Swipe snapshot removed too early (jumps around) on arstechnica and NYT
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
2
3         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
4         https://bugs.webkit.org/show_bug.cgi?id=143104
5
6         Reviewed by Geoffrey Garen.
7         
8         Created a test that is a 100% repro of the flaky failure. This test is called
9         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
10         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
11         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
12         
13         Also created three more tests for three similar, but not identical, failures.
14         
15         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
16         only reading those parts of the stack that are relevant to the current semantic code origin.
17         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
18         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
19         read parts of the stack associated with the inline call frame for the phantom arguments. This
20         may not be subsumed by the current semantic origin's stack area in cases that the arguments
21         were allowed to "locally" escape.
22         
23         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
24         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
25         the stack due to function.arguments, but there are a bunch of other ways that we could also
26         read the stack and those operations may read any stack slot. I believe that this change makes
27         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
28         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
29         readTop() in PreciseLocalClobberize does the right thing.
30
31         * dfg/DFGClobberize.h:
32         (JSC::DFG::clobberize):
33         * dfg/DFGPreciseLocalClobberize.h:
34         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
35         * dfg/DFGPutStackSinkingPhase.cpp:
36         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
37         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
38         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
39         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
40         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
41
42 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
43
44         Start the features.json files
45         https://bugs.webkit.org/show_bug.cgi?id=143207
46
47         Reviewed by Darin Adler.
48
49         Start the features.json files to have something to experiment
50         with for the UI.
51
52         * features.json: Added.
53
54 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
55
56         [Win] Addressing post-review comment after r182122
57         https://bugs.webkit.org/show_bug.cgi?id=143189
58
59         Unreviewed.
60
61 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
62
63         [Win] Allow building JavaScriptCore without Cygwin
64         https://bugs.webkit.org/show_bug.cgi?id=143189
65
66         Reviewed by Brent Fulgham.
67
68         Paths like /usr/bin/ don't exist on Windows.
69         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
70         Prefixing commands with environment variables doesn't work on Windows.
71         Windows doesn't have 'cmp'
72         Windows uses 'del' instead of 'rm'
73         Windows uses 'type NUL' instead of 'touch'
74
75         * DerivedSources.make:
76         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
77         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
78         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
79         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
80         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
81         * JavaScriptCore.vcxproj/build-generated-files.pl:
82         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
83
84 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
85
86         Clean up JavaScriptCore/builtins
87         https://bugs.webkit.org/show_bug.cgi?id=143177
88
89         Reviewed by Ryosuke Niwa.
90
91         * builtins/ArrayConstructor.js:
92         (from):
93         - We can compare to undefined instead of using a typeof undefined check.
94         - Converge on double quoted strings everywhere.
95
96         * builtins/ArrayIterator.prototype.js:
97         (next):
98         * builtins/StringIterator.prototype.js:
99         (next):
100         - Use shorthand object construction to avoid duplication.
101         - Improve grammar in error messages.
102
103         * tests/stress/array-iterators-next-with-call.js:
104         * tests/stress/string-iterators.js:
105         - Update for new error message strings.
106
107 2015-03-28  Saam Barati  <saambarati1@gmail.com>
108
109         Web Inspector: ES6: Better support for Symbol types in Type Profiler
110         https://bugs.webkit.org/show_bug.cgi?id=141257
111
112         Reviewed by Joseph Pecoraro.
113
114         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
115         type profiler support this new primitive type.
116
117         * dfg/DFGFixupPhase.cpp:
118         (JSC::DFG::FixupPhase::fixupNode):
119         * inspector/protocol/Runtime.json:
120         * runtime/RuntimeType.cpp:
121         (JSC::runtimeTypeForValue):
122         * runtime/RuntimeType.h:
123         (JSC::runtimeTypeIsPrimitive):
124         * runtime/TypeSet.cpp:
125         (JSC::TypeSet::addTypeInformation):
126         (JSC::TypeSet::dumpTypes):
127         (JSC::TypeSet::doesTypeConformTo):
128         (JSC::TypeSet::displayName):
129         (JSC::TypeSet::inspectorTypeSet):
130         (JSC::TypeSet::toJSONString):
131         * runtime/TypeSet.h:
132         (JSC::TypeSet::seenTypes):
133         * tests/typeProfiler/driver/driver.js:
134         * tests/typeProfiler/symbol.js: Added.
135         (wrapper.foo):
136         (wrapper.bar):
137         (wrapper.bar.bar.baz):
138         (wrapper):
139
140 2015-03-27  Saam Barati  <saambarati1@gmail.com>
141
142         Deconstruction parameters are bound too late
143         https://bugs.webkit.org/show_bug.cgi?id=143148
144
145         Reviewed by Filip Pizlo.
146
147         Currently, a deconstruction pattern named with the same
148         name as a function will shadow the function. This is
149         wrong. It should be the other way around.
150
151         * bytecompiler/BytecodeGenerator.cpp:
152         (JSC::BytecodeGenerator::generate):
153
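The binding order this entry restores can be checked from script. The following is an added example, not WebKit code or one of its tests; it runs under any ES6-compliant engine (for example node) and shows that a body-level function declaration wins over a same-named parameter whether that parameter is a plain identifier or a destructuring pattern. The function and property names are arbitrary.

```javascript
// Added example (not WebKit code). Checks the binding order the entry above
// restores: per the ES6 FunctionDeclarationInstantiation algorithm, parameters
// (destructuring patterns included) are bound first and function declarations
// in the body are initialised afterwards, so the function shadows the
// parameter, never the other way round. Names below are arbitrary.

function plainParam(a) {
  function a() { return "function-decl"; }
  return a;
}

function destructuredParam({ a }) {
  function a() { return "function-decl"; }
  return a;
}

// Control case: a destructured parameter with no competing declaration.
function destructuredOnly({ a }) {
  return a;
}

// Reduces a result to something comparable: a function's label, else the value.
function bindingKind(fn, arg) {
  const v = fn(arg);
  return typeof v === "function" ? v() : v;
}

function runChecks() {
  return {
    plain: bindingKind(plainParam, 1),
    destructured: bindingKind(destructuredParam, { a: 1 }),
    control: bindingKind(destructuredOnly, { a: 1 }),
  };
}

console.log(runChecks());
```

An engine with the bug described above would return the destructured value (1) for the `destructured` case instead of the function's label.
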
154 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
155
156         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
157         https://bugs.webkit.org/show_bug.cgi?id=143170
158
159         Reviewed by Benjamin Poulain.
160
161         Assert that we never use the 16-bit version of the parser to parse a default constructor
162         since both base and derived default constructors should be using an 8-bit string.
163
164         * parser/Parser.h:
165         (JSC::parse):
166
167 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
168
169         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
170         https://bugs.webkit.org/show_bug.cgi?id=142862
171
172         Reviewed by Benjamin Poulain.
173
174         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
175
176         * tests/stress/class-syntax-derived-default-constructor.js: Added.
177
178 2015-03-27  Michael Saboff  <msaboff@apple.com>
179
180         load8Signed() and load16Signed() should be renamed to avoid confusion
181         https://bugs.webkit.org/show_bug.cgi?id=143168
182
183         Reviewed by Benjamin Poulain.
184
185         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
186
187         * assembler/MacroAssemblerARM.h:
188         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
189         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
190         (JSC::MacroAssemblerARM::load8Signed): Deleted.
191         (JSC::MacroAssemblerARM::load16Signed): Deleted.
192         * assembler/MacroAssemblerARM64.h:
193         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
194         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
195         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
196         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
197         * assembler/MacroAssemblerARMv7.h:
198         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
199         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
200         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
201         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
202         * assembler/MacroAssemblerMIPS.h:
203         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
204         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
205         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
206         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
207         * assembler/MacroAssemblerSH4.h:
208         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
209         (JSC::MacroAssemblerSH4::load8):
210         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
211         (JSC::MacroAssemblerSH4::load16):
212         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
213         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
214         * assembler/MacroAssemblerX86Common.h:
215         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
216         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
217         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
218         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
219         * dfg/DFGSpeculativeJIT.cpp:
220         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
221         * jit/JITPropertyAccess.cpp:
222         (JSC::JIT::emitIntTypedArrayGetByVal):
223
224 2015-03-27  Michael Saboff  <msaboff@apple.com>
225
226         Fix flaky dfg-int8array.js and dfg-int16array.js tests for ARM64
227         https://bugs.webkit.org/show_bug.cgi?id=138390
228
229         Reviewed by Mark Lam.
230
231         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
232         instead of 64 bits.  This is what X86-64 does.
233
234         * assembler/MacroAssemblerARM64.h:
235         (JSC::MacroAssemblerARM64::load16Signed):
236         (JSC::MacroAssemblerARM64::load8Signed):
237
238 2015-03-27  Saam Barati  <saambarati1@gmail.com>
239
240         Add back previously broken assert from bug 141869
241         https://bugs.webkit.org/show_bug.cgi?id=143005
242
243         Reviewed by Michael Saboff.
244
245         * runtime/ExceptionHelpers.cpp:
246         (JSC::invalidParameterInSourceAppender):
247
248 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
249
250         Make some more objects use FastMalloc
251         https://bugs.webkit.org/show_bug.cgi?id=143122
252
253         Reviewed by Csaba Osztrogonác.
254
255         * API/JSCallbackObject.h:
256         * heap/IncrementalSweeper.h:
257         * jit/JITThunks.h:
258         * runtime/JSGlobalObjectDebuggable.h:
259         * runtime/RegExpCache.h:
260
261 2015-03-27  Michael Saboff  <msaboff@apple.com>
262
263         Objects with numeric properties intermittently get a phantom 'length' property
264         https://bugs.webkit.org/show_bug.cgi?id=142792
265
266         Reviewed by Csaba Osztrogonác.
267
268         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
269         test and branch instructions.  This function is used for linking tbz/tbnz branches between
270         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
271         the failure case checks in the GetById array length stub created for "obj.length" access.
272         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
273         being set when we should have been looking for bit 0.
274
275         * assembler/ARM64Assembler.h:
276         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
277
278 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
279
280         Insert exception check around toPropertyKey call
281         https://bugs.webkit.org/show_bug.cgi?id=142922
282
283         Reviewed by Geoffrey Garen.
284
285         In some places, an exception check is missing after/before toPropertyKey.
286         However, since it calls toString, this is observable to users.
287
288         Missing exception checks in Object.prototype methods can be
289         observed since they would be overridden with toObject(null/undefined) errors.
290         We inserted exception checks after toPropertyKey.
291
292         Missing exception checks in GetById related code can be
293         observed since they would be overridden with toObject(null/undefined) errors.
294         In this case, we need to insert exception checks before/after toPropertyKey
295         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
296
297         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
298         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
299         According to the spec, we first perform RequireObjectCoercible and check the exception.
300         And second, we perform ToPropertyKey and check the exception.
301         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
302         For example, if the target is not object coercible,
303         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
304         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
305
306         This patch introduces JSValue::requireObjectCoercible and uses it for the following two reasons.
307
308         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
309
310         toObject converts primitive types into wrapper objects.
311         But it is not efficient since wrapper objects are not necessary
312         if we look up methods from a primitive value's prototype. (using synthesizePrototype is better).
313
314         2. Using the result of toObject is not correct to the spec.
315
316         To align to the spec correctly, we cannot use JSObject::get
317         by using the wrapper object produced by the toObject suggested in (1).
318         If we use the JSObject that is converted by toObject, the getter will be called by using this JSObject as |this|.
319         It is not correct since the getter should be called with the original |this| value, which may be a primitive type.
320
321         So in this patch, we use JSValue::requireObjectCoercible
322         to check the target is object coercible and raise an error if it's not.
323
324         * dfg/DFGOperations.cpp:
325         * jit/JITOperations.cpp:
326         (JSC::getByVal):
327         * llint/LLIntSlowPaths.cpp:
328         (JSC::LLInt::getByVal):
329         * runtime/CommonSlowPaths.cpp:
330         (JSC::SLOW_PATH_DECL):
331         * runtime/JSCJSValue.h:
332         * runtime/JSCJSValueInlines.h:
333         (JSC::JSValue::requireObjectCoercible):
334         * runtime/ObjectPrototype.cpp:
335         (JSC::objectProtoFuncHasOwnProperty):
336         (JSC::objectProtoFuncDefineGetter):
337         (JSC::objectProtoFuncDefineSetter):
338         (JSC::objectProtoFuncLookupGetter):
339         (JSC::objectProtoFuncLookupSetter):
340         (JSC::objectProtoFuncPropertyIsEnumerable):
341         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
342         (shouldThrow):
343         (if):
344         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
345         (shouldThrow):
346         (.):
347
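The operation order this entry aligns JSC with is observable from script. Below is an added example, not WebKit code and not one of the stress tests listed above; it runs under node and checks three things: for `base[key]` a null base throws a TypeError before the key's toString is ever called; for Object.prototype.hasOwnProperty the key is converted first, so an exception thrown by toString wins over the ToObject(null) error; and a getter found on a primitive's prototype sees the primitive itself as |this| when the getter is strict, not a wrapper object. The probe object, the `__probeThis` property name and the helper functions are made up for the example.

```javascript
// Added example (not WebKit code). Observes, from script, the operation order
// the entry above aligns JSC with:
//   1. base[key]: RequireObjectCoercible(base) runs before ToPropertyKey(key),
//      so a null base throws a TypeError and key.toString() is never called;
//   2. Object.prototype.hasOwnProperty(key): ToPropertyKey(key) runs before
//      ToObject(this), so an exception from key.toString() must propagate
//      rather than be replaced by the "null is not an object" TypeError;
//   3. a getter on a primitive's prototype receives the primitive itself as
//      |this| (strict getter), not a wrapper built by toObject.
// All names (makeProbeKey, __probeThis, ...) are made up for this example.

// A property key whose conversion is observable: counts toString calls and
// optionally throws from inside ToPropertyKey.
function makeProbeKey(throwOnConvert) {
  const probe = { toStringCalls: 0 };
  probe.key = {
    toString() {
      probe.toStringCalls++;
      if (throwOnConvert) throw new Error("toString observed");
      return "x";
    },
  };
  return probe;
}

// Runs fn and classifies the outcome so callers can compare results.
function outcome(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return {
      ok: false,
      kind: e instanceof TypeError ? "TypeError" : "other",
      message: e.message,
    };
  }
}

// 1. Null base: TypeError, and the key is never converted.
function getByValOnNull() {
  const probe = makeProbeKey(true);
  const r = outcome(() => null[probe.key]);
  return { kind: r.kind, toStringCalls: probe.toStringCalls };
}

// 2. Null receiver for hasOwnProperty: the key is converted first, so the
//    toString exception is what the caller sees.
function hasOwnPropertyOnNull() {
  const probe = makeProbeKey(true);
  const r = outcome(() =>
    Object.prototype.hasOwnProperty.call(null, probe.key));
  return { kind: r.kind, message: r.message, toStringCalls: probe.toStringCalls };
}

// Coercible base with a throwing key: ToPropertyKey's exception propagates.
function getByValWithThrowingKey() {
  const probe = makeProbeKey(true);
  const r = outcome(() => ({})[probe.key]);
  return { ok: r.ok, message: r.message, toStringCalls: probe.toStringCalls };
}

// 3. A strict getter installed on String.prototype reports typeof this for a
//    primitive receiver; "string" means no wrapper object was substituted.
function getterReceiverOnPrimitive() {
  Object.defineProperty(String.prototype, "__probeThis", {
    configurable: true,
    get() { "use strict"; return typeof this; },
  });
  try {
    return "abc".__probeThis;
  } finally {
    delete String.prototype.__probeThis;
  }
}

// Stand-alone run: prints the four observations.
console.log(getByValOnNull(), hasOwnPropertyOnNull(),
            getByValWithThrowingKey(), getterReceiverOnPrimitive());
```

The two null cases deliberately differ: property access checks the base first, while the Object.prototype methods convert the key first, which is exactly why the entry inserts the exception check before toPropertyKey in one place and after it in the other.
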
348 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
349
350         WebContent Crash when instantiating class with Type Profiling enabled
351         https://bugs.webkit.org/show_bug.cgi?id=143037
352
353         Reviewed by Ryosuke Niwa.
354
355         * bytecompiler/BytecodeGenerator.h:
356         * bytecompiler/BytecodeGenerator.cpp:
357         (JSC::BytecodeGenerator::BytecodeGenerator):
358         (JSC::BytecodeGenerator::emitMoveEmptyValue):
359         We cannot profile the type of an uninitialized empty JSValue.
360         Nor do we expect this to be necessary, since it is effectively
361         an unseen undefined value. So add a way to put the empty value
362         without profiling.
363
364         (JSC::BytecodeGenerator::emitMove):
365         Add an assert to try to catch this issue early on, and force
366         callers to explicitly use emitMoveEmptyValue instead.
367
368         * tests/typeProfiler/classes.js: Added.
369         (wrapper.Base):
370         (wrapper.Derived):
371         (wrapper):
372         Add test coverage both for this case and classes in general.
373
374 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
375
376         Web Inspector: ES6: Provide a better view for Classes in the console
377         https://bugs.webkit.org/show_bug.cgi?id=142999
378
379         Reviewed by Timothy Hatcher.
380
381         * inspector/protocol/Runtime.json:
382         Provide a new `subtype` enum "class". This is a subtype of `type`
383         "function", all other subtypes are subtypes of `object` types.
384         For a class, the frontend will immediately want to get the prototype
385         to enumerate its methods, so include the `classPrototype`.
386
387         * inspector/JSInjectedScriptHost.cpp:
388         (Inspector::JSInjectedScriptHost::subtype):
389         Denote class construction functions as "class" subtypes.
390
391         * inspector/InjectedScriptSource.js:
392         Handling for the new "class" type.
393
394         * bytecode/UnlinkedCodeBlock.h:
395         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
396         * runtime/Executable.h:
397         (JSC::FunctionExecutable::isClassConstructorFunction):
398         * runtime/JSFunction.h:
399         * runtime/JSFunctionInlines.h:
400         (JSC::JSFunction::isClassConstructorFunction):
401         Check if this function is a class constructor function. That information
402         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
403
404 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
405
406         Function.prototype.toString should not decompile the AST
407         https://bugs.webkit.org/show_bug.cgi?id=142853
408
409         Reviewed by Darin Adler.
410
411         Following up on Darin's review comments.
412
413         * runtime/FunctionConstructor.cpp:
414         (JSC::constructFunctionSkippingEvalEnabledCheck):
415
416 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
417
418         "lineNo" does not match WebKit coding style guidelines
419         https://bugs.webkit.org/show_bug.cgi?id=143119
420
421         Reviewed by Michael Saboff.
422
423         We can afford to use whole words.
424
425         * bytecode/CodeBlock.cpp:
426         (JSC::CodeBlock::lineNumberForBytecodeOffset):
427         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
428         * bytecode/UnlinkedCodeBlock.cpp:
429         (JSC::UnlinkedFunctionExecutable::link):
430         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
431         * bytecode/UnlinkedCodeBlock.h:
432         * bytecompiler/NodesCodegen.cpp:
433         (JSC::WhileNode::emitBytecode):
434         * debugger/Debugger.cpp:
435         (JSC::Debugger::toggleBreakpoint):
436         * interpreter/Interpreter.cpp:
437         (JSC::StackFrame::computeLineAndColumn):
438         (JSC::GetStackTraceFunctor::operator()):
439         (JSC::Interpreter::execute):
440         * interpreter/StackVisitor.cpp:
441         (JSC::StackVisitor::Frame::computeLineAndColumn):
442         * parser/Nodes.h:
443         (JSC::Node::firstLine):
444         (JSC::Node::lineNo): Deleted.
445         (JSC::StatementNode::firstLine): Deleted.
446         * parser/ParserError.h:
447         (JSC::ParserError::toErrorObject):
448         * profiler/LegacyProfiler.cpp:
449         (JSC::createCallIdentifierFromFunctionImp):
450         * runtime/CodeCache.cpp:
451         (JSC::CodeCache::getGlobalCodeBlock):
452         * runtime/Executable.cpp:
453         (JSC::ScriptExecutable::ScriptExecutable):
454         (JSC::ScriptExecutable::newCodeBlockFor):
455         (JSC::FunctionExecutable::fromGlobalCode):
456         * runtime/Executable.h:
457         (JSC::ScriptExecutable::firstLine):
458         (JSC::ScriptExecutable::setOverrideLineNumber):
459         (JSC::ScriptExecutable::hasOverrideLineNumber):
460         (JSC::ScriptExecutable::overrideLineNumber):
461         (JSC::ScriptExecutable::lineNo): Deleted.
462         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
463         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
464         (JSC::ScriptExecutable::overrideLineNo): Deleted.
465         * runtime/FunctionConstructor.cpp:
466         (JSC::constructFunctionSkippingEvalEnabledCheck):
467         * runtime/FunctionConstructor.h:
468         * tools/CodeProfile.cpp:
469         (JSC::CodeProfile::report):
470         * tools/CodeProfile.h:
471         (JSC::CodeProfile::CodeProfile):
472
473 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
474
475         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
476         https://bugs.webkit.org/show_bug.cgi?id=142974
477
478         Reviewed by Joseph Pecoraro.
479
480         This patch does two things:
481
482         (1) Restore JavaScriptCore's sanitization of line and column numbers to
483         one-based values.
484
485         We need this because WebCore sometimes provides huge negative column
486         numbers.
487
488         (2) Solve the attribute event listener line numbering problem a different
489         way: Rather than offsetting all line numbers by -1 in an attribute event
490         listener in order to arrange for a custom result, instead use an explicit
491         feature for saying "all errors in this code should map to this line number".
492
493         * bytecode/UnlinkedCodeBlock.cpp:
494         (JSC::UnlinkedFunctionExecutable::link):
495         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
496         * bytecode/UnlinkedCodeBlock.h:
497         * interpreter/Interpreter.cpp:
498         (JSC::StackFrame::computeLineAndColumn):
499         (JSC::GetStackTraceFunctor::operator()):
500         * interpreter/Interpreter.h:
501         * interpreter/StackVisitor.cpp:
502         (JSC::StackVisitor::Frame::computeLineAndColumn):
503         * parser/ParserError.h:
504         (JSC::ParserError::toErrorObject): Plumb through an override line number.
505         When a function has an override line number, all syntax and runtime
506         errors in the function will map to it. This is useful for attribute event
507         listeners.
508  
509         * parser/SourceCode.h:
510         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
511         column numbers to one-based integers. It was kind of a hack to remove this.
512
513         * runtime/Executable.cpp:
514         (JSC::ScriptExecutable::ScriptExecutable):
515         (JSC::FunctionExecutable::fromGlobalCode):
516         * runtime/Executable.h:
517         (JSC::ScriptExecutable::setOverrideLineNo):
518         (JSC::ScriptExecutable::hasOverrideLineNo):
519         (JSC::ScriptExecutable::overrideLineNo):
520         * runtime/FunctionConstructor.cpp:
521         (JSC::constructFunctionSkippingEvalEnabledCheck):
522         * runtime/FunctionConstructor.h: Plumb through an override line number.
523
524 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
525
526         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
527
528         Reviewed by Michael Saboff.
529
530         * jit/JITPropertyAccess.cpp:
531         (JSC::JIT::emitScopedArgumentsGetByVal):
532         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
533
534 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
535
536         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
537         https://bugs.webkit.org/show_bug.cgi?id=143098
538
539         Reviewed by Csaba Osztrogonác.
540
541         * ftl/FTLLowerDFGToLLVM.cpp:
542         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
543         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
544
545 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
546
547         Unreviewed gardening, skip failing tests on AArch64 Linux.
548
549         * tests/mozilla/mozilla-tests.yaml:
550         * tests/stress/cached-prototype-setter.js:
551
552 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
553
554         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
555
556         * dfg/DFGConstantFoldingPhase.cpp:
557         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
558         * ftl/FTLCompile.cpp:
559         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
560         * ftl/FTLState.cpp:
561         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
562         * ftl/FTLState.h:
563
564 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
565
566         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
567         right, so this just makes 32-bit do the same.
568
569         * dfg/DFGSpeculativeJIT32_64.cpp:
570         (JSC::DFG::SpeculativeJIT::emitCall):
571
572 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
573
574         Fix a typo that ggaren found but that I didn't fix before.
575
576         * runtime/DirectArgumentsOffset.h:
577
578 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
579
580         Unreviewed, VC found a bug. This fixes the bug.
581
582         * dfg/DFGConstantFoldingPhase.cpp:
583         (JSC::DFG::ConstantFoldingPhase::foldConstants):
584
585 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
586
587         Unreviewed, try to fix Windows build.
588
589         * runtime/ClonedArguments.cpp:
590         (JSC::ClonedArguments::createWithInlineFrame):
591
592 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
593
594         Unreviewed, fix debug build.
595
596         * bytecompiler/NodesCodegen.cpp:
597         (JSC::ConstDeclNode::emitCodeSingle):
598
599 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
600
601         Unreviewed, fix CLOOP build.
602
603         * dfg/DFGMinifiedID.h:
604
605 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
606
607         Heap variables shouldn't end up in the stack frame
608         https://bugs.webkit.org/show_bug.cgi?id=141174
609
610         Reviewed by Geoffrey Garen.
611         
612         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
613         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
614         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
615         simplifications:
616         
617         - Accesses to variables no longer need checks or indirections to determine where the variable is
618           at that moment in time. For example, loading a closure variable now takes just one load instead
619           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
620           (when no arguments object allocation is required) while previously that same operation required
621           a "did I allocate arguments yet" check, a bounds check, and then the load.
622         
623         - Reasoning about the allocation of an activation or arguments object now follows the same simple
624           logic as the allocation of any other kind of object. Previously, those objects were lazily
625           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
626           allocate anything at all. This made the implementation of traditional escape analyses really
627           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
628           arguments object using the usual SSA tricks which allows for more comprehensive removal.
629         
630         - The allocations of arguments objects, functions, and activations are now much faster. While
631           this patch generally expands our ability to eliminate arguments object allocations, an earlier
632           version of the patch - which lacked that functionality - was a progression on some arguments-
633           and closure-happy benchmarks because although no allocations were eliminated, all allocations
634           were faster.
635         
636         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
637           its arguments objects or activations. The runtime doesn't have to do things to the arguments
638           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
639           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
640           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" is
641           now gone. This also enables implementing block-scoping. Without this change, block-scope
642           support would require telling CodeBlock and all of the rest of the runtime about all of the
643           variables that store currently-live scopes. That would have been so disastrously hard that it
644           might as well be impossible. With this change, it's fair game for the bytecode generator to
645           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
646           however long it wants. This all works, because after bytecode generation, an activation is just
647           an object and variables that refer to it are just normal variables.
648         
649         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
650           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
651           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
652           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
653           an arguments object.
654         
655         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
656           using activations used to prevent inlining; now functions that use activations can be inlined
657           just fine.
658         
659         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
660         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
661         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
662         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
663         
664         The easiest way of understanding this change is to start by looking at the changes in runtime/,
665         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
666
667         * CMakeLists.txt:
668         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
669         * JavaScriptCore.xcodeproj/project.pbxproj:
670         * assembler/AbortReason.h:
671         * assembler/AbstractMacroAssembler.h:
672         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
673         * bytecode/ByValInfo.h:
674         (JSC::hasOptimizableIndexingForJSType):
675         (JSC::hasOptimizableIndexing):
676         (JSC::jitArrayModeForJSType):
677         (JSC::jitArrayModePermitsPut):
678         (JSC::jitArrayModeForStructure):
679         * bytecode/BytecodeKills.h: Added.
680         (JSC::BytecodeKills::BytecodeKills):
681         (JSC::BytecodeKills::operandIsKilled):
682         (JSC::BytecodeKills::forEachOperandKilledAt):
683         (JSC::BytecodeKills::KillSet::KillSet):
684         (JSC::BytecodeKills::KillSet::add):
685         (JSC::BytecodeKills::KillSet::forEachLocal):
686         (JSC::BytecodeKills::KillSet::contains):
687         * bytecode/BytecodeList.json:
688         * bytecode/BytecodeLivenessAnalysis.cpp:
689         (JSC::isValidRegisterForLiveness):
690         (JSC::stepOverInstruction):
691         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
692         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
693         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
694         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
695         (JSC::BytecodeLivenessAnalysis::computeKills):
696         (JSC::indexForOperand): Deleted.
697         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
698         (JSC::getLivenessInfo): Deleted.
699         * bytecode/BytecodeLivenessAnalysis.h:
700         * bytecode/BytecodeLivenessAnalysisInlines.h:
701         (JSC::operandIsAlwaysLive):
702         (JSC::operandThatIsNotAlwaysLiveIsLive):
703         (JSC::operandIsLive):
704         * bytecode/BytecodeUseDef.h:
705         (JSC::computeUsesForBytecodeOffset):
706         (JSC::computeDefsForBytecodeOffset):
707         * bytecode/CodeBlock.cpp:
708         (JSC::CodeBlock::dumpBytecode):
709         (JSC::CodeBlock::CodeBlock):
710         (JSC::CodeBlock::nameForRegister):
711         (JSC::CodeBlock::validate):
712         (JSC::CodeBlock::isCaptured): Deleted.
713         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
714         (JSC::CodeBlock::machineSlowArguments): Deleted.
715         * bytecode/CodeBlock.h:
716         (JSC::unmodifiedArgumentsRegister): Deleted.
717         (JSC::CodeBlock::setArgumentsRegister): Deleted.
718         (JSC::CodeBlock::argumentsRegister): Deleted.
719         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
720         (JSC::CodeBlock::usesArguments): Deleted.
721         (JSC::CodeBlock::captureCount): Deleted.
722         (JSC::CodeBlock::captureStart): Deleted.
723         (JSC::CodeBlock::captureEnd): Deleted.
724         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
725         (JSC::CodeBlock::hasSlowArguments): Deleted.
726         (JSC::ExecState::argumentAfterCapture): Deleted.
727         * bytecode/CodeOrigin.h:
728         * bytecode/DataFormat.h:
729         (JSC::dataFormatToString):
730         * bytecode/FullBytecodeLiveness.h:
731         (JSC::FullBytecodeLiveness::getLiveness):
732         (JSC::FullBytecodeLiveness::operandIsLive):
733         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
734         (JSC::FullBytecodeLiveness::getOut): Deleted.
735         * bytecode/Instruction.h:
736         (JSC::Instruction::Instruction):
737         * bytecode/Operands.h:
738         (JSC::Operands::virtualRegisterForIndex):
739         * bytecode/SpeculatedType.cpp:
740         (JSC::dumpSpeculation):
741         (JSC::speculationToAbbreviatedString):
742         (JSC::speculationFromClassInfo):
743         * bytecode/SpeculatedType.h:
744         (JSC::isDirectArgumentsSpeculation):
745         (JSC::isScopedArgumentsSpeculation):
746         (JSC::isActionableMutableArraySpeculation):
747         (JSC::isActionableArraySpeculation):
748         (JSC::isArgumentsSpeculation): Deleted.
749         * bytecode/UnlinkedCodeBlock.cpp:
750         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
751         * bytecode/UnlinkedCodeBlock.h:
752         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
753         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
754         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
755         * bytecode/ValueRecovery.cpp:
756         (JSC::ValueRecovery::dumpInContext):
757         * bytecode/ValueRecovery.h:
758         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
759         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
760         (JSC::ValueRecovery::nodeID):
761         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
762         * bytecode/VirtualRegister.h:
763         (JSC::VirtualRegister::operator==):
764         (JSC::VirtualRegister::operator!=):
765         (JSC::VirtualRegister::operator<):
766         (JSC::VirtualRegister::operator>):
767         (JSC::VirtualRegister::operator<=):
768         (JSC::VirtualRegister::operator>=):
769         * bytecompiler/BytecodeGenerator.cpp:
770         (JSC::BytecodeGenerator::generate):
771         (JSC::BytecodeGenerator::BytecodeGenerator):
772         (JSC::BytecodeGenerator::initializeNextParameter):
773         (JSC::BytecodeGenerator::visibleNameForParameter):
774         (JSC::BytecodeGenerator::emitMove):
775         (JSC::BytecodeGenerator::variable):
776         (JSC::BytecodeGenerator::createVariable):
777         (JSC::BytecodeGenerator::emitResolveScope):
778         (JSC::BytecodeGenerator::emitGetFromScope):
779         (JSC::BytecodeGenerator::emitPutToScope):
780         (JSC::BytecodeGenerator::initializeVariable):
781         (JSC::BytecodeGenerator::emitInstanceOf):
782         (JSC::BytecodeGenerator::emitNewFunction):
783         (JSC::BytecodeGenerator::emitNewFunctionInternal):
784         (JSC::BytecodeGenerator::emitCall):
785         (JSC::BytecodeGenerator::emitReturn):
786         (JSC::BytecodeGenerator::emitConstruct):
787         (JSC::BytecodeGenerator::isArgumentNumber):
788         (JSC::BytecodeGenerator::emitEnumeration):
789         (JSC::BytecodeGenerator::addVar): Deleted.
790         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
791         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
792         (JSC::BytecodeGenerator::resolveCallee): Deleted.
793         (JSC::BytecodeGenerator::addCallee): Deleted.
794         (JSC::BytecodeGenerator::addParameter): Deleted.
795         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
796         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
797         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
798         (JSC::BytecodeGenerator::isCaptured): Deleted.
799         (JSC::BytecodeGenerator::local): Deleted.
800         (JSC::BytecodeGenerator::constLocal): Deleted.
801         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
802         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
803         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
804         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
805         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
806         * bytecompiler/BytecodeGenerator.h:
807         (JSC::Variable::Variable):
808         (JSC::Variable::isResolved):
809         (JSC::Variable::ident):
810         (JSC::Variable::offset):
811         (JSC::Variable::isLocal):
812         (JSC::Variable::local):
813         (JSC::Variable::isSpecial):
814         (JSC::BytecodeGenerator::argumentsRegister):
815         (JSC::BytecodeGenerator::emitNode):
816         (JSC::BytecodeGenerator::registerFor):
817         (JSC::Local::Local): Deleted.
818         (JSC::Local::operator bool): Deleted.
819         (JSC::Local::get): Deleted.
820         (JSC::Local::isSpecial): Deleted.
821         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
822         (JSC::ResolveScopeInfo::isLocal): Deleted.
823         (JSC::ResolveScopeInfo::localIndex): Deleted.
824         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
825         (JSC::BytecodeGenerator::captureMode): Deleted.
826         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
827         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
828         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
829         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
830         * bytecompiler/NodesCodegen.cpp:
831         (JSC::ResolveNode::isPure):
832         (JSC::ResolveNode::emitBytecode):
833         (JSC::BracketAccessorNode::emitBytecode):
834         (JSC::DotAccessorNode::emitBytecode):
835         (JSC::EvalFunctionCallNode::emitBytecode):
836         (JSC::FunctionCallResolveNode::emitBytecode):
837         (JSC::CallFunctionCallDotNode::emitBytecode):
838         (JSC::ApplyFunctionCallDotNode::emitBytecode):
839         (JSC::PostfixNode::emitResolve):
840         (JSC::DeleteResolveNode::emitBytecode):
841         (JSC::TypeOfResolveNode::emitBytecode):
842         (JSC::PrefixNode::emitResolve):
843         (JSC::ReadModifyResolveNode::emitBytecode):
844         (JSC::AssignResolveNode::emitBytecode):
845         (JSC::ConstDeclNode::emitCodeSingle):
846         (JSC::EmptyVarExpression::emitBytecode):
847         (JSC::ForInNode::tryGetBoundLocal):
848         (JSC::ForInNode::emitLoopHeader):
849         (JSC::ForOfNode::emitBytecode):
850         (JSC::ArrayPatternNode::emitDirectBinding):
851         (JSC::BindingNode::bindValue):
852         (JSC::getArgumentByVal): Deleted.
853         * dfg/DFGAbstractHeap.h:
854         * dfg/DFGAbstractInterpreter.h:
855         * dfg/DFGAbstractInterpreterInlines.h:
856         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
857         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
858         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
859         * dfg/DFGAbstractValue.h:
860         * dfg/DFGArgumentPosition.h:
861         (JSC::DFG::ArgumentPosition::addVariable):
862         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
863         (JSC::DFG::performArgumentsElimination):
864         * dfg/DFGArgumentsEliminationPhase.h: Added.
865         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
866         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
867         * dfg/DFGArgumentsUtilities.cpp: Added.
868         (JSC::DFG::argumentsInvolveStackSlot):
869         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
870         * dfg/DFGArgumentsUtilities.h: Added.
871         * dfg/DFGArrayMode.cpp:
872         (JSC::DFG::ArrayMode::refine):
873         (JSC::DFG::ArrayMode::alreadyChecked):
874         (JSC::DFG::arrayTypeToString):
875         * dfg/DFGArrayMode.h:
876         (JSC::DFG::ArrayMode::canCSEStorage):
877         (JSC::DFG::ArrayMode::modeForPut):
878         * dfg/DFGAvailabilityMap.cpp:
879         (JSC::DFG::AvailabilityMap::prune):
880         * dfg/DFGAvailabilityMap.h:
881         (JSC::DFG::AvailabilityMap::closeOverNodes):
882         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
883         * dfg/DFGBackwardsPropagationPhase.cpp:
884         (JSC::DFG::BackwardsPropagationPhase::propagate):
885         * dfg/DFGByteCodeParser.cpp:
886         (JSC::DFG::ByteCodeParser::newVariableAccessData):
887         (JSC::DFG::ByteCodeParser::getLocal):
888         (JSC::DFG::ByteCodeParser::setLocal):
889         (JSC::DFG::ByteCodeParser::getArgument):
890         (JSC::DFG::ByteCodeParser::setArgument):
891         (JSC::DFG::ByteCodeParser::flushDirect):
892         (JSC::DFG::ByteCodeParser::flush):
893         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
894         (JSC::DFG::ByteCodeParser::handleVarargsCall):
895         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
896         (JSC::DFG::ByteCodeParser::handleInlining):
897         (JSC::DFG::ByteCodeParser::parseBlock):
898         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
899         (JSC::DFG::ByteCodeParser::parseCodeBlock):
900         * dfg/DFGCPSRethreadingPhase.cpp:
901         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
902         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
903         * dfg/DFGCSEPhase.cpp:
904         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
905         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
906         * dfg/DFGCapabilities.cpp:
907         (JSC::DFG::isSupportedForInlining):
908         (JSC::DFG::capabilityLevel):
909         * dfg/DFGClobberize.h:
910         (JSC::DFG::clobberize):
911         * dfg/DFGCommon.h:
912         * dfg/DFGCommonData.h:
913         (JSC::DFG::CommonData::CommonData):
914         * dfg/DFGConstantFoldingPhase.cpp:
915         (JSC::DFG::ConstantFoldingPhase::foldConstants):
916         * dfg/DFGDCEPhase.cpp:
917         (JSC::DFG::DCEPhase::cleanVariables):
918         * dfg/DFGDisassembler.h:
919         * dfg/DFGDoesGC.cpp:
920         (JSC::DFG::doesGC):
921         * dfg/DFGFixupPhase.cpp:
922         (JSC::DFG::FixupPhase::fixupNode):
923         * dfg/DFGFlushFormat.cpp:
924         (WTF::printInternal):
925         * dfg/DFGFlushFormat.h:
926         (JSC::DFG::resultFor):
927         (JSC::DFG::useKindFor):
928         (JSC::DFG::dataFormatFor):
929         * dfg/DFGForAllKills.h: Added.
930         (JSC::DFG::forAllLiveNodesAtTail):
931         (JSC::DFG::forAllDirectlyKilledOperands):
932         (JSC::DFG::forAllKilledOperands):
933         (JSC::DFG::forAllKilledNodesAtNodeIndex):
934         (JSC::DFG::forAllKillsInBlock):
935         * dfg/DFGGraph.cpp:
936         (JSC::DFG::Graph::Graph):
937         (JSC::DFG::Graph::dump):
938         (JSC::DFG::Graph::substituteGetLocal):
939         (JSC::DFG::Graph::livenessFor):
940         (JSC::DFG::Graph::killsFor):
941         (JSC::DFG::Graph::tryGetConstantClosureVar):
942         (JSC::DFG::Graph::tryGetRegisters): Deleted.
943         * dfg/DFGGraph.h:
944         (JSC::DFG::Graph::symbolTableFor):
945         (JSC::DFG::Graph::uses):
946         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
947         (JSC::DFG::Graph::capturedVarsFor): Deleted.
948         (JSC::DFG::Graph::usesArguments): Deleted.
949         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
950         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
951         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
952         * dfg/DFGHeapLocation.cpp:
953         (WTF::printInternal):
954         * dfg/DFGHeapLocation.h:
955         * dfg/DFGInPlaceAbstractState.cpp:
956         (JSC::DFG::InPlaceAbstractState::initialize):
957         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
958         * dfg/DFGJITCompiler.cpp:
959         (JSC::DFG::JITCompiler::link):
960         * dfg/DFGMayExit.cpp:
961         (JSC::DFG::mayExit):
962         * dfg/DFGMinifiedID.h:
963         * dfg/DFGMinifiedNode.cpp:
964         (JSC::DFG::MinifiedNode::fromNode):
965         * dfg/DFGMinifiedNode.h:
966         (JSC::DFG::belongsInMinifiedGraph):
967         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
968         (JSC::DFG::MinifiedNode::inlineCallFrame):
969         * dfg/DFGNode.cpp:
970         (JSC::DFG::Node::convertToIdentityOn):
971         * dfg/DFGNode.h:
972         (JSC::DFG::Node::hasConstant):
973         (JSC::DFG::Node::constant):
974         (JSC::DFG::Node::hasScopeOffset):
975         (JSC::DFG::Node::scopeOffset):
976         (JSC::DFG::Node::hasDirectArgumentsOffset):
977         (JSC::DFG::Node::capturedArgumentsOffset):
978         (JSC::DFG::Node::variablePointer):
979         (JSC::DFG::Node::hasCallVarargsData):
980         (JSC::DFG::Node::hasLoadVarargsData):
981         (JSC::DFG::Node::hasHeapPrediction):
982         (JSC::DFG::Node::hasCellOperand):
983         (JSC::DFG::Node::objectMaterializationData):
984         (JSC::DFG::Node::isPhantomAllocation):
985         (JSC::DFG::Node::willHaveCodeGenOrOSR):
986         (JSC::DFG::Node::shouldSpeculateDirectArguments):
987         (JSC::DFG::Node::shouldSpeculateScopedArguments):
988         (JSC::DFG::Node::isPhantomArguments): Deleted.
989         (JSC::DFG::Node::hasVarNumber): Deleted.
990         (JSC::DFG::Node::varNumber): Deleted.
991         (JSC::DFG::Node::registerPointer): Deleted.
992         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
993         * dfg/DFGNodeType.h:
994         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
995         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
996         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
997         * dfg/DFGOSRExitCompiler.cpp:
998         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
999         * dfg/DFGOSRExitCompiler.h:
1000         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
1001         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
1002         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
1003         * dfg/DFGOSRExitCompiler32_64.cpp:
1004         (JSC::DFG::OSRExitCompiler::compileExit):
1005         * dfg/DFGOSRExitCompiler64.cpp:
1006         (JSC::DFG::OSRExitCompiler::compileExit):
1007         * dfg/DFGOSRExitCompilerCommon.cpp:
1008         (JSC::DFG::reifyInlinedCallFrames):
1009         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
1010         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
1011         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
1012         * dfg/DFGOSRExitCompilerCommon.h:
1013         * dfg/DFGOperations.cpp:
1014         * dfg/DFGOperations.h:
1015         * dfg/DFGPlan.cpp:
1016         (JSC::DFG::Plan::compileInThreadImpl):
1017         * dfg/DFGPreciseLocalClobberize.h:
1018         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
1019         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
1020         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
1021         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1022         (JSC::DFG::preciseLocalClobberize):
1023         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
1024         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
1025         * dfg/DFGPredictionPropagationPhase.cpp:
1026         (JSC::DFG::PredictionPropagationPhase::run):
1027         (JSC::DFG::PredictionPropagationPhase::propagate):
1028         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1029         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
1030         * dfg/DFGPromoteHeapAccess.h:
1031         (JSC::DFG::promoteHeapAccess):
1032         * dfg/DFGPromotedHeapLocation.cpp:
1033         (WTF::printInternal):
1034         * dfg/DFGPromotedHeapLocation.h:
1035         * dfg/DFGSSAConversionPhase.cpp:
1036         (JSC::DFG::SSAConversionPhase::run):
1037         * dfg/DFGSafeToExecute.h:
1038         (JSC::DFG::safeToExecute):
1039         * dfg/DFGSpeculativeJIT.cpp:
1040         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1041         (JSC::DFG::SpeculativeJIT::emitGetLength):
1042         (JSC::DFG::SpeculativeJIT::emitGetCallee):
1043         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
1044         (JSC::DFG::SpeculativeJIT::checkArray):
1045         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1046         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1047         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1048         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1049         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
1050         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1051         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1052         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
1053         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
1054         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1055         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1056         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
1057         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
1058         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
1059         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
1060         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
1061         * dfg/DFGSpeculativeJIT.h:
1062         (JSC::DFG::SpeculativeJIT::callOperation):
1063         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1064         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1065         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
1066         * dfg/DFGSpeculativeJIT32_64.cpp:
1067         (JSC::DFG::SpeculativeJIT::emitCall):
1068         (JSC::DFG::SpeculativeJIT::compile):
1069         * dfg/DFGSpeculativeJIT64.cpp:
1070         (JSC::DFG::SpeculativeJIT::emitCall):
1071         (JSC::DFG::SpeculativeJIT::compile):
1072         * dfg/DFGStackLayoutPhase.cpp:
1073         (JSC::DFG::StackLayoutPhase::run):
1074         * dfg/DFGStrengthReductionPhase.cpp:
1075         (JSC::DFG::StrengthReductionPhase::handleNode):
1076         * dfg/DFGStructureRegistrationPhase.cpp:
1077         (JSC::DFG::StructureRegistrationPhase::run):
1078         * dfg/DFGUnificationPhase.cpp:
1079         (JSC::DFG::UnificationPhase::run):
1080         * dfg/DFGValidate.cpp:
1081         (JSC::DFG::Validate::validateCPS):
1082         * dfg/DFGValueSource.cpp:
1083         (JSC::DFG::ValueSource::dump):
1084         * dfg/DFGValueSource.h:
1085         (JSC::DFG::dataFormatToValueSourceKind):
1086         (JSC::DFG::valueSourceKindToDataFormat):
1087         (JSC::DFG::ValueSource::ValueSource):
1088         (JSC::DFG::ValueSource::forFlushFormat):
1089         (JSC::DFG::ValueSource::valueRecovery):
1090         * dfg/DFGVarargsForwardingPhase.cpp: Added.
1091         (JSC::DFG::performVarargsForwarding):
1092         * dfg/DFGVarargsForwardingPhase.h: Added.
1093         * dfg/DFGVariableAccessData.cpp:
1094         (JSC::DFG::VariableAccessData::VariableAccessData):
1095         (JSC::DFG::VariableAccessData::flushFormat):
1096         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1097         * dfg/DFGVariableAccessData.h:
1098         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
1099         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
1100         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
1101         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
1102         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
1103         * dfg/DFGVariableAccessDataDump.cpp:
1104         (JSC::DFG::VariableAccessDataDump::dump):
1105         * dfg/DFGVariableAccessDataDump.h:
1106         * dfg/DFGVariableEventStream.cpp:
1107         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
1108         * dfg/DFGVariableEventStream.h:
1109         * ftl/FTLAbstractHeap.cpp:
1110         (JSC::FTL::AbstractHeap::dump):
1111         (JSC::FTL::AbstractField::dump):
1112         (JSC::FTL::IndexedAbstractHeap::dump):
1113         (JSC::FTL::NumberedAbstractHeap::dump):
1114         (JSC::FTL::AbsoluteAbstractHeap::dump):
1115         * ftl/FTLAbstractHeap.h:
1116         * ftl/FTLAbstractHeapRepository.cpp:
1117         * ftl/FTLAbstractHeapRepository.h:
1118         * ftl/FTLCapabilities.cpp:
1119         (JSC::FTL::canCompile):
1120         * ftl/FTLCompile.cpp:
1121         (JSC::FTL::mmAllocateDataSection):
1122         * ftl/FTLExitArgument.cpp:
1123         (JSC::FTL::ExitArgument::dump):
1124         * ftl/FTLExitPropertyValue.cpp:
1125         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
1126         * ftl/FTLExitPropertyValue.h:
1127         * ftl/FTLExitTimeObjectMaterialization.cpp:
1128         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
1129         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
1130         * ftl/FTLExitTimeObjectMaterialization.h:
1131         (JSC::FTL::ExitTimeObjectMaterialization::origin):
1132         * ftl/FTLExitValue.cpp:
1133         (JSC::FTL::ExitValue::withLocalsOffset):
1134         (JSC::FTL::ExitValue::valueFormat):
1135         (JSC::FTL::ExitValue::dumpInContext):
1136         * ftl/FTLExitValue.h:
1137         (JSC::FTL::ExitValue::isArgument):
1138         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
1139         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
1140         (JSC::FTL::ExitValue::valueFormat): Deleted.
1141         * ftl/FTLInlineCacheSize.cpp:
1142         (JSC::FTL::sizeOfCallForwardVarargs):
1143         (JSC::FTL::sizeOfConstructForwardVarargs):
1144         (JSC::FTL::sizeOfICFor):
1145         * ftl/FTLInlineCacheSize.h:
1146         * ftl/FTLIntrinsicRepository.h:
1147         * ftl/FTLJSCallVarargs.cpp:
1148         (JSC::FTL::JSCallVarargs::JSCallVarargs):
1149         (JSC::FTL::JSCallVarargs::emit):
1150         * ftl/FTLJSCallVarargs.h:
1151         * ftl/FTLLowerDFGToLLVM.cpp:
1152         (JSC::FTL::LowerDFGToLLVM::lower):
1153         (JSC::FTL::LowerDFGToLLVM::compileNode):
1154         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
1155         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1156         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1157         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1158         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1159         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1160         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1161         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
1162         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
1163         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
1164         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
1165         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
1166         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
1167         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
1168         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
1169         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
1170         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
1171         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
1172         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
1173         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
1174         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
1175         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1176         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
1177         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
1178         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
1179         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
1180         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
1181         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
1182         (JSC::FTL::LowerDFGToLLVM::baseIndex):
1183         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1184         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
1185         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1186         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1187         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1188         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1189         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1190         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1191         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
1192         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
1193         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
1194         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
1195         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
1196         * ftl/FTLOSRExitCompiler.cpp:
1197         (JSC::FTL::compileRecovery):
1198         (JSC::FTL::compileStub):
1199         * ftl/FTLOperations.cpp:
1200         (JSC::FTL::operationMaterializeObjectInOSR):
1201         * ftl/FTLOutput.h:
1202         (JSC::FTL::Output::aShr):
1203         (JSC::FTL::Output::lShr):
1204         (JSC::FTL::Output::zeroExtPtr):
1205         * heap/CopyToken.h:
1206         * interpreter/CallFrame.h:
1207         (JSC::ExecState::getArgumentUnsafe):
1208         * interpreter/Interpreter.cpp:
1209         (JSC::sizeOfVarargs):
1210         (JSC::sizeFrameForVarargs):
1211         (JSC::loadVarargs):
1212         (JSC::unwindCallFrame):
1213         * interpreter/Interpreter.h:
1214         * interpreter/StackVisitor.cpp:
1215         (JSC::StackVisitor::Frame::createArguments):
1216         (JSC::StackVisitor::Frame::existingArguments): Deleted.
1217         * interpreter/StackVisitor.h:
1218         * jit/AssemblyHelpers.h:
1219         (JSC::AssemblyHelpers::storeValue):
1220         (JSC::AssemblyHelpers::loadValue):
1221         (JSC::AssemblyHelpers::storeTrustedValue):
1222         (JSC::AssemblyHelpers::branchIfNotCell):
1223         (JSC::AssemblyHelpers::branchIsEmpty):
1224         (JSC::AssemblyHelpers::argumentsStart):
1225         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
1226         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
1227         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
1228         * jit/CCallHelpers.h:
1229         (JSC::CCallHelpers::setupArgument):
1230         * jit/GPRInfo.h:
1231         (JSC::JSValueRegs::withTwoAvailableRegs):
1232         * jit/JIT.cpp:
1233         (JSC::JIT::privateCompileMainPass):
1234         (JSC::JIT::privateCompileSlowCases):
1235         * jit/JIT.h:
1236         * jit/JITCall.cpp:
1237         (JSC::JIT::compileSetupVarargsFrame):
1238         * jit/JITCall32_64.cpp:
1239         (JSC::JIT::compileSetupVarargsFrame):
1240         * jit/JITInlines.h:
1241         (JSC::JIT::callOperation):
1242         * jit/JITOpcodes.cpp:
1243         (JSC::JIT::emit_op_create_lexical_environment):
1244         (JSC::JIT::emit_op_new_func):
1245         (JSC::JIT::emit_op_create_direct_arguments):
1246         (JSC::JIT::emit_op_create_scoped_arguments):
1247         (JSC::JIT::emit_op_create_out_of_band_arguments):
1248         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1249         (JSC::JIT::emit_op_create_arguments): Deleted.
1250         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1251         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1252         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1253         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1254         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1255         * jit/JITOpcodes32_64.cpp:
1256         (JSC::JIT::emit_op_create_lexical_environment):
1257         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1258         (JSC::JIT::emit_op_create_arguments): Deleted.
1259         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1260         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1261         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1262         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1263         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1264         * jit/JITOperations.cpp:
1265         * jit/JITOperations.h:
1266         * jit/JITPropertyAccess.cpp:
1267         (JSC::JIT::emitGetClosureVar):
1268         (JSC::JIT::emitPutClosureVar):
1269         (JSC::JIT::emit_op_get_from_arguments):
1270         (JSC::JIT::emit_op_put_to_arguments):
1271         (JSC::JIT::emit_op_init_global_const):
1272         (JSC::JIT::privateCompileGetByVal):
1273         (JSC::JIT::emitDirectArgumentsGetByVal):
1274         (JSC::JIT::emitScopedArgumentsGetByVal):
1275         * jit/JITPropertyAccess32_64.cpp:
1276         (JSC::JIT::emitGetClosureVar):
1277         (JSC::JIT::emitPutClosureVar):
1278         (JSC::JIT::emit_op_get_from_arguments):
1279         (JSC::JIT::emit_op_put_to_arguments):
1280         (JSC::JIT::emit_op_init_global_const):
1281         * jit/SetupVarargsFrame.cpp:
1282         (JSC::emitSetupVarargsFrameFastCase):
1283         * llint/LLIntOffsetsExtractor.cpp:
1284         * llint/LLIntSlowPaths.cpp:
1285         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1286         * llint/LowLevelInterpreter.asm:
1287         * llint/LowLevelInterpreter32_64.asm:
1288         * llint/LowLevelInterpreter64.asm:
1289         * parser/Nodes.h:
1290         (JSC::ScopeNode::captures):
1291         * runtime/Arguments.cpp: Removed.
1292         * runtime/Arguments.h: Removed.
1293         * runtime/ArgumentsMode.h: Added.
1294         * runtime/DirectArgumentsOffset.cpp: Added.
1295         (JSC::DirectArgumentsOffset::dump):
1296         * runtime/DirectArgumentsOffset.h: Added.
1297         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
1298         * runtime/CommonSlowPaths.cpp:
1299         (JSC::SLOW_PATH_DECL):
1300         * runtime/CommonSlowPaths.h:
1301         * runtime/ConstantMode.cpp: Added.
1302         (WTF::printInternal):
1303         * runtime/ConstantMode.h:
1304         (JSC::modeForIsConstant):
1305         * runtime/DirectArguments.cpp: Added.
1306         (JSC::DirectArguments::DirectArguments):
1307         (JSC::DirectArguments::createUninitialized):
1308         (JSC::DirectArguments::create):
1309         (JSC::DirectArguments::createByCopying):
1310         (JSC::DirectArguments::visitChildren):
1311         (JSC::DirectArguments::copyBackingStore):
1312         (JSC::DirectArguments::createStructure):
1313         (JSC::DirectArguments::overrideThings):
1314         (JSC::DirectArguments::overrideThingsIfNecessary):
1315         (JSC::DirectArguments::overrideArgument):
1316         (JSC::DirectArguments::copyToArguments):
1317         (JSC::DirectArguments::overridesSize):
1318         * runtime/DirectArguments.h: Added.
1319         (JSC::DirectArguments::internalLength):
1320         (JSC::DirectArguments::length):
1321         (JSC::DirectArguments::canAccessIndexQuickly):
1322         (JSC::DirectArguments::getIndexQuickly):
1323         (JSC::DirectArguments::setIndexQuickly):
1324         (JSC::DirectArguments::callee):
1325         (JSC::DirectArguments::argument):
1326         (JSC::DirectArguments::overrodeThings):
1327         (JSC::DirectArguments::offsetOfCallee):
1328         (JSC::DirectArguments::offsetOfLength):
1329         (JSC::DirectArguments::offsetOfMinCapacity):
1330         (JSC::DirectArguments::offsetOfOverrides):
1331         (JSC::DirectArguments::storageOffset):
1332         (JSC::DirectArguments::offsetOfSlot):
1333         (JSC::DirectArguments::allocationSize):
1334         (JSC::DirectArguments::storage):
1335         * runtime/FunctionPrototype.cpp:
1336         * runtime/GenericArguments.h: Added.
1337         (JSC::GenericArguments::GenericArguments):
1338         * runtime/GenericArgumentsInlines.h: Added.
1339         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1340         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1341         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1342         (JSC::GenericArguments<Type>::put):
1343         (JSC::GenericArguments<Type>::putByIndex):
1344         (JSC::GenericArguments<Type>::deleteProperty):
1345         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1346         (JSC::GenericArguments<Type>::defineOwnProperty):
1347         (JSC::GenericArguments<Type>::copyToArguments):
1348         * runtime/GenericOffset.h: Added.
1349         (JSC::GenericOffset::GenericOffset):
1350         (JSC::GenericOffset::operator!):
1351         (JSC::GenericOffset::offsetUnchecked):
1352         (JSC::GenericOffset::offset):
1353         (JSC::GenericOffset::operator==):
1354         (JSC::GenericOffset::operator!=):
1355         (JSC::GenericOffset::operator<):
1356         (JSC::GenericOffset::operator>):
1357         (JSC::GenericOffset::operator<=):
1358         (JSC::GenericOffset::operator>=):
1359         (JSC::GenericOffset::operator+):
1360         (JSC::GenericOffset::operator-):
1361         (JSC::GenericOffset::operator+=):
1362         (JSC::GenericOffset::operator-=):
1363         * runtime/JSArgumentsIterator.cpp:
1364         (JSC::JSArgumentsIterator::finishCreation):
1365         (JSC::argumentsFuncIterator):
1366         * runtime/JSArgumentsIterator.h:
1367         (JSC::JSArgumentsIterator::create):
1368         (JSC::JSArgumentsIterator::next):
1369         * runtime/JSEnvironmentRecord.cpp:
1370         (JSC::JSEnvironmentRecord::visitChildren):
1371         * runtime/JSEnvironmentRecord.h:
1372         (JSC::JSEnvironmentRecord::variables):
1373         (JSC::JSEnvironmentRecord::isValid):
1374         (JSC::JSEnvironmentRecord::variableAt):
1375         (JSC::JSEnvironmentRecord::offsetOfVariables):
1376         (JSC::JSEnvironmentRecord::offsetOfVariable):
1377         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
1378         (JSC::JSEnvironmentRecord::allocationSize):
1379         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1380         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
1381         (JSC::JSEnvironmentRecord::finishCreation):
1382         (JSC::JSEnvironmentRecord::registers): Deleted.
1383         (JSC::JSEnvironmentRecord::registerAt): Deleted.
1384         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
1385         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
1386         * runtime/JSFunction.cpp:
1387         * runtime/JSGlobalObject.cpp:
1388         (JSC::JSGlobalObject::init):
1389         (JSC::JSGlobalObject::addGlobalVar):
1390         (JSC::JSGlobalObject::addFunction):
1391         (JSC::JSGlobalObject::visitChildren):
1392         (JSC::JSGlobalObject::addStaticGlobals):
1393         * runtime/JSGlobalObject.h:
1394         (JSC::JSGlobalObject::directArgumentsStructure):
1395         (JSC::JSGlobalObject::scopedArgumentsStructure):
1396         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
1397         (JSC::JSGlobalObject::argumentsStructure): Deleted.
1398         * runtime/JSLexicalEnvironment.cpp:
1399         (JSC::JSLexicalEnvironment::symbolTableGet):
1400         (JSC::JSLexicalEnvironment::symbolTablePut):
1401         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1402         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
1403         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
1404         * runtime/JSLexicalEnvironment.h:
1405         (JSC::JSLexicalEnvironment::create):
1406         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
1407         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
1408         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
1409         (JSC::JSLexicalEnvironment::storage): Deleted.
1410         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
1411         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
1412         (JSC::JSLexicalEnvironment::isValid): Deleted.
1413         (JSC::JSLexicalEnvironment::registerAt): Deleted.
1414         * runtime/JSNameScope.cpp:
1415         (JSC::JSNameScope::visitChildren): Deleted.
1416         * runtime/JSNameScope.h:
1417         (JSC::JSNameScope::create):
1418         (JSC::JSNameScope::value):
1419         (JSC::JSNameScope::finishCreation):
1420         (JSC::JSNameScope::JSNameScope):
1421         * runtime/JSScope.cpp:
1422         (JSC::abstractAccess):
1423         * runtime/JSSegmentedVariableObject.cpp:
1424         (JSC::JSSegmentedVariableObject::findVariableIndex):
1425         (JSC::JSSegmentedVariableObject::addVariables):
1426         (JSC::JSSegmentedVariableObject::visitChildren):
1427         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
1428         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
1429         * runtime/JSSegmentedVariableObject.h:
1430         (JSC::JSSegmentedVariableObject::variableAt):
1431         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
1432         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
1433         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
1434         * runtime/JSSymbolTableObject.h:
1435         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
1436         (JSC::symbolTableGet):
1437         (JSC::symbolTablePut):
1438         (JSC::symbolTablePutWithAttributes):
1439         * runtime/JSType.h:
1440         * runtime/Options.h:
1441         * runtime/ClonedArguments.cpp: Added.
1442         (JSC::ClonedArguments::ClonedArguments):
1443         (JSC::ClonedArguments::createEmpty):
1444         (JSC::ClonedArguments::createWithInlineFrame):
1445         (JSC::ClonedArguments::createWithMachineFrame):
1446         (JSC::ClonedArguments::createByCopyingFrom):
1447         (JSC::ClonedArguments::createStructure):
1448         (JSC::ClonedArguments::getOwnPropertySlot):
1449         (JSC::ClonedArguments::getOwnPropertyNames):
1450         (JSC::ClonedArguments::put):
1451         (JSC::ClonedArguments::deleteProperty):
1452         (JSC::ClonedArguments::defineOwnProperty):
1453         (JSC::ClonedArguments::materializeSpecials):
1454         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
1455         * runtime/ClonedArguments.h: Added.
1456         (JSC::ClonedArguments::specialsMaterialized):
1457         * runtime/ScopeOffset.cpp: Added.
1458         (JSC::ScopeOffset::dump):
1459         * runtime/ScopeOffset.h: Added.
1460         (JSC::ScopeOffset::ScopeOffset):
1461         * runtime/ScopedArguments.cpp: Added.
1462         (JSC::ScopedArguments::ScopedArguments):
1463         (JSC::ScopedArguments::finishCreation):
1464         (JSC::ScopedArguments::createUninitialized):
1465         (JSC::ScopedArguments::create):
1466         (JSC::ScopedArguments::createByCopying):
1467         (JSC::ScopedArguments::createByCopyingFrom):
1468         (JSC::ScopedArguments::visitChildren):
1469         (JSC::ScopedArguments::createStructure):
1470         (JSC::ScopedArguments::overrideThings):
1471         (JSC::ScopedArguments::overrideThingsIfNecessary):
1472         (JSC::ScopedArguments::overrideArgument):
1473         (JSC::ScopedArguments::copyToArguments):
1474         * runtime/ScopedArguments.h: Added.
1475         (JSC::ScopedArguments::internalLength):
1476         (JSC::ScopedArguments::length):
1477         (JSC::ScopedArguments::canAccessIndexQuickly):
1478         (JSC::ScopedArguments::getIndexQuickly):
1479         (JSC::ScopedArguments::setIndexQuickly):
1480         (JSC::ScopedArguments::callee):
1481         (JSC::ScopedArguments::overrodeThings):
1482         (JSC::ScopedArguments::offsetOfOverrodeThings):
1483         (JSC::ScopedArguments::offsetOfTotalLength):
1484         (JSC::ScopedArguments::offsetOfTable):
1485         (JSC::ScopedArguments::offsetOfScope):
1486         (JSC::ScopedArguments::overflowStorageOffset):
1487         (JSC::ScopedArguments::allocationSize):
1488         (JSC::ScopedArguments::overflowStorage):
1489         * runtime/ScopedArgumentsTable.cpp: Added.
1490         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
1491         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
1492         (JSC::ScopedArgumentsTable::destroy):
1493         (JSC::ScopedArgumentsTable::create):
1494         (JSC::ScopedArgumentsTable::clone):
1495         (JSC::ScopedArgumentsTable::setLength):
1496         (JSC::ScopedArgumentsTable::set):
1497         (JSC::ScopedArgumentsTable::createStructure):
1498         * runtime/ScopedArgumentsTable.h: Added.
1499         (JSC::ScopedArgumentsTable::length):
1500         (JSC::ScopedArgumentsTable::get):
1501         (JSC::ScopedArgumentsTable::lock):
1502         (JSC::ScopedArgumentsTable::offsetOfLength):
1503         (JSC::ScopedArgumentsTable::offsetOfArguments):
1504         (JSC::ScopedArgumentsTable::at):
1505         * runtime/SymbolTable.cpp:
1506         (JSC::SymbolTableEntry::prepareToWatch):
1507         (JSC::SymbolTable::SymbolTable):
1508         (JSC::SymbolTable::visitChildren):
1509         (JSC::SymbolTable::localToEntry):
1510         (JSC::SymbolTable::entryFor):
1511         (JSC::SymbolTable::cloneScopePart):
1512         (JSC::SymbolTable::prepareForTypeProfiling):
1513         (JSC::SymbolTable::uniqueIDForOffset):
1514         (JSC::SymbolTable::globalTypeSetForOffset):
1515         (JSC::SymbolTable::cloneCapturedNames): Deleted.
1516         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
1517         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
1518         * runtime/SymbolTable.h:
1519         (JSC::SymbolTableEntry::varOffsetFromBits):
1520         (JSC::SymbolTableEntry::scopeOffsetFromBits):
1521         (JSC::SymbolTableEntry::Fast::varOffset):
1522         (JSC::SymbolTableEntry::Fast::scopeOffset):
1523         (JSC::SymbolTableEntry::Fast::isDontEnum):
1524         (JSC::SymbolTableEntry::Fast::getAttributes):
1525         (JSC::SymbolTableEntry::SymbolTableEntry):
1526         (JSC::SymbolTableEntry::varOffset):
1527         (JSC::SymbolTableEntry::isWatchable):
1528         (JSC::SymbolTableEntry::scopeOffset):
1529         (JSC::SymbolTableEntry::setAttributes):
1530         (JSC::SymbolTableEntry::constantMode):
1531         (JSC::SymbolTableEntry::isDontEnum):
1532         (JSC::SymbolTableEntry::disableWatching):
1533         (JSC::SymbolTableEntry::pack):
1534         (JSC::SymbolTableEntry::isValidVarOffset):
1535         (JSC::SymbolTable::createNameScopeTable):
1536         (JSC::SymbolTable::maxScopeOffset):
1537         (JSC::SymbolTable::didUseScopeOffset):
1538         (JSC::SymbolTable::didUseVarOffset):
1539         (JSC::SymbolTable::scopeSize):
1540         (JSC::SymbolTable::nextScopeOffset):
1541         (JSC::SymbolTable::takeNextScopeOffset):
1542         (JSC::SymbolTable::add):
1543         (JSC::SymbolTable::set):
1544         (JSC::SymbolTable::argumentsLength):
1545         (JSC::SymbolTable::setArgumentsLength):
1546         (JSC::SymbolTable::argumentOffset):
1547         (JSC::SymbolTable::setArgumentOffset):
1548         (JSC::SymbolTable::arguments):
1549         (JSC::SlowArgument::SlowArgument): Deleted.
1550         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
1551         (JSC::SymbolTableEntry::getIndex): Deleted.
1552         (JSC::SymbolTableEntry::isValidIndex): Deleted.
1553         (JSC::SymbolTable::captureStart): Deleted.
1554         (JSC::SymbolTable::setCaptureStart): Deleted.
1555         (JSC::SymbolTable::captureEnd): Deleted.
1556         (JSC::SymbolTable::setCaptureEnd): Deleted.
1557         (JSC::SymbolTable::captureCount): Deleted.
1558         (JSC::SymbolTable::isCaptured): Deleted.
1559         (JSC::SymbolTable::parameterCount): Deleted.
1560         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
1561         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
1562         (JSC::SymbolTable::slowArguments): Deleted.
1563         (JSC::SymbolTable::setSlowArguments): Deleted.
1564         * runtime/VM.cpp:
1565         (JSC::VM::VM):
1566         * runtime/VM.h:
1567         * runtime/VarOffset.cpp: Added.
1568         (JSC::VarOffset::dump):
1569         (WTF::printInternal):
1570         * runtime/VarOffset.h: Added.
1571         (JSC::VarOffset::VarOffset):
1572         (JSC::VarOffset::assemble):
1573         (JSC::VarOffset::isValid):
1574         (JSC::VarOffset::operator!):
1575         (JSC::VarOffset::kind):
1576         (JSC::VarOffset::isStack):
1577         (JSC::VarOffset::isScope):
1578         (JSC::VarOffset::isDirectArgument):
1579         (JSC::VarOffset::stackOffsetUnchecked):
1580         (JSC::VarOffset::scopeOffsetUnchecked):
1581         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
1582         (JSC::VarOffset::stackOffset):
1583         (JSC::VarOffset::scopeOffset):
1584         (JSC::VarOffset::capturedArgumentsOffset):
1585         (JSC::VarOffset::rawOffset):
1586         (JSC::VarOffset::checkSanity):
1587         (JSC::VarOffset::operator==):
1588         (JSC::VarOffset::operator!=):
1589         (JSC::VarOffset::hash):
1590         (JSC::VarOffset::isHashTableDeletedValue):
1591         (JSC::VarOffsetHash::hash):
1592         (JSC::VarOffsetHash::equal):
1593         * tests/stress/arguments-exit-strict-mode.js: Added.
1594         * tests/stress/arguments-exit.js: Added.
1595         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
1596         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
1597         * tests/stress/arguments-inlined-exit.js: Added.
1598         * tests/stress/arguments-interference.js: Added.
1599         * tests/stress/arguments-interference-cfg.js: Added.
1600         * tests/stress/dead-get-closure-var.js: Added.
1601         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
1602         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
1603         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
1604         * tests/stress/varargs-closure-inlined-exit.js: Added.
1605         * tests/stress/varargs-exit.js: Added.
1606         * tests/stress/varargs-inlined-exit.js: Added.
1607         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
1608         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
1609         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
1610         * tests/stress/varargs-inlined-simple-exit.js: Added.
1611         * tests/stress/varargs-too-few-arguments.js: Added.
1612         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
1613         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
1614         * tests/stress/varargs-varargs-inlined-exit.js: Added.
1615
1616 2015-03-25  Andy Estes  <aestes@apple.com>
1617
1618         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
1619         https://bugs.webkit.org/show_bug.cgi?id=143068
1620
1621         Reviewed by Dan Bernstein.
1622
1623         * inspector/remote/RemoteInspectorXPCConnection.mm:
1624         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
1625
1626 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1627
1628         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
1629         https://bugs.webkit.org/show_bug.cgi?id=142993
1630
1631         Reviewed by Geoffrey Garen and Mark Lam.
1632         
1633         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
1634         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
1635         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
1636         failure, but also involves adding the same kind of thing to the stub generators in
1637         Repatch.
1638         
1639         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
1640         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
1641         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
1642         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
1643         printout.
1644         
1645         Also add a way of inducing executable allocation failure, so that we can test this.
1646
1647         * CMakeLists.txt:
1648         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1649         * JavaScriptCore.xcodeproj/project.pbxproj:
1650         * dfg/DFGJITCompiler.cpp:
1651         (JSC::DFG::JITCompiler::compile):
1652         (JSC::DFG::JITCompiler::compileFunction):
1653         (JSC::DFG::JITCompiler::link): Deleted.
1654         (JSC::DFG::JITCompiler::linkFunction): Deleted.
1655         * dfg/DFGJITCompiler.h:
1656         * dfg/DFGPlan.cpp:
1657         (JSC::DFG::Plan::compileInThreadImpl):
1658         * ftl/FTLCompile.cpp:
1659         (JSC::FTL::mmAllocateCodeSection):
1660         (JSC::FTL::mmAllocateDataSection):
1661         * ftl/FTLLink.cpp:
1662         (JSC::FTL::link):
1663         * ftl/FTLState.h:
1664         * jit/ArityCheckFailReturnThunks.cpp:
1665         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
1666         * jit/ExecutableAllocationFuzz.cpp: Added.
1667         (JSC::numberOfExecutableAllocationFuzzChecks):
1668         (JSC::doExecutableAllocationFuzzing):
1669         * jit/ExecutableAllocationFuzz.h: Added.
1670         (JSC::doExecutableAllocationFuzzingIfEnabled):
1671         * jit/ExecutableAllocatorFixedVMPool.cpp:
1672         (JSC::ExecutableAllocator::allocate):
1673         * jit/JIT.cpp:
1674         (JSC::JIT::privateCompile):
1675         * jit/JITCompilationEffort.h:
1676         * jit/Repatch.cpp:
1677         (JSC::generateByIdStub):
1678         (JSC::tryCacheGetByID):
1679         (JSC::tryBuildGetByIDList):
1680         (JSC::emitPutReplaceStub):
1681         (JSC::emitPutTransitionStubAndGetOldStructure):
1682         (JSC::tryCachePutByID):
1683         (JSC::tryBuildPutByIdList):
1684         (JSC::tryRepatchIn):
1685         (JSC::linkPolymorphicCall):
1686         * jsc.cpp:
1687         (jscmain):
1688         * runtime/Options.h:
1689         * runtime/TestRunnerUtils.h:
1690         * runtime/VM.cpp:
1691         * tests/executableAllocationFuzz: Added.
1692         * tests/executableAllocationFuzz.yaml: Added.
1693         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
1694
1695 2015-03-25  Mark Lam  <mark.lam@apple.com>
1696
1697         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
1698         <https://webkit.org/b/135719>
1699
1700         Reviewed by Geoffrey Garen.
1701
1702         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
1703         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
1704         update the LLINT to access it as such.
1705
1706         The issue has only manifested so far on the CLoop tests because those are LLINT
1707         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
1708         hiding the bug in the LLINT.
1709
1710         * API/JSContextRef.cpp:
1711         (createWatchdogIfNeeded):
1712         (JSContextGroupSetExecutionTimeLimit):
1713         (JSContextGroupClearExecutionTimeLimit):
1714         * llint/LowLevelInterpreter.asm:
1715
1716 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1717
1718         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
1719
1720         Rubber stamped by Geoffrey Garen.
1721
1722         * bytecode/CodeBlock.cpp:
1723         (JSC::CodeBlock::visitAggregate):
1724
1725 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
1726
1727         Fix formatting in BuiltinExecutables
1728         https://bugs.webkit.org/show_bug.cgi?id=143061
1729
1730         Reviewed by Ryosuke Niwa.
1731
1732         * builtins/BuiltinExecutables.cpp:
1733         (JSC::BuiltinExecutables::createExecutableInternal):
1734
1735 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
1736
1737         ES6: Classes: Program level class statement throws exception in strict mode
1738         https://bugs.webkit.org/show_bug.cgi?id=143038
1739
1740         Reviewed by Ryosuke Niwa.
1741
1742         Classes expose a name to the current lexical environment. This treats
1743         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
1744         Also, improve error messages for class statements where the class is missing a name.
1745
1746         * parser/Parser.h:
1747         * parser/Parser.cpp:
1748         (JSC::Parser<LexerType>::parseClass):
1749         Fill name in info parameter if needed. Better error message if name is needed and missing.
1750
1751         (JSC::Parser<LexerType>::parseClassDeclaration):
1752         Pass info parameter to get name, and expose the name as a variable name.
1753
1754         (JSC::Parser<LexerType>::parsePrimaryExpression):
1755         Pass info parameter that is ignored.
1756
1757         * parser/ParserFunctionInfo.h:
1758         Add a parser info for class, to extract the name.
1759
1760 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1761
1762         New map and set modification tests in r181922 fails
1763         https://bugs.webkit.org/show_bug.cgi?id=143031
1764
1765         Reviewed and tweaked by Geoffrey Garen.
1766
1767         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
1768         to adjust for the packed backing store.
1769
1770         Consider the following map data.
1771
1772         x: deleted, o: exists
1773         0 1 2 3 4
1774         x x x x o
1775
1776         And an iterator with m_index 3.
1777
1778         When packing the map data, the map data will become:
1779
1780         0
1781         o
1782
1783         At that time, we perform didRemoveEntry 4 times on iterators.
1784         times => m_index/index/result
1785         1 => 3/0/dec
1786         2 => 2/1/dec
1787         3 => 1/2/nothing
1788         4 => 1/3/nothing
1789
1790         After iteration, the iterator's m_index becomes 1, but we expected it to become 0.
1791         This is because we use the decremented m_index for comparison:
1792         while the provided deletedIndex is the index in the old storage, m_index is the index in the partially packed storage.
1793
1794         In this patch, we compare against the packed index instead.
1795         times => m_index/packedIndex/result
1796         1 => 3/0/dec
1797         2 => 2/0/dec
1798         3 => 1/0/dec
1799         4 => 0/0/nothing
1800
1801         So m_index becomes 0 as expected.
1802
1803         And according to the spec, once the iterator is closed (becomes done: true),
1804         its internal [[Map]]/[[Set]] is set to undefined.
1805         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
1806
1807         In this patch, we change 2 things.
1808         1.
1809         Compare an iterator's index against the packed index when removing an entry.
1810
1811         2.
1812         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
1813
1814         * runtime/MapData.h:
1815         (JSC::MapDataImpl::IteratorData::finish):
1816         (JSC::MapDataImpl::IteratorData::isFinished):
1817         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
1818         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
1819         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
1820         * runtime/MapDataInlines.h:
1821         (JSC::JSIterator>::replaceAndPackBackingStore):
1822         * tests/stress/modify-map-during-iteration.js:
1823         * tests/stress/modify-set-during-iteration.js:
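
        As an added worked example (not WebKit/JavaScriptCore code), the following C++ models the
        backing-store packing described in this entry, with the pre-fix didRemoveEntry comparison
        (against the old-storage index) and the fixed one (against the packed index) side by side.
        IteratorState, BackingStore, indexAfterPack and the plain vector of iterator pointers
        (standing in for the WeakGCMap tracking of live iterators that the r181458 entry below
        describes) are assumptions of this example; only the m_index field, the finish()/isFinished()
        names, didRemoveEntry and the x/o layouts come from the entry itself.

```cpp
// Added example, not JavaScriptCore code: a minimal model of Map/Set backing-store
// packing with the old and the fixed didRemoveEntry rules next to each other.
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for MapDataImpl::IteratorData: only the cursor and the closed flag.
struct IteratorState {
    size_t m_index = 0;
    bool m_finished = false;

    void finish() { m_finished = true; }
    bool isFinished() const { return m_finished; }

    // Pre-fix rule: compare m_index (already partially adjusted by earlier calls)
    // against the deleted slot's index in the OLD storage.
    void didRemoveEntryOld(size_t deletedIndex)
    {
        if (isFinished())          // closed iterators are left alone (also part of the fix)
            return;
        if (deletedIndex < m_index)
            --m_index;
    }

    // Fixed rule: compare against the slot the deleted entry occupies in the
    // partially packed storage, which is the coordinate system m_index now uses.
    void didRemoveEntryPacked(size_t packedIndex)
    {
        if (isFinished())
            return;
        if (packedIndex < m_index)
            --m_index;
    }
};

// Stand-in for the backing store: true marks a deleted slot (x), false a live one (o).
// The iterator list plays the role of live-iterator tracking (a plain vector here;
// the real change uses a WeakGCMap).
struct BackingStore {
    std::vector<bool> deleted;
    std::vector<IteratorState*> iterators;

    // Removes deleted slots and tells every live iterator about each removal.
    // Returns the packed size.
    size_t pack(bool useFixedRule)
    {
        size_t packedIndex = 0;    // where the next live entry lands in packed storage
        for (size_t oldIndex = 0; oldIndex < deleted.size(); ++oldIndex) {
            if (!deleted[oldIndex]) {
                ++packedIndex;
                continue;
            }
            for (IteratorState* it : iterators) {
                if (useFixedRule)
                    it->didRemoveEntryPacked(packedIndex);
                else
                    it->didRemoveEntryOld(oldIndex);
            }
        }
        deleted.assign(packedIndex, false);   // all remaining slots are live
        return packedIndex;
    }
};

// Packs `layout` with one iterator positioned at `startIndex` and returns the
// iterator's m_index afterwards. `closed` models an iterator that already
// reached done: true before the pack and therefore must not be touched.
size_t indexAfterPack(const std::vector<bool>& layout, size_t startIndex,
                      bool useFixedRule, bool closed = false)
{
    BackingStore store;
    store.deleted = layout;
    IteratorState it;
    it.m_index = startIndex;
    if (closed)
        it.finish();
    store.iterators.push_back(&it);
    store.pack(useFixedRule);
    return it.m_index;
}

int main()
{
    // The layout from the description: x x x x o, iterator at index 3.
    const std::vector<bool> layout = { true, true, true, true, false };
    std::printf("old rule:   m_index = %zu (should have been 0)\n", indexAfterPack(layout, 3, false));
    std::printf("fixed rule: m_index = %zu\n", indexAfterPack(layout, 3, true));
    return 0;
}
```

        With the x x x x o layout and an iterator at 3, the old rule leaves m_index at 1 and the
        packed-index rule at 0, reproducing the two tables above. The interleaved layout
        o x o x o with an iterator at 4 shows the same divergence (3 under the old rule, 2 under
        the fixed one) when the deleted slots are not all at the front, and a closed iterator keeps
        its index under either rule.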
1824
1825 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
1826
1827         Setter should have a single formal parameter, Getter no parameters
1828         https://bugs.webkit.org/show_bug.cgi?id=142903
1829
1830         Reviewed by Geoffrey Garen.
1831
1832         * parser/Parser.cpp:
1833         (JSC::Parser<LexerType>::parseFunctionInfo):
1834         Enforce no parameters for getters and a single parameter
1835         for setters, with informational error messages.
1836
1837 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
1838
1839         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
1840         https://bugs.webkit.org/show_bug.cgi?id=143012
1841
1842         Reviewed by Ryosuke Niwa.
1843
1844         * bytecompiler/BytecodeGenerator.cpp:
1845         (JSC::BytecodeGenerator::emitReturn):
1846         Fix handling of "undefined" when returned from a Derived class. It was
1847         returning "undefined" when it should have returned "this".
1848
1849 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1850
1851         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
1852         https://bugs.webkit.org/show_bug.cgi?id=142696
1853
1854         Reviewed and tweaked by Geoffrey Garen.
1855
1856         Before r142556, JSSetIterator::destroy was not defined.
1857         So MapData::const_iterator in JSSet was accidentally never destroyed.
1858         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
1859
1860         After r142556, JSSetIterator::destroy works.
1861         It correctly destructs MapData::const_iterator and m_iteratorCount partially works.
1862         But JSSetIterator::~JSSetIterator requires the owned JSSet since it mutates MapData->m_iteratorCount.
1863
1864         It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
1865         and marks it in visitChildren (WriteBarrier<Unknown>).
1866         However, the order of destructions is not guaranteed in a GC-ed system.
1867
1868         Consider the following case:
1869         allocate a JSSet and subsequently allocate a JSSetIterator.
1870         They reside in separate MarkedBlocks, <1> and <2>.
1871
1872         JSSet<1> <- JSSetIterator<2>
1873
1874         After that, when performing GC, the Marker decides that the above 2 objects are not marked.
1875         The Marker also decides that MarkedBlocks <1> and <2> can be swept.
1876
1877         First, the Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
1878         Second, the Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
1879         However, JSSetIterator<2>'s destructor,
1880         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free.
1881
1882         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
1883         When packing the removed elements in JSSet/JSMap, we apply the change to all live
1884         iterators tracked by WeakGCMap.
1885
1886         WeakGCMap can only track JSCells since they are managed by GC.
1887         So we drop the JSSet/JSMap C++-style iterators. Instead of a C++-style iterator, this patch
1888         introduces JS-style iterator signatures into the C++ class IteratorData.
1889         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
1890         IteratorData directly.
1891
1892         * runtime/JSMap.cpp:
1893         (JSC::JSMap::destroy):
1894         * runtime/JSMap.h:
1895         (JSC::JSMap::JSMap):
1896         (JSC::JSMap::begin): Deleted.
1897         (JSC::JSMap::end): Deleted.
1898         * runtime/JSMapIterator.cpp:
1899         (JSC::JSMapIterator::destroy):
1900         * runtime/JSMapIterator.h:
1901         (JSC::JSMapIterator::next):
1902         (JSC::JSMapIterator::nextKeyValue):
1903         (JSC::JSMapIterator::iteratorData):
1904         (JSC::JSMapIterator::JSMapIterator):
1905         * runtime/JSSet.cpp:
1906         (JSC::JSSet::destroy):
1907         * runtime/JSSet.h:
1908         (JSC::JSSet::JSSet):
1909         (JSC::JSSet::begin): Deleted.
1910         (JSC::JSSet::end): Deleted.
1911         * runtime/JSSetIterator.cpp:
1912         (JSC::JSSetIterator::destroy):
1913         * runtime/JSSetIterator.h:
1914         (JSC::JSSetIterator::next):
1915         (JSC::JSSetIterator::iteratorData):
1916         (JSC::JSSetIterator::JSSetIterator):
1917         * runtime/MapData.h:
1918         (JSC::MapDataImpl::IteratorData::finish):
1919         (JSC::MapDataImpl::IteratorData::isFinished):
1920         (JSC::MapDataImpl::shouldPack):
1921         (JSC::JSIterator>::MapDataImpl):
1922         (JSC::JSIterator>::KeyType::KeyType):
1923         (JSC::JSIterator>::IteratorData::IteratorData):
1924         (JSC::JSIterator>::IteratorData::next):
1925         (JSC::JSIterator>::IteratorData::ensureSlot):
1926         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
1927         (JSC::JSIterator>::IteratorData::refreshCursor):
1928         (JSC::MapDataImpl::const_iterator::key): Deleted.
1929         (JSC::MapDataImpl::const_iterator::value): Deleted.
1930         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
1931         (JSC::MapDataImpl::const_iterator::finish): Deleted.
1932         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
1933         (JSC::MapDataImpl::begin): Deleted.
1934         (JSC::MapDataImpl::end): Deleted.
1935         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
1936         (JSC::MapDataImpl<Entry>::clear): Deleted.
1937         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
1938         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
1939         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
1940         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
1941         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
1942         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
1943         (JSC::=): Deleted.
1944         * runtime/MapDataInlines.h:
1945         (JSC::JSIterator>::clear):
1946         (JSC::JSIterator>::find):
1947         (JSC::JSIterator>::contains):
1948         (JSC::JSIterator>::add):
1949         (JSC::JSIterator>::set):
1950         (JSC::JSIterator>::get):
1951         (JSC::JSIterator>::remove):
1952         (JSC::JSIterator>::replaceAndPackBackingStore):
1953         (JSC::JSIterator>::replaceBackingStore):
1954         (JSC::JSIterator>::ensureSpaceForAppend):
1955         (JSC::JSIterator>::visitChildren):
1956         (JSC::JSIterator>::copyBackingStore):
1957         (JSC::JSIterator>::applyMapDataPatch):
1958         (JSC::MapDataImpl<Entry>::find): Deleted.
1959         (JSC::MapDataImpl<Entry>::contains): Deleted.
1960         (JSC::MapDataImpl<Entry>::add): Deleted.
1961         (JSC::MapDataImpl<Entry>::set): Deleted.
1962         (JSC::MapDataImpl<Entry>::get): Deleted.
1963         (JSC::MapDataImpl<Entry>::remove): Deleted.
1964         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
1965         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
1966         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
1967         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
1968         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
1969         * runtime/MapPrototype.cpp:
1970         (JSC::mapProtoFuncForEach):
1971         * runtime/SetPrototype.cpp:
1972         (JSC::setProtoFuncForEach):
1973         * runtime/WeakGCMap.h:
1974         (JSC::WeakGCMap::forEach):
1975         * tests/stress/modify-map-during-iteration.js: Added.
1976         (testValue):
1977         (identityPairs):
1978         (.set if):
1979         (var):
1980         (set map):
1981         * tests/stress/modify-set-during-iteration.js: Added.
1982         (testValue):
1983         (set forEach):
1984         (set delete):
1985
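An added example, not part of this ChangeLog entry or of the modify-map/set-during-iteration stress tests it lists, showing the iteration semantics that the live-iterator tracking above has to preserve: entries deleted before the cursor reaches them are skipped, entries appended during iteration are still visited, and an iterator object stays valid after the backing store is modified underneath it.

```javascript
// Added example (not WebKit's code): mutate a Set and a Map while iterating them,
// both through forEach and through a live iterator object (a JSSetIterator in
// JSC terms). Per the ES6 spec, an entry deleted before it is reached is
// skipped and an entry appended during iteration is still visited, even after
// the engine packs the backing store to drop the removed slots.

function visitSetWhileMutating() {
  const set = new Set([1, 2, 3, 4, 5]);
  const visited = [];
  set.forEach((value) => {
    visited.push(value);
    if (value === 2) {
      set.delete(1); // already visited: no effect on the walk
      set.delete(3); // not yet visited: must be skipped
    }
    if (value === 4)
      set.add(6);    // appended: must still be visited
  });
  return { visited, remaining: [...set] };  // [1,2,4,5,6] and [2,4,5,6]
}

function drainSetIteratorWhileMutating() {
  const set = new Set([1, 2, 3, 4, 5]);
  const iter = set.values();           // live iterator, not a snapshot
  const seen = [iter.next().value];    // consume 1, cursor now points at 2
  set.delete(1);                       // delete behind the cursor
  set.delete(2);                       // delete ahead of the cursor
  set.add(7);                          // append after the cursor
  for (let r = iter.next(); !r.done; r = iter.next())
    seen.push(r.value);
  return seen;  // [1, 3, 4, 5, 7]
}

function visitMapWhileMutating() {
  const map = new Map([['a', 1], ['b', 2], ['c', 3]]);
  const visited = [];
  map.forEach((value, key) => {
    visited.push(`${key}=${value}`);
    if (key === 'a') {
      map.delete('b');     // not yet visited: skipped
      map.set('c', 30);    // updating an existing key keeps its position
      map.set('d', 4);     // appended: visited
    }
  });
  return visited;  // ['a=1', 'c=30', 'd=4']
}
```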
1986 2015-03-24  Mark Lam  <mark.lam@apple.com>
1987
1988         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
1989         <https://webkit.org/b/143024>
1990
1991         Reviewed by Geoffrey Garen.
1992
1993         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
1994         passed in from testapi.c.  It should create its own for better
1995         encapsulation of the test.
1996
1997         * API/tests/ExecutionTimeLimitTest.cpp:
1998         (currentCPUTimeAsJSFunctionCallback):
1999         (testExecutionTimeLimit):
2000         * API/tests/ExecutionTimeLimitTest.h:
2001         * API/tests/testapi.c:
2002         (main):
2003
2004 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2005
2006         ES6: Object Literal Methods toString is missing method name
2007         https://bugs.webkit.org/show_bug.cgi?id=142992
2008
2009         Reviewed by Geoffrey Garen.
2010
2011         Always stringify functions in the pattern:
2012
2013           "function " + <function name> + <text from opening parenthesis to closing brace>.
2014
2015         * runtime/FunctionPrototype.cpp:
2016         (JSC::functionProtoFuncToString):
2017         Update the path that was not stringifying in this pattern.
2018
2019         * bytecode/UnlinkedCodeBlock.cpp:
2020         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2021         * bytecode/UnlinkedCodeBlock.h:
2022         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
2023         * parser/Nodes.h:
2024         * runtime/Executable.cpp:
2025         (JSC::FunctionExecutable::FunctionExecutable):
2026         * runtime/Executable.h:
2027         (JSC::FunctionExecutable::parametersStartOffset):
2028         Pass the already known function parameter opening parenthesis
2029         start offset through to the FunctionExecutable. 
2030
2031         * tests/mozilla/js1_5/Scope/regress-185485.js:
2032         (with.g):
2033         Add back original space in this test that was removed by r181810
2034         now that we have the space again in stringification.
2035
2036 2015-03-24  Michael Saboff  <msaboff@apple.com>
2037
2038         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
2039         https://bugs.webkit.org/show_bug.cgi?id=142856
2040
2041         Reviewed by Filip Pizlo.
2042
2043         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
2044         get info for three loops to iterate over indexed properties, structure properties and other properties,
2045         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
2046         for all loops before we execute any enumeration.
2047
2048         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
2049         The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex)
2050         and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
2051
2052         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
2053         op_next_enumerator_pname.
2054         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
2055         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
2056         end value we stop iterating on.
2057
2058         Made corresponding node changes to the DFG and FTL for the bytecode changes.
2059
2060         * bytecode/BytecodeList.json:
2061         * bytecode/BytecodeUseDef.h:
2062         (JSC::computeUsesForBytecodeOffset):
2063         (JSC::computeDefsForBytecodeOffset):
2064         * bytecode/CodeBlock.cpp:
2065         (JSC::CodeBlock::dumpBytecode):
2066         * bytecompiler/BytecodeGenerator.cpp:
2067         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
2068         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
2069         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
2070         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
2071         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
2072         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
2073         * bytecompiler/BytecodeGenerator.h:
2074         * bytecompiler/NodesCodegen.cpp:
2075         (JSC::ForInNode::emitMultiLoopBytecode):
2076         * dfg/DFGAbstractInterpreterInlines.h:
2077         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2078         * dfg/DFGByteCodeParser.cpp:
2079         (JSC::DFG::ByteCodeParser::parseBlock):
2080         * dfg/DFGCapabilities.cpp:
2081         (JSC::DFG::capabilityLevel):
2082         * dfg/DFGClobberize.h:
2083         (JSC::DFG::clobberize):
2084         * dfg/DFGDoesGC.cpp:
2085         (JSC::DFG::doesGC):
2086         * dfg/DFGFixupPhase.cpp:
2087         (JSC::DFG::FixupPhase::fixupNode):
2088         * dfg/DFGNodeType.h:
2089         * dfg/DFGPredictionPropagationPhase.cpp:
2090         (JSC::DFG::PredictionPropagationPhase::propagate):
2091         * dfg/DFGSafeToExecute.h:
2092         (JSC::DFG::safeToExecute):
2093         * dfg/DFGSpeculativeJIT32_64.cpp:
2094         (JSC::DFG::SpeculativeJIT::compile):
2095         * dfg/DFGSpeculativeJIT64.cpp:
2096         (JSC::DFG::SpeculativeJIT::compile):
2097         * ftl/FTLAbstractHeapRepository.h:
2098         * ftl/FTLCapabilities.cpp:
2099         (JSC::FTL::canCompile):
2100         * ftl/FTLLowerDFGToLLVM.cpp:
2101         (JSC::FTL::LowerDFGToLLVM::compileNode):
2102         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
2103         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
2104         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
2105         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
2106         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
2107         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
2108         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
2109         * jit/JIT.cpp:
2110         (JSC::JIT::privateCompileMainPass):
2111         * jit/JIT.h:
2112         * jit/JITOpcodes.cpp:
2113         (JSC::JIT::emit_op_enumerator_structure_pname):
2114         (JSC::JIT::emit_op_enumerator_generic_pname):
2115         (JSC::JIT::emit_op_get_property_enumerator):
2116         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2117         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
2118         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
2119         * jit/JITOpcodes32_64.cpp:
2120         (JSC::JIT::emit_op_enumerator_structure_pname):
2121         (JSC::JIT::emit_op_enumerator_generic_pname):
2122         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2123         * jit/JITOperations.cpp:
2124         * jit/JITOperations.h:
2125         * llint/LowLevelInterpreter.asm:
2126         * runtime/CommonSlowPaths.cpp:
2127         (JSC::SLOW_PATH_DECL):
2128         * runtime/CommonSlowPaths.h:
2129         * runtime/JSPropertyNameEnumerator.cpp:
2130         (JSC::JSPropertyNameEnumerator::create):
2131         (JSC::JSPropertyNameEnumerator::finishCreation):
2132         * runtime/JSPropertyNameEnumerator.h:
2133         (JSC::JSPropertyNameEnumerator::indexedLength):
2134         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
2135         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
2136         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
2137         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
2138         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
2139         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
2140         (JSC::propertyNameEnumerator):
2141         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
2142         (JSC::structurePropertyNameEnumerator): Deleted.
2143         (JSC::genericPropertyNameEnumerator): Deleted.
2144         * runtime/Structure.cpp:
2145         (JSC::Structure::setCachedPropertyNameEnumerator):
2146         (JSC::Structure::cachedPropertyNameEnumerator):
2147         (JSC::Structure::canCachePropertyNameEnumerator):
2148         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
2149         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
2150         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
2151         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
2152         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
2153         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
2154         * runtime/Structure.h:
2155         * runtime/StructureRareData.cpp:
2156         (JSC::StructureRareData::visitChildren):
2157         (JSC::StructureRareData::cachedPropertyNameEnumerator):
2158         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
2159         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
2160         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
2161         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
2162         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
2163         * runtime/StructureRareData.h:
2164         * tests/stress/for-in-delete-during-iteration.js:
2165
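An added example, not part of this ChangeLog entry or of WebKit's for-in-delete-during-iteration.js, showing from the script side what the three enumeration loops described above produce: indexed properties first, then the object's own named properties, then unshadowed inherited ones, with a property deleted before it is reached skipped and a property added inside the loop body not enumerated.

```javascript
// Added example (not WebKit's code): observe the order and the mutation rules
// of for...in. Integer-like keys come first in ascending order, then the
// object's own string keys in insertion order, then inherited keys that the
// object does not shadow. Deleting a not-yet-reached key skips it; adding a
// key inside the loop body does not make this loop enumerate it.
function forInOrderWhileMutating() {
  const proto = { inherited: 'proto', shadowed: 'proto' };
  const obj = Object.create(proto);
  obj.beta = 1;
  obj[10] = 'x';        // indexed property, enumerated before named ones
  obj.alpha = 2;
  obj[2] = 'y';         // indexed, and sorted ahead of 10
  obj.shadowed = 'own'; // shadows proto.shadowed, which is then not repeated

  const visited = [];
  for (const key in obj) {
    visited.push(key);
    if (key === 'beta') {
      delete obj.alpha;   // not yet reached: must not be visited
      obj.added = true;   // added during the loop: must not be visited
    }
  }
  return visited;  // ['2', '10', 'beta', 'shadowed', 'inherited']
}
```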
2166 2015-03-24  Michael Saboff  <msaboff@apple.com>
2167
2168         Unreviewed build fix for debug builds.
2169
2170         * runtime/ExceptionHelpers.cpp:
2171         (JSC::invalidParameterInSourceAppender):
2172
2173 2015-03-24  Saam Barati  <saambarati1@gmail.com>
2174
2175         Improve error messages in JSC
2176         https://bugs.webkit.org/show_bug.cgi?id=141869
2177
2178         Reviewed by Geoffrey Garen.
2179
2180         JavaScriptCore has some unintuitive error messages associated
2181         with certain common errors. This patch changes some specific
2182         error messages to be more understandable and also creates a
2183         mechanism that will allow for easy modification of error messages
2184         in the future. The specific errors we change are "not a function"
2185         errors and "invalid parameter" errors.
2186
2187         * CMakeLists.txt:
2188         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2189         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2190         * JavaScriptCore.xcodeproj/project.pbxproj:
2191         * interpreter/Interpreter.cpp:
2192         (JSC::sizeOfVarargs):
2193         * jit/JITOperations.cpp:
2194         op_throw_static_error always has a JSString as its argument.
2195         There is no need to dance around this, and we should assert
2196         that this always holds. This JSString represents the error 
2197         message we want to display to the user, so there is no need
2198         to pass it into errorDescriptionForValue which will now place
2199         quotes around the string.
2200
2201         * llint/LLIntSlowPaths.cpp:
2202         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2203         * runtime/CommonSlowPaths.h:
2204         (JSC::CommonSlowPaths::opIn):
2205         * runtime/ErrorInstance.cpp:
2206         (JSC::ErrorInstance::ErrorInstance):
2207         * runtime/ErrorInstance.h:
2208         (JSC::ErrorInstance::hasSourceAppender):
2209         (JSC::ErrorInstance::sourceAppender):
2210         (JSC::ErrorInstance::setSourceAppender):
2211         (JSC::ErrorInstance::clearSourceAppender):
2212         (JSC::ErrorInstance::setRuntimeTypeForCause):
2213         (JSC::ErrorInstance::runtimeTypeForCause):
2214         (JSC::ErrorInstance::clearRuntimeTypeForCause):
2215         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
2216         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
2217         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
2218         * runtime/ExceptionHelpers.cpp:
2219         (JSC::errorDescriptionForValue):
2220         (JSC::defaultApproximateSourceError):
2221         (JSC::defaultSourceAppender):
2222         (JSC::functionCallBase):
2223         (JSC::notAFunctionSourceAppender):
2224         (JSC::invalidParameterInSourceAppender):
2225         (JSC::invalidParameterInstanceofSourceAppender):
2226         (JSC::createError):
2227         (JSC::createInvalidFunctionApplyParameterError):
2228         (JSC::createInvalidInParameterError):
2229         (JSC::createInvalidInstanceofParameterError):
2230         (JSC::createNotAConstructorError):
2231         (JSC::createNotAFunctionError):
2232         (JSC::createNotAnObjectError):
2233         (JSC::createInvalidParameterError): Deleted.
2234         * runtime/ExceptionHelpers.h:
2235         * runtime/JSObject.cpp:
2236         (JSC::JSObject::hasInstance):
2237         * runtime/RuntimeType.cpp: Added.
2238         (JSC::runtimeTypeForValue):
2239         (JSC::runtimeTypeAsString):
2240         * runtime/RuntimeType.h: Added.
2241         * runtime/TypeProfilerLog.cpp:
2242         (JSC::TypeProfilerLog::processLogEntries):
2243         * runtime/TypeSet.cpp:
2244         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
2245         * runtime/TypeSet.h:
2246         * runtime/VM.cpp:
2247         (JSC::appendSourceToError):
2248         (JSC::VM::throwException):
2249
2250 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
2251
2252         JSC should have a low-cost asynchronous disassembler
2253         https://bugs.webkit.org/show_bug.cgi?id=142997
2254
2255         Reviewed by Mark Lam.
2256         
2257         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
2258         doesn't block execution. Some code will live a little longer because of this, since the
2259         work tasks hold a ref to the code, but other than that there is basically no overhead.
2260         
2261         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
2262         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
2263         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
2264         JSC_asyncDisassembly has bizarre behavior - so just choose one.
2265         
2266         A simple way of understanding how great this is, is to run a small benchmark like
2267         V8Spider/earley-boyer.
2268         
2269         Performance without any disassembly flags: 60ms
2270         Performance with JSC_showDisassembly=true: 477ms
2271         Performance with JSC_asyncDisassembly=true: 65ms
2272         
2273         So, the overhead of disassembly goes from 8x to 8%.
2274         
2275         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
2276         measuring benchmark performance. This is because at VM exit, we wait for all async
2277         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
2278         after the benchmark completely finishes to finish the disassemblies. This small weirdness
2279         should be OK for the intended use-cases, since all you have to do to get around it is to
2280         measure the execution time of the benchmark payload rather than the end-to-end time of
2281         launching the VM.
2282
2283         * assembler/LinkBuffer.cpp:
2284         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2285         * assembler/LinkBuffer.h:
2286         (JSC::LinkBuffer::wasAlreadyDisassembled):
2287         (JSC::LinkBuffer::didAlreadyDisassemble):
2288         * dfg/DFGJITCompiler.cpp:
2289         (JSC::DFG::JITCompiler::disassemble):
2290         * dfg/DFGJITFinalizer.cpp:
2291         (JSC::DFG::JITFinalizer::finalize):
2292         (JSC::DFG::JITFinalizer::finalizeFunction):
2293         * disassembler/Disassembler.cpp:
2294         (JSC::disassembleAsynchronously):
2295         (JSC::waitForAsynchronousDisassembly):
2296         * disassembler/Disassembler.h:
2297         * ftl/FTLCompile.cpp:
2298         (JSC::FTL::mmAllocateDataSection):
2299         * ftl/FTLLink.cpp:
2300         (JSC::FTL::link):
2301         * jit/JIT.cpp:
2302         (JSC::JIT::privateCompile):
2303         * jsc.cpp:
2304         * runtime/Options.h:
2305         * runtime/VM.cpp:
2306         (JSC::VM::~VM):
2307
2308 2015-03-23  Dean Jackson  <dino@apple.com>
2309
2310         ES7: Implement Array.prototype.includes
2311         https://bugs.webkit.org/show_bug.cgi?id=142707
2312
2313         Reviewed by Geoffrey Garen.
2314
2315         Add support for the ES7 includes method on Arrays.
2316         https://github.com/tc39/Array.prototype.includes
2317
2318         * builtins/Array.prototype.js:
2319         (includes): Implementation in JS.
2320         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
2321
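An added reference implementation, not WebKit's builtins/Array.prototype.js, that follows the ES7 Array.prototype.includes algorithm step by step and contrasts it with indexOf on the inputs where the two differ (NaN, holes, negative fromIndex).

```javascript
// Added example (not WebKit's code): a spec-following implementation of
// Array.prototype.includes. It uses SameValueZero (so NaN matches NaN),
// clamps a negative fromIndex that runs past the start to 0, and reads holes
// as undefined, whereas indexOf uses strict equality and skips holes.
function arrayIncludes(array, searchElement, fromIndex = 0) {
  const obj = Object(array);
  // ToLength(obj.length): integer in [0, 2^53 - 1], NaN becomes 0
  const len = Math.min(Math.max(Math.trunc(Number(obj.length)) || 0, 0),
                       Number.MAX_SAFE_INTEGER);
  if (len === 0)
    return false;
  const n = Math.trunc(Number(fromIndex)) || 0;   // ToInteger(fromIndex)
  let k = n >= 0 ? n : Math.max(len + n, 0);      // negative counts from the end
  const sameValueZero = (x, y) =>
    x === y || (Number.isNaN(x) && Number.isNaN(y));
  for (; k < len; k++) {
    if (sameValueZero(obj[k], searchElement))     // obj[k] reads a hole as undefined
      return true;
  }
  return false;
}

// Inputs on which includes and indexOf disagree, collected for comparison.
function includesVersusIndexOf() {
  const sparse = [1, , 3];  // index 1 is a hole
  return {
    nanIncludes: arrayIncludes([1, NaN, 3], NaN),     // true
    nanIndexOf: [1, NaN, 3].indexOf(NaN),             // -1
    holeIncludes: arrayIncludes(sparse, undefined),   // true
    holeIndexOf: sparse.indexOf(undefined),           // -1
    negativeFrom: arrayIncludes([1, 2, 3], 1, -2),    // false: search starts at index 1
    hugeNegative: arrayIncludes([1, 2, 3], 1, -100),  // true: start clamped to 0
    pastEnd: arrayIncludes([1, 2, 3], 3, 5),          // false: start beyond length
    // the engine's native includes agrees with this implementation
    nativeAgrees: [1, NaN, 3].includes(NaN) === arrayIncludes([1, NaN, 3], NaN),
  };
}
```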
2322 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2323
2324         __defineGetter__/__defineSetter__ should throw exceptions
2325         https://bugs.webkit.org/show_bug.cgi?id=142934
2326
2327         Reviewed by Geoffrey Garen.
2328
2329         * runtime/ObjectPrototype.cpp:
2330         (JSC::objectProtoFuncDefineGetter):
2331         (JSC::objectProtoFuncDefineSetter):
2332         Throw exceptions when these functions are used directly.
2333
2334 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2335
2336         Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
2337         https://bugs.webkit.org/show_bug.cgi?id=142952
2338
2339         Reviewed by Geoffrey Garen.
2340
2341         * runtime/Structure.cpp:
2342         (JSC::PropertyTable::checkConsistency):
2343         The check offset method doesn't exist in PropertyTable; it exists in Structure.
2344
2345         (JSC::Structure::checkConsistency):
2346         So move it here, and always put it at the start to match normal behavior.
2347
2348 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2349
2350         Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
2351         https://bugs.webkit.org/show_bug.cgi?id=142956
2352
2353         Rubber stamped by Gyuyoung Kim.
2354         
2355         Just removing dead code.
2356
2357         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2358         * JavaScriptCore.xcodeproj/project.pbxproj:
2359         * dfg/DFGOSRExit.h:
2360         * dfg/DFGOSRExitCompiler.cpp:
2361         * dfg/DFGValueRecoveryOverride.h: Removed.
2362
2363 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2364
2365         DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
2366         https://bugs.webkit.org/show_bug.cgi?id=142948
2367
2368         Reviewed by Sam Weinig.
2369         
2370         It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
2371         since a signal may clobber the area below the stack pointer. When the DFG is executing,
2372         the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
2373         baseline, we will use a different amount of stack. This is because baseline is a different
2374         compiler. It will make different decisions. So it will use a different amount of stack.
2375         
2376         This gets tricky when we are in the process of doing an OSR exit, because we are sort of
2377         incrementally transforming the stack from how it looked in the DFG to how it will look in
2378         baseline. The most conservative approach would be to set the stack pointer to the max of
2379         DFG and baseline.
2380         
2381         When this code was written, a reckless assumption was made: that the stack usage in
2382         baseline is always at least as large as the stack usage in DFG. Based on this incorrect
2383         assumption, the code first adjusts the stack pointer to account for the baseline stack
2384         usage. This sort of usually works, because usually baseline does happen to use more stack.
2385         But that's not an invariant. Nobody guarantees this. We will never make any changes that
2386         would make this be guaranteed, because that would be antithetical to how optimizing
2387         compilers work. The DFG should be allowed to use however much stack it decides that it
2388         should use in order to get good performance, and it shouldn't try to guarantee that it
2389         always uses less stack than baseline.
2390         
2391         As such, we must always assume that the frame size for DFG execution (i.e.
2392         frameRegisterCount) and the frame size in baseline once we exit (i.e.
2393         requiredRegisterCountForExit) are two independent quantities and they have no
2394         relationship.
2395         
2396         Fortunately, though, this code can be made correct by just moving the stack adjustment to
2397         just before we do conversions. This is because we have since changed the OSR exit
2398         algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
2399         drop it out of the scratch buffer and into the stack according to the baseline layout. The
2400         point just before conversions is the point where we have finished reading the DFG frame
2401         and will not read it anymore, and we haven't started writing the baseline frame. So, at
2402         this point it is safe to set the stack pointer to account for the frame size at exit.
2403         
2404         This is benign because baseline happens to create larger frames than DFG.
2405
2406         * dfg/DFGOSRExitCompiler32_64.cpp:
2407         (JSC::DFG::OSRExitCompiler::compileExit):
2408         * dfg/DFGOSRExitCompiler64.cpp:
2409         (JSC::DFG::OSRExitCompiler::compileExit):
2410         * dfg/DFGOSRExitCompilerCommon.cpp:
2411         (JSC::DFG::adjustAndJumpToTarget):
2412
2413 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2414
2415         Shorten the number of iterations to 10,000 since that's enough to test all tiers.
2416
2417         Rubber stamped by Sam Weinig.
2418
2419         * tests/stress/equals-masquerader.js:
2420
2421 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2422
2423         tests/stress/*tdz* tests do 10x more iterations than necessary
2424         https://bugs.webkit.org/show_bug.cgi?id=142946
2425
2426         Reviewed by Ryosuke Niwa.
2427         
2428         The stress test harness runs all of these tests in various configurations. This includes
2429         no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
2430         enough to get to the highest tier. The only exceptions are very large functions or
2431         functions that have some reoptimizations. That happens rarely, and when it does happen,
2432         usually 20,000 iterations is enough.
2433         
2434         Therefore, these tests use 10x too many iterations. This is bad, since these tests
2435         allocate on each iteration, and so they run very slowly in debug mode.
2436
2437         * tests/stress/class-syntax-no-loop-tdz.js:
2438         * tests/stress/class-syntax-no-tdz-in-catch.js:
2439         * tests/stress/class-syntax-no-tdz-in-conditional.js:
2440         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
2441         * tests/stress/class-syntax-no-tdz-in-loop.js:
2442         * tests/stress/class-syntax-no-tdz.js:
2443         * tests/stress/class-syntax-tdz-in-catch.js:
2444         * tests/stress/class-syntax-tdz-in-conditional.js:
2445         * tests/stress/class-syntax-tdz-in-loop.js:
2446         * tests/stress/class-syntax-tdz.js:
2447
2448 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2449
2450         Fix a typo in Parser error message
2451         https://bugs.webkit.org/show_bug.cgi?id=142942
2452
2453         Reviewed by Alexey Proskuryakov.
2454
2455         * jit/JITPropertyAccess.cpp:
2456         (JSC::JIT::emitSlow_op_resolve_scope):
2457         * jit/JITPropertyAccess32_64.cpp:
2458         (JSC::JIT::emitSlow_op_resolve_scope):
2459         * parser/Parser.cpp:
2460         (JSC::Parser<LexerType>::parseClass):
2461         Fix a common identifier typo.
2462
2463 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2464
2465         Computed Property names should allow only AssignmentExpressions not any Expression
2466         https://bugs.webkit.org/show_bug.cgi?id=142902
2467
2468         Reviewed by Ryosuke Niwa.
2469
2470         * parser/Parser.cpp:
2471         (JSC::Parser<LexerType>::parseProperty):
2472         Limit computed expressions to just assignment expressions instead of
2473         any expression (which allowed comma expressions).
2474
2475 2015-03-21  Andreas Kling  <akling@apple.com>
2476
2477         Make UnlinkedFunctionExecutable fit in a 128-byte cell.
2478         <https://webkit.org/b/142939>
2479
2480         Reviewed by Mark Hahnenberg.
2481
2482         Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
2483         a 128-byte heap cell instead of requiring a 256-byte one.
2484
2485         Threw in a static_assert to catch anyone pushing it over the limit again.
2486
2487         * bytecode/UnlinkedCodeBlock.cpp:
2488         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2489         * bytecode/UnlinkedCodeBlock.h:
2490         (JSC::UnlinkedFunctionExecutable::functionMode):
2491
2492 2015-03-20  Mark Hahnenberg  <mhahnenb@gmail.com>
2493
2494         GCTimer should keep track of nested GC phases
2495         https://bugs.webkit.org/show_bug.cgi?id=142675
2496
2497         Reviewed by Darin Adler.
2498
2499         This improves the GC phase timing output in Heap.cpp by linking
2500         phases nested inside other phases together, allowing tools
2501         to compute how much time we're spending in various nested phases.
2502
2503         * heap/Heap.cpp:
2504
2505 2015-03-20  Geoffrey Garen  <ggaren@apple.com>
2506
2507         FunctionBodyNode should know where its parameters started
2508         https://bugs.webkit.org/show_bug.cgi?id=142926
2509
2510         Reviewed by Ryosuke Niwa.
2511
2512         This will allow us to re-parse parameters instead of keeping the
2513         parameters piece of the AST around forever.
2514
2515         I also took the opportunity to initialize most FunctionBodyNode data
2516         members at construction time, to help clarify that they are set right.
2517
2518         * parser/ASTBuilder.h:
2519         (JSC::ASTBuilder::createFunctionExpr): No need to pass
2520         functionKeywordStart here; we now provide it at FunctionBodyNode
2521         creation time.
2522
2523         (JSC::ASTBuilder::createFunctionBody): Require everything we need at
2524         construction time, including the start of our parameters.
2525
2526         (JSC::ASTBuilder::createGetterOrSetterProperty):
2527         (JSC::ASTBuilder::createFuncDeclStatement):  No need to pass
2528         functionKeywordStart here; we now provide it at FunctionBodyNode
2529         creation time.
2530
2531         (JSC::ASTBuilder::setFunctionNameStart): Deleted.
2532
2533         * parser/Nodes.cpp:
2534         (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at
2535         construction time.
2536
2537         * parser/Nodes.h: Added a field for the location of our parameters.
2538
2539         * parser/Parser.cpp:
2540         (JSC::Parser<LexerType>::parseFunctionBody):
2541         (JSC::Parser<LexerType>::parseFunctionInfo):
2542         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2543         (JSC::Parser<LexerType>::parseClass):
2544         (JSC::Parser<LexerType>::parsePropertyMethod):
2545         (JSC::Parser<LexerType>::parseGetterSetter):
2546         (JSC::Parser<LexerType>::parsePrimaryExpression):
2547         * parser/Parser.h: Refactored to match above interface changes.
2548
2549         * parser/SyntaxChecker.h:
2550         (JSC::SyntaxChecker::createFunctionExpr):
2551         (JSC::SyntaxChecker::createFunctionBody):
2552         (JSC::SyntaxChecker::createFuncDeclStatement):
2553         (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match
2554         above interface changes.
2555
2556         (JSC::SyntaxChecker::setFunctionNameStart): Deleted.
2557
2558 2015-03-20  Filip Pizlo  <fpizlo@apple.com>
2559
2560         Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes
2561         https://bugs.webkit.org/show_bug.cgi?id=142920
2562
2563         Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam.
2564         
2565         Observably effectful, n.: If we reexecute the bytecode instruction after this node has
2566         executed, then something other than the bytecode instruction's specified outcome will
2567         happen.
2568
2569         We almost never had observably effectful nodes except at the end of the bytecode
2570         instruction.  The exception is a lowered transitioning PutById:
2571
2572         PutStructure(@o, S1 -> S2)
2573         PutByOffset(@o, @o, @v)
2574
2575         The PutStructure is observably effectful: if you try to reexecute the bytecode after
2576         doing the PutStructure, then we'll most likely crash.  The generic PutById handling means
2577         first checking what the old structure of the object is; but if we reexecute, the old
2578         structure will seem to be the new structure.  But the property ensured by the new
2579         structure hasn't been stored yet, so any attempt to load it or scan it will crash.
2580
2581         Intriguingly, however, none of the other operations involved in the PutById are
2582         observably effectful.  Consider this example:
2583
2584         PutByOffset(@o, @o, @v)
2585         PutStructure(@o, S1 -> S2)
2586
2587         Note that the PutStructure node doesn't reallocate property storage; see further below
2588         for an example that does that. Because no property storage allocation is happening, we know that we
2589         already had room for the new property.  This means that the PutByOffset is not observable
2590         until the PutStructure executes and "reveals" the property.  Hence, PutByOffset is not
2591         observably effectful.
2592
2593         Now consider this:
2594
2595         b: AllocatePropertyStorage(@o)
2596         PutByOffset(@b, @o, @v)
2597         PutStructure(@o, S1 -> S2)
2598
2599         Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably
2600         effectful. It *does* reallocate the property storage and the new property storage pointer
2601         is stored into the object. But until the PutStructure occurs, the world will just think
2602         that the reallocation didn't happen, in the sense that we'll think that the property
2603         storage is using less memory than what we just allocated. That's harmless.
2604
2605         The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the
2606         AllocatePropertyStorage but before the PutByOffset (or before the PutStructure),
2607         everything could be expected to be fine, so long as all of @o, @v and @b are on the
2608         stack. If they are all on the stack, then the GC will leave the property storage alone
2609         (so the extra memory we just allocated would be safe). The GC will not scan the part of
2610         the property storage that contains @v, but that's fine, so long as @v is on the stack.
2611         
2612         The better long-term solution is probably bug 142921.
2613         
2614         But for now, this:
2615         
2616         - Fixes an object materialization bug, exemplified by the two tests, that previously
2617           crashed 100% of the time with FTL enabled and concurrent JIT disabled.
2618         
2619         - Allows us to remove the workaround introduced in r174856.
2620
2621         * dfg/DFGByteCodeParser.cpp:
2622         (JSC::DFG::ByteCodeParser::handlePutById):
2623         * dfg/DFGConstantFoldingPhase.cpp:
2624         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2625         * dfg/DFGFixupPhase.cpp:
2626         (JSC::DFG::FixupPhase::insertCheck):
2627         (JSC::DFG::FixupPhase::indexOfNode): Deleted.
2628         (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted.
2629         * dfg/DFGInsertionSet.h:
2630         (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted.
2631         (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted.
2632         * tests/stress/materialize-past-butterfly-allocation.js: Added.
2633         (bar):
2634         (foo0):
2635         (foo1):
2636         (foo2):
2637         (foo3):
2638         (foo4):
2639         * tests/stress/materialize-past-put-structure.js: Added.
2640         (foo):
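
The three node orderings discussed above, as an added C++ model (constructed for this note, not JSC code): a Structure only says how many property slots exist, and the check asks whether the object would still be consistent if execution stopped (OSR exit, GC scan) after each node. The model keeps the property storage inside the object instead of as a separate @b operand; S1, S2, the offsets and the value 42 are assumptions.

```cpp
#include <cstddef>
#include <vector>

// A Structure reveals this many property slots; a slot is visible only once covered.
struct Structure { std::size_t propertyCount; };
static const Structure S1{1};   // one property, at offset 0
static const Structure S2{2};   // S1 plus a new property at offset 1

struct Slot { bool written; int value; };   // written == false models a garbage slot

struct Object {
    const Structure* structure = &S1;
    std::vector<Slot> storage;              // property storage ("butterfly"), index = offset
};

// The three DFG nodes from the entry, as they act on the model.
void putStructure(Object& o, const Structure& to) { o.structure = &to; }
void putByOffset(Object& o, std::size_t offset, int value) { o.storage.at(offset) = Slot{true, value}; }
void allocatePropertyStorage(Object& o, std::size_t capacity) { o.storage.resize(capacity, Slot{false, 0}); }

// What a re-executed put_by_id or a GC scan relies on: every property the structure
// claims exists must be backed by a slot that has actually been written.
bool observablyConsistent(const Object& o) {
    if (o.storage.size() < o.structure->propertyCount)
        return false;                       // structure reveals slots the storage lacks
    for (std::size_t i = 0; i < o.structure->propertyCount; ++i)
        if (!o.storage[i].written)
            return false;                   // revealed slot still holds garbage
    return true;
}

enum class Node { AllocatePropertyStorage, PutByOffset, PutStructure };

// Executes the lowered PutById node by node, checking the invariant after each node as
// if execution stopped right there. True only if every stop point is safe and the final
// state is the intended S2 object carrying the new value at offset 1.
bool safeAtEveryStop(const std::vector<Node>& sequence, std::size_t initialCapacity) {
    Object o;
    o.storage.resize(initialCapacity, Slot{false, 0});
    o.storage[0] = Slot{true, 7};           // the property S1 already has
    for (Node n : sequence) {
        switch (n) {
        case Node::AllocatePropertyStorage: allocatePropertyStorage(o, 2); break;
        case Node::PutByOffset:             putByOffset(o, 1, 42); break;
        case Node::PutStructure:            putStructure(o, S2); break;
        }
        if (!observablyConsistent(o))
            return false;
    }
    return o.structure == &S2 && o.storage[1].written && o.storage[1].value == 42;
}

// PutStructure(@o, S1 -> S2); PutByOffset(@o, @o, @v): unsafe, S2 reveals offset 1 before the store.
bool putStructureFirstIsSafe() { return safeAtEveryStop({Node::PutStructure, Node::PutByOffset}, 2); }

// PutByOffset(@o, @o, @v); PutStructure(@o, S1 -> S2): safe, the slot is written before it is revealed.
bool putByOffsetFirstIsSafe() { return safeAtEveryStop({Node::PutByOffset, Node::PutStructure}, 2); }

// b: AllocatePropertyStorage(@o); PutByOffset(@b, @o, @v); PutStructure(@o, S1 -> S2): safe,
// the larger storage stays invisible until PutStructure reveals offset 1.
bool allocateThenPutIsSafe() {
    return safeAtEveryStop({Node::AllocatePropertyStorage, Node::PutByOffset, Node::PutStructure}, 1);
}
```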
2641
2642 2015-03-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2643
2644         REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
2645         https://bugs.webkit.org/show_bug.cgi?id=142410
2646
2647         Reviewed by Geoffrey Garen.
2648
2649         Before this patch, the added function JSValue::toPropertyKey returned PropertyName.
2650         Since PropertyName doesn't have AtomicStringImpl ownership,
2651         if an Identifier is implicitly converted to PropertyName and the Identifier is destructed,
2652         PropertyName may refer to a freed AtomicStringImpl*.
2653
2654         This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
2655         to keep AtomicStringImpl* ownership after the toPropertyName call is done.
2656         And the result value is received as Identifier type to keep ownership on the caller side.
2657
2658         To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.
2659
2660         However, now we don't need to have both Identifier and PropertyName.
2661         So we'll merge PropertyName to Identifier in the subsequent patch.
2662
2663         * dfg/DFGOperations.cpp:
2664         (JSC::DFG::operationPutByValInternal):
2665         * jit/JITOperations.cpp:
2666         (JSC::getByVal):
2667         * llint/LLIntSlowPaths.cpp:
2668         (JSC::LLInt::getByVal):
2669         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2670         * runtime/CommonSlowPaths.cpp:
2671         (JSC::SLOW_PATH_DECL):
2672         * runtime/CommonSlowPaths.h:
2673         (JSC::CommonSlowPaths::opIn):
2674         * runtime/JSCJSValue.h:
2675         * runtime/JSCJSValueInlines.h:
2676         (JSC::JSValue::toPropertyKey):
2677         * runtime/ObjectConstructor.cpp:
2678         (JSC::objectConstructorGetOwnPropertyDescriptor):
2679         (JSC::objectConstructorDefineProperty):
2680         * runtime/ObjectPrototype.cpp:
2681         (JSC::objectProtoFuncPropertyIsEnumerable):
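
An added C++ model of the lifetime bug this entry describes (constructed for this note, not JSC code): StringImpl, Identifier and PropertyName are stand-ins that track a refcount and mark the string dead instead of freeing it, so the dangling pointer can be observed without undefined behaviour. The function names toPropertyKeyBefore/toPropertyKeyAfter and the string "foo" are assumptions.

```cpp
#include <string>
#include <utility>

// Stand-in for WTF::AtomicStringImpl: ref-counted, but instead of deleting itself when
// the last ref drops it just records that it is dead, so a dangling user can be detected.
struct StringImpl {
    std::string chars;
    int refCount = 0;
    bool alive = true;
    explicit StringImpl(std::string s) : chars(std::move(s)) {}
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) alive = false; }   // real code: delete this
};

// Owning handle, like JSC::Identifier: holds a ref for as long as it exists.
class Identifier {
public:
    explicit Identifier(StringImpl* impl) : m_impl(impl) { m_impl->ref(); }
    Identifier(const Identifier& other) : m_impl(other.m_impl) { m_impl->ref(); }
    Identifier& operator=(const Identifier&) = delete;
    ~Identifier() { m_impl->deref(); }
    StringImpl* impl() const { return m_impl; }
private:
    StringImpl* m_impl;
};

// Non-owning view, like JSC::PropertyName: a bare pointer, implicitly built from an Identifier.
class PropertyName {
public:
    PropertyName(const Identifier& ident) : m_impl(ident.impl()) {}   // implicit on purpose
    StringImpl* impl() const { return m_impl; }
private:
    StringImpl* m_impl;
};

// Before the patch: the local Identifier dies on return and drops the only ref,
// so the returned view points at a dead string.
PropertyName toPropertyKeyBefore(StringImpl* impl) {
    Identifier ident(impl);
    return ident;                          // implicit Identifier -> PropertyName conversion
}

// After the patch: return the owning type so the caller keeps the string alive.
Identifier toPropertyKeyAfter(StringImpl* impl) {
    return Identifier(impl);
}

// Each check returns whether the key still points at a live string.
bool keyIsLiveBefore() {
    StringImpl s("foo");
    PropertyName key = toPropertyKeyBefore(&s);
    return key.impl()->alive;              // false: use-after-free in the real code
}

bool keyIsLiveAfterWithAuto() {
    StringImpl s("foo");
    auto key = toPropertyKeyAfter(&s);     // deduces Identifier; the ref lives until scope exit
    return key.impl()->alive;              // true
}

// The caller must not narrow the result back to the view type: the temporary Identifier
// is destroyed at the end of the full expression and the dangling pointer is back.
bool keyIsLiveAfterNarrowedToPropertyName() {
    StringImpl s("foo");
    PropertyName key = toPropertyKeyAfter(&s);
    return key.impl()->alive;              // false again
}
```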
2682
2683 2015-03-18  Geoffrey Garen  <ggaren@apple.com>
2684
2685         Function.prototype.toString should not decompile the AST
2686         https://bugs.webkit.org/show_bug.cgi?id=142853
2687
2688         Reviewed by Sam Weinig.
2689
2690         To recover the function parameter string, Function.prototype.toString
2691         decompiles the function parameters from the AST. This is bad for a few
2692         reasons:
2693
2694         (1) It requires us to keep pieces of the AST live forever. This is an
2695         awkward design and a waste of memory.
2696
2697         (2) It doesn't match Firefox or Chrome (because it changes whitespace
2698         and ES6 destructuring expressions).
2699
2700         (3) It doesn't scale to ES6 default argument parameters, which require
2701         arbitrarily complex decompilation.
2702
2703         (4) It can counterfeit all the line numbers in a function (because
2704         whitespace can include newlines).
2705
2706         (5) It's expensive, and we've seen cases where websites invoke
2707         Function.prototype.toString a lot by accident.
2708
2709         The fix is to do what we do for the rest of the function: Just quote the
2710         original source text.
2711
2712         Since this change inevitably changes some function stringification, I
2713         took the opportunity to make our stringification match Firefox's and
2714         Chrome's.
2715
2716         * API/tests/testapi.c:
2717         (assertEqualsAsUTF8String): Be more informative when this fails.
2718
2719         (main): Updated to match new stringification rules.
2720
2721         * bytecode/UnlinkedCodeBlock.cpp:
2722         (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay!
2723         * bytecode/UnlinkedCodeBlock.h:
2724
2725         * parser/Nodes.h:
2726         (JSC::StatementNode::isFuncDeclNode): New helper for constructing
2727         anonymous functions.
2728
2729         * parser/SourceCode.h:
2730         (JSC::SourceCode::SourceCode): Allow zero because WebCore wants it.
2731
2732         * runtime/CodeCache.cpp:
2733         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Updated for use
2734         of function declaration over function expression.
2735
2736         * runtime/Executable.cpp:
2737         (JSC::FunctionExecutable::paramString): Deleted. Yay!
2738         * runtime/Executable.h:
2739         (JSC::FunctionExecutable::parameterCount):
2740
2741         * runtime/FunctionConstructor.cpp:
2742         (JSC::constructFunctionSkippingEvalEnabledCheck): Added a newline after
2743         the opening brace to match Firefox and Chrome, and a space after the comma
2744         to match Firefox and WebKit coding style. Added the function name to
2745         the text of the function so it would look right when stringify-ing. Switched
2746         from parentheses to braces to produce a function declaration instead of
2747         a function expression because we are required to exclude the function's
2748         name from its scope, and that's what a function declaration does.
2749
2750         * runtime/FunctionPrototype.cpp:
2751         (JSC::functionProtoFuncToString): Removed an old workaround because the
2752         library it worked around doesn't really exist anymore, and the behavior
2753         doesn't match Firefox or Chrome. Use type profiling offsets instead of
2754         function body offsets because we want to include the function name and
2755         the parameter string, rather than stitching them in manually by
2756         decompiling the AST.
2757
2758         (JSC::insertSemicolonIfNeeded): Deleted.
2759
2760         * tests/mozilla/js1_2/function/tostring-1.js:
2761         * tests/mozilla/js1_5/Scope/regress-185485.js:
2762         (with.g): Updated these test results for formatting changes.
2763
2764 2015-03-20  Joseph Pecoraro  <pecoraro@apple.com>
2765
2766         SyntaxChecker assertion is trapped with computed property name and getter
2767         https://bugs.webkit.org/show_bug.cgi?id=142863
2768
2769         Reviewed by Ryosuke Niwa.
2770
2771         * parser/SyntaxChecker.h:
2772         (JSC::SyntaxChecker::getName):
2773         Remove invalid assert. Computed properties will not have a name
2774         and the calling code is checking for null expecting it. The
2775         AST path (non-CheckingPath) already does this without the assert
2776         so it is well tested.
2777
2778 2015-03-19  Mark Lam  <mark.lam@apple.com>
2779
2780         JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called.
2781         <https://webkit.org/b/142846>
2782
2783         Reviewed by Geoffrey Garen.
2784
2785         Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:
2786         1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef
2787            that a JSCallbackObject references.
2788         2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via
2789            vm.heap.addFinalizer() which destroys the JSCallbackObject.
2790
2791         The first finalizer is implemented as a virtual function of a JSCallbackObjectData
2792         instance that will be destructed if the 2nd finalizer is called.  Hence, if the
2793         2nd finalizer is called first, the later invocation of the 1st finalizer will
2794         result in a crash.
2795
2796         This patch fixes the issue by eliminating the finalizer registration in init().
2797         Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers
2798         if needed.  This ensures that these finalizers are called before the JSCallbackObject
2799         is destructed.
2800
2801         Also added assertions to a few Heap functions because JSCell::classInfo() expects
2802         all objects that are allocated from MarkedBlock::Normal blocks to be derived from
2803         JSDestructibleObject.  These assertions will help us catch violations of this
2804         expectation earlier.
2805
2806         * API/JSCallbackObject.cpp:
2807         (JSC::JSCallbackObjectData::finalize): Deleted.
2808         * API/JSCallbackObject.h:
2809         (JSC::JSCallbackObjectData::~JSCallbackObjectData):
2810         * API/JSCallbackObjectFunctions.h:
2811         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
2812         (JSC::JSCallbackObject<Parent>::init):
2813         * API/tests/GlobalContextWithFinalizerTest.cpp: Added.
2814         (finalize):
2815         (testGlobalContextWithFinalizer):
2816         * API/tests/GlobalContextWithFinalizerTest.h: Added.
2817         * API/tests/testapi.c:
2818         (main):
2819         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
2820         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
2821         * JavaScriptCore.xcodeproj/project.pbxproj:
2822         * heap/HeapInlines.h:
2823         (JSC::Heap::allocateObjectOfType):
2824         (JSC::Heap::subspaceForObjectOfType):
2825         (JSC::Heap::allocatorForObjectOfType):
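
An added C++ model of the finalizer-ordering problem in this entry (constructed for this note, not JSC code): the collector runs the registered finalizers in whichever order it happens to pick, the pre-patch data finalizer reports a crash when it finds the data already destroyed, and the patched object runs the class finalizers from its own teardown instead. The Trace type, the `fixed` flag and the event strings are assumptions.

```cpp
#include <memory>
#include <string>
#include <vector>

// Records what ran, and whether a finalizer touched already-destroyed data
// (a use-after-free crash in the real code).
struct Trace {
    std::vector<std::string> events;
    bool crashed = false;
};

// Stand-in for a JSClassRef finalize callback.
void classFinalize(Trace& trace) { trace.events.push_back("JSClassRef finalize"); }

// Stand-in for JSCallbackObjectData, which the 2nd finalizer destroys.
struct CallbackObjectData {
    explicit CallbackObjectData(Trace* t) : trace(t) {}
    ~CallbackObjectData() { trace->events.push_back("~JSCallbackObjectData"); }
    Trace* trace;
};

// Stand-in for JSCallbackObject<JSGlobalObject>. With `fixed` set, teardown itself runs the
// class finalizers (this patch); otherwise a separate data finalizer was registered in init().
struct CallbackObject {
    Trace* trace;
    std::unique_ptr<CallbackObjectData> data;
    bool fixed;

    // The finalizer registered via vm.heap.addFinalizer(): destroys the object.
    void destroy() {
        if (fixed)
            classFinalize(*trace);         // runs while data is still alive
        data.reset();                      // ~JSCallbackObjectData
        trace->events.push_back("~JSCallbackObject");
    }
    // The weak finalizer registered by init() before the patch: a virtual call through data.
    void dataFinalizer() {
        if (!data) {                       // real code: call through freed memory
            trace->crashed = true;
            return;
        }
        classFinalize(*trace);
    }
};

using Finalizer = void (*)(CallbackObject&);
void runDestroy(CallbackObject& o) { o.destroy(); }
void runDataFinalizer(CallbackObject& o) { o.dataFinalizer(); }

// Runs the registered finalizers in the order the collector happens to pick.
Trace collect(bool fixed, bool destroyFirst) {
    Trace trace;
    CallbackObject obj{&trace, std::make_unique<CallbackObjectData>(&trace), fixed};
    std::vector<Finalizer> finalizers;
    if (fixed)
        finalizers = {runDestroy};         // only one finalizer is registered now
    else if (destroyFirst)
        finalizers = {runDestroy, runDataFinalizer};
    else
        finalizers = {runDataFinalizer, runDestroy};
    for (Finalizer f : finalizers)
        f(obj);
    return trace;
}

// Pre-patch: the outcome depends on finalizer order; one order crashes.
bool crashesWhenDestroyRunsFirstBeforeFix() { return collect(false, true).crashed; }
bool crashesWhenDataFinalizerRunsFirstBeforeFix() { return collect(false, false).crashed; }

// Post-patch: only one finalizer exists, and the class finalizer always precedes
// destruction of the data it depends on.
bool crashesAfterFix() { return collect(true, true).crashed; }
bool classFinalizerRunsBeforeDataDestroyed() {
    Trace t = collect(true, true);
    return t.events.size() == 3 && t.events[0] == "JSClassRef finalize"
        && t.events[1] == "~JSCallbackObjectData" && t.events[2] == "~JSCallbackObject";
}
```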
2826
2827 2015-03-19  Andreas Kling  <akling@apple.com>
2828
2829         JSCallee unnecessarily overrides a bunch of things in the method table.
2830         <https://webkit.org/b/142855>
2831
2832         Reviewed by Geoffrey Garen.
2833
2834         Remove JSCallee method table overrides that simply call to base class.
2835         This makes JSFunction property slot lookups slightly more efficient since
2836         they can take the fast path when passing over JSCallee in the base class chain.
2837
2838         * runtime/JSCallee.cpp:
2839         (JSC::JSCallee::getOwnPropertySlot): Deleted.
2840         (JSC::JSCallee::getOwnNonIndexPropertyNames): Deleted.
2841         (JSC::JSCallee::put): Deleted.
2842         (JSC::JSCallee::deleteProperty): Deleted.
2843         (JSC::JSCallee::defineOwnProperty): Deleted.
2844         * runtime/JSCallee.h:
2845
2846 2015-03-19  Andreas Kling  <akling@apple.com>
2847
2848         DFGAllocator should use bmalloc's aligned allocator.
2849         <https://webkit.org/b/142871>
2850
2851         Reviewed by Geoffrey Garen.
2852
2853         Switch DFGAllocator to using bmalloc through fastAlignedMalloc().
2854
2855         * dfg/DFGAllocator.h:
2856         (JSC::DFG::Allocator<T>::allocateSlow):
2857         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
2858         * heap/CopiedSpace.h:
2859         * heap/MarkedBlock.h:
2860         * heap/MarkedSpace.h:
2861
2862 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
2863
2864         ES6 Classes: Extends should accept an expression without parenthesis
2865         https://bugs.webkit.org/show_bug.cgi?id=142840
2866
2867         Reviewed by Ryosuke Niwa.
2868
2869         * parser/Parser.cpp:
2870         (JSC::Parser<LexerType>::parseClass):
2871         "extends" allows a LeftHandExpression (new expression / call expression,
2872         which includes a member expression), not a primary expression. Our
2873         parseMemberExpression does all of these.
2874
2875 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
2876
2877         Web Inspector: Debugger Popovers and Probes should use FormattedValue/ObjectTreeView instead of Custom/ObjectPropertiesSection
2878         https://bugs.webkit.org/show_bug.cgi?id=142830
2879
2880         Reviewed by Timothy Hatcher.
2881
2882         * inspector/agents/InspectorDebuggerAgent.cpp:
2883         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
2884         Give Probe Samples object previews.
2885
2886 2015-03-17  Ryuan Choi  <ryuan.choi@navercorp.com>
2887
2888         [EFL] Expose JavaScript binding interface through ewk_extension
2889         https://bugs.webkit.org/show_bug.cgi?id=142033
2890
2891         Reviewed by Gyuyoung Kim.
2892
2893         * PlatformEfl.cmake: Install Javascript APIs.
2894
2895 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
2896
2897         Function bodies should always include braces
2898         https://bugs.webkit.org/show_bug.cgi?id=142795
2899
2900         Reviewed by Michael Saboff.
2901
2902         Having a mode for excluding the opening and closing braces from a function
2903         body was unnecessary and confusing.
2904
2905         * bytecode/CodeBlock.cpp:
2906         (JSC::CodeBlock::CodeBlock): Adopt the new one true linking function.
2907
2908         * bytecode/UnlinkedCodeBlock.cpp:
2909         (JSC::generateFunctionCodeBlock):
2910         (JSC::UnlinkedFunctionExecutable::link):
2911         (JSC::UnlinkedFunctionExecutable::codeBlockFor): No need to pass through
2912         a boolean: there is only one kind of function now.
2913
2914         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Deleted.
2915         (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Deleted. Let's only
2916         have one way to do things. This removes the old mode that would pretend
2917         that a function always started at column 1. That pretense was not true:
2918         an attribute event listener does not necessarily start at column 1.
2919
2920         * bytecode/UnlinkedCodeBlock.h:
2921         * generate-js-builtins: Adopt the new one true linking function.
2922
2923         * parser/Parser.h:
2924         (JSC::Parser<LexerType>::parse):
2925         (JSC::parse): needsReparsingAdjustment is always true now, so I removed it.
2926
2927         * runtime/Executable.cpp:
2928         (JSC::ScriptExecutable::newCodeBlockFor):
2929         (JSC::FunctionExecutable::FunctionExecutable):
2930         (JSC::ProgramExecutable::initializeGlobalProperties):
2931         (JSC::FunctionExecutable::fromGlobalCode):
2932         * runtime/Executable.h:
2933         (JSC::FunctionExecutable::create):
2934         (JSC::FunctionExecutable::bodyIncludesBraces): Deleted. Removed unused stuff.
2935
2936         * runtime/FunctionConstructor.cpp:
2937         (JSC::constructFunctionSkippingEvalEnabledCheck): Always provide a
2938         leading space because that's what this function's comment says is required
2939         for web compatibility. We used to fake this up after the fact when
2940         stringifying, based on the bodyIncludesBraces flag, but that flag is gone now.
2941
2942         * runtime/FunctionPrototype.cpp:
2943         (JSC::insertSemicolonIfNeeded):
2944         (JSC::functionProtoFuncToString): No need to add braces and/or a space
2945         after the fact -- we always have them now.
2946
2947 2015-03-17  Mark Lam  <mark.lam@apple.com>
2948
2949         Refactor execution time limit tests out of testapi.c.
2950         <https://webkit.org/b/142798>
2951
2952         Rubber stamped by Michael Saboff.
2953
2954         These tests were sometimes failing to time out on C loop builds.  Let's
2955         refactor them out of the big monolith that is testapi.c so that we can
2956         reason more easily about them and make adjustments if needed.
2957
2958         * API/tests/ExecutionTimeLimitTest.cpp: Added.
2959         (currentCPUTime):
2960         (currentCPUTimeAsJSFunctionCallback):
2961         (shouldTerminateCallback):
2962         (cancelTerminateCallback):
2963         (extendTerminateCallback):
2964         (testExecutionTimeLimit):
2965         * API/tests/ExecutionTimeLimitTest.h: Added.
2966         * API/tests/testapi.c:
2967         (main):
2968         (currentCPUTime): Deleted.
2969         (currentCPUTime_callAsFunction): Deleted.
2970         (shouldTerminateCallback): Deleted.
2971         (cancelTerminateCallback): Deleted.
2972         (extendTerminateCallback): Deleted.
2973         * JavaScriptCore.xcodeproj/project.pbxproj:
2974
2975 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
2976
2977         Built-in functions should know that they use strict mode
2978         https://bugs.webkit.org/show_bug.cgi?id=142788
2979
2980         Reviewed by Mark Lam.
2981
2982         Even though all of our builtin functions use strict mode, the parser
2983         thinks that they don't. This is because Executable::toStrictness treats
2984         builtin-ness and strict-ness as mutually exclusive.
2985
2986         The fix is to disambiguate builtin-ness from strict-ness.
2987
2988         This bug is currently unobservable because of some other parser bugs. But
2989         it causes lots of test failures once those other bugs are fixed.
2990
2991         * API/JSScriptRef.cpp:
2992         (parseScript):
2993         * builtins/BuiltinExecutables.cpp:
2994         (JSC::BuiltinExecutables::createBuiltinExecutable): Adopt the new API
2995         for a separate value to indicate builtin-ness vs strict-ness.
2996
2997         * bytecode/UnlinkedCodeBlock.cpp:
2998         (JSC::generateFunctionCodeBlock):
2999         (JSC::UnlinkedFunctionExecutable::codeBlockFor): Ditto.
3000
3001         * bytecode/UnlinkedCodeBlock.h:
3002         (JSC::UnlinkedFunctionExecutable::toStrictness): Deleted. This function
3003         was misleading since it pretended that no builtin function was ever
3004         strict, which is the opposite of true.
3005
3006         * parser/Lexer.cpp:
3007         (JSC::Lexer<T>::Lexer):
3008         * parser/Lexer.h:
3009         * parser/Parser.cpp:
3010         (JSC::Parser<LexerType>::Parser):
3011         * parser/Parser.h:
3012         (JSC::parse): Adopt the new API.
3013
3014         * parser/ParserModes.h: Added JSParserBuiltinMode, and tried to give
3015         existing modes clearer names.
3016
3017         * runtime/CodeCache.cpp:
3018         (JSC::CodeCache::getGlobalCodeBlock):
3019         (JSC::CodeCache::getProgramCodeBlock):
3020         (JSC::CodeCache::getEvalCodeBlock):
3021         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Adopt the new API.
3022
3023         * runtime/CodeCache.h:
3024         (JSC::SourceCodeKey::SourceCodeKey): Be sure to treat strict-ness and
3025         builtin-ness as separate pieces of the code cache key. We would not want
3026         a user function to match a built-in function in the cache, even if they
3027         agreed about strictness, since builtin functions have different lexing
3028         rules.
3029
3030         * runtime/Completion.cpp:
3031         (JSC::checkSyntax):
3032         * runtime/Executable.cpp:
3033         (JSC::FunctionExecutable::FunctionExecutable):
3034         (JSC::ProgramExecutable::checkSyntax):
3035         * runtime/Executable.h:
3036         (JSC::FunctionExecutable::create):
3037         * runtime/JSGlobalObject.cpp:
3038         (JSC::JSGlobalObject::createProgramCodeBlock):
3039         (JSC::JSGlobalObject::createEvalCodeBlock): Adopt the new API.
3040
3041 2015-03-16  Filip Pizlo  <fpizlo@apple.com>
3042
3043         DFG IR shouldn't have a separate node for every kind of put hint that could be described using PromotedLocationDescriptor
3044         https://bugs.webkit.org/show_bug.cgi?id=142769
3045
3046         Reviewed by Michael Saboff.
3047         
3048         When we sink an object allocation, we need to have some way of tracking what stores would
3049         have happened had the allocation not been sunk, so that we know how to rematerialize the
3050         object on OSR exit. Prior to this change, trunk had two ways of describing such a "put
3051         hint":
3052         
3053         - The PutStructureHint and PutByOffsetHint node types.
3054         - The PromotedLocationDescriptor class, which has an enum with cases StructurePLoc and
3055           NamedPropertyPLoc.
3056         
3057         We also had ways of converting from a Node with those two node types to a
3058         PromotedLocationDescriptor, and we had a way of converting a PromotedLocationDescriptor to
3059         a Node.
3060         
3061         This change removes the redundancy. We now have just one node type that corresponds to a
3062         put hint, and it's called PutHint. It has a PromotedLocationDescriptor as metadata.
3063         Converting between a PutHint node and a PromotedLocationDescriptor and vice-versa is now
3064         trivial.
3065         
3066         This means that if we add new kinds of sunken objects, we'll have less pro-forma to write
3067         for the put hints to those objects. This is mainly to simplify the implementation of
3068         arguments elimination in bug 141174.
3069
3070         * dfg/DFGAbstractInterpreterInlines.h:
3071         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3072         * dfg/DFGClobberize.h:
3073         (JSC::DFG::clobberize):
3074         * dfg/DFGDoesGC.cpp:
3075         (JSC::DFG::doesGC):
3076         * dfg/DFGFixupPhase.cpp:
3077         (JSC::DFG::FixupPhase::fixupNode):
3078         * dfg/DFGGraph.cpp:
3079         (JSC::DFG::Graph::dump):
3080         (JSC::DFG::Graph::mergeRelevantToOSR):
3081         * dfg/DFGMayExit.cpp:
3082         (JSC::DFG::mayExit):
3083         * dfg/DFGNode.cpp:
3084         (JSC::DFG::Node::convertToPutHint):
3085         (JSC::DFG::Node::convertToPutStructureHint):
3086         (JSC::DFG::Node::convertToPutByOffsetHint):
3087         (JSC::DFG::Node::promotedLocationDescriptor):
3088         * dfg/DFGNode.h:
3089         (JSC::DFG::Node::hasIdentifier):
3090         (JSC::DFG::Node::hasPromotedLocationDescriptor):
3091         (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
3092         (JSC::DFG::Node::convertToPutStructureHint): Deleted.
3093         * dfg/DFGNodeType.h:
3094         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3095         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3096         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3097         (JSC::DFG::ObjectAllocationSinkingPhase::run):
3098         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
3099         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
3100         * dfg/DFGPredictionPropagationPhase.cpp:
3101         (JSC::DFG::PredictionPropagationPhase::propagate):
3102         * dfg/DFGPromoteHeapAccess.h:
3103         (JSC::DFG::promoteHeapAccess):
3104         * dfg/DFGPromotedHeapLocation.cpp:
3105         (JSC::DFG::PromotedHeapLocation::createHint):
3106         * dfg/DFGPromotedHeapLocation.h:
3107         (JSC::DFG::PromotedLocationDescriptor::imm1):
3108         (JSC::DFG::PromotedLocationDescriptor::imm2):
3109         * dfg/DFGSafeToExecute.h:
3110         (JSC::DFG::safeToExecute):
3111         * dfg/DFGSpeculativeJIT32_64.cpp:
3112         (JSC::DFG::SpeculativeJIT::compile):
3113         * dfg/DFGSpeculativeJIT64.cpp:
3114         (JSC::DFG::SpeculativeJIT::compile):
3115         * dfg/DFGValidate.cpp:
3116         (JSC::DFG::Validate::validateCPS):
3117         * ftl/FTLCapabilities.cpp:
3118         (JSC::FTL::canCompile):
3119         * ftl/FTLLowerDFGToLLVM.cpp:
3120         (JSC::FTL::LowerDFGToLLVM::compileNode):
3121
3122 2015-03-17  Michael Saboff  <msaboff@apple.com>
3123
3124         Windows X86-64 should use the fixed executable allocator
3125         https://bugs.webkit.org/show_bug.cgi?id=142749
3126
3127         Reviewed by Filip Pizlo.
3128
3129         Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build.
3130
3131         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3132         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3133         * jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows.
3134
3135 2015-03-17  Matt Baker  <mattbaker@apple.com>
3136
3137         Web Inspector: Show rendering frames (and FPS) in Layout and Rendering timeline
3138         https://bugs.webkit.org/show_bug.cgi?id=142029
3139
3140         Reviewed by Timothy Hatcher.
3141
3142         * inspector/protocol/Timeline.json:
3143         Added new event type for runloop timeline records.
3144
3145 2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>
3146
3147         Enable ES6 classes by default
3148         https://bugs.webkit.org/show_bug.cgi?id=142774
3149
3150         Reviewed by Gavin Barraclough.
3151
3152         Enabled the feature and unskipped tests.
3153
3154         * Configurations/FeatureDefines.xcconfig:
3155         * tests/stress/class-syntax-no-loop-tdz.js:
3156         * tests/stress/class-syntax-no-tdz-in-catch.js:
3157         * tests/stress/class-syntax-no-tdz-in-conditional.js:
3158         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
3159         * tests/stress/class-syntax-no-tdz-in-loop.js:
3160         * tests/stress/class-syntax-no-tdz.js:
3161         * tests/stress/class-syntax-tdz-in-catch.js:
3162         * tests/stress/class-syntax-tdz-in-conditional.js:
3163         * tests/stress/class-syntax-tdz-in-loop.js:
3164         * tests/stress/class-syntax-tdz.js:
3165
3166 2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>
3167
3168         Web Inspector: Better Console Previews for Arrays / Small Objects
3169         https://bugs.webkit.org/show_bug.cgi?id=142322
3170
3171         Reviewed by Timothy Hatcher.
3172
3173         * inspector/InjectedScriptSource.js:
3174         Create deep valuePreviews for simple previewable objects,
3175         such as arrays with 5 values, or basic objects with
3176         3 properties.
3177
3178 2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>
3179
3180         Add support for default constructor
3181         https://bugs.webkit.org/show_bug.cgi?id=142388
3182
3183         Reviewed by Filip Pizlo.
3184
3185         Added the support for default constructors. They're generated by ClassExprNode::emitBytecode
3186         via BuiltinExecutables::createDefaultConstructor.
3187
3188         UnlinkedFunctionExecutable now has the ability to override SourceCode provided by the owner
3189         executable. We can't store SourceCode in UnlinkedFunctionExecutable since CodeCache can use
3190         the same UnlinkedFunctionExecutable to generate code blocks for multiple functions.
3191
3192         Parser now has the ability to treat any function expression as a constructor of the kind specified
3193         by m_defaultConstructorKind member variable.
3194
3195         * builtins/BuiltinExecutables.cpp:
3196         (JSC::BuiltinExecutables::createDefaultConstructor): Added.
3197         (JSC::BuiltinExecutables::createExecutableInternal): Generalized from createBuiltinExecutable.
3198         Parse default constructors as normal non-builtin functions. Override SourceCode in the unlinked
3199         function executable since the Miranda function's code is definitely not in the owner executable's
3200         source code. That's the whole point.
3201         * builtins/BuiltinExecutables.h:
3202         (UnlinkedFunctionExecutable::createBuiltinExecutable): Added. Wraps createExecutableInternal.
3203         * bytecode/UnlinkedCodeBlock.cpp:
3204         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3205         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable):
3206         (JSC::UnlinkedFunctionExecutable::linkGlobalCode):
3207         * bytecode/UnlinkedCodeBlock.h:
3208         (JSC::UnlinkedFunctionExecutable::create):
3209         (JSC::UnlinkedFunctionExecutable::symbolTable): Deleted.
3210         * bytecompiler/BytecodeGenerator.cpp:
3211         (JSC::BytecodeGenerator::emitNewDefaultConstructor): Added.
3212         * bytecompiler/BytecodeGenerator.h:
3213         * bytecompiler/NodesCodegen.cpp:
3214         (JSC::ClassExprNode::emitBytecode): Generate the default constructor if needed.
3215         * parser/Parser.cpp:
3216         (JSC::Parser<LexerType>::Parser):
3217         (JSC::Parser<LexerType>::parseFunctionInfo): Override ownerClassKind and treat the function as
3218         a constructor if we're parsing a default constructor.
3219         (JSC::Parser<LexerType>::parseClass): Allow omission of the class constructor.
3220         * parser/Parser.h:
3221         (JSC::parse):
3222
3223 2015-03-16  Alex Christensen  <achristensen@webkit.org>
3224
3225         Progress towards CMake on Mac
3226         https://bugs.webkit.org/show_bug.cgi?id=142747
3227
3228         Reviewed by Chris Dumez.
3229
3230         * CMakeLists.txt:
3231         Include AugmentableInspectorController.h in CMake build.
3232
3233 2015-03-16  Csaba Osztrogonác  <ossy@webkit.org>
3234
3235         [ARM] Enable generating idiv instructions if it is supported
3236         https://bugs.webkit.org/show_bug.cgi?id=142725
3237
3238         Reviewed by Michael Saboff.
3239
3240         * assembler/ARMAssembler.h: Added sdiv and udiv implementation for ARM Traditional instruction set.
3241         (JSC::ARMAssembler::sdiv):
3242         (JSC::ARMAssembler::udiv):
3243         * assembler/ARMv7Assembler.h: Use HAVE(ARM_IDIV_INSTRUCTIONS) instead of CPU(APPLE_ARMV7S).
3244         * assembler/AbstractMacroAssembler.h:
3245         (JSC::isARMv7IDIVSupported):
3246         (JSC::optimizeForARMv7IDIVSupported):
3247         (JSC::isARMv7s): Renamed to isARMv7IDIVSupported().
3248         (JSC::optimizeForARMv7s): Renamed to optimizeForARMv7IDIVSupported().
3249         * dfg/DFGFixupPhase.cpp:
3250         (JSC::DFG::FixupPhase::fixupNode):
3251         * dfg/DFGSpeculativeJIT.cpp:
3252         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3253         (JSC::DFG::SpeculativeJIT::compileArithMod):
3254
3255 2015-03-15  Filip Pizlo  <fpizlo@apple.com>
3256
3257         DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source, and emit GetStacks when the stack's value is needed and none is deferred
3258         https://bugs.webkit.org/show_bug.cgi?id=141624
3259
3260         Reviewed by Geoffrey Garen.
3261
3262         Not eliminating GetStacks was an obvious omission from the original PutStackSinkingPhase.
3263         Previously, we would treat GetStacks conservatively and assume that the stack slot
3264         escaped. That's pretty dumb, since a GetStack is a local load of the stack. This change
3265         makes GetStack a no-op from the standpoint of this phase's deferral analysis. At the end
3266         we either keep the GetStack (if there was no concrete deferral) or we replace it with an
3267         identity over the value that would have been stored by the deferred PutStack. Note that
3268         this might be a Phi that the phase creates, so this is strictly stronger than what GCSE
3269         could do.
3270         
3271         But this change revealed the fact that this phase never correctly handled side effects in
3272         the case that we had done a GetStack, then a side-effect, and then found ourselves wanting the
3273         value on the stack due to (for example) a Phi on a deferred PutStack and that GetStack.
3274         Basically, it's only correct to use the SSA converter's incoming value mapping if we have
3275         a concrete deferral - since anything but a concrete deferral may imply that the value has
3276         been clobbered.
3277         
3278         This has no performance change. I believe that the bug was previously benign because we
3279         have so few operations that clobber the stack anymore, and most of those get used in a
3280         very idiomatic way. The GetStack elimination will be very useful for the varargs
3281         simplification that is part of bug 141174.
3282         
3283         This includes a test for the case that Speedometer hit, plus tests for the other cases I
3284         thought of once I realized the deeper issue.
3285
3286         * dfg/DFGPutStackSinkingPhase.cpp:
3287         * tests/stress/get-stack-identity-due-to-sinking.js: Added.
3288         (foo):
3289         (bar):
3290         * tests/stress/get-stack-mapping-with-dead-get-stack.js: Added.
3291         (bar):
3292         (foo):
3293         * tests/stress/get-stack-mapping.js: Added.
3294         (bar):
3295         (foo):
3296         * tests/stress/weird-put-stack-varargs.js: Added.
3297         (baz):
3298         (foo):
3299         (fuzz):
3300         (bar):
3301
3302 2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>
3303
3304         Update Map/Set to treat -0 and 0 as the same value
3305         https://bugs.webkit.org/show_bug.cgi?id=142709
3306
3307         Reviewed by Csaba Osztrogonác.
3308
3309         * runtime/MapData.h:
3310         (JSC::MapDataImpl<Entry>::KeyType::KeyType):
3311         No longer special case -0. It will be treated as the same as 0.
3312
3313 2015-03-15  Joseph Pecoraro  <pecoraro@apple.com>
3314
3315         Web Inspector: Better handle displaying -0
3316         https://bugs.webkit.org/show_bug.cgi?id=142708
3317
3318         Reviewed by Timothy Hatcher.
3319
3320         Modeled after a blink change:
3321
3322         Patch by <aandrey@chromium.org>
3323         DevTools: DevTools: Show -0 for negative zero in console
3324         https://src.chromium.org/viewvc/blink?revision=162605&view=revision
3325
3326         * inspector/InjectedScriptSource.js:
3327         When creating a description string, or preview value string
3328         for -0, be sure the string is "-0" and not "0"
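An added example (not JSC or WebKit code) showing the two -0 rules from the Map/Set entry and the Web Inspector entry above: SameValueZero key equality, which folds -0 into +0, and an explicit negative-zero check when describing a value, since `String(-0)` yields "0". The helper names `sameValueZero`, `canonicalKey`, `describeNumber` and `builtinBehaviour` are this example's own, not JSC's.

```javascript
// Added example, not JavaScriptCore source. Demonstrates the key-equality
// rule behind "treat -0 and 0 as the same value" and the Inspector's "-0" display.

// SameValueZero (ES2015 7.2.10): like ===, except NaN equals NaN.
// === already considers -0 and +0 equal, so no special case is needed for them.
function sameValueZero(a, b) {
  if (typeof a === "number" && typeof b === "number") {
    if (Number.isNaN(a) && Number.isNaN(b)) return true;
    return a === b;
  }
  return a === b;
}

// Canonicalize a key for a SameValueZero-keyed table: fold -0 into +0 so both
// spellings hash to the same slot. (Hypothetical helper for illustration.)
function canonicalKey(key) {
  return Object.is(key, -0) ? 0 : key;
}

// Inspector-style description string. String(-0) is "0", so negative zero is
// lost unless it is checked explicitly with Object.is before stringifying.
function describeNumber(value) {
  if (Object.is(value, -0)) return "-0";
  return String(value);
}

// Observe that the built-in Map and Set already follow SameValueZero and
// normalize a -0 key to +0 on insertion (per the ES2015 Map.prototype.set steps).
function builtinBehaviour() {
  const map = new Map([[0, "zero"]]);
  const set = new Set([0, -0, NaN, NaN]); // constructed sample input
  const storedKey = [...new Map([[-0, 1]]).keys()][0];
  return {
    mapHasNegZero: map.has(-0),            // true: -0 finds the +0 entry
    mapGetNegZero: map.get(-0),            // "zero"
    setSize: set.size,                     // 2: {0, NaN}; -0 and the second NaN collapse
    keyStoredAsPosZero: Object.is(storedKey, 0), // true: -0 key was folded to +0
    keyDescription: describeNumber(storedKey),   // "0", because the stored key is +0
  };
}
```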