WebKit-https.git, commit 112aef740d3feaaf318da88dee945f8e027f6f20: Source/JavaScriptCore/ChangeLog

2015-07-06  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        [Streams API] Remove ReadableStream custom constructor
        https://bugs.webkit.org/show_bug.cgi?id=146547

        Reviewed by Darin Adler.

        Adding a helper function to throw range errors.

        * runtime/Error.h:
        (JSC::throwRangeError):
        (JSC::throwVMRangeError):

2015-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement the latest Promise spec in JS
        https://bugs.webkit.org/show_bug.cgi?id=146229

        Reviewed by Sam Weinig.

        Updated the Promise implementation to meet the ES6 spec.
        This patch
        1. Implements ES6 Promise and related abstract operations in builtins JS
        2. Exposes the @enqueueJob private function to the JS world to post the microtask

        The updated implementation has a one-to-one correspondence to the ES6 spec description.
        JSPromiseDeferred is kept because it is the interface used from WebCore.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Array.prototype.js:
        (reduce):
        (reduceRight):
        (every):
        (forEach):
        (filter):
        (map):
        (some):
        (fill):
        (find):
        (findIndex):
        (includes):
        (copyWithin):
        ToInteger / ToLength are renamed to toInteger and toLength.
        * builtins/ArrayConstructor.js:
        (from):
        ToInteger / ToLength are renamed to toInteger and toLength.
        * builtins/GlobalObject.js:
        (toInteger):
        (toLength):
        (isObject):
        (ToInteger): Deleted.
        (ToLength): Deleted.
        ToInteger / ToLength are renamed to toInteger and toLength.
        Add new abstract operation, isObject.
        * builtins/Operations.Promise.js: Added.
        (isPromise):
        (newPromiseReaction):
        (newPromiseDeferred):
        (newPromiseCapability.executor):
        (newPromiseCapability):
        (triggerPromiseReactions):
        (rejectPromise):
        (fulfillPromise):
        (createResolvingFunctions.resolve):
        (createResolvingFunctions.reject):
        (createResolvingFunctions):
        (promiseReactionJob):
        (promiseResolveThenableJob):
        (initializePromise):
        Added Promise related abstract operations.
        * builtins/Promise.prototype.js:
        (catch):
        (.onFulfilled):
        (.onRejected):
        (then):
        Promise#then implementation in JS.
        * builtins/PromiseConstructor.js: Added.
        (all.newResolveElement):
        (all):
        (race):
        (reject):
        (resolve):
        Promise static functions implementations in JS.
        * builtins/StringConstructor.js:
        (raw):
        ToInteger / ToLength are renamed to toInteger and toLength.
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::enqueueJob):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::initializePromiseFunction):
        (JSC::JSGlobalObject::newPromiseDeferredFunction):
        * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h.
        (JSC::createJSJob):
        (JSC::JSJobMicrotask::run):
        * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h.
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::create):
        (JSC::JSPromise::JSPromise):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::result):
        (JSC::JSPromise::destroy): Deleted.
        (JSC::JSPromise::visitChildren): Deleted.
        (JSC::JSPromise::reject): Deleted.
        (JSC::JSPromise::resolve): Deleted.
        (JSC::JSPromise::appendResolveReaction): Deleted.
        (JSC::JSPromise::appendRejectReaction): Deleted.
        (JSC::triggerPromiseReactions): Deleted.
        * runtime/JSPromise.h:
        (JSC::JSPromise::status): Deleted.
        (JSC::JSPromise::result): Deleted.
        (JSC::JSPromise::constructor): Deleted.
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::JSPromiseConstructorFuncResolve): Deleted.
        (JSC::JSPromiseConstructorFuncReject): Deleted.
        (JSC::performPromiseRaceLoop): Deleted.
        (JSC::JSPromiseConstructorFuncRace): Deleted.
        (JSC::performPromiseAll): Deleted.
        (JSC::JSPromiseConstructorFuncAll): Deleted.
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::create):
        (JSC::createJSPromiseDeferredFromConstructor): Deleted.
        (JSC::updateDeferredFromPotentialThenable): Deleted.
        (JSC::performDeferredResolve): Deleted.
        (JSC::performDeferredReject): Deleted.
        (JSC::abruptRejection): Deleted.
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseFunctions.cpp: Removed.
        (JSC::deferredConstructionFunction): Deleted.
        (JSC::createDeferredConstructionFunction): Deleted.
        (JSC::identifyFunction): Deleted.
        (JSC::createIdentifyFunction): Deleted.
        (JSC::promiseAllCountdownFunction): Deleted.
        (JSC::createPromiseAllCountdownFunction): Deleted.
        (JSC::promiseResolutionHandlerFunction): Deleted.
        (JSC::createPromiseResolutionHandlerFunction): Deleted.
        (JSC::rejectPromiseFunction): Deleted.
        (JSC::createRejectPromiseFunction): Deleted.
        (JSC::resolvePromiseFunction): Deleted.
        (JSC::createResolvePromiseFunction): Deleted.
        (JSC::throwerFunction): Deleted.
        (JSC::createThrowerFunction): Deleted.
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototypeFuncThen): Deleted.
        * runtime/JSPromiseReaction.cpp: Removed.
        (JSC::createExecutePromiseReactionMicrotask): Deleted.
        (JSC::ExecutePromiseReactionMicrotask::run): Deleted.
        (JSC::JSPromiseReaction::create): Deleted.
        (JSC::JSPromiseReaction::JSPromiseReaction): Deleted.
        (JSC::JSPromiseReaction::finishCreation): Deleted.
        (JSC::JSPromiseReaction::visitChildren): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        * runtime/VM.h:

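The abstract operations listed in the entry above (createResolvingFunctions, fulfillPromise, rejectPromise, triggerPromiseReactions, promiseReactionJob, promiseResolveThenableJob, newPromiseCapability) are easiest to follow with the job queue made explicit. The block below is an added example written for this page, not the contents of builtins/Operations.Promise.js; it stands in for @enqueueJob with a plain array and a runJobs() drain, and the MiniPromise class, the demo functions and their thenable inputs are constructed for illustration. The points a reviewer of such code cares about are visible here: the shared alreadyResolved flag makes the first resolve/reject win, the read of `then` is wrapped because it can run attacker-controlled getter code, and thenables are always adopted in a separate job.

```javascript
// Added example, not JSC's builtins: the ES6 Promise abstract operations named above,
// over an explicit job queue that stands in for the @enqueueJob microtask hook.
const jobQueue = [];
function enqueueJob(job) { jobQueue.push(job); }
function runJobs() { while (jobQueue.length > 0) jobQueue.shift()(); }
function isObject(v) { return v !== null && (typeof v === 'object' || typeof v === 'function'); }

// resolve/reject share one alreadyResolved flag: the first call wins and later calls,
// including any made by a hostile thenable, are ignored.
function createResolvingFunctions(promise) {
  let alreadyResolved = false;
  const resolve = (resolution) => {
    if (alreadyResolved) return;
    alreadyResolved = true;
    if (resolution === promise) return rejectPromise(promise, new TypeError('self resolution'));
    if (!isObject(resolution)) return fulfillPromise(promise, resolution);
    let then;
    try { then = resolution.then; }                    // Get(resolution, "then") may run a getter
    catch (e) { return rejectPromise(promise, e); }
    if (typeof then !== 'function') return fulfillPromise(promise, resolution);
    enqueueJob(() => promiseResolveThenableJob(promise, resolution, then));  // never synchronous
  };
  const reject = (reason) => {
    if (alreadyResolved) return;
    alreadyResolved = true;
    rejectPromise(promise, reason);
  };
  return { resolve, reject };
}

function settle(promise, state, result, reactions) {
  promise.state = state;
  promise.result = result;
  promise.fulfillReactions = promise.rejectReactions = undefined;  // a settled promise keeps no reactions
  triggerPromiseReactions(reactions, result);
}
function fulfillPromise(promise, value) { settle(promise, 'fulfilled', value, promise.fulfillReactions); }
function rejectPromise(promise, reason) { settle(promise, 'rejected', reason, promise.rejectReactions); }
function triggerPromiseReactions(reactions, argument) {
  for (const reaction of reactions) enqueueJob(() => promiseReactionJob(reaction, argument));
}

// A reaction job runs one handler and feeds its result (or exception) into the derived promise.
function promiseReactionJob({ capability, handler }, argument) {
  let value;
  try { value = handler(argument); } catch (e) { return capability.reject(e); }
  capability.resolve(value);
}
function promiseResolveThenableJob(promise, thenable, then) {
  const { resolve, reject } = createResolvingFunctions(promise);
  try { then.call(thenable, resolve, reject); } catch (e) { reject(e); }
}

class MiniPromise {
  constructor(executor) {
    this.state = 'pending'; this.result = undefined;
    this.fulfillReactions = []; this.rejectReactions = [];
    const { resolve, reject } = createResolvingFunctions(this);
    try { executor(resolve, reject); } catch (e) { reject(e); }
  }
  then(onFulfilled, onRejected) {
    const capability = newPromiseCapability();
    const onFulfill = { capability, handler: typeof onFulfilled === 'function' ? onFulfilled : (v) => v };
    const onReject = { capability, handler: typeof onRejected === 'function' ? onRejected : (r) => { throw r; } };
    if (this.state === 'pending') {
      this.fulfillReactions.push(onFulfill);
      this.rejectReactions.push(onReject);
    } else {
      enqueueJob(() => promiseReactionJob(this.state === 'fulfilled' ? onFulfill : onReject, this.result));
    }
    return capability.promise;
  }
}
function newPromiseCapability() {
  const capability = {};
  capability.promise = new MiniPromise((resolve, reject) => { capability.resolve = resolve; capability.reject = reject; });
  return capability;
}

// Constructed scenario: a thenable is adopted through a job, a second resolve() is ignored,
// and handlers run in queue order only after the constructor has returned.
function demoResolutionOrder() {
  const log = [];
  const p = new MiniPromise((resolve) => {
    resolve({ then(res) { log.push('thenable.then'); res(42); } });
    resolve(7);                                    // alreadyResolved: no effect
  });
  log.push('after constructor: ' + p.state);
  p.then((v) => { log.push('got ' + v); return v + 1; })
   .then((v) => { log.push('chained ' + v); });
  runJobs();
  return { log, state: p.state, result: p.result };
}
// Constructed scenario: a "then" getter that throws rejects the promise instead of propagating.
function demoPoisonedThenable() {
  const p = new MiniPromise((resolve) => resolve({ get then() { throw new Error('poisoned'); } }));
  runJobs();
  return { state: p.state, message: p.result.message };
}
```

demoResolutionOrder() returns the log in the order after constructor: pending, thenable.then, got 42, chained 43, which is the ordering the spec mandates and the reason the builtins need a microtask hook rather than running handlers inline; demoPoisonedThenable() ends in the rejected state with the getter's error as its result.
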
2015-07-04  Chris Dumez  <cdumez@apple.com>

        Drop RefPtr::clear() method
        https://bugs.webkit.org/show_bug.cgi?id=146556

        Reviewed by Brady Eidson.

        Drop RefPtr::clear() method in favor of "= nullptr;" pattern.

2015-07-03  Dan Bernstein  <mitz@apple.com>

        Just give up on -Wunreachable-code in JavaScriptCore.

        * Configurations/Base.xcconfig:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):

2015-07-03  Dan Bernstein  <mitz@apple.com>

        Fixed the LLINT CLoop build.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):

2015-07-03  Dan Bernstein  <mitz@apple.com>

        [Xcode] Update some build settings as recommended by Xcode 7
        https://bugs.webkit.org/show_bug.cgi?id=146597

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
        GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.

        * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.

        * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings.

2015-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Relax builtin JS restriction about try-catch
        https://bugs.webkit.org/show_bug.cgi?id=146555

        Reviewed by Sam Weinig.

        When retrieving the captured variables from the fully activated scope,
        it swapped the given vector with the stored declared variables vector.
        This is because retrieving the captured variables is executed in the
        last phase of the parser, so declared variables are no longer used.
        However, in the builtin functions case, after retrieving the captured
        variables, we check the variables by using the declared variables vector.
        So at that time, the declared variables vector becomes empty and it
        raises assertion failures when the builtin function contains a fully
        activated scope. try-catch's catch scope requires the enclosing scope to be
        fully activated, so JS code in the builtins cannot use try-catch.

        This patch relaxes this restriction. When retrieving the captured
        variables from the scope, just copy to the given vector.

        * parser/Parser.h:
        (JSC::Scope::getCapturedVariables):

2015-07-02  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should have an OSR exit fuzzer
        https://bugs.webkit.org/show_bug.cgi?id=146562

        Reviewed by Benjamin Poulain.

        Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I
        spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how
        to harness this after I land it.

        Since it's turned off by default, it should have no effect on behavior.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSRExitFuzz.cpp: Added.
        (JSC::numberOfOSRExitFuzzChecks):
        * dfg/DFGOSRExitFuzz.h: Added.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
        (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.h:

2015-07-02  Saam barati  <saambarati1@gmail.com>

        Rename "Deconstruction" to "Destructuring" throughout JSC
        https://bugs.webkit.org/show_bug.cgi?id=146100

        Reviewed by Mark Lam.

        It is good to use the same naming conventions as the ES6
        spec because it is the de facto way of speaking about these
        language features. This also has the benefit of improving JSC's
        hackability because it improves code readability for newcomers
        to JSC or newcomers to this part of the code base.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeNextParameter):
        (JSC::BytecodeGenerator::visibleNameForParameter):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::registerFor):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::tryGetBoundLocal):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::DestructuringAssignmentNode::emitBytecode):
        (JSC::DestructuringPatternNode::~DestructuringPatternNode):
        (JSC::ArrayPatternNode::collectBoundIdentifiers):
        (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted.
        (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createElementList):
        (JSC::ASTBuilder::createFormalParameterList):
        (JSC::ASTBuilder::createClause):
        (JSC::ASTBuilder::createClauseList):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::createForOfLoop):
        (JSC::ASTBuilder::isBindingNode):
        (JSC::ASTBuilder::isResolve):
        (JSC::ASTBuilder::createDestructuringAssignment):
        (JSC::ASTBuilder::createArrayPattern):
        (JSC::ASTBuilder::appendArrayPatternSkipEntry):
        (JSC::ASTBuilder::appendArrayPatternEntry):
        (JSC::ASTBuilder::appendArrayPatternRestEntry):
        (JSC::ASTBuilder::createObjectPattern):
        (JSC::ASTBuilder::appendObjectPatternEntry):
        (JSC::ASTBuilder::createDeconstructingAssignment): Deleted.
        * parser/NodeConstructors.h:
        (JSC::TryNode::TryNode):
        (JSC::ParameterNode::ParameterNode):
        (JSC::ForOfNode::ForOfNode):
        (JSC::DestructuringPatternNode::DestructuringPatternNode):
        (JSC::ArrayPatternNode::ArrayPatternNode):
        (JSC::ArrayPatternNode::create):
        (JSC::ObjectPatternNode::ObjectPatternNode):
        (JSC::BindingNode::create):
        (JSC::BindingNode::BindingNode):
        (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
        (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted.
        (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted.
        * parser/Nodes.cpp:
        (JSC::FunctionParameters::create):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isResolveNode):
        (JSC::ExpressionNode::isBracketAccessorNode):
        (JSC::ExpressionNode::isDotAccessorNode):
        (JSC::ExpressionNode::isDestructuringNode):
        (JSC::ExpressionNode::isFuncExprNode):
        (JSC::ExpressionNode::isCommaNode):
        (JSC::ExpressionNode::isSimpleArray):
        (JSC::ParameterNode::pattern):
        (JSC::ParameterNode::nextParam):
        (JSC::FunctionParameters::size):
        (JSC::FunctionParameters::at):
        (JSC::FunctionParameters::patterns):
        (JSC::DestructuringPatternNode::isBindingNode):
        (JSC::DestructuringPatternNode::emitDirectBinding):
        (JSC::ArrayPatternNode::appendIndex):
        (JSC::ObjectPatternNode::appendEntry):
        (JSC::BindingNode::boundProperty):
        (JSC::DestructuringAssignmentNode::bindings):
        (JSC::ExpressionNode::isDeconstructionNode): Deleted.
        (JSC::DeconstructionPatternNode::isBindingNode): Deleted.
        (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted.
        (JSC::DeconstructingAssignmentNode::bindings): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::tryParseDeconstructionPatternExpression): Deleted.
        (JSC::Parser<LexerType>::parseDeconstructionPattern): Deleted.
        (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern): Deleted.
        * parser/Parser.h:
        (JSC::isEvalNode):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createPropertyList):
        (JSC::SyntaxChecker::createElementList):
        (JSC::SyntaxChecker::createFormalParameterList):
        (JSC::SyntaxChecker::createClause):
        (JSC::SyntaxChecker::createClauseList):
        (JSC::SyntaxChecker::operatorStackPop):
        * tests/stress/reserved-word-with-escape.js:
        * tests/stress/rest-elements.js:

2015-07-02  Mark Lam  <mark.lam@apple.com>

        Build fix for Win EWS bot.
        https://bugs.webkit.org/show_bug.cgi?id=146551

        Not reviewed.

        * tools/JSDollarVMPrototype.cpp:
        (JSC::functionCrash):

2015-07-02  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/21429613> [iOS] Stop making symlinks from PrivateFrameworks to Frameworks
        https://bugs.webkit.org/show_bug.cgi?id=146542

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink.

2015-07-01  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes
        https://bugs.webkit.org/show_bug.cgi?id=146536

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Timeline.json:
        Change a CPUProfile from sending a required "calls" param to sending a required
        "callInfo" param which includes aggregated information about the calls.

2015-06-30  Filip Pizlo  <fpizlo@apple.com>

        DFG::freezeFragile should register the frozen value's structure
        https://bugs.webkit.org/show_bug.cgi?id=136055
        rdar://problem/21042120

        Reviewed by Mark Lam and Geoffrey Garen.

        This fixes weird concurrency bugs where the constant folding phase tries to convert
        something to a constant but then crashes because the constant's structure wasn't
        registered. The AI was registering the structure of any value it saw, but constant folding
        wasn't - and that's fine so long as there ain't no concurrency.

        The best fix is to just make it impossible to introduce a constant into the IR without
        registering its structure. That's what this change does. This is not only a great
        concurrency fix - it also makes the compiler somewhat easier to hack on because it's one
        less case of structure registering that you have to remember about.

        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::setOSREntryValue): No need to register.
        (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::freezeFragile): Register the structure.
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered.

2015-07-01  Matthew Mirman  <mmirman@apple.com>

        Unreviewed, rolling out r185889
        https://bugs.webkit.org/show_bug.cgi?id=146528
        rdar://problem/21573959

        Patch breaks chromeexperiments.com

        Reverted changeset:

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/InjectedScriptSource.js:
        (.):
        * runtime/JSBoundSlotBaseFunction.cpp: Removed.
        * runtime/JSBoundSlotBaseFunction.h: Removed.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Deleted.
        (JSC::JSGlobalObject::visitChildren): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        * runtime/VM.h:

2015-07-01  Dean Jackson  <dino@apple.com>

        Disable the experimental WebGL2 implementation
        https://bugs.webkit.org/show_bug.cgi?id=146526
        <rdar://problem/21641235>

        Reviewed by Myles Maxfield.

        Add (and disable) an ENABLE_WEBGL2 flag.

        * Configurations/FeatureDefines.xcconfig:

2015-07-01  Matthew Daiter  <mdaiter@apple.com>

        Enable MEDIA_STREAM flag
        https://bugs.webkit.org/show_bug.cgi?id=145947
        <rdar://problem/21365829>

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag

2015-06-30  Andy VanWagoner  <thetalecrafter@gmail.com>

        Implement ECMAScript Internationalization API
        https://bugs.webkit.org/show_bug.cgi?id=90906

        Reviewed by Benjamin Poulain.

        * CMakeLists.txt: add IntlObject.cpp
        * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject
        * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject
        * runtime/CommonIdentifiers.h: add "Intl" name
        * runtime/IntlObject.cpp: Added.
        (JSC::IntlObject::IntlObject):
        (JSC::IntlObject::create):
        (JSC::IntlObject::finishCreation):
        (JSC::IntlObject::createStructure):
        * runtime/IntlObject.h: Added.
        * runtime/JSGlobalObject.cpp: Add global Intl
        (JSC::JSGlobalObject::init):

2015-06-30  Basile Clement  <basile_clement@apple.com>

        Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes
        https://bugs.webkit.org/show_bug.cgi?id=146431

        Reviewed by Filip Pizlo.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::isFunctionAllocation):
        (JSC::DFG::Node::isPhantomFunctionAllocation):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
        * dfg/DFGPromoteHeapAccess.h:
        (JSC::DFG::promoteHeapAccess):

2015-06-30  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing
        https://bugs.webkit.org/show_bug.cgi?id=146168

        Reviewed by Brian Burg.

        * inspector/protocol/Timeline.json:
        New timeline record type for compositing events.

2015-06-29  Dean Jackson  <dino@apple.com>

        Temporarily disable PICTURE_SIZES
        https://bugs.webkit.org/show_bug.cgi?id=146435
        <rdar://problem/21087013>

        Reviewed by Tim Horton.

        Temporarily disable PICTURE_SIZES because it causes problems with out-of-date
        <picture> polyfills.

        * Configurations/FeatureDefines.xcconfig:

2015-06-29  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue
        https://bugs.webkit.org/show_bug.cgi?id=146403

        Reviewed by Darin Adler.

        * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue.

2015-06-28  Aleksandr Skachkov  <gskachkov@gmail.com>

        [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and =>
        https://bugs.webkit.org/show_bug.cgi?id=146394

        Reviewed by Yusuke Suzuki.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):

2015-06-27  Darin Adler  <darin@apple.com>

        Make converting JSString to StringView idiomatically safe
        https://bugs.webkit.org/show_bug.cgi?id=146387

        Reviewed by Anders Carlsson.

        * jsc.cpp:
        (functionPrint): Add explicit call to SafeView::get, needed since there
        is no StringView temporary.
        (functionDebug): Ditto.

        * runtime/ArrayPrototype.cpp:
        (JSC::holesMustForwardToPrototype): Refactored into helper function.
        (JSC::join): Refactored so that StringView is a function argument, making
        the lifetime simpler.
        (JSC::arrayProtoFuncJoin): Ditto.
        (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode): Add explicit call to SafeView::get.

        * runtime/JSString.h: Moved declarations of functions to the top of the
        file instead of mixing them in with the function definitions. Changed
        return type of the view function to return a JSString::SafeView so that
        the JSString's lifetime will last as long as the StringView does in
        typical coding idioms.
        (JSC::JSString::getIndex): Use unsafeView so we can index into the
        view; could also have used view.get but here in this class this seems fine.
        (JSC::JSRopeString::unsafeView): Renamed existing view function to this.
        (JSC::JSString::unsafeView): Ditto.
        (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState
        and a JSString. The ExecState is needed to create the StringView, and the
        JSString needs to be kept alive as long as the StringView is.
        (JSC::JSString::SafeView::operator StringView): Call unsafeView.
        (JSC::JSString::SafeView::get): Convenience for when we want to call
        StringView member functions.
        (JSC::JSString::view): Added. Returns a SafeView.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get.

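The holesMustForwardToPrototype helper named in the ArrayPrototype.cpp notes above guards a real observable behaviour: a hole in an array is only "empty" if nothing on the prototype chain owns that index, because Array.prototype.join and reverse read elements with an ordinary Get that walks the chain. The block below is an added example written for this page, not JSC's C++ implementation; its holesMustForwardToPrototype, joinOwnElements, safeJoin and demoHoleForwarding functions and the polluted prototype they operate on are constructed for illustration, and the check is simplified in that it cannot see through Proxies or other exotic objects on the chain.

```javascript
// Added example, not JSC's code: the "holes forward to the prototype" condition behind the
// join/reverse refactoring above, and a join that only skips the prototype walk when safe.
const INDEX_KEY = /^(0|[1-9]\d*)$/;

// True if any object on the prototype chain owns an array-index property, in which case a
// hole in `array` is not empty: Get(array, i) would find the inherited value.
// (Simplified: it cannot detect Proxies or other exotic objects on the chain.)
function holesMustForwardToPrototype(array) {
  for (let proto = Object.getPrototypeOf(array); proto !== null; proto = Object.getPrototypeOf(proto)) {
    if (Reflect.ownKeys(proto).some((key) => typeof key === 'string' && INDEX_KEY.test(key))) return true;
  }
  return false;
}

// Fast path: holes are treated as empty without looking at the prototype chain.
// Correct only when holesMustForwardToPrototype() is false.
function joinOwnElements(array, separator) {
  let out = '';
  for (let i = 0; i < array.length; i++) {
    if (i > 0) out += separator;
    if (Object.prototype.hasOwnProperty.call(array, i)) out += String(array[i]);
  }
  return out;
}

// Takes the fast path only when no hole can be filled from the prototype chain;
// otherwise falls back to the generic Array.prototype.join, which performs the Get.
function safeJoin(array, separator = ',') {
  if (holesMustForwardToPrototype(array)) return Array.prototype.join.call(array, separator);
  return joinOwnElements(array, separator);
}

// Constructed inputs: the same sparse array once with a clean chain and once with a
// prototype (still inheriting from Array.prototype) that owns index 1.
function demoHoleForwarding() {
  const clean = [0, , 2];
  const polluted = [0, , 2];
  Object.setPrototypeOf(polluted, Object.create(Array.prototype, { 1: { value: 'inherited', enumerable: true } }));
  return {
    cleanForwards: holesMustForwardToPrototype(clean),        // false
    cleanJoin: safeJoin(clean),                               // '0,,2'
    pollutedForwards: holesMustForwardToPrototype(polluted),  // true
    pollutedJoin: safeJoin(polluted),                         // '0,inherited,2'
    pollutedFastPath: joinOwnElements(polluted, ','),         // '0,,2': wrong, the fast path ignores the chain
    pollutedNativeJoin: polluted.join(),                      // '0,inherited,2', same as safeJoin
  };
}
```

The pollutedFastPath result is the bug the guard prevents: an optimised join that never consults the chain silently returns a different string from the spec-defined one as soon as someone has defined an indexed property on a prototype, which is exactly the situation a prototype-pollution audit looks for.
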
2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ARMv7Assembler.cpp
        https://bugs.webkit.org/show_bug.cgi?id=146340

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.cpp: Removed.

2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989
        https://bugs.webkit.org/show_bug.cgi?id=146344

        Reviewed by Yusuke Suzuki.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseSourceElements):

2015-06-26  Aleksandr Skachkov  <gskachkov@gmail.com>

        [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function.
        https://bugs.webkit.org/show_bug.cgi?id=144955

        Reviewed by Yusuke Suzuki.

        Added support for ES6 arrow functions. Changes were made according to the following spec: http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. The patch does not include any arrow-function-specific behavior, e.g. lexical binding of this, arguments, etc.
        This patch implements the simplest cases of arrow function declaration:
           parameters             () => 10 + 20
           parameter               x => x + 20
           parameters         (x, y) => x + y
           function with block     x => { return x*10; }

        Not implemented:
           binding of this, arguments, super, etc.
           throwing an exception when trying to use 'new' with an arrow function

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createArrowFunctionExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createFuncDeclStatement):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::setTokenPosition):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::Lexer::lastTokenLocation):
        (JSC::Lexer::setTerminator):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody):
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseSwitchDefaultClause):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseFunctionBody):
        (JSC::stringForFunctionMode):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parseArrowFunctionExpression):
        * parser/Parser.h:
        (JSC::Parser::locationBeforeLastToken):
        (JSC::Parser::isEndOfArrowFunction):
        (JSC::Parser::isArrowFunctionParamters):
        (JSC::Parser::setEndOfStatement):
        * parser/ParserFunctionInfo.h:
        * parser/ParserTokens.h:
        * parser/SourceCode.h:
        (JSC::SourceCode::subArrowExpression):
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::endFunctionToken):
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createArrowFunctionExpr):
        (JSC::SyntaxChecker::setFunctionNameStart):

2015-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Support rest element in destructuring assignments
        https://bugs.webkit.org/show_bug.cgi?id=146206

        Reviewed by Oliver Hunt.

        This patch enables the rest element (...rest) in array binding patterns.
        It generates an array from the iterable.
        In variable declarations and parameters, only the `[...identifier]` form is allowed,
        while expressions can take the `[...[...rest]]` pattern.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorNext):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::bindValue):
        (JSC::ArrayPatternNode::toString):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::appendArrayPatternSkipEntry):
        (JSC::ASTBuilder::appendArrayPatternEntry):
        (JSC::ASTBuilder::appendArrayPatternRestEntry):
        * parser/Nodes.h:
        (JSC::ArrayPatternNode::appendIndex):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseDeconstructionPattern):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):
        * tests/stress/rest-elements.js: Added.
        (shouldBe):
        (shouldThrow):

714 2015-06-25  Commit Queue  <commit-queue@webkit.org>
715
716         Unreviewed, rolling out r185956.
717         https://bugs.webkit.org/show_bug.cgi?id=146321
718
719         Causes massive crashes on test bots (Requested by bfulgham on
720         #webkit).
721
722         Reverted changeset:
723
724         "Enabling MEDIA_STREAM"
725         https://bugs.webkit.org/show_bug.cgi?id=145947
726         http://trac.webkit.org/changeset/185956
727
728 2015-06-25  Michael Saboff  <msaboff@apple.com>
729
730         Minor fix to idx bounds check after 185954
731
732         Rubber Stamped by Ryosuke Niwa.
733
734         Changed "idx > 1" to "idx > 0" in two places.
735
736         * runtime/ExceptionHelpers.cpp:
737         (JSC::functionCallBase):
738
739 2015-06-25  Keith Miller  <keith_miller@apple.com>
740
741         Address Sanitizer does not play well with memcpy in JSC::MachineThreads::tryCopyOtherThreadStack.
742         https://bugs.webkit.org/show_bug.cgi?id=146297
743
744         Reviewed by Filip Pizlo.
745
746         Since we cannot blacklist the system memcpy, we must use our own naive implementation,
747         copyMemory. This is not a significant performance loss as tryCopyOtherThreadStack is
748         only called as part of an O(heapsize) operation. As the heap is generally much larger
749         than the stack the performance hit is minimal.
750
751         * heap/MachineStackMarker.cpp:
752         (JSC::copyMemory):
753         (JSC::MachineThreads::tryCopyOtherThreadStack):
754         (JSC::asanUnsafeMemcpy): Deleted.
755
756 2015-06-25  Matthew Daiter  <mdaiter@apple.com>
757
758         Enabling MEDIA_STREAM
759         https://bugs.webkit.org/show_bug.cgi?id=145947
760         <rdar://problem/21365829>
761
762         Reviewed by Brent Fulgham.
763
764         * Configurations/FeatureDefines.xcconfig:
765
766 2015-06-25  Michael Saboff  <msaboff@apple.com>
767
768         REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689)
769         https://bugs.webkit.org/show_bug.cgi?id=146298
770
771         Reviewed by Mark Lam.
772
773         We were underflowing in ExceptionHelpers.cpp::functionCallBase() with a right to left
774         string index.  Added checks that idx stays within the string.  Also added a termination
775         condition when idx is 0.
776
777         * runtime/ExceptionHelpers.cpp:
778         (JSC::functionCallBase):
779
780 2015-06-24  Chris Dumez  <cdumez@apple.com>
781
782         Unreviewed, speculative build fix after r185942.
783
784         Add missing include for StrongInlines.h.
785
786         * runtime/ArrayPrototype.cpp:
787
788 2015-06-24  Darin Adler  <darin@apple.com>
789
790         Optimize Array.join and Array.reverse for high speed array types
791         https://bugs.webkit.org/show_bug.cgi?id=146275
792
793         Reviewed by Mark Lam.
794
795         This seems to yield another 17% speed improvement in the array
796         test from the Peacekeeper benchmark.
797
798         * runtime/ArrayPrototype.cpp:
799         (JSC::isHole): Added. Helper to check for holes.
800         (JSC::containsHole): Ditto.
801         (JSC::arrayProtoFuncJoin): Added special cases for the various types
802         of arrays that could be in a butterfly.
803         (JSC::arrayProtoFuncReverse): Ditto.
804
805         * runtime/JSStringJoiner.h: Made appendEmptyString public so we can
806         call it from the new parts of Array.join.
807
808 2015-06-24  Filip Pizlo  <fpizlo@apple.com>
809
810         DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear
811         https://bugs.webkit.org/show_bug.cgi?id=146291
812         rdar://problem/21435366
813
814         Reviewed by Michael Saboff.
815         
816         The filter() method returns Contradiction only when a value *becomes* clear. This is
817         necessary for supporting the convention that non-JSValue nodes have a bottom proved
818         type. (We should fix that convention eventually, but for now let's just be consistent
819         about it.)
820         
821         * dfg/DFGFiltrationResult.h: Document the issue.
822         * dfg/DFGSpeculativeJIT32_64.cpp: Work around the issue.
823         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
824         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
825         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
826         * dfg/DFGSpeculativeJIT64.cpp: Work around the issue.
827         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
828         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
829         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
830         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
831
832 2015-06-24  Michael Saboff  <msaboff@apple.com>
833
834         Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo
835         https://bugs.webkit.org/show_bug.cgi?id=146285
836
837         Reviewed by Filip Pizlo.
838
839         CallLinkInfo's contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains
840         a collection of PolymorphicCallNode.  Those PolymorphicCallNodes have a reference back to the
841         CallLinkInfo.  When a CallLinkInfo replaces or clears "stub", the ref count of the
842         PolymorphicCallStubRoutine is decremented as expected, but since it inherits from
843         GCAwareJITStubRoutine, it isn't actually deleted until GC.  In the meantime, the original
844         CallLinkInfo can go away.  If PolymorphicCallNode::unlink() is called at that point,
845         it will try to unlink a now deleted CallLinkInfo and crash as a result.
846
847         The fix is to clear the CallLinkInfo references from any PolymorphicCallNode objects
848         when we set a new stub or clear an existing stub for a CallLinkInfo.  This is done by
849         calling PolymorphicCallNode::clearCallNodesFor() on the old stub.
850
851         The prior code would only call clearCallNodesFor() from the CallLinkInfo destructor.
852         This only took care of the last PolymorphicCallStubRoutine held in the CallLinkInfo.
853         Any prior PolymorphicCallStubRoutine would still have a, now bad, reference to the CallLinkInfo.
854
855         In the process I refactored CallLinkInfo from a struct to a class with proper accessors and
856         made all the data elements private.
857
858         * bytecode/CallLinkInfo.cpp:
859         (JSC::CallLinkInfo::clearStub): Updated to call PolymorphicCallStubRoutine::clearCallNodesFor()
860         to clear the back references to this CallLinkInfo.
861         * bytecode/CallLinkInfo.h:
862         (JSC::CallLinkInfo::~CallLinkInfo): Moved clearCallNodesFor() call to clearStub().
863         (JSC::CallLinkInfo::setStub): Clear any prior stub before changing to the new stub.
864
865 2015-06-24  Michael Saboff  <msaboff@apple.com>
866
867         Refactor CallLinkInfo from a struct to a class
868         https://bugs.webkit.org/show_bug.cgi?id=146292
869
870         Rubber stamped by Filip Pizlo.
871
872         Refactored CallLinkInfo from a struct to a class with proper accessors and made all the
873         data elements private.
874
875         Done in preparation for fixing https://bugs.webkit.org/show_bug.cgi?id=146285.
876
877         * bytecode/CallLinkInfo.cpp:
878         (JSC::CallLinkInfo::clearStub):
879         (JSC::CallLinkInfo::unlink):
880         (JSC::CallLinkInfo::visitWeak):
881         * bytecode/CallLinkInfo.h:
882         (JSC::CallLinkInfo::callTypeFor):
883         (JSC::CallLinkInfo::CallLinkInfo):
884         (JSC::CallLinkInfo::~CallLinkInfo):
885         (JSC::CallLinkInfo::specializationKindFor):
886         (JSC::CallLinkInfo::specializationKind):
887         (JSC::CallLinkInfo::isLinked):
888         (JSC::CallLinkInfo::setUpCall):
889         (JSC::CallLinkInfo::setCallLocations):
890         (JSC::CallLinkInfo::setUpCallFromFTL):
891         (JSC::CallLinkInfo::callReturnLocation):
892         (JSC::CallLinkInfo::hotPathBegin):
893         (JSC::CallLinkInfo::hotPathOther):
894         (JSC::CallLinkInfo::setCallee):
895         (JSC::CallLinkInfo::clearCallee):
896         (JSC::CallLinkInfo::callee):
897         (JSC::CallLinkInfo::setLastSeenCallee):
898         (JSC::CallLinkInfo::clearLastSeenCallee):
899         (JSC::CallLinkInfo::lastSeenCallee):
900         (JSC::CallLinkInfo::haveLastSeenCallee):
901         (JSC::CallLinkInfo::setStub):
902         (JSC::CallLinkInfo::stub):
903         (JSC::CallLinkInfo::seenOnce):
904         (JSC::CallLinkInfo::clearSeen):
905         (JSC::CallLinkInfo::setSeen):
906         (JSC::CallLinkInfo::hasSeenClosure):
907         (JSC::CallLinkInfo::setHasSeenClosure):
908         (JSC::CallLinkInfo::clearedByGC):
909         (JSC::CallLinkInfo::setCallType):
910         (JSC::CallLinkInfo::callType):
911         (JSC::CallLinkInfo::addressOfMaxNumArguments):
912         (JSC::CallLinkInfo::maxNumArguments):
913         (JSC::CallLinkInfo::offsetOfSlowPathCount):
914         (JSC::CallLinkInfo::setCalleeGPR):
915         (JSC::CallLinkInfo::calleeGPR):
916         (JSC::CallLinkInfo::slowPathCount):
917         (JSC::CallLinkInfo::setCodeOrigin):
918         (JSC::CallLinkInfo::codeOrigin):
919         (JSC::getCallLinkInfoCodeOrigin):
920         * bytecode/CallLinkStatus.cpp:
921         (JSC::CallLinkStatus::computeFor):
922         (JSC::CallLinkStatus::computeFromCallLinkInfo):
923         (JSC::CallLinkStatus::computeDFGStatuses):
924         * bytecode/CallLinkStatus.h:
925         * bytecode/CodeBlock.cpp:
926         (JSC::CodeBlock::printCallOp):
927         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
928         * dfg/DFGJITCompiler.cpp:
929         (JSC::DFG::JITCompiler::link):
930         * dfg/DFGOSRExitCompilerCommon.cpp:
931         (JSC::DFG::reifyInlinedCallFrames):
932         * dfg/DFGSpeculativeJIT32_64.cpp:
933         (JSC::DFG::SpeculativeJIT::emitCall):
934         * dfg/DFGSpeculativeJIT64.cpp:
935         (JSC::DFG::SpeculativeJIT::emitCall):
936         * ftl/FTLJSCallBase.cpp:
937         (JSC::FTL::JSCallBase::link):
938         * jit/AccessorCallJITStubRoutine.h:
939         * jit/JIT.cpp:
940         (JSC::JIT::privateCompile):
941         * jit/JIT.h:
942         * jit/JITCall.cpp:
943         (JSC::JIT::compileSetupVarargsFrame):
944         (JSC::JIT::compileOpCall):
945         * jit/JITCall32_64.cpp:
946         (JSC::JIT::compileSetupVarargsFrame):
947         (JSC::JIT::compileOpCall):
948         * jit/JITOperations.cpp:
949         * jit/PolymorphicCallStubRoutine.cpp:
950         (JSC::PolymorphicCallNode::unlink):
951         (JSC::PolymorphicCallNode::clearCallLinkInfo):
952         * jit/PolymorphicCallStubRoutine.h:
953         * jit/Repatch.cpp:
954         (JSC::generateByIdStub):
955         (JSC::linkSlowFor):
956         (JSC::linkFor):
957         (JSC::revertCall):
958         (JSC::unlinkFor):
959         (JSC::linkPolymorphicCall):
960         * jit/ThunkGenerators.cpp:
961         (JSC::virtualForThunkGenerator):
962
963 2015-06-24  Doug Russell  <d_russell@apple.com>
964
965         Bug 146177 - AX: AXObjectCache should try to use an unignored accessibilityObject 
966         when posting a selection notification when on the border between two accessibilityObjects
967         https://bugs.webkit.org/show_bug.cgi?id=146177
968
969         Add an adopt() function to simplify JSRetainPtr<JSStringRef> { Adopt, string } to adopt(string).
970
971         Reviewed by Darin Adler.
972
973         * API/JSRetainPtr.h:
974         (adopt):
975
976 2015-06-24  Keith Miller  <keith_miller@apple.com>
977
978         Strict Equality on objects should only check that one of the two sides is an object.
979         https://bugs.webkit.org/show_bug.cgi?id=145992
980
981         This patch adds a new optimization for checking strict equality on objects.
982         If we speculate that a strict equality comparison has an object on one side
983         we only need to type check that side. Equality is then determined by a pointer
984         comparison between the two values (although in the 32-bit case we must also check
985         that the other side is a cell). Once LICM hoists type checks out of a loop we
986         can be cleverer about how we choose the operand we type check if both are
987         speculated to be objects.
988
989         For testing I added the addressOf function, which returns the address
990         of a Cell to the runtime.
991
992         Reviewed by Mark Lam.
993
994         * dfg/DFGFixupPhase.cpp:
995         (JSC::DFG::FixupPhase::fixupNode):
996         * dfg/DFGSpeculativeJIT.cpp:
997         (JSC::DFG::SpeculativeJIT::compileStrictEq):
998         * dfg/DFGSpeculativeJIT.h:
999         * dfg/DFGSpeculativeJIT32_64.cpp:
1000         (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
1001         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
1002         * dfg/DFGSpeculativeJIT64.cpp:
1003         (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
1004         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
1005         * ftl/FTLCapabilities.cpp:
1006         (JSC::FTL::canCompile):
1007         * ftl/FTLLowerDFGToLLVM.cpp:
1008         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
1009         * jsc.cpp:
1010         (GlobalObject::finishCreation):
1011         (functionAddressOf):
1012         * tests/stress/equality-type-checking.js: Added.
1013         (Foo):
1014         (checkStrictEq):
1015         (checkStrictEqOther):
1016
1017 2015-06-24  Mark Lam  <mark.lam@apple.com>
1018
1019         Fixed assertion in JSStringJoiner::join() (regression from r185899).
1020
1021         Not reviewed.
1022
1023         JSStringJoiner did not account for the case where the array being joined can
1024         have null or undefined elements.  As a result, its size may be less than
1025         its initially reserved capacity (which was estimated based on the array length).
1026
1027         * runtime/JSStringJoiner.cpp:
1028         (JSC::JSStringJoiner::join):
1029
1030 2015-06-24  Darin Adler  <darin@apple.com>
1031
1032         Fix Array.concat with RuntimeArray (regression from my last patch)
1033
1034         * runtime/ArrayPrototype.cpp:
1035         (JSC::arrayProtoFuncConcat): Use getLength instead of JSArray::length.
1036
1037         * runtime/JSArray.cpp:
1038         (JSC::JSArray::defineOwnProperty): Added comment about use of
1039         JSArray::length here that is incorrect (in a really non-obvious way).
1040         (JSC::JSArray::fillArgList): Ditto.
1041         (JSC::JSArray::copyToArguments): Ditto.
1042
1043         * runtime/JSArray.h: Added a comment explaining that it is not always
1044         safe to use JSArray::length.
1045
1046 2015-06-23  Mark Lam  <mark.lam@apple.com>
1047
1048         Gardening: Fixing 2 bad asserts from r185889.
1049         https://bugs.webkit.org/show_bug.cgi?id=140575
1050
1051         Not reviewed.
1052
1053         * runtime/JSBoundSlotBaseFunction.cpp:
1054         (JSC::JSBoundSlotBaseFunction::finishCreation):
1055
1056 2015-06-23  Dan Bernstein  <mitz@apple.com>
1057
1058         Fixed iOS production builds.
1059
1060         * JavaScriptCore.xcodeproj/project.pbxproj:
1061
1062 2015-06-22  Darin Adler  <darin@apple.com>
1063
1064         Make Array.join work directly on substrings without reifying them
1065         https://bugs.webkit.org/show_bug.cgi?id=146191
1066
1067         Reviewed by Andreas Kling.
1068
1069         Besides the Array.join change, this has other optimizations based on
1070         profiling the Peacekeeper array benchmark.
1071
1072         I measured a 14% speed improvement in the Peacekeeper array benchmark.
1073
1074         Still a lot of low hanging fruit in that test because so many of the functions
1075         on the array prototype are not optimizing for simple cases. For example,
1076         the reverse function does individual get and put calls even when the array
1077         is entirely made up of integers in contiguous storage.
1078
1079         * runtime/ArrayPrototype.cpp:
1080         (JSC::getProperty): Use tryGetIndexQuickly first before getPropertySlot.
1081         (JSC::argumentClampedIndexFromStartOrEnd): Marked inline.
1082         (JSC::shift): Use the getProperty helper in this file instead of using
1083         getPropertySlot. Use putByIndexInline instead of calling putByIndex directly.
1084         In both cases this can yield a faster code path.
1085         (JSC::unshift): Ditto.
1086         (JSC::arrayProtoFuncToString): Updated to use the new JSStringJoiner
1087         interface. Changed local variable name to thisArray since it's not a
1088         JSObject*. Changed loop index to i instead of k.
1089         (JSC::arrayProtoFuncToLocaleString): Updated to use the new JSStringJoiner
1090         interface. Renamed thisObj to thisObject. Added a missing exception check
1091         after the toLocaleString function is called, but before toString is called on
1092         the result of that function.
1093         (JSC::arrayProtoFuncJoin): Updated to use the new JSStringJoiner interface.
1094         Added a missing exception check after calling toString on the separator
1095         but before calling get to get the first element in the array-like object
1096         being joined. Changed loop index to i instead of k. Added missing exception
1097         check after calling toString on each string from the array before calling
1098         get for the next element.
1099         (JSC::arrayProtoFuncConcat): Use JSArray::length instead of using the
1100         getLength function.
1101         (JSC::arrayProtoFuncReverse): Ditto. Also use putByIndexInline.
1102         (JSC::arrayProtoFuncShift): Ditto.
1103         (JSC::arrayProtoFuncSplice): Use getIndex instead of get, which includes some
1104         additional optimizations.
1105         (JSC::getOrHole): Deleted. Unused function.
1106         (JSC::arrayProtoFuncUnShift): Use putByIndexInline.
1107
1108         * runtime/ExceptionHelpers.cpp:
1109         (JSC::errorDescriptionForValue): Removed the duplicate copy of the logic
1110         from JSValue::toString.
1111
1112         * runtime/JSCJSValue.cpp:
1113         (JSC::JSValue::toStringSlowCase): Improved the performance when converting a
1114         small integer to a single character string.
1115         (JSC::JSValue::toWTFStringSlowCase): Moved the contents of the
1116         inlineJSValueNotStringtoString function here.
1117         * runtime/JSCJSValue.h: Removed no longer used toWTFStringInline and fixed
1118         a comment with a typo.
1119
1120         * runtime/JSObject.h:
1121         (JSC::JSObject::putByIndexInline): Marked ALWAYS_INLINE because this was not
1122         getting inlined at some call sites.
1123         (JSC::JSObject::indexingData): Deleted. Unused function.
1124         (JSC::JSObject::currentIndexingData): Deleted. Unused function.
1125         (JSC::JSObject::getHolyIndexQuickly): Deleted. Unused function.
1126         (JSC::JSObject::relevantLength): Deleted. Unused function.
1127         (JSC::JSObject::currentRelevantLength): Deleted. Unused function.
1128
1129         * runtime/JSString.h: Added the StringViewWithUnderlyingString struct and
1130         the viewWithUnderlyingString function. Removed the inlineJSValueNotStringtoString
1131         and toWTFStringInline functions.
1132
1133         * runtime/JSStringJoiner.cpp:
1134         (JSC::appendStringToData): Changed this to be a template instead of writing
1135         it out, since StringView::getCharactersWithUpconvert does almost exactly what
1136         this function was trying to do.
1137         (JSC::joinStrings): Rewrote this to use StringView.
1138         (JSC::JSStringJoiner::joinedLength): Added. Factored out from the join function.
1139         (JSC::JSStringJoiner::join): Rewrote to make it a bit simpler. Added an assertion
1140         that we entirely filled capacity, since we are now reserving capacity and using
1141         uncheckedAppend. Use String instead of RefPtr<StringImpl> because there was no
1142         particular value to using the impl directly.
1143
1144         * runtime/JSStringJoiner.h: Changed the interface to the class to use StringView.
1145         Also changed this class so it now has the responsibility to convert each JSValue
1146         into a string. This let us share more code between toString and join, and also
1147         lets us use the new viewWithUnderlyingString function, which could be confusing at
1148         all the call sites, but is easier to understand here.
1149
1150 2015-06-23  Matthew Mirman  <mmirman@apple.com>
1151
1152         Completes native binding descriptors with native getters and potentially setters.
1153         https://bugs.webkit.org/show_bug.cgi?id=140575
1154         rdar://problem/19506502
1155
1156         Reviewed by Mark Lam.
1157
1158         * CMakeLists.txt: Added JSBoundSlotBaseFunction.cpp.
1159         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1160         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1161         * JavaScriptCore.xcodeproj/project.pbxproj:
1162         * inspector/InjectedScriptSource.js: Added case for descriptor having a native getter.
1163         * runtime/JSBoundSlotBaseFunction.cpp: Added.
1164         (JSC::boundSlotBaseFunctionCall):
1165         (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction):  
1166         Necessary wrapper for custom getters and setters as objects.
1167         (JSC::JSBoundSlotBaseFunction::create):
1168         (JSC::JSBoundSlotBaseFunction::visitChildren):
1169         (JSC::JSBoundSlotBaseFunction::finishCreation):
1170         * runtime/JSBoundSlotBaseFunction.h: Added.
1171         (JSC::JSBoundSlotBaseFunction::createStructure):
1172         (JSC::JSBoundSlotBaseFunction::boundSlotBase):
1173         (JSC::JSBoundSlotBaseFunction::customGetterSetter):
1174         (JSC::JSBoundSlotBaseFunction::isGetter):
1175         * runtime/JSGlobalObject.cpp:
1176         (JSC::JSGlobalObject::init): Added a globally initialized structure for JSBoundSlotBaseFunction.
1177         (JSC::JSGlobalObject::visitChildren): Visits that structure.
1178         * runtime/JSGlobalObject.h:
1179         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Added a getter for that structure.
1180         * runtime/JSObject.cpp:
1181         (JSC::JSObject::getOwnPropertyDescriptor): Extends the case for CustomGetterSetter to
1182         actually include GetterSetter as a JSBoundSlotBaseFunction.
1183         * runtime/VM.cpp: Added initializer for customGetterSetterFunctionMap.
1184         * runtime/VM.h: Added cache for JSBoundSlotBaseFunction.
1185
1186 2015-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1187
1188         [ES6] Allow trailing comma in ArrayBindingPattern and ObjectBindingPattern
1189         https://bugs.webkit.org/show_bug.cgi?id=146192
1190
1191         Reviewed by Darin Adler.
1192
1193         According to the ES6 spec, a trailing comma in ArrayBindingPattern and ObjectBindingPattern is allowed,
1194         and empty ArrayBindingPattern and ObjectBindingPattern are also allowed.
1195
1196         This patch allows trailing comma and empty binding patterns.
1197
1198         * bytecompiler/NodesCodegen.cpp:
1199         (JSC::ArrayPatternNode::bindValue):
1200         * parser/Parser.cpp:
1201         (JSC::Parser<LexerType>::parseDeconstructionPattern):
1202         * tests/stress/trailing-comma-in-patterns.js: Added.
1203         (shouldBe):
1204         (iterator):
1205
1206 2015-06-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1207
1208         [ES6] Destructuring assignment need to accept iterables
1209         https://bugs.webkit.org/show_bug.cgi?id=144111
1210
1211         Reviewed by Darin Adler.
1212
1213         This patch makes destructuring assignments to array binding patterns accept iterables.
1214         Previously, they just accessed the indexed properties.
1215         After this patch, the given value is iterated using the ES6 iterator protocol.
1216
1217         The iteration differs from the for-of case:
1218         1. Since there is no break/continue case, a finally scope is not necessary.
1219         2. When an error is raised, the close status of the iterator becomes true, so IteratorClose is not called for it.
1220         3. Since array binding patterns require a limited count of iterations (if there is no rest (...rest) element), IteratorClose is called when the iteration does not consume all the values of the iterator.
1221         4. Since array binding patterns require a specified count of iterations, the iterator's next call is skipped once the iterator becomes closed.
1222
1223         * bytecompiler/BytecodeGenerator.cpp:
1224         (JSC::BytecodeGenerator::emitIteratorClose):
1225         * bytecompiler/BytecodeGenerator.h:
1226         * bytecompiler/NodesCodegen.cpp:
1227         (JSC::ArrayPatternNode::bindValue):
1228         * parser/ASTBuilder.h:
1229         (JSC::ASTBuilder::finishArrayPattern):
1230         * parser/Nodes.h:
1231         * parser/Parser.cpp:
1232         (JSC::Parser<LexerType>::parseDeconstructionPattern):
1233         * parser/SyntaxChecker.h:
1234         (JSC::SyntaxChecker::operatorStackPop):
1235         * tests/stress/destructuring-assignment-accepts-iterables.js: Added.
1236         (shouldBe):
1237         (shouldThrow):
1238         (.set shouldThrow):
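As an added example (not part of this ChangeLog or of JavaScriptCore), the tracing iterable below makes the four iteration rules in the entry above observable from script, together with the rest element form from the 2015-06-25 entry and the empty/trailing-comma patterns from the 2015-06-22 entry. The helper names (makeTracingIterable, bindTwo and friends) are assumptions of this example only.

```javascript
// Added example, not JavaScriptCore code: a tracing iterable that records every
// next()/return() call so the destructuring rules from the entry can be observed.
// All helper names (makeTracingIterable, bindTwo, ...) are assumptions of this example.
function makeTracingIterable(values, { throwAt = -1 } = {}) {
  const log = [];
  const iterable = {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          if (i === throwAt) {
            log.push("next:throw");
            throw new Error("next failed");
          }
          if (i >= values.length) {
            log.push("next:done");
            return { value: undefined, done: true };
          }
          log.push("next");
          return { value: values[i++], done: false };
        },
        // IteratorClose calls this when the pattern stops before the iterator is exhausted.
        return() {
          log.push("return");
          return { value: undefined, done: true };
        },
      };
    },
  };
  return { iterable, log };
}

// Rule 3: a fixed-length pattern over a longer iterable binds its elements and then
// closes the iterator (return() is called exactly once).
function bindTwo(values) {
  const { iterable, log } = makeTracingIterable(values);
  const [a, b] = iterable;
  return { a, b, log };
}

// Rule 4: once next() reports done, the remaining elements become undefined without
// another next() call, and nothing is closed because the iterator finished on its own.
function bindFour(values) {
  const { iterable, log } = makeTracingIterable(values);
  const [a, b, c, d] = iterable;
  return { a, b, c, d, log };
}

// Rest element (2015-06-25 entry): the rest drains the iterator, so no close happens.
function bindRest(values) {
  const { iterable, log } = makeTracingIterable(values);
  const [first, ...rest] = iterable;
  return { first, rest, log };
}

// Rule 2: a throwing next() marks the iterator done, so IteratorClose is skipped and
// the error propagates to the caller.
function bindWithFailingNext(values, throwAt) {
  const { iterable, log } = makeTracingIterable(values, { throwAt });
  try {
    const [a, b] = iterable;
    return { threw: false, a, b, log };
  } catch (e) {
    return { threw: true, message: e.message, log };
  }
}

// Empty pattern (2015-06-22 entry): no element is requested, so the only call is the close.
function bindEmpty(values) {
  const { iterable, log } = makeTracingIterable(values);
  const [] = iterable;
  return { log };
}

// Nested rest pattern `[...[...rest]]` is only valid in an assignment expression,
// not in a declaration or parameter list.
function nestedRestAssignment(values) {
  let head, tail;
  [...[head, ...tail]] = values;
  return { head, tail };
}
```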
1239
1240 2015-06-19  Devin Rousso  <drousso@apple.com>
1241
1242         Web Inspector: Highlight currently edited CSS selector
1243         https://bugs.webkit.org/show_bug.cgi?id=145658
1244
1245         Reviewed by Joseph Pecoraro.
1246
1247         * inspector/protocol/DOM.json: Added highlightSelector to show highlight over multiple nodes.
1248
1249 2015-06-19  Mark Lam  <mark.lam@apple.com>
1250
1251         Gardening: fix build for EWS bots.
1252
1253         Not reviewed.
1254
1255         * runtime/JSArray.cpp:
1256         (JSC::JSArray::setLengthWithArrayStorage):
1257
1258 2015-06-19  Michael Saboff  <msaboff@apple.com>
1259
1260         Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL::fixFunctionBasedOnStackMaps + 17225
1261         https://bugs.webkit.org/show_bug.cgi?id=146133
1262
1263         Reviewed by Geoffrey Garen.
1264
1265         When generating code to put in inline caching areas, if there isn't enough space,
1266         then create and link to an out of line area.  We connect the inline code to this
1267         out of line code area by planting a jump from the inline area to the out of line
1268         code and appending a jump at the end of the out of line code back to the instruction
1269         following the inline area.  We fill the unused inline area with nops, primarily to 
1270         ensure the disassembler doesn't get confused.
1271
1272         * ftl/FTLCompile.cpp:
1273         (generateInlineIfPossibleOutOfLineIfNot): New function that determines if there is enough space
1274         in the inline code area for the code to link.  If so, it links inline, otherwise it links the
1275         code out of line and plants appropriate jumps to/from the out of line code.
1276         (generateICFastPath):
1277         (generateCheckInICFastPath):
1278         (fixFunctionBasedOnStackMaps):
1279         Use generateInlineIfPossibleOutOfLineIfNot() to link code intended for inline cache space.
1280
1281         * ftl/FTLJITFinalizer.cpp:
1282         (JSC::FTL::JITFinalizer::finalizeFunction):
1283         * ftl/FTLJITFinalizer.h:
1284         (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo):
1285         Added code to finalize any out of line LinkBuffer created by generateInlineIfPossibleOutOfLineIfNot().
1286
1287 2015-06-19  Geoffrey Garen  <ggaren@apple.com>
1288
1289         WebKit crash while loading nytimes at JavaScriptCore: JSC::ExecutableAllocator::allocate + 276
1290         https://bugs.webkit.org/show_bug.cgi?id=146163
1291         <rdar://problem/20392986>
1292
1293         Reviewed by Michael Saboff.
1294
1295         There's no good way to test this in our test harness because we don't
1296         have a way to simulate executable memory pressure, and doing so would
1297         cause the cases that still use JITCompilationMustSucceed to crash.
1298
1299         Instead, I tested by manually forcing all regexp JIT compilation to
1300         fail and running the JavaScriptCore tests.
1301
1302         * yarr/YarrJIT.cpp:
1303         (JSC::Yarr::YarrGenerator::compile): Allow compilation to fail. We can
1304         fall back to the regexp interpreter if we need to.
1305
1306 2015-06-19  Mark Lam  <mark.lam@apple.com>
1307
1308         Employ explicit operator bool() instead of using the UnspecifiedBoolType workaround.
1309         https://bugs.webkit.org/show_bug.cgi?id=146154
1310
1311         Reviewed by Darin Adler.
1312
1313         * assembler/MacroAssemblerCodeRef.h:
1314         (JSC::MacroAssemblerCodePtr::dataLocation):
1315         (JSC::MacroAssemblerCodePtr::operator bool):
1316         (JSC::MacroAssemblerCodePtr::operator==):
1317         (JSC::MacroAssemblerCodeRef::tryToDisassemble):
1318         (JSC::MacroAssemblerCodeRef::operator bool):
1319         (JSC::MacroAssemblerCodeRef::dump):
1320         (JSC::MacroAssemblerCodePtr::operator UnspecifiedBoolType*): Deleted.
1321         (JSC::MacroAssemblerCodeRef::operator UnspecifiedBoolType*): Deleted.
1322
1323         * bytecode/CodeOrigin.cpp:
1324         (JSC::CodeOrigin::isApproximatelyEqualTo):
1325         - Fixed a bug here where we were expecting to compare Executable pointers, but
1326           ended up comparing a (UnspecifiedBoolType*)1 with another
1327           (UnspecifiedBoolType*)1.
1328
1329         * bytecode/LLIntCallLinkInfo.h:
1330         (JSC::LLIntCallLinkInfo::~LLIntCallLinkInfo):
1331         (JSC::LLIntCallLinkInfo::isLinked):
1332         (JSC::LLIntCallLinkInfo::unlink):
1333         * dfg/DFGBlockWorklist.h:
1334         (JSC::DFG::BlockWith::BlockWith):
1335         (JSC::DFG::BlockWith::operator bool):
1336         (JSC::DFG::BlockWithOrder::BlockWithOrder):
1337         (JSC::DFG::BlockWithOrder::operator bool):
1338         (JSC::DFG::BlockWith::operator UnspecifiedBoolType*): Deleted.
1339         (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*): Deleted.
1340         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1341         * dfg/DFGLazyNode.h:
1342         (JSC::DFG::LazyNode::operator!):
1343         (JSC::DFG::LazyNode::operator bool):
1344         (JSC::DFG::LazyNode::operator UnspecifiedBoolType*): Deleted.
1345         * heap/CopyWriteBarrier.h:
1346         (JSC::CopyWriteBarrier::operator!):
1347         (JSC::CopyWriteBarrier::operator bool):
1348         (JSC::CopyWriteBarrier::get):
1349         (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*): Deleted.
1350         * heap/Handle.h:
1351         (JSC::HandleBase::operator!):
1352         (JSC::HandleBase::operator bool):
1353         (JSC::HandleBase::slot):
1354         (JSC::HandleBase::operator UnspecifiedBoolType*): Deleted.
1355         * heap/Strong.h:
1356         (JSC::Strong::operator!):
1357         (JSC::Strong::operator bool):
1358         (JSC::Strong::swap):
1359         (JSC::Strong::operator UnspecifiedBoolType*): Deleted.
1360         * jit/JITWriteBarrier.h:
1361         (JSC::JITWriteBarrierBase::operator bool):
1362         (JSC::JITWriteBarrierBase::operator!):
1363         (JSC::JITWriteBarrierBase::setFlagOnBarrier):
1364         (JSC::JITWriteBarrierBase::operator UnspecifiedBoolType*): Deleted.
1365         * runtime/JSArray.cpp:
1366         (JSC::JSArray::setLengthWithArrayStorage):
1367         * runtime/JSCJSValue.h:
1368         * runtime/JSCJSValueInlines.h:
1369         (JSC::JSValue::JSValue):
1370         (JSC::JSValue::operator bool):
1371         (JSC::JSValue::operator==):
1372         (JSC::JSValue::operator UnspecifiedBoolType*): Deleted.
1373         * runtime/JSObject.h:
1374         (JSC::JSObject::hasSparseMap):
1375         * runtime/PropertyDescriptor.h:
1376         (JSC::PropertyDescriptor::writablePresent):
1377         (JSC::PropertyDescriptor::enumerablePresent):
1378         (JSC::PropertyDescriptor::configurablePresent):
1379         (JSC::PropertyDescriptor::setterPresent):
1380         (JSC::PropertyDescriptor::getterPresent):
1381         * runtime/WriteBarrier.h:
1382         (JSC::WriteBarrierBase::slot):
1383         (JSC::WriteBarrierBase::operator bool):
1384         (JSC::WriteBarrierBase::operator!):
1385         (JSC::WriteBarrierBase<Unknown>::tagPointer):
1386         (JSC::WriteBarrierBase<Unknown>::payloadPointer):
1387         (JSC::WriteBarrierBase<Unknown>::operator bool):
1388         (JSC::WriteBarrierBase<Unknown>::operator!):
1389         (JSC::WriteBarrierBase::operator UnspecifiedBoolType*): Deleted.
1390         (JSC::WriteBarrierBase<Unknown>::operator UnspecifiedBoolType*): Deleted.
1391
1392 2015-06-19  Anders Carlsson  <andersca@apple.com>
1393
1394         Add a JSC symlink in /System/Library/PrivateFrameworks
1395         https://bugs.webkit.org/show_bug.cgi?id=146158
1396         rdar://problem/21465968
1397
1398         Reviewed by Dan Bernstein.
1399
1400         * JavaScriptCore.xcodeproj/project.pbxproj:
1401
1402 2015-06-19  Joseph Pecoraro  <pecoraro@apple.com>
1403
1404         Web Inspector: Avoid getOwnPropertyNames/Symbols on very large lists
1405         https://bugs.webkit.org/show_bug.cgi?id=146141
1406
1407         Reviewed by Timothy Hatcher.
1408
1409         * inspector/InjectedScriptSource.js:
1410         (InjectedScript.prototype._propertyDescriptors):
1411         Avoid calling getOwnPropertyNames/Symbols on very large lists. Instead
1412         just generate property descriptors for the first 100 indexes. Note
1413         this would behave poorly for sparse arrays with a length > 100, but
1414         general support for lists with more than 100 elements is poor. See:
1415         <https://webkit.org/b/143589> Web Inspector: Better handling for large collections in Object Trees
1416
1417 2015-06-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1418
1419         [DFG] Avoid OSR exit in the middle of string concatenation
1420         https://bugs.webkit.org/show_bug.cgi?id=145820
1421
1422         Reviewed by Filip Pizlo.
1423
1424         DFG attempts to compile ValueAdd with String type into MakeRope(left, ToString(ToPrimitive(right))).
1425
1426         So when right is speculated as SpecObject, ToPrimitive(SpecObject) is speculated as SpecString.
1427         This leads ToString to become Identity with a speculated type check.
1428
1429         However, ToPrimitive and ToString originate from the same bytecode. And ToPrimitive may have
1430         an observable side effect when the given parameter is an object (calling object.{toString,valueOf}).
1431
1432         So when object.toString() returns a number (it is allowed in the ES spec), ToPrimitive performs
1433         an observable `object.toString()` call. But ToString is converted into a speculated type check for
1434         SpecString and it raises an OSR exit. And we exit to the original ValueAdd's bytecode position and
1435         it redundantly performs an observable ToPrimitive execution.
1436
1437         To fix this, this patch avoids fixing up the newly introduced ToString node.
1438         Since the fixup phase is not iterated repeatedly, by avoiding fixing up when generating the node,
1439         we can avoid the conversion from ToString to Check.
1440
1441         * dfg/DFGFixupPhase.cpp:
1442         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1443         * tests/stress/toprimitive-speculated-types.js: Added.
1444         (shouldBe):
1445         (raw):
1446         (Counter):
1447
1448 2015-06-18  Brian J. Burg  <burg@cs.washington.edu>
1449
1450         Web Inspector: improve generated types for objects passed to backend commands
1451         https://bugs.webkit.org/show_bug.cgi?id=146091
1452
1453         Reviewed by Joseph Pecoraro.
1454
1455         The main change is that objects passed in will have a type like const T& or const T*,
1456         rather than const RefPtr<T>&&. These protocol objects are owned by the generated dispatcher
1457         methods and only exist to pass data to backend command implementations. So, there is no
1458         reason for callees to add a reference or take ownership of these inputs.
1459
1460         Some small improvements were made in the code generator to standardize how these
1461         expressions are generated for parameters. Optional in parameters are now prefixed with
1462         'opt_in_' to make the generated method signatures and implementations clearer.
1463
1464         * inspector/InspectorValues.cpp:
1465         (Inspector::InspectorArrayBase::get): Add const qualifier.
1466         * inspector/InspectorValues.h:
1467         * inspector/agents/InspectorDebuggerAgent.cpp:
1468         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1469         (Inspector::parseLocation):
1470         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1471         (Inspector::InspectorDebuggerAgent::continueToLocation):
1472         * inspector/agents/InspectorDebuggerAgent.h:
1473         * inspector/agents/InspectorRuntimeAgent.cpp:
1474         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1475         (Inspector::InspectorRuntimeAgent::saveResult):
1476         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1477         * inspector/agents/InspectorRuntimeAgent.h:
1478
1479         * inspector/scripts/codegen/cpp_generator.py: Always generate PrimitiveType('array').
1480         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Alter the type signature
1481         for an unchecked input to use pointers or references.
1482
1483         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1484         (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1485         (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
1486         Local variables for optional parameters now have the 'opt_' prefix.
1487
1488         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1489         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1490         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1491         Local variables for optional parameters now have the 'opt_' prefix.
1492         Split parameterName and parameterKey into two separate template variables to avoid mixups.
1493
1494         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1495
1496 2015-06-18  Joseph Pecoraro  <pecoraro@apple.com>
1497
1498         Unreviewed. Roll out r185670 as it caused some tests to be flaky.
1499
1500         * debugger/Debugger.cpp:
1501
1502 2015-06-17  Alex Christensen  <achristensen@webkit.org>
1503
1504         [Content Extensions] Log blocked loads to the WebInspector console
1505         https://bugs.webkit.org/show_bug.cgi?id=146089
1506
1507         Reviewed by Joseph Pecoraro.
1508
1509         * inspector/ConsoleMessage.cpp:
1510         (Inspector::messageSourceValue):
1511         * inspector/protocol/Console.json:
1512         * runtime/ConsoleTypes.h:
1513         Add content blocker message source.
1514
1515 2015-06-18  Saam Barati  <saambarati1@gmail.com>
1516
1517         [ES6] support default values in deconstruction parameter nodes
1518         https://bugs.webkit.org/show_bug.cgi?id=142679
1519
1520         Reviewed by Darin Adler.
1521
1522         ES6 destructuring allows destructuring properties to assign
1523         default values. A link to the spec:
1524         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-destructuring-binding-patterns
1525
1526         This patch implements default values for all places where deconstruction
1527         is allowed besides function parameters. This is because function
1528         parameters are parsed in a separate parser arena from the function
1529         body itself, and the ExpressionNodes which are default values for
1530         deconstruction parameters will be deallocated by the time we parse the body
1531         of the function. I have opened a bug to address this problem:
1532         https://bugs.webkit.org/show_bug.cgi?id=145995
1533
1534         * bytecompiler/NodesCodegen.cpp:
1535         (JSC::DeconstructionPatternNode::~DeconstructionPatternNode):
1536         (JSC::assignDefaultValueIfUndefined):
1537         (JSC::ArrayPatternNode::bindValue):
1538         (JSC::ArrayPatternNode::emitDirectBinding):
1539         (JSC::ArrayPatternNode::toString):
1540         (JSC::ArrayPatternNode::collectBoundIdentifiers):
1541         (JSC::ObjectPatternNode::bindValue):
1542         * parser/ASTBuilder.h:
1543         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
1544         (JSC::ASTBuilder::appendArrayPatternEntry):
1545         (JSC::ASTBuilder::createObjectPattern):
1546         (JSC::ASTBuilder::appendObjectPatternEntry):
1547         (JSC::ASTBuilder::createBindingLocation):
1548         * parser/Nodes.h:
1549         (JSC::ArrayPatternNode::appendIndex):
1550         (JSC::ObjectPatternNode::appendEntry):
1551         (JSC::ObjectPatternNode::Entry::Entry): Deleted.
1552         * parser/Parser.cpp:
1553         (JSC::Parser<LexerType>::parseDeconstructionPattern):
1554         (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern):
1555         (JSC::Parser<LexerType>::parseConstDeclarationList):
1556         * parser/Parser.h:
1557         * parser/SyntaxChecker.h:
1558         (JSC::SyntaxChecker::operatorStackPop):
1559
1560 2015-06-17  Joseph Pecoraro  <pecoraro@apple.com>
1561
1562         Web Inspector: Do not show JavaScriptCore builtins in inspector
1563         https://bugs.webkit.org/show_bug.cgi?id=146049
1564
1565         Reviewed by Timothy Hatcher.
1566
1567         * debugger/Debugger.cpp:
1568
1569 2015-06-17  Andreas Kling  <akling@apple.com>
1570
1571         [JSC] jsSubstring() should have a fast path for 0..baseLength "substrings."
1572         <https://webkit.org/b/146051>
1573
1574         Reviewed by Anders Carlsson.
1575
1576         If asked to make a substring that actually spans the entire base string,
1577         have jsSubstring() just return the base instead of allocating a new JSString.
1578
1579         3% speed-up on Octane/regexp.
1580
1581         * runtime/JSString.h:
1582         (JSC::jsSubstring):
1583
1584 2015-06-16  Alex Christensen  <achristensen@webkit.org>
1585
1586         32-bit build fix after r185640.
1587
1588         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1589         Explicitly cast clamped int64_t to an int.
1590
1591 2015-06-09  Filip Pizlo  <fpizlo@apple.com>
1592
1593         FTL should eliminate array bounds checks in loops
1594         https://bugs.webkit.org/show_bug.cgi?id=145768
1595
1596         Reviewed by Benjamin Poulain.
1597         
1598         This adds a phase that does forward propagation of integer inequalities. This allows us
1599         to do the algebraic reasoning we need to eliminate array bounds checks in loops. It
1600         also eliminates overflow checks on ArithAdd with a constant.
1601         
1602         The phase's analysis produces results that are powerful enough to do speculative bounds
1603         check hoisting, but this phase currently only does elimination. We can implement
1604         hoisting later.
1605         
1606         On programs that just loop over an array like:
1607         
1608             for (var i = 0; i < array.length; ++i)
1609                 thingy += array[i]
1610         
1611         This change is a 60% speed-up.
1612         
1613         This is also a ~3% speed-up on Kraken, and it shows various speed-ups on individual
1614         tests in Octane.
1615
1616         * CMakeLists.txt:
1617         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1618         * JavaScriptCore.xcodeproj/project.pbxproj:
1619         * dfg/DFGIntegerRangeOptimizationPhase.cpp: Added.
1620         (JSC::DFG::performIntegerRangeOptimization):
1621         * dfg/DFGIntegerRangeOptimizationPhase.h: Added.
1622         * dfg/DFGPlan.cpp:
1623         (JSC::DFG::Plan::compileInThreadImpl):
1624         * tests/stress/add-overflows-after-not-equal.js: Added.
1625         * tests/stress/no-abc-skippy-loop.js: Added.
1626         * tests/stress/no-abc-skippy-paired-loop.js: Added.
1627         * tests/stress/sub-overflows-after-not-equal.js: Added.
1628
1629 2015-06-16  Andreas Kling  <akling@apple.com>
1630
1631         Remove unused template parameter InlineCapacity from SegmentedVector.
1632         <https://webkit.org/b/146044>
1633
1634         Reviewed by Anders Carlsson.
1635
1636         * bytecode/ArrayProfile.h:
1637         * dfg/DFGCommonData.h:
1638
1639 2015-06-16  Michael Saboff  <msaboff@apple.com>
1640
1641         Inlining in the DFG trashes ByteCodeParser::m_currentInstruction for the calling function
1642         https://bugs.webkit.org/show_bug.cgi?id=146029
1643
1644         Reviewed by Benjamin Poulain.
1645
1646         Save and restore m_currentInstruction around call to ByteCodeParser::inlineCall() as it will
1647         use m_currentInstruction during its own parsing.  This happens because inlineCall() parses the
1648         inlined callee's bytecodes by calling parseCodeBlock() which calls parseBlock() on each block.
1649         It is in parseBlock() that we set m_currentInstruction to an instruction before we parse it.
1650
1651         * dfg/DFGByteCodeParser.cpp:
1652         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1653         (JSC::DFG::ByteCodeParser::parseBlock): Added an ASSERT to catch this issue.
1654
1655 2015-06-16  Filip Pizlo  <fpizlo@apple.com>
1656
1657         Unreviewed, roll out unintended JSC change from https://trac.webkit.org/changeset/185425.
1658
1659         * bytecode/CodeBlock.h:
1660         (JSC::CodeBlock::hasExitSite):
1661         (JSC::CodeBlock::exitProfile):
1662         (JSC::CodeBlock::numberOfExitSites): Deleted.
1663         * bytecode/DFGExitProfile.cpp:
1664         (JSC::DFG::ExitProfile::add):
1665         * bytecode/DFGExitProfile.h:
1666         (JSC::DFG::ExitProfile::hasExitSite):
1667         (JSC::DFG::ExitProfile::size): Deleted.
1668         * dfg/DFGByteCodeParser.cpp:
1669         (JSC::DFG::ByteCodeParser::inliningCost):
1670         * runtime/Options.h:
1671
1672 2015-06-16  Mark Lam  <mark.lam@apple.com>
1673
1674         Use NakedPtr<Exception>& to return exception results.
1675         https://bugs.webkit.org/show_bug.cgi?id=145870
1676
1677         Reviewed by Anders Carlsson and Filip Pizlo.
1678
1679         Before r185259, calls into the VM took a JSValue* exception result argument for
1680         returning any uncaught exception that may have been thrown while executing JS code.
1681         As a result, clients of the VM functions will declare a local JSValue exception
1682         result which is automatically initialized to a null value (i.e. the empty value,
1683         not the JS null value).
1684
1685         With r185259, the VM functions were changed to take an Exception*& exception result
1686         instead, and the VM functions are responsible for initializing the exception result
1687         to null if no exception is thrown.
1688
1689         This introduces 2 issues:
1690
1691         1. the VM functions are vulnerable to modifications that may add early returns
1692            before the exception result is nullified.  This can result in the exception
1693            result being used without initialization.
1694
1695         2. Previously, a client could technically use the same exception result for more
1696            than one call into the VM functions.  If an earlier call sets it to a thrown
1697            value, the thrown value will stick unless a subsequent call throws a different
1698            exception.
1699
1700            With the new Exception*& exception result, the VM functions will always clear
1701            the exception result before proceeding.  As a result, the client's exception
1702            result will be null after the second call even though the first call saw an
1703            exception thrown.  This is a change in the expected behavior.
1704
1705         To fix these issues, we'll introduce a NakedPtr smart pointer whose sole purpose
1706         is to guarantee that the pointer is initialized.  The VM functions will now take
1707         a NakedPtr<Exception>& instead of the Exception*&.  This ensures that the
1708         exception result is initialized.
1709
1710         The VM functions are also reverted to only set the exception result if a new
1711         exception is thrown.
1712
1713         * API/JSBase.cpp:
1714         (JSEvaluateScript):
1715         * API/JSScriptRef.cpp:
1716         * bindings/ScriptFunctionCall.cpp:
1717         (Deprecated::ScriptFunctionCall::call):
1718         * bindings/ScriptFunctionCall.h:
1719         * debugger/Debugger.cpp:
1720         (JSC::Debugger::hasBreakpoint):
1721         * debugger/Debugger.h:
1722         * debugger/DebuggerCallFrame.cpp:
1723         (JSC::DebuggerCallFrame::thisValue):
1724         (JSC::DebuggerCallFrame::evaluate):
1725         * debugger/DebuggerCallFrame.h:
1726         (JSC::DebuggerCallFrame::isValid):
1727         * inspector/InjectedScriptManager.cpp:
1728         (Inspector::InjectedScriptManager::createInjectedScript):
1729         * inspector/InspectorEnvironment.h:
1730         * inspector/JSJavaScriptCallFrame.cpp:
1731         (Inspector::JSJavaScriptCallFrame::evaluate):
1732         * inspector/JavaScriptCallFrame.h:
1733         (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
1734         (Inspector::JavaScriptCallFrame::thisValue):
1735         (Inspector::JavaScriptCallFrame::evaluate):
1736         * inspector/ScriptDebugServer.cpp:
1737         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
1738         * jsc.cpp:
1739         (functionRun):
1740         (functionLoad):
1741         (runWithScripts):
1742         (runInteractive):
1743         * runtime/CallData.cpp:
1744         (JSC::call):
1745         * runtime/CallData.h:
1746         * runtime/Completion.cpp:
1747         (JSC::checkSyntax):
1748         (JSC::evaluate):
1749         * runtime/Completion.h:
1750         (JSC::evaluate):
1751
1752 2015-06-15  Filip Pizlo  <fpizlo@apple.com>
1753
1754         FTL boolify() UntypedUse is wrong in the masquerades-as-undefined case
1755         https://bugs.webkit.org/show_bug.cgi?id=146002
1756
1757         Reviewed by Darin Adler.
1758
1759         * ftl/FTLLowerDFGToLLVM.cpp: Put this in an anonymous namespace. We should have done that all along. It makes it easier to add debug code.
1760         (JSC::FTL::DFG::LowerDFGToLLVM::boolify): Fix the bug.
1761         * tests/stress/logical-not-masquerades.js: Added. This test creates a masquerader so that the watchpoint is invalid. Previously this would fail for the normal object cases.
1762         (foo):
1763
1764 2015-06-16  Andreas Kling  <akling@apple.com>
1765
1766         [JSC] Pre-bake final Structure for RegExp matches arrays.
1767         <https://webkit.org/b/146006>
1768
1769         Reviewed by Darin Adler.
1770
1771         Since we always add the "index" and "input" fields to RegExp matches arrays,
1772         cache a finished structure on the global object so we can create these arrays without
1773         starting from scratch with a bare array every time.
1774
1775         10% progression on Octane/regexp (on my MBP.)
1776
1777         * runtime/JSArray.h:
1778         (JSC::JSArray::create):
1779         (JSC::JSArray::tryCreateUninitialized):
1780         (JSC::JSArray::createWithButterfly): Factored out JSArray construction into a helper
1781         so we can call this from RegExpMatchesArray.cpp.
1782
1783         * runtime/JSGlobalObject.cpp:
1784         (JSC::JSGlobalObject::init):
1785         (JSC::JSGlobalObject::visitChildren):
1786         * runtime/JSGlobalObject.h:
1787         (JSC::JSGlobalObject::regExpMatchesArrayStructure): Add a cached Structure for RegExp
1788         subpattern matches arrays.
1789
1790         * runtime/JSObject.h:
1791         (JSC::JSNonFinalObject::finishCreation): Tweak assertion that used to check that
1792         JSNonFinalObjects always start out with zero capacity. Since RegExp matches arrays now
1793         start out with capacity for 2 properties, that won't work. Change it to check that we
1794         don't have inline storage instead, since that should only be used by final objects.
1795
1796         * runtime/RegExpMatchesArray.h:
1797         * runtime/RegExpMatchesArray.cpp:
1798         (JSC::tryCreateUninitializedRegExpMatchesArray): Helper to construct a JSArray with
1799         the cached Structure and a Butterfly with 2 slots of property storage.
1800
1801         (JSC::createRegExpMatchesArray):
1802         (JSC::createRegExpMatchesArrayStructure): Creates the array Structure that gets cached
1803         by the JSGlobalObject.
1804
1805 2015-06-16  Saam Barati  <saambarati1@gmail.com>
1806
1807         LLInt's code path for get_from_scope with case GlobalVarWithVarInjectionChecks has dead code
1808         https://bugs.webkit.org/show_bug.cgi?id=144268
1809
1810         Reviewed by Darin Adler.
1811
1812         The call to loadVariable(.) both for 32bit and 64bit is unnecessary. 
1813         It grabs a value that is immediately overwritten by a call to getGlobalVar(). 
1814
1815         * llint/LowLevelInterpreter32_64.asm:
1816         * llint/LowLevelInterpreter64.asm:
1817
1818 2015-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1819
1820         [ES6] Introduce %IteratorPrototype% and drop all XXXIteratorConstructor
1821         https://bugs.webkit.org/show_bug.cgi?id=145963
1822
1823         Reviewed by Darin Adler.
1824
1825         ES6 iterators inherit %IteratorPrototype%.
1826         And these prototype objects of derived iterators don't have @@iterator methods.
1827         Instead they use the %IteratorPrototype%[@@iterator] method.
1828
1829         To encourage inlining in for-of statement, we define this method in JS builtins.
1830
1831         And these iterator prototype objects don't have any constructor function.
1832         This patch drops them (like StringIteratorConstructor).
1833
1834         * CMakeLists.txt:
1835         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1836         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1837         * JavaScriptCore.xcodeproj/project.pbxproj:
1838         * builtins/Iterator.prototype.js: Renamed from Source/JavaScriptCore/runtime/StringIteratorConstructor.cpp.
1839         (SymbolIterator):
1840         * runtime/ArrayIteratorConstructor.cpp:
1841         (JSC::ArrayIteratorConstructor::finishCreation): Deleted.
1842         * runtime/ArrayIteratorConstructor.h: Removed.
1843         (JSC::ArrayIteratorConstructor::create): Deleted.
1844         (JSC::ArrayIteratorConstructor::createStructure): Deleted.
1845         (JSC::ArrayIteratorConstructor::ArrayIteratorConstructor): Deleted.
1846         * runtime/ArrayIteratorPrototype.cpp:
1847         (JSC::ArrayIteratorPrototype::finishCreation):
1848         (JSC::arrayIteratorProtoFuncIterator): Deleted.
1849         * runtime/IteratorPrototype.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorConstructor.cpp.
1850         (JSC::IteratorPrototype::finishCreation):
1851         * runtime/IteratorPrototype.h: Renamed from Source/JavaScriptCore/runtime/SetIteratorConstructor.h.
1852         (JSC::IteratorPrototype::create):
1853         (JSC::IteratorPrototype::createStructure):
1854         (JSC::IteratorPrototype::IteratorPrototype):
1855         * runtime/JSFunction.cpp:
1856         (JSC::JSFunction::createBuiltinFunction):
1857         * runtime/JSFunction.h:
1858         * runtime/JSGlobalObject.cpp:
1859         (JSC::JSGlobalObject::init):
1860         (JSC::JSGlobalObject::visitChildren):
1861         * runtime/JSGlobalObject.h:
1862         (JSC::JSGlobalObject::iteratorPrototype):
1863         * runtime/MapIteratorConstructor.cpp: Removed.
1864         (JSC::MapIteratorConstructor::finishCreation): Deleted.
1865         * runtime/MapIteratorConstructor.h: Removed.
1866         (JSC::MapIteratorConstructor::create): Deleted.
1867         (JSC::MapIteratorConstructor::createStructure): Deleted.
1868         (JSC::MapIteratorConstructor::MapIteratorConstructor): Deleted.
1869         * runtime/MapIteratorPrototype.cpp:
1870         (JSC::MapIteratorPrototype::finishCreation): Deleted.
1871         (JSC::MapIteratorPrototypeFuncIterator): Deleted.
1872         * runtime/SetIteratorConstructor.cpp: Removed.
1873         (JSC::SetIteratorConstructor::finishCreation): Deleted.
1874         * runtime/SetIteratorConstructor.h:
1875         (JSC::SetIteratorConstructor::create): Deleted.
1876         (JSC::SetIteratorConstructor::createStructure): Deleted.
1877         (JSC::SetIteratorConstructor::SetIteratorConstructor): Deleted.
1878         * runtime/SetIteratorPrototype.cpp:
1879         (JSC::SetIteratorPrototype::finishCreation): Deleted.
1880         (JSC::SetIteratorPrototypeFuncIterator): Deleted.
1881         * runtime/StringIteratorConstructor.cpp:
1882         (JSC::StringIteratorConstructor::finishCreation): Deleted.
1883         * runtime/StringIteratorConstructor.h: Removed.
1884         (JSC::StringIteratorConstructor::create): Deleted.
1885         (JSC::StringIteratorConstructor::createStructure): Deleted.
1886         (JSC::StringIteratorConstructor::StringIteratorConstructor): Deleted.
1887         * runtime/StringIteratorPrototype.cpp:
1888         (JSC::StringIteratorPrototype::finishCreation):
1889         (JSC::stringIteratorPrototypeIterator): Deleted.
1890         * tests/stress/iterator-prototype.js: Added.
1891         (shouldBe):
1892         (inheritIteratorPrototype):
1893         (testChain):
1894
1895 2015-06-15  Michael Saboff  <msaboff@apple.com>
1896
1897         JIT bug - fails when inspector closed, works when open
1898         https://bugs.webkit.org/show_bug.cgi?id=145243
1899
1900         Reviewed by Oliver Hunt.
1901
1902         We need to provide the Arguments object as the base when creating the HeapLocation for
1903         GetFromArguments and PutToArguments.  Otherwise we end up creating a HeapLocation for
1904         any arguments object, not the one we need.
1905
1906         * dfg/DFGClobberize.h:
1907         (JSC::DFG::clobberize):
1908
1909 2015-06-13  Joseph Pecoraro  <pecoraro@apple.com>
1910
1911         Web Inspector: console.table() with a list of objects no longer works
1912         https://bugs.webkit.org/show_bug.cgi?id=145952
1913
1914         Reviewed by Timothy Hatcher.
1915
1916         * inspector/InjectedScriptSource.js:
1917         (InjectedScript.RemoteObject.prototype._generatePreview):
1918         Calling generatePreview again was actually starting with a preview
1919         of the current object instead of the sub-value. Go down the other
1920         path that correctly generates sub-previews. Leave filtering on the
1921         backend unimplemented, which we were already ignoring.
1922
1923 2015-06-13  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1924
1925         [Streams API] ReadableJSStream should handle promises returned by JS source start callback
1926         https://bugs.webkit.org/show_bug.cgi?id=145792
1927
1928         Reviewed by Darin Adler.
1929
1930         Added support for JSFunction implemented by std::function.
1931
1932         * runtime/JSFunction.cpp:
1933         (JSC::getNativeExecutable): Refactored code to share it with the two JSFunction::create
1934         (JSC::JSFunction::create):
1935         (JSC::runStdFunction):
1936         * runtime/JSFunction.h: Added std::function based JSFunction::create prototype.
1937         * runtime/JSPromise.h:
1938
1939 2015-06-12  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
1940
1941         Purge PassRefPtr in JavaScriptCore - 2
1942         https://bugs.webkit.org/show_bug.cgi?id=145834
1943
1944         Reviewed by Darin Adler.
1945
1946         As a step to remove PassRefPtr, this patch cleans up PassRefPtr as much as possible
1947         in JavaScriptCore.
1948
1949         * API/JSClassRef.cpp:
1950         (OpaqueJSClass::create):
1951         * API/JSClassRef.h:
1952         * debugger/DebuggerCallFrame.cpp:
1953         (JSC::DebuggerCallFrame::callerFrame):
1954         * debugger/DebuggerCallFrame.h:
1955         * dfg/DFGJITCompiler.h:
1956         (JSC::DFG::JITCompiler::jitCode):
1957         * inspector/ScriptCallStackFactory.cpp:
1958         (Inspector::createScriptCallStack):
1959         (Inspector::createScriptCallStackForConsole):
1960         (Inspector::createScriptCallStackFromException):
1961         (Inspector::createScriptArguments):
1962         * inspector/ScriptCallStackFactory.h:
1963         * jit/ExecutableAllocator.cpp:
1964         (JSC::ExecutableAllocator::allocate):
1965         * jit/ExecutableAllocator.h:
1966         * jit/ExecutableAllocatorFixedVMPool.cpp:
1967         (JSC::ExecutableAllocator::allocate):
1968         * profiler/LegacyProfiler.cpp:
1969         (JSC::LegacyProfiler::stopProfiling):
1970         * profiler/LegacyProfiler.h:
1971         * runtime/DateInstanceCache.h:
1972         * runtime/Executable.cpp:
1973         (JSC::ScriptExecutable::newCodeBlockFor):
1974         * runtime/Executable.h:
1975         * runtime/GenericTypedArrayView.h:
1976         * runtime/GenericTypedArrayViewInlines.h:
1977         (JSC::GenericTypedArrayView<Adaptor>::create):
1978         (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
1979
1980 2015-06-12  Darin Adler  <darin@apple.com>
1981
1982         Fix minor ES6 compliance issue in RegExp.prototype.toString and optimize performance a little
1983         https://bugs.webkit.org/show_bug.cgi?id=145935
1984
1985         Reviewed by Anders Carlsson.
1986
1987         Test: js/regexp-toString.html
1988
1989         * runtime/RegExpPrototype.cpp:
1990         (JSC::getFlags): Avoid memory allocation for the flags string by returning it in a character
1991         buffer instead of constructing a WTF::String for it.
1992         (JSC::regExpProtoFuncToString): Require only that the this value be an object; don't require
1993         that it is actually a regular expression object. This is covered in the ES6 specification.
1994         Also removed comment about the "/(?:)/" trick since that is now the responsibility of the
1995         getter for the "source" property. Updated to use getFlags so we do one less memory allocation.
1996         (JSC::regExpProtoGetterFlags): Changed to use getFlags instead of the old flagsString.
1997
1998 2015-06-12  Basile Clement  <basile_clement@apple.com>
1999
2000         DFG Object Allocation Sinking should not consider GetClosureVar as escapes
2001         https://bugs.webkit.org/show_bug.cgi?id=145904
2002
2003         Reviewed by Filip Pizlo.
2004
2005         The object allocation sinking phase is currently able to sink
2006         CreateActivation nodes, but will consider any GetClosureVar node as
2007         escaping.
2008
2009         This is not problematic in general as most of the GetClosureVar nodes
2010         we would have been able to sink over will have been eliminated by CSE
2011         anyway. Still, this is an oversight that we should fix since the
2012         machinery is already in place.
2013
2014         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2015         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
2016         * dfg/DFGPromoteHeapAccess.h:
2017         (JSC::DFG::promoteHeapAccess):
2018
2019 2015-06-11  Mark Lam  <mark.lam@apple.com>
2020
2021         WebCore::reportException() needs to be able to accept a raw thrown value in addition to Exception objects.
2022         https://bugs.webkit.org/show_bug.cgi?id=145872
2023
2024         Reviewed by Michael Saboff.
2025
2026         In r185259, we changed exception handling code inside the VM to work with
2027         Exception objects instead of the thrown JSValue.  The handling code will get the
2028         exception stack trace from the Exception object.
2029
2030         However, there is some code that cannot be updated to pass the Exception object.
2031         An example of this are the ObjC API functions.  Those functions are specified to
2032         return any thrown exception JSValue in a JSValueRef.  Since these APIs are
2033         public, we cannot arbitrarily change them to use the Exception object.
2034
2035         There is client code that calls these APIs and then passes the returned exception
2036         JSValue to WebCore::reportException() to be reported.  WebCore::reportException()
2037         previously relied on the VM::exceptionStackTrace() to provide a cache of the
2038         stack trace of the last thrown exception.  VM::exceptionStackTrace() no longer
2039         exists in the current code.
2040
2041         To restore this functionality, we will introduce VM::lastException() which
2042         caches the last thrown Exception object.  With this, if the exception passed to
2043         WebCore::reportException() to be reported isn't an Exception object (which has its
2044         own stack trace), reportException() can again use the cached exception stack trace
2045         which is available from VM::lastException().
2046
2047         * heap/Heap.cpp:
2048         (JSC::Heap::visitException):
2049         - visit VM::m_lastException on GCs.
2050
2051         * interpreter/CallFrame.h:
2052         (JSC::ExecState::lastException):
2053         (JSC::ExecState::clearLastException):
2054         - convenience functions to get and clear the last exception.
2055
2056         * runtime/Exception.cpp:
2057         (JSC::Exception::create):
2058         (JSC::Exception::finishCreation):
2059         - add support to create an Exception object without capturing the JS stack trace.
2060           This is needed for making an Exception object to wrap a thrown value that does
2061           not have a stack trace.
2062           Currently, this is only used by WebCore::reportException() when there is no
2063           Exception object and no last exception available to provide a stack trace.
2064
2065         * runtime/Exception.h:
2066         (JSC::Exception::cast): Deleted.  No longer needed.
2067
2068         * runtime/VM.h:
2069         (JSC::VM::clearLastException):
2070         (JSC::VM::setException):
2071         (JSC::VM::lastException):
2072         (JSC::VM::addressOfLastException):
2073         - Added support for VM::m_lastException.
2074           VM::m_lastException serves to cache the exception stack of the most recently
2075           thrown exception like VM::exceptionStackTrace() used to before r185259.
2076
2077         * runtime/VMEntryScope.cpp:
2078         (JSC::VMEntryScope::VMEntryScope):
2079         - Clear VM::m_lastException when we re-enter the VM.  Exceptions should have been
2080           handled before we re-enter the VM anyway.  So, this is a good place to release
2081           the cached last exception.
2082
2083           NOTE: this is also where the old code before r185259 clears the last exception
2084           stack trace.  So, we're just restoring the previous behavior here in terms of
2085           the lifecycle of the last exception stack.
2086
2087 2015-06-11  Andreas Kling  <akling@apple.com>
2088
2089         jsSubstring() should support creating substrings from substrings.
2090         <https://webkit.org/b/145427>
2091
2092         Reviewed by Geoffrey Garen.
2093
2094         Tweak jsSubstring() to support base strings that are themselves substrings.
2095         They will now share the same grandparent base. This avoids creating a new StringImpl.
2096
2097         * runtime/JSString.h:
2098         (JSC::jsSubstring): Don't force rope resolution here. Instead do that in finishCreation()
2099         if the base string is a non-substring rope. Note that resolveRope() is the very last thing
2100         called, since it may allocate and the JSRopeString needs to be ready for marking.
2101
2102         (JSC::JSString::isSubstring): Added a helper to find out if a JSString is
2103         a substring. This is just for internal use, so you don't have to cast to
2104         JSRopeString for the real substringness flag.
2105
2106 2015-06-11  Commit Queue  <commit-queue@webkit.org>
2107
2108         Unreviewed, rolling out r185465.
2109         https://bugs.webkit.org/show_bug.cgi?id=145893
2110
2111         "This patch is breaking 32bit mac build" (Requested by youenn
2112         on #webkit).
2113
2114         Reverted changeset:
2115
2116         "[Streams API] ReadableJSStream should handle promises
2117         returned by JS source start callback"
2118         https://bugs.webkit.org/show_bug.cgi?id=145792
2119         http://trac.webkit.org/changeset/185465
2120
2121 2015-06-11  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2122
2123         [Streams API] ReadableJSStream should handle promises returned by JS source start callback
2124         https://bugs.webkit.org/show_bug.cgi?id=145792
2125
2126         Reviewed by Darin Adler.
2127
2128         Added support for JSFunction implemented by std::function.
2129
2130         * runtime/JSFunction.cpp:
2131         (JSC::getNativeExecutable): Refactored code to share it with the two JSFunction::create
2132         (JSC::JSFunction::create):
2133         (JSC::runStdFunction):
2134         * runtime/JSFunction.h: Added std::function based JSFunction::create prototype.
2135         * runtime/JSPromise.h:
2136
2137 2015-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2138
2139         ASSERTION FAILED: s.length() > 1 on LayoutTests/js/regexp-flags.html
2140         https://bugs.webkit.org/show_bug.cgi?id=145599
2141
2142         Unreviewed, simple follow up patch.
2143
2144         Use jsString instead of jsMakeNontrivialString
2145         since the flag string may be trivial (0 or 1 length).
2146
2147         * runtime/RegExpPrototype.cpp:
2148         (JSC::regExpProtoGetterFlags):
2149
2150 2015-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2151
2152         JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure
2153         https://bugs.webkit.org/show_bug.cgi?id=90678
2154
2155         Reviewed by Darin Adler.
2156
2157         After ES6, escaped reserved words in identifiers are prohibited.
2158         After parsing Identifier, we should perform `m_buffer16.shrink(0)`.
2159
2160         * parser/Lexer.cpp:
2161         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2162         * tests/mozilla/ecma_3/Unicode/uc-003.js:
2163         (test): Deleted.
2164         * tests/stress/reserved-word-with-escape.js: Added.
2165         (testSyntax):
2166         (testSyntaxError):
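
The behaviour this changeset enforces, as an added example (not the tests/stress/reserved-word-with-escape.js file from the patch): it probes the running engine's parser the way that test's testSyntax/testSyntaxError helpers do, by handing source strings to the Function constructor so they are parsed but never executed. The function names and the list of words checked are this example's own choices.

```javascript
"use strict";

// Added example, not JavaScriptCore code: the Function constructor parses the
// body without running it, so a SyntaxError here is a parse result, not a
// runtime failure.
function parsesAsFunctionBody(source) {
  try {
    new Function(source);
    return true;
  } catch (error) {
    if (error instanceof SyntaxError)
      return false;
    throw error; // anything else means the probe itself is broken
  }
}

// Spell every character of a name as a \uXXXX escape, e.g. "var" becomes
// "\u0076\u0061\u0072". The escapes decode to the same code points, which is
// exactly the spelling the old compatibility measure used to accept.
function escapeIdentifier(name) {
  return Array.from(name, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")).join("");
}

// Per ES6 a reserved word is still reserved when written with escapes, so a
// binding named by the escaped form must be rejected ...
function checkEscapedReservedWords(reservedWords) {
  return reservedWords.every((word) =>
    !parsesAsFunctionBody("var " + escapeIdentifier(word) + " = 1;"));
}

// ... while an escaped ordinary identifier stays legal.
function checkEscapedOrdinaryIdentifiers(names) {
  return names.every((name) =>
    parsesAsFunctionBody("var " + escapeIdentifier(name) + " = 1;"));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(parsesAsFunctionBody("var \\u0076ar = 1;"));                   // false
  console.log(checkEscapedReservedWords(["var", "for", "if", "class"]));      // true
  console.log(checkEscapedOrdinaryIdentifiers(["abc", "v4r", "varx"]));      // true
}
```

Run it under any ES6-conformant engine (jsc, node) and both checks return true; an engine that still applied the old compatibility measure would accept `var \u0076ar = 1;` and `checkEscapedReservedWords` would return false.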
2167
2168 2015-06-10  Jordan Harband  <ljharb@gmail.com>
2169
2170         Implement RegExp.prototype.flags
2171         https://bugs.webkit.org/show_bug.cgi?id=145599
2172
2173         Reviewed by Geoffrey Garen.
2174         Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-get-regexp.prototype.flags
2175
2176         * runtime/CommonIdentifiers.h:
2177         * runtime/RegExpPrototype.cpp:
2178         (JSC::flagsString):
2179         (JSC::regExpProtoFuncToString):
2180         (JSC::regExpProtoGetterFlags):
2181         * tests/stress/static-getter-in-names.js:
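
A spec-shaped reference for this entry and for the RegExp.prototype.toString change (145935, earlier in this file), as an added example that is not JavaScriptCore code: the flags getter reads the five boolean flag properties in the order the ES6 draft gives, and toString only requires its `this` value to be an object, reading "source" and "flags" generically, which is why the JSC change drops the "is this really a RegExp" check. Function names are this example's own.

```javascript
"use strict";

// Added example, not JavaScriptCore code: ES6 get RegExp.prototype.flags,
// written as a plain function over an arbitrary object.
const FLAG_PROPERTIES = [
  ["global", "g"],
  ["ignoreCase", "i"],
  ["multiline", "m"],
  ["unicode", "u"],
  ["sticky", "y"],
];

function requireObject(value, what) {
  if (value === null || (typeof value !== "object" && typeof value !== "function"))
    throw new TypeError(what + " requires an object as this value");
}

function regExpFlags(thisValue) {
  requireObject(thisValue, "RegExp.prototype.flags");
  let result = "";
  for (const [property, flagChar] of FLAG_PROPERTIES) {
    // ToBoolean(Get(R, property)); the property may be a getter or a plain value.
    if (thisValue[property])
      result += flagChar;
  }
  return result;
}

// ES6 RegExp.prototype.toString: no RegExp brand check, just Get(R, "source")
// and Get(R, "flags"), each converted with ToString.
function regExpToString(thisValue) {
  requireObject(thisValue, "RegExp.prototype.toString");
  return "/" + String(thisValue.source) + "/" + String(thisValue.flags);
}

// Cross-check both functions against the engine's own implementation.
function compareWithNative(regexps) {
  return regexps.every((re) =>
    regExpFlags(re) === re.flags && regExpToString(re) === re.toString());
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed inputs: a plain object is accepted by both operations.
  console.log(regExpFlags({ global: true, sticky: 1 }));               // "gy"
  console.log(regExpToString({ source: "a+b", flags: "gi" }));         // "/a+b/gi"
  console.log(compareWithNative([/x/, /x/gimuy, new RegExp("", "m")])); // true
}
```

Note that `new RegExp("", "m")` round-trips as `/(?:)/m` only because the "source" getter substitutes `(?:)` for the empty pattern; toString no longer has to know about that, which is the comment the 145935 entry says it removed.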
2182
2183 2015-06-10  Filip Pizlo  <fpizlo@apple.com>
2184
2185         DFG ASSERTION FAILED: !iterate() on stress/singleton-scope-then-overwrite.js.ftl-eager
2186         https://bugs.webkit.org/show_bug.cgi?id=145853
2187
2188         Unreviewed, remove the assertion.
2189
2190         * dfg/DFGCSEPhase.cpp:
2191
2192 2015-06-10  Commit Queue  <commit-queue@webkit.org>
2193
2194         Unreviewed, rolling out r185414.
2195         https://bugs.webkit.org/show_bug.cgi?id=145844
2196
2197         broke debug and jsc tests (Requested by alexchristensen on
2198         #webkit).
2199
2200         Reverted changeset:
2201
2202         "JavaScript: Drop the “escaped reserved words as identifiers”
2203         compatibility measure"
2204         https://bugs.webkit.org/show_bug.cgi?id=90678
2205         http://trac.webkit.org/changeset/185414
2206
2207 2015-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2208
2209         JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure
2210         https://bugs.webkit.org/show_bug.cgi?id=90678
2211
2212         Reviewed by Darin Adler.
2213
2214         After ES6, escaped reserved words in identifiers are prohibited.
2215
2216         * parser/Lexer.cpp:
2217         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2218         * tests/stress/reserved-word-with-escape.js: Added.
2219         (testSyntax):
2220         (testSyntaxError):
2221
2222 2015-06-10  Andreas Kling  <akling@apple.com>
2223
2224         [JSC] InlineCallFrame::arguments should be sized-to-fit.
2225         <https://webkit.org/b/145782>
2226
2227         Reviewed by Darin Adler.
2228
2229         I spotted this Vector<ValueRecovery> looking a bit chubby in Instruments,
2230         with 354 kB of memory allocated on cnet.com.
2231
2232         Use resizeToFit() instead of resize() since we know the final size up front.
2233
2234         * dfg/DFGByteCodeParser.cpp:
2235         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2236
2237 2015-06-09  Chris Dumez  <cdumez@apple.com>
2238
2239         Allow one sync GC per gcTimer interval on critical memory pressure warning
2240         https://bugs.webkit.org/show_bug.cgi?id=145773
2241
2242         Reviewed by Geoffrey Garen.
2243
2244         On critical memory pressure warning, we were calling GCController::garbageCollectSoon(),
2245         which does not offer any guarantee on when the garbage collection will actually take
2246         place.
2247
2248         On critical memory pressure, we need to free up memory as soon as possible to avoid
2249         getting killed so this is an issue. Also, the fact that we clear the PageCache on
2250         critical memory pressure means a GC would likely be useful, even if the last
2251         collection did not free much memory.
2252
2253         This patch adds a new GCController::garbageCollectNowIfNotDoneRecently() API that allows
2254         one synchronous GC per gcTimer interval on critical memory pressure warning. This makes
2255         us more responsive to critical memory pressure and avoids doing synchronous GCs too
2256         often.
2257
2258         * heap/FullGCActivityCallback.cpp:
2259         (JSC::FullGCActivityCallback::doCollection):
2260         * heap/FullGCActivityCallback.h:
2261         (JSC::GCActivityCallback::createFullTimer):
2262         * heap/GCActivityCallback.h:
2263         * heap/Heap.cpp:
2264         (JSC::Heap::collectAllGarbageIfNotDoneRecently):
2265         * heap/Heap.h:
2266
2267         * heap/IncrementalSweeper.cpp:
2268         (JSC::IncrementalSweeper::doWork): Deleted.
2269         * heap/IncrementalSweeper.h:
2270
2271         Drop fullSweep() API as it no longer seems useful. garbageCollectNow()
2272         already does a sweep after the full collection.
2273
2274 2015-06-09  Andreas Kling  <akling@apple.com>
2275
2276         [JSC] CodeBlock::m_constantRegisters should be sized-to-fit.
2277         <https://webkit.org/b/145784>
2278
2279         Reviewed by Darin Adler.
2280
2281         Spotted this Vector looking chubby on cnet.com, with 1.23 MB of memory
2282         allocated below CodeBlock::setConstantRegisters().
2283
2284         Use resizeToFit() instead since we know the final size up front.
2285         Also removed some unused functions that operated on this constants vector
2286         and the corresponding one in UnlinkedCodeBlock.
2287
2288         * bytecode/CodeBlock.cpp:
2289         (JSC::CodeBlock::addOrFindConstant): Deleted.
2290         (JSC::CodeBlock::findConstant): Deleted.
2291         * bytecode/CodeBlock.h:
2292         (JSC::CodeBlock::setConstantRegisters):
2293         (JSC::CodeBlock::numberOfConstantRegisters): Deleted.
2294         * bytecode/UnlinkedCodeBlock.cpp:
2295         (JSC::UnlinkedCodeBlock::addOrFindConstant): Deleted.
2296         * bytecode/UnlinkedCodeBlock.h:
2297         (JSC::UnlinkedCodeBlock::numberOfConstantRegisters): Deleted.
2298         (JSC::UnlinkedCodeBlock::getConstant): Deleted.
2299
2300 2015-06-09  Andreas Kling  <akling@apple.com>
2301
2302         [JSC] Polymorphic{Get,Put}ByIdList::addAccess() should optimize for size, not speed.
2303         <https://webkit.org/b/145786>
2304
2305         Reviewed by Darin Adler.
2306
2307         These functions already contained comments saying they optimize for size over speed,
2308         but they were using Vector::resize() which adds the usual slack for faster append().
2309
2310         Switch them over to using Vector::resizeToFit() instead, which makes the Vector
2311         allocate a perfectly sized backing store.
2312
2313         Spotted 670 kB of the GetById ones, and 165 kB of PutById on cnet.com, so these
2314         Vectors are definitely worth shrink-wrapping.
2315
2316         * bytecode/PolymorphicGetByIdList.cpp:
2317         (JSC::PolymorphicGetByIdList::addAccess):
2318         * bytecode/PolymorphicPutByIdList.cpp:
2319         (JSC::PolymorphicPutByIdList::addAccess):
2320
2321 2015-06-09  Andreas Kling  <akling@apple.com>
2322
2323         [JSC] JSPropertyNameEnumerator's property name vector should be sized-to-fit.
2324         <https://webkit.org/b/145787>
2325
2326         Reviewed by Darin Adler.
2327
2328         Saw 108 kB worth of JSPropertyNameEnumerator backing store Vectors on cnet.com.
2329         Use Vector::resizeToFit() since we know the perfect size up front.
2330
2331         * runtime/JSPropertyNameEnumerator.cpp:
2332         (JSC::JSPropertyNameEnumerator::finishCreation):
2333
2334 2015-06-09  Andreas Kling  <akling@apple.com>
2335
2336         FunctionExecutable::isCompiling() is weird and wrong.
2337         <https://webkit.org/b/145689>
2338
2339         Reviewed by Geoffrey Garen.
2340
2341         Remove FunctionExecutable::isCompiling() and the clearCodeIfNotCompiling() style
2342         functions that called it before throwing away code.
2343
2344         isCompiling() would consider the executable to be "compiling" if it had a CodeBlock
2345         but no JITCode. In practice, every executable gets a JITCode at the same time as it
2346         gets a CodeBlock, by way of prepareForExecutionImpl().
2347
2348         * debugger/Debugger.cpp:
2349         * heap/Heap.cpp:
2350         (JSC::Heap::deleteAllCompiledCode):
2351         (JSC::Heap::deleteAllUnlinkedFunctionCode):
2352         * inspector/agents/InspectorRuntimeAgent.cpp:
2353         (Inspector::TypeRecompiler::visit):
2354         * runtime/Executable.cpp:
2355         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
2356         (JSC::FunctionExecutable::clearCodeIfNotCompiling): Deleted.
2357         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilationIfNotCompiling): Deleted.
2358         * runtime/Executable.h:
2359         * runtime/VM.cpp:
2360         (JSC::StackPreservingRecompiler::visit):
2361
2362 2015-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2363
2364         Introduce getter definition into static hash tables and use it for getters in RegExp.prototype.
2365         https://bugs.webkit.org/show_bug.cgi?id=145705
2366
2367         Reviewed by Darin Adler.
2368
2369         In this patch, we introduce Accessor type into property tables.
2370         With Accessor type, create_hash_table creates a static getter property.
2371         This getter property is reified in the same way as the static functions.
2372
2373         In the meantime, we only support getters because `putEntry` and `lookupPut`
2374         only work with a null setter currently. However, in the spec, there's
2375         no need to add static setter properties. So we will add them if it becomes
2376         necessary in the future.
2377
2378         And at the same time, this patch fixes issue 145738. Before this patch,
2379         `putEntry` in `JSObject::deleteProperty` adds an `undefined` property if
2380         `isValidOffset(...)` is false (deleted). As a result, deleting twice
2381         revives the property with an `undefined` value.
2382
2383         If the static functions are reified and the entry is
2384         `BuiltinOrFunctionOrAccessor`, there's no need to execute `putEntry` with
2385         the static hash table entry. They should be handled in the normal structure's
2386         lookup because they should already be reified. So a guard was added for this.
2387
2388         * CMakeLists.txt:
2389         * DerivedSources.make:
2390         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2391         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2392         * JavaScriptCore.xcodeproj/project.pbxproj:
2393         * create_hash_table:
2394         * runtime/JSObject.cpp:
2395         (JSC::getClassPropertyNames):
2396         (JSC::JSObject::put):
2397         (JSC::JSObject::deleteProperty):
2398         (JSC::JSObject::reifyStaticFunctionsForDelete):
2399         * runtime/Lookup.cpp:
2400         (JSC::reifyStaticAccessor):
2401         (JSC::setUpStaticFunctionSlot):
2402         * runtime/Lookup.h:
2403         (JSC::HashTableValue::propertyGetter):
2404         (JSC::HashTableValue::propertyPutter):
2405         (JSC::HashTableValue::accessorGetter):
2406         (JSC::HashTableValue::accessorSetter):
2407         (JSC::getStaticPropertySlot):
2408         (JSC::getStaticValueSlot):
2409         (JSC::putEntry):
2410         (JSC::reifyStaticProperties):
2411         * runtime/PropertySlot.h:
2412         * runtime/RegExpObject.cpp:
2413         (JSC::RegExpObject::getOwnPropertySlot):
2414         (JSC::regExpObjectGlobal): Deleted.
2415         (JSC::regExpObjectIgnoreCase): Deleted.
2416         (JSC::regExpObjectMultiline): Deleted.
2417         (JSC::appendLineTerminatorEscape<LChar>): Deleted.
2418         (JSC::appendLineTerminatorEscape<UChar>): Deleted.
2419         (JSC::regExpObjectSourceInternal): Deleted.
2420         (JSC::regExpObjectSource): Deleted.
2421         * runtime/RegExpPrototype.cpp:
2422         (JSC::RegExpPrototype::getOwnPropertySlot):
2423         (JSC::regExpProtoGetterGlobal):
2424         (JSC::regExpProtoGetterIgnoreCase):
2425         (JSC::regExpProtoGetterMultiline):
2426         (JSC::appendLineTerminatorEscape<LChar>):
2427         (JSC::appendLineTerminatorEscape<UChar>):
2428         (JSC::regExpProtoGetterSourceInternal):
2429         (JSC::regExpProtoGetterSource):
2430         * tests/stress/static-function-delete.js: Added.
2431         (shouldBe):
2432         * tests/stress/static-function-put.js: Added.
2433         (shouldBe):
2434         * tests/stress/static-getter-delete.js: Added.
2435         (shouldBe):
2436         (shouldThrow):
2437         * tests/stress/static-getter-descriptors.js: Added.
2438         (shouldBe):
2439         * tests/stress/static-getter-enumeration.js: Added.
2440         (shouldBe):
2441         * tests/stress/static-getter-get.js: Added.
2442         (shouldBe):
2443         * tests/stress/static-getter-in-names.js: Added.
2444         (shouldBe):
2445         * tests/stress/static-getter-names.js: Added.
2446         (shouldBe):
2447         * tests/stress/static-getter-put.js: Added.
2448         (shouldBe):
2449         (shouldThrow):
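
The two invariants this entry describes, checked against the running engine, as an added example (not one of the tests/stress/static-getter-*.js files from the patch): a static getter on RegExp.prototype must reify as a real accessor (getter present, no setter, non-enumerable, configurable), and deleting a reified static property twice must leave it absent rather than reviving it as `undefined`, the bug referenced as 145738. The descriptor is copied onto a scratch object so the shared prototype is never mutated; function names are this example's own.

```javascript
"use strict";

// Added example, not JavaScriptCore code. Summarise an own property's
// descriptor the way the static-getter-descriptors test would inspect it.
function describeOwnProperty(object, name) {
  const d = Object.getOwnPropertyDescriptor(object, name);
  if (d === undefined)
    return null;
  return {
    isAccessor: typeof d.get === "function" || typeof d.set === "function",
    hasSetter: typeof d.set === "function",
    enumerable: d.enumerable,
    configurable: d.configurable,
  };
}

// Delete twice and look at the descriptor and at `in`, not just at the
// return value of delete: delete returns true for an already-missing
// property, so it alone would not catch a revived `undefined` property.
function deleteTwiceStaysDeleted(object, name) {
  if (!Object.prototype.hasOwnProperty.call(object, name))
    throw new Error(name + " is not an own property to begin with");
  const first = delete object[name];
  const second = delete object[name];
  return first && second
    && Object.getOwnPropertyDescriptor(object, name) === undefined
    && !(name in object);
}

// Scratch object mirroring what the static table reifies: the real
// RegExp.prototype getter (descriptor copied, prototype left untouched) plus
// a non-enumerable, configurable function property.
function makeScratchObject(getterName) {
  const scratch = {};
  Object.defineProperty(scratch, getterName,
    Object.getOwnPropertyDescriptor(RegExp.prototype, getterName));
  Object.defineProperty(scratch, "helper", {
    value: function helper() { return 1; },
    writable: true, enumerable: false, configurable: true,
  });
  return scratch;
}

function checkStaticProperties(getterName) {
  const shape = describeOwnProperty(RegExp.prototype, getterName);
  const scratch = makeScratchObject(getterName);
  return shape !== null && shape.isAccessor && !shape.hasSetter
    && !shape.enumerable && shape.configurable
    && deleteTwiceStaysDeleted(scratch, getterName)
    && deleteTwiceStaysDeleted(scratch, "helper");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(describeOwnProperty(RegExp.prototype, "global"));
  console.log(checkStaticProperties("global"), checkStaticProperties("flags")); // true true
}
```

An engine with the double-delete bug would report `checkStaticProperties` as false because the second delete leaves a data property whose value is `undefined`, which is visible to both `getOwnPropertyDescriptor` and `in`.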
2450
2451 2015-06-09  Andreas Kling  <akling@apple.com>
2452
2453         [JSC] JSString::getIndex() should avoid reifying substrings.
2454         <https://webkit.org/b/145803>
2455
2456         Reviewed by Darin Adler.
2457
2458         Implement getIndex() using JSString::view(), which cuts it down to a one-liner
2459         and also avoids reifying substrings.
2460
2461         I saw 178 kB of reified substrings below operationGetByVal -> getIndex()
2462         on cnet.com, so this should help.
2463
2464         * runtime/JSString.cpp:
2465         (JSC::JSRopeString::getIndexSlowCase): Deleted.
2466         * runtime/JSString.h:
2467         (JSC::JSString::getIndex):
2468
2469 2015-06-09  Andreas Kling  <akling@apple.com>
2470
2471         [JSC] String.prototype.indexOf() should use StringView.
2472         <https://webkit.org/b/145351>
2473
2474         Reviewed by Darin Adler.
2475
2476         Use StringView::find() to implement String.prototype.indexOf().
2477         This avoids reifying the needle and haystack JSStrings in case they
2478         are substrings.
2479
2480         Reduces malloc memory by ~190 kB on cnet.com.
2481
2482         * runtime/StringPrototype.cpp:
2483         (JSC::stringProtoFuncIndexOf):
2484
2485 2015-06-09  Csaba Osztrogonác  <ossy@webkit.org>
2486
2487         [cmake] Fix the style issues in cmake project files
2488         https://bugs.webkit.org/show_bug.cgi?id=145755
2489
2490         Reviewed by Darin Adler.
2491
2492         * CMakeLists.txt:
2493
2494 2015-06-08  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2495
2496         Purge PassRefPtr in JavaScriptCore
2497         https://bugs.webkit.org/show_bug.cgi?id=145750
2498
2499         As a step to purge PassRefPtr, this patch replaces PassRefPtr with Ref or RefPtr.
2500
2501         Reviewed by Darin Adler.
2502
2503         * API/JSClassRef.cpp:
2504         (OpaqueJSClass::createNoAutomaticPrototype):
2505         * API/JSClassRef.h:
2506         * API/JSContextRef.cpp:
2507         * API/JSScriptRef.cpp:
2508         (OpaqueJSScript::create):
2509         * API/JSStringRef.cpp:
2510         (JSStringCreateWithCharacters):
2511         (JSStringCreateWithUTF8CString):
2512         * API/OpaqueJSString.cpp:
2513         (OpaqueJSString::create):
2514         * API/OpaqueJSString.h:
2515         (OpaqueJSString::create):
2516         * bytecompiler/StaticPropertyAnalysis.h:
2517         (JSC::StaticPropertyAnalysis::create):
2518         * debugger/DebuggerCallFrame.h:
2519         (JSC::DebuggerCallFrame::create):
2520         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2521         (JSC::DFG::ToFTLDeferredCompilationCallback::create):
2522         * dfg/DFGToFTLDeferredCompilationCallback.h:
2523         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2524         (JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
2525         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::create): Deleted.
2526         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
2527         * dfg/DFGWorklist.cpp:
2528         (JSC::DFG::Worklist::create):
2529         (JSC::DFG::ensureGlobalDFGWorklist):
2530         (JSC::DFG::ensureGlobalFTLWorklist):
2531         * dfg/DFGWorklist.h:
2532         * heap/EdenGCActivityCallback.h:
2533         (JSC::GCActivityCallback::createEdenTimer):
2534         * heap/FullGCActivityCallback.h:
2535         (JSC::GCActivityCallback::createFullTimer):
2536         * heap/GCActivityCallback.h:
2537         * inspector/InjectedScriptHost.h:
2538         * inspector/JavaScriptCallFrame.h:
2539         (Inspector::JavaScriptCallFrame::create):
2540         * inspector/ScriptArguments.cpp:
2541         (Inspector::ScriptArguments::create):
2542         * inspector/ScriptArguments.h:
2543         * jit/JITStubRoutine.h:
2544         (JSC::JITStubRoutine::createSelfManagedRoutine):
2545         * jit/JITToDFGDeferredCompilationCallback.cpp:
2546         (JSC::JITToDFGDeferredCompilationCallback::create):
2547         * jit/JITToDFGDeferredCompilationCallback.h:
2548         * jsc.cpp:
2549         (jscmain):
2550         * parser/NodeConstructors.h:
2551         (JSC::ArrayPatternNode::create):
2552         (JSC::ObjectPatternNode::create):
2553         (JSC::BindingNode::create):
2554         * parser/Nodes.cpp:
2555         (JSC::FunctionParameters::create):
2556         * parser/Nodes.h:
2557         * parser/SourceProvider.h:
2558         (JSC::StringSourceProvider::create):
2559         * profiler/Profile.cpp:
2560         (JSC::Profile::create):
2561         * profiler/Profile.h:
2562         * profiler/ProfileGenerator.cpp:
2563         (JSC::ProfileGenerator::create):
2564         * profiler/ProfileGenerator.h:
2565         * profiler/ProfileNode.h:
2566         (JSC::ProfileNode::create):
2567         * runtime/DataView.cpp:
2568         (JSC::DataView::create):
2569         * runtime/DataView.h:
2570         * runtime/DateInstanceCache.h:
2571         (JSC::DateInstanceData::create):
2572         * runtime/JSPromiseReaction.cpp:
2573         (JSC::createExecutePromiseReactionMicrotask):
2574         * runtime/JSPromiseReaction.h:
2575         * runtime/PropertyNameArray.h:
2576         (JSC::PropertyNameArrayData::create):
2577         * runtime/TypeSet.h:
2578         (JSC::StructureShape::create):
2579         (JSC::TypeSet::create):
2580         * runtime/TypedArrayBase.h:
2581         (JSC::TypedArrayBase::create):
2582         (JSC::TypedArrayBase::createUninitialized):
2583         (JSC::TypedArrayBase::subarrayImpl):
2584         * runtime/VM.cpp:
2585         (JSC::VM::createContextGroup):
2586         (JSC::VM::create):
2587         (JSC::VM::createLeaked):
2588         * runtime/VM.h:
2589         * yarr/RegularExpression.cpp:
2590         (JSC::Yarr::RegularExpression::Private::create):
2591
2592 2015-06-08  Filip Pizlo  <fpizlo@apple.com>
2593
2594         It should be possible to hoist all constants in DFG SSA
2595         https://bugs.webkit.org/show_bug.cgi?id=145769
2596
2597         Reviewed by Geoffrey Garen.
2598         
2599         It's sometimes somewhat more efficient, and convenient, to have all constants at the
2600         top of the root block. We don't require this as an IR invariant because too many phases
2601         want to be able to insert constants in weird places. But, this phase will be great for
2602         preparing for https://bugs.webkit.org/show_bug.cgi?id=145768.
2603
2604         * CMakeLists.txt:
2605         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2606         * JavaScriptCore.xcodeproj/project.pbxproj:
2607         * dfg/DFGConstantHoistingPhase.cpp: Added.
2608         (JSC::DFG::performConstantHoisting):
2609         * dfg/DFGConstantHoistingPhase.h: Added.
2610         * dfg/DFGPlan.cpp:
2611         (JSC::DFG::Plan::compileInThreadImpl):
2612
2613 2015-06-07  Filip Pizlo  <fpizlo@apple.com>
2614
2615         The tiny set magic in StructureSet should be available in WTF
2616         https://bugs.webkit.org/show_bug.cgi?id=145722
2617
2618         Reviewed by Geoffrey Garen.
2619         
2620         I took the generic logic of small sets of pointers and moved it into WTF. Now,
2621         StructureSet is a subclass of TinyPtrSet<Structure*>. There shouldn't be any functional
2622         change.
2623
2624         * bytecode/StructureSet.cpp:
2625         (JSC::StructureSet::filter):
2626         (JSC::StructureSet::filterArrayModes):
2627         (JSC::StructureSet::speculationFromStructures):
2628         (JSC::StructureSet::arrayModesFromStructures):
2629         (JSC::StructureSet::dumpInContext):
2630         (JSC::StructureSet::dump):
2631         (JSC::StructureSet::clear): Deleted.
2632         (JSC::StructureSet::add): Deleted.
2633         (JSC::StructureSet::remove): Deleted.
2634         (JSC::StructureSet::contains): Deleted.
2635         (JSC::StructureSet::merge): Deleted.
2636         (JSC::StructureSet::exclude): Deleted.
2637         (JSC::StructureSet::isSubsetOf): Deleted.
2638         (JSC::StructureSet::overlaps): Deleted.
2639         (JSC::StructureSet::operator==): Deleted.
2640         (JSC::StructureSet::addOutOfLine): Deleted.
2641         (JSC::StructureSet::containsOutOfLine): Deleted.
2642         (JSC::StructureSet::copyFromOutOfLine): Deleted.
2643         (JSC::StructureSet::OutOfLineList::create): Deleted.
2644         (JSC::StructureSet::OutOfLineList::destroy): Deleted.
2645         * bytecode/StructureSet.h:
2646         (JSC::StructureSet::onlyStructure):
2647         (JSC::StructureSet::StructureSet): Deleted.
2648         (JSC::StructureSet::operator=): Deleted.
2649         (JSC::StructureSet::~StructureSet): Deleted.
2650         (JSC::StructureSet::isEmpty): Deleted.
2651         (JSC::StructureSet::genericFilter): Deleted.
2652         (JSC::StructureSet::isSupersetOf): Deleted.
2653         (JSC::StructureSet::size): Deleted.
2654         (JSC::StructureSet::at): Deleted.
2655         (JSC::StructureSet::operator[]): Deleted.
2656         (JSC::StructureSet::last): Deleted.
2657         (JSC::StructureSet::iterator::iterator): Deleted.
2658         (JSC::StructureSet::iterator::operator*): Deleted.
2659         (JSC::StructureSet::iterator::operator++): Deleted.
2660         (JSC::StructureSet::iterator::operator==): Deleted.
2661         (JSC::StructureSet::iterator::operator!=): Deleted.
2662         (JSC::StructureSet::begin): Deleted.
2663         (JSC::StructureSet::end): Deleted.
2664         (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine): Deleted.
2665         (JSC::StructureSet::ContainsOutOfLine::operator()): Deleted.
2666         (JSC::StructureSet::copyFrom): Deleted.
2667         (JSC::StructureSet::OutOfLineList::list): Deleted.
2668         (JSC::StructureSet::OutOfLineList::OutOfLineList): Deleted.
2669         (JSC::StructureSet::deleteStructureListIfNecessary): Deleted.
2670         (JSC::StructureSet::isThin): Deleted.
2671         (JSC::StructureSet::pointer): Deleted.
2672         (JSC::StructureSet::singleStructure): Deleted.
2673         (JSC::StructureSet::structureList): Deleted.
2674         (JSC::StructureSet::set): Deleted.
2675         (JSC::StructureSet::setEmpty): Deleted.
2676         (JSC::StructureSet::getReservedFlag): Deleted.
2677         (JSC::StructureSet::setReservedFlag): Deleted.
2678         * dfg/DFGStructureAbstractValue.cpp:
2679         (JSC::DFG::StructureAbstractValue::clobber):
2680         (JSC::DFG::StructureAbstractValue::filter):
2681         (JSC::DFG::StructureAbstractValue::filterSlow):
2682         (JSC::DFG::StructureAbstractValue::contains):
2683         * dfg/DFGStructureAbstractValue.h:
2684         (JSC::DFG::StructureAbstractValue::makeTop):
2685
2686 2015-06-08  Csaba Osztrogonác  <ossy@webkit.org>
2687
2688         [ARM] Add the missing setupArgumentsWithExecState functions after r185240
2689         https://bugs.webkit.org/show_bug.cgi?id=145754
2690
2691         Reviewed by Benjamin Poulain.
2692
2693         * jit/CCallHelpers.h:
2694         (JSC::CCallHelpers::setupArgumentsWithExecState):
2695
2696 2015-06-08  Brady Eidson  <beidson@apple.com>
2697
2698         Completely remove all IDB properties/constructors when it is disabled at runtime.
2699         rdar://problem/18429374 and https://bugs.webkit.org/show_bug.cgi?id=137034
2700
2701         Reviewed by Geoffrey Garen.
2702
2703         * runtime/CommonIdentifiers.h:
2704
2705 2015-06-06  Mark Lam  <mark.lam@apple.com>
2706
2707         Returned Exception* values need to be initialized to nullptr when no exceptions are thrown.
2708         https://bugs.webkit.org/show_bug.cgi?id=145720
2709
2710         Reviewed by Dan Bernstein.
2711
2712         * debugger/DebuggerCallFrame.cpp:
2713         (JSC::DebuggerCallFrame::evaluate):
2714
2715 2015-06-05  Mark Lam  <mark.lam@apple.com>
2716
2717         Subclasses of JSNonFinalObject with gc'able children need to implement visitChildren().
2718         https://bugs.webkit.org/show_bug.cgi?id=145709
2719
2720         Reviewed by Geoffrey Garen.
2721
2722         * jsc.cpp:
2723         (functionSetElementRoot):
2724         - The Element class has a member of type Root which extends JSDestructibleObject.
2725           It should be stored in a WriteBarrier, and visited by visitChildren().  
2726
2727         * runtime/ClonedArguments.cpp:
2728         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
2729         (JSC::ClonedArguments::visitChildren):
2730         * runtime/ClonedArguments.h:
2731         - Add missing visitChildren().
2732
2733         * tests/stress/cloned-arguments-should-visit-callee-during-gc.js: Added.
2734         (makeTransientFunction.transientFunc):
2735         (makeTransientFunction):
2736
2737 2015-06-05  Geoffrey Garen  <ggaren@apple.com>
2738
2739         DropAllLocks RELEASE_ASSERT on iOS
2740         https://bugs.webkit.org/show_bug.cgi?id=139654
2741
2742         Reviewed by Mark Lam.
2743
2744         * runtime/JSLock.cpp:
2745         (JSC::JSLock::dropAllLocks): Removed a comment because it duplicated
2746         the code beneath it. Removed a FIXME because we can't ASSERT that
2747         we're holding the lock. WebKit1 on iOS drops the lock before calling to
2748         delegates, not knowing whether it holds the lock or not.
2749
2750         (JSC::JSLock::DropAllLocks::DropAllLocks): Only ASSERT that we are not
2751         GC'ing if we hold the lock. If we do not hold the lock, it is perfectly
2752         valid for some other thread, which does hold the lock, to be GC'ing.
2753         What is not valid is to drop the lock in the middle of GC, since GC
2754         must be atomic.
2755
2756 2015-06-05  Filip Pizlo  <fpizlo@apple.com>
2757
2758         speculateRealNumber() should early exit if you're already a real number, not if you're already a real double.
2759
2760         Rubber stamped by Mark Lam.
2761         
2762         This was causing: https://build.webkit.org/results/Apple%20Yosemite%20Debug%20WK1%20(Tests)/r185261%20(5180)/webaudio/note-grain-on-timing-crash-log.txt
2763
2764         * dfg/DFGSpeculativeJIT.cpp:
2765         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
2766
2767 2015-06-05  Mark Lam  <mark.lam@apple.com>
2768
2769         finally blocks should not set the exception stack trace when re-throwing the exception.
2770         https://bugs.webkit.org/show_bug.cgi?id=145525
2771
2772         Reviewed by Geoffrey Garen.
2773
2774         How exceptions presently work:
2775         =============================
2776         1. op_throw can throw any JSValue.
2777         2. the VM tries to capture the stack at the throw point and propagate that as needed.
2778         3. finally blocks are implemented using op_catch to catch the thrown value, and throws it again using op_throw.
2779
2780         What's wrong with how it presently works:
2781         ========================================
2782         1. finally's make for bad exception throw line numbers in the Inspector console.
2783
2784            The op_throw in finally will throw the value anew i.e. it captures a stack from the re-throw point.
2785            As a result, the Inspector sees the finally block as the throw point.  The original stack is lost.
2786
2787         2. finally's break the Inspector's "Breaks on Uncaught Exception"
2788
2789            This is because finally blocks are indistinguishable from catch blocks.  As a result, a try-finally,
2790            which should break in the Inspector on the throw, does not because the Inspector thought the
2791            exception was "caught".
2792
2793         3. finally's yield confusing break points when the Inspector "Breaks on All Exceptions"
2794
2795            a. In a try-finally scenario, the Inspector breaks 2 times: 1 at the throw, 1 at the finally.
2796            b. In a for-of loop (which has synthesized finallys), the Inspector will do another break.
2797               Similarly for other cases of JS code which synthesize finallys.
2798            c. At VM re-entry boundaries (e.g. js throws & returns to native code, which returns to js),
2799               the Inspector will do another break if there's an uncaught exception.
2800
2801         How this patch fixes the issues:
2802         ===============================
2803         1. We introduce an Exception object that wraps the thrown value and the exception stack.
2804
2805            When throwing an exception, the VM will check if the thrown value is an Exception
2806            object or not.  If it is not an Exception object, then we must be throwing a new
2807            exception.  The VM will create an Exception object to wrap the thrown value and
2808            capture the current stack for it.
2809
2810            If the thrown value is already an Exception object, then the requested throw operation
2811            must be a re-throw.  The VM will not capture a new stack for it.
2812
2813         2. op_catch will now populate 2 locals: 1 for the Exception, 1 for the thrown JSValue.
2814
2815            The VM is aware of the Exception object and uses it for rethrows in finally blocks.
2816            JS source code is never aware of the Exception object.
2817
2818            JS code is aware of the thrown value.  If it throws the caught thrown value, that
2819            constitutes a new throw, and a new Exception object will be created for it.
2820
2821         3. The VM no longer tracks the thrown JSValue and the exception stack.  It will only
2822            track a m_exception field which is an Exception*.
2823
2824         4. The BytecodeGenerator has already been updated in a prior patch to distinguish
2825            between Catch, Finally, and SynthesizedFinally blocks.  The interpreter runtime will
2826            now report to the debugger whether we have a Catch handler, not just any handlers.
2827
2828            The debugger will use this detail to determine whether to break or not.  "Break on
2829            uncaught exceptions" will only break if no Catch handler was found.
2830
2831            This solves the issue of the debugger breaking at finally blocks, and for-of statements.
2832
2833         5. The Exception object will also have a flag to indicate whether the debugger has been
2834            notified of the Exception being thrown.  Once the Interpreter notifies the debugger
2835            of the Exception object, it will mark this flag and not notify the debugger
2836            again of the same Exception.
2837
2838            This solves the issue of the debugger breaking at VM re-entry points due to uncaught
2839            exceptions.
2840
2841         6. The life-cycle of the captured exception stack trace will now follow the life-cycle
2842            of the Exception object.
2843
2844         Other changes:
2845         7. Change all clients of the VM::exception() to expect an Exception* instead of JSValue.
2846
2847         8. Fixed a few bugs where thrown exceptions are not cleared before exiting the VM.
2848
2849         9. Also renamed some variables and classes to better describe what they are.
2850
2851         * API/JSBase.cpp:
2852         (JSEvaluateScript):
2853         (JSCheckScriptSyntax):
2854
2855         * API/JSObjectRef.cpp:
2856         (handleExceptionIfNeeded):
2857         - The functions below all do the same exception check.  Added this helper
2858           to simplify the code.
2859         (JSClassCreate):
2860         (JSObjectMakeFunction):
2861         (JSObjectMakeArray):
2862         (JSObjectMakeDate):
2863         (JSObjectMakeError):
2864         (JSObjectMakeRegExp):
2865         (JSObjectGetProperty):
2866         (JSObjectSetProperty):
2867         (JSObjectGetPropertyAtIndex):
2868         (JSObjectSetPropertyAtIndex):
2869         (JSObjectDeleteProperty):
2870         (JSObjectCallAsFunction):
2871         (JSObjectCallAsConstructor):
2872
2873         * API/JSScriptRef.cpp:
2874         * API/JSValue.mm:
2875         (JSContainerConvertor::take):
2876         (reportExceptionToInspector):
2877
2878         * API/JSValueRef.cpp:
2879         (handleExceptionIfNeeded):
2880         - The functions below all do the same exception check.  Added this helper
2881           to simplify the code.
2882         (evernoteHackNeeded):
2883         (JSValueIsEqual):
2884         (JSValueIsInstanceOfConstructor):
2885         (JSValueCreateJSONString):
2886         (JSValueToNumber):
2887         (JSValueToStringCopy):
2888         (JSValueToObject):
2889
2890         * CMakeLists.txt:
2891         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2892         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2893         * JavaScriptCore.xcodeproj/project.pbxproj:
2894         - Added new files Exception.h and Exception.cpp.
2895
2896         * bindings/ScriptFunctionCall.cpp:
2897         (Deprecated::ScriptFunctionCall::call):
2898         * bindings/ScriptFunctionCall.h:
2899
2900         * bytecode/BytecodeList.json:
2901         - op_catch now has 2 operands: the exception register, and the thrown value register.
2902
2903         * bytecode/BytecodeUseDef.h:
2904         (JSC::computeDefsForBytecodeOffset):
2905         * bytecode/CodeBlock.cpp:
2906         (JSC::CodeBlock::dumpBytecode):
2907         (JSC::CodeBlock::handlerForBytecodeOffset):
2908         * bytecode/CodeBlock.h:
2909         - handlerForBytecodeOffset() now can look for just Catch handlers only.
2910
2911         * bytecode/HandlerInfo.h:
2912         - Cleaned up some white space I accidentally added in a previous patch.
2913
2914         * bytecompiler/BytecodeGenerator.cpp:
2915         (JSC::BytecodeGenerator::pushTry):
2916         (JSC::BytecodeGenerator::popTryAndEmitCatch):
2917         (JSC::BytecodeGenerator::emitThrowReferenceError):
2918         (JSC::BytecodeGenerator::emitEnumeration):
2919         * bytecompiler/BytecodeGenerator.h:
2920         (JSC::BytecodeGenerator::emitThrow):
2921         * bytecompiler/NodesCodegen.cpp:
2922         (JSC::TryNode::emitBytecode):
2923         - Adding support for op_catch's 2 operands.
2924
2925         * debugger/Debugger.cpp:
2926         (JSC::Debugger::hasBreakpoint):
2927         (JSC::Debugger::pauseIfNeeded):
2928         (JSC::Debugger::exception):
2929         * debugger/Debugger.h:
2930         * debugger/DebuggerCallFrame.cpp:
2931         (JSC::DebuggerCallFrame::thisValue):
2932         (JSC::DebuggerCallFrame::evaluate):
2933         * debugger/DebuggerCallFrame.h:
2934         (JSC::DebuggerCallFrame::isValid):
2935         * inspector/InjectedScriptManager.cpp:
2936         (Inspector::InjectedScriptManager::createInjectedScript):
2937         * inspector/InspectorEnvironment.h:
2938         * inspector/JSGlobalObjectInspectorController.cpp:
2939         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2940         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2941         * inspector/JSGlobalObjectInspectorController.h:
2942         * inspector/JSGlobalObjectScriptDebugServer.h:
2943         * inspector/JSJavaScriptCallFrame.cpp:
2944         (Inspector::JSJavaScriptCallFrame::evaluate):
2945         * inspector/JavaScriptCallFrame.h:
2946         (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
2947         (Inspector::JavaScriptCallFrame::thisValue):
2948         (Inspector::JavaScriptCallFrame::evaluate):
2949         * inspector/ScriptCallStackFactory.cpp:
2950         (Inspector::extractSourceInformationFromException):
2951         (Inspector::createScriptCallStackFromException):
2952         * inspector/ScriptCallStackFactory.h:
2953         * inspector/ScriptDebugServer.cpp:
2954         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
2955         (Inspector::ScriptDebugServer::handleBreakpointHit):
2956         (Inspector::ScriptDebugServer::handleExceptionInBreakpointCondition):
2957         * inspector/ScriptDebugServer.h:
2958         * interpreter/CallFrame.h:
2959         (JSC::ExecState::clearException):
2960         (JSC::ExecState::exception):
2961         (JSC::ExecState::hadException):
2962         (JSC::ExecState::atomicStringTable):
2963         (JSC::ExecState::propertyNames):
2964         (JSC::ExecState::clearSupplementaryExceptionInfo): Deleted.
2965
2966         * interpreter/Interpreter.cpp:
2967         (JSC::unwindCallFrame):
2968         (JSC::Interpreter::stackTraceAsString):
2969         (JSC::GetCatchHandlerFunctor::GetCatchHandlerFunctor):
2970         (JSC::GetCatchHandlerFunctor::operator()):
2971         (JSC::Interpreter::unwind):
2972         - Added a check for didNotifyInspectorOfThrow() here to prevent duplicate reports
2973           of the same Exception to the debugger.
2974
2975         (JSC::GetExceptionHandlerFunctor::GetExceptionHandlerFunctor): Deleted.
2976         (JSC::GetExceptionHandlerFunctor::operator()): Deleted.
2977         - Renamed GetExceptionHandlerFunctor to GetCatchHandlerFunctor since the debugger
2978           is only interested in knowing whether we have Catch handlers.
2979
2980         * interpreter/Interpreter.h:
2981         (JSC::SuspendExceptionScope::SuspendExceptionScope):
2982         (JSC::SuspendExceptionScope::~SuspendExceptionScope):
2983         (JSC::Interpreter::sampler):
2984         (JSC::ClearExceptionScope::ClearExceptionScope): Deleted.
2985         (JSC::ClearExceptionScope::~ClearExceptionScope): Deleted.
2986         - Renamed ClearExceptionScope to SuspendExceptionScope because "clear" implies that
2987           we're purging the exception.  Instead, we're merely suspending any handling of
2988           that exception for a period defined by the scope.
2989
2990         * jit/AssemblyHelpers.cpp:
2991         (JSC::AssemblyHelpers::emitExceptionCheck):
2992
2993         * jit/JITExceptions.cpp:
2994         (JSC::genericUnwind):
2995         - Removed the exception argument.  It is always the value in VM::exception() anyway.
2996           genericUnwind() can just get it from the VM, and save everyone some work.
2997
2998         * jit/JITExceptions.h:
2999         * jit/JITOpcodes.cpp:
3000         (JSC::JIT::emit_op_catch):
3001         * jit/JITOpcodes32_64.cpp:
3002         (JSC::JIT::privateCompileCTINativeCall):
3003         (JSC::JIT::emit_op_catch):
3004         - Add support for the new op_catch operands.
3005
3006         * jit/JITOperations.cpp:
3007         * jit/ThunkGenerators.cpp:
3008         (JSC::nativeForGenerator):
3009         * jsc.cpp:
3010         (functionRun):
3011         (functionLoad):
3012         (runWithScripts):
3013         (runInteractive):
3014         * llint/LLIntOffsetsExtractor.cpp:
3015         * llint/LLIntSlowPaths.cpp:
3016         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3017
3018         * llint/LowLevelInterpreter32_64.asm:
3019         * llint/LowLevelInterpreter64.asm:
3020         - Add support for the new op_catch operands.  Also update the code to handle
3021           VM::m_exception being an Exception pointer, not a JSValue.
3022
3023         * parser/NodeConstructors.h:
3024         (JSC::TryNode::TryNode):
3025         * parser/Nodes.h:
3026         * runtime/CallData.cpp:
3027         (JSC::call):
3028         * runtime/CallData.h:
3029
3030         * runtime/Completion.cpp:
3031         (JSC::evaluate):
3032         * runtime/Completion.h:
3033         (JSC::evaluate):
3034         - Change evaluate() to take a reference to the returned exception value instead
3035           of a pointer.  In all but 2 or 3 cases, we want the returned exception anyway.
3036           Might as well simplify the code by requiring the reference.
3037
3038         * runtime/Error.h:
3039         (JSC::throwVMError):
3040         (JSC::throwVMTypeError):
3041
3042         * runtime/Exception.cpp: Added.
3043         (JSC::Exception::create):
3044         (JSC::Exception::destroy):
3045         (JSC::Exception::createStructure):
3046         (JSC::Exception::visitChildren):
3047         (JSC::Exception::Exception):
3048         (JSC::Exception::~Exception):
3049         * runtime/Exception.h: Added.
3050         (JSC::Exception::valueOffset):
3051         (JSC::Exception::cast):
3052         (JSC::Exception::value):
3053         (JSC::Exception::stack):
3054         (JSC::Exception::didNotifyInspectorOfThrow):
3055         (JSC::Exception::setDidNotifyInspectorOfThrow):
3056
3057         * runtime/ExceptionHelpers.cpp:
3058         (JSC::createTerminatedExecutionException):
3059         (JSC::isTerminatedExecutionException):
3060         (JSC::createStackOverflowError):
3061         * runtime/ExceptionHelpers.h:
3062         * runtime/GetterSetter.cpp:
3063         (JSC::callGetter):
3064         * runtime/IteratorOperations.cpp:
3065         (JSC::iteratorClose):
3066         * runtime/JSObject.cpp:
3067         * runtime/JSPromiseConstructor.cpp:
3068         (JSC::constructPromise):
3069         * runtime/JSPromiseDeferred.cpp:
3070         (JSC::updateDeferredFromPotentialThenable):
3071         (JSC::abruptRejection):
3072         * runtime/JSPromiseReaction.cpp:
3073         (JSC::ExecutePromiseReactionMicrotask::run):
3074
3075         * runtime/VM.cpp:
3076         (JSC::VM::VM):
3077         (JSC::VM::releaseExecutableMemory):
3078         (JSC::VM::throwException):
3079         (JSC::VM::setStackPointerAtVMEntry):
3080         (JSC::VM::getExceptionInfo): Deleted.
3081         (JSC::VM::setExceptionInfo): Deleted.
3082         (JSC::VM::clearException): Deleted.
3083         (JSC::clearExceptionStack): Deleted.
3084         * runtime/VM.h:
3085         (JSC::VM::targetMachinePCForThrowOffset):
3086         (JSC::VM::clearException):
3087         (JSC::VM::setException):
3088         (JSC::VM::exception):
3089         (JSC::VM::addressOfException):
3090         (JSC::VM::exceptionStack): Deleted.
3091         * runtime/VMEntryScope.cpp:
3092         (JSC::VMEntryScope::VMEntryScope):
3093         (JSC::VMEntryScope::setEntryScopeDidPopListener):
3094
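The following is an added illustration and is not part of this ChangeLog or of WebKit's code. It is a small C++ model of the behaviour described in points 1 through 5 above: a bare thrown value is wrapped in an Exception object that captures the stack once, rethrowing the Exception object keeps that stack, rethrowing the bare value from JS starts a new throw, each Exception is reported to the debugger at most once, and only a real Catch handler counts as "caught". All class names, the handler enum and the frame strings are stand-ins chosen for the example.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Simplified model of the Exception-wrapper design; not JSC's classes.
// The stack "frames" are constructed strings for the demo.
struct Exception;

struct JSValue {
    std::string payload;   // stand-in for an arbitrary JS value
    Exception* wrapper;    // non-null only for the VM-internal Exception object
    JSValue() : wrapper(nullptr) {}
    explicit JSValue(std::string p, Exception* w = nullptr) : payload(std::move(p)), wrapper(w) {}
};

struct Exception {
    JSValue value;                          // the JS value that was thrown
    std::vector<std::string> stack;         // captured once, at the original throw point
    bool didNotifyInspectorOfThrow = false; // suppresses duplicate debugger reports
};

enum class HandlerType { Catch, Finally, SynthesizedFinally };

struct VM {
    std::vector<std::string> currentStack;        // model of the machine stack at throw time
    std::vector<std::unique_ptr<Exception>> heap; // owns every Exception (GC stand-in)
    Exception* m_exception = nullptr;             // the only exception state the VM keeps
    int inspectorReports = 0;

    // op_throw: a bare value is a new throw and gets a fresh stack; an Exception
    // wrapper is a rethrow and is propagated without capturing a new stack.
    Exception* throwException(const JSValue& v) {
        if (v.wrapper) {
            m_exception = v.wrapper;
            return m_exception;
        }
        heap.push_back(std::make_unique<Exception>());
        Exception* e = heap.back().get();
        e->value = v;
        e->stack = currentStack;
        m_exception = e;
        return e;
    }

    // Each Exception object is reported to the debugger at most once, so
    // unwinding through a VM re-entry boundary does not trigger a second break.
    void reportToInspector(Exception* e) {
        if (e->didNotifyInspectorOfThrow)
            return;
        e->didNotifyInspectorOfThrow = true;
        ++inspectorReports;
    }

    // op_catch populates two operands: the Exception (used for VM-level rethrow
    // from finally blocks) and the thrown value (what JS source code sees).
    struct Caught { JSValue exception; JSValue thrownValue; };
    Caught catchException() {
        Exception* e = m_exception;
        m_exception = nullptr;
        return { JSValue("<Exception>", e), e->value };
    }
};

// "Break on uncaught exceptions" only counts real Catch handlers; finally and
// synthesized finally blocks (for-of) do not make an exception "caught".
static bool isCaughtForDebugger(const std::vector<HandlerType>& handlersOnUnwindPath) {
    for (HandlerType h : handlersOnUnwindPath) {
        if (h == HandlerType::Catch)
            return true;
    }
    return false;
}

// try { throw } finally { <rethrow> }: the finally block rethrows the Exception
// operand, so the outer handler sees the original stack and the debugger is
// notified exactly once.
static Exception* rethrowFromFinally(VM& vm) {
    vm.currentStack = {"main", "f", "g"};   // constructed frames at the throw point
    Exception* original = vm.throwException(JSValue("TypeError: boom"));
    vm.reportToInspector(original);
    VM::Caught c = vm.catchException();     // landing in the finally block
    vm.currentStack = {"main", "f"};        // stack at the rethrow point
    Exception* rethrown = vm.throwException(c.exception);
    vm.reportToInspector(rethrown);         // second report is suppressed
    return rethrown;
}

// catch (e) { throw e; }: JS rethrows the bare value, which is a new throw with
// its own Exception object and its own stack.
static Exception* rethrowFromCatch(VM& vm) {
    vm.currentStack = {"main", "f", "g"};
    vm.throwException(JSValue("TypeError: boom"));
    VM::Caught c = vm.catchException();
    vm.currentStack = {"main", "f"};
    return vm.throwException(c.thrownValue);
}
```

In the finally scenario the VM allocates one Exception and keeps the throw-point stack ("main", "f", "g"); in the catch scenario it allocates a second Exception whose stack ends at the catch block, which is exactly the line-number difference the Inspector sees. The `heap` vector stands in for GC ownership: the real object's stack trace now lives and dies with the Exception cell.
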
3095 2015-06-04  Benjamin Poulain  <bpoulain@apple.com>
3096
3097         [JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case
3098         https://bugs.webkit.org/show_bug.cgi?id=145673
3099
3100         Reviewed by Geoffrey Garen.
3101
3102         Previously, we were deciding to use out-of-bounds speculation based on two pieces of information:
3103         -Explicitly detected out-of-bounds accesses tracked on ArrayProfile.
3104         -The number of times we took the slow cases in the baseline JIT.
3105
3106         The heuristic based on slow cases was a little too fragile.
3107
3108         In some cases, we were running into that limit just because the indexing type changes between
3109         two values (typically Int32Array and DoubleArray). Sometimes we were just unlucky on what
3110         we used for the inline cache.
3111
3112         In Kraken, this was hurting us on "audio-beat-detection" and "audio-fft". The array types we see
3113         change between Int32 and Double. We run into the slow path a bit but never hit
3114         out-of-bounds.
3115
3116         By the time we compile in DFG, we have stable Double Arrays but we speculate out-of-bounds based
3117         on the number of slow cases we took. Because of that, we start boxing the double on GetByVal,
3118         using DoubleRep, etc. adding a ton of overhead over otherwise very simple operations.
3119
3120         WebXPRT was also suffering from this problem but the other way around: we were missing
3121         the out-of-bounds accesses due to changes in indexing types, we were below the threshold
3122         of slow-path access, thus we predicted in-bounds accesses for code that was doing plenty
3123         of out-of-bounds.
3124
3125
3126         This patch fixes the problem by tracking the out-of-bounds access explicitly any time we go
3127         into the slow path in baseline JIT. Since we no longer miss any out-of-bounds, we can remove
3128         the slow-path heuristic.
3129
3130         There is a new special case in the C code regarding out-of-bounds: Arguments access.
3131         Mispredicting out-of-bounds accesses on arguments is a disaster for performance, so those are
3132         tracked in the way DFG expects it.
3133
3134
3135         There are a few important cases that are still not covered optimally:
3136         -PutByVal on Arguments.
3137         -Get/Put ByVal on TypedArray.
3138         Those are simply not used by DFG in any way. TypedArrays should probably be looked at in the future.
3139
3140         * bytecode/ArrayProfile.cpp:
3141         (JSC::ArrayProfile::computeUpdatedPrediction):
3142         The inline-cache repatch cases now update the ArrayProfile information. This has no value in baseline
3143         JIT but it helps avoid one recompile in DFG for the missing ArrayProfile information.
3144
3145         * bytecode/ArrayProfile.h:
3146         (JSC::ArrayProfile::setOutOfBounds):
3147         * dfg/DFGByteCodeParser.cpp:
3148         (JSC::DFG::ByteCodeParser::getArrayMode):
3149         (JSC::DFG::ByteCodeParser::parseBlock):
3150         (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath): Deleted.
3151         * jit/CCallHelpers.h:
3152         (JSC::CCallHelpers::setupArgumentsWithExecState):
3153         * jit/JIT.h:
3154         * jit/JITInlines.h:
3155         (JSC::JIT::callOperation):
3156         * jit/JITOpcodes.cpp:
3157         (JSC::JIT::emitSlow_op_has_indexed_property):
3158         * jit/JITOpcodes32_64.cpp:
3159         (JSC::JIT::emitSlow_op_has_indexed_property):
3160         * jit/JITOperations.cpp:
3161         (JSC::canUseFastArgumentAccess):
3162         This is not my favorite part of this patch.
3163
3164         I tried having JSObject::canGetIndexQuickly() handle arguments which would put everything
3165         on the generic path. Unfortunately, that code is very performance sensitive and some benchmarks were
3166         impacted by over 10%.
3167
3168         I left JSObject::canGetIndexQuickly() alone, and I added the canUseFastArgumentAccess() mirroring
3169         how DFG uses out-of-bounds for Arguments.
3170
3171         (JSC::getByVal):
3172         * jit/JITOperations.h:
3173         * jit/JITPropertyAccess.cpp:
3174         (JSC::JIT::emitSlow_op_get_by_val):
3175         (JSC::JIT::emitSlow_op_put_by_val):
3176         * jit/JITPropertyAccess32_64.cpp:
3177         (JSC::JIT::emitSlow_op_get_by_val):
3178         (JSC::JIT::emitSlow_op_put_by_val):
3179         * runtime/JSPromiseFunctions.cpp:
3180         * tests/stress/get-by-val-out-of-bounds-basics.js: Added.
3181         (opaqueGetByValOnInt32ArrayEarlyOutOfBounds):
3182         (testInt32ArrayEarlyOutOfBounds):
3183         (testIndexingTypeChangesOnInt32Array):
3184         (opaqueGetByValOnStringArrayHotOutOfBounds):
3185         (testStringArrayHotOutOfBounds):
3186         (testIndexingTypeChangesOnStringArray):
3187         (opaqueGetByValOnStringAndInt32ArrayHotOutOfBounds):
3188         (testStringAndInt32ArrayHotOutOfBounds):
3189         (opaqueGetByValOnDoubleArrayHotOutOfBounds):
3190         * tests/stress/put-by-val-out-of-bounds-basics.js: Added.
3191         (opaquePutByValOnInt32ArrayEarlyOutOfBounds):
3192         (testInt32ArrayEarlyOutOfBounds):
3193         (opaquePutByValOnStringArrayHotOutOfBounds):
3194         (testStringArrayHotOutOfBounds):
3195
3196 2015-06-03  Filip Pizlo  <fpizlo@apple.com>
3197
3198         Simplify unboxing of double JSValues known to be not NaN and not Int32
3199         https://bugs.webkit.org/show_bug.cgi?id=145618
3200
3201         Reviewed by Geoffrey Garen.
3202         
3203         In many cases we know that we most likely loaded a non-NaN double value from the heap.
3204         Prior to this patch, we would do two branches before unboxing the double. This patch
3205         reduces this to one branch in the common case. Before:
3206         
3207             if (is int32)
3208                 unbox int32 and convert to double
3209             else if (is number)
3210                 unbox double
3211             else
3212                 exit
3213         
3214         After:
3215
3216             tmp = unbox double
3217             if (tmp == tmp)
3218                 done
3219             else if (is int32)
3220                 unbox int32 and convert to double
3221             else
3222                 exit
3223         
3224         We only use the new style if we have profiling that tells us that we are unlikely to see
3225         either Int32 or NaN - since we will now exit on NaN and int32 requires an extra branch.
3226         
3227         This is an 8% speed-up on Octane/box2d. On one microbenchmark this is a 25% speed-up.
3228         
3229         Rolling this back in after I made DFG::SpeculativeJIT call a new version of unboxDouble()
3230         that doesn't assert that the JSValue is a double, since we are intentionally using it
3231         before doing the "is a double" test. This wasn't a problem on 32-bit since unboxDouble()
3232         does no such assertion on 32-bit.
3233
3234         * dfg/DFGAbstractInterpreterInlines.h:
3235         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3236         * dfg/DFGFixupPhase.cpp:
3237         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3238         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
3239         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3240         * dfg/DFGNode.h:
3241         (JSC::DFG::Node::shouldSpeculateDouble):
3242         (JSC::DFG::Node::shouldSpeculateDoubleReal):
3243         (JSC::DFG::Node::shouldSpeculateNumber):
3244         * dfg/DFGSafeToExecute.h:
3245         (JSC::DFG::SafeToExecuteEdge::operator()):
3246         * dfg/DFGSpeculativeJIT.cpp:
3247         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
3248         (JSC::DFG::SpeculativeJIT::speculateNumber):
3249         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
3250         (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal):
3251         (JSC::DFG::SpeculativeJIT::speculate):
3252         (JSC::DFG::SpeculativeJIT::speculateDoubleReal): Deleted.
3253         * dfg/DFGSpeculativeJIT.h:
3254         * dfg/DFGUseKind.cpp:
3255         (WTF::printInternal):
3256         * dfg/DFGUseKind.h:
3257         (JSC::DFG::typeFilterFor):
3258         (JSC::DFG::isNumerical):
3259         * ftl/FTLCapabilities.cpp:
3260         (JSC::FTL::canCompile):
3261         * ftl/FTLLowerDFGToLLVM.cpp:
3262         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
3263         (JSC::FTL::LowerDFGToLLVM::boxDouble):
3264         (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
3265         (JSC::FTL::LowerDFGToLLVM::speculate):
3266         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3267         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
3268         (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepReal):
3269         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): Deleted.
3270         (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): Deleted.
3271         * jit/AssemblyHelpers.h:
3272         (JSC::AssemblyHelpers::branchIfNotOther):
3273         (JSC::AssemblyHelpers::branchIfInt32):
3274         (JSC::AssemblyHelpers::branchIfNotInt32):
3275         (JSC::AssemblyHelpers::branchIfNumber):
3276
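The following is an added illustration and is not part of this ChangeLog or of WebKit's code. It shows why "tmp = unbox double; if (tmp == tmp) done" is sound: with a 64-bit NaN-boxed JSValue, unboxing any non-double encoding yields a NaN, so a self-equal result proves the value was a real double. The ChangeLog does not restate the encoding; the constants below follow JSC's 64-bit layout as the editor understands it (doubles stored with 2^48 added to their bit pattern, Int32s tagged with 0xFFFF in the top 16 bits, cell pointers with the top 16 bits clear) and are an assumption of this example. The before/after functions count type-check branches so the one-branch common case and the new exit-on-NaN behaviour are both visible.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Assumed 64-bit NaN-boxing layout (model, not JSC's JSCJSValue.h).
static const uint64_t DoubleEncodeOffset = 1ull << 48;
static const uint64_t TagTypeNumber = 0xffff000000000000ull;

struct EncodedValue { uint64_t bits; };

static EncodedValue boxDouble(double d) {
    uint64_t raw;
    std::memcpy(&raw, &d, sizeof raw);
    return { raw + DoubleEncodeOffset };
}
static EncodedValue boxInt32(int32_t i) { return { TagTypeNumber | static_cast<uint32_t>(i) }; }
static EncodedValue boxCell(uintptr_t p) { return { static_cast<uint64_t>(p) }; }

static bool isInt32(EncodedValue v) { return (v.bits & TagTypeNumber) == TagTypeNumber; }
static bool isNumber(EncodedValue v) { return (v.bits & TagTypeNumber) != 0; }
static int32_t unboxInt32(EncodedValue v) { return static_cast<int32_t>(static_cast<uint32_t>(v.bits)); }

// Unbox without checking the tag first. For every non-double encoding (Int32,
// cell, or the other immediates) the subtraction leaves an all-ones exponent,
// so the result is a NaN; a boxed real double comes back unchanged.
static double unboxDoubleUnchecked(EncodedValue v) {
    uint64_t raw = v.bits - DoubleEncodeOffset;
    double d;
    std::memcpy(&d, &raw, sizeof d);
    return d;
}

struct SpeculationResult {
    bool exited;     // true when the speculation failed (OSR exit)
    int branches;    // type-check branches taken on this path
    double value;    // the unboxed double when not exited
};

// Before: two type branches before the double is usable.
static SpeculationResult speculateRealNumberBefore(EncodedValue v) {
    if (isInt32(v))
        return { false, 1, static_cast<double>(unboxInt32(v)) };
    if (isNumber(v))
        return { false, 2, unboxDoubleUnchecked(v) };
    return { true, 2, 0.0 };
}

// After: unbox first; if the result equals itself it is a real (non-NaN)
// double and the common case costs one branch. Anything else falls back to the
// Int32 check, and a genuine NaN now exits instead of being accepted.
static SpeculationResult speculateRealNumberAfter(EncodedValue v) {
    double tmp = unboxDoubleUnchecked(v);
    if (tmp == tmp)
        return { false, 1, tmp };
    if (isInt32(v))
        return { false, 2, static_cast<double>(unboxInt32(v)) };
    return { true, 2, 0.0 };
}
```

The trade-off in the text falls out directly: a boxed 1.5 costs one branch after the change instead of two, a boxed Int32 costs two instead of one, and a boxed NaN, which the old sequence accepted as a number, now exits. That is why the new sequence is only chosen when profiling says Int32 and NaN are unlikely.
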
3277 2015-06-04  Joseph Pecoraro  <pecoraro@apple.com>
3278
3279         Web Inspector: Class constructor appearing as Object Tree property does not include parameters
3280         https://bugs.webkit.org/show_bug.cgi?id=145661
3281
3282         Reviewed by Timothy Hatcher.
3283
3284         * inspector/InjectedScriptSource.js:
3285         (InjectedScript.prototype._classPreview):
3286         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
3287         The string we will return for previews of class constructor functions.
3288
3289         (InjectedScript.RemoteObject):
3290         (InjectedScript.RemoteObject.prototype._describe):
3291         No longer return the class name as the description string.
3292         Instead return the class name for the RemoteObject.className.
3293
3294 2015-06-04  Commit Queue  <commit-queue@webkit.org>
3295
3296         Unreviewed, rolling out r185216.
3297         https://bugs.webkit.org/show_bug.cgi?id=145666
3298
3299         it caused a bunch of debug crashes (Requested by pizlo on
3300         #webkit).
3301
3302         Reverted changeset:
3303
3304         "Simplify unboxing of double JSValues known to be not NaN and
3305         not Int32"
3306         https://bugs.webkit.org/show_bug.cgi?id=145618
3307         http://trac.webkit.org/changeset/185216
3308
3309 2015-06-03  Filip Pizlo  <fpizlo@apple.com>
3310
3311         Simplify unboxing of double JSValues known to be not NaN and not Int32
3312         https://bugs.webkit.org/show_bug.cgi?id=145618
3313
3314         Reviewed by Geoffrey Garen.
3315         
3316         In many cases we know that we most likely loaded a non-NaN double value from the heap.
3317         Prior to this patch, we would do two branches before unboxing the double. This patch
3318         reduces this to one branch in the common case. Before:
3319         
3320             if (is int32)
3321                 unbox int32 and convert to double
3322             else if (is number)
3323                 unbox double
3324             else
3325                 exit
3326         
3327         After:
3328
3329             tmp = unbox double
3330             if (tmp == tmp)
3331                 done
3332             else if (is int32)
3333                 unbox int32 and convert to double
3334             else
3335                 exit
3336         
3337         We only use the new style if we have profiling that tells us that we are unlikely to see
3338         either Int32 or NaN - since we will now exit on NaN and int32 requires an extra branch.
3339         
3340         This is an 8% speed-up on Octane/box2d. On one microbenchmark this is a 25% speed-up.
3341
3342         * dfg/DFGAbstractInterpreterInlines.h:
3343         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3344         * dfg/DFGFixupPhase.cpp:
3345         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3346         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
3347         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3348         * dfg/DFGNode.h:
3349         (JSC::DFG::Node::shouldSpeculateDouble):
3350         (JSC::DFG::Node::shouldSpeculateDoubleReal):
3351         (JSC::DFG::Node::shouldSpeculateNumber):
3352         * dfg/DFGSafeToExecute.h:
3353         (JSC::DFG::SafeToExecuteEdge::operator()):
3354         * dfg/DFGSpeculativeJIT.cpp:
3355         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
3356         (JSC::DFG::SpeculativeJIT::speculateNumber):
3357         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
3358         (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal):
3359         (JSC::DFG::SpeculativeJIT::speculate):
3360         (JSC::DFG::SpeculativeJIT::speculateDoubleReal): Deleted.
3361         * dfg/DFGSpeculativeJIT.h:
3362         * dfg/DFGUseKind.cpp:
3363         (WTF::printInternal):
3364         * dfg/DFGUseKind.h:
3365         (JSC::DFG::typeFilterFor):
3366         (JSC::DFG::isNumerical):
3367         * ftl/FTLCapabilities.cpp:
3368         (JSC::FTL::canCompile):
3369         * ftl/FTLLowerDFGToLLVM.cpp:
3370         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
3371         (JSC::FTL::LowerDFGToLLVM::boxDouble):
3372         (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
3373         (JSC::FTL::LowerDFGToLLVM::speculate):
3374         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3375         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
3376         (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepReal):
3377         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): Deleted.
3378         (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): Deleted.
3379         * jit/AssemblyHelpers.h:
3380         (JSC::AssemblyHelpers::branchIfNotOther):
3381         (JSC::AssemblyHelpers::branchIfInt32):
3382         (JSC::AssemblyHelpers::branchIfNotInt32):
3383         (JSC::AssemblyHelpers::branchIfNumber):
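
The single-branch unboxing described in this entry, modelled in C++ as an added example (not WebKit's code). The tag constants follow JSC's 64-bit JSValue layout as this example understands it, and all function and type names are the example's own:

```cpp
// Added example (not WebKit's code): models JSC's 64-bit JSValue encoding, as this example
// understands it, to show why a single "unbox, then tmp == tmp" check suffices:
//   cell / other :  top 16 bits 0000
//   double       :  IEEE-754 bits + 2^48   (top 16 bits 0001..FFFE)
//   int32        :  top 16 bits FFFF, integer in the low 32 bits
#include <cstdint>
#include <cstring>
#include <limits>

namespace example {
using EncodedValue = uint64_t;
constexpr EncodedValue kNumberTag = 0xffff000000000000ull;  // int32 marker
constexpr EncodedValue kDoubleEncodeOffset = 1ull << 48;

inline EncodedValue encodeInt32(int32_t i) { return kNumberTag | static_cast<uint32_t>(i); }

inline EncodedValue encodeDouble(double d) {
    if (d != d) d = std::numeric_limits<double>::quiet_NaN();  // canonical NaN, as engines do before boxing
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits + kDoubleEncodeOffset;
}

// Cells and the "other" singletons (null, true, ...) keep their top 16 bits clear.
inline EncodedValue encodeCellOrOther(uint64_t low48) { return low48 & 0x0000ffffffffffffull; }

inline bool isInt32(EncodedValue v) { return (v & kNumberTag) == kNumberTag; }
inline bool isNumber(EncodedValue v) { return (v & kNumberTag) != 0; }
inline double int32AsDouble(EncodedValue v) { return static_cast<int32_t>(static_cast<uint32_t>(v)); }

// Blind unbox: subtract the offset without looking at the tag first.
inline double unboxDoubleBlind(EncodedValue v) {
    uint64_t bits = v - kDoubleEncodeOffset;
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

enum class Outcome { Double, Int32, Exit };
struct Result { Outcome outcome; double value; };

// "Before": two tag branches precede the unbox.
inline Result toDoubleBefore(EncodedValue v) {
    if (isInt32(v)) return {Outcome::Int32, int32AsDouble(v)};
    if (isNumber(v)) return {Outcome::Double, unboxDoubleBlind(v)};
    return {Outcome::Exit, 0.0};
}

// "After": one branch on the common path. Subtracting 2^48 from any non-double encoding
// wraps its top 16 bits to FFFE/FFFF with a nonzero mantissa, i.e. a NaN bit pattern, so
// tmp == tmp is false for exactly the values that must not be accepted. The price is that
// a genuine NaN double now exits too, which is why the entry gates this form on profiling.
inline Result toDoubleAfter(EncodedValue v) {
    double tmp = unboxDoubleBlind(v);
    if (tmp == tmp) return {Outcome::Double, tmp};
    if (isInt32(v)) return {Outcome::Int32, int32AsDouble(v)};  // re-derive from v, not tmp
    return {Outcome::Exit, 0.0};
}

// Checks the property the fast path relies on over a few constructed non-double encodings.
inline bool nonDoublesDecodeToNaN() {
    const EncodedValue samples[] = {
        encodeCellOrOther(0x02), encodeCellOrOther(0x06), encodeCellOrOther(0x0a),  // "other" style
        encodeCellOrOther(0x00007f00deadbee0ull),                                   // a cell pointer
        encodeInt32(0), encodeInt32(-1), encodeInt32(INT32_MIN), encodeInt32(INT32_MAX),
    };
    for (EncodedValue v : samples)
        if (unboxDoubleBlind(v) == unboxDoubleBlind(v)) return false;
    return true;
}
}  // namespace example
```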
3384
3385 2015-06-04  Filip Pizlo  <fpizlo@apple.com>
3386
3387         SideState should be a distinct abstract heap from Heap and Stack
3388         https://bugs.webkit.org/show_bug.cgi?id=145653
3389
3390         Reviewed by Geoffrey Garen.
3391         
3392         Before, SideState fit into the hierarchy like so:
3393         
3394         World
3395            |
3396            +-- Stack
3397            |
3398            +-- Heap
3399                  |
3400                  +-- SideState
3401         
3402         Now we will have:
3403         
3404         World
3405            |
3406            +-- Stack
3407            |
3408            +-- Heap
3409            |
3410            +-- SideState
3411         
3412         This makes it easy to ask if a writing operation wrote to anything that is observable even
3413         if we don't exit. SideState is only observable if we exit.
3414
3415         * dfg/DFGAbstractHeap.h:
3416         (JSC::DFG::AbstractHeap::AbstractHeap):
3417         (JSC::DFG::AbstractHeap::supertype):
3418
3419 2015-06-04  Chris Dumez  <cdumez@apple.com>
3420
3421         [WK2] Prune more resources from the MemoryCache before process suspension
3422         https://bugs.webkit.org/show_bug.cgi?id=145633
3423
3424         Reviewed by Andreas Kling.
3425
3426         No longer protect IncrementalSweeper::fullSweep() behind
3427         USE(CF) so we don't need #ifdefs at call sites, similarly to what is
3428         done for the rest of the IncrementalSweeper API.
3429
3430         * heap/IncrementalSweeper.cpp:
3431         (JSC::IncrementalSweeper::fullSweep):
3432         * heap/IncrementalSweeper.h:
3433
3434 2015-06-01  Filip Pizlo  <fpizlo@apple.com>
3435
3436         CallLinkStatus should return takesSlowPath if the GC often cleared the IC
3437         https://bugs.webkit.org/show_bug.cgi?id=145502
3438
3439         Reviewed by Geoffrey Garen.
3440         
3441         CallLinkInfo now remembers when it has been cleared by GC. This has some safeguards for when
3442         a call gets cleared by GC only because we hadn't converted it into a closure call; in that
3443         case the GC will just tell us that it should be a closure call. The DFG will not optimize
3444         a call that was cleared by GC, and the DFG will always prefer a closure call if the GC told
3445         us that the specific callee was dead but the executable wasn't.
3446         
3447         This guards us from some scenarios that came up in Speedometer. It's neutral on the pure JS
3448         benchmarks, most likely just because those benchmarks aren't real enough to have interesting
3449         GC of code.
3450
3451         * bytecode/CallLinkInfo.cpp:
3452         (JSC::CallLinkInfo::visitWeak):
3453         (JSC::CallLinkInfo::dummy):
3454         * bytecode/CallLinkInfo.h:
3455         (JSC::CallLinkInfo::CallLinkInfo):
3456         * bytecode/CallLinkStatus.cpp:
3457         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3458
3459 2015-06-02  Filip Pizlo  <fpizlo@apple.com>
3460
3461         GetById and PutById profiling should be more precise about it takes slow path
3462         https://bugs.webkit.org/show_bug.cgi?id=145590
3463
3464         Reviewed by Geoffrey Garen.
3465         
3466         If a ById access ever takes slow path, we want the DFG and FTL to know this. Previously we
3467         were relying on slow path counts, which conflate slow paths taken due to a megamorphic
3468         access and slow paths taken due to IC building.
3469
3470         * bytecode/GetByIdStatus.cpp:
3471         (JSC::GetByIdStatus::computeFor):
3472         (JSC::GetByIdStatus::computeForStubInfo):
3473         * bytecode/PutByIdStatus.cpp:
3474         (JSC::PutByIdStatus::computeFor):
3475         (JSC::PutByIdStatus::computeForStubInfo):
3476         * bytecode/StructureStubInfo.h:
3477         (JSC::StructureStubInfo::StructureStubInfo):
3478         * ftl/FTLIntrinsicRepository.h:
3479         * ftl/FTLLowerDFGToLLVM.cpp:
3480         (JSC::FTL::LowerDFGToLLVM::compileGetById):
3481         * jit/JITOperations.cpp:
3482         * jit/JITOperations.h:
3483
3484 2015-06-03  Michael Saboff  <msaboff@apple.com>
3485
3486         Improve test coverage for changes made in 145527
3487         https://bugs.webkit.org/show_bug.cgi?id=145578
3488
3489         Reviewed by Geoffrey Garen.
3490
3491         Added more complexity to poly-setter-combo.js stress test to create more turmoil in the
3492         polymorphic get-by-id / put-by-id with getters and setters to exercise the code change in
3493         https://bugs.webkit.org/show_bug.cgi?id=145527.  By changing the objects that the main test
3494         function sees, we are able to test those paths.  Verified with temporary logging code.
3495
3496         * tests/stress/poly-setter-combo.js:
3497         (Cons2):
3498         (Cons3):
3499         (Cons4):
3500         (foo):
3501         (test):
3502         (runTestWithConstructors):
3503
3504 2015-06-02  Mark Lam  <mark.lam@apple.com>
3505
3506         Gardening: fix broken CLoop build.
3507
3508         Not reviewed.
3509
3510         * bytecode/CallLinkStatus.cpp:
3511         (JSC::CallLinkStatus::computeExitSiteData):
3512
3513 2015-06-02  Keith Miller  <keith_miller@apple.com>
3514
3515         JavaScriptCore: JSExport protocol with an NSInteger property converts negative values to 18446744073709552000
3516         https://bugs.webkit.org/show_bug.cgi?id=145563
3517
3518         Reviewed by Darin Adler.
3519
3520         The Objective-C bindings were improperly converting negative
3521         long long/NSIntegers to 18446744073709552000 because they
3522         were converted to unsigned numbers.
3523
3524         * API/ObjcRuntimeExtras.h:
3525         (parseObjCType):
3526         * API/tests/testapi.mm:
3527         (testObjectiveCAPIMain):
3528         (checkNegativeNSIntegers):
3529         (testObjectiveCAPI):
3530
3531 2015-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3532
3533         Heap-use-after-free read of size 4 in JavaScriptCore: WTF::StringImpl::isSymbol() (StringImpl.h:496)
3534         https://bugs.webkit.org/show_bug.cgi?id=145532
3535
3536         Reviewed by Geoffrey Garen.
3537
3538         AtomicStringImpl::lookUp returns AtomicStringImpl*;
3539         it doesn't give any ownership to the caller.
3540         Originally, this is ok because the ownership is taken
3541         by AtomicStringImpl's table (& the register side).
3542
3543         But if we would like to use this returned AtomicStringImpl*,
3544         we should take its ownership immediately,
3545         because if the register side releases its ownership (ref count),
3546         it will be destroyed.
3547
3548         JSString::toExistingAtomicString returns AtomicStringImpl*,
3549         but that's not appropriate.
3550         If the owner of AtomicStringImpl* is always JSString*, it is ok.
3551         But it looks up the table-registered AtomicStringImpl* from
3552         the AtomicStringImpl table. So JSString* may not have the ownership
3553         of the returned AtomicStringImpl*.
3554
3555         The failure situation is the following.
3556
3557         1. A creates AtomicStringImpl. A has its ownership.
3558            And A registers it to AtomicStringImpl table.
3559         2. JSString looks up the AtomicStringImpl from the table.
3560            It gets AtomicStringImpl*, and JSString doesn't have its ownership.
3561            It returns the raw pointer immediately to the users.
3562         3. A is released. There's no owner for the AtomicStringImpl*,
3563            so it's also destroyed.
3564         4. Use the AtomicStringImpl looked up in (2). It becomes a use-after-free.
3565
3566         This patch fixes it by the following changes.
3567
3568         1. Change the signature of `AtomicStringImpl* AtomicStringImpl::lookUp(...)`
3569            to `RefPtr<AtomicStringImpl> AtomicStringImpl::lookUp(..)`.
3570            Use `RefPtr` because it may return `nullptr`.
3571         2. Change the signature of `AtomicStringImpl* JSString::toExistingAtomicString(...)`
3572            to `RefPtr<AtomicStringImpl> JSString::toExistingAtomicString(...)`.
3573            Using `RefPtr` is the same reason.
3574         3. Receive the result with `RefPtr<AtomicStringImpl>` in the caller side.
3575
3576         * dfg/DFGOperations.cpp:
3577         * jit/JITOperations.cpp:
3578         (JSC::getByVal):
3579         * llint/LLIntSlowPaths.cpp:
3580         (JSC::LLInt::getByVal):
3581         * runtime/JSString.cpp:
3582         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
3583         * runtime/JSString.h:
3584         (JSC::JSString::toExistingAtomicString):
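
The ownership failure the four steps above describe, as an added example that is not WebKit's code: a miniature refcounted string and non-owning table with both the old raw-pointer lookUp and the RefPtr-returning fix. MiniAtomicString, AtomicTable, RefPtr, liveCount and runScenario are this example's own names, and the string "foo" is a constructed input.

```cpp
// Added example (not WebKit's code): a miniature intrusive-refcounted atomic string and
// its non-owning table, reproducing steps 1-4 above. MiniAtomicString, AtomicTable,
// RefPtr and liveCount are names invented for this example.
#include <string>
#include <unordered_map>
#include <utility>

namespace example {
// Live object count, so a test can observe destruction without touching freed memory.
inline int& liveCount() { static int n = 0; return n; }
class AtomicTable;
class MiniAtomicString {
public:
    void ref() { ++m_refCount; }
    void deref();  // defined after AtomicTable: the last deref unregisters and deletes
    const std::string& value() const { return m_value; }
private:
    MiniAtomicString(std::string v, AtomicTable& t) : m_value(std::move(v)), m_table(t) { ++liveCount(); }
    ~MiniAtomicString() { --liveCount(); }
    std::string m_value;
    AtomicTable& m_table;
    unsigned m_refCount = 0;
    friend class AtomicTable;
};

// Minimal owning pointer over ref()/deref(); null is allowed, hence RefPtr rather than Ref.
template<class T> class RefPtr {
public:
    RefPtr() = default;
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(RefPtr&& o) noexcept : m_ptr(o.m_ptr) { o.m_ptr = nullptr; }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(RefPtr o) { std::swap(m_ptr, o.m_ptr); return *this; }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    T* m_ptr = nullptr;
};

// Entries are raw pointers: the table never owns a string, its creator does (step 1).
class AtomicTable {
public:
    RefPtr<MiniAtomicString> add(const std::string& s) {
        if (MiniAtomicString* existing = lookUpRaw(s)) return RefPtr<MiniAtomicString>(existing);
        auto* impl = new MiniAtomicString(s, *this);
        m_entries.emplace(s, impl);
        return RefPtr<MiniAtomicString>(impl);
    }
    // Old shape: raw pointer, no ownership handed to the caller (step 2).
    MiniAtomicString* lookUpRaw(const std::string& s) const {
        auto it = m_entries.find(s);
        return it == m_entries.end() ? nullptr : it->second;
    }
    // Fixed shape: the caller takes a reference the moment it receives the result.
    RefPtr<MiniAtomicString> lookUp(const std::string& s) const { return RefPtr<MiniAtomicString>(lookUpRaw(s)); }
    void remove(const MiniAtomicString* impl) { m_entries.erase(impl->value()); }
    std::size_t size() const { return m_entries.size(); }
private:
    std::unordered_map<std::string, MiniAtomicString*> m_entries;
};

inline void MiniAtomicString::deref() {
    if (--m_refCount) return;
    m_table.remove(this);  // nobody else keeps it alive, so the table must forget it (step 3)
    delete this;
}

struct Observation { std::size_t tableSize; int live; bool gotPointer; bool valueReadable; };
// Runs steps 1-3 from the log with either signature. Step 4 (reading through the result) is
// the use-after-free on the old path, so it is only attempted when the object is known alive.
inline Observation runScenario(bool useFixedLookUp) {
    AtomicTable table;
    RefPtr<MiniAtomicString> held;     // fixed path: co-owns the string from step 2 on
    MiniAtomicString* raw = nullptr;   // old path: no ownership, dangles after step 3
    {
        RefPtr<MiniAtomicString> creator = table.add("foo");   // step 1: A owns it
        if (useFixedLookUp) held = table.lookUp("foo");        // step 2 (fixed)
        else raw = table.lookUpRaw("foo");                     // step 2 (old)
    }                                                           // step 3: A is released
    Observation o{table.size(), liveCount(), held || raw, false};
    if (held) o.valueReadable = held->value() == "foo";        // step 4, only when safe
    return o;
}
}  // namespace example
```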
3585
3586 2015-05-30  Filip Pizlo  <fpizlo@apple.com>
3587
3588         Any exit from any JIT due to profiling for an inline cache should force all future compilations to be wary
3589         https://bugs.webkit.org/show_bug.cgi?id=145496
3590
3591         Reviewed by Geoffrey Garen.
3592         
3593         This pessimizes compilation a bit, but it reduces the likelihood of exiting from FTL. I
3594         couldn't find any convincing reason not to do this, and we know from Speedometer that this
3595         change is necessary for weirder code.
3596
3597         * bytecode/CallLinkStatus.cpp:
3598         (JSC::CallLinkStatus::computeFor):
3599         (JSC::CallLinkStatus::computeExitSiteData):
3600         (JSC::CallLinkStatus::computeDFGStatuses):
3601         * bytecode/CallLinkStatus.h:
3602         * bytecode/GetByIdStatus.cpp:
3603         (JSC::GetByIdStatus::appendVariant):
3604         (JSC::GetByIdStatus::hasExitSite):
3605         (JSC::GetByIdStatus::computeFor):
3606         * bytecode/GetByIdStatus.h:
3607         * bytecode/PutByIdStatus.cpp:
3608         (JSC::PutByIdStatus::appendVariant):
3609         (JSC::PutByIdStatus::hasExitSite):
3610         (JSC::PutByIdStatus::computeFor):
3611         * bytecode/PutByIdStatus.h:
3612
3613 2015-05-31  Filip Pizlo  <fpizlo@apple.com>
3614
3615         If a call has ever taken the virtual slow path, make sure that the DFG knows this
3616         https://bugs.webkit.org/show_bug.cgi?id=145501
3617
3618         Reviewed by Geoffrey Garen.
3619         
3620         We now return higher fidelity information in the case of no polymorphic call stub. If the
3621         virtual slow path was ever taken, we note this, and we note either zero or one call variant
3622         based on the IC's last callee.
3623
3624         * bytecode/CallLinkStatus.cpp:
3625         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3626         (JSC::CallLinkStatus::computeFor):
3627
3628 2015-06-01  Michael Saboff  <msaboff@apple.com>
3629
3630         Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::revertCall + 24
3631         https://bugs.webkit.org/show_bug.cgi?id=145527
3632
3633         Reviewed by Filip Pizlo.
3634
3635         If a CallLinkInfo is GC'ed, we need to notify any PolymorphicCallNode's that reference it.
3636         Added plumbing to clear the m_callLinkInfo of a PolymorphicCallNode when that CallLinkInfo
3637         is going away.
3638
3639         * bytecode/CallLinkInfo.h:
3640         (JSC::CallLinkInfo::~CallLinkInfo):
3641         * jit/PolymorphicCallStubRoutine.cpp:
3642         (JSC::PolymorphicCallNode::unlink):
3643         (JSC::PolymorphicCallNode::clearCallLinkInfo):
3644         (JSC::PolymorphicCallCase::dump):
3645         (JSC::PolymorphicCallStubRoutine::edges):
3646         (JSC::PolymorphicCallStubRoutine::clearCallNodesFor):
3647         (JSC::PolymorphicCallStubRoutine::visitWeak):
3648         * jit/PolymorphicCallStubRoutine.h:
3649         (JSC::PolymorphicCallNode::hasCallLinkInfo):
3650
3651 2015-06-01  Mark Lam  <mark.lam@apple.com>
3652
3653         Add the ability to tell between Catch and Finally blocks.
3654         https://bugs.webkit.org/show_bug.cgi?id=145524
3655
3656         Reviewed by Michael Saboff.
3657
3658         ... and also SynthesizedFinally blocks too.  A SynthesizedFinally block
3659         is a finally block that is synthesized by the bytecode generator but
3660         does not actually correspond to any exception handling construct at the
3661         JS source code level.  An example of this is the "for ... of" statement
3662         where it needs to do some "final" clean up before passing on the
3663         exception.
3664
3665         Manually tested by inspecting the bytecode dump of functions with
3666         try-catch-finally blocks as well as for-of statements which have
3667         synthesized finally blocks.  The bytecode dumps contain the exception
3668         handlers table which has these blocks labelled with their newly added
3669         types.  No automatic test because this type info is not visible to JS
3670         code.
3671
3672         * bytecode/CodeBlock.cpp:
3673         (JSC::CodeBlock::dumpBytecode):
3674         * bytecode/HandlerInfo.h:
3675         (JSC::HandlerInfoBase::type):
3676         (JSC::HandlerInfoBase::setType):
3677         (JSC::HandlerInfoBase::typeName):
3678         (JSC::HandlerInfoBase::isCatchHandler):
3679         (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
3680         (JSC::HandlerInfo::initialize):
3681         * bytecompiler/BytecodeGenerator.cpp:
3682         (JSC::BytecodeGenerator::generate):
3683         (JSC::BytecodeGenerator::pushTry):
3684         (JSC::BytecodeGenerator::popTryAndEmitCatch):
3685         (JSC::BytecodeGenerator::emitEnumeration):
3686         * bytecompiler/BytecodeGenerator.h:
3687         (JSC::BytecodeGenerator::emitThrow):
3688         * bytecompiler/NodesCodegen.cpp:
3689         (JSC::TryNode::emitBytecode):
3690
3691 2015-05-29  Geoffrey Garen  <ggaren@apple.com>
3692
3693         REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower
3694         https://bugs.webkit.org/show_bug.cgi?id=145412
3695
3696         Reviewed by Darin Adler.
3697
3698         Moar speedup.
3699
3700         Added a bucket sort for string sorting.
3701
3702         * builtins/Array.prototype.js:
3703         (sort.compactSparse):
3704         (sort.compactSlow):
3705         (sort.compact): Split out a compaction fast path for dense arrays. Without
3706         it, compaction can increase sort time by 2X for simple sorts.
3707
3708         (sort.bucketSort):
3709         (sort.stringSort): Use a bucket sorting algorithm if we know we're sorting
3710         strings. This makes average case string sorting O(N) with O(N) additional
3711         memory use.
3712
3713         The worst case bucket sort can require O(M * N) additional
3714         space. We avoid this by falling back to merge sort when things are
3715         simple or overly duplicative. These are the two cases that accumulate
3716         excessive -- and potentially pathological -- bucketing overhead.
3717
3718 2015-06-01  Mark Lam  <mark.lam@apple.com>
3719
3720         HandlerInfo::initialize() should not assume that CodeLocationLabel is available.
3721         https://bugs.webkit.org/show_bug.cgi?id=145515
3722
3723         Reviewed by Csaba Osztrogonác.
3724
3725         CodeLocationLabel is only defined for ENABLE(ASSEMBLER) builds.  r185022's
3726         attempt at simplifying code to increase readability failed to take this into
3727         account.  This patch fixes it.
3728
3729         * bytecode/CodeBlock.cpp:
3730         (JSC::CodeBlock::CodeBlock):
3731         * bytecode/HandlerInfo.h:
3732         (JSC::HandlerInfo::initialize):
3733
3734 2015-05-31  Filip Pizlo  <fpizlo@apple.com>
3735
3736         Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=145503.
3737
3738         * dfg/DFGByteCodeParser.cpp:
3739         (JSC::DFG::ByteCodeParser::inliningCost):
3740
3741 2015-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3742
3743         [ES6] Drop WeakMap#clear
3744         https://bugs.webkit.org/show_bug.cgi?id=145489
3745
3746         Reviewed by Mark Lam.
3747
3748         The ES6 spec intentionally drops WeakMap#clear
3749         to allow engines to implement WeakMap as a per-object table.
3750
3751         This patch drops WeakMap.prototype.clear.
3752
3753         * runtime/WeakMapPrototype.cpp:
3754         (JSC::WeakMapPrototype::finishCreation): Deleted.
3755         (JSC::protoFuncWeakMapClear): Deleted.
3756
3757 2015-05-31  Jordan Harband  <ljharb@gmail.com>
3758
3759         Array#reduce and reduceRight don't follow ToLength
3760         https://bugs.webkit.org/show_bug.cgi?id=145364
3761         Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength
3762
3763         Reviewed by Yusuke Suzuki.
3764
3765         * builtins/Array.prototype.js:
3766         (reduce):
3767         (reduceRight):
3768         * runtime/ArrayPrototype.cpp:
3769         (JSC::ArrayPrototype::finishCreation):
3770         (JSC::arrayProtoFuncReduce): Deleted.
3771         (JSC::arrayProtoFuncReduceRight): Deleted.
3772
3773 2015-05-29  Filip Pizlo  <fpizlo@apple.com>
3774
3775         FTL codegen for MultiGetByOffset and MultiPutByOffset where the structure set is already proved should have an unreachable default case instead of an exit
3776         https://bugs.webkit.org/show_bug.cgi?id=145469
3777
3778         Reviewed by Geoffrey Garen.
3779         
3780         Omitting the speculation on the fail path when the speculation is guaranteed not to be
3781         taken hints to LLVM that the default case is impossible. This enables some useful
3782         optimizations.
3783
3784         * ftl/FTLLowerDFGToLLVM.cpp:
3785         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
3786         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
3787
3788 2015-05-29  Mark Lam  <mark.lam@apple.com>
3789
3790         Refactoring HandlerInfo and UnlinkedHandlerInfo.
3791         https://bugs.webkit.org/show_bug.cgi?id=145480
3792
3793         Reviewed by Benjamin Poulain.
3794
3795         HandlerInfo and UnlinkedHandlerInfo have common parts, but are not currently
3796         expressed as 2 unrelated structs that happen to have near identical fields.
3797         We can refactor them to better express their relationship.  We can also add
3798         some convenience functions to make the code that uses them a little more
3799         readable.
3800
3801         * bytecode/CodeBlock.cpp:
3802         (JSC::CodeBlock::dumpBytecode):
3803         (JSC::CodeBlock::CodeBlock):
3804         (JSC::CodeBlock::handlerForBytecodeOffset):
3805         * bytecode/HandlerInfo.h:
3806         (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
3807         (JSC::HandlerInfo::initialize):
3808         - I chose to include the CodeLocationLabel arg even though it is unused by
3809           non-JIT builds.  This makes the call site cleaner to read.
3810
3811         * bytecode/UnlinkedCodeBlock.h:
3812         (JSC::UnlinkedSimpleJumpTable::add):
3813         (JSC::UnlinkedInstruction::UnlinkedInstruction):
3814         (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers):
3815         (JSC::UnlinkedCodeBlock::addExceptionHandler):
3816         (JSC::UnlinkedCodeBlock::exceptionHandler):
3817         (JSC::UnlinkedCodeBlock::symbolTable):
3818         * bytecompiler/BytecodeGenerator.cpp:
3819         (JSC::BytecodeGenerator::generate):
3820
3821 2015-05-28  Filip Pizlo  <fpizlo@apple.com>
3822
3823         Non-speculative Branch should be fast in the FTL
3824         https://bugs.webkit.org/show_bug.cgi?id=145452
3825
3826         Reviewed by Andreas Kling.
3827         
3828         Inlines the code for convertJSValueToBoolean into the FTL. This also includes some other
3829         clean-ups that I found along the way.
3830         
3831         I found this by looking at the hottest functions in DeltaBlue. Despite having so many
3832         Branch specializations, apparently there was still a hot one that we missed that was going
3833         down the untyped path. It was either Int32 or Other. Maybe we could specialize for that
3834         combo, but it makes so much sense to just make all of this nonsense fast.
3835
3836         * dfg/DFGWatchpointCollectionPhase.cpp:
3837         (JSC::DFG::WatchpointCollectionPhase::handle): Need to watch the masquerades watchpoint on UntypedUse: forms of Branch now.
3838         * ftl/FTLLowerDFGToLLVM.cpp:
3839         (JSC::FTL::LowerDFGToLLVM::boolify): The actual fix.
3840         (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
3841         (JSC::FTL::LowerDFGToLLVM::isInt32):
3842         (JSC::FTL::LowerDFGToLLVM::isNotInt32):
3843         (JSC::FTL::LowerDFGToLLVM::unboxInt32):
3844         * runtime/JSCellInlines.h:
3845         (JSC::JSCell::toBoolean): Symbol is always true.
3846         (JSC::JSCell::pureToBoolean): Symbol is always true.
3847         * runtime/JSString.cpp:
3848         (JSC::JSString::getPrimitiveNumber):
3849         (JSC::JSString::toNumber):
3850         (JSC::JSString::toBoolean): Deleted. This is a tiny method. It doesn't need to be out-of-line.
3851         * runtime/JSString.h:
3852         (JSC::JSString::length):
3853         (JSC::JSString::toBoolean): This method should be inline.
3854         * runtime/Symbol.cpp:
3855         (JSC::Symbol::toPrimitive):
3856         (JSC::Symbol::getPrimitiveNumber):
3857         (JSC::Symbol::toBoolean): Deleted. A Symbol is always true, so we don't need a method for this.
3858         * runtime/Symbol.h:
3859
3860 2015-05-29  Commit Queue  <commit-queue@webkit.org>
3861
3862         Unreviewed, rolling out r184860.
3863         https://bugs.webkit.org/show_bug.cgi?id=145456
3864
3865         May have caused ~1% Octane regression (Requested by kling on
3866         #webkit).
3867
3868         Reverted changeset:
3869
3870         "Try to use StringView when comparing JSStrings for equality."
3871         https://bugs.webkit.org/show_bug.cgi?id=145379
3872         http://trac.webkit.org/changeset/184860
3873
3874 2015-05-28  Michael Saboff  <msaboff@apple.com>
3875
3876         mozilla/js1_5/Array/regress-154338.js test causes ARM 32 bit iOS devices to run out of memory
3877         https://bugs.webkit.org/show_bug.cgi?id=145444
3878
3879         Reviewed by Geoffrey Garen.
3880
3881         Disabled mozilla/js1_5/Array/regress-154338.js when run on iOS ARM 32 bit devices and
3882         the --memory-limited option is passed to run-jsc-stress-tests.
3883
3884         * tests/mozilla/mozilla-tests.yaml:
3885
3886 2015-05-28  Benjamin Poulain  <benjamin@webkit.org>
3887
3888         [iOS8][ARMv7(s)] Optimized Object.create in 'use strict' context sometimes breaks.
3889         https://bugs.webkit.org/show_bug.cgi?id=138038
3890
3891         Reviewed by Michael Saboff.
3892
3893         TL;DR: sometimes the baseline JIT could accidentally nuke the tag before calling
3894                to C++, making put_by_id behave erratically.
3895
3896         The bug was that put_by_id would randomly not work correctly in 32 bits. It happened
3897         in the baseline JIT if we were unlucky enough:
3898         - The code gets hot enough and the structure is stable, so we get a fast path for
3899           put_by_id.
3900         - We repatch the fast-path branch with a stub generated by
3901           emitPutTransitionStubAndGetOldStructure().
3902         - In emitPutTransitionStubAndGetOldStructure(), we only preserve the payload of the base
3903           register; the tag register is ignored.
3904         - emitPutTransitionStubAndGetOldStructure() allocates 2 to 3 registers. Any of those
3905           could be the one used for the base's tag before the fast path, and the value is trashed.
3906         - If we hit one of the failure cases, we fall back to the slow path, but we destroyed
3907           the tag pointer.
3908         - We now have unrelated bits in the tag, the most likely value type is now "double",
3909           and we fail the put_by_id because we try to set a property on a number.
3910
3911         The most obvious solution would be to change emitPutTransitionStubAndGetOldStructure()
3912         to preserve the tag register in addition to the value register.
3913         I decided against that option because of the added complexity. The DFG does not need
3914         that case, so I would have to add branches everywhere to distinguish the cases
3915         where we need to preserve the tag or not.
3916
3917         Instead, I just load the tag back from memory in the slow path. The function in the slow
3918         path is several orders of magnitude slower than a