitBytecode): Generate the default constructor if needed.
3226         * parser/Parser.cpp:
3227         (JSC::Parser<LexerType>::Parser):
3228         (JSC::Parser<LexerType>::parseFunctionInfo): Override ownerClassKind and assume the function as
3229         a constructor if we're parsing a default constructor.
3230         (JSC::Parser<LexerType>::parseClass): Allow omission of the class constructor.
3231         * parser/Parser.h:
3232         (JSC::parse):
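
The contract the synthesized constructors above have to satisfy, shown as an added JavaScript example that is not WebKit code: a base class without a constructor behaves as `constructor() {}`, and a derived class without one behaves as `constructor(...args) { super(...args); }` (the class names are constructed for this example).

```javascript
// Added example (not WebKit code): observable behaviour of ES2015 default constructors,
// compared against hand-written equivalents. Class names are constructed for this example.
class Base {
  constructor(...args) {
    this.received = args;          // whatever the derived constructor forwarded
    this.target = new.target.name; // new.target must survive the implicit super() call
  }
}
class DerivedImplicit extends Base {}             // engine synthesises constructor(...args) { super(...args); }
class DerivedExplicit extends Base {
  constructor(...args) { super(...args); }        // the hand-written equivalent
}
class BaseImplicit {}                              // engine synthesises constructor() {}

function defaultConstructorCheck() {
  const a = new DerivedImplicit(1, 2, 3);
  const b = new DerivedExplicit(1, 2, 3);
  const c = new BaseImplicit();
  let notCallable = false;
  try {
    DerivedImplicit();                             // class constructors throw when called without new
  } catch (e) {
    notCallable = e instanceof TypeError;
  }
  return {
    sameArgs: JSON.stringify(a.received) === JSON.stringify(b.received), // true
    argsForwarded: a.received.length,                                    // 3
    newTargetPreserved: a.target,                                        // 'DerivedImplicit'
    hasOwnConstructor: Object.prototype.hasOwnProperty.call(DerivedImplicit.prototype, 'constructor'), // true
    baseCtorIdentity: Object.getPrototypeOf(c).constructor === BaseImplicit, // true
    notCallable,                                                         // true
  };
}
```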
3233
3234 2015-03-16  Alex Christensen  <achristensen@webkit.org>
3235
3236         Progress towards CMake on Mac
3237         https://bugs.webkit.org/show_bug.cgi?id=142747
3238
3239         Reviewed by Chris Dumez.
3240
3241         * CMakeLists.txt:
3242         Include AugmentableInspectorController.h in CMake build.
3243
3244 2015-03-16  Csaba Osztrogonác  <ossy@webkit.org>
3245
3246         [ARM] Enable generating idiv instructions if it is supported
3247         https://bugs.webkit.org/show_bug.cgi?id=142725
3248
3249         Reviewed by Michael Saboff.
3250
3251         * assembler/ARMAssembler.h: Added sdiv and udiv implementation for ARM Traditional instruction set.
3252         (JSC::ARMAssembler::sdiv):
3253         (JSC::ARMAssembler::udiv):
3254         * assembler/ARMv7Assembler.h: Use HAVE(ARM_IDIV_INSTRUCTIONS) instead of CPU(APPLE_ARMV7S).
3255         * assembler/AbstractMacroAssembler.h:
3256         (JSC::isARMv7IDIVSupported):
3257         (JSC::optimizeForARMv7IDIVSupported):
3258         (JSC::isARMv7s): Renamed to isARMv7IDIVSupported().
3259         (JSC::optimizeForARMv7s): Renamed to optimizeForARMv7IDIVSupported().
3260         * dfg/DFGFixupPhase.cpp:
3261         (JSC::DFG::FixupPhase::fixupNode):
3262         * dfg/DFGSpeculativeJIT.cpp:
3263         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3264         (JSC::DFG::SpeculativeJIT::compileArithMod):
3265
3266 2015-03-15  Filip Pizlo  <fpizlo@apple.com>
3267
3268         DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source, and emit GetStacks when the stack's value is needed and none is deferred
3269         https://bugs.webkit.org/show_bug.cgi?id=141624
3270
3271         Reviewed by Geoffrey Garen.
3272
3273         Not eliminating GetStacks was an obvious omission from the original PutStackSinkingPhase.
3274         Previously, we would treat GetStacks conservatively and assume that the stack slot
3275         escaped. That's pretty dumb, since a GetStack is a local load of the stack. This change
3276         makes GetStack a no-op from the standpoint of this phase's deferral analysis. At the end
3277         we either keep the GetStack (if there was no concrete deferral) or we replace it with an
3278         identity over the value that would have been stored by the deferred PutStack. Note that
3279         this might be a Phi that the phase creates, so this is strictly stronger than what GCSE
3280         could do.
3281         
3282         But this change revealed the fact that this phase never correctly handled side effects in
3283         case that we had done a GetStack, then a side-effect, and then found ourselves wanting the
3284         value on the stack due to (for example) a Phi on a deferred PutStack and that GetStack.
3285         Basically, it's only correct to use the SSA converter's incoming value mapping if we have
3286         a concrete deferral - since anything but a concrete deferral may imply that the value has
3287         been clobbered.
3288         
3289         This has no performance change. I believe that the bug was previously benign because we
3290         have so few operations that clobber the stack anymore, and most of those get used in a
3291         very idiomatic way. The GetStack elimination will be very useful for the varargs
3292         simplification that is part of bug 141174.
3293         
3294         This includes a test for the case that Speedometer hit, plus tests for the other cases I
3295         thought of once I realized the deeper issue.
3296
3297         * dfg/DFGPutStackSinkingPhase.cpp:
3298         * tests/stress/get-stack-identity-due-to-sinking.js: Added.
3299         (foo):
3300         (bar):
3301         * tests/stress/get-stack-mapping-with-dead-get-stack.js: Added.
3302         (bar):
3303         (foo):
3304         * tests/stress/get-stack-mapping.js: Added.
3305         (bar):
3306         (foo):
3307         * tests/stress/weird-put-stack-varargs.js: Added.
3308         (baz):
3309         (foo):
3310         (fuzz):
3311         (bar):
3312
3313 2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>
3314
3315         Update Map/Set to treat -0 and 0 as the same value
3316         https://bugs.webkit.org/show_bug.cgi?id=142709
3317
3318         Reviewed by Csaba Osztrogonác.
3319
3320         * runtime/MapData.h:
3321         (JSC::MapDataImpl<Entry>::KeyType::KeyType):
3322         No longer special case -0. It will be treated as the same as 0.
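
The key comparison the change above implements is SameValueZero, shown here as an added JavaScript example that is not WebKit code: a reference `sameValueZero` next to `===` and `Object.is`, and a check that a live Map collapses `-0` and `0` into one entry keyed by `+0`.

```javascript
// Added example (not WebKit code): SameValueZero, the comparison Map and Set use for keys,
// alongside === and Object.is, and the observable effect on a Map and a Set.
function sameValueZero(x, y) {
  if (typeof x === 'number' && typeof y === 'number') {
    if (Number.isNaN(x) && Number.isNaN(y)) return true; // NaN matches NaN, unlike ===
    return x === y;                                      // -0 === 0 is true, so zeros collapse
  }
  return x === y;
}

function compareZeroSemantics() {
  return {
    strictEq: -0 === 0,                   // true
    objectIs: Object.is(-0, 0),           // false: Object.is distinguishes the zeros
    sameValueZero: sameValueZero(-0, 0),  // true
    nanStrict: NaN === NaN,               // false
    nanSameValueZero: sameValueZero(NaN, NaN), // true
  };
}

function mapZeroBehaviour() {
  const m = new Map();
  m.set(-0, 'set with -0');
  m.set(0, 'set with +0');                 // same key: overwrites, size stays 1
  const s = new Set([-0, 0, NaN, NaN]);   // collapses to {0, NaN}
  return {
    mapSize: m.size,                                      // 1
    valueForZero: m.get(0),                               // 'set with +0'
    hasNegZero: m.has(-0),                                // true
    storedKeyIsPositive: Object.is([...m.keys()][0], 0),  // true: key normalised to +0
    setSize: s.size,                                      // 2
  };
}
```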
3323
3324 2015-03-15  Joseph Pecoraro  <pecoraro@apple.com>
3325
3326         Web Inspector: Better handle displaying -0
3327         https://bugs.webkit.org/show_bug.cgi?id=142708
3328
3329         Reviewed by Timothy Hatcher.