1e4784436737ef8be2ceeff3969a3da68b0455ef
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-17  Basile Clement  <basile_clement@apple.com>

        Inline JSFunction allocation in DFG
        https://bugs.webkit.org/show_bug.cgi?id=143858

        Reviewed by Filip Pizlo.

        Follow-up to my previous patch which inlines JSFunction allocation when
        using FTL, now also enabled in DFG.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):

2015-04-16  Jordan Harband  <ljharb@gmail.com>

        Number.parseInt is not === global parseInt in nightly r182673
        https://bugs.webkit.org/show_bug.cgi?id=143799

        Reviewed by Darin Adler.

        Ensuring parseInt === Number.parseInt, per spec
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::parseIntFunction):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):

2015-04-16  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLOOP build after r182927.

        Not reviewed.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::print):

2015-04-16  Basile Clement  <basile_clement@apple.com>

        Inline JSFunction allocation in FTL
        https://bugs.webkit.org/show_bug.cgi?id=143851

        Reviewed by Filip Pizlo.

        JSFunction allocation is a simple operation that should be inlined when possible.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        * runtime/JSFunction.h:
        (JSC::JSFunction::allocationSize):

2015-04-16  Mark Lam  <mark.lam@apple.com>

        Add $vm debugging tool.
        https://bugs.webkit.org/show_bug.cgi?id=143809

        Reviewed by Geoffrey Garen.

        For debugging VM bugs, it would be useful to be able to dump VM data structures
        from JS code that we instrument.  To this end, let's introduce a
        JS_enableDollarVM option that, if true, installs an $vm property into each JS
        global object at creation time.  The $vm property refers to an object that
        provides a collection of useful utility functions.  For this initial
        implementation, $vm will have the following:

            crash() - trigger an intentional crash.

            dfgTrue() - returns true if the current function is DFG compiled, else returns false.
            jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false.
            llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false.

            gc() - runs a full GC.
            edenGC() - runs an eden GC.

            codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc).
            printSourceFor(codeBlock) - prints the source code for the codeBlock.
            printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock.

            print(str) - prints a string to dataLog output.
            printCallFrame() - prints the current CallFrame.
            printStack() - prints the JS stack.
            printInternal(value) - prints the JSC internal info for the specified value.

        With JS_enableDollarVM=true, JS code can use the above functions like so:

            $vm.print("Using $vm features\n");

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        - FTL compiled functions don't like it when we try to compute the CallLinkStatus.
          Hence, we skip this step if we're dumping an FTL codeBlock.

        * heap/Heap.cpp:
        (JSC::Heap::collectAndSweep):
        (JSC::Heap::collectAllGarbage): Deleted.
        * heap/Heap.h:
        (JSC::Heap::collectAllGarbage):
        - Add ability to do an Eden collection and sweep.

        * interpreter/StackVisitor.cpp:
        (JSC::printIndents):
        (JSC::log):
        (JSC::logF):
        (JSC::StackVisitor::Frame::print):
        (JSC::jitTypeName): Deleted.
        (JSC::printif): Deleted.
        - Modernize the implementation of StackVisitor::Frame::print(), and remove some
          now redundant code.
        - Also fix it so that it downgrades gracefully when encountering inlined DFG
          and compiled FTL functions.

        (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted.
        (DebugPrintFrameFunctor::operator()): Deleted.
        (debugPrintCallFrame): Deleted.
        (debugPrintStack): Deleted.
        - these have been moved into JSDollarVMPrototype.cpp.

        * interpreter/StackVisitor.h:
        - StackVisitor::Frame::print() is now enabled for release builds as well so that
          we can call it from $vm.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        - Added the $vm instance to global objects conditional on the JSC_enableDollarVM
          option.

        * runtime/Options.h:
        - Added the JSC_enableDollarVM option.

        * tools/JSDollarVM.cpp: Added.
        * tools/JSDollarVM.h: Added.
        (JSC::JSDollarVM::createStructure):
        (JSC::JSDollarVM::create):
        (JSC::JSDollarVM::JSDollarVM):

        * tools/JSDollarVMPrototype.cpp: Added.
        - This file contains 2 sets of functions:

          a. a C++ implementation of debugging utility functions that are callable when
             doing debugging from lldb.  To the extent possible, these functions try to
             be cautious and not cause unintended crashes should the user call them with
             the wrong info.  Hence, they are designed to be robust rather than speedy.

          b. the native implementations of JS functions in the $vm object.  Where there
             is overlapping functionality, these are built on top of the C++ functions
             above to do the work.

          Note: it does not make sense for all of the $vm functions to have a C++
          counterpart for lldb debugging.  For example, the $vm.dfgTrue() function is
          only useful for JS code, and works via the DFG intrinsics mechanism.
          When doing debugging via lldb, the optimization level of the currently
          executing JS function can be gotten by dumping the current CallFrame instead.

        (JSC::currentThreadOwnsJSLock):
        (JSC::ensureCurrentThreadOwnsJSLock):
        (JSC::JSDollarVMPrototype::addFunction):
        (JSC::functionCrash): - $vm.crash()
        (JSC::functionDFGTrue): - $vm.dfgTrue()
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::operator()):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue): - $vm.llintTrue()
        (JSC::functionJITTrue): - $vm.jitTrue()
        (JSC::gc):
        (JSC::functionGC): - $vm.gc()
        (JSC::edenGC):
        (JSC::functionEdenGC): - $vm.edenGC()
        (JSC::isValidCodeBlock):
        (JSC::codeBlockForFrame):
        (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber)
        (JSC::codeBlockFromArg):
        (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock)
        (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock)
        (JSC::functionPrint): - $vm.print(str)
        (JSC::PrintFrameFunctor::PrintFrameFunctor):
        (JSC::PrintFrameFunctor::operator()):
        (JSC::printCallFrame):
        (JSC::printStack):
        (JSC::functionPrintCallFrame): - $vm.printCallFrame()
        (JSC::functionPrintStack): - $vm.printStack()
        (JSC::printValue):
        (JSC::functionPrintValue): - $vm.printValue()
        (JSC::JSDollarVMPrototype::finishCreation):
        * tools/JSDollarVMPrototype.h: Added.
        (JSC::JSDollarVMPrototype::create):
        (JSC::JSDollarVMPrototype::createStructure):
        (JSC::JSDollarVMPrototype::JSDollarVMPrototype):

2015-04-16  Geoffrey Garen  <ggaren@apple.com>

        Speculative fix after r182915
        https://bugs.webkit.org/show_bug.cgi?id=143404

        Reviewed by Alexey Proskuryakov.

        * runtime/SymbolConstructor.h:

2015-04-16  Mark Lam  <mark.lam@apple.com>

        Fixed some typos in a comment.

        Not reviewed.

        * dfg/DFGGenerationInfo.h:

2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Symbol.for and Symbol.keyFor
        https://bugs.webkit.org/show_bug.cgi?id=143404

        Reviewed by Geoffrey Garen.

        This patch implements Symbol.for and Symbol.keyFor.
        SymbolRegistry maintains registered StringImpl* symbols.
        And to make this mapping enabled over realms,
        VM owns this mapping (not JSGlobalObject).

        While there's a Default AtomicStringTable per thread,
        SymbolRegistry should not exist over VMs.
        So every time a VM is created, a SymbolRegistry is also created.

        In the SymbolRegistry implementation, we don't leverage WeakGCMap (or a weak reference design).
        There are several reasons.
        1. StringImpl*, which represents the identity of Symbols, is not a GC-managed object.
           So we cannot use WeakGCMap directly.
           While Symbol* is a GC-managed object, holding a weak reference to Symbol* doesn't maintain the liveness of JS symbols (the primitive values exposed to users),
           because distinct Symbol* can exist.
           A distinct Symbol* means a Symbol* object whose pointer value (Symbol*) is different from the weakly referenced Symbol* but whose held StringImpl* is the same.

        2. We don't use WTF::WeakPtr. If we add a WeakPtrFactory into StringImpl's members, we can track StringImpl*'s liveness by WeakPtr.
           However, there's a problem about when we prune stale entries in SymbolRegistry.
           The memory allocated for the Symbol is typically occupied by the allocated symbolized StringImpl*'s content,
           and it is not in the GC heap.
           While heavily registering Symbols and storing StringImpl* into SymbolRegistry, the Heap's EdenSpace is not so occupied.
           So GC typically attempts to perform an EdenCollection, and it doesn't call WeakGCMap's pruneStaleEntries callback.
           As a result, before pruning stale entries in SymbolRegistry, fast malloc-ed memory fills up the system memory.

        So instead of using a weak reference, we take a relatively easy design.
        When we register a symbolized StringImpl* into SymbolRegistry, the symbolized StringImpl* is aware of that.
        And when destructing it, it removes its reference from SymbolRegistry, as atomic StringImpls do with the AtomicStringTable.

        * CMakeLists.txt:
        * DerivedSources.make:
        * runtime/SymbolConstructor.cpp:
        (JSC::SymbolConstructor::getOwnPropertySlot):
        (JSC::symbolConstructorFor):
        (JSC::symbolConstructorKeyFor):
        * runtime/SymbolConstructor.h:
        * runtime/VM.cpp:
        * runtime/VM.h:
        (JSC::VM::symbolRegistry):
        * tests/stress/symbol-registry.js: Added.
        (test):

2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Use specific functions for @@iterator functions
        https://bugs.webkit.org/show_bug.cgi?id=143838

        Reviewed by Geoffrey Garen.

        In ES6, some methods are defined under different names.

        For example,

        Map.prototype[Symbol.iterator] === Map.prototype.entries
        Set.prototype[Symbol.iterator] === Set.prototype.values
        Array.prototype[Symbol.iterator] === Array.prototype.values
        %Arguments%[Symbol.iterator] === Array.prototype.values

        However, the current implementation creates different function objects per name.
        This patch fixes it by setting the object that is used for the other method to @@iterator,
        e.g. setting the Array.prototype.values function object to Array.prototype[Symbol.iterator].

        And we drop the Arguments iterator implementation and replace the Arguments[@@iterator] implementation
        with Array.prototype.values to conform to the spec.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * runtime/ArgumentsIteratorConstructor.cpp: Removed.
        * runtime/ArgumentsIteratorConstructor.h: Removed.
        * runtime/ArgumentsIteratorPrototype.cpp: Removed.
        * runtime/ArgumentsIteratorPrototype.h: Removed.
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ArrayPrototype.h:
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::put):
        (JSC::ClonedArguments::deleteProperty):
        (JSC::ClonedArguments::defineOwnProperty):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/ClonedArguments.h:
        * runtime/CommonIdentifiers.h:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        * runtime/JSArgumentsIterator.cpp: Removed.
        * runtime/JSArgumentsIterator.h: Removed.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayProtoValuesFunction):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/ScopedArguments.cpp:
        (JSC::ScopedArguments::overrideThings):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * tests/stress/arguments-iterator.js: Added.
        (test):
        (testArguments):
        * tests/stress/iterator-functions.js: Added.
        (test):
        (argumentsTests):

2015-04-14  Mark Lam  <mark.lam@apple.com>

        Add JSC_functionOverrides=<overrides file> debugging tool.
        https://bugs.webkit.org/show_bug.cgi?id=143717

        Reviewed by Geoffrey Garen.

        This tool allows us to do runtime replacement of function bodies with alternatives
        for debugging purposes.  For example, this is useful when we need to debug VM bugs
        which manifest in scripts executing in webpages downloaded from remote servers
        that we don't control.  The tool allows us to augment those scripts with logging
        or test code to help isolate the bugs.

        This tool works by substituting the SourceCode at FunctionExecutable creation
        time.  It identifies which SourceCode to substitute by comparing the source
        string against keys in a set of key value pairs.

        The keys are function body strings defined by 'override' clauses in the overrides
        file specified in the JSC_functionOverrides option.  The values are function
        body strings defined by 'with' clauses in the overrides file.
        See the comment block at the top of FunctionOverrides.cpp on the formatting
        of the overrides file.

        At FunctionExecutable creation time, if the SourceCode string matches one of the
        'override' keys from the overrides file, the tool will replace the SourceCode with
        a new one based on the corresponding 'with' value string.  The FunctionExecutable
        will then be created with the new SourceCode instead.

        Some design decisions:
        1. We opted to require that the 'with' clause appear on a separate line from the
           'override' clause because this makes it easier to read and write when the
           'override' clause's function body is single lined and long.

        2. The user can use any sequence of characters for the delimiter (except for '{',
           '}' and white space characters) because this ensures that there can always be
           some delimiter pattern that does not appear in the function body in the clause
           e.g. in the body of strings in the JS code.

           '{' and '}' are disallowed because they are used to mark the boundaries of the
           function body string.  White space characters are disallowed because they can
           be error prone (the user may not be able to tell between spaces and tabs).

        3. The start and end delimiter must be an identical sequence of characters.

           I had considered allowing the use of complementary characters like <>, [], and
           () for making delimiter pairs like:
               [[[[ ... ]]]]
               <[([( ... )])]>

           But in the end, decided against it because:
           a. These sequences of complementary characters can exist in JS code.
              In contrast, a repeating delimiter like %%%% is unlikely to appear in JS
              code.
           b. It can be error prone for the user to have to type the exact complement
              character for the end delimiter in reverse order.
              In contrast, a repeating delimiter like %%%% is much easier to type and
              less error prone.  Even a sequence like @#$%^ is less error prone than
              a complementary sequence because it can be copy-pasted, and need not be
              typed in reverse order.
           c. It is easier to parse for the same delimiter string for both start and end.

        4. The tool does a lot of checks for syntax errors in the overrides file because
           we don't want any overrides to fail silently.  If a syntax error is detected,
           the tool will print an error message and call exit().  This avoids the user
           wasting time doing debugging only to be surprised later that their specified
           overrides did not take effect because of some unnoticed typo.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * runtime/Executable.h:
        * runtime/Options.h:
        * tools/FunctionOverrides.cpp: Added.
        (JSC::FunctionOverrides::overrides):
        (JSC::FunctionOverrides::FunctionOverrides):
        (JSC::initializeOverrideInfo):
        (JSC::FunctionOverrides::initializeOverrideFor):
        (JSC::hasDisallowedCharacters):
        (JSC::parseClause):
        (JSC::FunctionOverrides::parseOverridesInFile):
        * tools/FunctionOverrides.h: Added.

2015-04-16  Basile Clement  <basile_clement@apple.com>

        Extract the allocation profile from JSFunction into a rare object
        https://bugs.webkit.org/show_bug.cgi?id=143807

        Reviewed by Filip Pizlo.

        The allocation profile is only needed for those functions that are used
        to create objects with [new].
        Extracting it into its own JSCell removes the need for JSFunction and
        JSCallee to be JSDestructibleObjects, which should improve performance in most
        cases at the cost of an extra pointer dereference when the allocation profile
        is actually needed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/FunctionRareData.cpp: Added.
        (JSC::FunctionRareData::create):
        (JSC::FunctionRareData::destroy):
        (JSC::FunctionRareData::createStructure):
        (JSC::FunctionRareData::visitChildren):
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::~FunctionRareData):
        (JSC::FunctionRareData::finishCreation):
        * runtime/FunctionRareData.h: Added.
        (JSC::FunctionRareData::offsetOfAllocationProfile):
        (JSC::FunctionRareData::allocationProfile):
        (JSC::FunctionRareData::allocationStructure):
        (JSC::FunctionRareData::allocationProfileWatchpointSet):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::destroy): Deleted.
        * runtime/JSBoundFunction.h:
        * runtime/JSCallee.cpp:
        (JSC::JSCallee::destroy): Deleted.
        * runtime/JSCallee.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::createRareData):
        (JSC::JSFunction::visitChildren):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::destroy): Deleted.
        (JSC::JSFunction::createAllocationProfile): Deleted.
        * runtime/JSFunction.h:
        (JSC::JSFunction::offsetOfRareData):
        (JSC::JSFunction::rareData):
        (JSC::JSFunction::allocationStructure):
        (JSC::JSFunction::allocationProfileWatchpointSet):
        (JSC::JSFunction::offsetOfAllocationProfile): Deleted.
        (JSC::JSFunction::allocationProfile): Deleted.
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2015-04-16  Csaba Osztrogonác  <ossy@webkit.org>

        Remove the unnecessary WTF_CHANGES define
        https://bugs.webkit.org/show_bug.cgi?id=143825

        Reviewed by Andreas Kling.

        * config.h:

2015-04-15  Andreas Kling  <akling@apple.com>

        Make MarkedBlock and WeakBlock 4x smaller.
        <https://webkit.org/b/143802>

        Reviewed by Mark Hahnenberg.

        To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock
        and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB.

        In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size.
        Some examples:

                   apple.com:  6.3MB ->  5.5MB (14.5% smaller)
                  reddit.com:  4.5MB ->  4.1MB ( 9.7% smaller)
                 twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller)
            cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller)

        Benchmarks look mostly neutral.
        Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider.

        * heap/MarkedBlock.h:
        * heap/WeakBlock.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:

2015-04-15  Jordan Harband  <ljharb@gmail.com>

        String.prototype.startsWith/endsWith/includes have wrong length in r182673
        https://bugs.webkit.org/show_bug.cgi?id=143659

        Reviewed by Benjamin Poulain.

        Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2015-04-15  Mark Lam  <mark.lam@apple.com>

        Remove obsolete VMInspector debugging tool.
        https://bugs.webkit.org/show_bug.cgi?id=143798

        Reviewed by Michael Saboff.

        I added the VMInspector tool 3 years ago to aid in VM hacking work.  Some of it
        has bit rotted, and now the VM also has better ways to achieve its functionality.
        Hence this code is now obsolete and should be removed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        * interpreter/VMInspector.cpp: Removed.
        * interpreter/VMInspector.h: Removed.
        * llint/LowLevelInterpreter.cpp:

2015-04-15  Jordan Harband  <ljharb@gmail.com>

        Math.imul has wrong length in Safari 8.0.4
        https://bugs.webkit.org/show_bug.cgi?id=143658

        Reviewed by Benjamin Poulain.

        Correcting function length from 1 to 2, to match spec
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):

2015-04-15  Jordan Harband  <ljharb@gmail.com>

        Number.parseInt in nightly r182673 has wrong length
        https://bugs.webkit.org/show_bug.cgi?id=143657

        Reviewed by Benjamin Poulain.

        Correcting function length from 1 to 2, to match spec
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint

        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):

2015-04-15  Filip Pizlo  <fpizlo@apple.com>

        Harden DFGForAllKills
        https://bugs.webkit.org/show_bug.cgi?id=143792

        Reviewed by Geoffrey Garen.

        Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent
        bugs in https://bugs.webkit.org/show_bug.cgi?id=143734.

        Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because
        that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong:

        - It looks for kill sites at forExit origin boundaries. But, something might have been killed
          by an operation that was logically in between the forExit origins at the boundary, but was
          removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction
          gaps.

        - It overlooked the fact that a MovHint that addresses a local that is always live kills that
          local. For example, storing to an argument means that the prior value of the argument is
          killed.

        This fixes the analysis by making it handle MovHints directly, and making it define kills in
        the most conservative way possible: it asks if you were live before but dead after. If we
        have the compile time budget to afford this more direct approach, then it's definitely a good
        idea since it's so fool-proof.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGForAllKills.h:
        (JSC::DFG::forAllKilledOperands):
        (JSC::DFG::forAllKilledNodesAtNodeIndex):
        (JSC::DFG::forAllDirectlyKilledOperands): Deleted.

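The kill rule the entry above settles on has two parts: a MovHint is a kill of the operand it overwrites, reported directly, and everything else is decided by the conservative question "live before the node, dead after it". The following is an added example, not JSC code and not the forAllKilledOperands implementation; it is a toy model over a straight-line sequence of nodes with constructed operand names ('argN' for arguments, 'locN' for locals), with arguments treated as always live the way the entry says the bytecode liveness analysis treats them. It exists to show why the MovHint case must be handled directly: with arguments always live, the liveness difference alone never reports the overwrite of arg0 at node n2, while the MovHint rule does.

```javascript
// Added example (not WebKit/JSC code): a toy model of the kill rule from the
// entry above. Nodes form a straight-line sequence; each may `use` operands
// and may carry a `movHint` that overwrites one operand. Operand names are
// constructed: 'argN' are arguments (treated as always live, as the bytecode
// liveness analysis does), 'locN' are locals.
function isArgument(op) {
  return op.startsWith('arg');
}

// Backward liveness over the sequence. Returns {before, after}: arrays of
// Sets giving the operands live before and after each node.
function computeLiveness(nodes, liveAtEnd) {
  const args = new Set();
  for (const n of nodes) {
    for (const u of n.uses || []) if (isArgument(u)) args.add(u);
    if (n.movHint && isArgument(n.movHint)) args.add(n.movHint);
  }
  const before = new Array(nodes.length);
  const after = new Array(nodes.length);
  let live = new Set([...liveAtEnd, ...args]);
  for (let i = nodes.length - 1; i >= 0; i--) {
    after[i] = new Set(live);
    const next = new Set(live);
    // A MovHint overwrites its operand, so the value flowing in from above is
    // dead at this point; arguments stay live by convention.
    if (nodes[i].movHint && !isArgument(nodes[i].movHint)) next.delete(nodes[i].movHint);
    for (const u of nodes[i].uses || []) next.add(u);
    before[i] = next;
    live = next;
  }
  return { before, after };
}

// Kills per node: an operand is killed at node i if the node's MovHint
// overwrites it (reported directly, even for always-live arguments), or if it
// is live before the node but dead after it.
function killsPerNode(nodes, liveAtEnd) {
  const { before, after } = computeLiveness(nodes, liveAtEnd);
  return nodes.map((n, i) => {
    const killed = new Set();
    if (n.movHint) killed.add(n.movHint);
    for (const op of before[i]) if (!after[i].has(op)) killed.add(op);
    return [...killed].sort();
  });
}

// Constructed sequence: loc0 dies at n1, loc1 is written at n1 and dies at
// n2, and n2 overwrites the argument arg0 with a MovHint.
const sampleNodes = [
  { id: 'n0', uses: ['arg0', 'loc0'] },
  { id: 'n1', uses: ['loc0'], movHint: 'loc1' },
  { id: 'n2', uses: ['loc1'], movHint: 'arg0' },
  { id: 'n3', uses: ['arg0'] },
];

// Nothing is live at the end of the sequence except the always-live arguments.
function sampleKills() {
  return killsPerNode(sampleNodes, []);
}
```

Running sampleKills() on the constructed sequence reports loc0 and loc1 killed at n1, and arg0 and loc1 killed at n2. arg0 is live both before and after n2 (it is an argument), so only the direct MovHint rule catches that its prior value died there; loc1 at n1 is reported as killed even though nothing had written it earlier, which is the conservative side of the rule and is harmless for its consumers.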
2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>

        Provide SPI to allow changing whether JSContexts are remote debuggable by default
        https://bugs.webkit.org/show_bug.cgi?id=143681

        Reviewed by Darin Adler.

        * API/JSRemoteInspector.h:
        * API/JSRemoteInspector.cpp:
        (JSRemoteInspectorGetInspectionEnabledByDefault):
        (JSRemoteInspectorSetInspectionEnabledByDefault):
        Provide SPI to toggle the default enabled inspection state of debuggables.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        Respect the default setting.

2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>

        JavaScriptCore: Use kCFAllocatorDefault where possible
        https://bugs.webkit.org/show_bug.cgi?id=143747

        Reviewed by Darin Adler.

        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::HeapTimer):
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorInitializeGlobalQueue):
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
        For consistency and readability use the constant instead of
        different representations of null.

2015-04-14  Michael Saboff  <msaboff@apple.com>

        Remove JavaScriptCoreUseJIT default from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=143746

        Reviewed by Mark Lam.

        * runtime/VM.cpp:
        (JSC::enableAssembler):

2015-04-14  Chris Dumez  <cdumez@apple.com>

        Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
        https://bugs.webkit.org/show_bug.cgi?id=143745
        <rdar://problem/20243916>

        Reviewed by Joseph Pecoraro.

        Add assertion in ContentSearchUtilities::findMagicComment() to make
        sure the content String is not null or we would crash in
        JSC::Yarr::interpret() later.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):

682 2015-04-14  Michael Saboff  <msaboff@apple.com>
683
684         DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
685         https://bugs.webkit.org/show_bug.cgi?id=143727
686
687         Reviewed by Geoffrey Garen.
688
689         Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible
690         with the requested fill format.  If filter() reports a contradiction, then we force an OSR exit.
691         Removed individual checks made redundant by the new check.
692
693         * dfg/DFGSpeculativeJIT32_64.cpp:
694         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
695         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
696         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
697         * dfg/DFGSpeculativeJIT64.cpp:
698         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
699         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
700         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
701         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
702
703 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
704
705         Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI
706         https://bugs.webkit.org/show_bug.cgi?id=143691
707
708         Reviewed by Geoffrey Garen.
709
710         * API/JSRemoteInspector.h:
711         * API/JSRemoteInspector.cpp:
712         (JSRemoteInspectorSetLogToSystemConsole):
713         Add SPI to enable/disable logging to the system console.
714         This only affects JSContext `console` logs and warnings.
715
716         * inspector/JSGlobalObjectConsoleClient.h:
717         * inspector/JSGlobalObjectConsoleClient.cpp:
718         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
719         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
720         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
721         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted.
722         Simplify access to the setting now that it doesn't need to
723         initialize its value from preferences.
724
725 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
726
727         Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch
728         https://bugs.webkit.org/show_bug.cgi?id=143682
729
730         Reviewed by Timothy Hatcher.
731
732         * inspector/remote/RemoteInspector.mm:
733         (Inspector::RemoteInspector::singleton):
734         If we are on the main thread, run the initialization immediately.
735         Otherwise dispatch to the main thread. This way if the first JSContext
736         was created on the main thread it can get auto-attached if applicable.
737
738 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
739
740         Unreviewed build fix for Mavericks.
741
742         Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR
743         so the Inspector namespace is not available when compiling this file.
744
745         * API/JSRemoteInspector.cpp:
746
747 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
748
749         Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit
750         https://bugs.webkit.org/show_bug.cgi?id=143729
751
752         Reviewed by Timothy Hatcher.
753
754         * API/JSRemoteInspector.h: Added.
755         * API/JSRemoteInspector.cpp: Added.
756         (JSRemoteInspectorDisableAutoStart):
757         (JSRemoteInspectorStart):
758         (JSRemoteInspectorSetParentProcessInformation):
759         Add the new SPIs for basic remote inspection behavior.
760
761         * JavaScriptCore.xcodeproj/project.pbxproj:
762         Add the new files to Mac only, since remote inspection is only
763         enabled there anyways.
764
765 2015-04-14  Mark Lam  <mark.lam@apple.com>
766
767         Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist.
768         https://bugs.webkit.org/show_bug.cgi?id=143722
769
770         Reviewed by Michael Saboff.
771
772         Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is
773         shorter, and easier to remember (without having to look it up) and to
774         type.  JSC options now support descriptions, and one can always look up
775         the description if the option's purpose is not already obvious.
776
777         * dfg/DFGFunctionWhitelist.cpp:
778         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
779         (JSC::DFG::FunctionWhitelist::contains):
780         * runtime/Options.h:
781
782 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
783
784         Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED.
785
786         * runtime/InferredValue.h:
787
788 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
789
790         Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.
791
792         * runtime/InferredValue.h:
793
794 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
795
796         JSC should detect singleton functions
797         https://bugs.webkit.org/show_bug.cgi?id=143232
798
799         Reviewed by Geoffrey Garen.
800         
801         This started out as an attempt to make constructors faster by detecting when a constructor is a
802         singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
803         along with an inferred value - that detects if only one JSFunction has been allocated for that
804         executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
805         if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
806         we can constant-fold GetCallee.
807         
808         Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
809         process I realized a bunch of things:
810         
811         - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
812           had even in code where our singleton-closure detection worked. That's because singleton-closure
813           inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
814           the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
815           disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
816           values.
817           
818         - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
819           created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
820           FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.
821         
822         - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
823           detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
824           about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
825           SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
826           First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
827           scope. This saves compile time and it allows prediction propagation to benefit from the
828           constant folding. Second, it means that we will detect a singleton scope even if it is
829           referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
830           allows us to eliminate the function reentry watchpoint.
831         
832         - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
833           constant values in scopes. Previously when the DFG inferred that a closure variable was
834           constant, it wouldn't know which closure that variable was in and so it couldn't just load that
835           value. But now we are first inferring that the function is a singleton, which means that we
836           know exactly what scope it points to, and we can load the value from the scope. Using a
837           WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
838           code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
839           I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
840           FunctionExecutable wants.
841         
842         This also has the effect of simplifying the implementation of block scoping. Prior to this
843         change, block scoping would have needed to have some story for the function reentry watchpoint on
844         any nested symbol table. That's totally weird to think about; it's not really a function reentry
845         but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
846         will "just work": if we prove that we know the constant value of the scope then the machinery
847         kicks in, otherwise it doesn't.
848         
849         This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.
850
851         * CMakeLists.txt:
852         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
853         * JavaScriptCore.xcodeproj/project.pbxproj:
854         * bytecode/BytecodeList.json:
855         * bytecode/BytecodeUseDef.h:
856         (JSC::computeUsesForBytecodeOffset):
857         (JSC::computeDefsForBytecodeOffset):
858         * bytecode/CodeBlock.cpp:
859         (JSC::CodeBlock::dumpBytecode):
860         (JSC::CodeBlock::CodeBlock):
861         (JSC::CodeBlock::finalizeUnconditionally):
862         (JSC::CodeBlock::valueProfileForBytecodeOffset):
863         * bytecode/CodeBlock.h:
864         (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
865         * bytecode/CodeOrigin.cpp:
866         (JSC::InlineCallFrame::calleeConstant):
867         (JSC::InlineCallFrame::visitAggregate):
868         * bytecode/CodeOrigin.h:
869         (JSC::InlineCallFrame::calleeConstant): Deleted.
870         (JSC::InlineCallFrame::visitAggregate): Deleted.
871         * bytecode/Instruction.h:
872         * bytecode/VariableWatchpointSet.cpp: Removed.
873         * bytecode/VariableWatchpointSet.h: Removed.
874         * bytecode/VariableWatchpointSetInlines.h: Removed.
875         * bytecode/VariableWriteFireDetail.cpp: Added.
876         (JSC::VariableWriteFireDetail::dump):
877         (JSC::VariableWriteFireDetail::touch):
878         * bytecode/VariableWriteFireDetail.h: Added.
879         (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
880         * bytecode/Watchpoint.h:
881         (JSC::WatchpointSet::stateOnJSThread):
882         (JSC::WatchpointSet::startWatching):
883         (JSC::WatchpointSet::fireAll):
884         (JSC::WatchpointSet::touch):
885         (JSC::WatchpointSet::invalidate):
886         (JSC::InlineWatchpointSet::stateOnJSThread):
887         (JSC::InlineWatchpointSet::state):
888         (JSC::InlineWatchpointSet::hasBeenInvalidated):
889         (JSC::InlineWatchpointSet::invalidate):
890         (JSC::InlineWatchpointSet::touch):
891         * bytecompiler/BytecodeGenerator.cpp:
892         (JSC::BytecodeGenerator::BytecodeGenerator):
893         * dfg/DFGAbstractInterpreterInlines.h:
894         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
895         * dfg/DFGByteCodeParser.cpp:
896         (JSC::DFG::ByteCodeParser::get):
897         (JSC::DFG::ByteCodeParser::parseBlock):
898         (JSC::DFG::ByteCodeParser::getScope): Deleted.
899         * dfg/DFGCapabilities.cpp:
900         (JSC::DFG::capabilityLevel):
901         * dfg/DFGClobberize.h:
902         (JSC::DFG::clobberize):
903         * dfg/DFGDesiredWatchpoints.cpp:
904         (JSC::DFG::InferredValueAdaptor::add):
905         (JSC::DFG::DesiredWatchpoints::addLazily):
906         (JSC::DFG::DesiredWatchpoints::reallyAdd):
907         (JSC::DFG::DesiredWatchpoints::areStillValid):
908         * dfg/DFGDesiredWatchpoints.h:
909         (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
910         (JSC::DFG::DesiredWatchpoints::isWatched):
911         * dfg/DFGGraph.cpp:
912         (JSC::DFG::Graph::dump):
913         (JSC::DFG::Graph::tryGetConstantClosureVar):
914         * dfg/DFGNode.h:
915         (JSC::DFG::Node::hasWatchpointSet):
916         (JSC::DFG::Node::watchpointSet):
917         (JSC::DFG::Node::hasVariableWatchpointSet): Deleted.
918         (JSC::DFG::Node::variableWatchpointSet): Deleted.
919         * dfg/DFGOperations.cpp:
920         * dfg/DFGOperations.h:
921         * dfg/DFGSpeculativeJIT.cpp:
922         (JSC::DFG::SpeculativeJIT::compileNewFunction):
923         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
924         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
925         * dfg/DFGSpeculativeJIT.h:
926         (JSC::DFG::SpeculativeJIT::callOperation):
927         * dfg/DFGSpeculativeJIT32_64.cpp:
928         (JSC::DFG::SpeculativeJIT::compile):
929         * dfg/DFGSpeculativeJIT64.cpp:
930         (JSC::DFG::SpeculativeJIT::compile):
931         * dfg/DFGVarargsForwardingPhase.cpp:
932         * ftl/FTLIntrinsicRepository.h:
933         * ftl/FTLLowerDFGToLLVM.cpp:
934         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
935         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
936         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
937         * interpreter/Interpreter.cpp:
938         (JSC::StackFrame::friendlySourceURL):
939         (JSC::StackFrame::friendlyFunctionName):
940         * interpreter/Interpreter.h:
941         (JSC::StackFrame::friendlySourceURL): Deleted.
942         (JSC::StackFrame::friendlyFunctionName): Deleted.
943         * jit/JIT.cpp:
944         (JSC::JIT::emitNotifyWrite):
945         (JSC::JIT::privateCompileMainPass):
946         * jit/JIT.h:
947         * jit/JITOpcodes.cpp:
948         (JSC::JIT::emit_op_touch_entry): Deleted.
949         * jit/JITOperations.cpp:
950         * jit/JITOperations.h:
951         * jit/JITPropertyAccess.cpp:
952         (JSC::JIT::emitPutGlobalVar):
953         (JSC::JIT::emitPutClosureVar):
954         (JSC::JIT::emitNotifyWrite): Deleted.
955         * jit/JITPropertyAccess32_64.cpp:
956         (JSC::JIT::emitPutGlobalVar):
957         (JSC::JIT::emitPutClosureVar):
958         (JSC::JIT::emitNotifyWrite): Deleted.
959         * llint/LLIntSlowPaths.cpp:
960         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
961         * llint/LowLevelInterpreter.asm:
962         * llint/LowLevelInterpreter32_64.asm:
963         * llint/LowLevelInterpreter64.asm:
964         * runtime/CommonSlowPaths.cpp:
965         (JSC::SLOW_PATH_DECL): Deleted.
966         * runtime/CommonSlowPaths.h:
967         * runtime/Executable.cpp:
968         (JSC::FunctionExecutable::finishCreation):
969         (JSC::FunctionExecutable::visitChildren):
970         * runtime/Executable.h:
971         (JSC::FunctionExecutable::singletonFunction):
972         * runtime/InferredValue.cpp: Added.
973         (JSC::InferredValue::create):
974         (JSC::InferredValue::destroy):
975         (JSC::InferredValue::createStructure):
976         (JSC::InferredValue::visitChildren):
977         (JSC::InferredValue::InferredValue):
978         (JSC::InferredValue::~InferredValue):
979         (JSC::InferredValue::notifyWriteSlow):
980         (JSC::InferredValue::ValueCleanup::ValueCleanup):
981         (JSC::InferredValue::ValueCleanup::~ValueCleanup):
982         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
983         * runtime/InferredValue.h: Added.
984         (JSC::InferredValue::inferredValue):
985         (JSC::InferredValue::state):
986         (JSC::InferredValue::isStillValid):
987         (JSC::InferredValue::hasBeenInvalidated):
988         (JSC::InferredValue::add):
989         (JSC::InferredValue::notifyWrite):
990         (JSC::InferredValue::invalidate):
991         * runtime/JSEnvironmentRecord.cpp:
992         (JSC::JSEnvironmentRecord::visitChildren):
993         * runtime/JSEnvironmentRecord.h:
994         (JSC::JSEnvironmentRecord::isValid):
995         (JSC::JSEnvironmentRecord::finishCreation):
996         * runtime/JSFunction.cpp:
997         (JSC::JSFunction::create):
998         * runtime/JSFunction.h:
999         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1000         (JSC::JSFunction::createImpl):
1001         (JSC::JSFunction::create): Deleted.
1002         * runtime/JSGlobalObject.cpp:
1003         (JSC::JSGlobalObject::addGlobalVar):
1004         (JSC::JSGlobalObject::addFunction):
1005         * runtime/JSGlobalObject.h:
1006         * runtime/JSLexicalEnvironment.cpp:
1007         (JSC::JSLexicalEnvironment::symbolTablePut):
1008         * runtime/JSScope.h:
1009         (JSC::ResolveOp::ResolveOp):
1010         * runtime/JSSegmentedVariableObject.h:
1011         (JSC::JSSegmentedVariableObject::finishCreation):
1012         * runtime/JSSymbolTableObject.h:
1013         (JSC::JSSymbolTableObject::JSSymbolTableObject):
1014         (JSC::JSSymbolTableObject::setSymbolTable):
1015         (JSC::symbolTablePut):
1016         (JSC::symbolTablePutWithAttributes):
1017         * runtime/PutPropertySlot.h:
1018         * runtime/SymbolTable.cpp:
1019         (JSC::SymbolTableEntry::prepareToWatch):
1020         (JSC::SymbolTable::SymbolTable):
1021         (JSC::SymbolTable::finishCreation):
1022         (JSC::SymbolTable::visitChildren):
1023         (JSC::SymbolTableEntry::inferredValue): Deleted.
1024         (JSC::SymbolTableEntry::notifyWriteSlow): Deleted.
1025         (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted.
1026         (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted.
1027         (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted.
1028         * runtime/SymbolTable.h:
1029         (JSC::SymbolTableEntry::disableWatching):
1030         (JSC::SymbolTableEntry::watchpointSet):
1031         (JSC::SymbolTable::singletonScope):
1032         (JSC::SymbolTableEntry::notifyWrite): Deleted.
1033         * runtime/TypeProfiler.cpp:
1034         * runtime/VM.cpp:
1035         (JSC::VM::VM):
1036         * runtime/VM.h:
1037         * tests/stress/infer-uninitialized-closure-var.js: Added.
1038         (foo.f):
1039         (foo):
1040         * tests/stress/singleton-scope-then-overwrite.js: Added.
1041         (foo.f):
1042         (foo):
1043         * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added.
1044         (foo):
1045         * tests/stress/singleton-scope-then-realloc.js: Added.
1046         (foo):
1047
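The following is an added example, not WebKit code, that exercises the pattern behind the singleton-scope-then-realloc-and-overwrite stress test named above. A closure's scope is allocated once and its inner function is called enough times for a JIT to treat the scope and the captured variable as constants; the scope is then reallocated and the variable overwritten. Whatever the engine inferred must be invalidated at that point, so the results must match what a plain interpreter produces. The function and variable names are assumptions made for this example.

```javascript
// Added example (not from WebKit): singleton scope, then realloc, then overwrite.

function makeScope(initial) {
    // `x` lives in a lexical environment captured by `f` and `setX`.
    // The first call to makeScope creates the only scope for this executable,
    // which is what singleton-scope inference latches onto.
    var x = initial;
    function f() { return x; }
    function setX(v) { x = v; }
    return { f: f, setX: setX };
}

function warmUp(fn, iterations) {
    // Call often enough that tiered JITs compile `fn` with the inferred scope.
    var sum = 0;
    for (var i = 0; i < iterations; i++)
        sum += fn();
    return sum;
}

function runSingletonScopeTest(iterations) {
    var results = [];
    var first = makeScope(1);                    // only one scope so far
    results.push(warmUp(first.f, iterations));   // iterations * 1
    var second = makeScope(2);                   // second allocation: the singleton inference must be invalidated
    results.push(warmUp(second.f, iterations));  // iterations * 2, not iterations * 1
    second.setX(3);                              // overwrite inside the reallocated scope
    results.push(warmUp(second.f, iterations));  // iterations * 3
    results.push(first.f());                     // the first scope is untouched: 1
    return results;
}

console.log(runSingletonScopeTest(100000));
```

If an engine kept constant-folding the captured value after the second allocation or after the overwrite, the second and third sums would come out wrong; that is the invariant the InferredValue watchpoint exists to protect.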
1048 2015-04-13  Andreas Kling  <akling@apple.com>
1049
1050         Don't segregate heap objects based on Structure immortality.
1051         <https://webkit.org/b/143638>
1052
1053         Reviewed by Darin Adler.
1054
1055         Put all objects that need a destructor call into the same MarkedBlock.
1056         This reduces memory consumption in many situations, while improving locality,
1057         since much more of the MarkedBlock space can be shared.
1058
1059         Instead of branching on the MarkedBlock type, we now check a bit in the
1060         JSCell's inline type flags (StructureIsImmortal) to see whether it's safe
1061         to access the cell's Structure during destruction or not.
1062
1063         Performance benchmarks look mostly neutral. Maybe a small regression on
1064         SunSpider's date objects.
1065
1066         On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along
1067         with a bunch of WeakBlocks that were hanging off of them. That's on the higher
1068         end of savings we can get from this, but still a very real improvement.
1069
1070         Most of this patch is removing the "hasImmortalStructure" constant from JSCell
1071         derived classes and passing that responsibility to the StructureIsImmortal flag.
1072         StructureFlags is made public so that it's accessible from non-member functions.
1073         I made sure to declare it everywhere and make classes final to try to make it
1074         explicit what each class is doing to its inherited flags.
1075
1076         * API/JSCallbackConstructor.h:
1077         * API/JSCallbackObject.h:
1078         * bytecode/UnlinkedCodeBlock.h:
1079         * debugger/DebuggerScope.h:
1080         * dfg/DFGSpeculativeJIT.cpp:
1081         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1082         * ftl/FTLLowerDFGToLLVM.cpp:
1083         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1084         * heap/Heap.h:
1085         (JSC::Heap::subspaceForObjectDestructor):
1086         (JSC::Heap::allocatorForObjectWithDestructor):
1087         (JSC::Heap::subspaceForObjectNormalDestructor): Deleted.
1088         (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted.
1089         (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted.
1090         (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted.
1091         * heap/HeapInlines.h:
1092         (JSC::Heap::allocateWithDestructor):
1093         (JSC::Heap::allocateObjectOfType):
1094         (JSC::Heap::subspaceForObjectOfType):
1095         (JSC::Heap::allocatorForObjectOfType):
1096         (JSC::Heap::allocateWithNormalDestructor): Deleted.
1097         (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted.
1098         * heap/MarkedAllocator.cpp:
1099         (JSC::MarkedAllocator::allocateBlock):
1100         * heap/MarkedAllocator.h:
1101         (JSC::MarkedAllocator::needsDestruction):
1102         (JSC::MarkedAllocator::MarkedAllocator):
1103         (JSC::MarkedAllocator::init):
1104         (JSC::MarkedAllocator::destructorType): Deleted.
1105         * heap/MarkedBlock.cpp:
1106         (JSC::MarkedBlock::create):
1107         (JSC::MarkedBlock::MarkedBlock):
1108         (JSC::MarkedBlock::callDestructor):
1109         (JSC::MarkedBlock::specializedSweep):
1110         (JSC::MarkedBlock::sweep):
1111         (JSC::MarkedBlock::sweepHelper):
1112         * heap/MarkedBlock.h:
1113         (JSC::MarkedBlock::needsDestruction):
1114         (JSC::MarkedBlock::destructorType): Deleted.
1115         * heap/MarkedSpace.cpp:
1116         (JSC::MarkedSpace::MarkedSpace):
1117         (JSC::MarkedSpace::resetAllocators):
1118         (JSC::MarkedSpace::forEachAllocator):
1119         (JSC::MarkedSpace::isPagedOut):
1120         (JSC::MarkedSpace::clearNewlyAllocated):
1121         * heap/MarkedSpace.h:
1122         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
1123         (JSC::MarkedSpace::destructorAllocatorFor):
1124         (JSC::MarkedSpace::allocateWithDestructor):
1125         (JSC::MarkedSpace::forEachBlock):
1126         (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted.
1127         (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted.
1128         (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted.
1129         (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted.
1130         (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted.
1131         (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted.
1132         * inspector/JSInjectedScriptHost.h:
1133         * inspector/JSInjectedScriptHostPrototype.h:
1134         * inspector/JSJavaScriptCallFrame.h:
1135         * inspector/JSJavaScriptCallFramePrototype.h:
1136         * jsc.cpp:
1137         * runtime/ArrayBufferNeuteringWatchpoint.h:
1138         * runtime/ArrayConstructor.h:
1139         * runtime/ArrayIteratorPrototype.h:
1140         * runtime/BooleanPrototype.h:
1141         * runtime/ClonedArguments.h:
1142         * runtime/CustomGetterSetter.h:
1143         * runtime/DateConstructor.h:
1144         * runtime/DatePrototype.h:
1145         * runtime/ErrorPrototype.h:
1146         * runtime/ExceptionHelpers.h:
1147         * runtime/Executable.h:
1148         * runtime/GenericArguments.h:
1149         * runtime/GetterSetter.h:
1150         * runtime/InternalFunction.h:
1151         * runtime/JSAPIValueWrapper.h:
1152         * runtime/JSArgumentsIterator.h:
1153         * runtime/JSArray.h:
1154         * runtime/JSArrayBuffer.h:
1155         * runtime/JSArrayBufferView.h:
1156         * runtime/JSBoundFunction.h:
1157         * runtime/JSCallee.h:
1158         * runtime/JSCell.h:
1159         * runtime/JSCellInlines.h:
1160         (JSC::JSCell::classInfo):
1161         * runtime/JSDataViewPrototype.h:
1162         * runtime/JSEnvironmentRecord.h:
1163         * runtime/JSFunction.h:
1164         * runtime/JSGenericTypedArrayView.h:
1165         * runtime/JSGlobalObject.h:
1166         * runtime/JSLexicalEnvironment.h:
1167         * runtime/JSNameScope.h:
1168         * runtime/JSNotAnObject.h:
1169         * runtime/JSONObject.h:
1170         * runtime/JSObject.h:
1171         (JSC::JSFinalObject::JSFinalObject):
1172         * runtime/JSPromiseConstructor.h:
1173         * runtime/JSPromiseDeferred.h:
1174         * runtime/JSPromisePrototype.h:
1175         * runtime/JSPromiseReaction.h:
1176         * runtime/JSPropertyNameEnumerator.h:
1177         * runtime/JSProxy.h:
1178         * runtime/JSScope.h:
1179         * runtime/JSString.h:
1180         * runtime/JSSymbolTableObject.h:
1181         * runtime/JSTypeInfo.h:
1182         (JSC::TypeInfo::structureIsImmortal):
1183         * runtime/MathObject.h:
1184         * runtime/NumberConstructor.h:
1185         * runtime/NumberPrototype.h:
1186         * runtime/ObjectConstructor.h:
1187         * runtime/PropertyMapHashTable.h:
1188         * runtime/RegExp.h:
1189         * runtime/RegExpConstructor.h:
1190         * runtime/RegExpObject.h:
1191         * runtime/RegExpPrototype.h:
1192         * runtime/ScopedArgumentsTable.h:
1193         * runtime/SparseArrayValueMap.h:
1194         * runtime/StrictEvalActivation.h:
1195         * runtime/StringConstructor.h:
1196         * runtime/StringIteratorPrototype.h:
1197         * runtime/StringObject.h:
1198         * runtime/StringPrototype.h:
1199         * runtime/Structure.cpp:
1200         (JSC::Structure::Structure):
1201         * runtime/Structure.h:
1202         * runtime/StructureChain.h:
1203         * runtime/StructureRareData.h:
1204         * runtime/Symbol.h:
1205         * runtime/SymbolPrototype.h:
1206         * runtime/SymbolTable.h:
1207         * runtime/WeakMapData.h:
1208
1209 2015-04-13  Mark Lam  <mark.lam@apple.com>
1210
1211         DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit.
1212         https://bugs.webkit.org/show_bug.cgi?id=143407
1213
1214         Reviewed by Filip Pizlo.
1215
1216         DFG inlining of a varargs call / construct needs to keep the local
1217         containing the callee alive with a Phantom node because the LoadVarargs
1218         node may OSR exit.  After the OSR exit, the baseline JIT executes the
1219         op_call_varargs with that callee in the local.
1220
1221         Previously, because that callee local was not explicitly kept alive,
1222         the op_call_varargs case can OSR exit a DFG function and leave an
1223         undefined value in that local.  As a result, the baseline observes the
1224         side effect of an op_call_varargs on an undefined value instead of the
1225         function it expected.
1226
1227         Note: this issue does not manifest with op_construct_varargs because
1228         the inlined constructor will have an op_create_this which operates on
1229         the incoming callee value, thereby keeping it alive.
1230
1231         * dfg/DFGByteCodeParser.cpp:
1232         (JSC::DFG::ByteCodeParser::handleInlining):
1233         * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added.
1234         (foo):
1235         (Foo):
1236         (doTest):
1237
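The following is an added example, not WebKit code, that reproduces the shape of the call-varargs-with-different-arguments-length-after-warmup test named above. `doTest` spreads an array into `foo` through apply (a varargs call); it is warmed up with one argument count so a JIT can speculate on the length, then called with different counts. If the callee local were not kept alive across the resulting OSR exit, the baseline call would operate on an undefined value instead of `foo`. The construct path is included only to show the contrast the entry draws; all names are assumptions made for this example.

```javascript
// Added example (not from WebKit): varargs call with a different argument count after warm-up.

function foo(a, b, c) {
    // Missing arguments arrive as undefined; `| 0` turns them into 0.
    return (a | 0) + (b | 0) + (c | 0);
}

function Foo(a, b, c) {
    this.sum = (a | 0) + (b | 0) + (c | 0);
}

function doTest(args) {
    // apply() with an array is the varargs call the entry is about.
    return foo.apply(null, args);
}

function doConstructTest(args) {
    // Construct with spread arguments; per the entry this path keeps the callee
    // alive anyway because the inlined constructor creates `this` from it.
    return new Foo(...args).sum;
}

function runVarargsTest(warmupIterations) {
    var results = [];
    var sum = 0;
    for (var i = 0; i < warmupIterations; i++)
        sum += doTest([1, 2, 3]);            // always three arguments during warm-up
    results.push(sum);                       // 6 * warmupIterations
    results.push(doTest([1, 2]));            // fewer arguments than before: 3
    results.push(doTest([1, 2, 3, 4]));      // more arguments, the extra one is ignored: 6
    results.push(doTest([]));                // no arguments at all: 0
    results.push(doConstructTest([4, 5]));   // construct path with a new length: 9
    return results;
}

console.log(runVarargsTest(100000));
```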
1238 2015-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1239
1240         [ES6] Implement Array.prototype.values
1241         https://bugs.webkit.org/show_bug.cgi?id=143633
1242
1243         Reviewed by Darin Adler.
1244
1245         Symbol.unscopables is implemented, so we can implement Array.prototype.values
1246         without largely breaking the web. The following script passes.
1247
1248         var array = [];
1249         var values = 42;
1250         with (array) {
1251             assert(values, 42);
1252         }
1253
1254         * runtime/ArrayPrototype.cpp:
1255         * tests/stress/array-iterators-next.js:
1256         * tests/stress/map-iterators-next.js:
1257         * tests/stress/set-iterators-next.js:
1258         * tests/stress/values-unscopables.js: Added.
1259         (test):
1260
1261 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1262
1263         Run flaky conservative GC related test first before polluting stack and registers
1264         https://bugs.webkit.org/show_bug.cgi?id=143634
1265
1266         Reviewed by Ryosuke Niwa.
1267
1268         After r182653, JSC API tests fail. However, it's not related to the change.
1269         After investigating the cause of this failure, I've found that the failed test is flaky
1270         because JSC's GC is conservative. If a previously allocated JSGlobalObject is accidentally kept alive
1271         due to conservative roots in the C stack and registers, this test fails.
1272
1273         Since the GC marks the C stack and registers as roots conservatively,
1274         objects that are not referenced logically can be accidentally marked and kept alive.
1275         To avoid this situation as much as we can,
1276         1. run this test first, before the stack is polluted,
1277         2. extract this test as a function to suppress stack height.
1278
1279         * API/tests/testapi.mm:
1280         (testWeakValue):
1281         (testObjectiveCAPIMain):
1282         (testObjectiveCAPI):
1283
1284 2015-04-11  Matt Baker  <mattbaker@apple.com>
1285
1286         Web Inspector: create content view and details sidebar for Frames timeline
1287         https://bugs.webkit.org/show_bug.cgi?id=143533
1288
1289         Reviewed by Timothy Hatcher.
1290
1291         Refactoring: RunLoop prefix changed to RenderingFrame.
1292
1293         * inspector/protocol/Timeline.json:
1294
1295 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1296
1297         [ES6] Enable Symbol in web pages
1298         https://bugs.webkit.org/show_bug.cgi?id=143375
1299
1300         Reviewed by Ryosuke Niwa.
1301
1302         Expose Symbol to web pages.
1303         Symbol was exposed, but it was hidden since it broke Facebook comments.
1304         This is because at that time Symbol was implemented,
1305         but the methods for Symbol.iterator and Object.getOwnPropertySymbols were not implemented yet,
1306         and that broke React.js and immutable.js.
1307
1308         Now the methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented,
1309         and we have made sure that the Facebook comment input functionality is not broken with Symbol exposed.
1310
1311         So this patch replaces the runtime flag SymbolEnabled with SymbolDisabled
1312         and enables symbols by default.
1313
1314         * runtime/ArrayPrototype.cpp:
1315         (JSC::ArrayPrototype::finishCreation):
1316         * runtime/CommonIdentifiers.h:
1317         * runtime/JSGlobalObject.cpp:
1318         (JSC::JSGlobalObject::init):
1319         * runtime/ObjectConstructor.cpp:
1320         (JSC::ObjectConstructor::finishCreation):
1321         * runtime/RuntimeFlags.h:
1322
1323 2015-04-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1324
1325         ES6: Iterator toString names should be consistent
1326         https://bugs.webkit.org/show_bug.cgi?id=142424
1327
1328         Reviewed by Geoffrey Garen.
1329
1330         Iterator Object Names in the spec right now have spaces.
1331         In our implementation some do and some don't.
1332         This patch aligns JSC to the spec.
1333
1334         * runtime/JSArrayIterator.cpp:
1335         * runtime/JSStringIterator.cpp:
1336         * tests/stress/iterator-names.js: Added.
1337         (test):
1338         (iter):
1339         (check):
1340
1341 2015-04-10  Michael Saboff  <msaboff@apple.com>
1342
1343         REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
1344         https://bugs.webkit.org/show_bug.cgi?id=143582
1345
1346         Reviewed by Mark Lam.
1347
1348         For 32 bit builds, we favor spilling unboxed values.  The ASSERT at the root of this bug doesn't
1349         fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
1350         For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
1351         The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
1352         if the spillFormat is DataFormatCell.  Had we spilled in DataFormatJS and the value was a JSCell*,
1353         we would still OSR exit after the speculation check.
1354
1355         * dfg/DFGFixupPhase.cpp:
1356         (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
1357         * dfg/DFGSpeculativeJIT32_64.cpp:
1358         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1359
1360 2015-04-10  Milan Crha  <mcrha@redhat.com>
1361
1362         Disable Linux-specific code in a Windows build
1363         https://bugs.webkit.org/show_bug.cgi?id=137973
1364
1365         Reviewed by Joseph Pecoraro.
1366
1367         * inspector/JSGlobalObjectInspectorController.cpp:
1368         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1369
1370 2015-04-10  Csaba Osztrogonác  <ossy@webkit.org>
1371
1372         [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516
1373         https://bugs.webkit.org/show_bug.cgi?id=143368
1374
1375         Reviewed by Michael Saboff.
1376
1377         * jit/RegisterSet.cpp:
1378         (JSC::RegisterSet::calleeSaveRegisters):
1379
1380 2015-04-08  Joseph Pecoraro  <pecoraro@apple.com>
1381
1382         Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters
1383         https://bugs.webkit.org/show_bug.cgi?id=143430
1384
1385         Reviewed by Darin Adler.
1386
1387         * runtime/ExceptionHelpers.cpp:
1388         (JSC::errorDescriptionForValue):
1389         * runtime/NumberPrototype.cpp:
1390         (JSC::numberProtoFuncToExponential):
1391         (JSC::numberProtoFuncToPrecision):
1392         (JSC::numberProtoFuncToString):
1393         * runtime/SymbolPrototype.cpp:
1394         (JSC::symbolProtoFuncToString):
1395
1396 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1397
1398         JSArray::sortNumeric should handle ArrayWithUndecided
1399         https://bugs.webkit.org/show_bug.cgi?id=143535
1400
1401         Reviewed by Geoffrey Garen.
1402         
1403         ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.
1404
1405         * runtime/JSArray.cpp:
1406         (JSC::JSArray::sortNumeric):
1407         * tests/stress/sort-array-with-undecided.js: Added.
1408
1409 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1410
1411         DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
1412         https://bugs.webkit.org/show_bug.cgi?id=143532
1413
1414         Reviewed by Gavin Barraclough.
1415         
1416         Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
1417         But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
1418         would think that there never was wrap-around.
1419         
1420         This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.
1421
1422         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1423         (JSC::DFG::IntegerCheckCombiningPhase::isValid):
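
Added example, not JavaScriptCore code and not the patched isValid() itself (this entry does not show its body): the undefined pattern the entry describes, and two wrap-around guards that stay within defined C++ behaviour. All function names here are hypothetical.

```cpp
// Added example (hypothetical names), not JSC code.
#include <cstdint>
#include <limits>

// The pattern this ChangeLog entry is about, written the way it must NOT be written:
//
//     int32_t sum = base + offset;                     // signed overflow: undefined behaviour
//     bool wrapped = offset > 0 ? sum < base : sum > base;
//
// Because signed overflow is undefined, an optimizer may assume it never happens and
// fold `wrapped` to false, silently deleting the guard. Everything below avoids
// signed overflow entirely, so the compiler cannot reason the check away.

// Safe check 1: widen to int64_t, where the sum of two int32_t values cannot
// overflow, then compare against the int32_t range.
inline bool addWouldOverflow(int32_t a, int32_t b)
{
    int64_t sum = static_cast<int64_t>(a) + static_cast<int64_t>(b);
    return sum > std::numeric_limits<int32_t>::max()
        || sum < std::numeric_limits<int32_t>::min();
}

// Safe check 2: unsigned arithmetic wraps modulo 2^32 by definition, so the
// classic "did the sign flip?" test is legal when performed on uint32_t.
// Signed overflow happened iff a and b have the same sign and the sum's sign differs.
inline bool addWouldOverflowUnsigned(int32_t a, int32_t b)
{
    const uint32_t signBit = 0x80000000u;
    uint32_t ua = static_cast<uint32_t>(a);
    uint32_t ub = static_cast<uint32_t>(b);
    uint32_t usum = ua + ub;                            // defined: wraps modulo 2^32
    bool sameSign = ((ua ^ ub) & signBit) == 0;
    bool sumSignDiffers = ((ua ^ usum) & signBit) != 0;
    return sameSign && sumSignDiffers;
}

// Hypothetical stand-in for what a validity check like the phase's isValid() must
// establish: combining bounds checks on `index + offset` for every index in
// [minIndex, maxIndex] is only sound if the addition cannot wrap anywhere in that
// range. Addition is monotonic, so testing the two endpoints is sufficient.
inline bool offsetStaysRepresentable(int32_t minIndex, int32_t maxIndex, int32_t offset)
{
    return !addWouldOverflow(minIndex, offset) && !addWouldOverflow(maxIndex, offset);
}

int main()
{
    // Indices 0..10 plus offset 5 never wrap; a range reaching INT32_MAX plus 1 does.
    bool ok = offsetStaysRepresentable(0, 10, 5);
    bool wraps = !offsetStaysRepresentable(0, std::numeric_limits<int32_t>::max(), 1);
    return (ok && wraps) ? 0 : 1;
}
```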
1424
1425 2015-04-07  Michael Saboff  <msaboff@apple.com>
1426
1427         Lazily initialize LogToSystemConsole flag to reduce memory usage
1428         https://bugs.webkit.org/show_bug.cgi?id=143506
1429
1430         Reviewed by Mark Lam.
1431
1432         Only call into CF preferences code when we need to in order to reduce memory usage.
1433
1434         * inspector/JSGlobalObjectConsoleClient.cpp:
1435         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
1436         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
1437         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
1438         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
1439
1440 2015-04-07  Benjamin Poulain  <benjamin@webkit.org>
1441
1442         Get the features.json files ready for open contributions
1443         https://bugs.webkit.org/show_bug.cgi?id=143436
1444
1445         Reviewed by Darin Adler.
1446
1447         * features.json:
1448
1449 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
1450
1451         Constant folding of typed array properties should be handled by AI rather than strength reduction
1452         https://bugs.webkit.org/show_bug.cgi?id=143496
1453
1454         Reviewed by Geoffrey Garen.
1455         
1456         Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
1457         phase and whatever other phase did the folding in order to find all constants.
1458         
1459         This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
1460         directly.
1461         
1462         This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
1463         found because all of the tests for it involved the property getting constant folded. I found that
1464         the codegen was bad because an earlier version of the patch broke that constant folding. This
1465         adds a new test for that node type, which makes constant folding impossible by allocating a new
1466         typed array every time. The lesson here is: if you write a test for something, run the test with
1467         full IR dumps to make sure it's actually testing the thing you want it to test.
1468
1469         * dfg/DFGAbstractInterpreterInlines.h:
1470         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1471         * dfg/DFGClobberize.h:
1472         (JSC::DFG::clobberize):
1473         * dfg/DFGConstantFoldingPhase.cpp:
1474         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1475         * dfg/DFGDoesGC.cpp:
1476         (JSC::DFG::doesGC):
1477         * dfg/DFGFixupPhase.cpp:
1478         (JSC::DFG::FixupPhase::fixupNode):
1479         * dfg/DFGGraph.cpp:
1480         (JSC::DFG::Graph::dump):
1481         (JSC::DFG::Graph::tryGetFoldableView):
1482         (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
1483         * dfg/DFGGraph.h:
1484         * dfg/DFGNode.h:
1485         (JSC::DFG::Node::hasTypedArray): Deleted.
1486         (JSC::DFG::Node::typedArray): Deleted.
1487         * dfg/DFGNodeType.h:
1488         * dfg/DFGPredictionPropagationPhase.cpp:
1489         (JSC::DFG::PredictionPropagationPhase::propagate):
1490         * dfg/DFGSafeToExecute.h:
1491         (JSC::DFG::safeToExecute):
1492         * dfg/DFGSpeculativeJIT.cpp:
1493         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
1494         * dfg/DFGSpeculativeJIT32_64.cpp:
1495         (JSC::DFG::SpeculativeJIT::compile):
1496         * dfg/DFGSpeculativeJIT64.cpp:
1497         (JSC::DFG::SpeculativeJIT::compile):
1498         * dfg/DFGStrengthReductionPhase.cpp:
1499         (JSC::DFG::StrengthReductionPhase::handleNode):
1500         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
1501         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
1502         * dfg/DFGWatchpointCollectionPhase.cpp:
1503         (JSC::DFG::WatchpointCollectionPhase::handle):
1504         (JSC::DFG::WatchpointCollectionPhase::addLazily):
1505         * ftl/FTLCapabilities.cpp:
1506         (JSC::FTL::canCompile):
1507         * ftl/FTLLowerDFGToLLVM.cpp:
1508         (JSC::FTL::LowerDFGToLLVM::compileNode):
1509         (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
1510         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
1511         * tests/stress/fold-typed-array-properties.js:
1512         (foo):
1513         * tests/stress/typed-array-byte-offset.js: Added.
1514         (foo):
1515
1516 2015-04-07  Matthew Mirman  <mmirman@apple.com>
1517
1518         Source and stack information should get appended only to native errors
1519         and should be added directly after construction rather than when thrown. 
1520         This fixes frozen objects being unfrozen when thrown while conforming to 
1521         the ECMAScript standard and other browser behavior.
1522         rdar://problem/19927293
1523         https://bugs.webkit.org/show_bug.cgi?id=141871
1524         
1525         Reviewed by Geoffrey Garen.
1526
1527         Appending stack, source, line, and column information to an object whenever that object is thrown 
1528         is incorrect because it violates the ECMAScript standard for the behavior of throw.  Suppose for example
1529         that the object being thrown already has one of these properties or is frozen.  Adding the properties 
1530         would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
1531         and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
1532         a control flow construct rather than just an error reporting mechanism.  
1533         
1534         Because WebCore adds "native" errors which do not inherit from any JSC native error, 
1535         appending the error properties as a separate call after construction of the error is required 
1536         to avoid having to manually truncate the stack and gather local source information due to 
1537         the stack being extended by a nested call to construct one of the native JSC errors.
1538         
1539         * interpreter/Interpreter.cpp:
1540         (JSC::Interpreter::execute):
1541         * interpreter/Interpreter.h:
1542         * parser/ParserError.h:
1543         (JSC::ParserError::toErrorObject):
1544         * runtime/CommonIdentifiers.h:
1545         * runtime/Error.cpp:
1546         (JSC::createError):
1547         (JSC::createEvalError):
1548         (JSC::createRangeError):
1549         (JSC::createReferenceError):
1550         (JSC::createSyntaxError):
1551         (JSC::createTypeError):
1552         (JSC::createNotEnoughArgumentsError):
1553         (JSC::createURIError):
1554         (JSC::createOutOfMemoryError):
1555         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1556         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1557         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
1558         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
1559         (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
1560         (JSC::addErrorInfo): Added special case for appending complete error info 
1561         to a newly constructed error object.
1562         * runtime/Error.h:
1563         * runtime/ErrorConstructor.cpp:
1564         (JSC::Interpreter::constructWithErrorConstructor):
1565         (JSC::Interpreter::callErrorConstructor):
1566         * runtime/ErrorInstance.cpp:
1567         (JSC::appendSourceToError): Moved from VM.cpp
1568         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
1569         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
1570         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
1571         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
1572         (JSC::addErrorInfoAndGetBytecodeOffset):
1573         (JSC::ErrorInstance::finishCreation):
1574         * runtime/ErrorInstance.h:
1575         (JSC::ErrorInstance::create):
1576         * runtime/ErrorPrototype.cpp:
1577         (JSC::ErrorPrototype::finishCreation):
1578         * runtime/ExceptionFuzz.cpp:
1579         (JSC::doExceptionFuzzing):
1580         * runtime/ExceptionHelpers.cpp:
1581         (JSC::createError):
1582         (JSC::createInvalidFunctionApplyParameterError):
1583         (JSC::createInvalidInParameterError):
1584         (JSC::createInvalidInstanceofParameterError):
1585         (JSC::createNotAConstructorError):
1586         (JSC::createNotAFunctionError):
1587         (JSC::createNotAnObjectError):
1588         (JSC::throwOutOfMemoryError):
1589         (JSC::createStackOverflowError): Deleted.
1590         (JSC::createOutOfMemoryError): Deleted.
1591         * runtime/ExceptionHelpers.h:
1592         * runtime/JSArrayBufferConstructor.cpp:
1593         (JSC::constructArrayBuffer):
1594         * runtime/JSArrayBufferPrototype.cpp:
1595         (JSC::arrayBufferProtoFuncSlice):
1596         * runtime/JSGenericTypedArrayViewInlines.h:
1597         (JSC::JSGenericTypedArrayView<Adaptor>::create):
1598         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
1599         * runtime/NativeErrorConstructor.cpp:
1600         (JSC::Interpreter::constructWithNativeErrorConstructor):
1601         (JSC::Interpreter::callNativeErrorConstructor):
1602         * runtime/VM.cpp:
1603         (JSC::VM::throwException):
1604         (JSC::appendSourceToError): Moved to Error.cpp
1605         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
1606         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
1607         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
1608         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
1609         * tests/stress/freeze_leek.js: Added.
1610
1611 2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>
1612
1613         Web Inspector: ES6: Show Symbol properties on Objects
1614         https://bugs.webkit.org/show_bug.cgi?id=141279
1615
1616         Reviewed by Timothy Hatcher.
1617
1618         * inspector/protocol/Runtime.json:
1619         Give PropertyDescriptor a reference to the Symbol RemoteObject
1620         if the property is a symbol property.
1621
1622         * inspector/InjectedScriptSource.js:
1623         Enumerate symbol properties on objects.
1624
1625 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
1626
1627         Make it possible to enable LLVM FastISel
1628         https://bugs.webkit.org/show_bug.cgi?id=143489
1629
1630         Reviewed by Michael Saboff.
1631
1632         The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
1633         against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
1634         if we should enable it.
1635
1636         * ftl/FTLCompile.cpp:
1637         (JSC::FTL::mmAllocateDataSection):
1638         * llvm/InitializeLLVM.cpp:
1639         (JSC::initializeLLVMImpl):
1640         * llvm/InitializeLLVM.h:
1641         * llvm/InitializeLLVMLinux.cpp:
1642         (JSC::getLLVMInitializerFunction):
1643         (JSC::initializeLLVMImpl): Deleted.
1644         * llvm/InitializeLLVMMac.cpp:
1645         (JSC::getLLVMInitializerFunction):
1646         (JSC::initializeLLVMImpl): Deleted.
1647         * llvm/InitializeLLVMPOSIX.cpp:
1648         (JSC::getLLVMInitializerFunctionPOSIX):
1649         (JSC::initializeLLVMPOSIX): Deleted.
1650         * llvm/InitializeLLVMPOSIX.h:
1651         * llvm/InitializeLLVMWin.cpp:
1652         (JSC::getLLVMInitializerFunction):
1653         (JSC::initializeLLVMImpl): Deleted.
1654         * llvm/LLVMAPI.cpp:
1655         * llvm/LLVMAPI.h:
1656         * llvm/library/LLVMExports.cpp:
1657         (initCommandLine):
1658         (initializeAndGetJSCLLVMAPI):
1659         * runtime/Options.cpp:
1660         (JSC::Options::initialize):
1661
1662 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1663
1664         put_by_val_direct needs to check whether the property is an index or not for using putDirect / putDirectIndex
1665         https://bugs.webkit.org/show_bug.cgi?id=140426
1666
1667         Reviewed by Darin Adler.
1668
1669         In the put_by_val_direct operation, we use JSObject::putDirect.
1670         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
1671         This patch checks whether the toString-ed Identifier is an index or not to choose between putDirect / putDirectIndex.
1672
1673         * dfg/DFGOperations.cpp:
1674         (JSC::DFG::putByVal):
1675         (JSC::DFG::operationPutByValInternal):
1676         * jit/JITOperations.cpp:
1677         * llint/LLIntSlowPaths.cpp:
1678         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1679         * runtime/Identifier.h:
1680         (JSC::isIndex):
1681         (JSC::parseIndex):
1682         * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
1683         (lookupWithKey):
1684         (toStringThrowsError.toString):
1685
1686 2015-04-06  Alberto Garcia  <berto@igalia.com>
1687
1688         [GTK] Fix HPPA build
1689         https://bugs.webkit.org/show_bug.cgi?id=143453
1690
1691         Reviewed by Darin Adler.
1692
1693         Add HPPA to the list of supported CPUs.
1694
1695         * CMakeLists.txt:
1696
1697 2015-04-06  Mark Lam  <mark.lam@apple.com>
1698
1699         In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
1700         <https://webkit.org/b/143396>
1701
1702         Reviewed by Filip Pizlo.
1703
1704         The DFG was neglecting to set the result boolean.  The FTL was setting it with
1705         an inverted value.  Both of these are now resolved.
1706
1707         * dfg/DFGSpeculativeJIT64.cpp:
1708         (JSC::DFG::SpeculativeJIT::compile):
1709         * ftl/FTLLowerDFGToLLVM.cpp:
1710         (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
1711         * tests/stress/for-in-array-mode.js: Added.
1712         (.):
1713         (test):
1714
1715 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1716
1717         [ES6] DFG and FTL should be aware that StringConstructor behavior for symbols becomes different from ToString
1718         https://bugs.webkit.org/show_bug.cgi?id=143424
1719
1720         Reviewed by Geoffrey Garen.
1721
1722         In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).
1723
1724         ToString(symbol) throws a type error.
1725         However, String(symbol) produces SymbolDescriptiveString(symbol).
1726
1727         So the DFG and FTL phases should not inline StringConstructor as ToString.
1728
1729         Now, in the template literals patch, the ToString DFG operation is planned to be used.
1730         And the current ToString behavior is aligned to the spec (and JSValue::toString), which is better.
1731         So instead of changing ToString behavior, this patch adds a CallStringConstructor operation to DFG and FTL.
1732         In CallStringConstructor, all behavior in DFG analysis is the same.
1733         The only difference from ToString is that, when calling DFG operation functions, it calls
1734         operationCallStringConstructorOnCell and operationCallStringConstructor instead of
1735         operationToStringOnCell and operationToString.
1736
1737         * dfg/DFGAbstractInterpreterInlines.h:
1738         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1739         * dfg/DFGBackwardsPropagationPhase.cpp:
1740         (JSC::DFG::BackwardsPropagationPhase::propagate):
1741         * dfg/DFGByteCodeParser.cpp:
1742         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1743         * dfg/DFGClobberize.h:
1744         (JSC::DFG::clobberize):
1745         * dfg/DFGDoesGC.cpp:
1746         (JSC::DFG::doesGC):
1747         * dfg/DFGFixupPhase.cpp:
1748         (JSC::DFG::FixupPhase::fixupNode):
1749         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
1750         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1751         (JSC::DFG::FixupPhase::fixupToString): Deleted.
1752         * dfg/DFGNodeType.h:
1753         * dfg/DFGOperations.cpp:
1754         * dfg/DFGOperations.h:
1755         * dfg/DFGPredictionPropagationPhase.cpp:
1756         (JSC::DFG::PredictionPropagationPhase::propagate):
1757         * dfg/DFGSafeToExecute.h:
1758         (JSC::DFG::safeToExecute):
1759         * dfg/DFGSpeculativeJIT.cpp:
1760         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
1761         (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
1762         * dfg/DFGSpeculativeJIT.h:
1763         * dfg/DFGSpeculativeJIT32_64.cpp:
1764         (JSC::DFG::SpeculativeJIT::compile):
1765         * dfg/DFGSpeculativeJIT64.cpp:
1766         (JSC::DFG::SpeculativeJIT::compile):
1767         * dfg/DFGStructureRegistrationPhase.cpp:
1768         (JSC::DFG::StructureRegistrationPhase::run):
1769         * ftl/FTLCapabilities.cpp:
1770         (JSC::FTL::canCompile):
1771         * ftl/FTLLowerDFGToLLVM.cpp:
1772         (JSC::FTL::LowerDFGToLLVM::compileNode):
1773         (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
1774         (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
1775         * runtime/StringConstructor.cpp:
1776         (JSC::stringConstructor):
1777         (JSC::callStringConstructor):
1778         * runtime/StringConstructor.h:
1779         * tests/stress/symbol-and-string-constructor.js: Added.
1780         (performString):
1781
1782 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1783
1784         Return Optional<uint32_t> from PropertyName::asIndex
1785         https://bugs.webkit.org/show_bug.cgi?id=143422
1786
1787         Reviewed by Darin Adler.
1788
1789         PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
1790         But this is not obvious to callers.
1791
1792         This patch changes
1793         1. PropertyName::asIndex() to return Optional<uint32_t> and
1794         2. the function name `asIndex()` to `parseIndex()`.
1795         It forces callers to check explicitly whether the value is an index or not.
1796
1797         * bytecode/GetByIdStatus.cpp:
1798         (JSC::GetByIdStatus::computeFor):
1799         * bytecode/PutByIdStatus.cpp:
1800         (JSC::PutByIdStatus::computeFor):
1801         * bytecompiler/BytecodeGenerator.cpp:
1802         (JSC::BytecodeGenerator::emitDirectPutById):
1803         * jit/Repatch.cpp:
1804         (JSC::emitPutTransitionStubAndGetOldStructure):
1805         * jsc.cpp:
1806         * runtime/ArrayPrototype.cpp:
1807         (JSC::arrayProtoFuncSort):
1808         * runtime/GenericArgumentsInlines.h:
1809         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1810         (JSC::GenericArguments<Type>::put):
1811         (JSC::GenericArguments<Type>::deleteProperty):
1812         (JSC::GenericArguments<Type>::defineOwnProperty):
1813         * runtime/Identifier.h:
1814         (JSC::parseIndex):
1815         (JSC::Identifier::isSymbol):
1816         * runtime/JSArray.cpp:
1817         (JSC::JSArray::defineOwnProperty):
1818         * runtime/JSCJSValue.cpp:
1819         (JSC::JSValue::putToPrimitive):
1820         * runtime/JSGenericTypedArrayViewInlines.h:
1821         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1822         (JSC::JSGenericTypedArrayView<Adaptor>::put):
1823         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1824         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1825         * runtime/JSObject.cpp:
1826         (JSC::JSObject::put):
1827         (JSC::JSObject::putDirectAccessor):
1828         (JSC::JSObject::putDirectCustomAccessor):
1829         (JSC::JSObject::deleteProperty):
1830         (JSC::JSObject::putDirectMayBeIndex):
1831         (JSC::JSObject::defineOwnProperty):
1832         * runtime/JSObject.h:
1833         (JSC::JSObject::getOwnPropertySlot):
1834         (JSC::JSObject::getPropertySlot):
1835         (JSC::JSObject::putDirectInternal):
1836         * runtime/JSString.cpp:
1837         (JSC::JSString::getStringPropertyDescriptor):
1838         * runtime/JSString.h:
1839         (JSC::JSString::getStringPropertySlot):
1840         * runtime/LiteralParser.cpp:
1841         (JSC::LiteralParser<CharType>::parse):
1842         * runtime/PropertyName.h:
1843         (JSC::parseIndex):
1844         (JSC::toUInt32FromCharacters): Deleted.
1845         (JSC::toUInt32FromStringImpl): Deleted.
1846         (JSC::PropertyName::asIndex): Deleted.
1847         * runtime/PropertyNameArray.cpp:
1848         (JSC::PropertyNameArray::add):
1849         * runtime/StringObject.cpp:
1850         (JSC::StringObject::deleteProperty):
1851         * runtime/Structure.cpp:
1852         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1853
1854 2015-04-05  Andreas Kling  <akling@apple.com>
1855
1856         URI encoding/escaping should use efficient string building instead of calling snprintf().
1857         <https://webkit.org/b/143426>
1858
1859         Reviewed by Gavin Barraclough.
1860
1861         I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
1862         which seemed pretty silly. This change gets that down to nothing in favor of using our
1863         existing JSStringBuilder and HexNumber.h facilities.
1864
1865         These APIs are well-exercised by our existing test suite.
1866
1867         * runtime/JSGlobalObjectFunctions.cpp:
1868         (JSC::encode):
1869         (JSC::globalFuncEscape):
1870
1871 2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>
1872
1873         documentation for ES Promises points to the wrong one
1874         https://bugs.webkit.org/show_bug.cgi?id=143263
1875
1876         Reviewed by Darin Adler.
1877
1878         * features.json:
1879
1880 2015-04-05  Simon Fraser  <simon.fraser@apple.com>
1881
1882         Remove "go ahead and" from comments
1883         https://bugs.webkit.org/show_bug.cgi?id=143421
1884
1885         Reviewed by Darin Adler, Benjamin Poulain.
1886
1887         Remove the phrase "go ahead and" from comments where it doesn't add
1888         anything (which is almost all of them).
1889
1890         * interpreter/JSStack.cpp:
1891         (JSC::JSStack::growSlowCase):
1892
1893 2015-04-04  Andreas Kling  <akling@apple.com>
1894
1895         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
1896         <https://webkit.org/b/143210>
1897
1898         Reviewed by Geoffrey Garen.
1899
1900         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
1901         we had a little problem where WeakBlocks with only null pointers would still keep their
1902         MarkedBlock alive.
1903
1904         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
1905         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
1906         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
1907         destroying them once they're fully dead.
1908
1909         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
1910         a mysterious issue where doing two full garbage collections back-to-back would free additional
1911         memory in the second collection.
1912
1913         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
1914         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
1915         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
1916
1917         * heap/Heap.h:
1918         * heap/Heap.cpp:
1919         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
1920         owned by Heap, after everything else has been swept.
1921
1922         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
1923         after a full garbage collection ends. Note that we don't do this after Eden collections, since
1924         they are unlikely to cause entire WeakBlocks to go empty.
1925
1926         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
1927         to the Heap when it's detached from a WeakSet.
1928
1929         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
1930         of the logically empty WeakBlocks owned by Heap.
1931
1932         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1933         and updates the next-logically-empty-weak-block-to-sweep index.
1934
1935         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
1936         won't be another chance after this.
1937
1938         * heap/IncrementalSweeper.h:
1939         (JSC::IncrementalSweeper::hasWork): Deleted.
1940
1941         * heap/IncrementalSweeper.cpp:
1942         (JSC::IncrementalSweeper::fullSweep):
1943         (JSC::IncrementalSweeper::doSweep):
1944         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1945         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1946         changed to return a bool (true if there's more work to be done.)
1947
1948         * heap/WeakBlock.cpp:
1949         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
1950         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1951
1952         * heap/WeakBlock.h:
1953         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1954         if the WeakBlock could be detached from the MarkedBlock.
1955
1956         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1957         when declaring them.
1958
1959 2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1960
1961         Implement ES6 Object.getOwnPropertySymbols
1962         https://bugs.webkit.org/show_bug.cgi?id=141106
1963
1964         Reviewed by Geoffrey Garen.
1965
1966         This patch implements `Object.getOwnPropertySymbols`.
1967         One technical issue is that, since we use private symbols (such as `@Object`) in the
1968         privileged JS code in `builtins/`, they should not be exposed.
1969         To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
1970         before adding it into PropertyNameArray.
1971
1972         To check whether the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`,
1973         since all private symbols are held in this map.
1974
1975         * builtins/BuiltinExecutables.cpp:
1976         (JSC::BuiltinExecutables::createExecutableInternal):
1977         * builtins/BuiltinNames.h:
1978         (JSC::BuiltinNames::isPrivateName):
1979         * runtime/CommonIdentifiers.cpp:
1980         (JSC::CommonIdentifiers::isPrivateName):
1981         * runtime/CommonIdentifiers.h:
1982         * runtime/EnumerationMode.h:
1983         (JSC::EnumerationMode::EnumerationMode):
1984         (JSC::EnumerationMode::includeSymbolProperties):
1985         * runtime/ExceptionHelpers.cpp:
1986         (JSC::createUndefinedVariableError):
1987         * runtime/JSGlobalObject.cpp:
1988         (JSC::JSGlobalObject::init):
1989         * runtime/JSLexicalEnvironment.cpp:
1990         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1991         * runtime/JSSymbolTableObject.cpp:
1992         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1993         * runtime/ObjectConstructor.cpp:
1994         (JSC::ObjectConstructor::finishCreation):
1995         (JSC::objectConstructorGetOwnPropertySymbols):
1996         (JSC::defineProperties):
1997         (JSC::objectConstructorSeal):
1998         (JSC::objectConstructorFreeze):
1999         (JSC::objectConstructorIsSealed):
2000         (JSC::objectConstructorIsFrozen):
2001         * runtime/ObjectConstructor.h:
2002         (JSC::ObjectConstructor::create):
2003         * runtime/Structure.cpp:
2004         (JSC::Structure::getPropertyNamesFromStructure):
2005         * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
2006         (compare):
2007         * tests/stress/object-get-own-property-symbols.js: Added.
2008         (forIn):
2009         * tests/stress/symbol-define-property.js: Added.
2010         (testSymbol):
2011         * tests/stress/symbol-seal-and-freeze.js: Added.
2012         * tests/stress/symbol-with-json.js: Added.
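
        Added example (not part of this ChangeLog or of the JavaScriptCore sources) exercising the
        observable behaviour the entry's stress tests are named for: symbol-keyed properties are
        discoverable via Object.getOwnPropertySymbols, are skipped by string-key enumeration and JSON,
        are covered by seal/freeze, and the argument is coerced with ToObject. The symbol names and
        objects are constructed samples.

```javascript
// Added example, not part of the WebKit ChangeLog or JavaScriptCore sources.
// Demonstrates what Object.getOwnPropertySymbols exposes and what it does not.

function describeSymbolProperties() {
  const hidden = Symbol('hidden'); // constructed sample symbol, not an engine-private name
  const obj = { visible: 1, [hidden]: 'secret' };

  const forInKeys = [];
  for (const key in obj) forInKeys.push(key);

  return {
    // getOwnPropertySymbols returns only symbol keys, never string keys.
    ownSymbols: Object.getOwnPropertySymbols(obj).map(String),
    // String-key enumeration and JSON never see the symbol-keyed property.
    objectKeys: Object.keys(obj),
    forInKeys,
    json: JSON.stringify(obj),
    // Reflect.ownKeys is the union: string keys first, then symbol keys.
    ownKeyCount: Reflect.ownKeys(obj).length,
  };
}

// Symbols are not a privacy mechanism: anyone holding the object can recover
// the key from getOwnPropertySymbols and read the value without ever being
// handed the symbol itself.
function readSymbolValueWithoutTheSymbol(obj, description) {
  const key = Object.getOwnPropertySymbols(obj)
    .find((s) => s.description === description);
  return key === undefined ? undefined : obj[key];
}

// Seal and freeze apply to symbol-keyed properties just like to string keys
// (the entry touches objectConstructorSeal/Freeze/IsSealed/IsFrozen for this).
// Reflect.set / Reflect.deleteProperty report success as booleans, so the
// result is the same whether this file runs in sloppy or strict mode.
function sealAndFreezeCoverSymbols() {
  const k = Symbol('k');
  const sealed = Object.seal({ [k]: 1 });
  const frozen = Object.freeze({ [k]: 1 });
  return {
    sealedWrite: Reflect.set(sealed, k, 2),            // true: sealed still allows writes
    sealedDelete: Reflect.deleteProperty(sealed, k),   // false: non-configurable
    frozenWrite: Reflect.set(frozen, k, 2),            // false: read-only
    sealedValue: sealed[k],
    frozenValue: frozen[k],
    isSealed: Object.isSealed(sealed),
    isFrozen: Object.isFrozen(frozen),
    // An object with a configurable symbol property is neither sealed nor frozen.
    plainIsSealed: Object.isSealed({ [k]: 1 }),
  };
}

// ToObject coercion: primitives yield an empty list, null and undefined throw.
function getOwnPropertySymbolsCoercion(value) {
  try {
    return Object.getOwnPropertySymbols(value).length;
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'unexpected';
  }
}
```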
2013
2014 2015-04-03  Mark Lam  <mark.lam@apple.com>
2015
2016         Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
2017         <https://webkit.org/b/143385>
2018
2019         Reviewed by Geoffrey Garen.
2020
2021         For debugging purposes, sometimes, we want to be able to make compilation happen
2022         sooner to see if we can accelerate the manifestation of certain events / bugs.
2023         Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
2024         which make up the compilation policy.  Let's add a single knob that can tune all
2025         the thresholds up / down in one go proportionately so that we can easily tweak
2026         how soon compilation occurs.
2027
2028         * runtime/Options.cpp:
2029         (JSC::scaleJITPolicy):
2030         (JSC::recomputeDependentOptions):
2031         * runtime/Options.h:
2032
2033 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2034
2035         is* API methods should be @properties
2036         https://bugs.webkit.org/show_bug.cgi?id=143388
2037
2038         Reviewed by Mark Lam.
2039
2040         This appears to be the preferred idiom in WebKit, CA, AppKit, and
2041         Foundation.
2042
2043         * API/JSValue.h: Be @properties.
2044
2045         * API/tests/testapi.mm:
2046         (testObjectiveCAPI): Use the @properties.
2047
2048 2015-04-03  Mark Lam  <mark.lam@apple.com>
2049
2050         Some JSC Options refactoring and enhancements.
2051         <https://webkit.org/b/143384>
2052
2053         Rubber stamped by Benjamin Poulain.
2054
2055         Create a better encapsulated Option class to make working with options easier.  This
2056         is a building block towards a JIT policy scaling debugging option I will introduce later.
2057
2058         This work entails:
2059         1. Convert Options::Option into a public class Option (who works closely with Options).
2060         2. Convert Options::EntryType into an enum class Options::Type and make it public.
2061         3. Renamed Options::OPT_<option name> to Options::<option name>ID because it reads better.
2062         4. Add misc methods to class Option to make it more usable.
2063
2064         * runtime/Options.cpp:
2065         (JSC::Options::dumpOption):
2066         (JSC::Option::dump):
2067         (JSC::Option::operator==):
2068         (JSC::Options::Option::dump): Deleted.
2069         (JSC::Options::Option::operator==): Deleted.
2070         * runtime/Options.h:
2071         (JSC::Option::Option):
2072         (JSC::Option::operator!=):
2073         (JSC::Option::name):
2074         (JSC::Option::description):
2075         (JSC::Option::type):
2076         (JSC::Option::isOverridden):
2077         (JSC::Option::defaultOption):
2078         (JSC::Option::boolVal):
2079         (JSC::Option::unsignedVal):
2080         (JSC::Option::doubleVal):
2081         (JSC::Option::int32Val):
2082         (JSC::Option::optionRangeVal):
2083         (JSC::Option::optionStringVal):
2084         (JSC::Option::gcLogLevelVal):
2085         (JSC::Options::Option::Option): Deleted.
2086         (JSC::Options::Option::operator!=): Deleted.
2087
2088 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2089
2090         JavaScriptCore API should support type checking for Array and Date
2091         https://bugs.webkit.org/show_bug.cgi?id=143324
2092
2093         Follow-up to address a comment by Dan.
2094
2095         * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
2096         is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
2097         is equal to 101100.
2098
2099 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2100
2101         JavaScriptCore API should support type checking for Array and Date
2102         https://bugs.webkit.org/show_bug.cgi?id=143324
2103
2104         Follow-up to address a comment by Dan.
2105
2106         * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
2107         Added a comment explaining why.
2108
2109 2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>
2110
2111         FTL JIT tests should fail if LLVM library isn't available
2112         https://bugs.webkit.org/show_bug.cgi?id=143374
2113
2114         Reviewed by Mark Lam.
2115
2116         * dfg/DFGPlan.cpp:
2117         (JSC::DFG::Plan::compileInThreadImpl):
2118         * runtime/Options.h:
2119
2120 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2121
2122         Fix the EFL and GTK build after r182243
2123         https://bugs.webkit.org/show_bug.cgi?id=143361
2124
2125         Reviewed by Csaba Osztrogonác.
2126
2127         * CMakeLists.txt: InspectorBackendCommands.js is generated in the
2128         DerivedSources/JavaScriptCore/inspector/ directory.
2129
2130 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2131
2132         Unreviewed, fixing Clang builds of the GTK port on Linux.
2133
2134         * runtime/Options.cpp:
2135         Include the <math.h> header for isnan().
2136
2137 2015-04-02  Mark Lam  <mark.lam@apple.com>
2138
2139         Enhance ability to dump JSC Options.
2140         <https://webkit.org/b/143357>
2141
2142         Reviewed by Benjamin Poulain.
2143
2144         Some enhancements to how the JSC options work:
2145
2146         1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
2147            2 = All, 3 = Verbose.
2148
2149            The default is 0 (None).  This dumps nothing.
2150            With the Overridden setting, at VM initialization time, we will dump all
2151            option values that have been changed from their default.
2152            With the All setting, at VM initialization time, we will dump all option values.
2153            With the Verbose setting, at VM initialization time, we will dump all option
2154            values along with their descriptions (if available).
2155
2156         2. We now store a copy of the default option values.
2157
2158            We later use this for comparison to tell if an option has been overridden, and
2159            print the default value for reference.  As a result, we no longer need the
2160            didOverride flag since we can compute whether the option is overridden at any time.
2161
2162         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
2163
2164            This will come in handy later when we want to rename some of the options to more sane
2165            names that are easier to remember.  For example, we can change
2166            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
2167            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
2168            of the description, we can afford to use shorter and less descriptive option names,
2169            but they will be easier to remember and use for day to day debugging work.
2170
2171            In this patch, I did not change the names of any of the options yet.  I only added
2172            description strings for options that I know about, and where I think the option name
2173            isn't already descriptive enough.
2174
2175         4. Also deleted some unused code.
2176
2177         * jsc.cpp:
2178         (CommandLine::parseArguments):
2179         * runtime/Options.cpp:
2180         (JSC::Options::initialize):
2181         (JSC::Options::setOption):
2182         (JSC::Options::dumpAllOptions):
2183         (JSC::Options::dumpOption):
2184         (JSC::Options::Option::dump):
2185         (JSC::Options::Option::operator==):
2186         * runtime/Options.h:
2187         (JSC::OptionRange::rangeString):
2188         (JSC::Options::Option::Option):
2189         (JSC::Options::Option::operator!=):
2190
2191 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
2192
2193         JavaScriptCore API should support type checking for Array and Date
2194         https://bugs.webkit.org/show_bug.cgi?id=143324
2195
2196         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
2197
2198         * API/JSValue.h:
2199         * API/JSValue.mm:
2200         (-[JSValue isArray]):
2201         (-[JSValue isDate]): Added an ObjC API.
2202
2203         * API/JSValueRef.cpp:
2204         (JSValueIsArray):
2205         (JSValueIsDate):
2206         * API/JSValueRef.h: Added a C API.
2207
2208         * API/WebKitAvailability.h: Brought our availability macros up to date
2209         and fixed a harmless bug where "10_10" translated to "10.0".
2210
2211         * API/tests/testapi.c:
2212         (main): Added a test and corrected a pre-existing leak.
2213
2214         * API/tests/testapi.mm:
2215         (testObjectiveCAPI): Added a test.
2216
2217 2015-04-02  Mark Lam  <mark.lam@apple.com>
2218
2219         Add Options::dumpSourceAtDFGTime().
2220         <https://webkit.org/b/143349>
2221
2222         Reviewed by Oliver Hunt, and Michael Saboff.
2223
2224         Sometimes, we will want to see the JS source code that we're compiling, and it
2225         would be nice to be able to do this without having to jump thru a lot of hoops.
2226         So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
2227         Options::dumpBytecodeAtDFGTime() option.
2228
2229         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
2230         that explicitly take no arguments (instead of relying on the version that takes
2231         the default argument).  These versions are friendlier to use when we want to call
2232         them from an interactive debugging session.
2233
2234         * bytecode/CodeBlock.cpp:
2235         (JSC::CodeBlock::dumpSource):
2236         (JSC::CodeBlock::dumpBytecode):
2237         * bytecode/CodeBlock.h:
2238         * dfg/DFGByteCodeParser.cpp:
2239         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2240         * runtime/Options.h:
2241
2242 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2243
2244         Clean up EnumerationMode to easily extend
2245         https://bugs.webkit.org/show_bug.cgi?id=143276
2246
2247         Reviewed by Geoffrey Garen.
2248
2249         To make the following easy,
2250         1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
2251         2. Making ExcludeSymbols implicitly the default for the existing flags
2252         we encapsulate the EnumerationMode flags into an EnumerationMode class.
2253
2254         And this class manages 2 flags. Later it will be extended to 3.
2255         1. DontEnumPropertiesMode (default is Exclude)
2256         2. JSObjectPropertiesMode (default is Include)
2257         3. SymbolPropertiesMode (default is Exclude)
2258             SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.
2259
2260         This patch replaces uses of ExcludeDontEnumProperties
2261         with the EnumerationMode() value, which represents the default mode.
2262
2263         * API/JSCallbackObjectFunctions.h:
2264         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2265         * API/JSObjectRef.cpp:
2266         (JSObjectCopyPropertyNames):
2267         * bindings/ScriptValue.cpp:
2268         (Deprecated::jsToInspectorValue):
2269         * bytecode/ObjectAllocationProfile.h:
2270         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2271         * runtime/ArrayPrototype.cpp:
2272         (JSC::arrayProtoFuncSort):
2273         * runtime/EnumerationMode.h:
2274         (JSC::EnumerationMode::EnumerationMode):
2275         (JSC::EnumerationMode::includeDontEnumProperties):
2276         (JSC::EnumerationMode::includeJSObjectProperties):
2277         (JSC::shouldIncludeDontEnumProperties): Deleted.
2278         (JSC::shouldExcludeDontEnumProperties): Deleted.
2279         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
2280         (JSC::modeThatSkipsJSObject): Deleted.
2281         * runtime/GenericArgumentsInlines.h:
2282         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2283         * runtime/JSArray.cpp:
2284         (JSC::JSArray::getOwnNonIndexPropertyNames):
2285         * runtime/JSArrayBuffer.cpp:
2286         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2287         * runtime/JSArrayBufferView.cpp:
2288         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2289         * runtime/JSFunction.cpp:
2290         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2291         * runtime/JSFunction.h:
2292         * runtime/JSGenericTypedArrayViewInlines.h:
2293         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
2294         * runtime/JSLexicalEnvironment.cpp:
2295         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2296         * runtime/JSONObject.cpp:
2297         (JSC::Stringifier::Holder::appendNextProperty):
2298         (JSC::Walker::walk):
2299         * runtime/JSObject.cpp:
2300         (JSC::getClassPropertyNames):
2301         (JSC::JSObject::getOwnPropertyNames):
2302         (JSC::JSObject::getOwnNonIndexPropertyNames):
2303         (JSC::JSObject::getGenericPropertyNames):
2304         * runtime/JSPropertyNameEnumerator.h:
2305         (JSC::propertyNameEnumerator):
2306         * runtime/JSSymbolTableObject.cpp:
2307         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2308         * runtime/ObjectConstructor.cpp:
2309         (JSC::objectConstructorGetOwnPropertyNames):
2310         (JSC::objectConstructorKeys):
2311         (JSC::defineProperties):
2312         (JSC::objectConstructorSeal):
2313         (JSC::objectConstructorFreeze):
2314         (JSC::objectConstructorIsSealed):
2315         (JSC::objectConstructorIsFrozen):
2316         * runtime/RegExpObject.cpp:
2317         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2318         (JSC::RegExpObject::getPropertyNames):
2319         (JSC::RegExpObject::getGenericPropertyNames):
2320         * runtime/StringObject.cpp:
2321         (JSC::StringObject::getOwnPropertyNames):
2322         * runtime/Structure.cpp:
2323         (JSC::Structure::getPropertyNamesFromStructure):
2324
2325 2015-04-01  Alex Christensen  <achristensen@webkit.org>
2326
2327         Progress towards CMake on Windows and Mac.
2328         https://bugs.webkit.org/show_bug.cgi?id=143293
2329
2330         Reviewed by Filip Pizlo.
2331
2332         * CMakeLists.txt:
2333         Enabled using assembly on Windows.
2334         Replaced Unix commands with CMake commands.
2335         * PlatformMac.cmake:
2336         Tell open source builders where to find unicode headers.
2337
2338 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2339
2340         IteratorClose should be called when jumping over the target for-of loop
2341         https://bugs.webkit.org/show_bug.cgi?id=143140
2342
2343         Reviewed by Geoffrey Garen.
2344
2345         This patch fixes labeled break/continue behaviors with for-of and iterators.
2346
2347         1. Support IteratorClose beyond multiple loop contexts
2348         Previously, IteratorClose was only executed in for-of's breakTarget().
2349         However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
2350         For example,
2351         outer: for (var e1 of outer) {
2352             inner: for (var e2 of inner) {
2353                 break outer;
2354             }
2355         }
2356         In this case, the return method of inner should be called.
2357         We leverage the existing system for `finally` to execute inner.return method correctly.
2358         Leveraging `finally` system fixes `break`, `continue` and `return` cases.
2359         `throw` case is already supported by emitting try-catch handlers in for-of.
2360
2361         2. Incorrect LabelScope creation is done in ForOfNode
2362         ForOfNode creates a duplicated LabelScope.
2363         It causes an infinite loop when executing the following program, which contains
2364         an explicitly labeled for-of loop.
2365         For example,
2366         inner: for (var elm of array) {
2367             continue inner;
2368         }
2369
2370         * bytecompiler/BytecodeGenerator.cpp:
2371         (JSC::BytecodeGenerator::pushFinallyContext):
2372         (JSC::BytecodeGenerator::pushIteratorCloseContext):
2373         (JSC::BytecodeGenerator::popFinallyContext):
2374         (JSC::BytecodeGenerator::popIteratorCloseContext):
2375         (JSC::BytecodeGenerator::emitComplexPopScopes):
2376         (JSC::BytecodeGenerator::emitEnumeration):
2377         (JSC::BytecodeGenerator::emitIteratorClose):
2378         * bytecompiler/BytecodeGenerator.h:
2379         * bytecompiler/NodesCodegen.cpp:
2380         (JSC::ForOfNode::emitBytecode):
2381         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
2382         (createIterator.iterator.return):
2383         (createIterator):
2384         * tests/stress/raise-error-in-iterator-close.js: Added.
2385         (createIterator.iterator.return):
2386         (createIterator):
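
        Added example (not part of this ChangeLog or of the JavaScriptCore sources) that observes
        IteratorClose from JS for the cases the entry lists: a constructed iterator whose return()
        logs its calls is driven through labeled break, labeled continue, return and throw, plus the
        explicitly labeled for-of with `continue <label>` from the second bug.

```javascript
// Added example, not part of the WebKit ChangeLog or JavaScriptCore sources.
// The iterator below is a constructed sample that records every return() call.

function createLoggingIterator(name, count, log) {
  let i = 0;
  return {
    [Symbol.iterator]() { return this; },
    next() {
      if (i < count) return { value: `${name}${i++}`, done: false };
      return { value: undefined, done: true };
    },
    // IteratorClose calls this when a loop leaves the iterator before exhaustion.
    return() {
      log.push(`${name}.return`);
      return { value: undefined, done: true };
    },
  };
}

// `break outer` from the inner loop must close the inner iterator first and,
// because the outer loop is exited early as well, the outer iterator too.
function breakOuterFromInner() {
  const log = [];
  outer: for (const a of createLoggingIterator('outer', 2, log)) {
    inner: for (const b of createLoggingIterator('inner', 2, log)) {
      log.push(`${a}/${b}`);
      break outer;
    }
  }
  return log;
}

// `continue outer` closes only the inner iterator; the outer loop runs to
// exhaustion, and an exhausted iterator is not closed.
function continueOuterFromInner() {
  const log = [];
  outer: for (const a of createLoggingIterator('outer', 2, log)) {
    for (const b of createLoggingIterator('inner', 2, log)) {
      log.push(`${a}/${b}`);
      continue outer;
    }
  }
  return log;
}

// `return` unwinds both loops, so both iterators are closed.
function returnFromInner() {
  const log = [];
  const run = () => {
    for (const a of createLoggingIterator('outer', 2, log)) {
      for (const b of createLoggingIterator('inner', 2, log)) {
        log.push(`${a}/${b}`);
        return 'returned';
      }
    }
    return 'exhausted';
  };
  log.push(run());
  return log;
}

// `throw` also closes both iterators on the way out to the catch handler.
function throwFromInner() {
  const log = [];
  try {
    for (const a of createLoggingIterator('outer', 2, log)) {
      for (const b of createLoggingIterator('inner', 2, log)) {
        log.push(`${a}/${b}`);
        throw new Error('boom');
      }
    }
  } catch (e) {
    log.push(`caught ${e.message}`);
  }
  return log;
}

// The entry's second bug: an explicitly labeled for-of with `continue <label>`
// must terminate after visiting each element exactly once.
function labeledContinueVisitsEachElementOnce(array) {
  let visits = 0;
  inner: for (const elm of array) {
    visits += 1;
    continue inner;
  }
  return visits;
}
```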
2387
2388 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2389
2390         [ES6] Implement Symbol.unscopables
2391         https://bugs.webkit.org/show_bug.cgi?id=142829
2392
2393         Reviewed by Geoffrey Garen.
2394
2395         This patch introduces Symbol.unscopables functionality.
2396         In ES6, some generic names (like keys, values) are introduced
2397         as Array method names. This breaks the web since some web sites
2398         use code like the following.
2399
2400         var values = ...;
2401         with (array) {
2402             values;  // This values is trapped by array's method "values".
2403         }
2404
2405         To fix this, Symbol.unscopables introduces a blacklist
2406         for with scope's trapping. When resolving a scope,
2407         if the name is found in the target scope and the target scope is a with scope,
2408         we check the Symbol.unscopables object to filter out generic names.
2409
2410         This functionality is only active for with scopes.
2411         Global scope does not have unscopables functionality.
2412
2413         And since
2414         1) op_resolve_scope for a with scope always returns the Dynamic resolve type,
2415         2) in that case, JSScope::resolve is always used in the JIT and LLInt,
2416         3) code which contains an op_resolve_scope that returns Dynamic cannot be compiled with the DFG and FTL,
2417         to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
2418         So the performance regression is only visible in the Dynamic resolving case, and it is already very slow.
2419
2420         * runtime/ArrayPrototype.cpp:
2421         (JSC::ArrayPrototype::finishCreation):
2422         * runtime/CommonIdentifiers.h:
2423         * runtime/JSGlobalObject.h:
2424         (JSC::JSGlobalObject::runtimeFlags):
2425         * runtime/JSScope.cpp:
2426         (JSC::isUnscopable):
2427         (JSC::JSScope::resolve):
2428         * runtime/JSScope.h:
2429         (JSC::ScopeChainIterator::scope):
2430         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
2431         (test):
2432         * tests/stress/unscopables.js: Added.
2433         (test):
2434         (.):
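
        Added example (not part of this ChangeLog or of the JavaScriptCore sources) showing the
        @@unscopables filtering described above from the JS side: a name listed on a with scope
        object's Symbol.unscopables object is skipped, so the lookup reaches the enclosing binding,
        while the global scope does not consult @@unscopables. The scope objects and the global
        name `exampleUnscopableGlobal` are constructed samples.

```javascript
// Added example, not part of the WebKit ChangeLog or JavaScriptCore sources.

// `with` is a syntax error in strict code, so the lookup is compiled through
// the Function constructor, whose body is sloppy-mode whatever this file's mode.
const lookupValuesInWith = new Function(
  'scopeObject', 'values',
  'with (scopeObject) { return typeof values === "function" ? values() : values; }'
);

// A scope object with a generic method name, like Array.prototype.values.
function makeScopeObject(listInUnscopables) {
  const scope = { values() { return 'trapped by the method'; } };
  if (listInUnscopables) {
    // Spec shape: a null-prototype object whose truthy keys are blacklisted.
    scope[Symbol.unscopables] = Object.assign(Object.create(null), { values: true });
  }
  return scope;
}

function resolveValues() {
  return {
    // No blacklist: the with scope traps the outer `values`.
    withoutUnscopables: lookupValuesInWith(makeScopeObject(false), 'outer values'),
    // Blacklisted: resolution skips the with scope and finds the outer binding.
    withUnscopables: lookupValuesInWith(makeScopeObject(true), 'outer values'),
    // Real arrays ship Array.prototype[Symbol.unscopables] for exactly this reason.
    realArray: lookupValuesInWith([1, 2, 3], 'outer values'),
    builtinListsValues: Array.prototype[Symbol.unscopables].values === true,
  };
}

// Only with scopes consult @@unscopables: a global property stays resolvable
// even if globalThis[Symbol.unscopables] lists it. The global name is a
// constructed sample and is removed again afterwards.
const lookupGlobal = new Function('return typeof exampleUnscopableGlobal;');
function globalScopeIgnoresUnscopables() {
  globalThis.exampleUnscopableGlobal = 42;
  globalThis[Symbol.unscopables] = { exampleUnscopableGlobal: true };
  try {
    return lookupGlobal() === 'number';
  } finally {
    delete globalThis.exampleUnscopableGlobal;
    delete globalThis[Symbol.unscopables];
  }
}
```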
2435
2436 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
2437
2438         ES6 class syntax should allow static setters and getters
2439         https://bugs.webkit.org/show_bug.cgi?id=143180
2440
2441         Reviewed by Filip Pizlo.
2442
2443         Apparently I misread the spec when I initially implemented parseClass.
2444         ES6 class syntax allows static getters and setters so just allow that.
2445
2446         * parser/Parser.cpp:
2447         (JSC::Parser<LexerType>::parseClass):
2448
2449 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
2450
2451         PutClosureVar CSE def() rule has a wrong base
2452         https://bugs.webkit.org/show_bug.cgi?id=143280
2453
2454         Reviewed by Michael Saboff.
2455         
2456         I think that this code was incorrect in a benign way, since the base of a
2457         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
2458
2459         * dfg/DFGClobberize.h:
2460         (JSC::DFG::clobberize):
2461
2462 2015-03-31  Commit Queue  <commit-queue@webkit.org>
2463
2464         Unreviewed, rolling out r182200.
2465         https://bugs.webkit.org/show_bug.cgi?id=143279
2466
2467         Probably causing assertion extravaganza on bots. (Requested by
2468         kling on #webkit).
2469
2470         Reverted changeset:
2471
2472         "Logically empty WeakBlocks should not pin down their
2473         MarkedBlocks indefinitely."
2474         https://bugs.webkit.org/show_bug.cgi?id=143210
2475         http://trac.webkit.org/changeset/182200
2476
2477 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2478
2479         Clean up Identifier factories to clarify the meaning of StringImpl*
2480         https://bugs.webkit.org/show_bug.cgi?id=143146
2481
2482         Reviewed by Filip Pizlo.
2483
2484         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
2485         However, it's ambiguous because `StringImpl*` has 2 different meanings:
2486         1) a normal string, which is replaceable with `WTFString`, and
2487         2) a `uid`, which holds `isSymbol` information to represent Symbols.
2488         So we dropped the Identifier constructors for strings and instead introduced 2 factory functions.
2489         + `Identifier::fromString(VM*/ExecState*, const String&)`.
2490         Just constructs an Identifier from strings. The symbol-ness of StringImpl* is not kept.
2491         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
2492         This function is used for 2), `uid`. So the symbol-ness of `StringImpl*` is kept.
2493
2494         And to clean up `StringImpl` which is used as a uid,
2495         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
2496         1. StringNormal (non-atomic, non-symbol)
2497         2. StringAtomic (atomic, non-symbol)
2498         3. StringSymbol (non-atomic, symbol)
2499         They are mutually exclusive, and the (atomic, symbol) case should not exist.
2500
2501         * API/JSCallbackObjectFunctions.h:
2502         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2503         * API/JSObjectRef.cpp:
2504         (JSObjectMakeFunction):
2505         * API/OpaqueJSString.cpp:
2506         (OpaqueJSString::identifier):
2507         * bindings/ScriptFunctionCall.cpp:
2508         (Deprecated::ScriptFunctionCall::call):
2509         * builtins/BuiltinExecutables.cpp:
2510         (JSC::BuiltinExecutables::createExecutableInternal):
2511         * builtins/BuiltinNames.h:
2512         (JSC::BuiltinNames::BuiltinNames):
2513         * bytecompiler/BytecodeGenerator.cpp:
2514         (JSC::BytecodeGenerator::BytecodeGenerator):
2515         (JSC::BytecodeGenerator::emitThrowReferenceError):
2516         (JSC::BytecodeGenerator::emitThrowTypeError):
2517         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
2518         (JSC::BytecodeGenerator::emitEnumeration):
2519         * dfg/DFGDesiredIdentifiers.cpp:
2520         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2521         * inspector/JSInjectedScriptHost.cpp:
2522         (Inspector::JSInjectedScriptHost::functionDetails):
2523         (Inspector::constructInternalProperty):
2524         (Inspector::JSInjectedScriptHost::weakMapEntries):
2525         (Inspector::JSInjectedScriptHost::iteratorEntries):
2526         * inspector/JSInjectedScriptHostPrototype.cpp:
2527         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
2528         * inspector/JSJavaScriptCallFramePrototype.cpp:
2529         * inspector/ScriptCallStackFactory.cpp:
2530         (Inspector::extractSourceInformationFromException):
2531         * jit/JITOperations.cpp:
2532         * jsc.cpp:
2533         (GlobalObject::finishCreation):
2534         (GlobalObject::addFunction):
2535         (GlobalObject::addConstructableFunction):
2536         (functionRun):
2537         (runWithScripts):
2538         * llint/LLIntData.cpp:
2539         (JSC::LLInt::Data::performAssertions):
2540         * llint/LowLevelInterpreter.asm:
2541         * parser/ASTBuilder.h:
2542         (JSC::ASTBuilder::addVar):
2543         * parser/Parser.cpp:
2544         (JSC::Parser<LexerType>::parseInner):
2545         (JSC::Parser<LexerType>::createBindingPattern):
2546         * parser/ParserArena.h:
2547         (JSC::IdentifierArena::makeIdentifier):
2548         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
2549         (JSC::IdentifierArena::makeNumericIdentifier):
2550         * runtime/ArgumentsIteratorPrototype.cpp:
2551         (JSC::ArgumentsIteratorPrototype::finishCreation):
2552         * runtime/ArrayIteratorPrototype.cpp:
2553         (JSC::ArrayIteratorPrototype::finishCreation):
2554         * runtime/ArrayPrototype.cpp:
2555         (JSC::ArrayPrototype::finishCreation):
2556         (JSC::arrayProtoFuncPush):
2557         * runtime/ClonedArguments.cpp:
2558         (JSC::ClonedArguments::getOwnPropertySlot):
2559         * runtime/CommonIdentifiers.cpp:
2560         (JSC::CommonIdentifiers::CommonIdentifiers):
2561         * runtime/CommonIdentifiers.h:
2562         * runtime/Error.cpp:
2563         (JSC::addErrorInfo):
2564         (JSC::hasErrorInfo):
2565         * runtime/ExceptionHelpers.cpp:
2566         (JSC::createUndefinedVariableError):
2567         * runtime/GenericArgumentsInlines.h:
2568         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2569         * runtime/Identifier.h:
2570         (JSC::Identifier::isSymbol):
2571         (JSC::Identifier::Identifier):
2572         (JSC::Identifier::from): Deleted.
2573         * runtime/IdentifierInlines.h:
2574         (JSC::Identifier::Identifier):
2575         (JSC::Identifier::fromUid):
2576         (JSC::Identifier::fromString):
2577         * runtime/JSCJSValue.cpp:
2578         (JSC::JSValue::dumpInContextAssumingStructure):
2579         * runtime/JSCJSValueInlines.h:
2580         (JSC::JSValue::toPropertyKey):
2581         * runtime/JSGlobalObject.cpp:
2582         (JSC::JSGlobalObject::init):
2583         * runtime/JSLexicalEnvironment.cpp:
2584         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2585         * runtime/JSObject.cpp:
2586         (JSC::getClassPropertyNames):
2587         (JSC::JSObject::reifyStaticFunctionsForDelete):
2588         * runtime/JSObject.h:
2589         (JSC::makeIdentifier):
2590         * runtime/JSPromiseConstructor.cpp:
2591         (JSC::JSPromiseConstructorFuncRace):
2592         (JSC::JSPromiseConstructorFuncAll):
2593         * runtime/JSString.h:
2594         (JSC::JSString::toIdentifier):
2595         * runtime/JSSymbolTableObject.cpp:
2596         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2597         * runtime/LiteralParser.cpp:
2598         (JSC::LiteralParser<CharType>::tryJSONPParse):
2599         (JSC::LiteralParser<CharType>::makeIdentifier):
2600         * runtime/Lookup.h:
2601         (JSC::reifyStaticProperties):
2602         * runtime/MapConstructor.cpp:
2603         (JSC::constructMap):
2604         * runtime/MapIteratorPrototype.cpp:
2605         (JSC::MapIteratorPrototype::finishCreation):
2606         * runtime/MapPrototype.cpp:
2607         (JSC::MapPrototype::finishCreation):
2608         * runtime/MathObject.cpp:
2609         (JSC::MathObject::finishCreation):
2610         * runtime/NumberConstructor.cpp:
2611         (JSC::NumberConstructor::finishCreation):
2612         * runtime/ObjectConstructor.cpp:
2613         (JSC::ObjectConstructor::finishCreation):
2614         * runtime/PrivateName.h:
2615         (JSC::PrivateName::PrivateName):
2616         * runtime/PropertyMapHashTable.h:
2617         (JSC::PropertyTable::find):
2618         (JSC::PropertyTable::get):
2619         * runtime/PropertyName.h:
2620         (JSC::PropertyName::PropertyName):
2621         (JSC::PropertyName::publicName):
2622         (JSC::PropertyName::asIndex):
2623         * runtime/PropertyNameArray.cpp:
2624         (JSC::PropertyNameArray::add):
2625         * runtime/PropertyNameArray.h:
2626         (JSC::PropertyNameArray::addKnownUnique):
2627         * runtime/RegExpConstructor.cpp:
2628         (JSC::RegExpConstructor::finishCreation):
2629         * runtime/SetConstructor.cpp:
2630         (JSC::constructSet):
2631         * runtime/SetIteratorPrototype.cpp:
2632         (JSC::SetIteratorPrototype::finishCreation):
2633         * runtime/SetPrototype.cpp:
2634         (JSC::SetPrototype::finishCreation):
2635         * runtime/StringIteratorPrototype.cpp:
2636         (JSC::StringIteratorPrototype::finishCreation):
2637         * runtime/StringPrototype.cpp:
2638         (JSC::StringPrototype::finishCreation):
2639         * runtime/Structure.cpp:
2640         (JSC::Structure::getPropertyNamesFromStructure):
2641         * runtime/SymbolConstructor.cpp:
2642         * runtime/VM.cpp:
2643         (JSC::VM::throwException):
2644         * runtime/WeakMapConstructor.cpp:
2645         (JSC::constructWeakMap):
2646
2647 2015-03-31  Andreas Kling  <akling@apple.com>
2648
2649         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
2650         <https://webkit.org/b/143210>
2651
2652         Reviewed by Geoffrey Garen.
2653
2654         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
2655         we had a little problem where WeakBlocks with only null pointers would still keep their
2656         MarkedBlock alive.
2657
2658         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
2659         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
2660         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
2661         destroying them once they're fully dead.
2662
2663         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
2664         a mysterious issue where doing two full garbage collections back-to-back would free additional
2665         memory in the second collection.
2666
2667         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
2668         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
2669         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
2670
2671         * heap/Heap.h:
2672         * heap/Heap.cpp:
2673         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
2674         owned by Heap, after everything else has been swept.
2675
2676         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
2677         after a full garbage collection ends. Note that we don't do this after Eden collections, since
2678         they are unlikely to cause entire WeakBlocks to go empty.
2679
2680         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
2681         to the Heap when it's detached from a WeakSet.
2682
2683         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
2684         of the logically empty WeakBlocks owned by Heap.
2685
2686         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
2687         and updates the next-logically-empty-weak-block-to-sweep index.
2688
2689         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
2690         won't be another chance after this.
2691
2692         * heap/IncrementalSweeper.h:
2693         (JSC::IncrementalSweeper::hasWork): Deleted.
2694
2695         * heap/IncrementalSweeper.cpp:
2696         (JSC::IncrementalSweeper::fullSweep):
2697         (JSC::IncrementalSweeper::doSweep):
2698         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
2699         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
2700         changed to return a bool (true if there's more work to be done.)
2701
2702         * heap/WeakBlock.cpp:
2703         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
2704         contain any pointers to live objects. The answer is stored in a new SweepResult member.
2705
2706         * heap/WeakBlock.h:
2707         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
2708         if the WeakBlock could be detached from the MarkedBlock.
2709
2710         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
2711         when declaring them.
2712
2713 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
2714
2715         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
2716         https://bugs.webkit.org/show_bug.cgi?id=142883
2717
2718         Reviewed by Filip Pizlo.
2719
2720         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
2721
2722         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
2723         in eval inside a derived class' constructor.
2724
2725         * bytecode/EvalCodeCache.h:
2726         (JSC::EvalCodeCache::getSlow):
2727         * bytecompiler/NodesCodegen.cpp:
2728         (JSC::ThisNode::emitBytecode):
2729         * debugger/DebuggerCallFrame.cpp:
2730         (JSC::DebuggerCallFrame::evaluate):
2731         * interpreter/Interpreter.cpp:
2732         (JSC::eval):
2733         * parser/ASTBuilder.h:
2734         (JSC::ASTBuilder::thisExpr):
2735         * parser/NodeConstructors.h:
2736         (JSC::ThisNode::ThisNode):
2737         * parser/Nodes.h:
2738         * parser/Parser.cpp:
2739         (JSC::Parser<LexerType>::Parser):
2740         (JSC::Parser<LexerType>::parsePrimaryExpression):
2741         * parser/Parser.h:
2742         (JSC::parse):
2743         * parser/ParserModes.h:
2744         * parser/SyntaxChecker.h:
2745         (JSC::SyntaxChecker::thisExpr):
2746         * runtime/CodeCache.cpp:
2747         (JSC::CodeCache::getGlobalCodeBlock):
2748         (JSC::CodeCache::getProgramCodeBlock):
2749         (JSC::CodeCache::getEvalCodeBlock):
2750         * runtime/CodeCache.h:
2751         (JSC::SourceCodeKey::SourceCodeKey):
2752         * runtime/Executable.cpp:
2753         (JSC::EvalExecutable::create):
2754         * runtime/Executable.h:
2755         * runtime/JSGlobalObject.cpp:
2756         (JSC::JSGlobalObject::createEvalCodeBlock):
2757         * runtime/JSGlobalObject.h:
2758         * runtime/JSGlobalObjectFunctions.cpp:
2759         (JSC::globalFuncEval):
2760         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
2761         * tests/stress/class-syntax-tdz-in-eval.js: Added.
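
Added example (not from the ChangeLog entry or the JSC sources): the observable contract the TDZ fix above restores, written as plain ES6 that runs in any engine. The class names and the `runTdzProbes` helper are made up for this illustration.

```javascript
// Added example, not JSC code: a direct eval inside a derived-class constructor
// must be subject to the same `this` temporal dead zone (TDZ) check as a direct
// `this` reference, until super() has returned.

class Base {
  constructor() {
    this.foo = 1;
  }
}

// Direct `this` before super(): TDZ violation, ReferenceError.
class DirectThisBeforeSuper extends Base {
  constructor() {
    this.foo;
    super();
  }
}

// The same access routed through a direct eval. The eval'd code runs in the
// constructor's scope, so it must hit the same TDZ check rather than read an
// uninitialized `this` (which is what crashed before the fix described above).
class EvalThisBeforeSuper extends Base {
  constructor() {
    eval("this.foo");
    super();
  }
}

// An arrow function captures the constructor's lexical `this`, so a direct eval
// inside it is still in the TDZ until super() returns.
class EvalThisInArrowBeforeSuper extends Base {
  constructor() {
    const read = () => eval("this.foo");
    read();
    super();
  }
}

// Once super() has initialized `this`, the same eval is legal.
class EvalThisAfterSuper extends Base {
  constructor() {
    super();
    this.seen = eval("this.foo");
  }
}

// Constructor name of the error thrown by `new Ctor()`, or null on success.
function constructionErrorName(Ctor) {
  try {
    new Ctor();
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

function runTdzProbes() {
  return {
    directThis: constructionErrorName(DirectThisBeforeSuper),            // "ReferenceError"
    evalThis: constructionErrorName(EvalThisBeforeSuper),                // "ReferenceError"
    evalThisInArrow: constructionErrorName(EvalThisInArrowBeforeSuper),  // "ReferenceError"
    evalThisAfterSuper: constructionErrorName(EvalThisAfterSuper),       // null
    seen: new EvalThisAfterSuper().seen,                                 // 1
  };
}

console.log(runTdzProbes());
```

In an engine with the fix, every access to `this` before `super()` returns reports a ReferenceError, whether it is direct, through a direct eval, or through a direct eval inside an arrow function; the access after `super()` succeeds and reads the initialized field.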
2762
2763 2015-03-31  Commit Queue  <commit-queue@webkit.org>
2764
2765         Unreviewed, rolling out r182186.
2766         https://bugs.webkit.org/show_bug.cgi?id=143270
2767
2768         it crashes all the WebGL tests on the Debug bots (Requested by
2769         dino on #webkit).
2770
2771         Reverted changeset:
2772
2773         "Web Inspector: add 2D/WebGL canvas instrumentation
2774         infrastructure"
2775         https://bugs.webkit.org/show_bug.cgi?id=137278
2776         http://trac.webkit.org/changeset/182186
2777
2778 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2779
2780         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
2781         https://bugs.webkit.org/show_bug.cgi?id=142937
2782
2783         Reviewed by Darin Adler.
2784
2785         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
2786         In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
2787         But now, several functions perform ToObject onto a non-object parameter.
2788         And others behave as if a parameter is a non-extensible ordinary object with no own properties.
2789         It is described in ES6 Annex E.
2790         Functions different from ES5 are the following.
2791
2792         1. An attempt is made to coerce the argument using ToObject.
2793             Object.getOwnPropertyDescriptor
2794             Object.getOwnPropertyNames
2795             Object.getPrototypeOf
2796             Object.keys
2797
2798         2. Treated as if it was a non-extensible ordinary object with no own properties.
2799             Object.freeze
2800             Object.isExtensible
2801             Object.isFrozen
2802             Object.isSealed
2803             Object.preventExtensions
2804             Object.seal
2805
2806         * runtime/ObjectConstructor.cpp:
2807         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
2808         (JSC::objectConstructorGetPrototypeOf):
2809         (JSC::objectConstructorGetOwnPropertyDescriptor):
2810         (JSC::objectConstructorGetOwnPropertyNames):
2811         (JSC::objectConstructorKeys):
2812         (JSC::objectConstructorSeal):
2813         (JSC::objectConstructorFreeze):
2814         (JSC::objectConstructorPreventExtensions):
2815         (JSC::objectConstructorIsSealed):
2816         (JSC::objectConstructorIsFrozen):
2817         (JSC::objectConstructorIsExtensible):
2818         * tests/stress/object-freeze-accept-non-object.js: Added.
2819         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
2820         (canary):
2821         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
2822         (compare):
2823         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
2824         * tests/stress/object-is-extensible-accept-non-object.js: Added.
2825         * tests/stress/object-is-frozen-accept-non-object.js: Added.
2826         * tests/stress/object-is-sealed-accept-non-object.js: Added.
2827         * tests/stress/object-keys-perform-to-object.js: Added.
2828         (compare):
2829         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
2830         * tests/stress/object-seal-accept-non-object.js: Added.
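
Added example (not from the ChangeLog entry or the JSC sources): the two groups listed above exercised from script, so the relaxed ES6 semantics can be checked in any engine. The probe function names are made up for this illustration.

```javascript
// Added example, not JSC code: the ES6 Annex E relaxation of the Object.*
// first-parameter checks, grouped as in the ChangeLog entry.

function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Group 1: the argument is coerced with ToObject. Primitives behave like their
// wrapper objects; null and undefined still throw, because ToObject rejects them.
function probeToObjectGroup() {
  return {
    keysOfString: Object.keys("ab"),                                             // ["0", "1"]
    namesOfString: Object.getOwnPropertyNames("ab"),                             // ["0", "1", "length"]
    lengthDescriptorValue: Object.getOwnPropertyDescriptor("ab", "length").value, // 2
    protoOfNumber: Object.getPrototypeOf(42) === Number.prototype,               // true
    protoOfSymbol: Object.getPrototypeOf(Symbol()) === Symbol.prototype,         // true
    keysOfNullThrows: throwsTypeError(() => Object.keys(null)),                  // true
    protoOfUndefinedThrows: throwsTypeError(() => Object.getPrototypeOf(undefined)), // true
  };
}

// Group 2: a non-object is treated as a non-extensible ordinary object with no
// own properties. The mutators return their argument unchanged, the predicates
// answer as for such an object, and null/undefined are accepted as well.
function probeNonExtensibleGroup() {
  return {
    freezeReturnsArg: Object.freeze(1) === 1,                              // true
    sealReturnsArg: Object.seal("x") === "x",                              // true
    preventExtensionsReturnsArg: Object.preventExtensions(true) === true,  // true
    freezeNullReturnsNull: Object.freeze(null) === null,                   // true
    isFrozen: Object.isFrozen(1),                                          // true
    isSealed: Object.isSealed("x"),                                        // true
    isExtensible: Object.isExtensible(Symbol()),                           // false
    isFrozenUndefined: Object.isFrozen(undefined),                         // true
  };
}

console.log(probeToObjectGroup(), probeNonExtensibleGroup());
```

The useful contrast is null and undefined: the ToObject group still throws a TypeError for them, while the non-extensible group accepts them and returns the argument (or the answer for an empty, non-extensible object). Code that relied on the ES5 TypeError as an "is this an object" guard no longer gets one from the second group.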
2831
2832 2015-03-31  Matt Baker  <mattbaker@apple.com>
2833
2834         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
2835         https://bugs.webkit.org/show_bug.cgi?id=137278
2836
2837         Reviewed by Timothy Hatcher.
2838
2839         Added Canvas protocol which defines types used by InspectorCanvasAgent.
2840
2841         * CMakeLists.txt:
2842         * DerivedSources.make:
2843         * inspector/protocol/Canvas.json: Added.
2844
2845         * inspector/scripts/codegen/generator.py:
2846         (Generator.stylized_name_for_enum_value):
2847         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
2848
2849 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
2850
2851         Extending null should set __proto__ to null
2852         https://bugs.webkit.org/show_bug.cgi?id=142882
2853
2854         Reviewed by Geoffrey Garen and Benjamin Poulain.
2855
2856         Set Derived.prototype.__proto__ to null when extending null.
2857
2858         * bytecompiler/NodesCodegen.cpp:
2859         (JSC::ClassExprNode::emitBytecode):
2860
2861 2015-03-30  Mark Lam  <mark.lam@apple.com>
2862
2863         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
2864         <https://webkit.org/b/143105>
2865
2866         Reviewed by Filip Pizlo.
2867
2868         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
2869         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
2870         JIT frames that may have their scope register not set.  The Debugger's current implementation
2871         which relies on the scope register is not happy about this.  For example, this results in a
2872         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
2873
2874         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
2875         ensure that the scope register value is flushed to the register in the stack frame.
2876
2877         * dfg/DFGByteCodeParser.cpp:
2878         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2879         (JSC::DFG::ByteCodeParser::setLocal):
2880         (JSC::DFG::ByteCodeParser::flush):
2881         - Add code to flush the scope register.
2882         (JSC::DFG::ByteCodeParser::inliningCost):
2883         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
2884           disabling inlining whenever the debugger is in use.
2885         * dfg/DFGGraph.cpp:
2886         (JSC::DFG::Graph::Graph):
2887         * dfg/DFGGraph.h:
2888         (JSC::DFG::Graph::hasDebuggerEnabled):
2889         * dfg/DFGStackLayoutPhase.cpp:
2890         (JSC::DFG::StackLayoutPhase::run):
2891         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
2892         * ftl/FTLCompile.cpp:
2893         (JSC::FTL::mmAllocateDataSection):
2894         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
2895
2896 2015-03-30  Michael Saboff  <msaboff@apple.com>
2897
2898         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
2899         https://bugs.webkit.org/show_bug.cgi?id=138391
2900
2901         Reviewed by Mark Lam.
2902
2903         Re-enabling these tests as I can't get them to fail on local iOS test devices.
2904         There have been many changes since these tests were disabled.
2905         I'll watch automated test results for failures.  If there are failures running automated
2906         testing, it might be due to the device's relative CPU performance.
2907         
2908         * tests/stress/float32-repeat-out-of-bounds.js:
2909         * tests/stress/int8-repeat-out-of-bounds.js:
2910
2911 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
2912
2913         Web Inspector: Regression: Preview for [[null]] shouldn't be []
2914         https://bugs.webkit.org/show_bug.cgi?id=143208
2915
2916         Reviewed by Mark Lam.
2917
2918         * inspector/InjectedScriptSource.js:
2919         Handle null when generating simple object previews.
2920
2921 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
2922
2923         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
2924         https://bugs.webkit.org/show_bug.cgi?id=143134
2925
2926         Reviewed by Geoffrey Garen.
2927
2928         * jit/JSInterfaceJIT.h:
2929         * jit/Repatch.cpp:
2930         (JSC::tryCacheGetByID):
2931
2932 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
2933
2934         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
2935         https://bugs.webkit.org/show_bug.cgi?id=143104
2936
2937         Reviewed by Geoffrey Garen.
2938         
2939         Created a test that is a 100% repro of the flaky failure. This test is called
2940         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
2941         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
2942         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
2943         
2944         Also created three more tests for three similar, but not identical, failures.
2945         
2946         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
2947         only reading those parts of the stack that are relevant to the current semantic code origin.
2948         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
2949         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
2950         read parts of the stack associated with the inline call frame for the phantom arguments. This
2951         may not be subsumed by the current semantic origin's stack area in cases that the arguments
2952         were allowed to "locally" escape.
2953         
2954         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
2955         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
2956         the stack due to function.arguments, but there are a bunch of other ways that we could also
2957         read the stack and those operations may read any stack slot. I believe that this change makes
2958         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
2959         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
2960         readTop() in PreciseLocalClobberize does the right thing.
2961
2962         * dfg/DFGClobberize.h:
2963         (JSC::DFG::clobberize):
2964         * dfg/DFGPreciseLocalClobberize.h:
2965         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2966         * dfg/DFGPutStackSinkingPhase.cpp:
2967         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
2968         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
2969         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
2970         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
2971         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
2972
2973 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
2974
2975         Start the features.json files
2976         https://bugs.webkit.org/show_bug.cgi?id=143207
2977
2978         Reviewed by Darin Adler.
2979
2980         Start the features.json files to have something to experiment
2981         with for the UI.
2982
2983         * features.json: Added.
2984
2985 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2986
2987         [Win] Addressing post-review comment after r182122
2988         https://bugs.webkit.org/show_bug.cgi?id=143189
2989
2990         Unreviewed.
2991
2992 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2993
2994         [Win] Allow building JavaScriptCore without Cygwin
2995         https://bugs.webkit.org/show_bug.cgi?id=143189
2996
2997         Reviewed by Brent Fulgham.
2998
2999         Paths like /usr/bin/ don't exist on Windows.
3000         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
3001         Prefixing commands with environment variables doesn't work on Windows.
3002         Windows doesn't have 'cmp'.
3003         Windows uses 'del' instead of 'rm'.
3004         Windows uses 'type NUL' instead of 'touch'.
3005
3006         * DerivedSources.make:
3007         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
3008         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
3009         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
3010         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
3011         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
3012         * JavaScriptCore.vcxproj/build-generated-files.pl:
3013         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
3014
3015 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
3016
3017         Clean up JavaScriptCore/builtins
3018         https://bugs.webkit.org/show_bug.cgi?id=143177
3019
3020         Reviewed by Ryosuke Niwa.
3021
3022         * builtins/ArrayConstructor.js:
3023         (from):
3024         - We can compare to undefined instead of using a typeof undefined check.
3025         - Converge on double quoted strings everywhere.
3026
3027         * builtins/ArrayIterator.prototype.js:
3028         (next):
3029         * builtins/StringIterator.prototype.js:
3030         (next):
3031         - Use shorthand object construction to avoid duplication.
3032         - Improve grammar in error messages.
3033
3034         * tests/stress/array-iterators-next-with-call.js:
3035         * tests/stress/string-iterators.js:
3036         - Update for new error message strings.
3037
3038 2015-03-28  Saam Barati  <saambarati1@gmail.com>
3039
3040         Web Inspector: ES6: Better support for Symbol types in Type Profiler
3041         https://bugs.webkit.org/show_bug.cgi?id=141257
3042
3043         Reviewed by Joseph Pecoraro.
3044
3045         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
3046         type profiler support this new primitive type.
3047
3048         * dfg/DFGFixupPhase.cpp:
3049         (JSC::DFG::FixupPhase::fixupNode):
3050         * inspector/protocol/Runtime.json:
3051         * runtime/RuntimeType.cpp:
3052         (JSC::runtimeTypeForValue):
3053         * runtime/RuntimeType.h:
3054         (JSC::runtimeTypeIsPrimitive):
3055         * runtime/TypeSet.cpp:
3056         (JSC::TypeSet::addTypeInformation):
3057         (JSC::TypeSet::dumpTypes):
3058         (JSC::TypeSet::doesTypeConformTo):
3059         (JSC::TypeSet::displayName):
3060         (JSC::TypeSet::inspectorTypeSet):
3061         (JSC::TypeSet::toJSONString):
3062         * runtime/TypeSet.h:
3063         (JSC::TypeSet::seenTypes):
3064         * tests/typeProfiler/driver/driver.js:
3065         * tests/typeProfiler/symbol.js: Added.
3066         (wrapper.foo):
3067         (wrapper.bar):
3068         (wrapper.bar.bar.baz):
3069         (wrapper):
3070
3071 2015-03-27  Saam Barati  <saambarati1@gmail.com>
3072
3073         Deconstruction parameters are bound too late
3074         https://bugs.webkit.org/show_bug.cgi?id=143148
3075
3076         Reviewed by Filip Pizlo.
3077
3078         Currently, a deconstruction pattern named with the same
3079         name as a function will shadow the function. This is
3080         wrong. It should be the other way around.
3081
3082         * bytecompiler/BytecodeGenerator.cpp:
3083         (JSC::BytecodeGenerator::generate):
3084
3085 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
3086
3087         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
3088         https://bugs.webkit.org/show_bug.cgi?id=143170
3089
3090         Reviewed by Benjamin Poulain.
3091
3092         Assert that we never use 16-bit version of the parser to parse a default constructor
3093         since both base and derived default constructors should be using an 8-bit string.
3094
3095         * parser/Parser.h:
3096         (JSC::parse):
3097
3098 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
3099
3100         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
3101         https://bugs.webkit.org/show_bug.cgi?id=142862
3102
3103         Reviewed by Benjamin Poulain.
3104
3105         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
3106
3107         * tests/stress/class-syntax-derived-default-constructor.js: Added.
3108
3109 2015-03-27  Michael Saboff  <msaboff@apple.com>
3110
3111         load8Signed() and load16Signed() should be renamed to avoid confusion
3112         https://bugs.webkit.org/show_bug.cgi?id=143168
3113
3114         Reviewed by Benjamin Poulain.
3115
3116         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
3117
3118         * assembler/MacroAssemblerARM.h:
3119         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
3120         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
3121         (JSC::MacroAssemblerARM::load8Signed): Deleted.
3122         (JSC::MacroAssemblerARM::load16Signed): Deleted.
3123         * assembler/MacroAssemblerARM64.h:
3124         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
3125         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
3126         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
3127         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
3128         * assembler/MacroAssemblerARMv7.h:
3129         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
3130         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
3131         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
3132         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
3133         * assembler/MacroAssemblerMIPS.h:
3134         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
3135         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
3136         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
3137         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
3138         * assembler/MacroAssemblerSH4.h:
3139         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
3140         (JSC::MacroAssemblerSH4::load8):
3141         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
3142         (JSC::MacroAssemblerSH4::load16):
3143         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
3144         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
3145         * assembler/MacroAssemblerX86Common.h:
3146         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
3147         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
3148         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
3149         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
3150         * dfg/DFGSpeculativeJIT.cpp:
3151         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3152         * jit/JITPropertyAccess.cpp:
3153         (JSC::JIT::emitIntTypedArrayGetByVal):
3154
3155 2015-03-27  Michael Saboff  <msaboff@apple.com>
3156
3157         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
3158         https://bugs.webkit.org/show_bug.cgi?id=138390
3159
3160         Reviewed by Mark Lam.
3161
3162         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
3163         instead of 64 bits.  This is what X86-64 does.
3164
3165         * assembler/MacroAssemblerARM64.h:
3166         (JSC::MacroAssemblerARM64::load16Signed):
3167         (JSC::MacroAssemblerARM64::load8Signed):
3168
3169 2015-03-27  Saam Barati  <saambarati1@gmail.com>
3170
3171         Add back previously broken assert from bug 141869
3172         https://bugs.webkit.org/show_bug.cgi?id=143005
3173
3174         Reviewed by Michael Saboff.
3175
3176         * runtime/ExceptionHelpers.cpp:
3177         (JSC::invalidParameterInSourceAppender):
3178
3179 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
3180
3181         Make some more objects use FastMalloc
3182         https://bugs.webkit.org/show_bug.cgi?id=143122
3183
3184         Reviewed by Csaba Osztrogonác.
3185
3186         * API/JSCallbackObject.h:
3187         * heap/IncrementalSweeper.h:
3188         * jit/JITThunks.h:
3189         * runtime/JSGlobalObjectDebuggable.h:
3190         * runtime/RegExpCache.h:
3191
3192 2015-03-27  Michael Saboff  <msaboff@apple.com>
3193
3194         Objects with numeric properties intermittently get a phantom 'length' property
3195         https://bugs.webkit.org/show_bug.cgi?id=142792
3196
3197         Reviewed by Csaba Osztrogonác.
3198
3199         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
3200         test and branch instructions.  This function is used for linking tbz/tbnz branches between
3201         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
3202         the failure case checks in the GetById array length stub created for "obj.length" access.
3203         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
3204         being set when we should have been looking for bit 0.
3205
3206         * assembler/ARM64Assembler.h:
3207         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
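
Added example (not from the ChangeLog entry or the JSC sources): an encoder and decoder for the A64 test-bit-and-branch instruction word, with the `>`-for-`>>` slip from the entry above reproduced in a separate function so its effect on a real encoding can be seen. It is written in JavaScript on 32-bit ints and is not JSC's assembler code; the field layout is the one documented for the ARMv8-A TBZ/TBNZ encoding, and the function names are made up for this illustration.

```javascript
// Added example, not JSC code. A64 "test bit and branch (immediate)" layout:
//   bit 31      b5     high bit of the tested bit number
//   bits 30:25  011011 fixed opcode bits
//   bit 24      op     0 = TBZ, 1 = TBNZ
//   bits 23:19  b40    low five bits of the tested bit number
//   bits 18:5   imm14  signed branch offset in words (x4 for bytes)
//   bits 4:0    Rt     register being tested
// All arithmetic uses JavaScript's 32-bit bitwise operators.

const TEST_AND_BRANCH_MASK = 0x7E000000;
const TEST_AND_BRANCH_BITS = 0x36000000;

function encodeTestAndBranch(isTbnz, bitNumber, offsetBytes, rt) {
  if (offsetBytes % 4 !== 0) throw new RangeError("offset must be word aligned");
  if (offsetBytes < -32768 || offsetBytes > 32764) throw new RangeError("offset out of imm14 range");
  if (bitNumber < 0 || bitNumber > 63) throw new RangeError("bit number out of range");
  const imm14 = (offsetBytes / 4) & 0x3FFF;
  const word =
    TEST_AND_BRANCH_BITS |
    ((bitNumber >>> 5) << 31) |
    ((isTbnz ? 1 : 0) << 24) |
    ((bitNumber & 0x1F) << 19) |
    (imm14 << 5) |
    (rt & 0x1F);
  return word >>> 0; // present as an unsigned 32-bit value
}

// Returns null if the word is not a TBZ/TBNZ at all.
function decodeTestAndBranch(word) {
  if ((word & TEST_AND_BRANCH_MASK) !== TEST_AND_BRANCH_BITS) return null;
  return {
    isTbnz: ((word >>> 24) & 1) === 1,
    bitNumber: ((word >>> 26) & 0x20) | ((word >>> 19) & 0x1F),
    offsetBytes: ((word << 13) >> 18) * 4, // arithmetic shift sign-extends imm14
    rt: word & 0x1F,
  };
}

// The slip: `word > 19` is a comparison, so the b40 field collapses to 0 or 1
// and the decoded bit number is 0/1 (or 32/33) regardless of what was encoded.
function buggyBitNumber(word) {
  return ((word >>> 26) & 0x20) | ((word > 19) & 0x1F);
}

// Round trip every field of one encoding; a cheap unit test for this bug class.
function roundTrips(isTbnz, bitNumber, offsetBytes, rt) {
  const d = decodeTestAndBranch(encodeTestAndBranch(isTbnz, bitNumber, offsetBytes, rt));
  return d !== null && d.isTbnz === isTbnz && d.bitNumber === bitNumber &&
    d.offsetBytes === offsetBytes && d.rt === rt;
}

// tbz x3, #0, -8 : correct decode tests bit 0, the buggy extraction says bit 1.
const sample = encodeTestAndBranch(false, 0, -8, 3);
console.log(sample.toString(16), decodeTestAndBranch(sample), buggyBitNumber(sample));
```

For a TBZ on bit 0 with a negative offset, the buggy extraction yields bit 1, which is the symptom the entry describes (bit 1 tested in place of bit 0). Because the comparison still produces a value of the right type, neither the compiler nor a cursory read flags it; round-tripping encodings through decode(encode(...)) catches it immediately.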
3208
3209 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3210
3211         Insert exception check around toPropertyKey call
3212         https://bugs.webkit.org/show_bug.cgi?id=142922
3213
3214         Reviewed by Geoffrey Garen.
3215
3216         In some places, an exception check is missing after/before toPropertyKey.
3217         However, since it calls toString, this is observable to users.
3218
3219         Missing exception checks in Object.prototype methods can be
3220         observed since it would be overridden with toObject(null/undefined) errors.
3221         We inserted exception checks after toPropertyKey.
3222
3223         Missing exception checks in GetById related code can be
3224         observed since it would be overridden with toObject(null/undefined) errors.
3225         In this case, we need to insert exception checks before/after toPropertyKey
3226         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
3227
3228         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
3229         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
3230         According to the spec, we first perform RequireObjectCoercible and check the exception.
3231         And second, we perform ToPropertyKey and check the exception.
3232         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
3233         For example, if the target is not object coercible,
3234         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
3235         This patch introduces JSValue::requireObjectCoercible and uses it because of the following 2 reasons.
3236
3237         This patch introduces JSValue::requireObjectCoercible and use it because of the following 2 reasons.
3238
3239         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
3240
3241         toObject converts primitive types into wrapper objects.
3242         But it is not efficient since wrapper objects are not necessary
3243         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
3244
3245         2. Using the result of toObject is not correct to the spec.
3246
3247         To align to the spec correctly, we cannot use JSObject::get
3248         by using the wrapper object produced by the toObject suggested in (1).
3249         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
3250         It is not correct since getter should be called with the original |this| value that may be primitive types.
3251
3252         So in this patch, we use JSValue::requireObjectCoercible
3253         to check the target is object coercible and raise an error if it's not.
3254
3255         * dfg/DFGOperations.cpp:
3256         * jit/JITOperations.cpp:
3257         (JSC::getByVal):
3258         * llint/LLIntSlowPaths.cpp:
3259         (JSC::LLInt::getByVal):
3260         * runtime/CommonSlowPaths.cpp:
3261         (JSC::SLOW_PATH_DECL):
3262         * runtime/JSCJSValue.h:
3263         * runtime/JSCJSValueInlines.h:
3264         (JSC::JSValue::requireObjectCoercible):
3265         * runtime/ObjectPrototype.cpp:
3266         (JSC::objectProtoFuncHasOwnProperty):
3267         (JSC::objectProtoFuncDefineGetter):
3268         (JSC::objectProtoFuncDefineSetter):
3269         (JSC::objectProtoFuncLookupGetter):
3270         (JSC::objectProtoFuncLookupSetter):
3271         (JSC::objectProtoFuncPropertyIsEnumerable):
3272         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
3273         (shouldThrow):
3274         (if):
3275         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
3276         (shouldThrow):
3277         (.):
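
Added example (not from the ChangeLog entry or the JSC sources): the ordering described above made observable from script. A key object whose toString throws and counts its invocations shows, for each operation, whether ToPropertyKey ran and which exception won; a strict-mode getter shows why the ToObject wrapper must not become the receiver. The probe and helper names are made up for this illustration, and `receiverType` is a getter installed only for the demonstration and removed again.

```javascript
// Added example, not JSC code: RequireObjectCoercible / ToObject versus
// ToPropertyKey ordering, observed through a key whose toString throws.

function makeThrowingKey() {
  const key = {
    calls: 0,
    toString() {
      key.calls += 1;
      throw new Error("toString ran");
    },
  };
  return key;
}

// Runs fn and reports the thrown error's constructor name and message, or null.
function caught(fn) {
  try {
    fn();
    return null;
  } catch (e) {
    return { name: e.constructor.name, message: e.message };
  }
}

// base[key]: the base is checked for object-coercibility first, so with a null
// base the engine must throw TypeError without ever converting the key.
function probeNullBase() {
  const key = makeThrowingKey();
  const err = caught(() => null[key]);
  return { name: err ? err.name : null, toStringCalls: key.calls }; // "TypeError", 0
}

// With an object base, ToPropertyKey runs and its exception is the one observed.
function probeObjectBase() {
  const key = makeThrowingKey();
  const err = caught(() => ({})[key]);
  return { message: err ? err.message : null, toStringCalls: key.calls }; // "toString ran", 1
}

// Object.prototype.hasOwnProperty(V): spec step 1 is ToPropertyKey(V), step 2 is
// ToObject(this). The key's exception therefore wins over the null-this TypeError;
// an implementation that skips the exception check after ToPropertyKey reports a
// TypeError here instead, which is the observable difference the entry describes.
function probeHasOwnPropertyOnNull() {
  const key = makeThrowingKey();
  const err = caught(() => Object.prototype.hasOwnProperty.call(null, key));
  return { message: err ? err.message : null, toStringCalls: key.calls }; // "toString ran", 1
}

// Why the lookup must not use the wrapper object from ToObject as the receiver:
// a strict-mode getter found on the prototype sees the original primitive as
// `this`, not a String wrapper.
function probeGetterReceiver() {
  Object.defineProperty(String.prototype, "receiverType", {
    get() { "use strict"; return typeof this; },
    configurable: true,
  });
  try {
    return "abc".receiverType; // "string", not "object"
  } finally {
    delete String.prototype.receiverType;
  }
}

console.log(probeNullBase(), probeObjectBase(), probeHasOwnPropertyOnNull(), probeGetterReceiver());
```

An engine that runs ToPropertyKey before the coercibility check, or that drops the exception ToPropertyKey raised, shows up in these probes as a non-zero call count or the wrong error class; that is exactly the class of divergence the missing checks produced.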
3278
3279 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
3280
3281         WebContent Crash when instantiating class with Type Profiling enabled
3282         https://bugs.webkit.org/show_bug.cgi?id=143037
3283
3284         Reviewed by Ryosuke Niwa.
3285
3286         * bytecompiler/BytecodeGenerator.h:
3287         * bytecompiler/BytecodeGenerator.cpp:
3288         (JSC::BytecodeGenerator::BytecodeGenerator):
3289         (JSC::BytecodeGenerator::emitMoveEmptyValue):
3290         We cannot profile the type of an uninitialized empty JSValue.
3291         Nor do we expect this to be necessary, since it is effectively
3292         an unseen undefined value. So add a way to put the empty value
3293         without profiling.
3294
3295         (JSC::BytecodeGenerator::emitMove):
3296         Add an assert to try to catch this issue early on, and force
3297         callers to explicitly use emitMoveEmptyValue instead.
3298
3299         * tests/typeProfiler/classes.js: Added.
3300         (wrapper.Base):
3301         (wrapper.Derived):
3302         (wrapper):
3303         Add test coverage both for this case and classes in general.
3304
3305 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
3306
3307         Web Inspector: ES6: Provide a better view for Classes in the console
3308         https://bugs.webkit.org/show_bug.cgi?id=142999
3309
3310         Reviewed by Timothy Hatcher.
3311
3312         * inspector/protocol/Runtime.json:
3313         Provide a new `subtype` enum "class". This is a subtype of `type`
3314         "function", all other subtypes are subtypes of `object` types.
3315         For a class, the frontend will immediately want to get the prototype
3316         to enumerate its methods, so include the `classPrototype`.
3317
3318         * inspector/JSInjectedScriptHost.cpp:
3319         (Inspector::JSInjectedScriptHost::subtype):
3320         Denote class construction functions as "class" subtypes.
3321
3322         * inspector/InjectedScriptSource.js:
3323         Handling for the new "class" type.
3324
3325         * bytecode/UnlinkedCodeBlock.h:
3326         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
3327         * runtime/Executable.h:
3328         (JSC::FunctionExecutable::isClassConstructorFunction):
3329         * runtime/JSFunction.h:
3330         * runtime/JSFunctionInlines.h:
3331         (JSC::JSFunction::isClassConstructorFunction):
3332         Check if this function is a class constructor function. That information
3333         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
3334
3335 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
3336
3337         Function.prototype.toString should not decompile the AST
3338         https://bugs.webkit.org/show_bug.cgi?id=142853
3339
3340         Reviewed by Darin Adler.
3341
3342         Following up on Darin's review comments.
3343
3344         * runtime/FunctionConstructor.cpp:
3345         (JSC::constructFunctionSkippingEvalEnabledCheck):
3346
3347 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
3348
3349         "lineNo" does not match WebKit coding style guidelines
3350         https://bugs.webkit.org/show_bug.cgi?id=143119
3351
3352         Reviewed by Michael Saboff.
3353
3354         We can afford to use whole words.
3355
3356         * bytecode/CodeBlock.cpp:
3357         (JSC::CodeBlock::lineNumberForBytecodeOffset):
3358         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
3359         * bytecode/UnlinkedCodeBlock.cpp:
3360         (JSC::UnlinkedFunctionExecutable::link):
3361         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
3362         * bytecode/UnlinkedCodeBlock.h:
3363         * bytecompiler/NodesCodegen.cpp:
3364         (JSC::WhileNode::emitBytecode):
3365         * debugger/Debugger.cpp:
3366         (JSC::Debugger::toggleBreakpoint):
3367         * interpreter/Interpreter.cpp:
3368         (JSC::StackFrame::computeLineAndColumn):
3369         (JSC::GetStackTraceFunctor::operator()):
3370         (JSC::Interpreter::execute):
3371         * interpreter/StackVisitor.cpp:
3372         (JSC::StackVisitor::Frame::computeLineAndColumn):
3373         * parser/Nodes.h:
3374         (JSC::Node::firstLine):
3375         (JSC::Node::lineNo): Deleted.
3376         (JSC::StatementNode::firstLine): Deleted.
3377         * parser/ParserError.h:
3378         (JSC::ParserError::toErrorObject):
3379         * profiler/LegacyProfiler.cpp:
3380         (JSC::createCallIdentifierFromFunctionImp):
3381         * runtime/CodeCache.cpp:
3382         (JSC::CodeCache::getGlobalCodeBlock):
3383         * runtime/Executable.cpp:
3384         (JSC::ScriptExecutable::ScriptExecutable):
3385         (JSC::ScriptExecutable::newCodeBlockFor):
3386         (JSC::FunctionExecutable::fromGlobalCode):
3387         * runtime/Executable.h:
3388         (JSC::ScriptExecutable::firstLine):
3389         (JSC::ScriptExecutable::setOverrideLineNumber):
3390         (JSC::ScriptExecutable::hasOverrideLineNumber):
3391         (JSC::ScriptExecutable::overrideLineNumber):
3392         (JSC::ScriptExecutable::lineNo): Deleted.
3393         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
3394         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
3395         (JSC::ScriptExecutable::overrideLineNo): Deleted.
3396         * runtime/FunctionConstructor.cpp:
3397         (JSC::constructFunctionSkippingEvalEnabledCheck):
3398         * runtime/FunctionConstructor.h:
3399         * tools/CodeProfile.cpp:
3400         (JSC::CodeProfile::report):
3401         * tools/CodeProfile.h:
3402         (JSC::CodeProfile::CodeProfile):
3403
3404 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
3405
3406         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
3407         https://bugs.webkit.org/show_bug.cgi?id=142974
3408
3409         Reviewed by Joseph Pecoraro.
3410
3411         This patch does two things:
3412
3413         (1) Restore JavaScriptCore's sanitization of line and column numbers to
3414         one-based values.
3415
3416         We need this because WebCore sometimes provides huge negative column
3417         numbers.
3418
3419         (2) Solve the attribute event listener line numbering problem a different
3420         way: Rather than offsetting all line numbers by -1 in an attribute event
3421         listener in order to arrange for a custom result, instead use an explicit
3422         feature for saying "all errors in this code should map to this line number".
3423
3424         * bytecode/UnlinkedCodeBlock.cpp:
3425         (JSC::UnlinkedFunctionExecutable::link):
3426         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
3427         * bytecode/UnlinkedCodeBlock.h:
3428         * interpreter/Interpreter.cpp:
3429         (JSC::StackFrame::computeLineAndColumn):
3430         (JSC::GetStackTraceFunctor::operator()):
3431         * interpreter/Interpreter.h:
3432         * interpreter/StackVisitor.cpp:
3433         (JSC::StackVisitor::Frame::computeLineAndColumn):
3434         * parser/ParserError.h:
3435         (JSC::ParserError::toErrorObject): Plumb through an override line number.
3436         When a function has an override line number, all syntax and runtime
3437         errors in the function will map to it. This is useful for attribute event
3438         listeners.
3439
3440         * parser/SourceCode.h:
3441         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
3442         column numbers to one-based integers. It was kind of a hack to remove this.
3443
3444         * runtime/Executable.cpp:
3445         (JSC::ScriptExecutable::ScriptExecutable):
3446         (JSC::FunctionExecutable::fromGlobalCode):
3447         * runtime/Executable.h:
3448         (JSC::ScriptExecutable::setOverrideLineNo):
3449         (JSC::ScriptExecutable::hasOverrideLineNo):
3450         (JSC::ScriptExecutable::overrideLineNo):
3451         * runtime/FunctionConstructor.cpp:
3452         (JSC::constructFunctionSkippingEvalEnabledCheck):
3453         * runtime/FunctionConstructor.h: Plumb through an override line number.
3454
3455 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
3456
3457         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
3458
3459         Reviewed by Michael Saboff.
3460
3461         * jit/JITPropertyAccess.cpp:
3462         (JSC::JIT::emitScopedArgumentsGetByVal):
3463         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
3464
3465 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
3466
3467         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
3468         https://bugs.webkit.org/show_bug.cgi?id=143098
3469
3470         Reviewed by Csaba Osztrogonác.
3471
3472         * ftl/FTLLowerDFGToLLVM.cpp:
3473         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
3474         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
3475
3476 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
3477
3478         Unreviewed gardening, skip failing tests on AArch64 Linux.
3479
3480         * tests/mozilla/mozilla-tests.yaml:
3481         * tests/stress/cached-prototype-setter.js:
3482
3483 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
3484
3485         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
3486
3487         * dfg/DFGConstantFoldingPhase.cpp:
3488         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
3489         * ftl/FTLCompile.cpp:
3490         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
3491         * ftl/FTLState.cpp:
3492         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
3493         * ftl/FTLState.h:
3494
3495 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3496
3497         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
3498         right, so this just makes 32-bit do the same.
3499
3500         * dfg/DFGSpeculativeJIT32_64.cpp:
3501         (JSC::DFG::SpeculativeJIT::emitCall):
3502
3503 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3504
3505         Fix a typo that ggaren found but that I didn't fix before.
3506
3507         * runtime/DirectArgumentsOffset.h:
3508
3509 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3510
3511         Unreviewed, VC found a bug. This fixes the bug.
3512
3513         * dfg/DFGConstantFoldingPhase.cpp:
3514         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3515
3516 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3517
3518         Unreviewed, try to fix Windows build.
3519
3520         * runtime/ClonedArguments.cpp:
3521         (JSC::ClonedArguments::createWithInlineFrame):
3522
3523 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3524
3525         Unreviewed, fix debug build.
3526
3527         * bytecompiler/NodesCodegen.cpp:
3528         (JSC::ConstDeclNode::emitCodeSingle):
3529
3530 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3531
3532         Unreviewed, fix CLOOP build.
3533
3534         * dfg/DFGMinifiedID.h:
3535
3536 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
3537
3538         Heap variables shouldn't end up in the stack frame
3539         https://bugs.webkit.org/show_bug.cgi?id=141174
3540
3541         Reviewed by Geoffrey Garen.
3542         
3543         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
3544         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
3545         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
3546         simplifications:
3547         
3548         - Accesses to variables no longer need checks or indirections to determine where the variable is
3549           at that moment in time. For example, loading a closure variable now takes just one load instead
3550           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
3551           (when no arguments object allocation is required) while previously that same operation required
3552           a "did I allocate arguments yet" check, a bounds check, and then the load.
3553         
3554         - Reasoning about the allocation of an activation or arguments object now follows the same simple
3555           logic as the allocation of any other kind of object. Previously, those objects were lazily
3556           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
3557           allocate anything at all. This made the implementation of traditional escape analyses really
3558           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
3559           arguments object using the usual SSA tricks which allows for more comprehensive removal.
3560         
3561         - The allocations of arguments objects, functions, and activations are now much faster. While
3562           this patch generally expands our ability to eliminate arguments object allocations, an earlier
3563           version of the patch - which lacked that functionality - was a progression on some arguments-
3564           and closure-happy benchmarks because although no allocations were eliminated, all allocations
3565           were faster.
3566         
3567         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
3568           its arguments objects or activations. The runtime doesn't have to do things to the arguments
3569           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
3570           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
3571           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
3572           now gone. This also enables implementing block-scoping. Without this change, block-scope
3573           support would require telling CodeBlock and all of the rest of the runtime about all of the
3574           variables that store currently-live scopes. That would have been so disastrously hard that it
3575           might as well be impossible. With this change, it's fair game for the bytecode generator to
3576           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
3577           however long it wants. This all works, because after bytecode generation, an activation is just
3578           an object and variables that refer to it are just normal variables.
3579         
3580         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
3581           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
3582           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
3583           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
3584           an arguments object.
3585         
3586         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
3587           using activations used to prevent inlining; now functions that use activations can be inlined
3588           just fine.
3589         
3590         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
3591         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
3592         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
3593         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
3594         
3595         The easiest way of understanding this change is to start by looking at the changes in runtime/,
3596         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
3597
3598         * CMakeLists.txt:
3599         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3600         * JavaScriptCore.xcodeproj/project.pbxproj:
3601         * assembler/AbortReason.h:
3602         * assembler/AbstractMacroAssembler.h:
3603         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
3604         * bytecode/ByValInfo.h:
3605         (JSC::hasOptimizableIndexingForJSType):
3606         (JSC::hasOptimizableIndexing):
3607         (JSC::jitArrayModeForJSType):
3608         (JSC::jitArrayModePermitsPut):
3609         (JSC::jitArrayModeForStructure):
3610         * bytecode/BytecodeKills.h: Added.
3611         (JSC::BytecodeKills::BytecodeKills):
3612         (JSC::BytecodeKills::operandIsKilled):
3613         (JSC::BytecodeKills::forEachOperandKilledAt):
3614         (JSC::BytecodeKills::KillSet::KillSet):
3615         (JSC::BytecodeKills::KillSet::add):
3616         (JSC::BytecodeKills::KillSet::forEachLocal):
3617         (JSC::BytecodeKills::KillSet::contains):
3618         * bytecode/BytecodeList.json:
3619         * bytecode/BytecodeLivenessAnalysis.cpp:
3620         (JSC::isValidRegisterForLiveness):
3621         (JSC::stepOverInstruction):
3622         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
3623         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
3624         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
3625         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
3626         (JSC::BytecodeLivenessAnalysis::computeKills):
3627         (JSC::indexForOperand): Deleted.
3628         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
3629         (JSC::getLivenessInfo): Deleted.
3630         * bytecode/BytecodeLivenessAnalysis.h:
3631         * bytecode/BytecodeLivenessAnalysisInlines.h:
3632         (JSC::operandIsAlwaysLive):
3633         (JSC::operandThatIsNotAlwaysLiveIsLive):
3634         (JSC::operandIsLive):
3635         * bytecode/BytecodeUseDef.h:
3636         (JSC::computeUsesForBytecodeOffset):
3637         (JSC::computeDefsForBytecodeOffset):
3638         * bytecode/CodeBlock.cpp:
3639         (JSC::CodeBlock::dumpBytecode):
3640         (JSC::CodeBlock::CodeBlock):
3641         (JSC::CodeBlock::nameForRegister):
3642         (JSC::CodeBlock::validate):
3643         (JSC::CodeBlock::isCaptured): Deleted.
3644         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
3645         (JSC::CodeBlock::machineSlowArguments): Deleted.
3646         * bytecode/CodeBlock.h:
3647         (JSC::unmodifiedArgumentsRegister): Deleted.
3648         (JSC::CodeBlock::setArgumentsRegister): Deleted.
3649         (JSC::CodeBlock::argumentsRegister): Deleted.
3650         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
3651         (JSC::CodeBlock::usesArguments): Deleted.
3652         (JSC::CodeBlock::captureCount): Deleted.
3653         (JSC::CodeBlock::captureStart): Deleted.
3654         (JSC::CodeBlock::captureEnd): Deleted.
3655         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
3656         (JSC::CodeBlock::hasSlowArguments): Deleted.
3657         (JSC::ExecState::argumentAfterCapture): Deleted.
3658         * bytecode/CodeOrigin.h:
3659         * bytecode/DataFormat.h:
3660         (JSC::dataFormatToString):
3661         * bytecode/FullBytecodeLiveness.h:
3662         (JSC::FullBytecodeLiveness::getLiveness):
3663         (JSC::FullBytecodeLiveness::operandIsLive):
3664         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
3665         (JSC::FullBytecodeLiveness::getOut): Deleted.
3666         * bytecode/Instruction.h:
3667         (JSC::Instruction::Instruction):
3668         * bytecode/Operands.h:
3669         (JSC::Operands::virtualRegisterForIndex):
3670         * bytecode/SpeculatedType.cpp:
3671         (JSC::dumpSpeculation):
3672         (JSC::speculationToAbbreviatedString):
3673         (JSC::speculationFromClassInfo):
3674         * bytecode/SpeculatedType.h:
3675         (JSC::isDirectArgumentsSpeculation):
3676         (JSC::isScopedArgumentsSpeculation):
3677         (JSC::isActionableMutableArraySpeculation):
3678         (JSC::isActionableArraySpeculation):
3679         (JSC::isArgumentsSpeculation): Deleted.
3680         * bytecode/UnlinkedCodeBlock.cpp:
3681         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3682         * bytecode/UnlinkedCodeBlock.h:
3683         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
3684         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
3685         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
3686         * bytecode/ValueRecovery.cpp:
3687         (JSC::ValueRecovery::dumpInContext):
3688         * bytecode/ValueRecovery.h:
3689         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
3690         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
3691         (JSC::ValueRecovery::nodeID):
3692         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
3693         * bytecode/VirtualRegister.h:
3694         (JSC::VirtualRegister::operator==):
3695         (JSC::VirtualRegister::operator!=):
3696         (JSC::VirtualRegister::operator<):
3697         (JSC::VirtualRegister::operator>):
3698         (JSC::VirtualRegister::operator<=):
3699         (JSC::VirtualRegister::operator>=):
3700         * bytecompiler/BytecodeGenerator.cpp:
3701         (JSC::BytecodeGenerator::generate):
3702         (JSC::BytecodeGenerator::BytecodeGenerator):
3703         (JSC::BytecodeGenerator::initializeNextParameter):
3704         (JSC::BytecodeGenerator::visibleNameForParameter):
3705         (JSC::BytecodeGenerator::emitMove):
3706         (JSC::BytecodeGenerator::variable):
3707         (JSC::BytecodeGenerator::createVariable):
3708         (JSC::BytecodeGenerator::emitResolveScope):
3709         (JSC::BytecodeGenerator::emitGetFromScope):
3710         (JSC::BytecodeGenerator::emitPutToScope):
3711         (JSC::BytecodeGenerator::initializeVariable):
3712         (JSC::BytecodeGenerator::emitInstanceOf):
3713         (JSC::BytecodeGenerator::emitNewFunction):
3714         (JSC::BytecodeGenerator::emitNewFunctionInternal):
3715         (JSC::BytecodeGenerator::emitCall):
3716         (JSC::BytecodeGenerator::emitReturn):
3717         (JSC::BytecodeGenerator::emitConstruct):
3718         (JSC::BytecodeGenerator::isArgumentNumber):
3719         (JSC::BytecodeGenerator::emitEnumeration):
3720         (JSC::BytecodeGenerator::addVar): Deleted.
3721         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
3722         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
3723         (JSC::BytecodeGenerator::resolveCallee): Deleted.
3724         (JSC::BytecodeGenerator::addCallee): Deleted.
3725         (JSC::BytecodeGenerator::addParameter): Deleted.
3726         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
3727         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
3728         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
3729         (JSC::BytecodeGenerator::isCaptured): Deleted.
3730         (JSC::BytecodeGenerator::local): Deleted.
3731         (JSC::BytecodeGenerator::constLocal): Deleted.
3732         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
3733         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
3734         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
3735         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
3736         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
3737         * bytecompiler/BytecodeGenerator.h:
3738         (JSC::Variable::Variable):
3739         (JSC::Variable::isResolved):
3740         (JSC::Variable::ident):
3741         (JSC::Variable::offset):
3742         (JSC::Variable::isLocal):
3743         (JSC::Variable::local):
3744         (JSC::Variable::isSpecial):
3745         (JSC::BytecodeGenerator::argumentsRegister):
3746         (JSC::BytecodeGenerator::emitNode):
3747         (JSC::BytecodeGenerator::registerFor):
3748         (JSC::Local::Local): Deleted.
3749         (JSC::Local::operator bool): Deleted.
3750         (JSC::Local::get): Deleted.
3751         (JSC::Local::isSpecial): Deleted.
3752         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
3753         (JSC::ResolveScopeInfo::isLocal): Deleted.
3754         (JSC::ResolveScopeInfo::localIndex): Deleted.
3755         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
3756         (JSC::BytecodeGenerator::captureMode): Deleted.
3757         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
3758         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
3759         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
3760         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
3761         * bytecompiler/NodesCodegen.cpp:
3762         (JSC::ResolveNode::isPure):
3763         (JSC::ResolveNode::emitBytecode):
3764         (JSC::BracketAccessorNode::emitBytecode):
3765         (JSC::DotAccessorNode::emitBytecode):
3766         (JSC::EvalFunctionCallNode::emitBytecode):
3767         (JSC::FunctionCallResolveNode::emitBytecode):
3768         (JSC::CallFunctionCallDotNode::emitBytecode):
3769         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3770         (JSC::PostfixNode::emitResolve):
3771         (JSC::DeleteResolveNode::emitBytecode):
3772         (JSC::TypeOfResolveNode::emitBytecode):
3773         (JSC::PrefixNode::emitResolve):
3774         (JSC::ReadModifyResolveNode::emitBytecode):
3775         (JSC::AssignResolveNode::emitBytecode):
3776         (JSC::ConstDeclNode::emitCodeSingle):
3777         (JSC::EmptyVarExpression::emitBytecode):
3778         (JSC::ForInNode::tryGetBoundLocal):
3779         (JSC::ForInNode::emitLoopHeader):
3780         (JSC::ForOfNode::emitBytecode):
3781         (JSC::ArrayPatternNode::emitDirectBinding):
3782         (JSC::BindingNode::bindValue):
3783         (JSC::getArgumentByVal): Deleted.
3784         * dfg/DFGAbstractHeap.h:
3785         * dfg/DFGAbstractInterpreter.h:
3786         * dfg/DFGAbstractInterpreterInlines.h:
3787         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3788         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
3789         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
3790         * dfg/DFGAbstractValue.h:
3791         * dfg/DFGArgumentPosition.h:
3792         (JSC::DFG::ArgumentPosition::addVariable):
3793         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
3794         (JSC::DFG::performArgumentsElimination):
3795         * dfg/DFGArgumentsEliminationPhase.h: Added.
3796         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
3797         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
3798         * dfg/DFGArgumentsUtilities.cpp: Added.
3799         (JSC::DFG::argumentsInvolveStackSlot):
3800         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3801         * dfg/DFGArgumentsUtilities.h: Added.
3802         * dfg/DFGArrayMode.cpp:
3803         (JSC::DFG::ArrayMode::refine):
3804         (JSC::DFG::ArrayMode::alreadyChecked):
3805         (JSC::DFG::arrayTypeToString):
3806         * dfg/DFGArrayMode.h:
3807         (JSC::DFG::ArrayMode::canCSEStorage):
3808         (JSC::DFG::ArrayMode::modeForPut):
3809         * dfg/DFGAvailabilityMap.cpp:
3810         (JSC::DFG::AvailabilityMap::prune):
3811         * dfg/DFGAvailabilityMap.h:
3812         (JSC::DFG::AvailabilityMap::closeOverNodes):
3813         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
3814         * dfg/DFGBackwardsPropagationPhase.cpp:
3815         (JSC::DFG::BackwardsPropagationPhase::propagate):
3816         * dfg/DFGByteCodeParser.cpp:
3817         (JSC::DFG::ByteCodeParser::newVariableAccessData):
3818         (JSC::DFG::ByteCodeParser::getLocal):
3819         (JSC::DFG::ByteCodeParser::setLocal):
3820         (JSC::DFG::ByteCodeParser::getArgument):
3821         (JSC::DFG::ByteCodeParser::setArgument):
3822         (JSC::DFG::ByteCodeParser::flushDirect):
3823         (JSC::DFG::ByteCodeParser::flush):
3824         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
3825         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3826         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3827         (JSC::DFG::ByteCodeParser::handleInlining):
3828         (JSC::DFG::ByteCodeParser::parseBlock):
3829         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3830         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3831         * dfg/DFGCPSRethreadingPhase.cpp:
3832         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
3833         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3834         * dfg/DFGCSEPhase.cpp:
3835         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
3836         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
3837         * dfg/DFGCapabilities.cpp:
3838         (JSC::DFG::isSupportedForInlining):
3839         (JSC::DFG::capabilityLevel):
3840         * dfg/DFGClobberize.h:
3841         (JSC::DFG::clobberize):
3842         * dfg/DFGCommon.h:
3843         * dfg/DFGCommonData.h:
3844         (JSC::DFG::CommonData::CommonData):
3845         * dfg/DFGConstantFoldingPhase.cpp:
3846         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3847         * dfg/DFGDCEPhase.cpp:
3848         (JSC::DFG::DCEPhase::cleanVariables):
3849         * dfg/DFGDisassembler.h:
3850         * dfg/DFGDoesGC.cpp:
3851         (JSC::DFG::doesGC):
3852         * dfg/DFGFixupPhase.cpp:
3853         (JSC::DFG::FixupPhase::fixupNode):
3854         * dfg/DFGFlushFormat.cpp:
3855         (WTF::printInternal):
3856         * dfg/DFGFlushFormat.h:
3857         (JSC::DFG::resultFor):
3858         (JSC::DFG::useKindFor):
3859         (JSC::DFG::dataFormatFor):
3860         * dfg/DFGForAllKills.h: Added.
3861         (JSC::DFG::forAllLiveNodesAtTail):
3862         (JSC::DFG::forAllDirectlyKilledOperands):
3863         (JSC::DFG::forAllKilledOperands):
3864         (JSC::DFG::forAllKilledNodesAtNodeIndex):
3865         (JSC::DFG::forAllKillsInBlock):
3866         * dfg/DFGGraph.cpp:
3867         (JSC::DFG::Graph::Graph):
3868         (JSC::DFG::Graph::dump):
3869         (JSC::DFG::Graph::substituteGetLocal):
3870         (JSC::DFG::Graph::livenessFor):
3871         (JSC::DFG::Graph::killsFor):
3872         (JSC::DFG::Graph::tryGetConstantClosureVar):
3873         (JSC::DFG::Graph::tryGetRegisters): Deleted.
3874         * dfg/DFGGraph.h:
3875         (JSC::DFG::Graph::symbolTableFor):
3876         (JSC::DFG::Graph::uses):
3877         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
3878         (JSC::DFG::Graph::capturedVarsFor): Deleted.
3879         (JSC::DFG::Graph::usesArguments): Deleted.
3880         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
3881         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
3882         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.