1f9b33de0957e740fd88d2427d32e177c704bfac
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
2
3         PutClosureVar CSE def() rule has a wrong base
4         https://bugs.webkit.org/show_bug.cgi?id=143280
5
6         Reviewed by Michael Saboff.
7         
8         I think that this code was incorrect in a benign way, since the base of a
9         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
10
11         * dfg/DFGClobberize.h:
12         (JSC::DFG::clobberize):
13
14 2015-03-31  Commit Queue  <commit-queue@webkit.org>
15
16         Unreviewed, rolling out r182200.
17         https://bugs.webkit.org/show_bug.cgi?id=143279
18
19         Probably causing assertion extravaganza on bots. (Requested by
20         kling on #webkit).
21
22         Reverted changeset:
23
24         "Logically empty WeakBlocks should not pin down their
25         MarkedBlocks indefinitely."
26         https://bugs.webkit.org/show_bug.cgi?id=143210
27         http://trac.webkit.org/changeset/182200
28
29 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
30
31         Clean up Identifier factories to clarify the meaning of StringImpl*
32         https://bugs.webkit.org/show_bug.cgi?id=143146
33
34         Reviewed by Filip Pizlo.
35
36         In a lot of places, `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
37         However, it's ambiguous because `StringImpl*` has 2 different meanings.
38         1) normal string, it is replaceable with `WTFString` and
39         2) `uid`, which holds `isSymbol` information to represent Symbols.
40         So we dropped Identifier constructors for strings and instead, introduced 2 factory functions.
41         + `Identifier::fromString(VM*/ExecState*, const String&)`.
42         Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
43         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
44         This function is used for 2) `uid`. So symbol-ness of `StringImpl*` is kept.
45
46         And to clean up `StringImpl` which is used as uid,
47         we introduce `StringKind` into `StringImpl`. There are 3 kinds
48         1. StringNormal (non-atomic, non-symbol)
49         2. StringAtomic (atomic, non-symbol)
50         3. StringSymbol (non-atomic, symbol)
51         They are mutually exclusive. And the (atomic, symbol) case should not exist.
52
53         * API/JSCallbackObjectFunctions.h:
54         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
55         * API/JSObjectRef.cpp:
56         (JSObjectMakeFunction):
57         * API/OpaqueJSString.cpp:
58         (OpaqueJSString::identifier):
59         * bindings/ScriptFunctionCall.cpp:
60         (Deprecated::ScriptFunctionCall::call):
61         * builtins/BuiltinExecutables.cpp:
62         (JSC::BuiltinExecutables::createExecutableInternal):
63         * builtins/BuiltinNames.h:
64         (JSC::BuiltinNames::BuiltinNames):
65         * bytecompiler/BytecodeGenerator.cpp:
66         (JSC::BytecodeGenerator::BytecodeGenerator):
67         (JSC::BytecodeGenerator::emitThrowReferenceError):
68         (JSC::BytecodeGenerator::emitThrowTypeError):
69         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
70         (JSC::BytecodeGenerator::emitEnumeration):
71         * dfg/DFGDesiredIdentifiers.cpp:
72         (JSC::DFG::DesiredIdentifiers::reallyAdd):
73         * inspector/JSInjectedScriptHost.cpp:
74         (Inspector::JSInjectedScriptHost::functionDetails):
75         (Inspector::constructInternalProperty):
76         (Inspector::JSInjectedScriptHost::weakMapEntries):
77         (Inspector::JSInjectedScriptHost::iteratorEntries):
78         * inspector/JSInjectedScriptHostPrototype.cpp:
79         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
80         * inspector/JSJavaScriptCallFramePrototype.cpp:
81         * inspector/ScriptCallStackFactory.cpp:
82         (Inspector::extractSourceInformationFromException):
83         * jit/JITOperations.cpp:
84         * jsc.cpp:
85         (GlobalObject::finishCreation):
86         (GlobalObject::addFunction):
87         (GlobalObject::addConstructableFunction):
88         (functionRun):
89         (runWithScripts):
90         * llint/LLIntData.cpp:
91         (JSC::LLInt::Data::performAssertions):
92         * llint/LowLevelInterpreter.asm:
93         * parser/ASTBuilder.h:
94         (JSC::ASTBuilder::addVar):
95         * parser/Parser.cpp:
96         (JSC::Parser<LexerType>::parseInner):
97         (JSC::Parser<LexerType>::createBindingPattern):
98         * parser/ParserArena.h:
99         (JSC::IdentifierArena::makeIdentifier):
100         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
101         (JSC::IdentifierArena::makeNumericIdentifier):
102         * runtime/ArgumentsIteratorPrototype.cpp:
103         (JSC::ArgumentsIteratorPrototype::finishCreation):
104         * runtime/ArrayIteratorPrototype.cpp:
105         (JSC::ArrayIteratorPrototype::finishCreation):
106         * runtime/ArrayPrototype.cpp:
107         (JSC::ArrayPrototype::finishCreation):
108         (JSC::arrayProtoFuncPush):
109         * runtime/ClonedArguments.cpp:
110         (JSC::ClonedArguments::getOwnPropertySlot):
111         * runtime/CommonIdentifiers.cpp:
112         (JSC::CommonIdentifiers::CommonIdentifiers):
113         * runtime/CommonIdentifiers.h:
114         * runtime/Error.cpp:
115         (JSC::addErrorInfo):
116         (JSC::hasErrorInfo):
117         * runtime/ExceptionHelpers.cpp:
118         (JSC::createUndefinedVariableError):
119         * runtime/GenericArgumentsInlines.h:
120         (JSC::GenericArguments<Type>::getOwnPropertySlot):
121         * runtime/Identifier.h:
122         (JSC::Identifier::isSymbol):
123         (JSC::Identifier::Identifier):
124         (JSC::Identifier::from): Deleted.
125         * runtime/IdentifierInlines.h:
126         (JSC::Identifier::Identifier):
127         (JSC::Identifier::fromUid):
128         (JSC::Identifier::fromString):
129         * runtime/JSCJSValue.cpp:
130         (JSC::JSValue::dumpInContextAssumingStructure):
131         * runtime/JSCJSValueInlines.h:
132         (JSC::JSValue::toPropertyKey):
133         * runtime/JSGlobalObject.cpp:
134         (JSC::JSGlobalObject::init):
135         * runtime/JSLexicalEnvironment.cpp:
136         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
137         * runtime/JSObject.cpp:
138         (JSC::getClassPropertyNames):
139         (JSC::JSObject::reifyStaticFunctionsForDelete):
140         * runtime/JSObject.h:
141         (JSC::makeIdentifier):
142         * runtime/JSPromiseConstructor.cpp:
143         (JSC::JSPromiseConstructorFuncRace):
144         (JSC::JSPromiseConstructorFuncAll):
145         * runtime/JSString.h:
146         (JSC::JSString::toIdentifier):
147         * runtime/JSSymbolTableObject.cpp:
148         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
149         * runtime/LiteralParser.cpp:
150         (JSC::LiteralParser<CharType>::tryJSONPParse):
151         (JSC::LiteralParser<CharType>::makeIdentifier):
152         * runtime/Lookup.h:
153         (JSC::reifyStaticProperties):
154         * runtime/MapConstructor.cpp:
155         (JSC::constructMap):
156         * runtime/MapIteratorPrototype.cpp:
157         (JSC::MapIteratorPrototype::finishCreation):
158         * runtime/MapPrototype.cpp:
159         (JSC::MapPrototype::finishCreation):
160         * runtime/MathObject.cpp:
161         (JSC::MathObject::finishCreation):
162         * runtime/NumberConstructor.cpp:
163         (JSC::NumberConstructor::finishCreation):
164         * runtime/ObjectConstructor.cpp:
165         (JSC::ObjectConstructor::finishCreation):
166         * runtime/PrivateName.h:
167         (JSC::PrivateName::PrivateName):
168         * runtime/PropertyMapHashTable.h:
169         (JSC::PropertyTable::find):
170         (JSC::PropertyTable::get):
171         * runtime/PropertyName.h:
172         (JSC::PropertyName::PropertyName):
173         (JSC::PropertyName::publicName):
174         (JSC::PropertyName::asIndex):
175         * runtime/PropertyNameArray.cpp:
176         (JSC::PropertyNameArray::add):
177         * runtime/PropertyNameArray.h:
178         (JSC::PropertyNameArray::addKnownUnique):
179         * runtime/RegExpConstructor.cpp:
180         (JSC::RegExpConstructor::finishCreation):
181         * runtime/SetConstructor.cpp:
182         (JSC::constructSet):
183         * runtime/SetIteratorPrototype.cpp:
184         (JSC::SetIteratorPrototype::finishCreation):
185         * runtime/SetPrototype.cpp:
186         (JSC::SetPrototype::finishCreation):
187         * runtime/StringIteratorPrototype.cpp:
188         (JSC::StringIteratorPrototype::finishCreation):
189         * runtime/StringPrototype.cpp:
190         (JSC::StringPrototype::finishCreation):
191         * runtime/Structure.cpp:
192         (JSC::Structure::getPropertyNamesFromStructure):
193         * runtime/SymbolConstructor.cpp:
194         * runtime/VM.cpp:
195         (JSC::VM::throwException):
196         * runtime/WeakMapConstructor.cpp:
197         (JSC::constructWeakMap):
198
199 2015-03-31  Andreas Kling  <akling@apple.com>
200
201         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
202         <https://webkit.org/b/143210>
203
204         Reviewed by Geoffrey Garen.
205
206         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
207         we had a little problem where WeakBlocks with only null pointers would still keep their
208         MarkedBlock alive.
209
210         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
211         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
212         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
213         destroying them once they're fully dead.
214
215         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
216         a mysterious issue where doing two full garbage collections back-to-back would free additional
217         memory in the second collection.
218
219         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
220         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
221         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
222
223         * heap/Heap.h:
224         * heap/Heap.cpp:
225         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
226         owned by Heap, after everything else has been swept.
227
228         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
229         after a full garbage collection ends. Note that we don't do this after Eden collections, since
230         they are unlikely to cause entire WeakBlocks to go empty.
231
232         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
233         to the Heap when it's detached from a WeakSet.
234
235         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
236         of the logically empty WeakBlocks owned by Heap.
237
238         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
239         and updates the next-logically-empty-weak-block-to-sweep index.
240
241         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
242         won't be another chance after this.
243
244         * heap/IncrementalSweeper.h:
245         (JSC::IncrementalSweeper::hasWork): Deleted.
246
247         * heap/IncrementalSweeper.cpp:
248         (JSC::IncrementalSweeper::fullSweep):
249         (JSC::IncrementalSweeper::doSweep):
250         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
251         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
252         changed to return a bool (true if there's more work to be done.)
253
254         * heap/WeakBlock.cpp:
255         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
256         contain any pointers to live objects. The answer is stored in a new SweepResult member.
257
258         * heap/WeakBlock.h:
259         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
260         if the WeakBlock could be detached from the MarkedBlock.
261
262         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
263         when declaring them.
264
265 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
266
267         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
268         https://bugs.webkit.org/show_bug.cgi?id=142883
269
270         Reviewed by Filip Pizlo.
271
272         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
273
274         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
275         in eval inside a derived class' constructor.
276
277         * bytecode/EvalCodeCache.h:
278         (JSC::EvalCodeCache::getSlow):
279         * bytecompiler/NodesCodegen.cpp:
280         (JSC::ThisNode::emitBytecode):
281         * debugger/DebuggerCallFrame.cpp:
282         (JSC::DebuggerCallFrame::evaluate):
283         * interpreter/Interpreter.cpp:
284         (JSC::eval):
285         * parser/ASTBuilder.h:
286         (JSC::ASTBuilder::thisExpr):
287         * parser/NodeConstructors.h:
288         (JSC::ThisNode::ThisNode):
289         * parser/Nodes.h:
290         * parser/Parser.cpp:
291         (JSC::Parser<LexerType>::Parser):
292         (JSC::Parser<LexerType>::parsePrimaryExpression):
293         * parser/Parser.h:
294         (JSC::parse):
295         * parser/ParserModes.h:
296         * parser/SyntaxChecker.h:
297         (JSC::SyntaxChecker::thisExpr):
298         * runtime/CodeCache.cpp:
299         (JSC::CodeCache::getGlobalCodeBlock):
300         (JSC::CodeCache::getProgramCodeBlock):
301         (JSC::CodeCache::getEvalCodeBlock):
302         * runtime/CodeCache.h:
303         (JSC::SourceCodeKey::SourceCodeKey):
304         * runtime/Executable.cpp:
305         (JSC::EvalExecutable::create):
306         * runtime/Executable.h:
307         * runtime/JSGlobalObject.cpp:
308         (JSC::JSGlobalObject::createEvalCodeBlock):
309         * runtime/JSGlobalObject.h:
310         * runtime/JSGlobalObjectFunctions.cpp:
311         (JSC::globalFuncEval):
312         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
313         * tests/stress/class-syntax-tdz-in-eval.js: Added.
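The `this` TDZ behaviour this entry fixes, as an added JavaScript example that is not part of the ChangeLog or of the WebKit stress tests it lists; the class and function names are constructed for illustration.

```javascript
// Added example (not WebKit code): `this` in a derived-class constructor sits in
// its temporal dead zone until super() returns, and that must hold for reads
// that go through direct eval as well.

class Base {
  constructor() {
    this.foo = 'base';
  }
}

// Reads `this` via eval before super() has run: the TDZ check must fire and
// raise a ReferenceError rather than letting the read go through.
class DerivedTooEarly extends Base {
  constructor() {
    eval('this.foo');
    super();
  }
}

// Same read after super(): `this` is initialized, so the eval succeeds.
class DerivedAfterSuper extends Base {
  constructor() {
    super();
    this.seen = eval('this.foo');
  }
}

// A base (non-derived) class has no TDZ for `this`; eval may read it freely.
class Plain {
  constructor() {
    this.x = 1;
    this.viaEval = eval('this.x');
  }
}

// Returns the name of the error a constructor throws, or null if it succeeds.
function errorNameOf(Ctor) {
  try {
    new Ctor();
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

function thisBeforeSuper() { return errorNameOf(DerivedTooEarly); } // 'ReferenceError'
function thisAfterSuper() { return new DerivedAfterSuper().seen; }  // 'base'
function thisInBaseClass() { return new Plain().viaEval; }          // 1
```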
314
315 2015-03-31  Commit Queue  <commit-queue@webkit.org>
316
317         Unreviewed, rolling out r182186.
318         https://bugs.webkit.org/show_bug.cgi?id=143270
319
320         it crashes all the WebGL tests on the Debug bots (Requested by
321         dino on #webkit).
322
323         Reverted changeset:
324
325         "Web Inspector: add 2D/WebGL canvas instrumentation
326         infrastructure"
327         https://bugs.webkit.org/show_bug.cgi?id=137278
328         http://trac.webkit.org/changeset/182186
329
330 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
331
332         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
333         https://bugs.webkit.org/show_bug.cgi?id=142937
334
335         Reviewed by Darin Adler.
336
337         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
338         In ES5 or prior, when a first parameter is not object type, these functions raise TypeError.
339         But now, several functions perform ToObject onto a non-object parameter.
340         And others behave as if a parameter is a non-extensible ordinary object with no own properties.
341         It is described in ES6 Annex E.
342         The functions that differ from ES5 are the following.
343
344         1. An attempt is made to coerce the argument using ToObject.
345             Object.getOwnPropertyDescriptor
346             Object.getOwnPropertyNames
347             Object.getPrototypeOf
348             Object.keys
349
350         2. Treated as if it was a non-extensible ordinary object with no own properties.
351             Object.freeze
352             Object.isExtensible
353             Object.isFrozen
354             Object.isSealed
355             Object.preventExtensions
356             Object.seal
357
358         * runtime/ObjectConstructor.cpp:
359         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
360         (JSC::objectConstructorGetPrototypeOf):
361         (JSC::objectConstructorGetOwnPropertyDescriptor):
362         (JSC::objectConstructorGetOwnPropertyNames):
363         (JSC::objectConstructorKeys):
364         (JSC::objectConstructorSeal):
365         (JSC::objectConstructorFreeze):
366         (JSC::objectConstructorPreventExtensions):
367         (JSC::objectConstructorIsSealed):
368         (JSC::objectConstructorIsFrozen):
369         (JSC::objectConstructorIsExtensible):
370         * tests/stress/object-freeze-accept-non-object.js: Added.
371         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
372         (canary):
373         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
374         (compare):
375         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
376         * tests/stress/object-is-extensible-accept-non-object.js: Added.
377         * tests/stress/object-is-frozen-accept-non-object.js: Added.
378         * tests/stress/object-is-sealed-accept-non-object.js: Added.
379         * tests/stress/object-keys-perform-to-object.js: Added.
380         (compare):
381         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
382         * tests/stress/object-seal-accept-non-object.js: Added.
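The two groups of Object.* functions listed above, exercised on primitives as an added JavaScript example that is not part of the ChangeLog or of the WebKit stress tests it lists; the `probe` and `es5StyleGuard` helpers are constructed for illustration.

```javascript
// Added example (not WebKit code): probes the ES6 Annex E behaviour of the
// Object.* functions whose non-object handling this entry relaxes.

// Calls fn(value) and reports either the result or the thrown error's name,
// so one helper can describe both the coercing and the throwing cases.
function probe(fn, value) {
  try {
    return { threw: null, result: fn(value) };
  } catch (e) {
    return { threw: e.constructor.name, result: undefined };
  }
}

// Group 1: ToObject is applied, so a primitive string behaves like a String
// wrapper object. null and undefined cannot be converted and still throw.
function group1() {
  return {
    keys: Object.keys('ab'),                                           // ['0', '1']
    names: Object.getOwnPropertyNames('ab'),                           // ['0', '1', 'length']
    proto: Object.getPrototypeOf(42) === Number.prototype,             // true
    lengthDesc: Object.getOwnPropertyDescriptor('ab', 'length').value, // 2
    keysOfNull: probe(Object.keys, null).threw,                        // 'TypeError'
  };
}

// Group 2: a primitive is treated as a non-extensible ordinary object with no
// own properties: the predicates answer accordingly, the mutators return their
// argument untouched, and null/undefined are accepted as well.
function group2() {
  return {
    isExtensible: Object.isExtensible(1),        // false
    isFrozen: Object.isFrozen('x'),              // true
    isSealed: Object.isSealed(undefined),        // true
    freezeReturnsArg: Object.freeze(7) === 7,    // true
    sealReturnsArg: Object.seal(null) === null,  // true
    preventExt: Object.preventExtensions(true),  // true
  };
}

// For contrast, the ES5 rule the patch replaces: a non-object first parameter
// raised TypeError for every one of these functions. (Constructed wrapper.)
function es5StyleGuard(fn) {
  return function (value) {
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
      throw new TypeError('Object.* called on non-object');
    }
    return fn(value);
  };
}

function es5Contrast() {
  return probe(es5StyleGuard(Object.keys), 'ab').threw; // 'TypeError'
}
```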
383
384 2015-03-31  Matt Baker  <mattbaker@apple.com>
385
386         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
387         https://bugs.webkit.org/show_bug.cgi?id=137278
388
389         Reviewed by Timothy Hatcher.
390
391         Added Canvas protocol which defines types used by InspectorCanvasAgent.
392
393         * CMakeLists.txt:
394         * DerivedSources.make:
395         * inspector/protocol/Canvas.json: Added.
396
397         * inspector/scripts/codegen/generator.py:
398         (Generator.stylized_name_for_enum_value):
399         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
400
401 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
402
403         Extending null should set __proto__ to null
404         https://bugs.webkit.org/show_bug.cgi?id=142882
405
406         Reviewed by Geoffrey Garen and Benjamin Poulain.
407
408         Set Derived.prototype.__proto__ to null when extending null.
409
410         * bytecompiler/NodesCodegen.cpp:
411         (JSC::ClassExprNode::emitBytecode):
412
413 2015-03-30  Mark Lam  <mark.lam@apple.com>
414
415         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
416         <https://webkit.org/b/143105>
417
418         Reviewed by Filip Pizlo.
419
420         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
421         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
422         JIT frames that may have their scope register not set.  The Debugger's current implementation
423         which relies on the scope register is not happy about this.  For example, this results in a
424         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
425
426         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
427         ensure that the scope register value is flushed to the register in the stack frame.
428
429         * dfg/DFGByteCodeParser.cpp:
430         (JSC::DFG::ByteCodeParser::ByteCodeParser):
431         (JSC::DFG::ByteCodeParser::setLocal):
432         (JSC::DFG::ByteCodeParser::flush):
433         - Add code to flush the scope register.
434         (JSC::DFG::ByteCodeParser::inliningCost):
435         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
436           disabling inlining whenever the debugger is in use.
437         * dfg/DFGGraph.cpp:
438         (JSC::DFG::Graph::Graph):
439         * dfg/DFGGraph.h:
440         (JSC::DFG::Graph::hasDebuggerEnabled):
441         * dfg/DFGStackLayoutPhase.cpp:
442         (JSC::DFG::StackLayoutPhase::run):
443         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
444         * ftl/FTLCompile.cpp:
445         (JSC::FTL::mmAllocateDataSection):
446         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
447
448 2015-03-30  Michael Saboff  <msaboff@apple.com>
449
450         Fix flaky float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
451         https://bugs.webkit.org/show_bug.cgi?id=138391
452
453         Reviewed by Mark Lam.
454
455         Re-enabling these tests as I can't get them to fail on local iOS test devices.
456         There have been many changes since these tests were disabled.
457         I'll watch automated test results for failures.  If there are failures running automated
458         testing, it might be due to the device's relative CPU performance.
459         
460         * tests/stress/float32-repeat-out-of-bounds.js:
461         * tests/stress/int8-repeat-out-of-bounds.js:
462
463 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
464
465         Web Inspector: Regression: Preview for [[null]] shouldn't be []
466         https://bugs.webkit.org/show_bug.cgi?id=143208
467
468         Reviewed by Mark Lam.
469
470         * inspector/InjectedScriptSource.js:
471         Handle null when generating simple object previews.
472
473 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
474
475         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
476         https://bugs.webkit.org/show_bug.cgi?id=143134
477
478         Reviewed by Geoffrey Garen.
479
480         * jit/JSInterfaceJIT.h:
481         * jit/Repatch.cpp:
482         (JSC::tryCacheGetByID):
483
484 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
485
486         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
487         https://bugs.webkit.org/show_bug.cgi?id=143104
488
489         Reviewed by Geoffrey Garen.
490         
491         Created a test that is a 100% repro of the flaky failure. This test is called
492         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
493         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
494         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
495         
496         Also created three more tests for three similar, but not identical, failures.
497         
498         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
499         only reading those parts of the stack that are relevant to the current semantic code origin.
500         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
501         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
502         read parts of the stack associated with the inline call frame for the phantom arguments. This
503         may not be subsumed by the current semantic origin's stack area in cases that the arguments
504         were allowed to "locally" escape.
505         
506         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
507         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
508         the stack due to function.arguments, but there are a bunch of other ways that we could also
509         read the stack and those operations may read any stack slot. I believe that this change makes
510         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
511         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
512         readTop() in PreciseLocalClobberize does the right thing.
513
514         * dfg/DFGClobberize.h:
515         (JSC::DFG::clobberize):
516         * dfg/DFGPreciseLocalClobberize.h:
517         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
518         * dfg/DFGPutStackSinkingPhase.cpp:
519         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
520         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
521         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
522         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
523         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
524
525 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
526
527         Start the features.json files
528         https://bugs.webkit.org/show_bug.cgi?id=143207
529
530         Reviewed by Darin Adler.
531
532         Start the features.json files to have something to experiment
533         with for the UI.
534
535         * features.json: Added.
536
537 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
538
539         [Win] Addressing post-review comment after r182122
540         https://bugs.webkit.org/show_bug.cgi?id=143189
541
542         Unreviewed.
543
544 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
545
546         [Win] Allow building JavaScriptCore without Cygwin
547         https://bugs.webkit.org/show_bug.cgi?id=143189
548
549         Reviewed by Brent Fulgham.
550
551         Paths like /usr/bin/ don't exist on Windows.
552         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
553         Prefixing commands with environment variables doesn't work on Windows.
554         Windows doesn't have 'cmp'.
555         Windows uses 'del' instead of 'rm'.
556         Windows uses 'type NUL' instead of 'touch'.
557
558         * DerivedSources.make:
559         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
560         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
561         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
562         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
563         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
564         * JavaScriptCore.vcxproj/build-generated-files.pl:
565         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
566
567 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
568
569         Clean up JavaScriptCore/builtins
570         https://bugs.webkit.org/show_bug.cgi?id=143177
571
572         Reviewed by Ryosuke Niwa.
573
574         * builtins/ArrayConstructor.js:
575         (from):
576         - We can compare to undefined instead of using a typeof undefined check.
577         - Converge on double quoted strings everywhere.
578
579         * builtins/ArrayIterator.prototype.js:
580         (next):
581         * builtins/StringIterator.prototype.js:
582         (next):
583         - Use shorthand object construction to avoid duplication.
584         - Improve grammar in error messages.
585
586         * tests/stress/array-iterators-next-with-call.js:
587         * tests/stress/string-iterators.js:
588         - Update for new error message strings.
589
590 2015-03-28  Saam Barati  <saambarati1@gmail.com>
591
592         Web Inspector: ES6: Better support for Symbol types in Type Profiler
593         https://bugs.webkit.org/show_bug.cgi?id=141257
594
595         Reviewed by Joseph Pecoraro.
596
597         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
598         type profiler support this new primitive type.
599
600         * dfg/DFGFixupPhase.cpp:
601         (JSC::DFG::FixupPhase::fixupNode):
602         * inspector/protocol/Runtime.json:
603         * runtime/RuntimeType.cpp:
604         (JSC::runtimeTypeForValue):
605         * runtime/RuntimeType.h:
606         (JSC::runtimeTypeIsPrimitive):
607         * runtime/TypeSet.cpp:
608         (JSC::TypeSet::addTypeInformation):
609         (JSC::TypeSet::dumpTypes):
610         (JSC::TypeSet::doesTypeConformTo):
611         (JSC::TypeSet::displayName):
612         (JSC::TypeSet::inspectorTypeSet):
613         (JSC::TypeSet::toJSONString):
614         * runtime/TypeSet.h:
615         (JSC::TypeSet::seenTypes):
616         * tests/typeProfiler/driver/driver.js:
617         * tests/typeProfiler/symbol.js: Added.
618         (wrapper.foo):
619         (wrapper.bar):
620         (wrapper.bar.bar.baz):
621         (wrapper):
622
623 2015-03-27  Saam Barati  <saambarati1@gmail.com>
624
625         Deconstruction parameters are bound too late
626         https://bugs.webkit.org/show_bug.cgi?id=143148
627
628         Reviewed by Filip Pizlo.
629
630         Currently, a deconstruction pattern named with the same
631         name as a function will shadow the function. This is
632         wrong. It should be the other way around.
633
634         * bytecompiler/BytecodeGenerator.cpp:
635         (JSC::BytecodeGenerator::generate):
636
637 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
638
639         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
640         https://bugs.webkit.org/show_bug.cgi?id=143170
641
642         Reviewed by Benjamin Poulain.
643
644         Assert that we never use 16-bit version of the parser to parse a default constructor
645         since both base and derived default constructors should be using an 8-bit string.
646
647         * parser/Parser.h:
648         (JSC::parse):
649
650 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
651
652         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
653         https://bugs.webkit.org/show_bug.cgi?id=142862
654
655         Reviewed by Benjamin Poulain.
656
657         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
658
659         * tests/stress/class-syntax-derived-default-constructor.js: Added.
660
661 2015-03-27  Michael Saboff  <msaboff@apple.com>
662
663         load8Signed() and load16Signed() should be renamed to avoid confusion
664         https://bugs.webkit.org/show_bug.cgi?id=143168
665
666         Reviewed by Benjamin Poulain.
667
668         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
669
670         * assembler/MacroAssemblerARM.h:
671         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
672         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
673         (JSC::MacroAssemblerARM::load8Signed): Deleted.
674         (JSC::MacroAssemblerARM::load16Signed): Deleted.
675         * assembler/MacroAssemblerARM64.h:
676         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
677         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
678         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
679         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
680         * assembler/MacroAssemblerARMv7.h:
681         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
682         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
683         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
684         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
685         * assembler/MacroAssemblerMIPS.h:
686         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
687         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
688         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
689         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
690         * assembler/MacroAssemblerSH4.h:
691         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
692         (JSC::MacroAssemblerSH4::load8):
693         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
694         (JSC::MacroAssemblerSH4::load16):
695         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
696         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
697         * assembler/MacroAssemblerX86Common.h:
698         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
699         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
700         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
701         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
702         * dfg/DFGSpeculativeJIT.cpp:
703         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
704         * jit/JITPropertyAccess.cpp:
705         (JSC::JIT::emitIntTypedArrayGetByVal):
706
707 2015-03-27  Michael Saboff  <msaboff@apple.com>
708
709         Fix flaky dfg-int8array.js and dfg-int16array.js tests for ARM64
710         https://bugs.webkit.org/show_bug.cgi?id=138390
711
712         Reviewed by Mark Lam.
713
714         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
715         instead of 64 bits.  This is what X86-64 does.
716
717         * assembler/MacroAssemblerARM64.h:
718         (JSC::MacroAssemblerARM64::load16Signed):
719         (JSC::MacroAssemblerARM64::load8Signed):
720
721 2015-03-27  Saam Barati  <saambarati1@gmail.com>
722
723         Add back previously broken assert from bug 141869
724         https://bugs.webkit.org/show_bug.cgi?id=143005
725
726         Reviewed by Michael Saboff.
727
728         * runtime/ExceptionHelpers.cpp:
729         (JSC::invalidParameterInSourceAppender):
730
731 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
732
733         Make some more objects use FastMalloc
734         https://bugs.webkit.org/show_bug.cgi?id=143122
735
736         Reviewed by Csaba Osztrogonác.
737
738         * API/JSCallbackObject.h:
739         * heap/IncrementalSweeper.h:
740         * jit/JITThunks.h:
741         * runtime/JSGlobalObjectDebuggable.h:
742         * runtime/RegExpCache.h:
743
744 2015-03-27  Michael Saboff  <msaboff@apple.com>
745
746         Objects with numeric properties intermittently get a phantom 'length' property
747         https://bugs.webkit.org/show_bug.cgi?id=142792
748
749         Reviewed by Csaba Osztrogonác.
750
751         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
752         test and branch instructions.  This function is used for linking tbz/tbnz branches between
753         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
754         the failure case checks in the GetById array length stub created for "obj.length" access.
755         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
756         being set when we should have been looking for bit 0.
757
758         * assembler/ARM64Assembler.h:
759         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
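
As an added example (not WebKit code) of the field extraction the entry above fixes: an AArch64 TBZ/TBNZ word carries the tested bit number split across bit 31 (b5) and bits 23:19 (b40), a signed 14-bit word offset in bits 18:5, the TBZ/TBNZ selector in bit 24 and the register in bits 4:0, so a negative branch offset sets bit 18 and a bit number of 32 or above sets bit 31. The decoder below pulls each field out with shifts and masks and the encoder rebuilds the word; the function names are mine and the field layout is taken from the ARM Architecture Reference Manual. The exact mistyped expression in ARM64Assembler.h is not reproduced here.

```javascript
// Added example, not WebKit code: decode and encode AArch64 TBZ/TBNZ
// ("test bit and branch") instruction words. Field layout:
//   [31]    b5      high bit of the tested bit number
//   [30:25] 011011  fixed opcode bits
//   [24]    op      0 = TBZ, 1 = TBNZ
//   [23:19] b40     low five bits of the tested bit number
//   [18:5]  imm14   signed branch offset in words (bytes / 4)
//   [4:0]   Rt      register being tested
// Bit 31 must be *shifted* down ((insn >>> 31) & 1); a comparison such as
// (insn > 31) would yield 1 for nearly every instruction word.

const TEST_AND_BRANCH_MASK = 0x7e000000;  // bits [30:25]
const TEST_AND_BRANCH_FIXED = 0x36000000; // 011011 << 25

function isTestAndBranch(insn) {
  return ((insn & TEST_AND_BRANCH_MASK) >>> 0) === TEST_AND_BRANCH_FIXED;
}

// Returns { isTbnz, rt, bitNumber, offsetBytes } or null for other opcodes.
function decodeTestAndBranch(insn) {
  insn = insn >>> 0; // normalise to an unsigned 32-bit value
  if (!isTestAndBranch(insn)) return null;
  const b5 = (insn >>> 31) & 1;
  const b40 = (insn >>> 19) & 0x1f;
  const imm14 = (insn >>> 5) & 0x3fff;
  return {
    isTbnz: ((insn >>> 24) & 1) === 1,
    rt: insn & 0x1f,
    bitNumber: (b5 << 5) | b40,
    // sign-extend the 14-bit immediate, then scale words to bytes
    offsetBytes: ((imm14 << 18) >> 18) * 4,
  };
}

// Builds the instruction word; offsetBytes is relative to the instruction.
function encodeTestAndBranch(isTbnz, rt, bitNumber, offsetBytes) {
  if (bitNumber < 0 || bitNumber > 63) throw new RangeError("bit number out of range");
  if (offsetBytes % 4 !== 0) throw new RangeError("offset must be word aligned");
  const imm14 = offsetBytes / 4;
  if (imm14 < -8192 || imm14 > 8191) throw new RangeError("offset out of range");
  const word =
    (((bitNumber >>> 5) & 1) << 31) |
    TEST_AND_BRANCH_FIXED |
    ((isTbnz ? 1 : 0) << 24) |
    ((bitNumber & 0x1f) << 19) |
    ((imm14 & 0x3fff) << 5) |
    (rt & 0x1f);
  return word >>> 0;
}
```

A negative offset such as `tbz w0, #0, -8` encodes as 0x3607FFC0 (imm14 = 0x3FFE), and anything testing bit 32 or above sets bit 31 of the word, which is why both the sign bit of imm14 and b5 need a shift rather than a comparison to recover.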
760
761 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
762
763         Insert exception check around toPropertyKey call
764         https://bugs.webkit.org/show_bug.cgi?id=142922
765
766         Reviewed by Geoffrey Garen.
767
768         In some places, an exception check is missing after/before toPropertyKey.
769         However, since it calls toString, it's observable to users.
770
771         Missing exception checks in Object.prototype methods can be
772         observed since they would be overridden with toObject(null/undefined) errors.
773         We inserted exception checks after toPropertyKey.
774
775         Missing exception checks in GetById related code can be
776         observed since they would be overridden with toObject(null/undefined) errors.
777         In this case, we need to insert exception checks before/after toPropertyKey
778         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
779
780         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
781         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
782         According to the spec, we first perform RequireObjectCoercible and check the exception.
783         And second, we perform ToPropertyKey and check the exception.
784         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
785         For example, if the target is not object coercible,
786         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
787         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
788
789         This patch introduces JSValue::requireObjectCoercible and uses it for the following 2 reasons.
790
791         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
792
793         toObject converts primitive types into wrapper objects.
794         But it is not efficient since wrapper objects are not necessary
795         if we look up methods from primitive values' prototype. (using synthesizePrototype is better).
796
797         2. Using the result of toObject is not correct to the spec.
798
799         To align to the spec correctly, we cannot use JSObject::get
800         by using the wrapper object produced by the toObject suggested in (1).
801         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
802         It is not correct since getter should be called with the original |this| value that may be primitive types.
803
804         So in this patch, we use JSValue::requireObjectCoercible
805         to check the target is object coercible and raise an error if it's not.
806
807         * dfg/DFGOperations.cpp:
808         * jit/JITOperations.cpp:
809         (JSC::getByVal):
810         * llint/LLIntSlowPaths.cpp:
811         (JSC::LLInt::getByVal):
812         * runtime/CommonSlowPaths.cpp:
813         (JSC::SLOW_PATH_DECL):
814         * runtime/JSCJSValue.h:
815         * runtime/JSCJSValueInlines.h:
816         (JSC::JSValue::requireObjectCoercible):
817         * runtime/ObjectPrototype.cpp:
818         (JSC::objectProtoFuncHasOwnProperty):
819         (JSC::objectProtoFuncDefineGetter):
820         (JSC::objectProtoFuncDefineSetter):
821         (JSC::objectProtoFuncLookupGetter):
822         (JSC::objectProtoFuncLookupSetter):
823         (JSC::objectProtoFuncPropertyIsEnumerable):
824         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
825         (shouldThrow):
826         (if):
827         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
828         (shouldThrow):
829         (.):
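
The ordering the entry above describes can be checked from script. For `base[key]` the specification performs RequireObjectCoercible(base) before ToPropertyKey(key), so a null base must fail before the key's toString ever runs; Object.prototype.hasOwnProperty and propertyIsEnumerable do the opposite, converting the key first and only then coercing |this|, so there an exception thrown from toString must win over the null/undefined TypeError. The following is an added example, not part of the WebKit patch or its stress tests; the Probe class and the function names are mine, and the expected results follow the ECMAScript specification, which any conforming engine reproduces.

```javascript
// Added example, not WebKit code: observe the order of RequireObjectCoercible
// versus ToPropertyKey from plain JavaScript. A property key whose toString()
// throws records whether ToPropertyKey was reached at all.

class Probe {
  constructor() { this.toStringCalled = false; }
  toString() {
    this.toStringCalled = true;
    throw new Error("from toString");
  }
}

// Runs fn with a fresh probe key and reports what happened.
function observe(fn) {
  const key = new Probe();
  let error = null;
  try { fn(key); } catch (e) { error = e; }
  return {
    errorType: error === null ? "none" : error.constructor.name,
    message: error === null ? "" : error.message,
    toStringCalled: key.toStringCalled,
  };
}

// base[key] with a null base: RequireObjectCoercible runs first, so the
// result is a TypeError and toString is never invoked.
function getByValOnNull() {
  return observe((key) => null[key]);
}

// Object.prototype.hasOwnProperty(V): ToPropertyKey(V) runs before
// ToObject(this), so the toString error is the one observed.
function hasOwnPropertyOnNull() {
  return observe((key) => Object.prototype.hasOwnProperty.call(null, key));
}

// Object.prototype.propertyIsEnumerable(V) has the same ordering.
function propertyIsEnumerableOnNull() {
  return observe((key) => Object.prototype.propertyIsEnumerable.call(null, key));
}

// With an object-coercible base, the toString error propagates through a
// normal get-by-val as well.
function getByValOnObject() {
  return observe((key) => ({})[key]);
}
```

The two cases that matter for the patch are the first two: an engine that converted the key before checking the base would report the toString error for `null[key]`, and one that checked the exception too late in hasOwnProperty would report the TypeError instead.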
830
831 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
832
833         WebContent Crash when instantiating class with Type Profiling enabled
834         https://bugs.webkit.org/show_bug.cgi?id=143037
835
836         Reviewed by Ryosuke Niwa.
837
838         * bytecompiler/BytecodeGenerator.h:
839         * bytecompiler/BytecodeGenerator.cpp:
840         (JSC::BytecodeGenerator::BytecodeGenerator):
841         (JSC::BytecodeGenerator::emitMoveEmptyValue):
842         We cannot profile the type of an uninitialized empty JSValue.
843         Nor do we expect this to be necessary, since it is effectively
844         an unseen undefined value. So add a way to put the empty value
845         without profiling.
846
847         (JSC::BytecodeGenerator::emitMove):
848         Add an assert to try to catch this issue early on, and force
849         callers to explicitly use emitMoveEmptyValue instead.
850
851         * tests/typeProfiler/classes.js: Added.
852         (wrapper.Base):
853         (wrapper.Derived):
854         (wrapper):
855         Add test coverage both for this case and classes in general.
856
857 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
858
859         Web Inspector: ES6: Provide a better view for Classes in the console
860         https://bugs.webkit.org/show_bug.cgi?id=142999
861
862         Reviewed by Timothy Hatcher.
863
864         * inspector/protocol/Runtime.json:
865         Provide a new `subtype` enum "class". This is a subtype of `type`
866         "function", all other subtypes are subtypes of `object` types.
867         For a class, the frontend will immediately want to get the prototype
868         to enumerate its methods, so include the `classPrototype`.
869
870         * inspector/JSInjectedScriptHost.cpp:
871         (Inspector::JSInjectedScriptHost::subtype):
872         Denote class construction functions as "class" subtypes.
873
874         * inspector/InjectedScriptSource.js:
875         Handling for the new "class" type.
876
877         * bytecode/UnlinkedCodeBlock.h:
878         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
879         * runtime/Executable.h:
880         (JSC::FunctionExecutable::isClassConstructorFunction):
881         * runtime/JSFunction.h:
882         * runtime/JSFunctionInlines.h:
883         (JSC::JSFunction::isClassConstructorFunction):
884         Check if this function is a class constructor function. That information
885         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
886
887 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
888
889         Function.prototype.toString should not decompile the AST
890         https://bugs.webkit.org/show_bug.cgi?id=142853
891
892         Reviewed by Darin Adler.
893
894         Following up on Darin's review comments.
895
896         * runtime/FunctionConstructor.cpp:
897         (JSC::constructFunctionSkippingEvalEnabledCheck):
898
899 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
900
901         "lineNo" does not match WebKit coding style guidelines
902         https://bugs.webkit.org/show_bug.cgi?id=143119
903
904         Reviewed by Michael Saboff.
905
906         We can afford to use whole words.
907
908         * bytecode/CodeBlock.cpp:
909         (JSC::CodeBlock::lineNumberForBytecodeOffset):
910         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
911         * bytecode/UnlinkedCodeBlock.cpp:
912         (JSC::UnlinkedFunctionExecutable::link):
913         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
914         * bytecode/UnlinkedCodeBlock.h:
915         * bytecompiler/NodesCodegen.cpp:
916         (JSC::WhileNode::emitBytecode):
917         * debugger/Debugger.cpp:
918         (JSC::Debugger::toggleBreakpoint):
919         * interpreter/Interpreter.cpp:
920         (JSC::StackFrame::computeLineAndColumn):
921         (JSC::GetStackTraceFunctor::operator()):
922         (JSC::Interpreter::execute):
923         * interpreter/StackVisitor.cpp:
924         (JSC::StackVisitor::Frame::computeLineAndColumn):
925         * parser/Nodes.h:
926         (JSC::Node::firstLine):
927         (JSC::Node::lineNo): Deleted.
928         (JSC::StatementNode::firstLine): Deleted.
929         * parser/ParserError.h:
930         (JSC::ParserError::toErrorObject):
931         * profiler/LegacyProfiler.cpp:
932         (JSC::createCallIdentifierFromFunctionImp):
933         * runtime/CodeCache.cpp:
934         (JSC::CodeCache::getGlobalCodeBlock):
935         * runtime/Executable.cpp:
936         (JSC::ScriptExecutable::ScriptExecutable):
937         (JSC::ScriptExecutable::newCodeBlockFor):
938         (JSC::FunctionExecutable::fromGlobalCode):
939         * runtime/Executable.h:
940         (JSC::ScriptExecutable::firstLine):
941         (JSC::ScriptExecutable::setOverrideLineNumber):
942         (JSC::ScriptExecutable::hasOverrideLineNumber):
943         (JSC::ScriptExecutable::overrideLineNumber):
944         (JSC::ScriptExecutable::lineNo): Deleted.
945         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
946         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
947         (JSC::ScriptExecutable::overrideLineNo): Deleted.
948         * runtime/FunctionConstructor.cpp:
949         (JSC::constructFunctionSkippingEvalEnabledCheck):
950         * runtime/FunctionConstructor.h:
951         * tools/CodeProfile.cpp:
952         (JSC::CodeProfile::report):
953         * tools/CodeProfile.h:
954         (JSC::CodeProfile::CodeProfile):
955
956 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
957
958         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
959         https://bugs.webkit.org/show_bug.cgi?id=142974
960
961         Reviewed by Joseph Pecoraro.
962
963         This patch does two things:
964
965         (1) Restore JavaScriptCore's sanitization of line and column numbers to
966         one-based values.
967
968         We need this because WebCore sometimes provides huge negative column
969         numbers.
970
971         (2) Solve the attribute event listener line numbering problem a different
972         way: Rather than offsetting all line numbers by -1 in an attribute event
973         listener in order to arrange for a custom result, instead use an explicit
974         feature for saying "all errors in this code should map to this line number".
975
976         * bytecode/UnlinkedCodeBlock.cpp:
977         (JSC::UnlinkedFunctionExecutable::link):
978         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
979         * bytecode/UnlinkedCodeBlock.h:
980         * interpreter/Interpreter.cpp:
981         (JSC::StackFrame::computeLineAndColumn):
982         (JSC::GetStackTraceFunctor::operator()):
983         * interpreter/Interpreter.h:
984         * interpreter/StackVisitor.cpp:
985         (JSC::StackVisitor::Frame::computeLineAndColumn):
986         * parser/ParserError.h:
987         (JSC::ParserError::toErrorObject): Plumb through an override line number.
988         When a function has an override line number, all syntax and runtime
989         errors in the function will map to it. This is useful for attribute event
990         listeners.
991  
992         * parser/SourceCode.h:
993         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
994         column numbers to one-based integers. It was kind of a hack to remove this.
995
996         * runtime/Executable.cpp:
997         (JSC::ScriptExecutable::ScriptExecutable):
998         (JSC::FunctionExecutable::fromGlobalCode):
999         * runtime/Executable.h:
1000         (JSC::ScriptExecutable::setOverrideLineNo):
1001         (JSC::ScriptExecutable::hasOverrideLineNo):
1002         (JSC::ScriptExecutable::overrideLineNo):
1003         * runtime/FunctionConstructor.cpp:
1004         (JSC::constructFunctionSkippingEvalEnabledCheck):
1005         * runtime/FunctionConstructor.h: Plumb through an override line number.
1006
1007 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1008
1009         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
1010
1011         Reviewed by Michael Saboff.
1012
1013         * jit/JITPropertyAccess.cpp:
1014         (JSC::JIT::emitScopedArgumentsGetByVal):
1015         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
1016
1017 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1018
1019         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
1020         https://bugs.webkit.org/show_bug.cgi?id=143098
1021
1022         Reviewed by Csaba Osztrogonác.
1023
1024         * ftl/FTLLowerDFGToLLVM.cpp:
1025         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
1026         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
1027
1028 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
1029
1030         Unreviewed gardening, skip failing tests on AArch64 Linux.
1031
1032         * tests/mozilla/mozilla-tests.yaml:
1033         * tests/stress/cached-prototype-setter.js:
1034
1035 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
1036
1037         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
1038
1039         * dfg/DFGConstantFoldingPhase.cpp:
1040         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
1041         * ftl/FTLCompile.cpp:
1042         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
1043         * ftl/FTLState.cpp:
1044         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
1045         * ftl/FTLState.h:
1046
1047 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1048
1049         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
1050         right, so this just makes 32-bit do the same.
1051
1052         * dfg/DFGSpeculativeJIT32_64.cpp:
1053         (JSC::DFG::SpeculativeJIT::emitCall):
1054
1055 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1056
1057         Fix a typo that ggaren found but that I didn't fix before.
1058
1059         * runtime/DirectArgumentsOffset.h:
1060
1061 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1062
1063         Unreviewed, VC found a bug. This fixes the bug.
1064
1065         * dfg/DFGConstantFoldingPhase.cpp:
1066         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1067
1068 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1069
1070         Unreviewed, try to fix Windows build.
1071
1072         * runtime/ClonedArguments.cpp:
1073         (JSC::ClonedArguments::createWithInlineFrame):
1074
1075 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1076
1077         Unreviewed, fix debug build.
1078
1079         * bytecompiler/NodesCodegen.cpp:
1080         (JSC::ConstDeclNode::emitCodeSingle):
1081
1082 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1083
1084         Unreviewed, fix CLOOP build.
1085
1086         * dfg/DFGMinifiedID.h:
1087
1088 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
1089
1090         Heap variables shouldn't end up in the stack frame
1091         https://bugs.webkit.org/show_bug.cgi?id=141174
1092
1093         Reviewed by Geoffrey Garen.
1094         
1095         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
1096         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
1097         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
1098         simplifications:
1099         
1100         - Accesses to variables no longer need checks or indirections to determine where the variable is
1101           at that moment in time. For example, loading a closure variable now takes just one load instead
1102           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
1103           (when no arguments object allocation is required) while previously that same operation required
1104           a "did I allocate arguments yet" check, a bounds check, and then the load.
1105         
1106         - Reasoning about the allocation of an activation or arguments object now follows the same simple
1107           logic as the allocation of any other kind of object. Previously, those objects were lazily
1108           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
1109           allocate anything at all. This made the implementation of traditional escape analyses really
1110           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
1111           arguments object using the usual SSA tricks which allows for more comprehensive removal.
1112         
1113         - The allocations of arguments objects, functions, and activations are now much faster. While
1114           this patch generally expands our ability to eliminate arguments object allocations, an earlier
1115           version of the patch - which lacked that functionality - was a progression on some arguments-
1116           and closure-happy benchmarks because although no allocations were eliminated, all allocations
1117           were faster.
1118         
1119         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
1120           its arguments objects or activations. The runtime doesn't have to do things to the arguments
1121           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
1122           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
1123           FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
1124           now gone. This also enables implementing block-scoping. Without this change, block-scope
1125           support would require telling CodeBlock and all of the rest of the runtime about all of the
1126           variables that store currently-live scopes. That would have been so disastrously hard that it
1127           might as well be impossible. With this change, it's fair game for the bytecode generator to
1128           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
1129           however long it wants. This all works, because after bytecode generation, an activation is just
1130           an object and variables that refer to it are just normal variables.
1131         
1132         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
1133           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
1134           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
1135           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
1136           an arguments object.
1137         
1138         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
1139           using activations used to prevent inlining; now functions that use activations can be inlined
1140           just fine.
1141         
1142         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
1143         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
1144         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
1145         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
1146         
1147         The easiest way of understanding this change is to start by looking at the changes in runtime/,
1148         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
1149
1150         * CMakeLists.txt:
1151         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1152         * JavaScriptCore.xcodeproj/project.pbxproj:
1153         * assembler/AbortReason.h:
1154         * assembler/AbstractMacroAssembler.h:
1155         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
1156         * bytecode/ByValInfo.h:
1157         (JSC::hasOptimizableIndexingForJSType):
1158         (JSC::hasOptimizableIndexing):
1159         (JSC::jitArrayModeForJSType):
1160         (JSC::jitArrayModePermitsPut):
1161         (JSC::jitArrayModeForStructure):
1162         * bytecode/BytecodeKills.h: Added.
1163         (JSC::BytecodeKills::BytecodeKills):
1164         (JSC::BytecodeKills::operandIsKilled):
1165         (JSC::BytecodeKills::forEachOperandKilledAt):
1166         (JSC::BytecodeKills::KillSet::KillSet):
1167         (JSC::BytecodeKills::KillSet::add):
1168         (JSC::BytecodeKills::KillSet::forEachLocal):
1169         (JSC::BytecodeKills::KillSet::contains):
1170         * bytecode/BytecodeList.json:
1171         * bytecode/BytecodeLivenessAnalysis.cpp:
1172         (JSC::isValidRegisterForLiveness):
1173         (JSC::stepOverInstruction):
1174         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
1175         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1176         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
1177         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1178         (JSC::BytecodeLivenessAnalysis::computeKills):
1179         (JSC::indexForOperand): Deleted.
1180         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
1181         (JSC::getLivenessInfo): Deleted.
1182         * bytecode/BytecodeLivenessAnalysis.h:
1183         * bytecode/BytecodeLivenessAnalysisInlines.h:
1184         (JSC::operandIsAlwaysLive):
1185         (JSC::operandThatIsNotAlwaysLiveIsLive):
1186         (JSC::operandIsLive):
1187         * bytecode/BytecodeUseDef.h:
1188         (JSC::computeUsesForBytecodeOffset):
1189         (JSC::computeDefsForBytecodeOffset):
1190         * bytecode/CodeBlock.cpp:
1191         (JSC::CodeBlock::dumpBytecode):
1192         (JSC::CodeBlock::CodeBlock):
1193         (JSC::CodeBlock::nameForRegister):
1194         (JSC::CodeBlock::validate):
1195         (JSC::CodeBlock::isCaptured): Deleted.
1196         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
1197         (JSC::CodeBlock::machineSlowArguments): Deleted.
1198         * bytecode/CodeBlock.h:
1199         (JSC::unmodifiedArgumentsRegister): Deleted.
1200         (JSC::CodeBlock::setArgumentsRegister): Deleted.
1201         (JSC::CodeBlock::argumentsRegister): Deleted.
1202         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
1203         (JSC::CodeBlock::usesArguments): Deleted.
1204         (JSC::CodeBlock::captureCount): Deleted.
1205         (JSC::CodeBlock::captureStart): Deleted.
1206         (JSC::CodeBlock::captureEnd): Deleted.
1207         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
1208         (JSC::CodeBlock::hasSlowArguments): Deleted.
1209         (JSC::ExecState::argumentAfterCapture): Deleted.
1210         * bytecode/CodeOrigin.h:
1211         * bytecode/DataFormat.h:
1212         (JSC::dataFormatToString):
1213         * bytecode/FullBytecodeLiveness.h:
1214         (JSC::FullBytecodeLiveness::getLiveness):
1215         (JSC::FullBytecodeLiveness::operandIsLive):
1216         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
1217         (JSC::FullBytecodeLiveness::getOut): Deleted.
1218         * bytecode/Instruction.h:
1219         (JSC::Instruction::Instruction):
1220         * bytecode/Operands.h:
1221         (JSC::Operands::virtualRegisterForIndex):
1222         * bytecode/SpeculatedType.cpp:
1223         (JSC::dumpSpeculation):
1224         (JSC::speculationToAbbreviatedString):
1225         (JSC::speculationFromClassInfo):
1226         * bytecode/SpeculatedType.h:
1227         (JSC::isDirectArgumentsSpeculation):
1228         (JSC::isScopedArgumentsSpeculation):
1229         (JSC::isActionableMutableArraySpeculation):
1230         (JSC::isActionableArraySpeculation):
1231         (JSC::isArgumentsSpeculation): Deleted.
1232         * bytecode/UnlinkedCodeBlock.cpp:
1233         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1234         * bytecode/UnlinkedCodeBlock.h:
1235         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
1236         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
1237         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
1238         * bytecode/ValueRecovery.cpp:
1239         (JSC::ValueRecovery::dumpInContext):
1240         * bytecode/ValueRecovery.h:
1241         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
1242         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
1243         (JSC::ValueRecovery::nodeID):
1244         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
1245         * bytecode/VirtualRegister.h:
1246         (JSC::VirtualRegister::operator==):
1247         (JSC::VirtualRegister::operator!=):
1248         (JSC::VirtualRegister::operator<):
1249         (JSC::VirtualRegister::operator>):
1250         (JSC::VirtualRegister::operator<=):
1251         (JSC::VirtualRegister::operator>=):
1252         * bytecompiler/BytecodeGenerator.cpp:
1253         (JSC::BytecodeGenerator::generate):
1254         (JSC::BytecodeGenerator::BytecodeGenerator):
1255         (JSC::BytecodeGenerator::initializeNextParameter):
1256         (JSC::BytecodeGenerator::visibleNameForParameter):
1257         (JSC::BytecodeGenerator::emitMove):
1258         (JSC::BytecodeGenerator::variable):
1259         (JSC::BytecodeGenerator::createVariable):
1260         (JSC::BytecodeGenerator::emitResolveScope):
1261         (JSC::BytecodeGenerator::emitGetFromScope):
1262         (JSC::BytecodeGenerator::emitPutToScope):
1263         (JSC::BytecodeGenerator::initializeVariable):
1264         (JSC::BytecodeGenerator::emitInstanceOf):
1265         (JSC::BytecodeGenerator::emitNewFunction):
1266         (JSC::BytecodeGenerator::emitNewFunctionInternal):
1267         (JSC::BytecodeGenerator::emitCall):
1268         (JSC::BytecodeGenerator::emitReturn):
1269         (JSC::BytecodeGenerator::emitConstruct):
1270         (JSC::BytecodeGenerator::isArgumentNumber):
1271         (JSC::BytecodeGenerator::emitEnumeration):
1272         (JSC::BytecodeGenerator::addVar): Deleted.
1273         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
1274         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
1275         (JSC::BytecodeGenerator::resolveCallee): Deleted.
1276         (JSC::BytecodeGenerator::addCallee): Deleted.
1277         (JSC::BytecodeGenerator::addParameter): Deleted.
1278         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
1279         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
1280         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
1281         (JSC::BytecodeGenerator::isCaptured): Deleted.
1282         (JSC::BytecodeGenerator::local): Deleted.
1283         (JSC::BytecodeGenerator::constLocal): Deleted.
1284         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
1285         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
1286         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
1287         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
1288         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
1289         * bytecompiler/BytecodeGenerator.h:
1290         (JSC::Variable::Variable):
1291         (JSC::Variable::isResolved):
1292         (JSC::Variable::ident):
1293         (JSC::Variable::offset):
1294         (JSC::Variable::isLocal):
1295         (JSC::Variable::local):
1296         (JSC::Variable::isSpecial):
1297         (JSC::BytecodeGenerator::argumentsRegister):
1298         (JSC::BytecodeGenerator::emitNode):
1299         (JSC::BytecodeGenerator::registerFor):
1300         (JSC::Local::Local): Deleted.
1301         (JSC::Local::operator bool): Deleted.
1302         (JSC::Local::get): Deleted.
1303         (JSC::Local::isSpecial): Deleted.
1304         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
1305         (JSC::ResolveScopeInfo::isLocal): Deleted.
1306         (JSC::ResolveScopeInfo::localIndex): Deleted.
1307         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
1308         (JSC::BytecodeGenerator::captureMode): Deleted.
1309         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
1310         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
1311         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
1312         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
1313         * bytecompiler/NodesCodegen.cpp:
1314         (JSC::ResolveNode::isPure):
1315         (JSC::ResolveNode::emitBytecode):
1316         (JSC::BracketAccessorNode::emitBytecode):
1317         (JSC::DotAccessorNode::emitBytecode):
1318         (JSC::EvalFunctionCallNode::emitBytecode):
1319         (JSC::FunctionCallResolveNode::emitBytecode):
1320         (JSC::CallFunctionCallDotNode::emitBytecode):
1321         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1322         (JSC::PostfixNode::emitResolve):
1323         (JSC::DeleteResolveNode::emitBytecode):
1324         (JSC::TypeOfResolveNode::emitBytecode):
1325         (JSC::PrefixNode::emitResolve):
1326         (JSC::ReadModifyResolveNode::emitBytecode):
1327         (JSC::AssignResolveNode::emitBytecode):
1328         (JSC::ConstDeclNode::emitCodeSingle):
1329         (JSC::EmptyVarExpression::emitBytecode):
1330         (JSC::ForInNode::tryGetBoundLocal):
1331         (JSC::ForInNode::emitLoopHeader):
1332         (JSC::ForOfNode::emitBytecode):
1333         (JSC::ArrayPatternNode::emitDirectBinding):
1334         (JSC::BindingNode::bindValue):
1335         (JSC::getArgumentByVal): Deleted.
1336         * dfg/DFGAbstractHeap.h:
1337         * dfg/DFGAbstractInterpreter.h:
1338         * dfg/DFGAbstractInterpreterInlines.h:
1339         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1340         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
1341         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
1342         * dfg/DFGAbstractValue.h:
1343         * dfg/DFGArgumentPosition.h:
1344         (JSC::DFG::ArgumentPosition::addVariable):
1345         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
1346         (JSC::DFG::performArgumentsElimination):
1347         * dfg/DFGArgumentsEliminationPhase.h: Added.
1348         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
1349         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
1350         * dfg/DFGArgumentsUtilities.cpp: Added.
1351         (JSC::DFG::argumentsInvolveStackSlot):
1352         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1353         * dfg/DFGArgumentsUtilities.h: Added.
1354         * dfg/DFGArrayMode.cpp:
1355         (JSC::DFG::ArrayMode::refine):
1356         (JSC::DFG::ArrayMode::alreadyChecked):
1357         (JSC::DFG::arrayTypeToString):
1358         * dfg/DFGArrayMode.h:
1359         (JSC::DFG::ArrayMode::canCSEStorage):
1360         (JSC::DFG::ArrayMode::modeForPut):
1361         * dfg/DFGAvailabilityMap.cpp:
1362         (JSC::DFG::AvailabilityMap::prune):
1363         * dfg/DFGAvailabilityMap.h:
1364         (JSC::DFG::AvailabilityMap::closeOverNodes):
1365         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
1366         * dfg/DFGBackwardsPropagationPhase.cpp:
1367         (JSC::DFG::BackwardsPropagationPhase::propagate):
1368         * dfg/DFGByteCodeParser.cpp:
1369         (JSC::DFG::ByteCodeParser::newVariableAccessData):
1370         (JSC::DFG::ByteCodeParser::getLocal):
1371         (JSC::DFG::ByteCodeParser::setLocal):
1372         (JSC::DFG::ByteCodeParser::getArgument):
1373         (JSC::DFG::ByteCodeParser::setArgument):
1374         (JSC::DFG::ByteCodeParser::flushDirect):
1375         (JSC::DFG::ByteCodeParser::flush):
1376         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
1377         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1378         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1379         (JSC::DFG::ByteCodeParser::handleInlining):
1380         (JSC::DFG::ByteCodeParser::parseBlock):
1381         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1382         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1383         * dfg/DFGCPSRethreadingPhase.cpp:
1384         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1385         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1386         * dfg/DFGCSEPhase.cpp:
1387         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
1388         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
1389         * dfg/DFGCapabilities.cpp:
1390         (JSC::DFG::isSupportedForInlining):
1391         (JSC::DFG::capabilityLevel):
1392         * dfg/DFGClobberize.h:
1393         (JSC::DFG::clobberize):
1394         * dfg/DFGCommon.h:
1395         * dfg/DFGCommonData.h:
1396         (JSC::DFG::CommonData::CommonData):
1397         * dfg/DFGConstantFoldingPhase.cpp:
1398         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1399         * dfg/DFGDCEPhase.cpp:
1400         (JSC::DFG::DCEPhase::cleanVariables):
1401         * dfg/DFGDisassembler.h:
1402         * dfg/DFGDoesGC.cpp:
1403         (JSC::DFG::doesGC):
1404         * dfg/DFGFixupPhase.cpp:
1405         (JSC::DFG::FixupPhase::fixupNode):
1406         * dfg/DFGFlushFormat.cpp:
1407         (WTF::printInternal):
1408         * dfg/DFGFlushFormat.h:
1409         (JSC::DFG::resultFor):
1410         (JSC::DFG::useKindFor):
1411         (JSC::DFG::dataFormatFor):
1412         * dfg/DFGForAllKills.h: Added.
1413         (JSC::DFG::forAllLiveNodesAtTail):
1414         (JSC::DFG::forAllDirectlyKilledOperands):
1415         (JSC::DFG::forAllKilledOperands):
1416         (JSC::DFG::forAllKilledNodesAtNodeIndex):
1417         (JSC::DFG::forAllKillsInBlock):
1418         * dfg/DFGGraph.cpp:
1419         (JSC::DFG::Graph::Graph):
1420         (JSC::DFG::Graph::dump):
1421         (JSC::DFG::Graph::substituteGetLocal):
1422         (JSC::DFG::Graph::livenessFor):
1423         (JSC::DFG::Graph::killsFor):
1424         (JSC::DFG::Graph::tryGetConstantClosureVar):
1425         (JSC::DFG::Graph::tryGetRegisters): Deleted.
1426         * dfg/DFGGraph.h:
1427         (JSC::DFG::Graph::symbolTableFor):
1428         (JSC::DFG::Graph::uses):
1429         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
1430         (JSC::DFG::Graph::capturedVarsFor): Deleted.
1431         (JSC::DFG::Graph::usesArguments): Deleted.
1432         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
1433         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
1434         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
1435         * dfg/DFGHeapLocation.cpp:
1436         (WTF::printInternal):
1437         * dfg/DFGHeapLocation.h:
1438         * dfg/DFGInPlaceAbstractState.cpp:
1439         (JSC::DFG::InPlaceAbstractState::initialize):
1440         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1441         * dfg/DFGJITCompiler.cpp:
1442         (JSC::DFG::JITCompiler::link):
1443         * dfg/DFGMayExit.cpp:
1444         (JSC::DFG::mayExit):
1445         * dfg/DFGMinifiedID.h:
1446         * dfg/DFGMinifiedNode.cpp:
1447         (JSC::DFG::MinifiedNode::fromNode):
1448         * dfg/DFGMinifiedNode.h:
1449         (JSC::DFG::belongsInMinifiedGraph):
1450         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
1451         (JSC::DFG::MinifiedNode::inlineCallFrame):
1452         * dfg/DFGNode.cpp:
1453         (JSC::DFG::Node::convertToIdentityOn):
1454         * dfg/DFGNode.h:
1455         (JSC::DFG::Node::hasConstant):
1456         (JSC::DFG::Node::constant):
1457         (JSC::DFG::Node::hasScopeOffset):
1458         (JSC::DFG::Node::scopeOffset):
1459         (JSC::DFG::Node::hasDirectArgumentsOffset):
1460         (JSC::DFG::Node::capturedArgumentsOffset):
1461         (JSC::DFG::Node::variablePointer):
1462         (JSC::DFG::Node::hasCallVarargsData):
1463         (JSC::DFG::Node::hasLoadVarargsData):
1464         (JSC::DFG::Node::hasHeapPrediction):
1465         (JSC::DFG::Node::hasCellOperand):
1466         (JSC::DFG::Node::objectMaterializationData):
1467         (JSC::DFG::Node::isPhantomAllocation):
1468         (JSC::DFG::Node::willHaveCodeGenOrOSR):
1469         (JSC::DFG::Node::shouldSpeculateDirectArguments):
1470         (JSC::DFG::Node::shouldSpeculateScopedArguments):
1471         (JSC::DFG::Node::isPhantomArguments): Deleted.
1472         (JSC::DFG::Node::hasVarNumber): Deleted.
1473         (JSC::DFG::Node::varNumber): Deleted.
1474         (JSC::DFG::Node::registerPointer): Deleted.
1475         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
1476         * dfg/DFGNodeType.h:
1477         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1478         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1479         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1480         * dfg/DFGOSRExitCompiler.cpp:
1481         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
1482         * dfg/DFGOSRExitCompiler.h:
1483         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
1484         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
1485         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
1486         * dfg/DFGOSRExitCompiler32_64.cpp:
1487         (JSC::DFG::OSRExitCompiler::compileExit):
1488         * dfg/DFGOSRExitCompiler64.cpp:
1489         (JSC::DFG::OSRExitCompiler::compileExit):
1490         * dfg/DFGOSRExitCompilerCommon.cpp:
1491         (JSC::DFG::reifyInlinedCallFrames):
1492         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
1493         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
1494         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
1495         * dfg/DFGOSRExitCompilerCommon.h:
1496         * dfg/DFGOperations.cpp:
1497         * dfg/DFGOperations.h:
1498         * dfg/DFGPlan.cpp:
1499         (JSC::DFG::Plan::compileInThreadImpl):
1500         * dfg/DFGPreciseLocalClobberize.h:
1501         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
1502         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
1503         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
1504         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1505         (JSC::DFG::preciseLocalClobberize):
1506         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
1507         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
1508         * dfg/DFGPredictionPropagationPhase.cpp:
1509         (JSC::DFG::PredictionPropagationPhase::run):
1510         (JSC::DFG::PredictionPropagationPhase::propagate):
1511         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1512         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
1513         * dfg/DFGPromoteHeapAccess.h:
1514         (JSC::DFG::promoteHeapAccess):
1515         * dfg/DFGPromotedHeapLocation.cpp:
1516         (WTF::printInternal):
1517         * dfg/DFGPromotedHeapLocation.h:
1518         * dfg/DFGSSAConversionPhase.cpp:
1519         (JSC::DFG::SSAConversionPhase::run):
1520         * dfg/DFGSafeToExecute.h:
1521         (JSC::DFG::safeToExecute):
1522         * dfg/DFGSpeculativeJIT.cpp:
1523         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1524         (JSC::DFG::SpeculativeJIT::emitGetLength):
1525         (JSC::DFG::SpeculativeJIT::emitGetCallee):
1526         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
1527         (JSC::DFG::SpeculativeJIT::checkArray):
1528         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1529         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1530         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1531         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1532         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
1533         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1534         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1535         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
1536         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
1537         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1538         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1539         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
1540         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
1541         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
1542         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
1543         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
1544         * dfg/DFGSpeculativeJIT.h:
1545         (JSC::DFG::SpeculativeJIT::callOperation):
1546         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1547         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1548         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
1549         * dfg/DFGSpeculativeJIT32_64.cpp:
1550         (JSC::DFG::SpeculativeJIT::emitCall):
1551         (JSC::DFG::SpeculativeJIT::compile):
1552         * dfg/DFGSpeculativeJIT64.cpp:
1553         (JSC::DFG::SpeculativeJIT::emitCall):
1554         (JSC::DFG::SpeculativeJIT::compile):
1555         * dfg/DFGStackLayoutPhase.cpp:
1556         (JSC::DFG::StackLayoutPhase::run):
1557         * dfg/DFGStrengthReductionPhase.cpp:
1558         (JSC::DFG::StrengthReductionPhase::handleNode):
1559         * dfg/DFGStructureRegistrationPhase.cpp:
1560         (JSC::DFG::StructureRegistrationPhase::run):
1561         * dfg/DFGUnificationPhase.cpp:
1562         (JSC::DFG::UnificationPhase::run):
1563         * dfg/DFGValidate.cpp:
1564         (JSC::DFG::Validate::validateCPS):
1565         * dfg/DFGValueSource.cpp:
1566         (JSC::DFG::ValueSource::dump):
1567         * dfg/DFGValueSource.h:
1568         (JSC::DFG::dataFormatToValueSourceKind):
1569         (JSC::DFG::valueSourceKindToDataFormat):
1570         (JSC::DFG::ValueSource::ValueSource):
1571         (JSC::DFG::ValueSource::forFlushFormat):
1572         (JSC::DFG::ValueSource::valueRecovery):
1573         * dfg/DFGVarargsForwardingPhase.cpp: Added.
1574         (JSC::DFG::performVarargsForwarding):
1575         * dfg/DFGVarargsForwardingPhase.h: Added.
1576         * dfg/DFGVariableAccessData.cpp:
1577         (JSC::DFG::VariableAccessData::VariableAccessData):
1578         (JSC::DFG::VariableAccessData::flushFormat):
1579         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1580         * dfg/DFGVariableAccessData.h:
1581         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
1582         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
1583         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
1584         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
1585         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
1586         * dfg/DFGVariableAccessDataDump.cpp:
1587         (JSC::DFG::VariableAccessDataDump::dump):
1588         * dfg/DFGVariableAccessDataDump.h:
1589         * dfg/DFGVariableEventStream.cpp:
1590         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
1591         * dfg/DFGVariableEventStream.h:
1592         * ftl/FTLAbstractHeap.cpp:
1593         (JSC::FTL::AbstractHeap::dump):
1594         (JSC::FTL::AbstractField::dump):
1595         (JSC::FTL::IndexedAbstractHeap::dump):
1596         (JSC::FTL::NumberedAbstractHeap::dump):
1597         (JSC::FTL::AbsoluteAbstractHeap::dump):
1598         * ftl/FTLAbstractHeap.h:
1599         * ftl/FTLAbstractHeapRepository.cpp:
1600         * ftl/FTLAbstractHeapRepository.h:
1601         * ftl/FTLCapabilities.cpp:
1602         (JSC::FTL::canCompile):
1603         * ftl/FTLCompile.cpp:
1604         (JSC::FTL::mmAllocateDataSection):
1605         * ftl/FTLExitArgument.cpp:
1606         (JSC::FTL::ExitArgument::dump):
1607         * ftl/FTLExitPropertyValue.cpp:
1608         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
1609         * ftl/FTLExitPropertyValue.h:
1610         * ftl/FTLExitTimeObjectMaterialization.cpp:
1611         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
1612         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
1613         * ftl/FTLExitTimeObjectMaterialization.h:
1614         (JSC::FTL::ExitTimeObjectMaterialization::origin):
1615         * ftl/FTLExitValue.cpp:
1616         (JSC::FTL::ExitValue::withLocalsOffset):
1617         (JSC::FTL::ExitValue::valueFormat):
1618         (JSC::FTL::ExitValue::dumpInContext):
1619         * ftl/FTLExitValue.h:
1620         (JSC::FTL::ExitValue::isArgument):
1621         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
1622         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
1623         (JSC::FTL::ExitValue::valueFormat): Deleted.
1624         * ftl/FTLInlineCacheSize.cpp:
1625         (JSC::FTL::sizeOfCallForwardVarargs):
1626         (JSC::FTL::sizeOfConstructForwardVarargs):
1627         (JSC::FTL::sizeOfICFor):
1628         * ftl/FTLInlineCacheSize.h:
1629         * ftl/FTLIntrinsicRepository.h:
1630         * ftl/FTLJSCallVarargs.cpp:
1631         (JSC::FTL::JSCallVarargs::JSCallVarargs):
1632         (JSC::FTL::JSCallVarargs::emit):
1633         * ftl/FTLJSCallVarargs.h:
1634         * ftl/FTLLowerDFGToLLVM.cpp:
1635         (JSC::FTL::LowerDFGToLLVM::lower):
1636         (JSC::FTL::LowerDFGToLLVM::compileNode):
1637         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
1638         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1639         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1640         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1641         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1642         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1643         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1644         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
1645         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
1646         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
1647         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
1648         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
1649         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
1650         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
1651         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
1652         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
1653         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
1654         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
1655         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
1656         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
1657         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
1658         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1659         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
1660         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
1661         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
1662         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
1663         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
1664         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
1665         (JSC::FTL::LowerDFGToLLVM::baseIndex):
1666         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1667         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
1668         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1669         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1670         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1671         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1672         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1673         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1674         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
1675         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
1676         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
1677         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
1678         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
1679         * ftl/FTLOSRExitCompiler.cpp:
1680         (JSC::FTL::compileRecovery):
1681         (JSC::FTL::compileStub):
1682         * ftl/FTLOperations.cpp:
1683         (JSC::FTL::operationMaterializeObjectInOSR):
1684         * ftl/FTLOutput.h:
1685         (JSC::FTL::Output::aShr):
1686         (JSC::FTL::Output::lShr):
1687         (JSC::FTL::Output::zeroExtPtr):
1688         * heap/CopyToken.h:
1689         * interpreter/CallFrame.h:
1690         (JSC::ExecState::getArgumentUnsafe):
1691         * interpreter/Interpreter.cpp:
1692         (JSC::sizeOfVarargs):
1693         (JSC::sizeFrameForVarargs):
1694         (JSC::loadVarargs):
1695         (JSC::unwindCallFrame):
1696         * interpreter/Interpreter.h:
1697         * interpreter/StackVisitor.cpp:
1698         (JSC::StackVisitor::Frame::createArguments):
1699         (JSC::StackVisitor::Frame::existingArguments): Deleted.
1700         * interpreter/StackVisitor.h:
1701         * jit/AssemblyHelpers.h:
1702         (JSC::AssemblyHelpers::storeValue):
1703         (JSC::AssemblyHelpers::loadValue):
1704         (JSC::AssemblyHelpers::storeTrustedValue):
1705         (JSC::AssemblyHelpers::branchIfNotCell):
1706         (JSC::AssemblyHelpers::branchIsEmpty):
1707         (JSC::AssemblyHelpers::argumentsStart):
1708         (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
1709         (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
1710         (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
1711         * jit/CCallHelpers.h:
1712         (JSC::CCallHelpers::setupArgument):
1713         * jit/GPRInfo.h:
1714         (JSC::JSValueRegs::withTwoAvailableRegs):
1715         * jit/JIT.cpp:
1716         (JSC::JIT::privateCompileMainPass):
1717         (JSC::JIT::privateCompileSlowCases):
1718         * jit/JIT.h:
1719         * jit/JITCall.cpp:
1720         (JSC::JIT::compileSetupVarargsFrame):
1721         * jit/JITCall32_64.cpp:
1722         (JSC::JIT::compileSetupVarargsFrame):
1723         * jit/JITInlines.h:
1724         (JSC::JIT::callOperation):
1725         * jit/JITOpcodes.cpp:
1726         (JSC::JIT::emit_op_create_lexical_environment):
1727         (JSC::JIT::emit_op_new_func):
1728         (JSC::JIT::emit_op_create_direct_arguments):
1729         (JSC::JIT::emit_op_create_scoped_arguments):
1730         (JSC::JIT::emit_op_create_out_of_band_arguments):
1731         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1732         (JSC::JIT::emit_op_create_arguments): Deleted.
1733         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1734         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1735         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1736         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1737         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1738         * jit/JITOpcodes32_64.cpp:
1739         (JSC::JIT::emit_op_create_lexical_environment):
1740         (JSC::JIT::emit_op_tear_off_arguments): Deleted.
1741         (JSC::JIT::emit_op_create_arguments): Deleted.
1742         (JSC::JIT::emit_op_init_lazy_reg): Deleted.
1743         (JSC::JIT::emit_op_get_arguments_length): Deleted.
1744         (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
1745         (JSC::JIT::emit_op_get_argument_by_val): Deleted.
1746         (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
1747         * jit/JITOperations.cpp:
1748         * jit/JITOperations.h:
1749         * jit/JITPropertyAccess.cpp:
1750         (JSC::JIT::emitGetClosureVar):
1751         (JSC::JIT::emitPutClosureVar):
1752         (JSC::JIT::emit_op_get_from_arguments):
1753         (JSC::JIT::emit_op_put_to_arguments):
1754         (JSC::JIT::emit_op_init_global_const):
1755         (JSC::JIT::privateCompileGetByVal):
1756         (JSC::JIT::emitDirectArgumentsGetByVal):
1757         (JSC::JIT::emitScopedArgumentsGetByVal):
1758         * jit/JITPropertyAccess32_64.cpp:
1759         (JSC::JIT::emitGetClosureVar):
1760         (JSC::JIT::emitPutClosureVar):
1761         (JSC::JIT::emit_op_get_from_arguments):
1762         (JSC::JIT::emit_op_put_to_arguments):
1763         (JSC::JIT::emit_op_init_global_const):
1764         * jit/SetupVarargsFrame.cpp:
1765         (JSC::emitSetupVarargsFrameFastCase):
1766         * llint/LLIntOffsetsExtractor.cpp:
1767         * llint/LLIntSlowPaths.cpp:
1768         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1769         * llint/LowLevelInterpreter.asm:
1770         * llint/LowLevelInterpreter32_64.asm:
1771         * llint/LowLevelInterpreter64.asm:
1772         * parser/Nodes.h:
1773         (JSC::ScopeNode::captures):
1774         * runtime/Arguments.cpp: Removed.
1775         * runtime/Arguments.h: Removed.
1776         * runtime/ArgumentsMode.h: Added.
1777         * runtime/DirectArgumentsOffset.cpp: Added.
1778         (JSC::DirectArgumentsOffset::dump):
1779         * runtime/DirectArgumentsOffset.h: Added.
1780         (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
1781         * runtime/CommonSlowPaths.cpp:
1782         (JSC::SLOW_PATH_DECL):
1783         * runtime/CommonSlowPaths.h:
1784         * runtime/ConstantMode.cpp: Added.
1785         (WTF::printInternal):
1786         * runtime/ConstantMode.h:
1787         (JSC::modeForIsConstant):
1788         * runtime/DirectArguments.cpp: Added.
1789         (JSC::DirectArguments::DirectArguments):
1790         (JSC::DirectArguments::createUninitialized):
1791         (JSC::DirectArguments::create):
1792         (JSC::DirectArguments::createByCopying):
1793         (JSC::DirectArguments::visitChildren):
1794         (JSC::DirectArguments::copyBackingStore):
1795         (JSC::DirectArguments::createStructure):
1796         (JSC::DirectArguments::overrideThings):
1797         (JSC::DirectArguments::overrideThingsIfNecessary):
1798         (JSC::DirectArguments::overrideArgument):
1799         (JSC::DirectArguments::copyToArguments):
1800         (JSC::DirectArguments::overridesSize):
1801         * runtime/DirectArguments.h: Added.
1802         (JSC::DirectArguments::internalLength):
1803         (JSC::DirectArguments::length):
1804         (JSC::DirectArguments::canAccessIndexQuickly):
1805         (JSC::DirectArguments::getIndexQuickly):
1806         (JSC::DirectArguments::setIndexQuickly):
1807         (JSC::DirectArguments::callee):
1808         (JSC::DirectArguments::argument):
1809         (JSC::DirectArguments::overrodeThings):
1810         (JSC::DirectArguments::offsetOfCallee):
1811         (JSC::DirectArguments::offsetOfLength):
1812         (JSC::DirectArguments::offsetOfMinCapacity):
1813         (JSC::DirectArguments::offsetOfOverrides):
1814         (JSC::DirectArguments::storageOffset):
1815         (JSC::DirectArguments::offsetOfSlot):
1816         (JSC::DirectArguments::allocationSize):
1817         (JSC::DirectArguments::storage):
1818         * runtime/FunctionPrototype.cpp:
1819         * runtime/GenericArguments.h: Added.
1820         (JSC::GenericArguments::GenericArguments):
1821         * runtime/GenericArgumentsInlines.h: Added.
1822         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1823         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1824         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1825         (JSC::GenericArguments<Type>::put):
1826         (JSC::GenericArguments<Type>::putByIndex):
1827         (JSC::GenericArguments<Type>::deleteProperty):
1828         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1829         (JSC::GenericArguments<Type>::defineOwnProperty):
1830         (JSC::GenericArguments<Type>::copyToArguments):
1831         * runtime/GenericOffset.h: Added.
1832         (JSC::GenericOffset::GenericOffset):
1833         (JSC::GenericOffset::operator!):
1834         (JSC::GenericOffset::offsetUnchecked):
1835         (JSC::GenericOffset::offset):
1836         (JSC::GenericOffset::operator==):
1837         (JSC::GenericOffset::operator!=):
1838         (JSC::GenericOffset::operator<):
1839         (JSC::GenericOffset::operator>):
1840         (JSC::GenericOffset::operator<=):
1841         (JSC::GenericOffset::operator>=):
1842         (JSC::GenericOffset::operator+):
1843         (JSC::GenericOffset::operator-):
1844         (JSC::GenericOffset::operator+=):
1845         (JSC::GenericOffset::operator-=):
1846         * runtime/JSArgumentsIterator.cpp:
1847         (JSC::JSArgumentsIterator::finishCreation):
1848         (JSC::argumentsFuncIterator):
1849         * runtime/JSArgumentsIterator.h:
1850         (JSC::JSArgumentsIterator::create):
1851         (JSC::JSArgumentsIterator::next):
1852         * runtime/JSEnvironmentRecord.cpp:
1853         (JSC::JSEnvironmentRecord::visitChildren):
1854         * runtime/JSEnvironmentRecord.h:
1855         (JSC::JSEnvironmentRecord::variables):
1856         (JSC::JSEnvironmentRecord::isValid):
1857         (JSC::JSEnvironmentRecord::variableAt):
1858         (JSC::JSEnvironmentRecord::offsetOfVariables):
1859         (JSC::JSEnvironmentRecord::offsetOfVariable):
1860         (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
1861         (JSC::JSEnvironmentRecord::allocationSize):
1862         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1863         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
1864         (JSC::JSEnvironmentRecord::finishCreation):
1865         (JSC::JSEnvironmentRecord::registers): Deleted.
1866         (JSC::JSEnvironmentRecord::registerAt): Deleted.
1867         (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
1868         (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
1869         * runtime/JSFunction.cpp:
1870         * runtime/JSGlobalObject.cpp:
1871         (JSC::JSGlobalObject::init):
1872         (JSC::JSGlobalObject::addGlobalVar):
1873         (JSC::JSGlobalObject::addFunction):
1874         (JSC::JSGlobalObject::visitChildren):
1875         (JSC::JSGlobalObject::addStaticGlobals):
1876         * runtime/JSGlobalObject.h:
1877         (JSC::JSGlobalObject::directArgumentsStructure):
1878         (JSC::JSGlobalObject::scopedArgumentsStructure):
1879         (JSC::JSGlobalObject::outOfBandArgumentsStructure):
1880         (JSC::JSGlobalObject::argumentsStructure): Deleted.
1881         * runtime/JSLexicalEnvironment.cpp:
1882         (JSC::JSLexicalEnvironment::symbolTableGet):
1883         (JSC::JSLexicalEnvironment::symbolTablePut):
1884         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1885         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
1886         (JSC::JSLexicalEnvironment::visitChildren): Deleted.
1887         * runtime/JSLexicalEnvironment.h:
1888         (JSC::JSLexicalEnvironment::create):
1889         (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
1890         (JSC::JSLexicalEnvironment::registersOffset): Deleted.
1891         (JSC::JSLexicalEnvironment::storageOffset): Deleted.
1892         (JSC::JSLexicalEnvironment::storage): Deleted.
1893         (JSC::JSLexicalEnvironment::allocationSize): Deleted.
1894         (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
1895         (JSC::JSLexicalEnvironment::isValid): Deleted.
1896         (JSC::JSLexicalEnvironment::registerAt): Deleted.
1897         * runtime/JSNameScope.cpp:
1898         (JSC::JSNameScope::visitChildren): Deleted.
1899         * runtime/JSNameScope.h:
1900         (JSC::JSNameScope::create):
1901         (JSC::JSNameScope::value):
1902         (JSC::JSNameScope::finishCreation):
1903         (JSC::JSNameScope::JSNameScope):
1904         * runtime/JSScope.cpp:
1905         (JSC::abstractAccess):
1906         * runtime/JSSegmentedVariableObject.cpp:
1907         (JSC::JSSegmentedVariableObject::findVariableIndex):
1908         (JSC::JSSegmentedVariableObject::addVariables):
1909         (JSC::JSSegmentedVariableObject::visitChildren):
1910         (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
1911         (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
1912         * runtime/JSSegmentedVariableObject.h:
1913         (JSC::JSSegmentedVariableObject::variableAt):
1914         (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
1915         (JSC::JSSegmentedVariableObject::registerAt): Deleted.
1916         (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
1917         * runtime/JSSymbolTableObject.h:
1918         (JSC::JSSymbolTableObject::offsetOfSymbolTable):
1919         (JSC::symbolTableGet):
1920         (JSC::symbolTablePut):
1921         (JSC::symbolTablePutWithAttributes):
1922         * runtime/JSType.h:
1923         * runtime/Options.h:
1924         * runtime/ClonedArguments.cpp: Added.
1925         (JSC::ClonedArguments::ClonedArguments):
1926         (JSC::ClonedArguments::createEmpty):
1927         (JSC::ClonedArguments::createWithInlineFrame):
1928         (JSC::ClonedArguments::createWithMachineFrame):
1929         (JSC::ClonedArguments::createByCopyingFrom):
1930         (JSC::ClonedArguments::createStructure):
1931         (JSC::ClonedArguments::getOwnPropertySlot):
1932         (JSC::ClonedArguments::getOwnPropertyNames):
1933         (JSC::ClonedArguments::put):
1934         (JSC::ClonedArguments::deleteProperty):
1935         (JSC::ClonedArguments::defineOwnProperty):
1936         (JSC::ClonedArguments::materializeSpecials):
1937         (JSC::ClonedArguments::materializeSpecialsIfNecessary):
1938         * runtime/ClonedArguments.h: Added.
1939         (JSC::ClonedArguments::specialsMaterialized):
1940         * runtime/ScopeOffset.cpp: Added.
1941         (JSC::ScopeOffset::dump):
1942         * runtime/ScopeOffset.h: Added.
1943         (JSC::ScopeOffset::ScopeOffset):
1944         * runtime/ScopedArguments.cpp: Added.
1945         (JSC::ScopedArguments::ScopedArguments):
1946         (JSC::ScopedArguments::finishCreation):
1947         (JSC::ScopedArguments::createUninitialized):
1948         (JSC::ScopedArguments::create):
1949         (JSC::ScopedArguments::createByCopying):
1950         (JSC::ScopedArguments::createByCopyingFrom):
1951         (JSC::ScopedArguments::visitChildren):
1952         (JSC::ScopedArguments::createStructure):
1953         (JSC::ScopedArguments::overrideThings):
1954         (JSC::ScopedArguments::overrideThingsIfNecessary):
1955         (JSC::ScopedArguments::overrideArgument):
1956         (JSC::ScopedArguments::copyToArguments):
1957         * runtime/ScopedArguments.h: Added.
1958         (JSC::ScopedArguments::internalLength):
1959         (JSC::ScopedArguments::length):
1960         (JSC::ScopedArguments::canAccessIndexQuickly):
1961         (JSC::ScopedArguments::getIndexQuickly):
1962         (JSC::ScopedArguments::setIndexQuickly):
1963         (JSC::ScopedArguments::callee):
1964         (JSC::ScopedArguments::overrodeThings):
1965         (JSC::ScopedArguments::offsetOfOverrodeThings):
1966         (JSC::ScopedArguments::offsetOfTotalLength):
1967         (JSC::ScopedArguments::offsetOfTable):
1968         (JSC::ScopedArguments::offsetOfScope):
1969         (JSC::ScopedArguments::overflowStorageOffset):
1970         (JSC::ScopedArguments::allocationSize):
1971         (JSC::ScopedArguments::overflowStorage):
1972         * runtime/ScopedArgumentsTable.cpp: Added.
1973         (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
1974         (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
1975         (JSC::ScopedArgumentsTable::destroy):
1976         (JSC::ScopedArgumentsTable::create):
1977         (JSC::ScopedArgumentsTable::clone):
1978         (JSC::ScopedArgumentsTable::setLength):
1979         (JSC::ScopedArgumentsTable::set):
1980         (JSC::ScopedArgumentsTable::createStructure):
1981         * runtime/ScopedArgumentsTable.h: Added.
1982         (JSC::ScopedArgumentsTable::length):
1983         (JSC::ScopedArgumentsTable::get):
1984         (JSC::ScopedArgumentsTable::lock):
1985         (JSC::ScopedArgumentsTable::offsetOfLength):
1986         (JSC::ScopedArgumentsTable::offsetOfArguments):
1987         (JSC::ScopedArgumentsTable::at):
1988         * runtime/SymbolTable.cpp:
1989         (JSC::SymbolTableEntry::prepareToWatch):
1990         (JSC::SymbolTable::SymbolTable):
1991         (JSC::SymbolTable::visitChildren):
1992         (JSC::SymbolTable::localToEntry):
1993         (JSC::SymbolTable::entryFor):
1994         (JSC::SymbolTable::cloneScopePart):
1995         (JSC::SymbolTable::prepareForTypeProfiling):
1996         (JSC::SymbolTable::uniqueIDForOffset):
1997         (JSC::SymbolTable::globalTypeSetForOffset):
1998         (JSC::SymbolTable::cloneCapturedNames): Deleted.
1999         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
2000         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
2001         * runtime/SymbolTable.h:
2002         (JSC::SymbolTableEntry::varOffsetFromBits):
2003         (JSC::SymbolTableEntry::scopeOffsetFromBits):
2004         (JSC::SymbolTableEntry::Fast::varOffset):
2005         (JSC::SymbolTableEntry::Fast::scopeOffset):
2006         (JSC::SymbolTableEntry::Fast::isDontEnum):
2007         (JSC::SymbolTableEntry::Fast::getAttributes):
2008         (JSC::SymbolTableEntry::SymbolTableEntry):
2009         (JSC::SymbolTableEntry::varOffset):
2010         (JSC::SymbolTableEntry::isWatchable):
2011         (JSC::SymbolTableEntry::scopeOffset):
2012         (JSC::SymbolTableEntry::setAttributes):
2013         (JSC::SymbolTableEntry::constantMode):
2014         (JSC::SymbolTableEntry::isDontEnum):
2015         (JSC::SymbolTableEntry::disableWatching):
2016         (JSC::SymbolTableEntry::pack):
2017         (JSC::SymbolTableEntry::isValidVarOffset):
2018         (JSC::SymbolTable::createNameScopeTable):
2019         (JSC::SymbolTable::maxScopeOffset):
2020         (JSC::SymbolTable::didUseScopeOffset):
2021         (JSC::SymbolTable::didUseVarOffset):
2022         (JSC::SymbolTable::scopeSize):
2023         (JSC::SymbolTable::nextScopeOffset):
2024         (JSC::SymbolTable::takeNextScopeOffset):
2025         (JSC::SymbolTable::add):
2026         (JSC::SymbolTable::set):
2027         (JSC::SymbolTable::argumentsLength):
2028         (JSC::SymbolTable::setArgumentsLength):
2029         (JSC::SymbolTable::argumentOffset):
2030         (JSC::SymbolTable::setArgumentOffset):
2031         (JSC::SymbolTable::arguments):
2032         (JSC::SlowArgument::SlowArgument): Deleted.
2033         (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
2034         (JSC::SymbolTableEntry::getIndex): Deleted.
2035         (JSC::SymbolTableEntry::isValidIndex): Deleted.
2036         (JSC::SymbolTable::captureStart): Deleted.
2037         (JSC::SymbolTable::setCaptureStart): Deleted.
2038         (JSC::SymbolTable::captureEnd): Deleted.
2039         (JSC::SymbolTable::setCaptureEnd): Deleted.
2040         (JSC::SymbolTable::captureCount): Deleted.
2041         (JSC::SymbolTable::isCaptured): Deleted.
2042         (JSC::SymbolTable::parameterCount): Deleted.
2043         (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
2044         (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
2045         (JSC::SymbolTable::slowArguments): Deleted.
2046         (JSC::SymbolTable::setSlowArguments): Deleted.
2047         * runtime/VM.cpp:
2048         (JSC::VM::VM):
2049         * runtime/VM.h:
2050         * runtime/VarOffset.cpp: Added.
2051         (JSC::VarOffset::dump):
2052         (WTF::printInternal):
2053         * runtime/VarOffset.h: Added.
2054         (JSC::VarOffset::VarOffset):
2055         (JSC::VarOffset::assemble):
2056         (JSC::VarOffset::isValid):
2057         (JSC::VarOffset::operator!):
2058         (JSC::VarOffset::kind):
2059         (JSC::VarOffset::isStack):
2060         (JSC::VarOffset::isScope):
2061         (JSC::VarOffset::isDirectArgument):
2062         (JSC::VarOffset::stackOffsetUnchecked):
2063         (JSC::VarOffset::scopeOffsetUnchecked):
2064         (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
2065         (JSC::VarOffset::stackOffset):
2066         (JSC::VarOffset::scopeOffset):
2067         (JSC::VarOffset::capturedArgumentsOffset):
2068         (JSC::VarOffset::rawOffset):
2069         (JSC::VarOffset::checkSanity):
2070         (JSC::VarOffset::operator==):
2071         (JSC::VarOffset::operator!=):
2072         (JSC::VarOffset::hash):
2073         (JSC::VarOffset::isHashTableDeletedValue):
2074         (JSC::VarOffsetHash::hash):
2075         (JSC::VarOffsetHash::equal):
2076         * tests/stress/arguments-exit-strict-mode.js: Added.
2077         * tests/stress/arguments-exit.js: Added.
2078         * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
2079         * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
2080         * tests/stress/arguments-inlined-exit.js: Added.
2081         * tests/stress/arguments-interference.js: Added.
2082         * tests/stress/arguments-interference-cfg.js: Added.
2083         * tests/stress/dead-get-closure-var.js: Added.
2084         * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
2085         * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
2086         * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
2087         * tests/stress/varargs-closure-inlined-exit.js: Added.
2088         * tests/stress/varargs-exit.js: Added.
2089         * tests/stress/varargs-inlined-exit.js: Added.
2090         * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
2091         * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
2092         * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
2093         * tests/stress/varargs-inlined-simple-exit.js: Added.
2094         * tests/stress/varargs-too-few-arguments.js: Added.
2095         * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
2096         * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
2097         * tests/stress/varargs-varargs-inlined-exit.js: Added.
2098
2099 2015-03-25  Andy Estes  <aestes@apple.com>
2100
2101         [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
2102         https://bugs.webkit.org/show_bug.cgi?id=143068
2103
2104         Reviewed by Dan Bernstein.
2105
2106         * inspector/remote/RemoteInspectorXPCConnection.mm:
2107         (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.
2108
2109 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2110
2111         Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
2112         https://bugs.webkit.org/show_bug.cgi?id=142993
2113
2114         Reviewed by Geoffrey Garen and Mark Lam.
2115         
2116         This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
2117         into using JITCompilationCanFail and having a legit fallback path. This mostly involves
2118         having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
2119         failure, but also involves adding the same kind of thing to the stub generators in
2120         Repatch.
2121         
2122         Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
2123         of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
2124         like host call stub generation, could handle a GC, but those get invoked very rarely. So,
2125         this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
2126         printout.
2127         
2128         Also add a way of inducing executable allocation failure, so that we can test this.
2129
2130         * CMakeLists.txt:
2131         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2132         * JavaScriptCore.xcodeproj/project.pbxproj:
2133         * dfg/DFGJITCompiler.cpp:
2134         (JSC::DFG::JITCompiler::compile):
2135         (JSC::DFG::JITCompiler::compileFunction):
2136         (JSC::DFG::JITCompiler::link): Deleted.
2137         (JSC::DFG::JITCompiler::linkFunction): Deleted.
2138         * dfg/DFGJITCompiler.h:
2139         * dfg/DFGPlan.cpp:
2140         (JSC::DFG::Plan::compileInThreadImpl):
2141         * ftl/FTLCompile.cpp:
2142         (JSC::FTL::mmAllocateCodeSection):
2143         (JSC::FTL::mmAllocateDataSection):
2144         * ftl/FTLLink.cpp:
2145         (JSC::FTL::link):
2146         * ftl/FTLState.h:
2147         * jit/ArityCheckFailReturnThunks.cpp:
2148         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
2149         * jit/ExecutableAllocationFuzz.cpp: Added.
2150         (JSC::numberOfExecutableAllocationFuzzChecks):
2151         (JSC::doExecutableAllocationFuzzing):
2152         * jit/ExecutableAllocationFuzz.h: Added.
2153         (JSC::doExecutableAllocationFuzzingIfEnabled):
2154         * jit/ExecutableAllocatorFixedVMPool.cpp:
2155         (JSC::ExecutableAllocator::allocate):
2156         * jit/JIT.cpp:
2157         (JSC::JIT::privateCompile):
2158         * jit/JITCompilationEffort.h:
2159         * jit/Repatch.cpp:
2160         (JSC::generateByIdStub):
2161         (JSC::tryCacheGetByID):
2162         (JSC::tryBuildGetByIDList):
2163         (JSC::emitPutReplaceStub):
2164         (JSC::emitPutTransitionStubAndGetOldStructure):
2165         (JSC::tryCachePutByID):
2166         (JSC::tryBuildPutByIdList):
2167         (JSC::tryRepatchIn):
2168         (JSC::linkPolymorphicCall):
2169         * jsc.cpp:
2170         (jscmain):
2171         * runtime/Options.h:
2172         * runtime/TestRunnerUtils.h:
2173         * runtime/VM.cpp:
2174         * tests/executableAllocationFuzz: Added.
2175         * tests/executableAllocationFuzz.yaml: Added.
2176         * tests/executableAllocationFuzz/v8-raytrace.js: Added.
2177
2178 2015-03-25  Mark Lam  <mark.lam@apple.com>
2179
2180         REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
2181         <https://webkit.org/b/135719>
2182
2183         Reviewed by Geoffrey Garen.
2184
2185         This is a regression introduced in http://trac.webkit.org/changeset/169139 which
2186         changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
2187         update the LLINT to access it as such.
2188
2189         The issue has only manifested so far on the CLoop tests because those are LLINT
2190         only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
2191         hiding the bug in the LLINT.
2192
2193         * API/JSContextRef.cpp:
2194         (createWatchdogIfNeeded):
2195         (JSContextGroupSetExecutionTimeLimit):
2196         (JSContextGroupClearExecutionTimeLimit):
2197         * llint/LowLevelInterpreter.asm:
2198
2199 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2200
2201         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
2202
2203         Rubber stamped by Geoffrey Garen.
2204
2205         * bytecode/CodeBlock.cpp:
2206         (JSC::CodeBlock::visitAggregate):
2207
2208 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2209
2210         Fix formatting in BuiltinExecutables
2211         https://bugs.webkit.org/show_bug.cgi?id=143061
2212
2213         Reviewed by Ryosuke Niwa.
2214
2215         * builtins/BuiltinExecutables.cpp:
2216         (JSC::BuiltinExecutables::createExecutableInternal):
2217
2218 2015-03-25  Joseph Pecoraro  <pecoraro@apple.com>
2219
2220         ES6: Classes: Program level class statement throws exception in strict mode
2221         https://bugs.webkit.org/show_bug.cgi?id=143038
2222
2223         Reviewed by Ryosuke Niwa.
2224
2225         Classes expose a name to the current lexical environment. This treats
2226         "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
2227         Also, improve error messages for class statements where the class is missing a name.
2228
2229         * parser/Parser.h:
2230         * parser/Parser.cpp:
2231         (JSC::Parser<LexerType>::parseClass):
2232         Fill name in info parameter if needed. Better error message if name is needed and missing.
2233
2234         (JSC::Parser<LexerType>::parseClassDeclaration):
2235         Pass info parameter to get name, and expose the name as a variable name.
2236
2237         (JSC::Parser<LexerType>::parsePrimaryExpression):
2238         Pass info parameter that is ignored.
2239
2240         * parser/ParserFunctionInfo.h:
2241         Add a parser info for class, to extract the name.
2242
2243 2015-03-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2244
2245         New map and set modification tests in r181922 fails
2246         https://bugs.webkit.org/show_bug.cgi?id=143031
2247
2248         Reviewed and tweaked by Geoffrey Garen.
2249
2250         When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
2251         to adjust for the packed backing store.
2252
2253         Consider the following map data.
2254
2255         x: deleted, o: exists
2256         0 1 2 3 4
2257         x x x x o
2258
2259         And an iterator with m_index 3.
2260
2261         When packing the map data, map data will become,
2262
2263         0
2264         o
2265
2266         At that time, we perform didRemoveEntry 4 times on iterators.
2267         times => m_index/index/result
2268         1 => 3/0/dec
2269         2 => 2/1/dec
2270         3 => 1/2/nothing
2271         4 => 1/3/nothing
2272
2273         After iteration, the iterator's m_index becomes 1. But we expected it to become 0.
2274         This is because if we use decremented m_index for comparison,
2275         while provided deletedIndex is the index in old storage, m_index is the index in partially packed storage.
2276
2277         In this patch, we compare against the packed index instead.
2278         times => m_index/packedIndex/result
2279         1 => 3/0/dec
2280         2 => 2/0/dec
2281         3 => 1/0/dec
2282         4 => 0/0/nothing
2283
2284         So m_index becomes 0 as expected.
2285
2286         And according to the spec, once the iterator is closed (becomes done: true),
2287         its internal [[Map]]/[[Set]] is set to undefined.
2288         So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
2289
2290         In this patch, we change 2 things.
2291         1.
2292         Compare an iterator's index against the packed index when removing an entry.
2293
2294         2.
2295         If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
2296
2297         * runtime/MapData.h:
2298         (JSC::MapDataImpl::IteratorData::finish):
2299         (JSC::MapDataImpl::IteratorData::isFinished):
2300         (JSC::MapDataImpl::IteratorData::didRemoveEntry):
2301         (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
2302         (JSC::MapDataImpl::IteratorData::startPackBackingStore):
2303         * runtime/MapDataInlines.h:
2304         (JSC::JSIterator>::replaceAndPackBackingStore):
2305         * tests/stress/modify-map-during-iteration.js:
2306         * tests/stress/modify-set-during-iteration.js:
2307
2308 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2309
2310         Setter should have a single formal parameter, Getter no parameters
2311         https://bugs.webkit.org/show_bug.cgi?id=142903
2312
2313         Reviewed by Geoffrey Garen.
2314
2315         * parser/Parser.cpp:
2316         (JSC::Parser<LexerType>::parseFunctionInfo):
2317         Enforce no parameters for getters and a single parameter
2318         for setters, with informational error messages.
2319
2320 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2321
2322         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
2323         https://bugs.webkit.org/show_bug.cgi?id=143012
2324
2325         Reviewed by Ryosuke Niwa.
2326
2327         * bytecompiler/BytecodeGenerator.cpp:
2328         (JSC::BytecodeGenerator::emitReturn):
2329         Fix handling of "undefined" when returned from a Derived class. It was
2330         returning "undefined" when it should have returned "this".
2331
2332 2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2333
2334         REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
2335         https://bugs.webkit.org/show_bug.cgi?id=142696
2336
2337         Reviewed and tweaked by Geoffrey Garen.
2338
2339         Before r142556, JSSetIterator::destroy was not defined.
2340         So accidentally MapData::const_iterator in JSSet was never destroyed.
2341         But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.
2342
2343         After r142556, JSSetIterator::destroy works.
2344         It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
2345         But JSSetIterator::~JSSetIterator requires owned JSSet since it mutates MapData->m_iteratorCount.
2346
2347         It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet
2348         and marks it in visitChildren (WriteBarrier<Unknown>).
2349         However, the order of destructions is not guaranteed in a GC-ed system.
2350
2351         Consider the following case,
2352         allocate JSSet and subsequently allocate JSSetIterator.
2353         And they reside in separate MarkedBlocks, <1> and <2>.
2354
2355         JSSet<1> <- JSSetIterator<2>
2356
2357         And after that, when performing GC, Marker decides that the above 2 objects are not marked.
2358         And Marker also decides MarkedBlocks <1> and <2> can be swept.
2359
2360         First, the Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
2361         Second, the Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
2362         However, JSSetIterator<2>'s destructor,
2363         JSSetIterator::~JSSetIterator, requires a live JSSet<1>, so it causes a use-after-free.
2364
2365         In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators.
2366         When packing the removed elements in JSSet/JSMap, we apply the change to all live
2367         iterators tracked by WeakGCMap.
2368
2369         WeakGCMap can only track JSCell since they are managed by GC.
2370         So we drop JSSet/JSMap C++ style iterators. Instead of C++ style iterator, this patch
2371         introduces JS style iterator signatures into C++ class IteratorData.
2372         If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
2373         IteratorData directly.
2374
2375         * runtime/JSMap.cpp:
2376         (JSC::JSMap::destroy):
2377         * runtime/JSMap.h:
2378         (JSC::JSMap::JSMap):
2379         (JSC::JSMap::begin): Deleted.
2380         (JSC::JSMap::end): Deleted.
2381         * runtime/JSMapIterator.cpp:
2382         (JSC::JSMapIterator::destroy):
2383         * runtime/JSMapIterator.h:
2384         (JSC::JSMapIterator::next):
2385         (JSC::JSMapIterator::nextKeyValue):
2386         (JSC::JSMapIterator::iteratorData):
2387         (JSC::JSMapIterator::JSMapIterator):
2388         * runtime/JSSet.cpp:
2389         (JSC::JSSet::destroy):
2390         * runtime/JSSet.h:
2391         (JSC::JSSet::JSSet):
2392         (JSC::JSSet::begin): Deleted.
2393         (JSC::JSSet::end): Deleted.
2394         * runtime/JSSetIterator.cpp:
2395         (JSC::JSSetIterator::destroy):
2396         * runtime/JSSetIterator.h:
2397         (JSC::JSSetIterator::next):
2398         (JSC::JSSetIterator::iteratorData):
2399         (JSC::JSSetIterator::JSSetIterator):
2400         * runtime/MapData.h:
2401         (JSC::MapDataImpl::IteratorData::finish):
2402         (JSC::MapDataImpl::IteratorData::isFinished):
2403         (JSC::MapDataImpl::shouldPack):
2404         (JSC::JSIterator>::MapDataImpl):
2405         (JSC::JSIterator>::KeyType::KeyType):
2406         (JSC::JSIterator>::IteratorData::IteratorData):
2407         (JSC::JSIterator>::IteratorData::next):
2408         (JSC::JSIterator>::IteratorData::ensureSlot):
2409         (JSC::JSIterator>::IteratorData::applyMapDataPatch):
2410         (JSC::JSIterator>::IteratorData::refreshCursor):
2411         (JSC::MapDataImpl::const_iterator::key): Deleted.
2412         (JSC::MapDataImpl::const_iterator::value): Deleted.
2413         (JSC::MapDataImpl::const_iterator::operator++): Deleted.
2414         (JSC::MapDataImpl::const_iterator::finish): Deleted.
2415         (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
2416         (JSC::MapDataImpl::begin): Deleted.
2417         (JSC::MapDataImpl::end): Deleted.
2418         (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
2419         (JSC::MapDataImpl<Entry>::clear): Deleted.
2420         (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
2421         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
2422         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
2423         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
2424         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
2425         (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
2426         (JSC::=): Deleted.
2427         * runtime/MapDataInlines.h:
2428         (JSC::JSIterator>::clear):
2429         (JSC::JSIterator>::find):
2430         (JSC::JSIterator>::contains):
2431         (JSC::JSIterator>::add):
2432         (JSC::JSIterator>::set):
2433         (JSC::JSIterator>::get):
2434         (JSC::JSIterator>::remove):
2435         (JSC::JSIterator>::replaceAndPackBackingStore):
2436         (JSC::JSIterator>::replaceBackingStore):
2437         (JSC::JSIterator>::ensureSpaceForAppend):
2438         (JSC::JSIterator>::visitChildren):
2439         (JSC::JSIterator>::copyBackingStore):
2440         (JSC::JSIterator>::applyMapDataPatch):
2441         (JSC::MapDataImpl<Entry>::find): Deleted.
2442         (JSC::MapDataImpl<Entry>::contains): Deleted.
2443         (JSC::MapDataImpl<Entry>::add): Deleted.
2444         (JSC::MapDataImpl<Entry>::set): Deleted.
2445         (JSC::MapDataImpl<Entry>::get): Deleted.
2446         (JSC::MapDataImpl<Entry>::remove): Deleted.
2447         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
2448         (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
2449         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
2450         (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
2451         (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
2452         * runtime/MapPrototype.cpp:
2453         (JSC::mapProtoFuncForEach):
2454         * runtime/SetPrototype.cpp:
2455         (JSC::setProtoFuncForEach):
2456         * runtime/WeakGCMap.h:
2457         (JSC::WeakGCMap::forEach):
2458         * tests/stress/modify-map-during-iteration.js: Added.
2459         (testValue):
2460         (identityPairs):
2461         (.set if):
2462         (var):
2463         (set map):
2464         * tests/stress/modify-set-during-iteration.js: Added.
2465         (testValue):
2466         (set forEach):
2467         (set delete):
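
        The backing-store packing and iterator bookkeeping described in this entry and in the
        "map and set modification tests" entry above, as an added C++ model (not JSC's code): a
        std::set of raw pointers stands in for WeakGCMap, Slot/MapData/IteratorData are simplified
        stand-ins for the real classes, and Rule selects the pre-fix or fixed didRemoveEntry comparison.

```cpp
#include <cstddef>
#include <iostream>
#include <set>
#include <vector>

// One slot of the (unpacked) backing store: a key plus a tombstone flag ("x" vs "o" above).
struct Slot {
    int key;
    bool deleted;
};

// Which comparison didRemoveEntry uses (see the "modification tests" entry).
enum class Rule { OldStorageIndex, PackedIndex };

// Simplified model of MapDataImpl::IteratorData. m_index is the next slot to visit.
struct IteratorData {
    std::size_t m_index = 0;
    bool m_finished = false;

    bool isFinished() const { return m_finished; }
    void finish() { m_finished = true; }

    // Pre-fix rule: m_index (already partially adjusted toward the packed store) is compared
    // against deletedIndex, an index into the OLD store, so later removals are missed.
    // Fixed rule: compare against the index the slot would have in the PACKED store, and
    // leave a closed iterator alone (the spec sets its [[Map]]/[[Set]] to undefined).
    void didRemoveEntry(Rule rule, std::size_t deletedIndex, std::size_t packedIndex)
    {
        if (rule == Rule::PackedIndex && isFinished())
            return;
        std::size_t compareAgainst = rule == Rule::OldStorageIndex ? deletedIndex : packedIndex;
        if (m_index > compareAgainst)
            --m_index;
    }
};

// Simplified model of MapDataImpl. Live iterators are registered in m_iterators, which stands
// in for the WeakGCMap: the map does not own them, and an iterator's destructor never has to
// reach back into the map (the m_iteratorCount decrement that caused the use-after-free).
// In JSC the WeakGCMap drops an entry when the iterator cell dies; this model never prunes.
class MapData {
public:
    explicit MapData(Rule rule) : m_rule(rule) {}

    void add(int key) { m_store.push_back({key, false}); }
    void remove(std::size_t index) { m_store[index].deleted = true; }
    std::size_t size() const { return m_store.size(); }
    void registerIterator(IteratorData* iterator) { m_iterators.insert(iterator); }

    // Equivalent of replaceAndPackBackingStore: drop tombstones and notify every live
    // iterator once per removed slot, passing both the old index and the packed index.
    void pack()
    {
        std::vector<Slot> packed;
        for (std::size_t oldIndex = 0; oldIndex < m_store.size(); ++oldIndex) {
            if (m_store[oldIndex].deleted) {
                for (IteratorData* iterator : m_iterators)
                    iterator->didRemoveEntry(m_rule, oldIndex, packed.size());
                continue;
            }
            packed.push_back(m_store[oldIndex]);
        }
        m_store.swap(packed);
    }

private:
    Rule m_rule;
    std::vector<Slot> m_store;
    std::set<IteratorData*> m_iterators;
};

// Scenario from the "modification tests" entry: five slots, 0..3 deleted ("x x x x o"),
// one live iterator at m_index 3. Returns the iterator's m_index after packing:
// 1 under the old rule, 0 under the fixed rule, unchanged (3) if the iterator was closed.
std::size_t iteratorIndexAfterPacking(Rule rule, bool finished)
{
    MapData map(rule);
    for (int key = 10; key < 15; ++key) // constructed sample keys
        map.add(key);
    for (std::size_t index = 0; index < 4; ++index)
        map.remove(index);

    IteratorData iterator;
    iterator.m_index = 3;
    if (finished)
        iterator.finish();
    map.registerIterator(&iterator);

    map.pack();
    return iterator.m_index;
}

int main()
{
    std::cout << "old rule:   " << iteratorIndexAfterPacking(Rule::OldStorageIndex, false) << "\n";
    std::cout << "fixed rule: " << iteratorIndexAfterPacking(Rule::PackedIndex, false) << "\n";
    std::cout << "closed:     " << iteratorIndexAfterPacking(Rule::PackedIndex, true) << "\n";
    return 0;
}
```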
2468
2469 2015-03-24  Mark Lam  <mark.lam@apple.com>
2470
2471         The ExecutionTimeLimit test should use its own JSGlobalContextRef.
2472         <https://webkit.org/b/143024>
2473
2474         Reviewed by Geoffrey Garen.
2475
2476         Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
2477         passed in from testapi.c.  It should create its own for better
2478         encapsulation of the test.
2479
2480         * API/tests/ExecutionTimeLimitTest.cpp:
2481         (currentCPUTimeAsJSFunctionCallback):
2482         (testExecutionTimeLimit):
2483         * API/tests/ExecutionTimeLimitTest.h:
2484         * API/tests/testapi.c:
2485         (main):
2486
2487 2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
2488
2489         ES6: Object Literal Methods toString is missing method name
2490         https://bugs.webkit.org/show_bug.cgi?id=142992
2491
2492         Reviewed by Geoffrey Garen.
2493
2494         Always stringify functions in the pattern:
2495
2496           "function " + <function name> + <text from opening parenthesis to closing brace>.
2497
2498         * runtime/FunctionPrototype.cpp:
2499         (JSC::functionProtoFuncToString):
2500         Update the path that was not stringifying in this pattern.
2501
2502         * bytecode/UnlinkedCodeBlock.cpp:
2503         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2504         * bytecode/UnlinkedCodeBlock.h:
2505         (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
2506         * parser/Nodes.h:
2507         * runtime/Executable.cpp:
2508         (JSC::FunctionExecutable::FunctionExecutable):
2509         * runtime/Executable.h:
2510         (JSC::FunctionExecutable::parametersStartOffset):
2511         Pass the already known function parameter opening parenthesis
2512         start offset through to the FunctionExecutable. 
2513
2514         * tests/mozilla/js1_5/Scope/regress-185485.js:
2515         (with.g):
2516         Add back original space in this test that was removed by r181810
2517         now that we have the space again in stringification.
2518
2519 2015-03-24  Michael Saboff  <msaboff@apple.com>
2520
2521         REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
2522         https://bugs.webkit.org/show_bug.cgi?id=142856
2523
2524         Reviewed by Filip Pizlo.
2525
2526         Refactored the way the for .. in enumeration over objects is done.  We used to make three C++ calls to
2527         get info for three loops to iterate over indexed properties, structure properties and other properties,
2528         respectively.  We still have the three loops, but now we make one C++ call to get all the info needed
2529         for all loops before we execute any enumeration.
2530
2531         The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
2532         The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex)
2533         and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).
2534
2535         Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
2536         op_next_enumerator_pname.
2537         Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
2538         The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
2539         end value we stop iterating on.
2540
2541         Made corresponding node changes to the DFG and FTL for the bytecode changes.
2542
2543         * bytecode/BytecodeList.json:
2544         * bytecode/BytecodeUseDef.h:
2545         (JSC::computeUsesForBytecodeOffset):
2546         (JSC::computeDefsForBytecodeOffset):
2547         * bytecode/CodeBlock.cpp:
2548         (JSC::CodeBlock::dumpBytecode):
2549         * bytecompiler/BytecodeGenerator.cpp:
2550         (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
2551         (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
2552         (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
2553         (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
2554         (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
2555         (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
2556         * bytecompiler/BytecodeGenerator.h:
2557         * bytecompiler/NodesCodegen.cpp:
2558         (JSC::ForInNode::emitMultiLoopBytecode):
2559         * dfg/DFGAbstractInterpreterInlines.h:
2560         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2561         * dfg/DFGByteCodeParser.cpp:
2562         (JSC::DFG::ByteCodeParser::parseBlock):
2563         * dfg/DFGCapabilities.cpp:
2564         (JSC::DFG::capabilityLevel):
2565         * dfg/DFGClobberize.h:
2566         (JSC::DFG::clobberize):
2567         * dfg/DFGDoesGC.cpp:
2568         (JSC::DFG::doesGC):
2569         * dfg/DFGFixupPhase.cpp:
2570         (JSC::DFG::FixupPhase::fixupNode):
2571         * dfg/DFGNodeType.h:
2572         * dfg/DFGPredictionPropagationPhase.cpp:
2573         (JSC::DFG::PredictionPropagationPhase::propagate):
2574         * dfg/DFGSafeToExecute.h:
2575         (JSC::DFG::safeToExecute):
2576         * dfg/DFGSpeculativeJIT32_64.cpp:
2577         (JSC::DFG::SpeculativeJIT::compile):
2578         * dfg/DFGSpeculativeJIT64.cpp:
2579         (JSC::DFG::SpeculativeJIT::compile):
2580         * ftl/FTLAbstractHeapRepository.h:
2581         * ftl/FTLCapabilities.cpp:
2582         (JSC::FTL::canCompile):
2583         * ftl/FTLLowerDFGToLLVM.cpp:
2584         (JSC::FTL::LowerDFGToLLVM::compileNode):
2585         (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
2586         (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
2587         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
2588         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
2589         (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
2590         (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
2591         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
2592         * jit/JIT.cpp:
2593         (JSC::JIT::privateCompileMainPass):
2594         * jit/JIT.h:
2595         * jit/JITOpcodes.cpp:
2596         (JSC::JIT::emit_op_enumerator_structure_pname):
2597         (JSC::JIT::emit_op_enumerator_generic_pname):
2598         (JSC::JIT::emit_op_get_property_enumerator):
2599         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2600         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
2601         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
2602         * jit/JITOpcodes32_64.cpp:
2603         (JSC::JIT::emit_op_enumerator_structure_pname):
2604         (JSC::JIT::emit_op_enumerator_generic_pname):
2605         (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
2606         * jit/JITOperations.cpp:
2607         * jit/JITOperations.h:
2608         * llint/LowLevelInterpreter.asm:
2609         * runtime/CommonSlowPaths.cpp:
2610         (JSC::SLOW_PATH_DECL):
2611         * runtime/CommonSlowPaths.h:
2612         * runtime/JSPropertyNameEnumerator.cpp:
2613         (JSC::JSPropertyNameEnumerator::create):
2614         (JSC::JSPropertyNameEnumerator::finishCreation):
2615         * runtime/JSPropertyNameEnumerator.h:
2616         (JSC::JSPropertyNameEnumerator::indexedLength):
2617         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
2618         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
2619         (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
2620         (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
2621         (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
2622         (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
2623         (JSC::propertyNameEnumerator):
2624         (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
2625         (JSC::structurePropertyNameEnumerator): Deleted.
2626         (JSC::genericPropertyNameEnumerator): Deleted.
2627         * runtime/Structure.cpp:
2628         (JSC::Structure::setCachedPropertyNameEnumerator):
2629         (JSC::Structure::cachedPropertyNameEnumerator):
2630         (JSC::Structure::canCachePropertyNameEnumerator):
2631         (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
2632         (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
2633         (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
2634         (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
2635         (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
2636         (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
2637         * runtime/Structure.h:
2638         * runtime/StructureRareData.cpp:
2639         (JSC::StructureRareData::visitChildren):
2640         (JSC::StructureRareData::cachedPropertyNameEnumerator):
2641         (JSC::StructureRareData::setCachedPropertyNameEnumerator):
2642         (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
2643         (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
2644         (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
2645         (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
2646         * runtime/StructureRareData.h:
2647         * tests/stress/for-in-delete-during-iteration.js:
2648
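The single-snapshot enumerator described above, as an added C++ example that is not JavaScriptCore's own code: the object layout, the presence checks and the scenario are constructed here for illustration, and only the field names (indexedLength, endStructurePropertyIndex, endGenericPropertyIndex) follow the entry.

```cpp
// Added example, not JavaScriptCore code: a toy model of the single-snapshot
// enumerator described in the entry above. The object layout (a presence vector
// for indexed properties plus an insertion-ordered list of named properties
// flagged as structure or generic) is constructed here purely for illustration.
#include <algorithm>
#include <cassert>
#include <functional>
#include <string>
#include <vector>

struct NamedProperty {
    std::string name;
    bool isStructureProperty; // true: lives in the Structure; false: generic property
};

struct ObjectModel {
    std::vector<bool> indexedPresent;   // indexedPresent[i] == true means index i exists
    std::vector<NamedProperty> named;   // insertion order

    bool hasIndexed(size_t i) const { return i < indexedPresent.size() && indexedPresent[i]; }
    bool hasNamed(const std::string& n) const {
        return std::any_of(named.begin(), named.end(),
                           [&](const NamedProperty& p) { return p.name == n; });
    }
    void deleteNamed(const std::string& n) {
        named.erase(std::remove_if(named.begin(), named.end(),
                                   [&](const NamedProperty& p) { return p.name == n; }),
                    named.end());
    }
};

// Everything the three loops need, produced by one call before enumeration starts.
// names[0, endStructurePropertyIndex) are structure properties and
// names[endStructurePropertyIndex, endGenericPropertyIndex) are generic properties.
struct PropertyNameEnumeratorModel {
    size_t indexedLength = 0;
    std::vector<std::string> names;
    size_t endStructurePropertyIndex = 0;
    size_t endGenericPropertyIndex = 0;
};

PropertyNameEnumeratorModel makeEnumerator(const ObjectModel& o) {
    PropertyNameEnumeratorModel e;
    e.indexedLength = o.indexedPresent.size();
    for (const NamedProperty& p : o.named)
        if (p.isStructureProperty) e.names.push_back(p.name);
    e.endStructurePropertyIndex = e.names.size();
    for (const NamedProperty& p : o.named)
        if (!p.isStructureProperty) e.names.push_back(p.name);
    e.endGenericPropertyIndex = e.names.size();
    return e;
}

// Drives the three loops and returns the keys visited, in order. `body` is the
// for..in loop body and may add or delete properties on `o` while iterating.
std::vector<std::string> forIn(ObjectModel& o, const std::function<void(const std::string&)>& body) {
    const PropertyNameEnumeratorModel e = makeEnumerator(o); // snapshot taken once
    std::vector<std::string> visited;

    // Loop 1: indexed properties. An index deleted mid-loop is skipped.
    for (size_t i = 0; i < e.indexedLength; ++i) {
        if (!o.hasIndexed(i)) continue;
        std::string key = std::to_string(i);
        visited.push_back(key);
        body(key);
    }
    // Loops 2 and 3 are identical except for the end value they stop at.
    auto namedLoop = [&](size_t begin, size_t end) {
        for (size_t i = begin; i < end; ++i) {
            const std::string& key = e.names[i];
            if (!o.hasNamed(key)) continue; // deleted during iteration: skip
            visited.push_back(key);
            body(key);
        }
    };
    namedLoop(0, e.endStructurePropertyIndex);
    namedLoop(e.endStructurePropertyIndex, e.endGenericPropertyIndex);
    return visited;
}

// Scenario from the bug title: a property added inside the loop must not be
// enumerated, and one deleted inside the loop must be skipped. Expected visit
// order is {"0", "1", "a", "b"}.
std::vector<std::string> runScenario() {
    ObjectModel o;
    o.indexedPresent = {true, true};
    o.named = {{"a", true}, {"b", true}, {"c", false}};
    return forIn(o, [&](const std::string& key) {
        if (key == "a") o.named.push_back({"added", false}); // not in the snapshot
        if (key == "b") o.deleteNamed("c");                  // gone before loop 3 reaches it
    });
}

int main() {
    assert((runScenario() == std::vector<std::string>{"0", "1", "a", "b"}));
    return 0;
}
```
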
2649 2015-03-24  Michael Saboff  <msaboff@apple.com>
2650
2651         Unreviewed build fix for debug builds.
2652
2653         * runtime/ExceptionHelpers.cpp:
2654         (JSC::invalidParameterInSourceAppender):
2655
2656 2015-03-24  Saam Barati  <saambarati1@gmail.com>
2657
2658         Improve error messages in JSC
2659         https://bugs.webkit.org/show_bug.cgi?id=141869
2660
2661         Reviewed by Geoffrey Garen.
2662
2663         JavaScriptCore has some unintuitive error messages associated
2664         with certain common errors. This patch changes some specific
2665         error messages to be more understandable and also creates a
2666         mechanism that will allow for easy modification of error messages
2667         in the future. The specific errors we change are not a function
2668         errors and invalid parameter errors.
2669
2670         * CMakeLists.txt:
2671         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2672         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2673         * JavaScriptCore.xcodeproj/project.pbxproj:
2674         * interpreter/Interpreter.cpp:
2675         (JSC::sizeOfVarargs):
2676         * jit/JITOperations.cpp:
2677         op_throw_static_error always has a JSString as its argument.
2678         There is no need to dance around this, and we should assert
2679         that this always holds. This JSString represents the error 
2680         message we want to display to the user, so there is no need
2681         to pass it into errorDescriptionForValue which will now place
2682         quotes around the string.
2683
2684         * llint/LLIntSlowPaths.cpp:
2685         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2686         * runtime/CommonSlowPaths.h:
2687         (JSC::CommonSlowPaths::opIn):
2688         * runtime/ErrorInstance.cpp:
2689         (JSC::ErrorInstance::ErrorInstance):
2690         * runtime/ErrorInstance.h:
2691         (JSC::ErrorInstance::hasSourceAppender):
2692         (JSC::ErrorInstance::sourceAppender):
2693         (JSC::ErrorInstance::setSourceAppender):
2694         (JSC::ErrorInstance::clearSourceAppender):
2695         (JSC::ErrorInstance::setRuntimeTypeForCause):
2696         (JSC::ErrorInstance::runtimeTypeForCause):
2697         (JSC::ErrorInstance::clearRuntimeTypeForCause):
2698         (JSC::ErrorInstance::appendSourceToMessage): Deleted.
2699         (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
2700         (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
2701         * runtime/ExceptionHelpers.cpp:
2702         (JSC::errorDescriptionForValue):
2703         (JSC::defaultApproximateSourceError):
2704         (JSC::defaultSourceAppender):
2705         (JSC::functionCallBase):
2706         (JSC::notAFunctionSourceAppender):
2707         (JSC::invalidParameterInSourceAppender):
2708         (JSC::invalidParameterInstanceofSourceAppender):
2709         (JSC::createError):
2710         (JSC::createInvalidFunctionApplyParameterError):
2711         (JSC::createInvalidInParameterError):
2712         (JSC::createInvalidInstanceofParameterError):
2713         (JSC::createNotAConstructorError):
2714         (JSC::createNotAFunctionError):
2715         (JSC::createNotAnObjectError):
2716         (JSC::createInvalidParameterError): Deleted.
2717         * runtime/ExceptionHelpers.h:
2718         * runtime/JSObject.cpp:
2719         (JSC::JSObject::hasInstance):
2720         * runtime/RuntimeType.cpp: Added.
2721         (JSC::runtimeTypeForValue):
2722         (JSC::runtimeTypeAsString):
2723         * runtime/RuntimeType.h: Added.
2724         * runtime/TypeProfilerLog.cpp:
2725         (JSC::TypeProfilerLog::processLogEntries):
2726         * runtime/TypeSet.cpp:
2727         (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
2728         * runtime/TypeSet.h:
2729         * runtime/VM.cpp:
2730         (JSC::appendSourceToError):
2731         (JSC::VM::throwException):
2732
2733 2015-03-23  Filip Pizlo  <fpizlo@apple.com>
2734
2735         JSC should have a low-cost asynchronous disassembler
2736         https://bugs.webkit.org/show_bug.cgi?id=142997
2737
2738         Reviewed by Mark Lam.
2739         
2740         This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
2741         doesn't block execution. Some code will live a little longer because of this, since the
2742         work tasks hold a ref to the code, but other than that there is basically no overhead.
2743         
2744         At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
2745         provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
2746         the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
2747         JSC_asyncDisassembly has bizarre behavior - so just choose one.
2748         
2749         A simple way of understanding how great this is, is to run a small benchmark like
2750         V8Spider/earley-boyer.
2751         
2752         Performance without any disassembly flags: 60ms
2753         Performance with JSC_showDisassembly=true: 477ms
2754         Performance with JSC_asyncDisassembly=true: 65ms
2755         
2756         So, the overhead of disassembly goes from 8x to 8%.
2757         
2758         Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
2759         measuring benchmark performance. This is because at VM exit, we wait for all async
2760         disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
2761         after the benchmark completely finishes to finish the disassemblies. This small weirdness
2762         should be OK for the intended use-cases, since all you have to do to get around it is to
2763         measure the execution time of the benchmark payload rather than the end-to-end time of
2764         launching the VM.
2765
2766         * assembler/LinkBuffer.cpp:
2767         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2768         * assembler/LinkBuffer.h:
2769         (JSC::LinkBuffer::wasAlreadyDisassembled):
2770         (JSC::LinkBuffer::didAlreadyDisassemble):
2771         * dfg/DFGJITCompiler.cpp:
2772         (JSC::DFG::JITCompiler::disassemble):
2773         * dfg/DFGJITFinalizer.cpp:
2774         (JSC::DFG::JITFinalizer::finalize):
2775         (JSC::DFG::JITFinalizer::finalizeFunction):
2776         * disassembler/Disassembler.cpp:
2777         (JSC::disassembleAsynchronously):
2778         (JSC::waitForAsynchronousDisassembly):
2779         * disassembler/Disassembler.h:
2780         * ftl/FTLCompile.cpp:
2781         (JSC::FTL::mmAllocateDataSection):
2782         * ftl/FTLLink.cpp:
2783         (JSC::FTL::link):
2784         * jit/JIT.cpp:
2785         (JSC::JIT::privateCompile):
2786         * jsc.cpp:
2787         * runtime/Options.h:
2788         * runtime/VM.cpp:
2789         (JSC::VM::~VM):
2790
2791 2015-03-23  Dean Jackson  <dino@apple.com>
2792
2793         ES7: Implement Array.prototype.includes
2794         https://bugs.webkit.org/show_bug.cgi?id=142707
2795
2796         Reviewed by Geoffrey Garen.
2797
2798         Add support for the ES7 includes method on Arrays.
2799         https://github.com/tc39/Array.prototype.includes
2800
2801         * builtins/Array.prototype.js:
2802         (includes): Implementation in JS.
2803         * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
2804
2805 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2806
2807         __defineGetter__/__defineSetter__ should throw exceptions
2808         https://bugs.webkit.org/show_bug.cgi?id=142934
2809
2810         Reviewed by Geoffrey Garen.
2811
2812         * runtime/ObjectPrototype.cpp:
2813         (JSC::objectProtoFuncDefineGetter):
2814         (JSC::objectProtoFuncDefineSetter):
2815         Throw exceptions when these functions are used directly.
2816
2817 2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>
2818
2819         Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
2820         https://bugs.webkit.org/show_bug.cgi?id=142952
2821
2822         Reviewed by Geoffrey Garen.
2823
2824         * runtime/Structure.cpp:
2825         (JSC::PropertyTable::checkConsistency):
2826         The check offset method doesn't exist in PropertyTable; it exists in Structure.
2827
2828         (JSC::Structure::checkConsistency):
2829         So move it here, and always put it at the start to match normal behavior.
2830
2831 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2832
2833         Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
2834         https://bugs.webkit.org/show_bug.cgi?id=142956
2835
2836         Rubber stamped by Gyuyoung Kim.
2837         
2838         Just removing dead code.
2839
2840         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2841         * JavaScriptCore.xcodeproj/project.pbxproj:
2842         * dfg/DFGOSRExit.h:
2843         * dfg/DFGOSRExitCompiler.cpp:
2844         * dfg/DFGValueRecoveryOverride.h: Removed.
2845
2846 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2847
2848         DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
2849         https://bugs.webkit.org/show_bug.cgi?id=142948
2850
2851         Reviewed by Sam Weinig.
2852         
2853         It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
2854         since a signal may clobber the area below the stack pointer. When the DFG is executing,
2855         the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
2856         baseline, we will use a different amount of stack. This is because baseline is a different
2857         compiler. It will make different decisions. So it will use a different amount of stack.
2858         
2859         This gets tricky when we are in the process of doing an OSR exit, because we are sort of
2860         incrementally transforming the stack from how it looked in the DFG to how it will look in
2861         baseline. The most conservative approach would be to set the stack pointer to the max of
2862         DFG and baseline.
2863         
2864         When this code was written, a reckless assumption was made: that the stack usage in
2865         baseline is always at least as large as the stack usage in DFG. Based on this incorrect
2866         assumption, the code first adjusts the stack pointer to account for the baseline stack
2867         usage. This sort of usually works, because usually baseline does happen to use more stack.
2868         But that's not an invariant. Nobody guarantees this. We will never make any changes that
2869         would make this be guaranteed, because that would be antithetical to how optimizing
2870         compilers work. The DFG should be allowed to use however much stack it decides that it
2871         should use in order to get good performance, and it shouldn't try to guarantee that it
2872         always uses less stack than baseline.
2873         
2874         As such, we must always assume that the frame size for DFG execution (i.e.
2875         frameRegisterCount) and the frame size in baseline once we exit (i.e.
2876         requiredRegisterCountForExit) are two independent quantities and they have no
2877         relationship.
2878         
2879         Fortunately, though, this code can be made correct by just moving the stack adjustment to
2880         just before we do conversions. This is because we have since changed the OSR exit
2881         algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
2882         drop it out of the scratch buffer and into the stack according to the baseline layout. The
2883         point just before conversions is the point where we have finished reading the DFG frame
2884         and will not read it anymore, and we haven't started writing the baseline frame. So, at
2885         this point it is safe to set the stack pointer to account for the frame size at exit.
2886         
2887         This is benign because baseline happens to create larger frames than DFG.
2888
2889         * dfg/DFGOSRExitCompiler32_64.cpp:
2890         (JSC::DFG::OSRExitCompiler::compileExit):
2891         * dfg/DFGOSRExitCompiler64.cpp:
2892         (JSC::DFG::OSRExitCompiler::compileExit):
2893         * dfg/DFGOSRExitCompilerCommon.cpp:
2894         (JSC::DFG::adjustAndJumpToTarget):
2895
2896 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2897
2898         Shorten the number of iterations to 10,000 since that's enough to test all tiers.
2899
2900         Rubber stamped by Sam Weinig.
2901
2902         * tests/stress/equals-masquerader.js:
2903
2904 2015-03-22  Filip Pizlo  <fpizlo@apple.com>
2905
2906         tests/stress/*tdz* tests do 10x more iterations than necessary
2907         https://bugs.webkit.org/show_bug.cgi?id=142946
2908
2909         Reviewed by Ryosuke Niwa.
2910         
2911         The stress test harness runs all of these tests in various configurations. This includes
2912         no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
2913         enough to get to the highest tier. The only exceptions are very large functions or
2914         functions that have some reoptimizations. That happens rarely, and when it does happen,
2915         usually 20,000 iterations is enough.
2916         
2917         Therefore, these tests use 10x too many iterations. This is bad, since these tests
2918         allocate on each iteration, and so they run very slowly in debug mode.
2919
2920         * tests/stress/class-syntax-no-loop-tdz.js:
2921         * tests/stress/class-syntax-no-tdz-in-catch.js:
2922         * tests/stress/class-syntax-no-tdz-in-conditional.js:
2923         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
2924         * tests/stress/class-syntax-no-tdz-in-loop.js:
2925         * tests/stress/class-syntax-no-tdz.js:
2926         * tests/stress/class-syntax-tdz-in-catch.js:
2927         * tests/stress/class-syntax-tdz-in-conditional.js:
2928         * tests/stress/class-syntax-tdz-in-loop.js:
2929         * tests/stress/class-syntax-tdz.js:
2930
2931 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2932
2933         Fix a typo in Parser error message
2934         https://bugs.webkit.org/show_bug.cgi?id=142942
2935
2936         Reviewed by Alexey Proskuryakov.
2937
2938         * jit/JITPropertyAccess.cpp:
2939         (JSC::JIT::emitSlow_op_resolve_scope):
2940         * jit/JITPropertyAccess32_64.cpp:
2941         (JSC::JIT::emitSlow_op_resolve_scope):
2942         * parser/Parser.cpp:
2943         (JSC::Parser<LexerType>::parseClass):
2944         Fix a common identifier typo.
2945
2946 2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>
2947
2948         Computed Property names should allow only AssignmentExpressions, not any Expression
2949         https://bugs.webkit.org/show_bug.cgi?id=142902
2950
2951         Reviewed by Ryosuke Niwa.
2952
2953         * parser/Parser.cpp:
2954         (JSC::Parser<LexerType>::parseProperty):
2955         Limit computed expressions to just assignment expressions instead of
2956         any expression (which allowed comma expressions).
2957
2958 2015-03-21  Andreas Kling  <akling@apple.com>
2959
2960         Make UnlinkedFunctionExecutable fit in a 128-byte cell.
2961         <https://webkit.org/b/142939>
2962
2963         Reviewed by Mark Hahnenberg.
2964
2965         Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
2966         a 128-byte heap cell instead of requiring a 256-byte one.
2967
2968         Threw in a static_assert to catch anyone pushing it over the limit again.
2969
2970         * bytecode/UnlinkedCodeBlock.cpp:
2971         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2972         * bytecode/UnlinkedCodeBlock.h:
2973         (JSC::UnlinkedFunctionExecutable::functionMode):
2974
2975 2015-03-20  Mark Hahnenberg  <mhahnenb@gmail.com>
2976
2977         GCTimer should keep track of nested GC phases
2978         https://bugs.webkit.org/show_bug.cgi?id=142675
2979
2980         Reviewed by Darin Adler.
2981
2982         This improves the GC phase timing output in Heap.cpp by linking
2983         phases nested inside other phases together, allowing tools
2984         to compute how much time we're spending in various nested phases.
2985
2986         * heap/Heap.cpp:
2987
2988 2015-03-20  Geoffrey Garen  <ggaren@apple.com>
2989
2990         FunctionBodyNode should know where its parameters started
2991         https://bugs.webkit.org/show_bug.cgi?id=142926
2992
2993         Reviewed by Ryosuke Niwa.
2994
2995         This will allow us to re-parse parameters instead of keeping the
2996         parameters piece of the AST around forever.
2997
2998         I also took the opportunity to initialize most FunctionBodyNode data
2999         members at construction time, to help clarify that they are set right.
3000
3001         * parser/ASTBuilder.h:
3002         (JSC::ASTBuilder::createFunctionExpr): No need to pass
3003         functionKeywordStart here; we now provide it at FunctionBodyNode
3004         creation time.
3005
3006         (JSC::ASTBuilder::createFunctionBody): Require everything we need at
3007         construction time, including the start of our parameters.
3008
3009         (JSC::ASTBuilder::createGetterOrSetterProperty):
3010         (JSC::ASTBuilder::createFuncDeclStatement):  No need to pass
3011         functionKeywordStart here; we now provide it at FunctionBodyNode
3012         creation time.
3013
3014         (JSC::ASTBuilder::setFunctionNameStart): Deleted.
3015
3016         * parser/Nodes.cpp:
3017         (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at
3018         construction time.
3019
3020         * parser/Nodes.h: Added a field for the location of our parameters.
3021
3022         * parser/Parser.cpp:
3023         (JSC::Parser<LexerType>::parseFunctionBody):
3024         (JSC::Parser<LexerType>::parseFunctionInfo):
3025         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3026         (JSC::Parser<LexerType>::parseClass):
3027         (JSC::Parser<LexerType>::parsePropertyMethod):
3028         (JSC::Parser<LexerType>::parseGetterSetter):
3029         (JSC::Parser<LexerType>::parsePrimaryExpression):
3030         * parser/Parser.h: Refactored to match above interface changes.
3031
3032         * parser/SyntaxChecker.h:
3033         (JSC::SyntaxChecker::createFunctionExpr):
3034         (JSC::SyntaxChecker::createFunctionBody):
3035         (JSC::SyntaxChecker::createFuncDeclStatement):
3036         (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match
3037         above interface changes.
3038
3039         (JSC::SyntaxChecker::setFunctionNameStart): Deleted.
3040
3041 2015-03-20  Filip Pizlo  <fpizlo@apple.com>
3042
3043         Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes
3044         https://bugs.webkit.org/show_bug.cgi?id=142920
3045
3046         Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam.
3047         
3048         Observably effectful, n.: If we reexecute the bytecode instruction after this node has
3049         executed, then something other than the bytecode instruction's specified outcome will
3050         happen.
3051
3052         We almost never had observably effectful nodes except at the end of the bytecode
3053         instruction.  The exception is a lowered transitioning PutById:
3054
3055         PutStructure(@o, S1 -> S2)
3056         PutByOffset(@o, @o, @v)
3057
3058         The PutStructure is observably effectful: if you try to reexecute the bytecode after
3059         doing the PutStructure, then we'll most likely crash.  The generic PutById handling means
3060         first checking what the old structure of the object is; but if we reexecute, the old
3061         structure will seem to be the new structure.  But the property ensured by the new
3062         structure hasn't been stored yet, so any attempt to load it or scan it will crash.
3063
3064         Intriguingly, however, none of the other operations involved in the PutById are
3065         observably effectful.  Consider this example:
3066
3067         PutByOffset(@o, @o, @v)
3068         PutStructure(@o, S1 -> S2)
3069
3070         Note that the PutStructure node doesn't reallocate property storage; see further below
3071         for an example that does that. Because no property storage is happening, we know that we
3072         already had room for the new property.  This means that the PutByOffset is not observable
3073         until the PutStructure executes and "reveals" the property.  Hence, PutByOffset is not
3074         observably effectful.
3075
3076         Now consider this:
3077
3078         b: AllocatePropertyStorage(@o)
3079         PutByOffset(@b, @o, @v)
3080         PutStructure(@o, S1 -> S2)
3081
3082         Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably
3083         effectful. It *does* reallocate the property storage and the new property storage pointer
3084         is stored into the object. But until the PutStructure occurs, the world will just think
3085         that the reallocation didn't happen, in the sense that we'll think that the property
3086         storage is using less memory than what we just allocated. That's harmless.
3087
3088         The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the
3089         AllocatePropertyStorage but before the PutByOffset (or before the PutStructure),
3090         everything could be expected to be fine, so long as all of @o, @v and @b are on the
3091         stack. If they are all on the stack, then the GC will leave the property storage alone
3092         (so the extra memory we just allocated would be safe). The GC will not scan the part of
3093         the property storage that contains @v, but that's fine, so long as @v is on the stack.
3094         
3095         The better long-term solution is probably bug 142921.
3096         
3097         But for now, this:
3098         
3099         - Fixes an object materialization bug, exemplified by the two tests, that previously
3100           crashed 100% of the time with FTL enabled and concurrent JIT disabled.
3101         
3102         - Allows us to remove the workaround introduced in r174856.
3103
3104         * dfg/DFGByteCodeParser.cpp:
3105         (JSC::DFG::ByteCodeParser::handlePutById):
3106         * dfg/DFGConstantFoldingPhase.cpp:
3107         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3108         * dfg/DFGFixupPhase.cpp:
3109         (JSC::DFG::FixupPhase::insertCheck):
3110         (JSC::DFG::FixupPhase::indexOfNode): Deleted.
3111         (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted.
3112         * dfg/DFGInsertionSet.h:
3113         (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted.
3114         (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted.
3115         * tests/stress/materialize-past-butterfly-allocation.js: Added.
3116         (bar):
3117         (foo0):
3118         (foo1):
3119         (foo2):
3120         (foo3):
3121         (foo4):
3122         * tests/stress/materialize-past-put-structure.js: Added.
3123         (foo):
3124
3125 2015-03-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3126
3127         REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
3128         https://bugs.webkit.org/show_bug.cgi?id=142410
3129
3130         Reviewed by Geoffrey Garen.
3131
3132         Before this patch, the added function JSValue::toPropertyKey returned PropertyName.
3133         Since PropertyName doesn't have AtomicStringImpl ownership,
3134         if an Identifier is implicitly converted to PropertyName and the Identifier is destructed,
3135         PropertyName may refer to a freed AtomicStringImpl*.
3136
3137         This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
3138         to keep AtomicStringImpl* ownership after the toPropertyName call is done.
3139         And receive the result value as Identifier type to keep ownership on the caller side.
3140
3141         To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.
3142
3143         However, now we don't need to have both Identifier and PropertyName.
3144         So we'll merge PropertyName to Identifier in the subsequent patch.
3145
3146         * dfg/DFGOperations.cpp:
3147         (JSC::DFG::operationPutByValInternal):
3148         * jit/JITOperations.cpp:
3149         (JSC::getByVal):
3150         * llint/LLIntSlowPaths.cpp:
3151         (JSC::LLInt::getByVal):
3152         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3153         * runtime/CommonSlowPaths.cpp:
3154         (JSC::SLOW_PATH_DECL):
3155         * runtime/CommonSlowPaths.h:
3156         (JSC::CommonSlowPaths::opIn):
3157         * runtime/JSCJSValue.h:
3158         * runtime/JSCJSValueInlines.h:
3159         (JSC::JSValue::toPropertyKey):
3160         * runtime/ObjectConstructor.cpp:
3161         (JSC::objectConstructorGetOwnPropertyDescriptor):
3162         (JSC::objectConstructorDefineProperty):
3163         * runtime/ObjectPrototype.cpp:
3164         (JSC::objectProtoFuncPropertyIsEnumerable):
3165
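The lifetime hazard described above, as an added C++ example that is not JavaScriptCore's own code: the refcount, the "freed" flag and the *Model types are stand-ins constructed here, and toPropertyNameBefore/toPropertyNameAfter are hypothetical names for the two result types the entry contrasts.

```cpp
// Added example, not JavaScriptCore code: a minimal model of the lifetime bug
// described above. AtomicStringImplModel, IdentifierModel and PropertyNameModel
// are constructed stand-ins; the "freed" flag makes a dangling view observable
// without actually touching released memory.
#include <cassert>
#include <stdexcept>
#include <string>

// Stand-in for AtomicStringImpl: refcounted, and remembers once it was released.
struct AtomicStringImplModel {
    std::string chars;
    int refCount = 0;
    bool freed = false;
};

// Stand-in for Identifier: an owning handle; the last one to go releases the impl.
class IdentifierModel {
public:
    explicit IdentifierModel(AtomicStringImplModel* impl) : m_impl(impl) { ++m_impl->refCount; }
    IdentifierModel(const IdentifierModel& other) : m_impl(other.m_impl) { ++m_impl->refCount; }
    IdentifierModel& operator=(const IdentifierModel&) = delete;
    ~IdentifierModel() {
        if (--m_impl->refCount == 0)
            m_impl->freed = true; // models deallocation
    }
    AtomicStringImplModel* impl() const { return m_impl; }
private:
    AtomicStringImplModel* m_impl;
};

// Stand-in for PropertyName: a non-owning view, implicitly convertible from Identifier.
class PropertyNameModel {
public:
    PropertyNameModel(const IdentifierModel& id) : m_impl(id.impl()) {}
    const std::string& chars() const {
        if (m_impl->freed)
            throw std::logic_error("use after free: view refers to a released AtomicStringImpl");
        return m_impl->chars;
    }
private:
    AtomicStringImplModel* m_impl;
};

// Models converting a JS value to a property key: a fresh impl is created (as
// ToPropertyKey on a non-string value would) and the returned Identifier is its
// only owner. `storage` just provides the impl's memory for the example.
IdentifierModel makeKey(AtomicStringImplModel& storage, const std::string& text) {
    storage.chars = text;
    storage.refCount = 0;
    storage.freed = false;
    return IdentifierModel(&storage);
}

// Before the patch: the result type is the non-owning view. The temporary
// Identifier dies at the end of the return statement and drops the last ref.
PropertyNameModel toPropertyNameBefore(AtomicStringImplModel& storage, const std::string& text) {
    return makeKey(storage, text); // implicit Identifier -> PropertyName conversion
}

// After the patch: the owning Identifier is handed to the caller.
IdentifierModel toPropertyNameAfter(AtomicStringImplModel& storage, const std::string& text) {
    return makeKey(storage, text);
}

// Returns true when reading the key through the pre-patch result is a use-after-free.
bool beforeIsUseAfterFree() {
    AtomicStringImplModel storage;
    PropertyNameModel name = toPropertyNameBefore(storage, "foo");
    try {
        (void)name.chars();
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}

// Returns the key read via the post-patch result; `auto` keeps the Identifier,
// and a view taken from it stays valid for as long as `name` lives.
std::string afterReadsKey() {
    AtomicStringImplModel storage;
    auto name = toPropertyNameAfter(storage, "foo");
    PropertyNameModel view = name;
    return view.chars();
}

int main() {
    assert(beforeIsUseAfterFree());
    assert(afterReadsKey() == "foo");
    return 0;
}
```
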
3166 2015-03-18  Geoffrey Garen  <ggaren@apple.com>
3167
3168         Function.prototype.toString should not decompile the AST
3169         https://bugs.webkit.org/show_bug.cgi?id=142853
3170
3171         Reviewed by Sam Weinig.
3172
3173         To recover the function parameter string, Function.prototype.toString
3174         decompiles the function parameters from the AST. This is bad for a few
3175         reasons:
3176
3177         (1) It requires us to keep pieces of the AST live forever. This is an
3178         awkward design and a waste of memory.
3179
3180         (2) It doesn't match Firefox or Chrome (because it changes whitespace
3181         and ES6 destructuring expressions).
3182
3183         (3) It doesn't scale to ES6 default argument parameters, which require
3184         arbitrarily complex decompilation.
3185
3186         (4) It can counterfeit all the line numbers in a function (because
3187         whitespace can include newlines).
3188
3189         (5) It's expensive, and we've seen cases where websites invoke
3190         Function.prototype.toString a lot by accident.
3191
3192         The fix is to do what we do for the rest of the function: Just quote the
3193         original source text.
3194
3195         Since this change inevitably changes some function stringification, I
3196         took the opportunity to make our stringification match Firefox's and
3197         Chrome's.
3198
3199         * API/tests/testapi.c:
3200         (assertEqualsAsUTF8String): Be more informative when this fails.
3201
3202         (main): Updated to match new stringification rules.
3203
3204         * bytecode/UnlinkedCodeBlock.cpp:
3205         (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay!
3206         * bytecode/UnlinkedCodeBlock.h:
3207
3208         * parser/Nodes.h:
3209         (JSC::StatementNode::isFuncDeclNode): New helper for constructing
3210         anonymous functions.
3211
3212         * parser/SourceCode.h:
3213         (JSC::SourceCode::SourceCode): Allow zero because WebCore wants it.
3214
3215         * runtime/CodeCache.cpp:
3216         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Updated for use
3217         of function declaration over function expression.
3218
3219         * runtime/Executable.cpp:
3220         (JSC::FunctionExecutable::paramString): Deleted. Yay!
3221         * runtime/Executable.h:
3222         (JSC::FunctionExecutable::parameterCount):
3223
3224         * runtime/FunctionConstructor.cpp:
3225         (JSC::constructFunctionSkippingEvalEnabledCheck): Added a newline after
3226         the opening brace to match Firefox and Chrome, and a space after the comma
3227         to match Firefox and WebKit coding style. Added the function name to
3228         the text of the function so it would look right when stringify-ing. Switched
3229         from parentheses to braces to produce a function declaration instead of
3230         a function expression because we are required to exclude the function's
3231         name from its scope, and that's what a function declaration does.
3232
3233         * runtime/FunctionPrototype.cpp:
3234         (JSC::functionProtoFuncToString): Removed an old workaround because the
3235         library it worked around doesn't really exist anymore, and the behavior
3236         doesn't match Firefox or Chrome. Use type profiling offsets instead of
3237         function body offsets because we want to include the function name and
3238         the parameter string, rather than stitching them in manually by
3239         decompiling the AST.
3240
3241         (JSC::insertSemicolonIfNeeded): Deleted.
3242
3243         * tests/mozilla/js1_2/function/tostring-1.js:
3244         * tests/mozilla/js1_5/Scope/regress-185485.js:
3245         (with.g): Updated these test results for formatting changes.
3246
3247 2015-03-20  Joseph Pecoraro  <pecoraro@apple.com>
3248
3249         SyntaxChecker assertion is trapped with computed property name and getter
3250         https://bugs.webkit.org/show_bug.cgi?id=142863
3251
3252         Reviewed by Ryosuke Niwa.
3253
3254         * parser/SyntaxChecker.h:
3255         (JSC::SyntaxChecker::getName):
3256         Remove invalid assert. Computed properties will not have a name
3257         and the calling code is checking for null expecting it. The
3258         AST path (non-CheckingPath) already does this without the assert
3259         so it is well tested.
3260
3261 2015-03-19  Mark Lam  <mark.lam@apple.com>
3262
3263         JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called.
3264         <https://webkit.org/b/142846>
3265
3266         Reviewed by Geoffrey Garen.
3267
3268         Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:
3269         1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef
3270            that a JSCallbackObject references.
3271         2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via
3272            vm.heap.addFinalizer() which destroys the JSCallbackObject.
3273
3274         The first finalizer is implemented as a virtual function of a JSCallbackObjectData
3275         instance that will be destructed if the 2nd finalizer is called.  Hence, if the
3276         2nd finalizer is called first, the later invocation of the 1st finalizer will
3277         result in a crash.
3278
3279         This patch fixes the issue by eliminating the finalizer registration in init().
3280         Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers
3281         if needed.  This ensures that these finalizers are called before the JSCallbackObject
3282         is destructed.
3283
3284         Also added assertions to a few Heap functions because JSCell::classInfo() expects
3285         all objects that are allocated from MarkedBlock::Normal blocks to be derived from
3286         JSDestructibleObject.  These assertions will help us catch violations of this
3287         expectation earlier.
3288
3289         * API/JSCallbackObject.cpp:
3290         (JSC::JSCallbackObjectData::finalize): Deleted.
3291         * API/JSCallbackObject.h:
3292         (JSC::JSCallbackObjectData::~JSCallbackObjectData):
3293         * API/JSCallbackObjectFunctions.h:
3294         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
3295         (JSC::JSCallbackObject<Parent>::init):
3296         * API/tests/GlobalContextWithFinalizerTest.cpp: Added.
3297         (finalize):
3298         (testGlobalContextWithFinalizer):
3299         * API/tests/GlobalContextWithFinalizerTest.h: Added.
3300         * API/tests/testapi.c:
3301         (main):
3302         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
3303         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
3304         * JavaScriptCore.xcodeproj/project.pbxproj:
3305         * heap/HeapInlines.h:
3306         (JSC::Heap::allocateObjectOfType):
3307         (JSC::Heap::subspaceForObjectOfType):
3308         (JSC::Heap::allocatorForObjectOfType):
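
The ordering fix described in this entry, as an added example that is not JSC's code: `ClassRef`, `CallbackData`, `CallbackObject` and `Heap` are hypothetical stand-ins for JSClassRef, JSCallbackObjectData, JSCallbackObject and the heap's finalizer list. Only the "destroy the object" finalizer is registered with the heap; the destructor runs the per-class finalizers while the data block is still alive, and the returned event log makes that order checkable.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Added example, not JSC code: a model of the ordering fix. The object owns a
// data block, and the per-class finalizers must observe that data alive. Instead
// of registering those finalizers with the heap separately (where they could run
// after the "destroy the object" finalizer), only the destroy finalizer is
// registered and the object's destructor runs the class finalizers itself,
// before its members are torn down.

struct ClassRef {
    std::string name;
    std::function<void(const std::string&)> finalize; // may be empty
};

struct CallbackData {
    std::vector<ClassRef*> classes;
    std::vector<std::string>* log; // event log, used to check ordering
    CallbackData(std::vector<ClassRef*> c, std::vector<std::string>* l)
        : classes(std::move(c)), log(l) {}
    ~CallbackData() { log->push_back("data destroyed"); }
};

struct CallbackObject {
    std::unique_ptr<CallbackData> data;
    explicit CallbackObject(std::unique_ptr<CallbackData> d) : data(std::move(d)) {}
    // The destructor body runs before the members are destroyed, so every class
    // finalizer sees a live CallbackData; only afterwards does data go away.
    ~CallbackObject() {
        for (ClassRef* cls : data->classes) {
            if (cls->finalize)
                cls->finalize(cls->name);
        }
    }
};

// Minimal stand-in for the heap's finalizer list: runs them in registration order.
struct Heap {
    std::vector<std::function<void()>> finalizers;
    void addFinalizer(std::function<void()> f) { finalizers.push_back(std::move(f)); }
    void collect() {
        for (auto& f : finalizers)
            f();
        finalizers.clear();
    }
};

// Builds an object with two classes (one with a finalizer, one without),
// collects it, and returns the event log in the order the events happened.
std::vector<std::string> simulateCollection() {
    std::vector<std::string> log;
    ClassRef withFinalizer{"ClassA", [&log](const std::string& n) { log.push_back("finalize " + n); }};
    ClassRef withoutFinalizer{"ClassB", nullptr};
    Heap heap;
    auto* object = new CallbackObject(
        std::make_unique<CallbackData>(std::vector<ClassRef*>{&withFinalizer, &withoutFinalizer}, &log));
    heap.addFinalizer([object] { delete object; }); // the only heap-registered finalizer
    heap.collect();
    return log;
}

// True when every class finalizer ran before the data block was destroyed.
bool finalizersRanBeforeDataDestroyed() {
    auto log = simulateCollection();
    return log.size() == 2 && log[0] == "finalize ClassA" && log[1] == "data destroyed";
}
```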
3309
3310 2015-03-19  Andreas Kling  <akling@apple.com>
3311
3312         JSCallee unnecessarily overrides a bunch of things in the method table.
3313         <https://webkit.org/b/142855>
3314
3315         Reviewed by Geoffrey Garen.
3316
3317         Remove JSCallee method table overrides that simply call to base class.
3318         This makes JSFunction property slot lookups slightly more efficient since
3319         they can take the fast path when passing over JSCallee in the base class chain.
3320
3321         * runtime/JSCallee.cpp:
3322         (JSC::JSCallee::getOwnPropertySlot): Deleted.
3323         (JSC::JSCallee::getOwnNonIndexPropertyNames): Deleted.
3324         (JSC::JSCallee::put): Deleted.
3325         (JSC::JSCallee::deleteProperty): Deleted.
3326         (JSC::JSCallee::defineOwnProperty): Deleted.
3327         * runtime/JSCallee.h:
3328
3329 2015-03-19  Andreas Kling  <akling@apple.com>
3330
3331         DFGAllocator should use bmalloc's aligned allocator.
3332         <https://webkit.org/b/142871>
3333
3334         Reviewed by Geoffrey Garen.
3335
3336         Switch DFGAllocator to using bmalloc through fastAlignedMalloc().
3337
3338         * dfg/DFGAllocator.h:
3339         (JSC::DFG::Allocator<T>::allocateSlow):
3340         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
3341         * heap/CopiedSpace.h:
3342         * heap/MarkedBlock.h:
3343         * heap/MarkedSpace.h:
3344
3345 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
3346
3347         ES6 Classes: Extends should accept an expression without parenthesis
3348         https://bugs.webkit.org/show_bug.cgi?id=142840
3349
3350         Reviewed by Ryosuke Niwa.
3351
3352         * parser/Parser.cpp:
3353         (JSC::Parser<LexerType>::parseClass):
3354         "extends" allows a LeftHandExpression (new expression / call expression,
3355         which includes a member expression), not a primary expression. Our
3356         parseMemberExpression does all of these.
3357
3358 2015-03-18  Joseph Pecoraro  <pecoraro@apple.com>
3359
3360         Web Inspector: Debugger Popovers and Probes should use FormattedValue/ObjectTreeView instead of Custom/ObjectPropertiesSection
3361         https://bugs.webkit.org/show_bug.cgi?id=142830
3362
3363         Reviewed by Timothy Hatcher.
3364
3365         * inspector/agents/InspectorDebuggerAgent.cpp:
3366         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
3367         Give Probe Samples object previews.
3368
3369 2015-03-17  Ryuan Choi  <ryuan.choi@navercorp.com>
3370
3371         [EFL] Expose JavaScript binding interface through ewk_extension
3372         https://bugs.webkit.org/show_bug.cgi?id=142033
3373
3374         Reviewed by Gyuyoung Kim.
3375
3376         * PlatformEfl.cmake: Install Javascript APIs.
3377
3378 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
3379
3380         Function bodies should always include braces
3381         https://bugs.webkit.org/show_bug.cgi?id=142795
3382
3383         Reviewed by Michael Saboff.
3384
3385         Having a mode for excluding the opening and closing braces from a function
3386         body was unnecessary and confusing.
3387
3388         * bytecode/CodeBlock.cpp:
3389         (JSC::CodeBlock::CodeBlock): Adopt the new one true linking function.
3390
3391         * bytecode/UnlinkedCodeBlock.cpp:
3392         (JSC::generateFunctionCodeBlock):
3393         (JSC::UnlinkedFunctionExecutable::link):
3394         (JSC::UnlinkedFunctionExecutable::codeBlockFor): No need to pass through
3395         a boolean: there is only one kind of function now.
3396
3397         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Deleted.
3398         (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Deleted. Let's only
3399         have one way to do things. This removes the old mode that would pretend
3400         that a function always started at column 1. That pretense was not true:
3401         an attribute event listener does not necessarily start at column 1.
3402
3403         * bytecode/UnlinkedCodeBlock.h:
3404         * generate-js-builtins: Adopt the new one true linking function.
3405
3406         * parser/Parser.h:
3407         (JSC::Parser<LexerType>::parse):
3408         (JSC::parse): needsReparsingAdjustment is always true now, so I removed it.
3409
3410         * runtime/Executable.cpp:
3411         (JSC::ScriptExecutable::newCodeBlockFor):
3412         (JSC::FunctionExecutable::FunctionExecutable):
3413         (JSC::ProgramExecutable::initializeGlobalProperties):
3414         (JSC::FunctionExecutable::fromGlobalCode):
3415         * runtime/Executable.h:
3416         (JSC::FunctionExecutable::create):
3417         (JSC::FunctionExecutable::bodyIncludesBraces): Deleted. Removed unused stuff.
3418
3419         * runtime/FunctionConstructor.cpp:
3420         (JSC::constructFunctionSkippingEvalEnabledCheck): Always provide a
3421         leading space because that's what this function's comment says is required
3422         for web compatibility. We used to fake this up after the fact when
3423         stringifying, based on the bodyIncludesBraces flag, but that flag is gone now.
3424
3425         * runtime/FunctionPrototype.cpp:
3426         (JSC::insertSemicolonIfNeeded):
3427         (JSC::functionProtoFuncToString): No need to add braces and/or a space
3428         after the fact -- we always have them now.
3429
3430 2015-03-17  Mark Lam  <mark.lam@apple.com>
3431
3432         Refactor execution time limit tests out of testapi.c.
3433         <https://webkit.org/b/142798>
3434
3435         Rubber stamped by Michael Saboff.
3436
3437         These tests were sometimes failing to time out on C loop builds.  Let's
3438         refactor them out of the big monolith that is testapi.c so that we can
3439         reason more easily about them and make adjustments if needed.
3440
3441         * API/tests/ExecutionTimeLimitTest.cpp: Added.
3442         (currentCPUTime):
3443         (currentCPUTimeAsJSFunctionCallback):
3444         (shouldTerminateCallback):
3445         (cancelTerminateCallback):
3446         (extendTerminateCallback):
3447         (testExecutionTimeLimit):
3448         * API/tests/ExecutionTimeLimitTest.h: Added.
3449         * API/tests/testapi.c:
3450         (main):
3451         (currentCPUTime): Deleted.
3452         (currentCPUTime_callAsFunction): Deleted.
3453         (shouldTerminateCallback): Deleted.
3454         (cancelTerminateCallback): Deleted.
3455         (extendTerminateCallback): Deleted.
3456         * JavaScriptCore.xcodeproj/project.pbxproj:
3457
3458 2015-03-17  Geoffrey Garen  <ggaren@apple.com>
3459
3460         Built-in functions should know that they use strict mode
3461         https://bugs.webkit.org/show_bug.cgi?id=142788
3462
3463         Reviewed by Mark Lam.
3464
3465         Even though all of our builtin functions use strict mode, the parser
3466         thinks that they don't. This is because Executable::toStrictness treats
3467         builtin-ness and strict-ness as mutually exclusive.
3468
3469         The fix is to disambiguate builtin-ness from strict-ness.
3470
3471         This bug is currently unobservable because of some other parser bugs. But
3472         it causes lots of test failures once those other bugs are fixed.
3473
3474         * API/JSScriptRef.cpp:
3475         (parseScript):
3476         * builtins/BuiltinExecutables.cpp:
3477         (JSC::BuiltinExecutables::createBuiltinExecutable): Adopt the new API
3478         for a separate value to indicate builtin-ness vs strict-ness.
3479
3480         * bytecode/UnlinkedCodeBlock.cpp:
3481         (JSC::generateFunctionCodeBlock):
3482         (JSC::UnlinkedFunctionExecutable::codeBlockFor): Ditto.
3483
3484         * bytecode/UnlinkedCodeBlock.h:
3485         (JSC::UnlinkedFunctionExecutable::toStrictness): Deleted. This function
3486         was misleading since it pretended that no builtin function was ever
3487         strict, which is the opposite of true.
3488
3489         * parser/Lexer.cpp:
3490         (JSC::Lexer<T>::Lexer):
3491         * parser/Lexer.h:
3492         * parser/Parser.cpp:
3493         (JSC::Parser<LexerType>::Parser):
3494         * parser/Parser.h:
3495         (JSC::parse): Adopt the new API.
3496
3497         * parser/ParserModes.h: Added JSParserBuiltinMode, and tried to give
3498         existing modes clearer names.
3499
3500         * runtime/CodeCache.cpp:
3501         (JSC::CodeCache::getGlobalCodeBlock):
3502         (JSC::CodeCache::getProgramCodeBlock):
3503         (JSC::CodeCache::getEvalCodeBlock):
3504         (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Adopt the new API.
3505
3506         * runtime/CodeCache.h:
3507         (JSC::SourceCodeKey::SourceCodeKey): Be sure to treat strict-ness and
3508         builtin-ness as separate pieces of the code cache key. We would not want
3509         a user function to match a built-in function in the cache, even if they
3510         agreed about strictness, since builtin functions have different lexing
3511         rules.
3512
3513         * runtime/Completion.cpp:
3514         (JSC::checkSyntax):
3515         * runtime/Executable.cpp:
3516         (JSC::FunctionExecutable::FunctionExecutable):
3517         (JSC::ProgramExecutable::checkSyntax):
3518         * runtime/Executable.h:
3519         (JSC::FunctionExecutable::create):
3520         * runtime/JSGlobalObject.cpp:
3521         (JSC::JSGlobalObject::createProgramCodeBlock):
3522         (JSC::JSGlobalObject::createEvalCodeBlock): Adopt the new API.
3523
3524 2015-03-16  Filip Pizlo  <fpizlo@apple.com>
3525
3526         DFG IR shouldn't have a separate node for every kind of put hint that could be described using PromotedLocationDescriptor
3527         https://bugs.webkit.org/show_bug.cgi?id=142769
3528
3529         Reviewed by Michael Saboff.
3530         
3531         When we sink an object allocation, we need to have some way of tracking what stores would
3532         have happened had the allocation not been sunk, so that we know how to rematerialize the
3533         object on OSR exit. Prior to this change, trunk had two ways of describing such a "put
3534         hint":
3535         
3536         - The PutStructureHint and PutByOffsetHint node types.
3537         - The PromotedLocationDescriptor class, which has an enum with cases StructurePLoc and
3538           NamedPropertyPLoc.
3539         
3540         We also had ways of converting from a Node with those two node types to a
3541         PromotedLocationDescriptor, and we had a way of converting a PromotedLocationDescriptor to
3542         a Node.
3543         
3544         This change removes the redundancy. We now have just one node type that corresponds to a
3545         put hint, and it's called PutHint. It has a PromotedLocationDescriptor as metadata.
3546         Converting between a PutHint node and a PromotedLocationDescriptor and vice-versa is now
3547         trivial.
3548         
3549         This means that if we add new kinds of sunken objects, we'll have less pro-forma to write
3550         for the put hints to those objects. This is mainly to simplify the implementation of
3551         arguments elimination in bug 141174.
3552
3553         * dfg/DFGAbstractInterpreterInlines.h:
3554         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3555         * dfg/DFGClobberize.h:
3556         (JSC::DFG::clobberize):
3557         * dfg/DFGDoesGC.cpp:
3558         (JSC::DFG::doesGC):
3559         * dfg/DFGFixupPhase.cpp:
3560         (JSC::DFG::FixupPhase::fixupNode):
3561         * dfg/DFGGraph.cpp:
3562         (JSC::DFG::Graph::dump):
3563         (JSC::DFG::Graph::mergeRelevantToOSR):
3564         * dfg/DFGMayExit.cpp:
3565         (JSC::DFG::mayExit):
3566         * dfg/DFGNode.cpp:
3567         (JSC::DFG::Node::convertToPutHint):
3568         (JSC::DFG::Node::convertToPutStructureHint):
3569         (JSC::DFG::Node::convertToPutByOffsetHint):
3570         (JSC::DFG::Node::promotedLocationDescriptor):
3571         * dfg/DFGNode.h:
3572         (JSC::DFG::Node::hasIdentifier):
3573         (JSC::DFG::Node::hasPromotedLocationDescriptor):
3574         (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
3575         (JSC::DFG::Node::convertToPutStructureHint): Deleted.
3576         * dfg/DFGNodeType.h:
3577         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3578         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3579         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3580         (JSC::DFG::ObjectAllocationSinkingPhase::run):
3581         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
3582         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
3583         * dfg/DFGPredictionPropagationPhase.cpp:
3584         (JSC::DFG::PredictionPropagationPhase::propagate):
3585         * dfg/DFGPromoteHeapAccess.h:
3586         (JSC::DFG::promoteHeapAccess):
3587         * dfg/DFGPromotedHeapLocation.cpp:
3588         (JSC::DFG::PromotedHeapLocation::createHint):
3589         * dfg/DFGPromotedHeapLocation.h:
3590         (JSC::DFG::PromotedLocationDescriptor::imm1):
3591         (JSC::DFG::PromotedLocationDescriptor::imm2):
3592         * dfg/DFGSafeToExecute.h:
3593         (JSC::DFG::safeToExecute):
3594         * dfg/DFGSpeculativeJIT32_64.cpp:
3595         (JSC::DFG::SpeculativeJIT::compile):
3596         * dfg/DFGSpeculativeJIT64.cpp:
3597         (JSC::DFG::SpeculativeJIT::compile):
3598         * dfg/DFGValidate.cpp:
3599         (JSC::DFG::Validate::validateCPS):
3600         * ftl/FTLCapabilities.cpp:
3601         (JSC::FTL::canCompile):
3602         * ftl/FTLLowerDFGToLLVM.cpp:
3603         (JSC::FTL::LowerDFGToLLVM::compileNode):
3604
3605 2015-03-17  Michael Saboff  <msaboff@apple.com>
3606
3607         Windows X86-64 should use the fixed executable allocator
3608         https://bugs.webkit.org/show_bug.cgi?id=142749
3609
3610         Reviewed by Filip Pizlo.
3611
3612         Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build.
3613
3614         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3615         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3616         * jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows.
3617
3618 2015-03-17  Matt Baker  <mattbaker@apple.com>
3619
3620         Web Inspector: Show rendering frames (and FPS) in Layout and Rendering timeline
3621         https://bugs.webkit.org/show_bug.cgi?id=142029
3622
3623         Reviewed by Timothy Hatcher.
3624
3625         * inspector/protocol/Timeline.json:
3626         Added new event type for runloop timeline records.
3627
3628 2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>
3629
3630         Enable ES6 classes by default
3631         https://bugs.webkit.org/show_bug.cgi?id=142774
3632
3633         Reviewed by Gavin Barraclough.
3634
3635         Enabled the feature and unskipped tests.
3636
3637         * Configurations/FeatureDefines.xcconfig:
3638         * tests/stress/class-syntax-no-loop-tdz.js:
3639         * tests/stress/class-syntax-no-tdz-in-catch.js:
3640         * tests/stress/class-syntax-no-tdz-in-conditional.js:
3641         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
3642         * tests/stress/class-syntax-no-tdz-in-loop.js:
3643         * tests/stress/class-syntax-no-tdz.js:
3644         * tests/stress/class-syntax-tdz-in-catch.js:
3645         * tests/stress/class-syntax-tdz-in-conditional.js:
3646         * tests/stress/class-syntax-tdz-in-loop.js:
3647         * tests/stress/class-syntax-tdz.js:
3648
3649 2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>
3650
3651         Web Inspector: Better Console Previews for Arrays / Small Objects
3652         https://bugs.webkit.org/show_bug.cgi?id=142322
3653
3654         Reviewed by Timothy Hatcher.
3655
3656         * inspector/InjectedScriptSource.js:
3657         Create deep valuePreviews for simple previewable objects,
3658         such as arrays with 5 values, or basic objects with
3659         3 properties.
3660
3661 2015-03-16  Ryosuke Niwa  <rniwa@webkit.org>
3662
3663         Add support for default constructor
3664         https://bugs.webkit.org/show_bug.cgi?id=142388
3665
3666         Reviewed by Filip Pizlo.
3667
3668         Added the support for default constructors. They're generated by ClassExprNode::emitBytecode
3669         via BuiltinExecutables::createDefaultConstructor.
3670
3671         UnlinkedFunctionExecutable now has the ability to override SourceCode provided by the owner
3672         executable. We can't store SourceCode in UnlinkedFunctionExecutable since CodeCache can use
3673         the same UnlinkedFunctionExecutable to generate code blocks for multiple functions.
3674
3675         Parser now has the ability to treat any function expression as a constructor of the kind specified
3676         by m_defaultConstructorKind member variable.
3677
3678         * builtins/BuiltinExecutables.cpp:
3679         (JSC::BuiltinExecutables::createDefaultConstructor): Added.
3680         (JSC::BuiltinExecutables::createExecutableInternal): Generalized from createBuiltinExecutable.
3681         Parse default constructors as normal non-builtin functions. Override SourceCode in the unlinked
3682         function executable since the Miranda function's code is definitely not in the owner executable's
3683         source code. That's the whole point.
3684         * builtins/BuiltinExecutables.h:
3685         (UnlinkedFunctionExecutable::createBuiltinExecutable): Added. Wraps createExecutableInternal.
3686         * bytecode/UnlinkedCodeBlock.cpp:
3687         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3688         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable):
3689         (JSC::UnlinkedFunctionExecutable::linkGlobalCode):
3690         * bytecode/UnlinkedCodeBlock.h:
3691         (JSC::UnlinkedFunctionExecutable::create):
3692         (JSC::UnlinkedFunctionExecutable::symbolTable): Deleted.
3693         * bytecompiler/BytecodeGenerator.cpp:
3694         (JSC::BytecodeGenerator::emitNewDefaultConstructor): Added.
3695         * bytecompiler/BytecodeGenerator.h:
3696         * bytecompiler/NodesCodegen.cpp:
3697         (JSC::ClassExprNode::emitBytecode): Generate the default constructor if needed.
3698         * parser/Parser.cpp:
3699         (JSC::Parser<LexerType>::Parser):
3700         (JSC::Parser<LexerType>::parseFunctionInfo): Override ownerClassKind and assume the function as
3701         a constructor if we're parsing a default constructor.
3702         (JSC::Parser<LexerType>::parseClass): Allow omission of the class constructor.
3703         * parser/Parser.h:
3704         (JSC::parse):
3705
3706 2015-03-16  Alex Christensen  <achristensen@webkit.org>
3707
3708         Progress towards CMake on Mac
3709         https://bugs.webkit.org/show_bug.cgi?id=142747
3710
3711         Reviewed by Chris Dumez.
3712
3713         * CMakeLists.txt:
3714         Include AugmentableInspectorController.h in CMake build.
3715
3716 2015-03-16  Csaba Osztrogonác  <ossy@webkit.org>
3717
3718         [ARM] Enable generating idiv instructions if it is supported
3719         https://bugs.webkit.org/show_bug.cgi?id=142725
3720
3721         Reviewed by Michael Saboff.
3722
3723         * assembler/ARMAssembler.h: Added sdiv and udiv implementation for ARM Traditional instruction set.
3724         (JSC::ARMAssembler::sdiv):
3725         (JSC::ARMAssembler::udiv):
3726         * assembler/ARMv7Assembler.h: Use HAVE(ARM_IDIV_INSTRUCTIONS) instead of CPU(APPLE_ARMV7S).
3727         * assembler/AbstractMacroAssembler.h:
3728         (JSC::isARMv7IDIVSupported):
3729         (JSC::optimizeForARMv7IDIVSupported):
3730         (JSC::isARMv7s): Renamed to isARMv7IDIVSupported().
3731         (JSC::optimizeForARMv7s): Renamed to optimizeForARMv7IDIVSupported().
3732         * dfg/DFGFixupPhase.cpp:
3733         (JSC::DFG::FixupPhase::fixupNode):
3734         * dfg/DFGSpeculativeJIT.cpp:
3735         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3736         (JSC::DFG::SpeculativeJIT::compileArithMod):
3737
3738 2015-03-15  Filip Pizlo  <fpizlo@apple.com>
3739
3740         DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source, and emit GetStacks when the stack's value is needed and none is deferred
3741         https://bugs.webkit.org/show_bug.cgi?id=141624
3742
3743         Reviewed by Geoffrey Garen.
3744
3745         Not eliminating GetStacks was an obvious omission from the original PutStackSinkingPhase.
3746         Previously, we would treat GetStacks conservatively and assume that the stack slot
3747         escaped. That's pretty dumb, since a GetStack is a local load of the stack. This change
3748         makes GetStack a no-op from the standpoint of this phase's deferral analysis. At the end
3749         we either keep the GetStack (if there was no concrete deferral) or we replace it with an
3750         identity over the value that would have been stored by the deferred PutStack. Note that
3751         this might be a Phi that the phase creates, so this is strictly stronger than what GCSE
3752         could do.
3753         
3754         But this change revealed the fact that this phase never correctly handled side effects in
3755         case that we had done a GetStack, then a side-effect, and then found ourselves wanting the
3756         value on the stack due to (for example) a Phi on a deferred PutStack and that GetStack.
3757         Basically, it's only correct to use the SSA converter's incoming value mapping if we have
3758         a concrete deferral - since anything but a concrete deferral may imply that the value has
3759         been clobbered.
3760         
3761         This has no performance change. I believe that the bug was previously benign because we
3762         have so few operations that clobber the stack anymore, and most of those get used in a
3763         very idiomatic way. The GetStack elimination will be very useful for the varargs
3764         simplification that is part of bug 141174.
3765         
3766         This includes a test for the case that Speedometer hit, plus tests for the other cases I
3767         thought of once I realized the deeper issue.
3768
3769         * dfg/DFGPutStackSinkingPhase.cpp:
3770         * tests/stress/get-stack-identity-due-to-sinking.js: Added.
3771         (foo):
3772         (bar):
3773         * tests/stress/get-stack-mapping-with-dead-get-stack.js: Added.
3774         (bar):
3775         (foo):
3776         * tests/stress/get-stack-mapping.js: Added.
3777         (bar):
3778         (foo):
3779         * tests/stress/weird-put-stack-varargs.js: Added.
3780         (baz):
3781         (foo):
3782         (fuzz):
3783         (bar):
3784
3785 2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>
3786
3787         Update Map/Set to treat -0 and 0 as the same value
3788         https://bugs.webkit.org/show_bug.cgi?id=142709
3789
3790         Reviewed by Csaba Osztrogonác.
3791
3792         * runtime/MapData.h:
3793         (JSC::MapDataImpl<Entry>::KeyType::KeyType):
3794         No longer special case -0. It will be treated as the same as 0.
3795
3796 2015-03-15  Joseph Pecoraro  <pecoraro@apple.com>
3797
3798         Web Inspector: Better handle displaying -0
3799         https://bugs.webkit.org/show_bug.cgi?id=142708
3800
3801         Reviewed by Timothy Hatcher.
3802
3803         Modeled after a blink change:
3804
3805         Patch by <aandrey@chromium.org>
3806         DevTools: DevTools: Show -0 for negative zero in console
3807         https://src.chromium.org/viewvc/blink?revision=162605&view=revision
3808
3809         * inspector/InjectedScriptSource.js:
3810         When creating a description string, or preview value string
3811         for -0, be sure the string is "-0" and not "0".
3812
3813 2015-03-14  Ryosuke Niwa  <rniwa@webkit.org>
3814
3815         parseClass should popScope after pushScope
3816         https://bugs.webkit.org/show_bug.cgi?id=142689
3817
3818         Reviewed by Benjamin Poulain.
3819
3820         Pop the parser scope as needed.
3821
3822         * parser/Parser.cpp:
3823         (JSC::Parser<LexerType>::parseClass):
3824
3825 2015-03-14  Dean Jackson  <dino@apple.com>
3826
3827         Feature flag for Animations Level 2
3828         https://bugs.webkit.org/show_bug.cgi?id=142699
3829         <rdar://problem/20165097>
3830
3831         Reviewed by Brent Fulgham.
3832
3833         Add ENABLE_CSS_ANIMATIONS_LEVEL_2 and a runtime flag animationTriggersEnabled.
3834
3835         * Configurations/FeatureDefines.xcconfig:
3836
3837 2015-03-14  Commit Queue  <commit-queue@webkit.org>
3838
3839         Unreviewed, rolling out r181487.
3840         https://bugs.webkit.org/show_bug.cgi?id=142695
3841
3842         Caused Speedometer/Full.html to fail (Requested by smfr on
3843         #webkit).
3844
3845         Reverted changeset:
3846
3847         "DFG::PutStackSinkingPhase should eliminate GetStacks that
3848         have an obviously known source"
3849         https://bugs.webkit.org/show_bug.cgi?id=141624
3850         http://trac.webkit.org/changeset/181487
3851
3852 2015-03-14  Michael Saboff  <msaboff@apple.com>
3853
3854         ES6: Add binary and octal literal support
3855         https://bugs.webkit.org/show_bug.cgi?id=142681
3856
3857         Reviewed by Ryosuke Niwa.
3858
3859         Added a binary literal parser function, parseBinary(), to Lexer patterned after the octal parser.
3860         Refactored the parseBinary, parseOctal and parseDecimal to use a constant size for the number of
3861         characters to try and handle directly. Factored out the shifting past any prefix to be handled by
3862         the caller. Added binary and octal parsing to toDouble() via helper functions.
3863
3864         * parser/Lexer.cpp:
3865         (JSC::Lexer<T>::parseHex):
3866         (JSC::Lexer<T>::parseBinary):
3867         (JSC::Lexer<T>::parseOctal):
3868         (JSC::Lexer<T>::parseDecimal):
3869         (JSC::Lexer<T>::lex):
3870         * parser/Lexer.h:
3871         * parser/ParserTokens.h:
3872         * runtime/JSGlobalObjectFunctions.cpp:
3873         (JSC::jsBinaryIntegerLiteral):
3874         (JSC::jsOctalIntegerLiteral):
3875         (JSC::toDouble):
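
The prefix-then-digits split this entry describes, as an added example that is not JSC's code: `parseRadixDigits`, `lexIntegerLiteral` and `maximumDirectDigits` are hypothetical names. The caller skips the 0b/0o/0x prefix, the digit parser consumes a fixed, radix-specific number of digits into a uint32 that cannot overflow, and longer literals fall through to a double accumulator; a bare prefix or a non-digit directly after the digits is rejected. Legacy leading-zero octal, fractions and exponents are out of scope.

```cpp
#include <cstdint>
#include <optional>
#include <string>

// Added example, not JSC code: models the lexing described in the entry. The
// caller strips the radix prefix, the digit parser handles a bounded number of
// digits directly in a uint32, and anything longer accumulates as a double.

// Value of c as a digit in the given radix, or -1 if it is not one.
static int digitValue(char c, int radix) {
    int v;
    if (c >= '0' && c <= '9') v = c - '0';
    else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
    else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
    else return -1;
    return v < radix ? v : -1;
}

// Largest digit count a uint32 accumulator can take without overflow:
// 2^32 for binary, 8^10 = 2^30 for octal, 16^8 = 2^32 for hex, 10^9 < 2^32.
static int maximumDirectDigits(int radix) {
    switch (radix) {
    case 2: return 32;
    case 8: return 10;
    case 16: return 8;
    default: return 9;
    }
}

struct ParsedDigits {
    double value;
    size_t consumed; // digits consumed after the prefix
};

// Parses a run of radix digits starting at s[pos]. Returns nullopt if no digit
// is present (a bare prefix such as "0b" is a syntax error).
static std::optional<ParsedDigits> parseRadixDigits(const std::string& s, size_t pos, int radix) {
    const int maximumDigits = maximumDirectDigits(radix);
    uint32_t fast = 0;
    size_t i = pos;
    int digits = 0;
    // Fast path: a bounded number of digits into a uint32, no overflow possible.
    while (i < s.size() && digits < maximumDigits) {
        int d = digitValue(s[i], radix);
        if (d < 0) break;
        fast = fast * static_cast<uint32_t>(radix) + static_cast<uint32_t>(d);
        ++i;
        ++digits;
    }
    if (digits == 0) return std::nullopt;
    double value = fast;
    // Slow path: remaining digits accumulate in a double, so a long literal
    // rounds in a defined way instead of silently wrapping.
    while (i < s.size()) {
        int d = digitValue(s[i], radix);
        if (d < 0) break;
        value = value * radix + d;
        ++i;
    }
    return ParsedDigits{value, i - pos};
}

// Lexes one complete integer literal with an optional 0b/0o/0x prefix (either
// case). Returns nullopt for a bare prefix or a stray character after the
// digits, e.g. "0b12". Legacy leading-zero octal, fractions and exponents are
// out of scope for this example.
std::optional<double> lexIntegerLiteral(const std::string& s) {
    int radix = 10;
    size_t pos = 0;
    if (s.size() >= 2 && s[0] == '0') {
        switch (s[1]) {
        case 'b': case 'B': radix = 2; break;
        case 'o': case 'O': radix = 8; break;
        case 'x': case 'X': radix = 16; break;
        default: break;
        }
        if (radix != 10) pos = 2; // the caller, not the digit parser, skips the prefix
    }
    auto parsed = parseRadixDigits(s, pos, radix);
    if (!parsed.has_value()) return std::nullopt;
    if (pos + parsed->consumed != s.size()) return std::nullopt;
    return parsed->value;
}
```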
3876
3877 2015-03-13  Alex Christensen  <achristensen@webkit.org>
3878
3879         Progress towards CMake on Mac.
3880         https://bugs.webkit.org/show_bug.cgi?id=142680
3881
3882         Reviewed by Gyuyoung Kim.
3883
3884         * PlatformMac.cmake:
3885