[Win CMake] Fix incremental build after r188673
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-08-27  Alex Christensen  <achristensen@webkit.org>

        [Win CMake] Fix incremental build after r188673
        https://bugs.webkit.org/show_bug.cgi?id=148539

        Reviewed by Brent Fulgham.

        * PlatformWin.cmake:
        Use xcopy as a build step instead of file(COPY ...) to copy updated headers.

2015-08-27  Jon Davis  <jond@apple.com>

        Include ES6 Generators and Proxy object status to feature status page.
        https://bugs.webkit.org/show_bug.cgi?id=148095

        Reviewed by Timothy Hatcher.

        * features.json:

2015-08-27  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add a comment to describe something I learned about a confusingly-named function.

        * dfg/DFGUseKind.h:
        (JSC::DFG::isCell):

2015-08-27  Basile Clement  <basile_clement@apple.com>

        REGRESSION(r184779): Possible read-after-free in JavaScriptCore/dfg/DFGClobberize.h
        https://bugs.webkit.org/show_bug.cgi?id=148411

        Reviewed by Geoffrey Garen and Filip Pizlo.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2015-08-27  Brian Burg  <bburg@apple.com>

        Web Inspector: FrontendChannel should know its own connection type
        https://bugs.webkit.org/show_bug.cgi?id=148482

        Reviewed by Joseph Pecoraro.

        * inspector/InspectorFrontendChannel.h: Add connectionType().
        * inspector/remote/RemoteInspectorDebuggableConnection.h:

2015-08-26  Filip Pizlo  <fpizlo@apple.com>

        Node::origin should always be set, and the dead zone due to SSA Phis can just use exitOK=false
        https://bugs.webkit.org/show_bug.cgi?id=148462

        Reviewed by Saam Barati.

        The need to label nodes that absolutely cannot exit was first observed when we introduced SSA form.
        We indicated this by not setting the CodeOrigin.

        But just recently (http://trac.webkit.org/changeset/188979), we added a more comprehensive "exitOK"
        bit in NodeOrigin. After that change, there were two ways of indicating that you cannot exit:
        !exitOK and an unset NodeOrigin. An unset NodeOrigin implied !exitOK.

        Now, this change is about removing the old way so that we only use !exitOK. From now on, all nodes
        must have their NodeOrigin set, and the IR validation will check this. This means that I could
        remove various pieces of cruft for dealing with unset NodeOrigins, but I did have to add some new
        cruft to ensure that all nodes we create have a NodeOrigin.

        This change simplifies our IR by having a simpler rule about when NodeOrigin is set: it's always
        set.

        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::isInBlock):
        (JSC::DFG::BasicBlock::removePredecessor):
        (JSC::DFG::BasicBlock::firstOriginNode): Deleted.
        (JSC::DFG::BasicBlock::firstOrigin): Deleted.
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::begin):
        (JSC::DFG::BasicBlock::end):
        (JSC::DFG::BasicBlock::numSuccessors):
        (JSC::DFG::BasicBlock::successor):
        * dfg/DFGCombinedLiveness.cpp:
        (JSC::DFG::liveNodesAtHead):
        * dfg/DFGConstantHoistingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGForAllKills.h:
        (JSC::DFG::forAllKilledOperands):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::validateSSA):

2015-08-26  Saam Barati  <sbarati@apple.com>

        MarkedBlock::allocateBlock will have the wrong allocation size when (sizeof(MarkedBlock) + bytes) is divisible by WTF::pageSize()
        https://bugs.webkit.org/show_bug.cgi?id=148500

        Reviewed by Mark Lam.

        Consider the following scenario:
        - On OS X, WTF::pageSize() is 4*1024 bytes.
        - JSEnvironmentRecord::allocationSizeForScopeSize(6621) == 53000
        - sizeof(MarkedBlock) == 248
        - (248 + 53000) is a multiple of 4*1024.
        - (248 + 53000)/(4*1024) == 13

        We will allocate a chunk of memory of size 53248 bytes that looks like this:
        0            248       256                       53248       53256
        [Marked Block | 8 bytes |  payload     ......      ]  8 bytes  |
                                ^                                      ^
                           Our Environment record starts here.         ^
                                                                       ^
                                                                 Our last JSValue in the environment record will go from byte 53248 to 53256. But, we don't own this memory.

        We need to ensure that we round up sizeof(MarkedBlock) to an
        atomSize boundary. We need to do this because the first atom
        inside the MarkedBlock will start at the rounded up multiple
        of atomSize past MarkedBlock. If we end up with an allocation
        that is perfectly aligned to the page size, then we will be short
        8 bytes (in the current implementation where atomSize is 16 bytes,
        and MarkedBlock is 248 bytes).

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateBlock):
        * tests/stress/heap-allocator-allocates-incorrect-size-for-activation.js: Added.
        (use):
        (makeFunction):

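The arithmetic in the entry above, carried through as an added example; this is not code from the patch or from JSC. The constants 248, 16 and 4*1024 are the entry's own figures standing in for sizeof(MarkedBlock), atomSize and WTF::pageSize(); the two allocation-size functions are a model of the pre-fix and post-fix behaviour the entry describes, not the real MarkedAllocator code. The second payload size, 52984, is constructed to show why the off-by-8 only surfaces when the header plus payload is an exact page multiple: otherwise the slack from rounding up to a page silently absorbs the missing 8 bytes.

```cpp
#include <cstddef>
#include <cstdio>

// Sizes taken from the entry's scenario. Constructed constants standing in for
// sizeof(MarkedBlock), MarkedBlock::atomSize and WTF::pageSize(), not JSC's headers.
constexpr std::size_t kMarkedBlockHeaderSize = 248;
constexpr std::size_t kAtomSize = 16;
constexpr std::size_t kPageSize = 4 * 1024;

constexpr std::size_t roundUpToMultipleOf(std::size_t divisor, std::size_t x)
{
    return (x + divisor - 1) / divisor * divisor;
}

// The first atom starts at the header size rounded up to an atomSize boundary.
constexpr std::size_t firstAtomOffset()
{
    return roundUpToMultipleOf(kAtomSize, kMarkedBlockHeaderSize); // 256 for these sizes
}

// Pre-fix arithmetic as the entry describes it: raw header size plus payload, rounded up to pages.
constexpr std::size_t buggyAllocationSize(std::size_t payloadBytes)
{
    return roundUpToMultipleOf(kPageSize, kMarkedBlockHeaderSize + payloadBytes);
}

// Post-fix arithmetic: use the header rounded to an atom boundary before rounding to pages.
constexpr std::size_t fixedAllocationSize(std::size_t payloadBytes)
{
    return roundUpToMultipleOf(kPageSize, firstAtomOffset() + payloadBytes);
}

// How many payload bytes would land past the end of the allocation (0 when the payload fits).
constexpr std::size_t overrunBytes(std::size_t allocationSize, std::size_t payloadBytes)
{
    const std::size_t payloadEnd = firstAtomOffset() + payloadBytes;
    return payloadEnd > allocationSize ? payloadEnd - allocationSize : 0;
}

int main()
{
    // 53000 is the entry's case (JSEnvironmentRecord::allocationSizeForScopeSize(6621));
    // 52984 is a constructed neighbour where 248 + payload is not a page multiple.
    const std::size_t payloads[] = { 53000, 52984 };
    for (std::size_t payload : payloads) {
        std::size_t buggy = buggyAllocationSize(payload);
        std::size_t fixed = fixedAllocationSize(payload);
        std::printf("payload %zu: pre-fix alloc %zu (overrun %zu), post-fix alloc %zu (overrun %zu)\n",
            payload, buggy, overrunBytes(buggy, payload), fixed, overrunBytes(fixed, payload));
    }
    return 0;
}
```

For the entry's payload the pre-fix size is 53248 with an 8-byte overrun, and the post-fix size grows to the next page (57344) with no overrun; for the neighbouring payload both formulas yield 53248 and the payload fits, which is why the bug hid behind the page rounding.
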
2015-08-26  Mark Lam  <mark.lam@apple.com>

        watchdog m_didFire state erroneously retained.
        https://bugs.webkit.org/show_bug.cgi?id=131082

        Reviewed by Geoffrey Garen.

        The watchdog can fire for 2 reasons:
        1. an external controlling entity (i.e. another thread) has scheduled termination
           of the script thread via watchdog::terminateSoon().
        2. the allowed CPU time has expired.

        For case 1, we're doing away with the m_didFire flag.  Watchdog::terminateSoon()
        will set the timer deadlines and m_timeLimit to 0, and m_timerDidFire to true.
        This will get the script thread to check Watchdog::didFire() and terminate
        execution.

        Note: the watchdog only guarantees that script execution will terminate as soon
        as possible due to a time limit of 0.  Once we've exited the VM, the client of the
        VM is responsible for keeping a flag to prevent new script execution.

        In a race condition, if terminateSoon() is called just after execution has gotten
        past the client's reentry check and the client is in the process of re-entering,
        the worst that can happen is that we will schedule the watchdog timer to fire
        after a period of 0.  This will terminate script execution quickly, and thereafter
        the client's check should be able to prevent further entry into the VM.

        The correctness (i.e. has no race condition) of this type of termination relies
        on the termination state being sticky.  Once the script thread is terminated this
        way, the VM will continue to terminate scripts quickly until the client sets the
        time limit to a non-zero value (or clears it which sets the time limit to
        noTimeLimit).

        For case 2, the watchdog does not alter m_timeLimit.  If the CPU deadline has
        been reached, the script thread will terminate execution and exit the VM.

        If the client of the VM starts new script execution, the watchdog will allow
        execution for the specified m_timeLimit.  In this case, since m_timeLimit is not
        0, the script gets a fresh allowance of CPU time to execute.  Hence, terminations
        due to watchdog timeouts are no longer sticky.

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * API/tests/ExecutionTimeLimitTest.cpp:
        - Add test scenarios to verify that the watchdog is automatically reset by the VM
          upon throwing the TerminatedExecutionException.

        (testResetAfterTimeout):
        (testExecutionTimeLimit):
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::ensureWatchdog):
        * runtime/VM.h:
        * runtime/VMInlines.h: Added.
        (JSC::VM::shouldTriggerTermination):
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Watchdog):
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::terminateSoon):
        (JSC::Watchdog::didFireSlow):
        (JSC::Watchdog::hasTimeLimit):
        (JSC::Watchdog::enteredVM):
        (JSC::Watchdog::exitedVM):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):
        (JSC::Watchdog::hasStartedTimer): Deleted.
        (JSC::Watchdog::fire): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::didFire):
        (JSC::Watchdog::timerDidFireAddress):

2015-08-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Implement tracking of active stylesheets in the frontend
        https://bugs.webkit.org/show_bug.cgi?id=105828

        Reviewed by Timothy Hatcher.

        * inspector/protocol/CSS.json:
        Add new events for when a StyleSheet is added or removed.

2015-08-26  Chris Dumez  <cdumez@apple.com>

        Distinguish Web IDL callback interfaces from Web IDL callback functions
        https://bugs.webkit.org/show_bug.cgi?id=148434

        Reviewed by Geoffrey Garen.

        Add isNull() convenience method on PropertyName.

        * runtime/PropertyName.h:
        (JSC::PropertyName::isNull):

2015-08-26  Filip Pizlo  <fpizlo@apple.com>

        Node::origin should be able to tell you if it's OK to exit
        https://bugs.webkit.org/show_bug.cgi?id=145204

        Reviewed by Geoffrey Garen.

        This is a major change to DFG IR that makes it easier to reason about where nodes with
        speculations can be soundly hoisted.

        A program in DFG IR is a sequence of operations that compute the values of SSA variables,
        perform effects on the heap or stack, and perform updates to the OSR exit state. Because
        effects and OSR exit updates are interleaved, there are points in execution where exiting
        simply won't work. For example, we may have some bytecode operation:

            [  24] op_foo loc42 // does something, and puts a value in loc42.

        that gets compiled down to a sequence of DFG IR nodes like:

            a: Foo(W:Heap, R:World, bc#24) // writes heap, reads world - i.e. an observable effect.
            b: MovHint(@a, loc42, bc#24)
            c: SetLocal(Check:Int32:@a, loc42, bc#24, exit: bc#26)

        Note that we can OSR exit at @a because we haven't performed any effects for bc#24 yet and
        we have performed all effects for prior bytecode operations. That's what the origin.forExit
        being set to "bc#24" guarantees. So, an OSR exit at @a would transfer execution to bc#24 and
        this would not be observable. But at @b, if we try to exit to bc#24 as indicated by forExit, we
        would end up causing the side effect of bc#24 to execute a second time. This would be
        observable, so we cannot do it. And we cannot exit to the next instruction - bc#26 - either,
        because @b is responsible for updating the OSR state to indicate that the result of @a should
        be put into loc42. It's not until we get to @c that we can exit again.

        This is a confusing, but useful, property of DFG IR. It's useful because it allows us to use IR
        to spell out how we would have affected the bytecode state, and we use this to implement hard
        things like object allocation elimination, where we use IR instructions to indicate what object
        allocation and mutation operations we would have performed, and which bytecode variables would
        have pointed to those objects. So long as IR allows us to describe how OSR exit state is
        updated, there will be points in execution where that state is invalid - especially if the IR
        to update exit state is separate from the IR to perform actual effects.

        But this property is super confusing! It's difficult to explain that somehow magically, @b is a
        bad place to put OSR exits, and that magically we will only have OSR exits at @a. Of course, it
        all kind of makes sense - we insert OSR exit checks in phases that *know* where it's safe to
        exit - but it's just too opaque. This also gets in the way of more sophisticated
        transformations. For example, LICM barely works - it magically knows that loop pre-headers are
        good places to exit from, but it has no way of determining if that is actually true. It would
        be odd to introduce a restriction that anytime some block qualifies as a pre-header according
        to our loop calculator, it must end with a terminal at which it is OK to exit. So, our choices
        are to either leave LICM in a magical state and exercise extreme caution when introducing new
        optimizations that hoist checks, or to do something to make the "can I exit here" property more
        explicit in IR.

        We have already, in a separate change, added a NodeOrigin::exitOK property, though it didn't do
        anything yet. This change puts exitOK to work, and makes it an integral part of IR. The key
        intuition behind this change is that if we know which nodes clobber exit state - i.e. after the
        node, it's no longer possible to OSR exit until the exit state is fixed up - then we can figure
        out where it's fine to exit. This change mostly adopts the already implicit rule that it's
        always safe to exit right at the boundary of exit origins (in between two nodes where
        origin.forExit differs), and adds a new node, called ExitOK, which is a kind of declaration
        that exit state is good again. When making this change, I struggled with the question of
        whether to make origin.exitOK be explicit, or something that we can compute with an analysis.
        Of course if we are armed with a clobbersExitState(Node*) function, we can find the places
        where it's fine to exit. But this kind of computation could get quite sophisticated if the
        nodes belonging to an exit origin are lowered to a control-flow construct. It would also be
        harder to see what the original intent was, if we found an error: is the bug that we shouldn't
        be clobbering exit state, or that we shouldn't be exiting? This change opts to make exitOK be
        an explicit property of IR, so that DFG IR validation will reject any program where exitOK is
        true after a node that clobbersExitState(), or if exitOK is true after a node has exitOK set to
        false - unless the latter node has a different exit origin or is an ExitOK node. It will also
        reject any program where a node mayExit() with !exitOK.

        It turns out that this revealed a lot of sloppiness and what almost looked like an outright
        bug: the callee property of an inline closure call frame was being set up "as if" by the
        callee's op_enter. If we did hoist a check per the old rule - to the boundary of exit origins -
        then we would crash because the callee is unknown. It also revealed that LICM could *almost*
        get hosed by having a pre-header where there are effects before the jump. I wasn't able to
        construct a test case that would crash trunk, but I also couldn't quite prove why such a
        program couldn't be constructed. I did fix the issue in loop pre-header creation, and the
        validator does catch the issue because of its exitOK assertions.

        This doesn't yet add any other safeguards to LICM - that phase still expects that pre-headers
        are in place and that they were created in such a way that their terminal origins have exitOK.
        It also still keeps the old way of saying "not OK to exit" - having a clear NodeOrigin. In a
        later patch I'll remove that and use !exitOK everywhere. Note that I did consider using clear
        NodeOrigins to signify that it's not OK to exit, but that would make DFGForAllKills a lot more
        expensive - it would have to sometimes search to find nearby forExit origins if the current
        node doesn't have it set - and that's a critical phase for DFG compilation performance.
        Requiring that forExit is usually set to *something* and that properly shadows the original
        bytecode is cheap and easy, so it seemed like a good trade-off.

        This change has no performance effect. Its only effect is that it makes the compiler easier to
        understand by turning a previously magical concept into an explicit one.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::currentNodeOrigin):
        (JSC::DFG::ByteCodeParser::branchData):
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp: Added.
        (JSC::DFG::clobbersExitState):
        * dfg/DFGClobbersExitState.h: Added.
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::convertStringAddUse):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::useKindFor):
        (JSC::DFG::uncheckedUseKindFor):
        (JSC::DFG::typeFilterFor):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::printWhiteSpace):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        * dfg/DFGInsertionSet.cpp:
        (JSC::DFG::InsertionSet::insertSlow):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        (WTF::printInternal):
        * dfg/DFGMayExit.h:
        * dfg/DFGMovHintRemovalPhase.cpp:
        * dfg/DFGNodeOrigin.cpp: Added.
        (JSC::DFG::NodeOrigin::dump):
        * dfg/DFGNodeOrigin.h:
        (JSC::DFG::NodeOrigin::NodeOrigin):
        (JSC::DFG::NodeOrigin::isSet):
        (JSC::DFG::NodeOrigin::withSemantic):
        (JSC::DFG::NodeOrigin::withExitOK):
        (JSC::DFG::NodeOrigin::withInvalidExit):
        (JSC::DFG::NodeOrigin::takeValidExit):
        (JSC::DFG::NodeOrigin::forInsertingAfter):
        (JSC::DFG::NodeOrigin::operator==):
        (JSC::DFG::NodeOrigin::operator!=):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset):
        * dfg/DFGOSRExitBase.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::validate):
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::Phase::vm):
        (JSC::DFG::Phase::codeBlock):
        (JSC::DFG::Phase::profiledBlock):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):

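The validation rules the entry above spells out (exitOK must not be true after a node that clobbers exit state or after a node with !exitOK within the same exit origin, except at an ExitOK node; a node that mayExit() must have exitOK), applied to its own a/b/c sequence. This is an added example, not code from the patch or from DFGValidate.cpp: the Node struct, its boolean fields standing in for clobbersExitState() and mayExit(), the string-returning validateExitOK() and the sample sequences are all constructed here, and the check is over one straight-line sequence rather than a whole graph.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Constructed model of the parts of a DFG node the exitOK rules look at. Real nodes
// carry a NodeOrigin and the predicates are functions over the node type; here they
// are plain fields so the rules can be read on their own.
struct Node {
    std::string name;
    unsigned forExit;          // origin.forExit: bytecode index an exit would resume at
    bool exitOK;               // origin.exitOK
    bool clobbersExitState;    // stands in for clobbersExitState(node)
    bool mayExit;              // stands in for mayExit(node)
    bool isExitOKNode = false; // the ExitOK declaration node
};

// Checks one straight-line sequence of nodes against the rules in the entry.
// Returns an empty string when the sequence passes, otherwise the first violation.
std::string validateExitOK(const std::vector<Node>& nodes)
{
    const Node* prev = nullptr;
    for (const Node& node : nodes) {
        // A node that may OSR exit must sit at a point where exiting is allowed.
        if (node.mayExit && !node.exitOK)
            return node.name + ": mayExit() but !exitOK";

        // Within one exit origin, exitOK may only be true after a node that neither
        // clobbered exit state nor had !exitOK itself, unless this node is the explicit
        // ExitOK declaration. A different forExit origin is a boundary where exiting is fine.
        if (prev && prev->forExit == node.forExit && node.exitOK && !node.isExitOKNode) {
            if (prev->clobbersExitState)
                return node.name + ": exitOK after " + prev->name + " clobbered exit state";
            if (!prev->exitOK)
                return node.name + ": exitOK after " + prev->name + " had !exitOK";
        }
        prev = &node;
    }
    return "";
}

// The entry's own sequence for op_foo at bc#24: Foo has an observable effect (so it
// clobbers exit state), MovHint updates OSR state with exitOK=false, SetLocal opens bc#26.
std::vector<Node> sequenceFromEntry()
{
    return {
        { "a: Foo",      24, true,  true,  true  },
        { "b: MovHint",  24, false, true,  false },
        { "c: SetLocal", 26, true,  false, true  },
    };
}

// Same sequence, but MovHint is wrongly marked exitOK after Foo's side effect.
std::vector<Node> exitOKAfterClobberSequence()
{
    std::vector<Node> nodes = sequenceFromEntry();
    nodes[1].exitOK = true;
    return nodes;
}

// A hoisted check placed in the dead zone between MovHint and SetLocal.
std::vector<Node> checkInDeadZoneSequence()
{
    std::vector<Node> nodes = sequenceFromEntry();
    nodes.insert(nodes.begin() + 2, Node{ "x: Check", 24, false, false, true });
    return nodes;
}

// An ExitOK node declares exit state good again, so a check after it is accepted.
std::vector<Node> exitOKDeclarationSequence()
{
    std::vector<Node> nodes = sequenceFromEntry();
    nodes.insert(nodes.begin() + 2, Node{ "ExitOK", 24, true, false, false, true });
    nodes.insert(nodes.begin() + 3, Node{ "x: Check", 24, true, false, true });
    return nodes;
}

int main()
{
    struct Case { const char* label; std::vector<Node> nodes; } cases[] = {
        { "entry's a/b/c",        sequenceFromEntry() },
        { "exitOK after clobber", exitOKAfterClobberSequence() },
        { "check in dead zone",   checkInDeadZoneSequence() },
        { "ExitOK declaration",   exitOKDeclarationSequence() },
    };
    for (const Case& c : cases) {
        std::string err = validateExitOK(c.nodes);
        std::printf("%-22s %s\n", c.label, err.empty() ? "valid" : err.c_str());
    }
    return 0;
}
```

The first and last sequences validate; the second is rejected at @b because @a clobbered exit state within the same bc#24 origin, and the third is rejected because the inserted check mayExit() while exitOK is false. The origin change from bc#24 to bc#26 at @c is what makes exiting there legal again without an ExitOK node.
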
2015-08-26  Andreas Kling  <akling@apple.com>

        [JSC] StructureTransitionTable should eagerly deallocate single-transition WeakImpls.
        <https://webkit.org/b/148478>

        Reviewed by Geoffrey Garen.

        Use a WeakHandleOwner to eagerly deallocate StructureTransitionTable's Weak pointers
        when it's using the single-transition optimization and the Structure it transitioned
        to has been GC'd.

        This prevents Structures from keeping WeakBlocks alive longer than necessary when
        they've been transitioned away from but are still in use themselves.

        * runtime/Structure.cpp:
        (JSC::singleSlotTransitionWeakOwner):
        (JSC::StructureTransitionTable::singleTransition):
        (JSC::StructureTransitionTable::setSingleTransition):
        (JSC::StructureTransitionTable::add):
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::singleTransition): Deleted.
        (JSC::StructureTransitionTable::setSingleTransition): Deleted.

2015-08-26  Brian Burg  <bburg@apple.com>

        Web Inspector: REGRESSION(r188965): BackendDispatcher loses request ids when called re-entrantly
        https://bugs.webkit.org/show_bug.cgi?id=148480

        Reviewed by Joseph Pecoraro.

        I added an assertion that m_currentRequestId is Nullopt when dispatch() is called, but this should
        not hold if dispatching a backend command while debugger is paused. I will remove the assertion
        and add proper scoping for all dispatch() branches.

        No new tests; this wrong assert caused inspector/dom-debugger/node-removed.html to crash reliably.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch): Cover each exit with an appropriate TemporaryChange scope.

2015-08-26  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Remove the unused *Executable::unlinkCalls() and CodeBlock::unlinkCalls()
        https://bugs.webkit.org/show_bug.cgi?id=148469

        Reviewed by Geoffrey Garen.

        We use CodeBlock::unlinkIncomingCalls() to unlink calls.
        (...)Executable::unlinkCalls() and CodeBlock::unlinkCalls() are no longer used.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls): Deleted.
        * bytecode/CodeBlock.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::unlinkCalls): Deleted.
        (JSC::ProgramExecutable::unlinkCalls): Deleted.
        (JSC::FunctionExecutable::unlinkCalls): Deleted.
        * runtime/Executable.h:
        (JSC::ScriptExecutable::unlinkCalls): Deleted.

2015-08-25  Brian Burg  <bburg@apple.com>

        Web Inspector: no need to allocate protocolErrors array for every dispatched backend command
        https://bugs.webkit.org/show_bug.cgi?id=146466

        Reviewed by Joseph Pecoraro.

        Clean up some of the backend dispatcher code, with a focus on eliminating useless allocations
        of objects in the common case when no protocol errors happen. This is done by saving the
        current id of each request as it is being processed by the backend dispatcher, and tagging any
        subsequent errors with that id. This also means we don't have to thread the requestId except
        in the async command code path.

        This patch also lifts some common code shared between all generated backend command
        implementations into the per-domain dispatch method instead. This reduces generated code size.

        To be consistent, this patch standardizes on calling the id of a backend message its 'requestId'.
        Requests can be handled synchronously or asynchronously (triggered via the 'async' property).

        No new tests, covered by existing protocol tests.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::CallbackBase): Split the two code paths for reporting
        success and failure.

        (Inspector::BackendDispatcher::CallbackBase::sendFailure):
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess): Renamed from sendIfActive.
        (Inspector::BackendDispatcher::dispatch): Reset counters and current requestId before dispatching.
        No need to manually thread the requestId to all reportProtocolError calls.

        (Inspector::BackendDispatcher::hasProtocolErrors): Added.
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors): Send any saved protocol errors to the frontend.
        Always send a 'data' member with all of the errors, even if there's just one. We might want to add
        more information about errors later.

        (Inspector::BackendDispatcher::reportProtocolError): Enqueue a protocol error to be sent later.
        (Inspector::BackendDispatcher::getPropertyValue): Remove useless type parameters and nuke most of
        the type conversion methods. Use std::function types instead of function pointer types.

        (Inspector::castToInteger): Added.
        (Inspector::castToNumber): Added.
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        (Inspector::getPropertyValue): Deleted.
        (Inspector::AsMethodBridges::asInteger): Deleted.
        (Inspector::AsMethodBridges::asDouble): Deleted.
        (Inspector::AsMethodBridges::asString): Deleted.
        (Inspector::AsMethodBridges::asBoolean): Deleted.
        (Inspector::AsMethodBridges::asObject): Deleted.
        (Inspector::AsMethodBridges::asArray): Deleted.
        (Inspector::AsMethodBridges::asValue): Deleted.
        * inspector/InspectorBackendDispatcher.h:
        * inspector/scripts/codegen/cpp_generator_templates.py: Extract 'params' object in domain dispatch method.
        Omit requestIds where possible. Convert dispatch tables to use NeverDestroyed. Check the protocol error count
        to decide whether to abort the dispatch or not, rather than allocating our own errors array.

        * inspector/scripts/codegen/cpp_generator_templates.py:
        (void):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: Revert to passing RefPtr<InspectorObject>
        since parameters are now being passed rather than the message object. Some commands do not require parameters.
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command):
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/objc_generator_templates.py:

        Rebaseline some protocol generator tests.
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

607 2015-08-25  Saam barati  <sbarati@apple.com>
608
609         Lets rename codeOriginIndex to callSiteIndex and get rid of CallFrame::Location.
610         https://bugs.webkit.org/show_bug.cgi?id=148213
611
612         Reviewed by Filip Pizlo.
613
614         This patch introduces a struct called CallSiteIndex which is
615         used as a wrapper for a 32-bit int to place things in the tag for ArgumentCount
616         in the call frame. On 32-bit we place Instruction* into this slot for LLInt and Baseline.
617         For 32-bit DFG we place an index into the code origin table in this slot.
618         On 64-bit we place a bytecode offset into this slot for LLInt and Baseline.
619         On 64-bit we place the index into the code origin table in this slot in the
620         DFG/FTL.
621
622         This patch also gets rid of the encoding scheme that describes if something is a
623         bytecode index or a code origin table index. This information can always
624         be determined based on the CodeBlock's JITType.
625
626         StructureStubInfo now also has a CallSiteIndex which it stores to
627         the call frame when making a call.
628
629         * bytecode/CodeBlock.h:
630         (JSC::CodeBlock::hasCodeOrigins):
631         (JSC::CodeBlock::canGetCodeOrigin):
632         (JSC::CodeBlock::codeOrigin):
633         (JSC::CodeBlock::addFrequentExitSite):
634         * bytecode/StructureStubInfo.h:
635         (JSC::StructureStubInfo::StructureStubInfo):
636         * dfg/DFGCommonData.cpp:
637         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
638         (JSC::DFG::CommonData::addCodeOrigin):
639         (JSC::DFG::CommonData::shrinkToFit):
640         * dfg/DFGCommonData.h:
641         (JSC::DFG::CommonData::CommonData):
642         * dfg/DFGJITCompiler.h:
643         (JSC::DFG::JITCompiler::setEndOfCode):
644         (JSC::DFG::JITCompiler::addCallSite):
645         (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
646         * dfg/DFGOSRExitCompilerCommon.cpp:
647         (JSC::DFG::reifyInlinedCallFrames):
648         * dfg/DFGSpeculativeJIT.cpp:
649         (JSC::DFG::SpeculativeJIT::compileIn):
650         * dfg/DFGSpeculativeJIT32_64.cpp:
651         (JSC::DFG::SpeculativeJIT::cachedGetById):
652         (JSC::DFG::SpeculativeJIT::cachedPutById):
653         * dfg/DFGSpeculativeJIT64.cpp:
654         (JSC::DFG::SpeculativeJIT::cachedGetById):
655         (JSC::DFG::SpeculativeJIT::cachedPutById):
656         * ftl/FTLCompile.cpp:
657         (JSC::FTL::mmAllocateDataSection):
658         * ftl/FTLInlineCacheDescriptor.h:
659         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
660         (JSC::FTL::InlineCacheDescriptor::stackmapID):
661         (JSC::FTL::InlineCacheDescriptor::callSiteIndex):
662         (JSC::FTL::InlineCacheDescriptor::uid):
663         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
664         (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
665         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
666         (JSC::FTL::InlineCacheDescriptor::codeOrigin): Deleted.
667         * ftl/FTLLink.cpp:
668         (JSC::FTL::link):
669         * ftl/FTLLowerDFGToLLVM.cpp:
670         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
671         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
672         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
673         (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
674         * ftl/FTLSlowPathCall.cpp:
675         (JSC::FTL::storeCodeOrigin):
676         * interpreter/CallFrame.cpp:
677         (JSC::CallFrame::currentVPC):
678         (JSC::CallFrame::setCurrentVPC):
679         (JSC::CallFrame::callSiteBitsAsBytecodeOffset):
680         (JSC::CallFrame::bytecodeOffset):
681         (JSC::CallFrame::codeOrigin):
682         (JSC::CallFrame::topOfFrameInternal):
683         (JSC::CallFrame::locationAsBytecodeOffset): Deleted.
684         (JSC::CallFrame::setLocationAsBytecodeOffset): Deleted.
685         (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex): Deleted.
686         * interpreter/CallFrame.h:
687         (JSC::CallSiteIndex::CallSiteIndex):
688         (JSC::CallSiteIndex::bits):
689         (JSC::ExecState::returnPCOffset):
690         (JSC::ExecState::abstractReturnPC):
691         (JSC::ExecState::topOfFrame):
692         (JSC::ExecState::setCallerFrame):
693         (JSC::ExecState::setScope):
694         (JSC::ExecState::currentVPC): Deleted.
695         (JSC::ExecState::setCurrentVPC): Deleted.
696         * interpreter/CallFrameInlines.h:
697         (JSC::CallFrame::callSiteBitsAreBytecodeOffset):
698         (JSC::CallFrame::callSiteBitsAreCodeOriginIndex):
699         (JSC::CallFrame::callSiteAsRawBits):
700         (JSC::CallFrame::callSiteIndex):
701         (JSC::CallFrame::hasActivation):
702         (JSC::CallFrame::Location::encode): Deleted.
703         (JSC::CallFrame::Location::decode): Deleted.
704         (JSC::CallFrame::Location::encodeAsBytecodeOffset): Deleted.
705         (JSC::CallFrame::Location::encodeAsBytecodeInstruction): Deleted.
706         (JSC::CallFrame::Location::encodeAsCodeOriginIndex): Deleted.
707         (JSC::CallFrame::Location::isBytecodeLocation): Deleted.
708         (JSC::CallFrame::Location::isCodeOriginIndex): Deleted.
709         (JSC::CallFrame::hasLocationAsBytecodeOffset): Deleted.
710         (JSC::CallFrame::hasLocationAsCodeOriginIndex): Deleted.
711         (JSC::CallFrame::locationAsRawBits): Deleted.
712         (JSC::CallFrame::setLocationAsRawBits): Deleted.
713         (JSC::CallFrame::locationAsBytecodeOffset): Deleted.
714         (JSC::CallFrame::setLocationAsBytecodeOffset): Deleted.
715         (JSC::CallFrame::locationAsCodeOriginIndex): Deleted.
716         * interpreter/StackVisitor.cpp:
717         (JSC::StackVisitor::readFrame):
718         (JSC::StackVisitor::readNonInlinedFrame):
719         (JSC::StackVisitor::Frame::print):
720         * jit/JITCall.cpp:
721         (JSC::JIT::compileOpCall):
722         * jit/JITCall32_64.cpp:
723         (JSC::JIT::compileOpCall):
724         * jit/JITInlineCacheGenerator.cpp:
725         (JSC::garbageStubInfo):
726         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
727         (JSC::JITByIdGenerator::JITByIdGenerator):
728         (JSC::JITByIdGenerator::generateFastPathChecks):
729         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
730         (JSC::JITGetByIdGenerator::generateFastPath):
731         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
732         * jit/JITInlineCacheGenerator.h:
733         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
734         (JSC::JITInlineCacheGenerator::stubInfo):
735         (JSC::JITByIdGenerator::JITByIdGenerator):
736         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
737         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
738         * jit/JITInlines.h:
739         (JSC::JIT::updateTopCallFrame):
740         * jit/JITOperations.cpp:
741         (JSC::getByVal):
742         (JSC::tryGetByValOptimize):
743         * jit/JITPropertyAccess.cpp:
744         (JSC::JIT::emitGetByValWithCachedId):
745         (JSC::JIT::emitPutByValWithCachedId):
746         (JSC::JIT::emit_op_get_by_id):
747         (JSC::JIT::emit_op_put_by_id):
748         * jit/JITPropertyAccess32_64.cpp:
749         (JSC::JIT::emitGetByValWithCachedId):
750         (JSC::JIT::emitPutByValWithCachedId):
751         (JSC::JIT::emit_op_get_by_id):
752         (JSC::JIT::emit_op_put_by_id):
753         * jit/Repatch.cpp:
754         (JSC::generateByIdStub):
755
756 2015-08-25  Aleksandr Skachkov  <gskachkov@gmail.com>
757
758         Function.prototype.toString is incorrect for ArrowFunction
759         https://bugs.webkit.org/show_bug.cgi?id=148148
760
761         Reviewed by Saam Barati.
762
763         Added correct support for the toString() method on arrow functions.
764
765         * parser/ASTBuilder.h:
766         (JSC::ASTBuilder::createFunctionMetadata):
767         (JSC::ASTBuilder::createArrowFunctionExpr):
768         * parser/Nodes.cpp:
769         (JSC::FunctionMetadataNode::FunctionMetadataNode):
770         * parser/Nodes.h:
771         * parser/Parser.cpp:
772         (JSC::Parser<LexerType>::parseFunctionBody):
773         (JSC::Parser<LexerType>::parseFunctionInfo):
774         * parser/SyntaxChecker.h:
775         (JSC::SyntaxChecker::createFunctionMetadata):
776         * runtime/FunctionPrototype.cpp:
777         (JSC::functionProtoFuncToString):
778         * tests/stress/arrowfunction-tostring.js: Added.
779
780 2015-08-25  Saam barati  <sbarati@apple.com>
781
782         Callee can be incorrectly overridden when it's captured
783         https://bugs.webkit.org/show_bug.cgi?id=148400
784
785         Reviewed by Filip Pizlo.
786
787         We now resort to always creating the function name scope
788         when the function name is in scope. Because the bytecode
789         generator now has a notion of local lexical scoping,
790         this incurs no runtime penalty for function expression names
791         that aren't heap allocated. If they are heap allocated,
792         this means we may now have one more scope on the runtime
793         scope stack than before. This modification simplifies the
794         callee initialization code and uses the lexical scoping constructs
795         to implement this. This implementation also ensures
796         that everything Just Works for functions with default
797         parameter values. Before this patch, IIFE functions
798         with default parameter values and a captured function
799         name would crash JSC.
800
801         * bytecompiler/BytecodeGenerator.cpp:
802         (JSC::BytecodeGenerator::BytecodeGenerator):
803         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
804         (JSC::BytecodeGenerator::popLexicalScopeInternal):
805         (JSC::BytecodeGenerator::variable):
806         (JSC::BytecodeGenerator::resolveType):
807         (JSC::BytecodeGenerator::emitThrowTypeError):
808         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
809         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
810         * bytecompiler/BytecodeGenerator.h:
811         (JSC::Variable::isReadOnly):
812         (JSC::Variable::isSpecial):
813         (JSC::Variable::isConst):
814         (JSC::Variable::setIsReadOnly):
815         * bytecompiler/NodesCodegen.cpp:
816         (JSC::PostfixNode::emitResolve):
817         (JSC::PrefixNode::emitResolve):
818         (JSC::ReadModifyResolveNode::emitBytecode):
819         (JSC::AssignResolveNode::emitBytecode):
820         (JSC::BindingNode::bindValue):
821         * tests/stress/IIFE-es6-default-parameters.js: Added.
822         (assert):
823         (.):
824         * tests/stress/IIFE-function-name-captured.js: Added.
825         (assert):
826         (.):
827
828 2015-08-24  Brian Burg  <bburg@apple.com>
829
830         Web Inspector: add protocol test for existing error handling performed by the backend
831         https://bugs.webkit.org/show_bug.cgi?id=147097
832
833         Reviewed by Joseph Pecoraro.
834
835         A new test revealed that the protocol "method" parameter was being parsed in a naive way.
836         Rewrite it to use String::split and improve error checking to avoid failing later.
837
838         * inspector/InspectorBackendDispatcher.cpp:
839         (Inspector::BackendDispatcher::dispatch):
840
841 2015-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>
842
843         [ES6] Return JSInternalPromise as result of evaluateModule
844         https://bugs.webkit.org/show_bug.cgi?id=148173
845
846         Reviewed by Saam Barati.
847
848         Now evaluateModule returns JSInternalPromise* as its result value.
849         When an error occurs while loading or executing the modules,
850         this promise is rejected by that error. By leveraging this, we implemented
851         asynchronous error reporting when executing the modules in JSC shell.
852
853         And this patch also changes the evaluateModule signature to accept the entry
854         point by the moduleName. By using it, JSC shell can start executing the modules
855         with the entry point module name.
856
857         * builtins/ModuleLoaderObject.js:
858         (loadModule):
859         * jsc.cpp:
860         (dumpException):
861         (runWithScripts):
862         * runtime/Completion.cpp:
863         (JSC::evaluateModule):
864         * runtime/Completion.h:
865         * runtime/JSInternalPromise.cpp:
866         (JSC::JSInternalPromise::then):
867         * runtime/JSInternalPromise.h:
868         * runtime/ModuleLoaderObject.cpp:
869         (JSC::ModuleLoaderObject::requestInstantiateAll):
870         (JSC::ModuleLoaderObject::loadModule):
871         (JSC::ModuleLoaderObject::resolve):
872         (JSC::ModuleLoaderObject::fetch):
873         (JSC::ModuleLoaderObject::translate):
874         (JSC::ModuleLoaderObject::instantiate):
875         (JSC::moduleLoaderObjectParseModule):
876         * runtime/ModuleLoaderObject.h:
877
878 2015-08-24  Basile Clement  <basile_clement@apple.com>
879
880         REPTACH is not a word
881         https://bugs.webkit.org/show_bug.cgi?id=148401
882
883         Reviewed by Saam Barati.
884
885         * assembler/MacroAssemblerX86_64.h:
886         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
887         (JSC::MacroAssemblerX86_64::call):
888         (JSC::MacroAssemblerX86_64::tailRecursiveCall):
889         (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
890         (JSC::MacroAssemblerX86_64::readCallTarget):
891         (JSC::MacroAssemblerX86_64::linkCall):
892         (JSC::MacroAssemblerX86_64::repatchCall):
893
894 2015-08-24  Mark Lam  <mark.lam@apple.com>
895
896         Add support for setting JSC options from a file.
897         https://bugs.webkit.org/show_bug.cgi?id=148394
898
899         Reviewed by Saam Barati.
900
901         This is needed for environments where the JSC executable does not have access to
902         environmental variables.  This is only needed for debugging, and is currently
903         guarded under a #define USE_OPTIONS_FILE in Options.cpp, and is disabled by
904         default.
905
906         Also fixed Options::setOptions() to allow for whitespace that is not a single
907         ' '.  This makes setOptions() much more flexible and friendlier to use for loading
908         options in general.
909
910         For example, this current use case of loading options from a file may have '\n's
911         in the character stream, and this feature is easier to implement if setOptions()
912         just supports more than 1 whitespace char between options, and recognizes whitespace
913         characters other than ' '.
914
915         * runtime/Options.cpp:
916         (JSC::parse):
917         (JSC::Options::initialize):
918         (JSC::Options::setOptions):
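
The two parsing changes logged above (the "Domain.command" method check in BackendDispatcher::dispatch from the 2015-08-24 Brian Burg entry, and the whitespace-tolerant Options::setOptions() from this entry) share one technique: split the input, then validate every piece before acting on any of it. The following is an added example written for this page, not WebKit's own code; the names splitBy, parseMethod, parseOptions and OptionPair are hypothetical, and the option names used in comments are illustrative.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Added example (not WebKit's code). One splitter serves both parsers:
// with keepEmpty=false consecutive separators collapse, which is what a
// whitespace tokenizer wants; with keepEmpty=true empty fields survive, so
// a caller can reject "Domain." or ".command" instead of silently accepting
// a truncated name.
template<typename Pred>
static std::vector<std::string> splitBy(const std::string& input, Pred isSeparator, bool keepEmpty)
{
    std::vector<std::string> parts;
    std::string current;
    for (char c : input) {
        if (isSeparator(c)) {
            if (keepEmpty || !current.empty())
                parts.push_back(current);
            current.clear();
        } else
            current.push_back(c);
    }
    if (keepEmpty || !current.empty())
        parts.push_back(current);
    return parts;
}

struct ParsedMethod {
    std::string domain;
    std::string command;
};

// Accepts exactly "<Domain>.<command>" with both halves non-empty. No dot,
// a trailing or leading dot, or extra dots are rejected up front rather than
// being discovered later during handler lookup.
bool parseMethod(const std::string& method, ParsedMethod& out)
{
    std::vector<std::string> parts = splitBy(method, [](char c) { return c == '.'; }, true);
    if (parts.size() != 2 || parts[0].empty() || parts[1].empty())
        return false;
    out.domain = parts[0];
    out.command = parts[1];
    return true;
}

using OptionPair = std::pair<std::string, std::string>;

// Tokenizes "name=value" options separated by any run of whitespace (spaces,
// tabs, newlines), which is what a file with one option per line produces.
// Returns false on the first malformed token and leaves `out` untouched, so
// the caller applies all of the options or none of them.
bool parseOptions(const std::string& input, std::vector<OptionPair>& out)
{
    std::vector<OptionPair> result;
    auto isSpace = [](char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; };
    for (const std::string& token : splitBy(input, isSpace, false)) {
        size_t eq = token.find('=');
        if (eq == std::string::npos || eq == 0)
            return false; // "flag" without '=' or "=value" without a name
        result.emplace_back(token.substr(0, eq), token.substr(eq + 1));
    }
    out.swap(result);
    return true;
}
```

The all-or-nothing return in parseOptions matters for a debugging facility that reads from a file: applying half of a malformed option set would leave the process in a configuration nobody wrote down.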
919
920 2015-08-24  Filip Pizlo  <fpizlo@apple.com>
921
922         DFG::FixupPhase should use the lambda form of m_graph.doToChildren() rather than the old macro
923         https://bugs.webkit.org/show_bug.cgi?id=148397
924
925         Reviewed by Geoffrey Garen.
926
927         We used to iterate the edges of a node by using the DFG_NODE_DO_TO_CHILDREN macro. We
928         don't need to do that anymore since we have the lambda-based m_graph.doToChildren(). This
929         allows us to get rid of a bunch of helper methods in DFG::FixupPhase.
930
931         I also took the opportunity to give the injectTypeConversionsInBlock() method a more
932         generic name, since after https://bugs.webkit.org/show_bug.cgi?id=145204 it will be used
933         for fix-up of checks more broadly.
934
935         * dfg/DFGFixupPhase.cpp:
936         (JSC::DFG::FixupPhase::run):
937         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
938         (JSC::DFG::FixupPhase::fixupChecksInBlock):
939         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): Deleted.
940         (JSC::DFG::FixupPhase::tryToRelaxRepresentation): Deleted.
941         (JSC::DFG::FixupPhase::fixEdgeRepresentation): Deleted.
942         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Deleted.
943
944 2015-08-24  Geoffrey Garen  <ggaren@apple.com>
945
946         Some renaming to clarify CodeBlock and UnlinkedCodeBlock
947         https://bugs.webkit.org/show_bug.cgi?id=148391
948
949         Reviewed by Saam Barati.
950
951         * bytecode/UnlinkedFunctionExecutable.cpp:
952         (JSC::generateUnlinkedFunctionCodeBlock):
953         (JSC::UnlinkedFunctionExecutable::visitChildren):
954         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
955         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
956         (JSC::generateFunctionCodeBlock): Deleted.
957         (JSC::UnlinkedFunctionExecutable::codeBlockFor): Deleted.
958         * bytecode/UnlinkedFunctionExecutable.h: Call our CodeBlocks "unlinked"
959         in the name for clarity, since we are unlinked.
960
961         * heap/Heap.cpp:
962         (JSC::Heap::objectTypeCounts):
963         (JSC::Heap::deleteAllCodeBlocks):
964         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
965         (JSC::Heap::clearUnmarkedExecutables):
966         (JSC::Heap::deleteOldCode):
967         (JSC::Heap::FinalizerOwner::finalize):
968         (JSC::Heap::addExecutable):
969         (JSC::Heap::collectAllGarbageIfNotDoneRecently):
970         (JSC::Heap::deleteAllCompiledCode): Deleted.
971         (JSC::Heap::deleteAllUnlinkedFunctionCode): Deleted.
972         (JSC::Heap::addCompiledCode): Deleted.
973         * heap/Heap.h:
974         (JSC::Heap::notifyIsSafeToCollect):
975         (JSC::Heap::isSafeToCollect):
976         (JSC::Heap::sizeBeforeLastFullCollection):
977         (JSC::Heap::sizeAfterLastFullCollection):
978         (JSC::Heap::compiledCode): Deleted.
979
980             deleteAllCompiledCode => deleteAllCodeBlocks because "compiled"
981             is a broad phrase these days.
982
983             m_compiledCode => m_executables for the same reason.
984
985             addCompiledCode => addExecutable for the same reason.
986
987             deleteAllUnlinkedFunctionCode => deleteAllUnlinkedCodeBlocks
988             for consistency.
989
990         * jsc.cpp:
991         (functionDeleteAllCompiledCode):
992
993         * runtime/Executable.cpp:
994         (JSC::ScriptExecutable::newCodeBlockFor): codeBlockFor => unlinkedCodeBlockFor
995
996         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation): Deleted.
997         It was strange to put this function on executable, since its name implied
998         that it only changed the executable, but it actually changed all cached
999         code. Now, a client that wants to change cached code must do so explicitly.
1000
1001         * runtime/Executable.h:
1002         (JSC::ScriptExecutable::finishCreation):
1003         * runtime/VM.cpp:
1004         (JSC::VM::deleteAllCode):
1005         * runtime/VMEntryScope.cpp:
1006         (JSC::VMEntryScope::VMEntryScope): Updated for renames above.
1007
1008 2015-08-22  Filip Pizlo  <fpizlo@apple.com>
1009
1010         DFG::InsertionSet should be tolerant of occasional out-of-order insertions
1011         https://bugs.webkit.org/show_bug.cgi?id=148367
1012
1013         Reviewed by Geoffrey Garen and Saam Barati.
1014
1015         Since forever, the DFG::InsertionSet has been the way we insert nodes into DFG IR, and it
1016         requires that you walk a block in order and perform insertions in order: you can't insert
1017         something at index J, then at index I where I < J, except if you do a second pass.
1018
1019         This restriction makes sense, because it enables a very fast algorithm. And it's very
1020         rare that a phase would need to insert things out of order.
1021
1022         But sometimes - rarely - we need to insert things slightly out-of-order. For example we
1023         may want to insert a node at index J, but to insert a check associated with that node, we
1024         may need to use index I where I < J. This will come up from the work on
1025         https://bugs.webkit.org/show_bug.cgi?id=145204. And it has already come up in the past.
1026         It seems like it would be best to just lift this restriction.
1027
1028         * CMakeLists.txt:
1029         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1030         * JavaScriptCore.xcodeproj/project.pbxproj:
1031         * dfg/DFGInsertionSet.cpp: Added.
1032         (JSC::DFG::InsertionSet::insertSlow):
1033         * dfg/DFGInsertionSet.h:
1034         (JSC::DFG::InsertionSet::InsertionSet):
1035         (JSC::DFG::InsertionSet::graph):
1036         (JSC::DFG::InsertionSet::insert):
1037         (JSC::DFG::InsertionSet::execute):
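
The entry above describes lifting the in-order restriction of DFG::InsertionSet by keeping the fast append path and paying for a sort only when an out-of-order insertion actually happens. The following is an added example written for this page, not JavaScriptCore's DFG::InsertionSet; the names Insertion and requiresSort are hypothetical, and std::string stands in for a DFG node.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Added example (not JavaScriptCore's code): collects (index, value) pairs
// while a pass walks a block, then applies them all in one sweep.
struct Insertion {
    size_t index;      // position in the original block to insert before
    std::string value; // stands in for a DFG node
};

class InsertionSet {
public:
    // Fast path: append. If `index` is below the previous insertion's index,
    // remember that execute() must sort first (the occasional slow path).
    void insert(size_t index, std::string value)
    {
        if (!m_insertions.empty() && index < m_insertions.back().index)
            m_requiresSort = true;
        m_insertions.push_back({ index, std::move(value) });
    }

    bool requiresSort() const { return m_requiresSort; }

    // Applies all pending insertions to `block` in a single pass. A stable
    // sort keeps request order for insertions sharing an index, so a check
    // inserted before a node still precedes that node after sorting.
    void execute(std::vector<std::string>& block)
    {
        if (m_requiresSort) {
            std::stable_sort(m_insertions.begin(), m_insertions.end(),
                [](const Insertion& a, const Insertion& b) { return a.index < b.index; });
            m_requiresSort = false;
        }
        std::vector<std::string> result;
        result.reserve(block.size() + m_insertions.size());
        size_t next = 0;
        for (size_t i = 0; i <= block.size(); ++i) {
            // Emit every insertion due at or before position i; when
            // i == block.size() this flushes anything targeting the end.
            while (next < m_insertions.size() && m_insertions[next].index <= i)
                result.push_back(std::move(m_insertions[next++].value));
            if (i < block.size())
                result.push_back(std::move(block[i]));
        }
        block.swap(result);
        m_insertions.clear();
    }

private:
    std::vector<Insertion> m_insertions;
    bool m_requiresSort = false;
};
```

With in-order insertions the set never sorts, so the common case keeps its linear cost; the sort is only charged to the rare pass that inserts a check at a lower index than the node it guards.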
1038
1039 2015-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1040
1041         Create ById IC for ByVal operation only when the specific Id comes more than once
1042         https://bugs.webkit.org/show_bug.cgi?id=148288
1043
1044         Reviewed by Geoffrey Garen.
1045
1046         After introducing byId ICs into byVal ops, byVal ops create many more ICs than before.
1047         The failure fixed in r188767 revealed that these ICs are created even if this op is executed only once.
1048
1049         The situation is the following:
1050         In the current code, when byVal op is executed with the Id, we immediately set up the byId IC for that byVal op.
1051         But setting up JITGetByIdGenerator generates the fast path IC code and consumes executable memory.
1052         As a result, if we call eval("contains byVal ops") with the different strings repeatedly under no-llint environment, each eval call creates byId IC for byVal and consumes executable memory.
1053
1054         To solve it, we will add "seen" flag to ByValInfo.
1055         And we will create the IC on the second byVal op call with the same Id.
1056
1057         * bytecode/ByValInfo.h:
1058         (JSC::ByValInfo::ByValInfo):
1059         * jit/JITOperations.cpp:
1060         (JSC::tryGetByValOptimize):
1061         * jit/JITPropertyAccess.cpp:
1062         (JSC::JIT::privateCompileGetByValWithCachedId): Deleted.
1063         (JSC::JIT::privateCompilePutByValWithCachedId): Deleted.
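
The entry above defers creating a ByVal inline cache until the same Id is seen at the same site a second time, so that code executed only once (for example a fresh eval body) does not consume executable memory. The following is an added model of that policy written for this page, not JSC's own ByValInfo logic; ByValSite, ICPolicy, accessByVal and kICBytes are hypothetical names and constructed figures.

```cpp
#include <cstddef>
#include <string>

// Added example (not JSC's code). Creating an IC stub costs executable
// memory; kICBytes is a constructed per-stub cost used only for counting.
constexpr size_t kICBytes = 256;

enum class ICPolicy { CreateOnFirstUse, CreateOnSecondUse };

struct ByValSite {
    bool seen = false;   // an identifier has already been observed here
    std::string firstId; // which identifier was seen first
    bool hasIC = false;
};

// One ByVal access at `site` with property name `id`.
// Returns true if this access created an IC (i.e. spent executable memory).
bool accessByVal(ByValSite& site, const std::string& id, ICPolicy policy)
{
    if (site.hasIC)
        return false;
    if (policy == ICPolicy::CreateOnFirstUse) {
        site.hasIC = true;
        return true;
    }
    if (!site.seen) {
        site.seen = true; // remember the id, but do not pay for a stub yet
        site.firstId = id;
        return false;
    }
    if (site.firstId != id)
        return false; // a different id is no evidence that this site is hot
    site.hasIC = true;
    return true;
}

// The scenario from the entry: eval() of a different string each time yields
// a fresh code block, so every access happens at a fresh site exactly once.
// Returns the executable bytes consumed by ICs.
size_t bytesForDistinctEvals(size_t evalCount, ICPolicy policy)
{
    size_t bytes = 0;
    for (size_t i = 0; i < evalCount; ++i) {
        ByValSite site;
        if (accessByVal(site, "prop" + std::to_string(i), policy))
            bytes += kICBytes;
    }
    return bytes;
}

// A genuinely hot site: the same id at the same site repeatedly. Returns the
// 1-based access number at which the IC was created, or 0 if never.
size_t accessThatCreatesIC(size_t iterations, ICPolicy policy)
{
    ByValSite site;
    for (size_t i = 1; i <= iterations; ++i) {
        if (accessByVal(site, "length", policy))
            return i;
    }
    return 0;
}
```

Under CreateOnSecondUse the run-once scenario spends nothing, while a hot site still gets its IC on the second access, which is the trade the entry describes.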
1064
1065 2015-08-23  Benjamin Poulain  <bpoulain@apple.com>
1066
1067         [JSC] Get rid of NodePointerTraits
1068         https://bugs.webkit.org/show_bug.cgi?id=148340
1069
1070         Reviewed by Anders Carlsson.
1071
1072         NodePointerTraits does exactly the same thing as the default trait.
1073
1074         * dfg/DFGBasicBlock.h:
1075         * dfg/DFGCommon.h:
1076         (JSC::DFG::NodePointerTraits::defaultValue): Deleted.
1077         (JSC::DFG::NodePointerTraits::isEmptyForDump): Deleted.
1078
1079 2015-08-23  Benjamin Poulain  <bpoulain@apple.com>
1080
1081         [JSC] Reduce the memory usage of BytecodeLivenessAnalysis
1082         https://bugs.webkit.org/show_bug.cgi?id=148353
1083
1084         Reviewed by Darin Adler.
1085
1086         BytecodeLivenessAnalysis easily takes kilobytes of memory for
1087         non-trivial blocks and that memory sticks around because
1088         it is stored on CodeBlock.
1089
1090         This patch reduces that memory use a bit.
1091
1092         Most of the memory is in the array of BytecodeBasicBlock.
1093         BytecodeBasicBlock is shrunk by:
1094         -Making it not ref-counted.
1095         -Removing m_predecessors, it was only used for debugging and
1096          is usually big.
1097         -Added a shrinkToFit() phase to shrink the vectors once we are
1098          done building the BytecodeBasicBlock.
1099
1100         There are more things we should do in the future:
1101         -Store all the BytecodeBasicBlock directly in the array.
1102          We know the size ahead of time, this would be a pure win.
1103          The only tricky part is changing m_successors to have the
1104          index of the successor instead of a pointer.
1105         -Stop putting duplicates in m_successors.
1106
1107         * bytecode/BytecodeBasicBlock.cpp:
1108         (JSC::computeBytecodeBasicBlocks):
1109         (JSC::BytecodeBasicBlock::shrinkToFit): Deleted.
1110         (JSC::linkBlocks): Deleted.
1111         * bytecode/BytecodeBasicBlock.h:
1112         (JSC::BytecodeBasicBlock::addSuccessor):
1113         (JSC::BytecodeBasicBlock::addPredecessor): Deleted.
1114         (JSC::BytecodeBasicBlock::predecessors): Deleted.
1115         * bytecode/BytecodeLivenessAnalysis.cpp:
1116         (JSC::getLeaderOffsetForBasicBlock):
1117         (JSC::findBasicBlockWithLeaderOffset):
1118         (JSC::findBasicBlockForBytecodeOffset):
1119         (JSC::stepOverInstruction):
1120         (JSC::computeLocalLivenessForBytecodeOffset):
1121         (JSC::computeLocalLivenessForBlock):
1122         (JSC::BytecodeLivenessAnalysis::dumpResults): Deleted.
1123         * bytecode/BytecodeLivenessAnalysis.h:
1124
1125 2015-08-23  Geoffrey Garen  <ggaren@apple.com>
1126
1127         Unreviewed, rolling back in r188792.
1128         https://bugs.webkit.org/show_bug.cgi?id=148347
1129
1130         Previously reverted changesets:
1131
1132         "Unify code paths for manually deleting all code"
1133         https://bugs.webkit.org/show_bug.cgi?id=148280
1134         http://trac.webkit.org/changeset/188792
1135
1136         The previous patch caused some inspector tests to hang because it
1137         introduced extra calls to sourceParsed, and sourceParsed is
1138         pathologically slow in WK1 debug builds. This patch restores pre-existing
1139         code to limit calls to sourceParsed, excluding code not being debugged
1140         (i.e., inspector code).
1141
1142 2015-08-23  Geoffrey Garen  <ggaren@apple.com>
1143
1144         Unreviewed, rolling back in r188803.
1145
1146         Previously reverted changesets:
1147
1148         "Debugger's VM should never be null"
1149         https://bugs.webkit.org/show_bug.cgi?id=148341
1150         http://trac.webkit.org/changeset/188803
1151
1152         * debugger/Debugger.cpp:
1153         (JSC::Debugger::Debugger):
1154         (JSC::Debugger::attach):
1155         (JSC::Debugger::detach):
1156         (JSC::Debugger::isAttached):
1157         (JSC::Debugger::setSteppingMode):
1158         (JSC::Debugger::registerCodeBlock):
1159         (JSC::Debugger::toggleBreakpoint):
1160         (JSC::Debugger::recompileAllJSFunctions):
1161         (JSC::Debugger::setBreakpoint):
1162         (JSC::Debugger::clearBreakpoints):
1163         (JSC::Debugger::clearDebuggerRequests):
1164         (JSC::Debugger::setBreakpointsActivated):
1165         (JSC::Debugger::breakProgram):
1166         (JSC::Debugger::stepOutOfFunction):
1167         (JSC::Debugger::returnEvent):
1168         (JSC::Debugger::didExecuteProgram):
1169         * debugger/Debugger.h:
1170         * inspector/JSGlobalObjectScriptDebugServer.cpp:
1171         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
1172         (Inspector::JSGlobalObjectScriptDebugServer::removeListener):
1173         (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
1174         (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions): Deleted.
1175         * inspector/JSGlobalObjectScriptDebugServer.h:
1176         * inspector/ScriptDebugServer.cpp:
1177         (Inspector::ScriptDebugServer::ScriptDebugServer):
1178         * inspector/ScriptDebugServer.h:
1179
1180 2015-08-22  Filip Pizlo  <fpizlo@apple.com>
1181
1182         DFG string concatenation shouldn't be playing fast and loose with effects and OSR exit
1183         https://bugs.webkit.org/show_bug.cgi?id=148338
1184
1185         Reviewed by Michael Saboff and Saam Barati.
1186
1187         Prior to this change, DFG string concatenation appeared to have various different ways of
1188         creating an OSR exit right after a side effect. That's bad, because the exit will cause
1189         us to reexecute the side effect. The code appears to have some hacks for avoiding this,
1190         but some cases are basically unavoidable, like the OOM case of string concatenation: in
1191         trunk that could cause two executions of the toString operation.
1192
1193         This changes the string concatenation code to either be speculative or effectful but
1194         never both. It's already the case that when this code needs to be effectful, it also
1195         needs to be slow (it does int->string conversions, calls JS functions, etc). So, this is
1196         a small price to pay for sanity.
1197
1198         The biggest part of this change is the introduction of StrCat, which is like MakeRope but
1199         does toString conversions on its own instead of relying on separate nodes. StrCat can
1200         take either 2 or 3 children. It's the effectful but not speculative version of MakeRope.
1201
1202         * dfg/DFGAbstractInterpreterInlines.h:
1203         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1204         * dfg/DFGBackwardsPropagationPhase.cpp:
1205         (JSC::DFG::BackwardsPropagationPhase::propagate):
1206         * dfg/DFGByteCodeParser.cpp:
1207         (JSC::DFG::ByteCodeParser::parseBlock):
1208         * dfg/DFGClobberize.h:
1209         (JSC::DFG::clobberize):
1210         * dfg/DFGDoesGC.cpp:
1211         (JSC::DFG::doesGC):
1212         * dfg/DFGFixupPhase.cpp:
1213         (JSC::DFG::FixupPhase::fixupNode):
1214         (JSC::DFG::FixupPhase::convertStringAddUse):
1215         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
1216         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1217         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1218         * dfg/DFGNodeType.h:
1219         * dfg/DFGOperations.cpp:
1220         * dfg/DFGOperations.h:
1221         * dfg/DFGPredictionPropagationPhase.cpp:
1222         (JSC::DFG::PredictionPropagationPhase::propagate):
1223         * dfg/DFGSafeToExecute.h:
1224         (JSC::DFG::safeToExecute):
1225         * dfg/DFGSpeculativeJIT.h:
1226         (JSC::DFG::SpeculativeJIT::callOperation):
1227         (JSC::DFG::JSValueOperand::JSValueOperand):
1228         (JSC::DFG::JSValueOperand::~JSValueOperand):
1229         * dfg/DFGSpeculativeJIT32_64.cpp:
1230         (JSC::DFG::SpeculativeJIT::compile):
1231         * dfg/DFGSpeculativeJIT64.cpp:
1232         (JSC::DFG::SpeculativeJIT::compile):
1233         * dfg/DFGValidate.cpp:
1234         (JSC::DFG::Validate::validate):
1235         * ftl/FTLCapabilities.cpp:
1236         (JSC::FTL::canCompile):
1237         * ftl/FTLIntrinsicRepository.h:
1238         * ftl/FTLLowerDFGToLLVM.cpp:
1239         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1240         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
1241         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
1242         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1243         * jit/JITOperations.h:
1244         * tests/stress/exception-effect-strcat.js: Added. This test previously failed.
1245         * tests/stress/exception-in-strcat-string-overflow.js: Added. An earlier version of this patch made this fail.
1246         * tests/stress/exception-in-strcat.js: Added.
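
The observable semantics the stress tests above exercise, as an added example that is not part of the WebKit patch or its tests: every operand's toString runs at most once and in left-to-right order, and an operand whose toString throws stops conversion of the operands after it. The operand names and the helper functions are constructed for this example.

```javascript
// Added example (not from the WebKit ChangeLog or its tests): checks the
// observable semantics that an effectful-but-not-speculative StrCat must
// preserve. Each operand's toString runs at most once, operands are
// converted left to right, and an operand that throws stops conversion
// of the operands after it.

// Build an operand whose toString is effectful: it appends its name to a
// shared call log, and optionally throws.
function makeOperand(name, log, shouldThrow) {
    return {
        toString() {
            log.push(name);
            if (shouldThrow)
                throw new Error("toString of " + name + " failed");
            return name;
        }
    };
}

// Concatenate three operands the way the stress tests do and report what
// was observed: the result (or the error message) and the conversion log.
// `throwOn` names the operand whose toString throws, or null for none.
function concatAndObserve(throwOn) {
    const log = [];
    const a = makeOperand("a", log, throwOn === "a");
    const b = makeOperand("b", log, throwOn === "b");
    const c = makeOperand("c", log, throwOn === "c");
    let result = null;
    let error = null;
    try {
        // (a + b) + c: ToPrimitive on a, then b, then c. The objects have
        // no primitive valueOf, so each conversion ends in toString.
        result = a + b + c;
    } catch (e) {
        error = e.message;
    }
    return { result, error, log };
}

// Run the concatenation many times so a JIT tier gets to compile it; any
// tier that re-executed an effectful conversion after bailing out would
// show a duplicated name in the log, which is exactly the double-toString
// problem the entry describes.
function checkSingleExecution(iterations) {
    for (let i = 0; i < iterations; ++i) {
        for (const throwOn of [null, "a", "b", "c"]) {
            const { log } = concatAndObserve(throwOn);
            if (new Set(log).size !== log.length)
                return false;
        }
    }
    return true;
}
```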
1247
1248 2015-08-22  Andreas Kling  <akling@apple.com>
1249
1250         [JSC] Static hash tables should be 100% compile-time constant.
1251         <https://webkit.org/b/148359>
1252
1253         Reviewed by Michael Saboff.
1254
1255         We were dirtying the memory pages containing static hash tables the
1256         first time they were used, when a dynamically allocated index-to-key
1257         table was built and cached in the HashTable struct.
1258
1259         It turns out that this "optimization" was completely useless, since
1260         we've long since decoupled static hash tables from the JSC::VM and
1261         we can get the key for an index via HashTable::values[index].m_key!
1262
1263         We also get rid of VM::keywords which was a little wrapper around
1264         a VM-specific copy of JSC::mainTable. There was nothing VM-specific
1265         about it at all, so clients now use JSC::mainTable directly.
1266
1267         After this change all fooHashTable structs end up in __DATA __const
1268         and no runtime initialization/allocation takes place.
1269
1270         * create_hash_table:
1271         * jsc.cpp:
1272         * parser/Lexer.cpp:
1273         (JSC::isLexerKeyword):
1274         (JSC::Lexer<LChar>::parseIdentifier):
1275         (JSC::Lexer<UChar>::parseIdentifier):
1276         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
1277         (JSC::Keywords::Keywords): Deleted.
1278         * parser/Lexer.h:
1279         (JSC::Keywords::isKeyword): Deleted.
1280         (JSC::Keywords::getKeyword): Deleted.
1281         (JSC::Keywords::~Keywords): Deleted.
1282         * runtime/LiteralParser.cpp:
1283         (JSC::LiteralParser<CharType>::tryJSONPParse):
1284         * runtime/Lookup.cpp:
1285         (JSC::HashTable::createTable): Deleted.
1286         (JSC::HashTable::deleteTable): Deleted.
1287         * runtime/Lookup.h:
1288         (JSC::HashTable::entry):
1289         (JSC::HashTable::ConstIterator::key):
1290         (JSC::HashTable::ConstIterator::skipInvalidKeys):
1291         (JSC::HashTable::copy): Deleted.
1292         (JSC::HashTable::initializeIfNeeded): Deleted.
1293         (JSC::HashTable::begin): Deleted.
1294         (JSC::HashTable::end): Deleted.
1295         * runtime/VM.cpp:
1296         (JSC::VM::VM): Deleted.
1297         * runtime/VM.h:
1298         * testRegExp.cpp:
1299
1300 2015-08-21  Commit Queue  <commit-queue@webkit.org>
1301
1302         Unreviewed, rolling out r188792 and r188803.
1303         https://bugs.webkit.org/show_bug.cgi?id=148347
1304
1305         broke lots of tests, ggaren is going to investigate and reland
1306         (Requested by thorton on #webkit).
1307
1308         Reverted changesets:
1309
1310         "Unify code paths for manually deleting all code"
1311         https://bugs.webkit.org/show_bug.cgi?id=148280
1312         http://trac.webkit.org/changeset/188792
1313
1314         "Debugger's VM should never be null"
1315         https://bugs.webkit.org/show_bug.cgi?id=148341
1316         http://trac.webkit.org/changeset/188803
1317
1318 2015-08-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1319
1320         Parse control flow statements in WebAssembly
1321         https://bugs.webkit.org/show_bug.cgi?id=148333
1322
1323         Reviewed by Geoffrey Garen.
1324
1325         Parse control flow statements in WebAssembly files generated by pack-asmjs
1326         <https://github.com/WebAssembly/polyfill-prototype-1>.
1327
1328         * wasm/WASMConstants.h:
1329         * wasm/WASMFunctionParser.cpp:
1330         (JSC::WASMFunctionParser::parseStatement):
1331         (JSC::WASMFunctionParser::parseIfStatement):
1332         (JSC::WASMFunctionParser::parseIfElseStatement):
1333         (JSC::WASMFunctionParser::parseWhileStatement):
1334         (JSC::WASMFunctionParser::parseDoStatement):
1335         (JSC::WASMFunctionParser::parseLabelStatement):
1336         (JSC::WASMFunctionParser::parseBreakStatement):
1337         (JSC::WASMFunctionParser::parseBreakLabelStatement):
1338         (JSC::WASMFunctionParser::parseContinueStatement):
1339         (JSC::WASMFunctionParser::parseContinueLabelStatement):
1340         (JSC::WASMFunctionParser::parseSwitchStatement):
1341         * wasm/WASMFunctionParser.h:
1342         (JSC::WASMFunctionParser::WASMFunctionParser):
1343         * wasm/WASMReader.cpp:
1344         (JSC::WASMReader::readCompactInt32):
1345         (JSC::WASMReader::readSwitchCase):
1346         * wasm/WASMReader.h:
1347
1348 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
1349
1350         Debugger's VM should never be null
1351         https://bugs.webkit.org/show_bug.cgi?id=148341
1352
1353         Reviewed by Joseph Pecoraro.
1354
1355         It doesn't make sense for a Debugger's VM to be null, and code related
1356         to maintaining that illusion just caused the Web Inspector to crash on
1357         launch (https://bugs.webkit.org/show_bug.cgi?id=148312). So, let's stop
1358         doing that.
1359
1360         Now, Debugger requires its subclass to provide a never-null VM&.
1361
1362         Also took the opportunity, based on review feedback, to remove some
1363         confusion in the virtual recompileAllJSFunctions hierarchy, by eliminating
1364         the pure virtual in ScriptDebugServer and the unnecessary override in
1365         JSGlobalObjectScriptDebugServer.
1366
1367         * debugger/Debugger.cpp:
1368         (JSC::Debugger::Debugger):
1369         (JSC::Debugger::attach):
1370         (JSC::Debugger::detach):
1371         (JSC::Debugger::isAttached):
1372         (JSC::Debugger::setSteppingMode):
1373         (JSC::Debugger::registerCodeBlock):
1374         (JSC::Debugger::toggleBreakpoint):
1375         (JSC::Debugger::recompileAllJSFunctions):
1376         (JSC::Debugger::setBreakpoint):
1377         (JSC::Debugger::clearBreakpoints):
1378         (JSC::Debugger::clearDebuggerRequests):
1379         (JSC::Debugger::setBreakpointsActivated):
1380         (JSC::Debugger::breakProgram):
1381         (JSC::Debugger::stepOutOfFunction):
1382         (JSC::Debugger::returnEvent):
1383         (JSC::Debugger::didExecuteProgram):
1384         * debugger/Debugger.h:
1385         * inspector/JSGlobalObjectScriptDebugServer.cpp:
1386         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
1387         (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions):
1388         (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
1389         * inspector/ScriptDebugServer.cpp:
1390         (Inspector::ScriptDebugServer::ScriptDebugServer):
1391         * inspector/ScriptDebugServer.h:
1392
1393 2015-08-21  Basile Clement  <basile_clement@apple.com>
1394
1395         Remove unused code relative to allocation sinking
1396         https://bugs.webkit.org/show_bug.cgi?id=148342
1397
1398         Reviewed by Mark Lam.
1399
1400         This removes two things:
1401
1402          - The DFGPromoteHeapAccess.h file, which is a relic of the old sinking
1403            phase and is no longer used (it has been subsumed by
1404            ObjectAllocationSinking::promoteLocalHeap)
1405
1406          - Code in the allocation sinking phase for sinking
1407            MaterializeCreateActivation and MaterializeNewObject. Handling those
1408            is no longer necessary since the phase no longer runs in a fixpoint
1409            and thus will never see those nodes, since no other phase creates
1410            them.
1411
1412         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1413         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1414         * JavaScriptCore.xcodeproj/project.pbxproj:
1415         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1416         * dfg/DFGPromoteHeapAccess.h: Removed.
1417
1418 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
1419
1420         Unify code paths for manually deleting all code
1421         https://bugs.webkit.org/show_bug.cgi?id=148280
1422
1423         Reviewed by Saam Barati.
1424
1425         We used to have three paths for manually deleting all code. Now we have
1426         one shared path.
1427
1428         * debugger/Debugger.cpp:
1429         (JSC::Debugger::attach): Notify the debugger of all previous code when
1430         it attaches. We used to do this when recompiling, which was only correct
1431         by accident.
1432
1433         (JSC::Debugger::recompileAllJSFunctions): Switch to the shared path.
1434
1435         * heap/Heap.h:
1436         (JSC::Heap::compiledCode):
1437
1438         * inspector/agents/InspectorRuntimeAgent.cpp:
1439         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1440         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
1441         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
1442         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1443         (Inspector::TypeRecompiler::visit): Deleted.
1444         (Inspector::TypeRecompiler::operator()): Deleted.
1445         (Inspector::recompileAllJSFunctionsForTypeProfiling): Deleted. Switch
1446         to the shared path.
1447
1448         * runtime/VM.cpp:
1449         (JSC::VM::afterVMExit): Added a helper for scheduling an activity after
1450         VM exit. We can't delete code while it's on the stack, and we can't
1451         delete auxiliary profiling data while profiling code is on the stack,
1452         so in those cases, we schedule the deletion for the next time we exit.
1453
1454         (JSC::VM::deleteAllCode): Use afterVMExit because we might have code
1455         on the stack when debugger, profiler, or watchdog state changes.
1456
1457         * runtime/VM.h:
1458
1459         * runtime/VMEntryScope.cpp:
1460         (JSC::VMEntryScope::VMEntryScope):
1461         (JSC::VMEntryScope::addDidPopListener):
1462         (JSC::VMEntryScope::~VMEntryScope):
1463         (JSC::VMEntryScope::setEntryScopeDidPopListener): Deleted.
1464         * runtime/VMEntryScope.h:
1465         (JSC::VMEntryScope::globalObject): Removed the uniquing feature from
1466         the scope pop listener list because we don't have a client that wants
1467         it, and it's not convenient to use correctly since you can't take
1468         the address of a member function, a lambda, or an std::function. We can
1469         add this feature back if we discover that we want it.
1470
1471 2015-08-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1472
1473         Implement WebAssembly function parser
1474         https://bugs.webkit.org/show_bug.cgi?id=147738
1475
1476         Reviewed by Filip Pizlo.
1477
1478         Implement WebAssembly function parser for WebAssembly files produced by pack-asmjs
1479         <https://github.com/WebAssembly/polyfill-prototype-1>. This patch parses only
1480         some instructions on statements and int32 expressions. Parsing of the rest
1481         will be implemented in subsequent patches. The instruction lists in WASMConstants.h
1482         are slightly modified from
1483         <https://github.com/WebAssembly/polyfill-prototype-1/blob/master/src/shared.h>.
1484
1485         * CMakeLists.txt:
1486         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1487         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1488         * JavaScriptCore.xcodeproj/project.pbxproj:
1489         * wasm/WASMConstants.h: Added.
1490         * wasm/WASMFormat.h:
1491         * wasm/WASMFunctionParser.cpp: Added.
1492         (JSC::WASMFunctionParser::checkSyntax):
1493         (JSC::WASMFunctionParser::parseFunction):
1494         (JSC::WASMFunctionParser::parseLocalVariables):
1495         (JSC::WASMFunctionParser::parseStatement):
1496         (JSC::WASMFunctionParser::parseSetLocalStatement):
1497         (JSC::WASMFunctionParser::parseReturnStatement):
1498         (JSC::WASMFunctionParser::parseBlockStatement):
1499         (JSC::WASMFunctionParser::parseExpression):
1500         (JSC::WASMFunctionParser::parseExpressionI32):
1501         (JSC::WASMFunctionParser::parseImmediateExpressionI32):
1502         * wasm/WASMFunctionParser.h: Added.
1503         (JSC::WASMFunctionParser::WASMFunctionParser):
1504         * wasm/WASMFunctionSyntaxChecker.h: Renamed from Source/JavaScriptCore/wasm/WASMMagicNumber.h.
1505         * wasm/WASMModuleParser.cpp:
1506         (JSC::WASMModuleParser::WASMModuleParser):
1507         (JSC::WASMModuleParser::parseFunctionDefinitionSection):
1508         (JSC::WASMModuleParser::parseFunctionDefinition):
1509         * wasm/WASMModuleParser.h:
1510         * wasm/WASMReader.cpp:
1511         (JSC::WASMReader::readType):
1512         (JSC::WASMReader::readExpressionType):
1513         (JSC::WASMReader::readExportFormat):
1514         (JSC::WASMReader::readOpStatement):
1515         (JSC::WASMReader::readOpExpressionI32):
1516         (JSC::WASMReader::readVariableTypes):
1517         (JSC::WASMReader::readOp):
1518         * wasm/WASMReader.h:
1519         (JSC::WASMReader::offset):
1520         (JSC::WASMReader::setOffset):
1521
1522 2015-08-21  Filip Pizlo  <fpizlo@apple.com>
1523
1524         DFG::PutStackSinkingPhase doesn't need to emit KillStack nodes
1525         https://bugs.webkit.org/show_bug.cgi?id=148331
1526
1527         Reviewed by Geoffrey Garen.
1528
1529         PutStackSinkingPhase previously emitted a KillStack node when it sank a PutStack. This
1530         isn't necessary because KillStack is only interesting for OSR exit, and PutStack nodes
1531         that are relevant to OSR will already be preceded by a KillStack/MovHint pair.
1532
1533         * dfg/DFGPutStackSinkingPhase.cpp:
1534
1535 2015-08-21  Filip Pizlo  <fpizlo@apple.com>
1536
1537         DFG::NodeOrigin should have a flag determining if exiting is OK right now
1538         https://bugs.webkit.org/show_bug.cgi?id=148323
1539
1540         Reviewed by Saam Barati.
1541
1542         * dfg/DFGByteCodeParser.cpp:
1543         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
1544         (JSC::DFG::ByteCodeParser::branchData):
1545         * dfg/DFGInsertionSet.h:
1546         (JSC::DFG::InsertionSet::insertConstant):
1547         (JSC::DFG::InsertionSet::insertConstantForUse):
1548         (JSC::DFG::InsertionSet::insertBottomConstantForUse):
1549         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1550         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1551         * dfg/DFGLICMPhase.cpp:
1552         (JSC::DFG::LICMPhase::attemptHoist):
1553         * dfg/DFGNodeOrigin.h:
1554         (JSC::DFG::NodeOrigin::NodeOrigin):
1555         (JSC::DFG::NodeOrigin::isSet):
1556         (JSC::DFG::NodeOrigin::withSemantic):
1557         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1558
1559 2015-08-21  Saam barati  <sbarati@apple.com>
1560
1561         DFG callOperations should not implicitly emit an exception check. At callOperation call sites, we should explicitly emit exception checks
1562         https://bugs.webkit.org/show_bug.cgi?id=147988
1563
1564         Reviewed by Geoffrey Garen.
1565
1566         This is in preparation for the DFG being able to handle exceptions. 
1567         To do this, we need more control over when we emit exception checks.
1568         Specifically, we want to be able to silentFill before emitting an exception check.
1569         This patch does that. This patch also allows us to easily see which
1570         operations do and do not emit exception checks. Finding this information
1571         out before was a pain.
1572
1573         * assembler/AbortReason.h:
1574         * dfg/DFGArrayifySlowPathGenerator.h:
1575         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1576         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1577         * dfg/DFGJITCompiler.h:
1578         (JSC::DFG::JITCompiler::appendCall):
1579         (JSC::DFG::JITCompiler::exceptionCheck):
1580         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1581         * dfg/DFGSlowPathGenerator.h:
1582         (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator):
1583         (JSC::DFG::CallSlowPathGenerator::tearDown):
1584         (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::CallResultAndNoArgumentsSlowPathGenerator):
1585         (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::CallResultAndOneArgumentSlowPathGenerator):
1586         (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::CallResultAndTwoArgumentsSlowPathGenerator):
1587         (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::CallResultAndThreeArgumentsSlowPathGenerator):
1588         (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::CallResultAndFourArgumentsSlowPathGenerator):
1589         (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::CallResultAndFiveArgumentsSlowPathGenerator):
1590         (JSC::DFG::slowPathCall):
1591         * dfg/DFGSpeculativeJIT.cpp:
1592         (JSC::DFG::SpeculativeJIT::compileIn):
1593         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1594         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1595         (JSC::DFG::SpeculativeJIT::compileArithRound):
1596         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1597         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1598         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1599         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1600         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
1601         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
1602         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1603         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1604         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
1605         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1606         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1607         * dfg/DFGSpeculativeJIT.h:
1608         (JSC::DFG::SpeculativeJIT::callOperation):
1609         (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
1610         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
1611         (JSC::DFG::SpeculativeJIT::appendCall):
1612         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1613         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1614         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1615         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck): Deleted.
1616         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult): Deleted.
1617         * dfg/DFGSpeculativeJIT32_64.cpp:
1618         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1619         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
1620         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1621         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1622         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1623         (JSC::DFG::SpeculativeJIT::emitCall):
1624         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1625         (JSC::DFG::SpeculativeJIT::compile):
1626         * dfg/DFGSpeculativeJIT64.cpp:
1627         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1628         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
1629         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1630         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1631         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1632         (JSC::DFG::SpeculativeJIT::emitCall):
1633         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1634         (JSC::DFG::SpeculativeJIT::compile):
1635         * ftl/FTLIntrinsicRepository.h:
1636         * ftl/FTLLowerDFGToLLVM.cpp:
1637         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1638         * jit/AssemblyHelpers.cpp:
1639         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1640         (JSC::AssemblyHelpers::jitAssertNoException):
1641         (JSC::AssemblyHelpers::callExceptionFuzz):
1642         (JSC::AssemblyHelpers::emitExceptionCheck):
1643         * jit/AssemblyHelpers.h:
1644         (JSC::AssemblyHelpers::jitAssertIsInt32):
1645         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
1646         (JSC::AssemblyHelpers::jitAssertIsNull):
1647         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
1648         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1649         (JSC::AssemblyHelpers::jitAssertNoException):
1650         * jit/JITOperations.cpp:
1651         * jit/JITOperations.h:
1652         * runtime/VM.h:
1653         (JSC::VM::scratchBufferForSize):
1654         (JSC::VM::exceptionFuzzingBuffer):
1655
1656 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
1657
1658         REGRESSION (r188714): RELEASE_ASSERT in JSC::Heap::incrementDeferralDepth() opening Web Inspector on daringfireball.net
1659         https://bugs.webkit.org/show_bug.cgi?id=148312
1660
1661         Reviewed by Mark Lam.
1662
1663         * debugger/Debugger.cpp:
1664         (JSC::Debugger::recompileAllJSFunctions): Use our vm argument instead of
1665         m_vm because sometimes they are different and m_vm is null. (This behavior
1666         is very strange, and we should probably eliminate it -- but we need a 
1667         fix for this serious regression right now.)
1668
1669 2015-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1670
1671         [ES6] prototyping module loader in JSC shell
1672         https://bugs.webkit.org/show_bug.cgi?id=147876
1673
1674         Reviewed by Saam Barati.
1675
1676         This patch implements the ES6 Module Loader part. The implementation is based on
1677         the latest draft[1, 2]. The naive implementation poses several problems.
1678         This patch attempts to solve the spec issues and proposes the fix[3, 4, 5].
1679
1680         We construct the JSC internal module loader based on the ES6 Promises.
1681         The chain of the promises represents the dependency graph of the modules and
1682         it automatically enables asynchronous module fetching.
1683         To leverage the Promises internally, we use the InternalPromise landed in r188681.
1684
1685         The loader has several platform-dependent hooks. The platform can implement
1686         these hooks to provide the functionality missing in the module loaders, like
1687         "how to fetch the resources". The method table of the JSGlobalObject is extended
1688         to accept these hooks from the platform.
1689
1690         This patch focuses on the loading part. So we don't create the module environment
1691         and don't link the modules yet.
1692
1693         To test the current module progress easily, we add the `-m` option to the JSC shell.
1694         When this option is specified, we load the given script as the module. And to use
1695         the module loading inside the JSC shell, we added the simple loader hook for fetching.
1696         It fetches the module content from the file system.
1697
1698         And to use the ES6 Map in the Loader implementation, we added @get and @set methods to the Map.
1699         But it conflicts with the existing `getPrivateName` method. Rename it to `lookUpPrivateName`.
1700
1701         [1]: https://whatwg.github.io/loader/
1702         [2]: https://github.com/whatwg/loader/commit/214c7a6625b445bdf411c39984f36f01139a24be
1703         [3]: https://github.com/whatwg/loader/pull/66
1704         [4]: https://github.com/whatwg/loader/pull/67
1705         [5]: https://github.com/whatwg/loader/issues/68
1706         [6]: https://bugs.webkit.org/show_bug.cgi?id=148136
1707
1708         * CMakeLists.txt:
1709         * DerivedSources.make:
1710         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1711         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1712         * JavaScriptCore.xcodeproj/project.pbxproj:
1713         * builtins/BuiltinNames.h:
1714         (JSC::BuiltinNames::lookUpPrivateName):
1715         (JSC::BuiltinNames::lookUpPublicName):
1716         (JSC::BuiltinNames::getPrivateName): Deleted.
1717         (JSC::BuiltinNames::getPublicName): Deleted.
1718         * builtins/ModuleLoaderObject.js: Added.
1719         (setStateToMax):
1720         (newRegistryEntry):
1721         (forceFulfillPromise):
1722         (fulfillFetch):
1723         (fulfillTranslate):
1724         (fulfillInstantiate):
1725         (instantiation):
1726         (requestFetch):
1727         (requestTranslate):
1728         (requestInstantiate):
1729         (requestResolveDependencies.resolveDependenciesPromise.this.requestInstantiate.then.):
1730         (requestResolveDependencies.resolveDependenciesPromise.this.requestInstantiate.then):
1731         (requestResolveDependencies):
1732         (requestInstantiateAll):
1733         (provide):
1734         * jsc.cpp:
1735         (stringFromUTF):
1736         (jscSource):
1737         (GlobalObject::moduleLoaderFetch):
1738         (functionCheckModuleSyntax):
1739         (dumpException):
1740         (runWithScripts):
1741         (printUsageStatement):
1742         (CommandLine::parseArguments):
1743         (jscmain):
1744         (CommandLine::CommandLine): Deleted.
1745         * parser/Lexer.cpp:
1746         (JSC::Lexer<LChar>::parseIdentifier):
1747         (JSC::Lexer<UChar>::parseIdentifier):
1748         * parser/ModuleAnalyzer.cpp:
1749         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1750         (JSC::ModuleAnalyzer::exportVariable):
1751         (JSC::ModuleAnalyzer::analyze):
1752         * parser/ModuleAnalyzer.h:
1753         (JSC::ModuleAnalyzer::moduleRecord):
1754         * parser/ModuleRecord.cpp:
1755         (JSC::printableName): Deleted.
1756         (JSC::ModuleRecord::dump): Deleted.
1757         * parser/ModuleRecord.h:
1758         (JSC::ModuleRecord::ImportEntry::isNamespace): Deleted.
1759         (JSC::ModuleRecord::create): Deleted.
1760         (JSC::ModuleRecord::appendRequestedModule): Deleted.
1761         (JSC::ModuleRecord::addImportEntry): Deleted.
1762         (JSC::ModuleRecord::addExportEntry): Deleted.
1763         (JSC::ModuleRecord::addStarExportEntry): Deleted.
1764         * parser/Nodes.h:
1765         * parser/NodesAnalyzeModule.cpp:
1766         (JSC::ImportDeclarationNode::analyzeModule):
1767         (JSC::ExportAllDeclarationNode::analyzeModule):
1768         (JSC::ExportNamedDeclarationNode::analyzeModule):
1769         * runtime/CommonIdentifiers.cpp:
1770         (JSC::CommonIdentifiers::lookUpPrivateName):
1771         (JSC::CommonIdentifiers::lookUpPublicName):
1772         (JSC::CommonIdentifiers::getPrivateName): Deleted.
1773         (JSC::CommonIdentifiers::getPublicName): Deleted.
1774         * runtime/CommonIdentifiers.h:
1775         * runtime/Completion.cpp:
1776         (JSC::checkModuleSyntax):
1777         (JSC::evaluateModule):
1778         * runtime/Completion.h:
1779         * runtime/ExceptionHelpers.cpp:
1780         (JSC::createUndefinedVariableError):
1781         * runtime/Identifier.h:
1782         * runtime/JSGlobalObject.cpp:
1783         (JSC::JSGlobalObject::init):
1784         (JSC::JSGlobalObject::visitChildren):
1785         * runtime/JSGlobalObject.h:
1786         (JSC::JSGlobalObject::moduleLoader):
1787         (JSC::JSGlobalObject::moduleRecordStructure):
1788         * runtime/JSModuleRecord.cpp: Renamed from Source/JavaScriptCore/parser/ModuleRecord.cpp.
1789         (JSC::JSModuleRecord::destroy):
1790         (JSC::JSModuleRecord::finishCreation):
1791         (JSC::printableName):
1792         (JSC::JSModuleRecord::dump):
1793         * runtime/JSModuleRecord.h: Renamed from Source/JavaScriptCore/parser/ModuleRecord.h.
1794         (JSC::JSModuleRecord::ImportEntry::isNamespace):
1795         (JSC::JSModuleRecord::createStructure):
1796         (JSC::JSModuleRecord::create):
1797         (JSC::JSModuleRecord::requestedModules):
1798         (JSC::JSModuleRecord::JSModuleRecord):
1799         (JSC::JSModuleRecord::appendRequestedModule):
1800         (JSC::JSModuleRecord::addImportEntry):
1801         (JSC::JSModuleRecord::addExportEntry):
1802         (JSC::JSModuleRecord::addStarExportEntry):
1803         * runtime/MapPrototype.cpp:
1804         (JSC::MapPrototype::finishCreation):
1805         * runtime/ModuleLoaderObject.cpp: Added.
1806         (JSC::ModuleLoaderObject::ModuleLoaderObject):
1807         (JSC::ModuleLoaderObject::finishCreation):
1808         (JSC::ModuleLoaderObject::getOwnPropertySlot):
1809         (JSC::printableModuleKey):
1810         (JSC::ModuleLoaderObject::provide):
1811         (JSC::ModuleLoaderObject::requestInstantiateAll):
1812         (JSC::ModuleLoaderObject::resolve):
1813         (JSC::ModuleLoaderObject::fetch):
1814         (JSC::ModuleLoaderObject::translate):
1815         (JSC::ModuleLoaderObject::instantiate):
1816         (JSC::moduleLoaderObjectParseModule):
1817         (JSC::moduleLoaderObjectRequestedModules):
1818         (JSC::moduleLoaderObjectResolve):
1819         (JSC::moduleLoaderObjectFetch):
1820         (JSC::moduleLoaderObjectTranslate):
1821         (JSC::moduleLoaderObjectInstantiate):
1822         * runtime/ModuleLoaderObject.h: Added.
1823         (JSC::ModuleLoaderObject::create):
1824         (JSC::ModuleLoaderObject::createStructure):
1825         * runtime/Options.h:
1826
1827 2015-08-20  Filip Pizlo  <fpizlo@apple.com>
1828
1829         DFG should have a KnownBooleanUse for cases where we are required to know that the child is a boolean and it's not OK to speculate
1830         https://bugs.webkit.org/show_bug.cgi?id=148286
1831
1832         Reviewed by Benjamin Poulain.
1833
1834         This enables us to ensure that the Branch or LogicalNot after an effectful CompareXYZ can
1835         be marked as !mayExit(). I need that for https://bugs.webkit.org/show_bug.cgi?id=145204.
1836
1837         * dfg/DFGFixupPhase.cpp:
1838         (JSC::DFG::FixupPhase::fixupNode):
1839         (JSC::DFG::FixupPhase::observeUseKindOnNode):
1840         * dfg/DFGSafeToExecute.h:
1841         (JSC::DFG::SafeToExecuteEdge::operator()):
1842         * dfg/DFGSpeculativeJIT.cpp:
1843         (JSC::DFG::SpeculativeJIT::speculate):
1844         * dfg/DFGSpeculativeJIT.h:
1845         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
1846         * dfg/DFGSpeculativeJIT32_64.cpp:
1847         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1848         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1849         (JSC::DFG::SpeculativeJIT::emitBranch):
1850         * dfg/DFGSpeculativeJIT64.cpp:
1851         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1852         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1853         (JSC::DFG::SpeculativeJIT::emitBranch):
1854         * dfg/DFGUseKind.cpp:
1855         (WTF::printInternal):
1856         * dfg/DFGUseKind.h:
1857         (JSC::DFG::typeFilterFor):
1858         (JSC::DFG::shouldNotHaveTypeCheck):
1859         * ftl/FTLCapabilities.cpp:
1860         (JSC::FTL::canCompile):
1861         * ftl/FTLLowerDFGToLLVM.cpp:
1862         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
1863         (JSC::FTL::DFG::LowerDFGToLLVM::lowBoolean):
1864
1865 2015-08-20  Filip Pizlo  <fpizlo@apple.com>
1866
1867         Overflow check elimination fails for a simple test case
1868         https://bugs.webkit.org/show_bug.cgi?id=147387
1869
1870         Reviewed by Benjamin Poulain.
1871
1872         Overflow check elimination was having issues when things got constant-folded, because whereas an
1873         Add or LessThan operation teaches us about relationships between the things being added or
1874         compared, we don't do that when we see a JSConstant. We don't create a relationship between every
1875         JSConstant and every other JSConstant. So, if we constant-fold an Add, we forget the relationships
1876         that it would have had with its inputs.
1877
1878         One solution would be to have every JSConstant create a relationship with every other JSConstant.
1879         This is dangerous, since it would create O(n^2) explosion of relationships.
1880
1881         Instead, this patch teaches filtration and merging how to behave "as if" there were inter-constant
1882         relationships. Normally those operations only work on two relationships involving the same node
1883         pair. But now, if we have @x op @c and @x op @d, where @c and @d are different nodes but both are
1884         constants, we will do merging or filtering by grokking the constant values.
1885
1886         This speeds up lots of tests in JSRegress, because it enables overflow check elimination on things
1887         like:
1888
1889         for (var i = 0; i < 100; ++i)
1890
1891         Previously, the fact that this was all constants would throw off the analysis because the analysis
1892         wouldn't "know" that 0 < 100.
1893
1894         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1895
1896 2015-08-20  Geoffrey Garen  <ggaren@apple.com>
1897
1898         forEachCodeBlock should wait for all CodeBlocks automatically
1899         https://bugs.webkit.org/show_bug.cgi?id=148255
1900
1901         Add back a line of code I deleted by accident in my last patch due to
1902         incorrect merge.
1903
1904         Unreviewed.
1905
1906         * runtime/VM.cpp:
1907         (JSC::VM::deleteAllCode):
1908
1909 2015-08-20  Geoffrey Garen  <ggaren@apple.com>
1910
1911         forEachCodeBlock should wait for all CodeBlocks automatically
1912         https://bugs.webkit.org/show_bug.cgi?id=148255
1913
1914         Reviewed by Saam Barati.
1915
1916         Previously, all clients needed to wait manually before calling
1917         forEachCodeBlock. That's easy to get wrong, and at least one place
1918         got it wrong. Let's do this automatically instead.
1919
1920         * debugger/Debugger.cpp:
1921         (JSC::Debugger::Debugger):
1922         (JSC::Debugger::setSteppingMode):
1923         (JSC::Debugger::toggleBreakpoint): No need to wait manually;
1924         forEachCodeBlock will do it automatically now.
1925
1926         (JSC::Debugger::recompileAllJSFunctions): We still need to wait manually
1927         here because this is an iteration of the heap, which does not wait
1928         automatically. Use the new helper function for waiting.
1929
1930         (JSC::Debugger::clearBreakpoints):
1931         (JSC::Debugger::clearDebuggerRequests):
1932         (JSC::Debugger::setBreakpointsActivated):
1933         (JSC::Debugger::forEachCodeBlock): Deleted. No need to wait manually.
1934
1935         * debugger/Debugger.h:
1936
1937         * dfg/DFGWorklist.cpp:
1938         (JSC::DFG::completeAllPlansForVM):
1939         * dfg/DFGWorklist.h:
1940         (JSC::DFG::completeAllPlansForVM): Added a helper function that replaces
1941         vm.prepareToDeleteCode. This new function is clearer because we need
1942         to call it sometimes even if we are not going to delete code.
1943
1944         * heap/HeapInlines.h:
1945         (JSC::Heap::forEachCodeBlock): Moved.
1946
1947         * inspector/agents/InspectorRuntimeAgent.cpp:
1948         (Inspector::recompileAllJSFunctionsForTypeProfiling): Use the new helper
1949         function.
1950
1951         * runtime/JSCInlines.h:
1952         (JSC::Heap::forEachCodeBlock): Do the waiting automatically.
1953
1954         * runtime/VM.cpp:
1955         (JSC::VM::stopSampling):
1956         (JSC::VM::deleteAllCode):
1957         (JSC::VM::setEnabledProfiler):
1958         (JSC::VM::prepareToDeleteCode): Deleted.
1959         * runtime/VM.h: No need to wait manually.
1960
1961 2015-08-20  Commit Queue  <commit-queue@webkit.org>
1962
1963         Unreviewed, rolling out r188675.
1964         https://bugs.webkit.org/show_bug.cgi?id=148244
1965
1966         "caused a 17% Mac PLT regression" (Requested by ggaren on
1967         #webkit).
1968
1969         Reverted changeset:
1970
1971         "clearCode() should clear code"
1972         https://bugs.webkit.org/show_bug.cgi?id=148203
1973         http://trac.webkit.org/changeset/188675
1974
1975 2015-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1976
1977         Introduce put_by_id like IC into put_by_val when the given name is String or Symbol
1978         https://bugs.webkit.org/show_bug.cgi?id=147760
1979
1980         Reviewed by Filip Pizlo.
1981
1982         This patch adds a put_by_id IC to put_by_val by caching the one candidate id;
1983         it is the same thing as the get_by_val IC extension.
1984         It will encourage the use of ES6 Symbols and ES6 computed properties in the object literals.
1985
1986         In this patch, we leverage the existing CheckIdent and PutById / PutByVal in DFG,
1987         so this patch does not change FTL because the above operations are already supported in FTL.
1988
1989         And this patch also includes refactoring to leverage byValInfo->slowPathCount in the cached Id path.
1990
1991         Performance results report there's no regression in the existing tests. And in the synthetic
1992         benchmarks created by modifying put-by-id to put-by-val, we can see significant performance
1993         improvements up to 13.9x.
1994
1995         * bytecode/PutByIdStatus.cpp:
1996         (JSC::PutByIdStatus::computeForStubInfo):
1997         * bytecode/PutByIdStatus.h:
1998         * dfg/DFGByteCodeParser.cpp:
1999         (JSC::DFG::ByteCodeParser::parseBlock):
2000         * jit/JIT.h:
2001         (JSC::JIT::compilePutByValWithCachedId):
2002         * jit/JITOperations.cpp:
2003         (JSC::getByVal):
2004         (JSC::tryGetByValOptimize):
2005         * jit/JITOperations.h:
2006         * jit/JITPropertyAccess.cpp:
2007         (JSC::JIT::emitGetByValWithCachedId):
2008         (JSC::JIT::emit_op_put_by_val):
2009         (JSC::JIT::emitPutByValWithCachedId):
2010         (JSC::JIT::emitSlow_op_put_by_val):
2011         (JSC::JIT::emitIdentifierCheck):
2012         (JSC::JIT::privateCompilePutByValWithCachedId):
2013         * jit/JITPropertyAccess32_64.cpp:
2014         (JSC::JIT::emitGetByValWithCachedId):
2015         (JSC::JIT::emit_op_put_by_val):
2016         (JSC::JIT::emitPutByValWithCachedId):
2017         (JSC::JIT::emitSlow_op_put_by_val):
2018         * tests/stress/put-by-val-with-string-break.js: Added.
2019         (shouldBe):
2020         (assign):
2021         * tests/stress/put-by-val-with-string-generated.js: Added.
2022         (shouldBe):
2023         (gen1):
2024         (gen2):
2025         (assign):
2026         * tests/stress/put-by-val-with-string-generic.js: Added.
2027         (shouldBe):
2028         (assign):
2029         * tests/stress/put-by-val-with-symbol-break.js: Added.
2030         (shouldBe):
2031         (assign):
2032         * tests/stress/put-by-val-with-symbol-generic.js: Added.
2033         (shouldBe):
2034         (assign):
2035
2036 2015-08-20  Alex Christensen  <achristensen@webkit.org>
2037
2038         Clean up CMake build after r188673
2039         https://bugs.webkit.org/show_bug.cgi?id=148234
2040
2041         Reviewed by Tim Horton.
2042
2043         * shell/PlatformWin.cmake:
2044         Define WIN_CAIRO so the WinCairo jsc.exe can find the correct dlls.
2045
2046 2015-08-20  Mark Lam  <mark.lam@apple.com>
2047
2048         A watchdog test is failing on Windows.
2049         https://bugs.webkit.org/show_bug.cgi?id=148228
2050
2051         Reviewed by Brent Fulgham.
2052
2053         The test just needed a little more time because Windows' timer resolution is low.
2054         After increasing the test deadlines, the test started passing.
2055
2056         * API/tests/ExecutionTimeLimitTest.cpp:
2057         (testExecutionTimeLimit):
2058
2059 2015-08-20  Mark Lam  <mark.lam@apple.com>
2060
2061         Fixed some warnings on Windows.
2062         https://bugs.webkit.org/show_bug.cgi?id=148224
2063
2064         Reviewed by Brent Fulgham.
2065
2066         The Windows build was complaining that function params were hiding a global variable.
2067         Since the function params were unused, I resolved this by removing the param names.
2068
2069         * API/tests/ExecutionTimeLimitTest.cpp:
2070         (currentCPUTimeAsJSFunctionCallback):
2071         (shouldTerminateCallback):
2072         (cancelTerminateCallback):
2073         (extendTerminateCallback):
2074
2075 2015-08-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2076
2077         Add InternalPromise to use Promises safely in the internals
2078         https://bugs.webkit.org/show_bug.cgi?id=148136
2079
2080         Reviewed by Saam Barati.
2081
2082         This patch implements InternalPromise.
2083         It is a completely different instance set (constructor, prototype, instance)
2084         but it has the same features as the Promise.
2085
2086         In the Promise operations, when resolving the promise with the returned promise
2087         from the fulfill handler, we need to look up "then" method.
2088
2089         e.g.
2090             var p3 = p1.then(function handler(...) {
2091                 return p2;
2092             });
2093
2094         When handler is executed, we retrieve the returned `p2` promise. And to resolve
2095         the returned promise by "then" method (that is `p3`), we construct the chain by executing
2096         `p2.then(resolving function for p3)`. So if the user modifies the Promise.prototype.then,
2097         we can observe the internal operations.
2098
2099         By using InternalPromise, we completely hide InternalPromise.prototype from the users.
2100         It allows JSC to use Promises internally; even if the user modifies / overrides
2101         the Promise.prototype.then function, it does not affect InternalPromise.
2102
2103         One limitation is that the implementation needs to take care not to leak the InternalPromise instance
2104         to the user space.
2105
2106         * CMakeLists.txt:
2107         * DerivedSources.make:
2108         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2109         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2110         * JavaScriptCore.xcodeproj/project.pbxproj:
2111         * builtins/InternalPromiseConstructor.js: Added.
2112         (internalAll.newResolveElement):
2113         (internalAll):
2114         * builtins/Operations.Promise.js:
2115         (newPromiseDeferred): Deleted.
2116         * builtins/PromiseConstructor.js:
2117         (privateAll.newResolveElement): Deleted.
2118         (privateAll): Deleted.
2119         * runtime/CommonIdentifiers.h:
2120         * runtime/JSGlobalObject.cpp:
2121         (JSC::JSGlobalObject::init):
2122         (JSC::JSGlobalObject::visitChildren):
2123         * runtime/JSGlobalObject.h:
2124         (JSC::JSGlobalObject::promiseConstructor):
2125         (JSC::JSGlobalObject::internalPromiseConstructor):
2126         (JSC::JSGlobalObject::newPromiseCapabilityFunction):
2127         (JSC::JSGlobalObject::newPromiseDeferredFunction): Deleted.
2128         * runtime/JSInternalPromise.cpp: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.h.
2129         (JSC::JSInternalPromise::create):
2130         (JSC::JSInternalPromise::createStructure):
2131         (JSC::JSInternalPromise::JSInternalPromise):
2132         * runtime/JSInternalPromise.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
2133         * runtime/JSInternalPromiseConstructor.cpp: Added.
2134         (JSC::JSInternalPromiseConstructor::create):
2135         (JSC::JSInternalPromiseConstructor::createStructure):
2136         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
2137         (JSC::constructPromise):
2138         (JSC::JSInternalPromiseConstructor::getConstructData):
2139         (JSC::JSInternalPromiseConstructor::getCallData):
2140         (JSC::JSInternalPromiseConstructor::getOwnPropertySlot):
2141         * runtime/JSInternalPromiseConstructor.h: Copied from Source/JavaScriptCore/runtime/JSPromiseConstructor.h.
2142         * runtime/JSInternalPromiseDeferred.cpp: Added.
2143         (JSC::JSInternalPromiseDeferred::create):
2144         (JSC::JSInternalPromiseDeferred::JSInternalPromiseDeferred):
2145         (JSC::JSInternalPromiseDeferred::promise):
2146         * runtime/JSInternalPromiseDeferred.h: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.h.
2147         * runtime/JSInternalPromisePrototype.cpp: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.cpp.
2148         (JSC::JSInternalPromisePrototype::create):
2149         (JSC::JSInternalPromisePrototype::createStructure):
2150         (JSC::JSInternalPromisePrototype::JSInternalPromisePrototype):
2151         * runtime/JSInternalPromisePrototype.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
2152         * runtime/JSPromise.cpp:
2153         (JSC::JSPromise::create):
2154         (JSC::JSPromise::JSPromise):
2155         (JSC::JSPromise::initialize):
2156         * runtime/JSPromise.h:
2157         * runtime/JSPromiseConstructor.cpp:
2158         (JSC::JSPromiseConstructor::JSPromiseConstructor):
2159         (JSC::constructPromise):
2160         (JSC::JSPromiseConstructor::getOwnPropertySlot):
2161         (JSC::JSPromiseConstructor::finishCreation): Deleted.
2162         * runtime/JSPromiseConstructor.h:
2163         * runtime/JSPromiseDeferred.cpp:
2164         (JSC::newPromiseCapability):
2165         (JSC::JSPromiseDeferred::create):
2166         (JSC::JSPromiseDeferred::JSPromiseDeferred):
2167         * runtime/JSPromiseDeferred.h:
2168         * runtime/JSPromisePrototype.cpp:
2169         (JSC::JSPromisePrototype::getOwnPropertySlot):
2170         * runtime/JSPromisePrototype.h:
2171         * runtime/VM.cpp:
2172         (JSC::VM::VM):
2173         * runtime/VM.h:
2174
2175 2015-08-19  Filip Pizlo  <fpizlo@apple.com>
2176
2177         Remove WTF::SpinLock
2178         https://bugs.webkit.org/show_bug.cgi?id=148208
2179
2180         Reviewed by Geoffrey Garen.
2181
2182         Remove the one remaining use of SpinLock.
2183
2184         * API/JSValue.mm:
2185         (handerForStructTag):
2186
2187 2015-08-19  Geoffrey Garen  <ggaren@apple.com>
2188
2189         clearCode() should clear code
2190         https://bugs.webkit.org/show_bug.cgi?id=148203
2191
2192         Reviewed by Saam Barati.
2193
2194         Clearing code used to require two steps: clearCode() and
2195         clearUnlinkedCodeForRecompilation(). Unsurprisingly, clients sometimes
2196         did one or the other or both without much rhyme or reason.
2197
2198         This patch simplifies things by merging both functions into clearCode().
2199
2200         * bytecode/UnlinkedFunctionExecutable.h:
2201         * debugger/Debugger.cpp:
2202         * heap/Heap.cpp:
2203         (JSC::Heap::deleteAllCompiledCode):
2204         (JSC::Heap::clearUnmarkedExecutables):
2205         (JSC::Heap::deleteAllUnlinkedFunctionCode): Deleted. No need for this
2206         function anymore since it was only used by clients who already called
2207         clearCode() (and it would be terribly wrong to use without doing both.)
2208
2209         * heap/Heap.h:
2210         (JSC::Heap::sizeAfterLastFullCollection):
2211         * inspector/agents/InspectorRuntimeAgent.cpp:
2212         (Inspector::TypeRecompiler::visit):
2213         (Inspector::TypeRecompiler::operator()):
2214         * runtime/Executable.cpp:
2215         (JSC::FunctionExecutable::visitChildren):
2216         (JSC::FunctionExecutable::clearCode):
2217         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation): Deleted.
2218         * runtime/Executable.h:
2219         * runtime/VM.cpp:
2220         (JSC::VM::deleteAllCode):
2221
2222 2015-08-19  Alex Christensen  <achristensen@webkit.org>
2223
2224         CMake Windows build should not include files directly from other Source directories
2225         https://bugs.webkit.org/show_bug.cgi?id=148198
2226
2227         Reviewed by Brent Fulgham.
2228
2229         * CMakeLists.txt:
2230         JavaScriptCore_FORWARDING_HEADERS_FILES is no longer necessary because all the headers
2231         that used to be in it are now in JavaScriptCore_FORWARDING_HEADERS_DIRECTORIES.
2232         * PlatformEfl.cmake:
2233         * PlatformGTK.cmake:
2234         * PlatformMac.cmake:
2235         * PlatformWin.cmake:
2236
2237 2015-08-19  Eric Carlson  <eric.carlson@apple.com>
2238
2239         Remove ENABLE_WEBVTT_REGIONS
2240         https://bugs.webkit.org/show_bug.cgi?id=148184
2241
2242         Reviewed by Jer Noble.
2243
2244         * Configurations/FeatureDefines.xcconfig: Remove ENABLE_WEBVTT_REGIONS.
2245
2246 2015-08-19  Joseph Pecoraro  <pecoraro@apple.com>
2247
2248         Web Inspector: Unexpected node preview format for an element with newlines in className attribute
2249         https://bugs.webkit.org/show_bug.cgi?id=148192
2250
2251         Reviewed by Brian Burg.
2252
2253         * inspector/InjectedScriptSource.js:
2254         (InjectedScript.prototype._nodePreview):
2255         Replace whitespace blocks with single spaces to produce a simpler class string for previews.
2256
2257 2015-08-19  Mark Lam  <mark.lam@apple.com>
2258
2259         Add support for CheckWatchdogTimer as slow path in DFG and FTL.
2260         https://bugs.webkit.org/show_bug.cgi?id=147968
2261
2262         Reviewed by Michael Saboff.
2263
2264         Re-implement the DFG's CheckWatchdogTimer as a slow path instead of a speculation
2265         check.  Since the watchdog timer can fire spuriously, this allows the code to
2266         stay optimized if all we have are spurious fires.
2267
2268         Implement the equivalent slow path for CheckWatchdogTimer in the FTL. 
2269
2270         The watchdog tests in ExecutionTimeLimitTest.cpp have already been updated in
2271         https://bugs.webkit.org/show_bug.cgi?id=148125 to test for the FTL's watchdog
2272         implementation.
2273
2274         * dfg/DFGSpeculativeJIT32_64.cpp:
2275         (JSC::DFG::SpeculativeJIT::compile):
2276         * dfg/DFGSpeculativeJIT64.cpp:
2277         (JSC::DFG::SpeculativeJIT::compile):
2278         * ftl/FTLCapabilities.cpp:
2279         (JSC::FTL::canCompile):
2280         * ftl/FTLLowerDFGToLLVM.cpp:
2281         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2282         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
2283         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckWatchdogTimer):
2284         (JSC::FTL::DFG::LowerDFGToLLVM::isInlinableSize):
2285
2286         * jit/JIT.h:
2287         * jit/JITInlines.h:
2288         (JSC::JIT::callOperation):
2289         * jit/JITOperations.cpp:
2290         * jit/JITOperations.h:
2291         - Changed operationHandleWatchdogTimer() to return an unused nullptr.  This
2292           allows me to reuse the existing DFG slow path generator mechanism.  I didn't
2293           think that operationHandleWatchdogTimer() was worth introducing a whole new set
2294           of machinery just so we can have a slow path that returns void.
2295
2296 2015-08-19  Mark Lam  <mark.lam@apple.com>
2297
2298         Add ability to save and restore JSC options.
2299         https://bugs.webkit.org/show_bug.cgi?id=148125
2300
2301         Reviewed by Saam Barati.
2302
2303         * API/tests/ExecutionTimeLimitTest.cpp:
2304         (testExecutionTimeLimit):
2305         - Employ the new options getter/setter to run watchdog tests for each of the
2306           execution engine tiers.
2307         - Also altered the test scripts to be in a function instead of global code.
2308           This is one of 2 changes needed to give them an opportunity to be FTL compiled.
2309           The other is to add support for compiling CheckWatchdogTimer in the FTL (which
2310           will be addressed in a separate patch).
2311
2312         * jsc.cpp:
2313         (CommandLine::parseArguments):
2314         * runtime/Options.cpp:
2315         (JSC::parse):
2316         - Add the ability to clear a string option with a nullptr value.
2317           This is needed to restore a default string option value which may be null.
2318
2319         (JSC::OptionRange::init):
2320         - Add the ability to clear a range option with a null value.
2321           This is needed to restore a default range option value which may be null.
2322
2323         (JSC::Options::initialize):
2324         (JSC::Options::dumpOptionsIfNeeded):
2325         - Factor code to dump options out to dumpOptionsIfNeeded() since we will need
2326           that logic elsewhere.
2327
2328         (JSC::Options::setOptions):
2329         - Parse an options string and set each of the specified options.
2330
2331         (JSC::Options::dumpAllOptions):
2332         (JSC::Options::dumpAllOptionsInALine):
2333         (JSC::Options::dumpOption):
2334         (JSC::Option::dump):
2335         - Refactored so that the underlying dumper dumps to a StringBuilder instead of
2336           stderr.  This lets us reuse this code to serialize all the options into a
2337           single string for dumpAllOptionsInALine().
2338
2339         * runtime/Options.h:
2340         (JSC::OptionRange::rangeString):
2341
2342 2015-08-18  Filip Pizlo  <fpizlo@apple.com>
2343
2344         Replace all uses of std::mutex/std::condition_variable with WTF::Lock/WTF::Condition
2345         https://bugs.webkit.org/show_bug.cgi?id=148140
2346
2347         Reviewed by Geoffrey Garen.
2348
2349         * inspector/remote/RemoteInspector.h:
2350         * inspector/remote/RemoteInspector.mm:
2351         (Inspector::RemoteInspector::registerDebuggable):
2352         (Inspector::RemoteInspector::unregisterDebuggable):
2353         (Inspector::RemoteInspector::updateDebuggable):
2354         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
2355         (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
2356         (Inspector::RemoteInspector::setupFailed):
2357         (Inspector::RemoteInspector::setupCompleted):
2358         (Inspector::RemoteInspector::start):
2359         (Inspector::RemoteInspector::stop):
2360         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2361         (Inspector::RemoteInspector::setParentProcessInformation):
2362         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2363         (Inspector::RemoteInspector::xpcConnectionFailed):
2364         (Inspector::RemoteInspector::pushListingSoon):
2365         (Inspector::RemoteInspector::receivedIndicateMessage):
2366         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2367         * inspector/remote/RemoteInspectorXPCConnection.h:
2368         * inspector/remote/RemoteInspectorXPCConnection.mm:
2369         (Inspector::RemoteInspectorXPCConnection::close):
2370         (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
2371         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
2372         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2373
2374 2015-08-18  Joseph Pecoraro  <pecoraro@apple.com>
2375
2376         Web Inspector: Links for rules in <style> are incorrect, do not account for <style> offset in the document
2377         https://bugs.webkit.org/show_bug.cgi?id=148141
2378
2379         Reviewed by Brian Burg.
2380
2381         * inspector/protocol/CSS.json:
2382         Extend StyleSheetHeader to include start offset information and a bit
2383         for whether or not this was an inline style tag created by the parser.
2384         These match additions to Blink's protocol.
2385
2386 2015-08-18  Benjamin Poulain  <bpoulain@apple.com>
2387
2388         [JSC] Optimize more cases of something-compared-to-null/undefined
2389         https://bugs.webkit.org/show_bug.cgi?id=148157
2390
2391         Reviewed by Geoffrey Garen and Filip Pizlo.
2392
2393         CompareEq is fairly trivial if you assert one of the operands is either
2394         null or undefined. Under those conditions, the only way to have "true"
2395         is to have the other operand be null/undefined or have an object
2396         that masquerades as undefined.
2397
2398         JSC already had a fast path in CompareEqConstant.
2399         With this patch, I generalize this fast path to more cases and try
2400         to eliminate the checks whenever possible.
2401
2402         CompareEq now does the job of CompareEqConstant. If any operand can
2403         be proved to be undefined/other, its edge is set to OtherUse. Whenever
2404         any edge is OtherUse, we generate the fast code we had for CompareEqConstant.
2405
2406         The AbstractInterpreter has additional checks to reduce the node to a constant
2407         whenever possible.
2408
2409         There are two additional changes in this patch:
2410         -The Fixup Phase tries to set edges to OtherUse early. This is done correctly
2411          in ConstantFoldingPhase but setting it up early helps the phases relying
2412          on Clobberize.
2413         -The codegen for CompareEqConstant was improved. The reason is the comparison
2414          for ObjectOrOther could be faster just because the codegen was better.
2415
2416         * dfg/DFGAbstractInterpreterInlines.h:
2417         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2418         * dfg/DFGByteCodeParser.cpp:
2419         (JSC::DFG::ByteCodeParser::parseBlock):
2420         * dfg/DFGClobberize.h:
2421         (JSC::DFG::clobberize): Deleted.
2422         * dfg/DFGConstantFoldingPhase.cpp:
2423         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2424         * dfg/DFGDoesGC.cpp:
2425         (JSC::DFG::doesGC): Deleted.
2426         * dfg/DFGFixupPhase.cpp:
2427         (JSC::DFG::FixupPhase::fixupNode):
2428         * dfg/DFGNode.h:
2429         (JSC::DFG::Node::isUndefinedOrNullConstant):
2430         * dfg/DFGNodeType.h:
2431         * dfg/DFGPredictionPropagationPhase.cpp:
2432         (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
2433         * dfg/DFGSafeToExecute.h:
2434         (JSC::DFG::safeToExecute): Deleted.
2435         * dfg/DFGSpeculativeJIT.cpp:
2436         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2437         (JSC::DFG::SpeculativeJIT::compare):
2438         * dfg/DFGSpeculativeJIT.h:
2439         (JSC::DFG::SpeculativeJIT::isKnownNotOther):
2440         * dfg/DFGSpeculativeJIT32_64.cpp:
2441         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2442         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2443         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): Deleted.
2444         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): Deleted.
2445         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): Deleted.
2446         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2447         * dfg/DFGSpeculativeJIT64.cpp:
2448         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2449         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2450         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): Deleted.
2451         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): Deleted.
2452         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): Deleted.
2453         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2454         * dfg/DFGValidate.cpp:
2455         (JSC::DFG::Validate::validate): Deleted.
2456         * dfg/DFGWatchpointCollectionPhase.cpp:
2457         (JSC::DFG::WatchpointCollectionPhase::handle):
2458         * ftl/FTLCapabilities.cpp:
2459         (JSC::FTL::canCompile):
2460         * ftl/FTLLowerDFGToLLVM.cpp:
2461         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
2462         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
2463         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEqConstant): Deleted.
2464         * tests/stress/compare-eq-on-null-and-undefined-non-peephole.js: Added.
2465         (string_appeared_here.useForMath):
2466         (testUseForMath):
2467         * tests/stress/compare-eq-on-null-and-undefined-optimized-in-constant-folding.js: Added.
2468         (string_appeared_here.unreachableCodeTest):
2469         (inlinedCompareToNull):
2470         (inlinedComparedToUndefined):
2471         (warmupInlineFunctions):
2472         (testInlineFunctions):
2473         * tests/stress/compare-eq-on-null-and-undefined.js: Added.
2474         (string_appeared_here.compareConstants):
2475         (opaqueNull):
2476         (opaqueUndefined):
2477         (compareConstantsAndDynamicValues):
2478         (compareDynamicValues):
2479         (compareDynamicValueToItself):
2480         (arrayTesting):
2481         (opaqueCompare1):
2482         (testNullComparatorUpdate):
2483         (opaqueCompare2):
2484         (testUndefinedComparatorUpdate):
2485         (opaqueCompare3):
2486         (testNullAndUndefinedComparatorUpdate):
2487
2488 2015-08-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2489
2490         Introduce non-user-observable Promise functions to use Promises internally
2491         https://bugs.webkit.org/show_bug.cgi?id=148118
2492
2493         Reviewed by Saam Barati.
2494
2495         To leverage the Promises internally (like ES6 Module Loaders), we add
2496         several non-user-observable private methods, like @then, @all. And
2497         refactor the existing Promises implementation to make it easy to use
2498         internally.
2499
2500         But still the trappable part remains. When resolving the promise with
2501         the returned value, we look up the "then" function. So users can trap
2502         by replacing "then" function of the Promise's prototype.
2503         To avoid this situation, we'll introduce completely different promise
2504         instances called InternalPromise in the subsequent patch[1].
2505
2506         No behavior change.
2507
2508         [1]: https://bugs.webkit.org/show_bug.cgi?id=148136
2509
2510         * builtins/PromiseConstructor.js:
2511         (privateAll.newResolveElement):
2512         (privateAll):
2513         * runtime/JSGlobalObject.cpp:
2514         (JSC::JSGlobalObject::init):
2515         (JSC::JSGlobalObject::visitChildren): Deleted.
2516         * runtime/JSGlobalObject.h:
2517         (JSC::JSGlobalObject::promiseConstructor): Deleted.
2518         (JSC::JSGlobalObject::promisePrototype): Deleted.
2519         (JSC::JSGlobalObject::promiseStructure): Deleted.
2520         * runtime/JSPromiseConstructor.cpp:
2521         (JSC::JSPromiseConstructor::finishCreation):
2522         * runtime/JSPromiseDeferred.cpp:
2523         (JSC::callFunction):
2524         (JSC::JSPromiseDeferred::resolve):
2525         (JSC::JSPromiseDeferred::reject):
2526         * runtime/JSPromiseDeferred.h:
2527         * runtime/JSPromisePrototype.cpp:
2528         (JSC::JSPromisePrototype::create):
2529         (JSC::JSPromisePrototype::JSPromisePrototype):
2530         * runtime/JSPromisePrototype.h:
2531
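The "trappable part" described in the entry above, as an added example that is not code from the WebKit patch: it counts the dynamic "then" lookups that resolving a promise with another promise performs, and adds an integrity check a defender can run on Promise.prototype.then. All names are assumptions of this example.

```javascript
'use strict';
// Added example, not code from the WebKit patch. It demonstrates the
// "trappable part" the entry describes: resolving a promise with another
// promise performs a dynamic lookup of that value's "then" property, so a
// script that redefines Promise.prototype.then observes resolutions that
// library code meant to keep internal. The lookup is synchronous (only the
// call of "then" is queued as a job), which is why the counter below can be
// read without awaiting anything.

const nativeThen = Promise.prototype.then; // captured before any override

// Run `work` while Promise.prototype.then is an accessor that counts every
// lookup, then restore the original data property. Returns the count.
function countThenLookups(work) {
  let lookups = 0;
  Object.defineProperty(Promise.prototype, 'then', {
    configurable: true,
    get() { lookups += 1; return nativeThen; },
  });
  try {
    work();
  } finally {
    Object.defineProperty(Promise.prototype, 'then', {
      configurable: true, writable: true, value: nativeThen,
    });
  }
  return lookups;
}

// Resolving a promise with a promise: the resolve function performs
// Get(resolution, "then"), which goes through the accessor above.
function resolveWithPromise() {
  const inner = Promise.resolve(1);
  new Promise((resolve) => resolve(inner));
}

// Resolving with a plain value: not an object, so no "then" lookup at all.
function resolveWithValue() {
  new Promise((resolve) => resolve(1));
}

// Integrity check a defender can run before trusting the promise machinery:
// true only while Promise.prototype.then is still the original data property.
function promiseThenIsIntact() {
  const desc = Object.getOwnPropertyDescriptor(Promise.prototype, 'then');
  return desc !== undefined && 'value' in desc && desc.value === nativeThen;
}
```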
2532 2015-08-18  Geoffrey Garen  <ggaren@apple.com>
2533
2534         Try to fix the CLOOP build.
2535
2536         Unreviewed.
2537
2538         * bytecode/CodeBlock.cpp:
2539
2540 2015-08-18  Geoffrey Garen  <ggaren@apple.com>
2541
2542         Split InlineCallFrame into its own file
2543         https://bugs.webkit.org/show_bug.cgi?id=148131
2544
2545         Reviewed by Saam Barati.
2546
2547         * CMakeLists.txt:
2548         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2549         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2550         * JavaScriptCore.xcodeproj/project.pbxproj:
2551         * bytecode/CallLinkStatus.cpp:
2552         * bytecode/CodeBlock.h:
2553         (JSC::ExecState::r):
2554         (JSC::baselineCodeBlockForInlineCallFrame): Deleted.
2555         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock): Deleted.
2556         * bytecode/CodeOrigin.cpp:
2557         (JSC::CodeOrigin::inlineStack):
2558         (JSC::CodeOrigin::codeOriginOwner):
2559         (JSC::CodeOrigin::stackOffset):
2560         (JSC::CodeOrigin::dump):
2561         (JSC::CodeOrigin::dumpInContext):
2562         (JSC::InlineCallFrame::calleeConstant): Deleted.
2563         (JSC::InlineCallFrame::visitAggregate): Deleted.
2564         (JSC::InlineCallFrame::calleeForCallFrame): Deleted.
2565         (JSC::InlineCallFrame::hash): Deleted.
2566         (JSC::InlineCallFrame::hashAsStringIfPossible): Deleted.
2567         (JSC::InlineCallFrame::inferredName): Deleted.
2568         (JSC::InlineCallFrame::baselineCodeBlock): Deleted.
2569         (JSC::InlineCallFrame::dumpBriefFunctionInformation): Deleted.
2570         (JSC::InlineCallFrame::dumpInContext): Deleted.
2571         (JSC::InlineCallFrame::dump): Deleted.
2572         (WTF::printInternal): Deleted.
2573         * bytecode/CodeOrigin.h:
2574         (JSC::CodeOrigin::deletedMarker):
2575         (JSC::CodeOrigin::hash):
2576         (JSC::CodeOrigin::operator==):
2577         (JSC::CodeOriginHash::hash):
2578         (JSC::CodeOriginHash::equal):
2579         (JSC::InlineCallFrame::kindFor): Deleted.
2580         (JSC::InlineCallFrame::varargsKindFor): Deleted.
2581         (JSC::InlineCallFrame::specializationKindFor): Deleted.
2582         (JSC::InlineCallFrame::isVarargs): Deleted.
2583         (JSC::InlineCallFrame::InlineCallFrame): Deleted.
2584         (JSC::InlineCallFrame::specializationKind): Deleted.
2585         (JSC::InlineCallFrame::setStackOffset): Deleted.
2586         (JSC::InlineCallFrame::callerFrameOffset): Deleted.
2587         (JSC::InlineCallFrame::returnPCOffset): Deleted.
2588         (JSC::CodeOrigin::stackOffset): Deleted.
2589         (JSC::CodeOrigin::codeOriginOwner): Deleted.
2590         * bytecode/InlineCallFrame.cpp: Copied from Source/JavaScriptCore/bytecode/CodeOrigin.cpp.
2591         (JSC::InlineCallFrame::calleeConstant):
2592         (JSC::CodeOrigin::inlineDepthForCallFrame): Deleted.
2593         (JSC::CodeOrigin::inlineDepth): Deleted.
2594         (JSC::CodeOrigin::isApproximatelyEqualTo): Deleted.
2595         (JSC::CodeOrigin::approximateHash): Deleted.
2596         (JSC::CodeOrigin::inlineStack): Deleted.
2597         (JSC::CodeOrigin::dump): Deleted.
2598         (JSC::CodeOrigin::dumpInContext): Deleted.
2599         * bytecode/InlineCallFrame.h: Copied from Source/JavaScriptCore/bytecode/CodeOrigin.h.
2600         (JSC::InlineCallFrame::isVarargs):
2601         (JSC::InlineCallFrame::InlineCallFrame):
2602         (JSC::InlineCallFrame::specializationKind):
2603         (JSC::baselineCodeBlockForInlineCallFrame):
2604         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
2605         (JSC::CodeOrigin::CodeOrigin): Deleted.
2606         (JSC::CodeOrigin::isSet): Deleted.
2607         (JSC::CodeOrigin::operator!): Deleted.
2608         (JSC::CodeOrigin::isHashTableDeletedValue): Deleted.
2609         (JSC::CodeOrigin::operator!=): Deleted.
2610         (JSC::CodeOrigin::deletedMarker): Deleted.
2611         (JSC::CodeOrigin::stackOffset): Deleted.
2612         (JSC::CodeOrigin::hash): Deleted.
2613         (JSC::CodeOrigin::operator==): Deleted.
2614         (JSC::CodeOrigin::codeOriginOwner): Deleted.
2615         (JSC::CodeOriginHash::hash): Deleted.
2616         (JSC::CodeOriginHash::equal): Deleted.
2617         (JSC::CodeOriginApproximateHash::hash): Deleted.
2618         (JSC::CodeOriginApproximateHash::equal): Deleted.
2619         * bytecode/InlineCallFrameSet.cpp:
2620         * dfg/DFGCommonData.cpp:
2621         * dfg/DFGOSRExitBase.cpp:
2622         * dfg/DFGVariableEventStream.cpp:
2623         * ftl/FTLOperations.cpp:
2624         * interpreter/CallFrame.cpp:
2625         * interpreter/StackVisitor.cpp:
2626         * jit/AssemblyHelpers.h:
2627         * profiler/ProfilerOriginStack.cpp:
2628         * runtime/ClonedArguments.cpp:
2629
2630 2015-08-18  Mark Lam  <mark.lam@apple.com>
2631
2632         Removed an unused param in Interpreter::initialize().
2633         https://bugs.webkit.org/show_bug.cgi?id=148129
2634
2635         Reviewed by Michael Saboff.
2636
2637         * interpreter/Interpreter.cpp:
2638         (JSC::Interpreter::~Interpreter):
2639         (JSC::Interpreter::initialize):
2640         * interpreter/Interpreter.h:
2641         (JSC::Interpreter::stack):
2642         * runtime/VM.cpp:
2643         (JSC::VM::VM):
2644
2645 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2646
2647         Add const to content extension parser
2648         https://bugs.webkit.org/show_bug.cgi?id=148044
2649
2650         Reviewed by Benjamin Poulain.
2651
2652         * runtime/JSObject.h:
2653         (JSC::JSObject::getIndexQuickly):
2654         (JSC::JSObject::tryGetIndexQuickly):
2655         (JSC::JSObject::getDirectIndex):
2656         (JSC::JSObject::getIndex):
2657         Added a few const keywords.
2658
2659 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2660
2661         Build Debug Suffix on Windows with CMake
2662         https://bugs.webkit.org/show_bug.cgi?id=148083
2663
2664         Reviewed by Brent Fulgham.
2665
2666         * CMakeLists.txt:
2667         * PlatformWin.cmake:
2668         * shell/CMakeLists.txt:
2669         * shell/PlatformWin.cmake:
2670         Add DEBUG_SUFFIX
2671
2672 2015-08-17  Saam barati  <sbarati@apple.com>
2673
2674         Web Inspector: Type profiler return types aren't showing up
2675         https://bugs.webkit.org/show_bug.cgi?id=147348
2676
2677         Reviewed by Brian Burg.
2678
2679         Bug #145995 changed the starting offset of a function to 
2680         be the open parenthesis of the function's parameter list.
2681         This broke JSC's type profiler protocol of communicating 
2682         return types of a function to the web inspector. This
2683         is now fixed. The text offset used in the protocol is now
2684         the first letter of the function/get/set/method name.
2685         So "f" in "function a() {}", "s" in "set foo(){}", etc.
2686
2687         * bytecode/CodeBlock.cpp:
2688         (JSC::CodeBlock::CodeBlock):
2689         * jsc.cpp:
2690         (functionReturnTypeFor):
2691
2692 2015-08-17  Aleksandr Skachkov  <gskachkov@gmail.com>
2693
2694         [ES6] Implement ES6 arrow function syntax. Arrow function specific features. Lexical bind of this
2695         https://bugs.webkit.org/show_bug.cgi?id=144956
2696
2697         Reviewed by Saam Barati.
2698
2699         Added support for the ES6 arrow function specific features: lexical binding of this and no constructor. http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax
2700         The following cases were implemented in this patch:
2701            this - the variable |this| points to the |this| of the function where the arrow function is declared (lexical binding of |this|)
2702            constructor - using the |new| operator on an arrow function leads to a runtime error
2703            call(), apply(), bind() - these methods can only pass in arguments, but have no effect on |this|
2704
2705
2706         * CMakeLists.txt:
2707         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2708         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2709         * JavaScriptCore.xcodeproj/project.pbxproj:
2710         * bytecode/BytecodeList.json:
2711         * bytecode/BytecodeUseDef.h:
2712         (JSC::computeUsesForBytecodeOffset):
2713         (JSC::computeDefsForBytecodeOffset):
2714         * bytecode/CodeBlock.cpp:
2715         (JSC::CodeBlock::dumpBytecode):
2716         * bytecode/ExecutableInfo.h:
2717         (JSC::ExecutableInfo::ExecutableInfo):
2718         (JSC::ExecutableInfo::isArrowFunction):
2719         * bytecode/UnlinkedCodeBlock.cpp:
2720         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2721         * bytecode/UnlinkedCodeBlock.h:
2722         (JSC::UnlinkedCodeBlock::isArrowFunction):
2723         * bytecode/UnlinkedFunctionExecutable.cpp:
2724         (JSC::generateFunctionCodeBlock):
2725         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2726         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2727         * bytecode/UnlinkedFunctionExecutable.h:
2728         * bytecompiler/BytecodeGenerator.cpp:
2729         (JSC::BytecodeGenerator::BytecodeGenerator):
2730         (JSC::BytecodeGenerator::emitNewFunctionCommon):
2731         (JSC::BytecodeGenerator::emitNewFunctionExpression):
2732         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
2733         (JSC::BytecodeGenerator::emitLoadArrowFunctionThis):
2734         * bytecompiler/BytecodeGenerator.h:
2735         * bytecompiler/NodesCodegen.cpp:
2736         (JSC::ArrowFuncExprNode::emitBytecode):
2737         * dfg/DFGAbstractInterpreterInlines.h:
2738         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2739         * dfg/DFGByteCodeParser.cpp:
2740         (JSC::DFG::ByteCodeParser::parseBlock):
2741         * dfg/DFGCapabilities.cpp:
2742         (JSC::DFG::capabilityLevel):
2743         * dfg/DFGClobberize.h:
2744         (JSC::DFG::clobberize):
2745         * dfg/DFGDoesGC.cpp:
2746         (JSC::DFG::doesGC):
2747         * dfg/DFGFixupPhase.cpp:
2748         (JSC::DFG::FixupPhase::fixupNode):
2749         * dfg/DFGNode.h:
2750         (JSC::DFG::Node::convertToPhantomNewFunction):
2751         (JSC::DFG::Node::hasCellOperand):
2752         (JSC::DFG::Node::isFunctionAllocation):
2753         * dfg/DFGNodeType.h:
2754         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2755         * dfg/DFGPredictionPropagationPhase.cpp:
2756         (JSC::DFG::PredictionPropagationPhase::propagate):
2757         * dfg/DFGPromotedHeapLocation.cpp:
2758         (WTF::printInternal):
2759         * dfg/DFGPromotedHeapLocation.h:
2760         * dfg/DFGSafeToExecute.h:
2761         (JSC::DFG::safeToExecute):
2762         * dfg/DFGSpeculativeJIT.cpp:
2763         (JSC::DFG::SpeculativeJIT::compileLoadArrowFunctionThis):
2764         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2765         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2766         * dfg/DFGSpeculativeJIT.h:
2767         (JSC::DFG::SpeculativeJIT::callOperation):
2768         * dfg/DFGSpeculativeJIT32_64.cpp:
2769         (JSC::DFG::SpeculativeJIT::compile):
2770         * dfg/DFGSpeculativeJIT64.cpp:
2771         (JSC::DFG::SpeculativeJIT::compile):
2772         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2773         * dfg/DFGStructureRegistrationPhase.cpp:
2774         (JSC::DFG::StructureRegistrationPhase::run):
2775         * ftl/FTLAbstractHeapRepository.cpp:
2776         * ftl/FTLAbstractHeapRepository.h:
2777         * ftl/FTLCapabilities.cpp:
2778         (JSC::FTL::canCompile):
2779         * ftl/FTLIntrinsicRepository.h:
2780         * ftl/FTLLowerDFGToLLVM.cpp:
2781         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2782         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2783         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadArrowFunctionThis):
2784         * ftl/FTLOperations.cpp:
2785         (JSC::FTL::operationMaterializeObjectInOSR):
2786         * interpreter/Interpreter.cpp:
2787         * interpreter/Interpreter.h:
2788         * jit/CCallHelpers.h:
2789         (JSC::CCallHelpers::setupArgumentsWithExecState): Added 3 arguments version for windows build.
2790         * jit/JIT.cpp:
2791         (JSC::JIT::privateCompileMainPass):
2792         * jit/JIT.h:
2793         * jit/JITInlines.h:
2794         (JSC::JIT::callOperation):
2795         * jit/JITOpcodes.cpp:
2796         (JSC::JIT::emit_op_load_arrowfunction_this):
2797         (JSC::JIT::emit_op_new_func_exp):
2798         (JSC::JIT::emitNewFuncExprCommon):
2799         (JSC::JIT::emit_op_new_arrow_func_exp):
2800         * jit/JITOpcodes32_64.cpp:
2801         (JSC::JIT::emit_op_load_arrowfunction_this):
2802         * jit/JITOperations.cpp:
2803         * jit/JITOperations.h:
2804         * llint/LLIntOffsetsExtractor.cpp:
2805         * llint/LLIntSlowPaths.cpp:
2806         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2807         (JSC::LLInt::setUpCall):
2808         * llint/LLIntSlowPaths.h:
2809         * llint/LowLevelInterpreter.asm:
2810         * llint/LowLevelInterpreter32_64.asm:
2811         * llint/LowLevelInterpreter64.asm:
2812         * parser/ASTBuilder.h:
2813         (JSC::ASTBuilder::createFunctionMetadata):
2814         (JSC::ASTBuilder::createArrowFunctionExpr):
2815         * parser/NodeConstructors.h:
2816         (JSC::BaseFuncExprNode::BaseFuncExprNode):
2817         (JSC::FuncExprNode::FuncExprNode):
2818         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
2819         * parser/Nodes.cpp:
2820         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2821         * parser/Nodes.h:
2822         (JSC::ExpressionNode::isArrowFuncExprNode):
2823         * parser/Parser.cpp:
2824         (JSC::Parser<LexerType>::parseFunctionBody):
2825         (JSC::Parser<LexerType>::parseFunctionInfo):
2826         * parser/SyntaxChecker.h:
2827         (JSC::SyntaxChecker::createFunctionMetadata):
2828         * runtime/Executable.cpp:
2829         (JSC::ScriptExecutable::newCodeBlockFor):
2830         * runtime/Executable.h:
2831         * runtime/JSArrowFunction.cpp: Added.
2832         (JSC::JSArrowFunction::destroy):
2833         (JSC::JSArrowFunction::create):
2834         (JSC::JSArrowFunction::JSArrowFunction):
2835         (JSC::JSArrowFunction::createWithInvalidatedReallocationWatchpoint):
2836         (JSC::JSArrowFunction::visitChildren):
2837         (JSC::JSArrowFunction::getConstructData):
2838         * runtime/JSArrowFunction.h: Added.
2839         (JSC::JSArrowFunction::allocationSize):
2840         (JSC::JSArrowFunction::createImpl):
2841         (JSC::JSArrowFunction::boundThis):
2842         (JSC::JSArrowFunction::createStructure):
2843         (JSC::JSArrowFunction::offsetOfThisValue):
2844         * runtime/JSFunction.h:
2845         * runtime/JSFunctionInlines.h:
2846         (JSC::JSFunction::JSFunction):
2847         * runtime/JSGlobalObject.cpp:
2848         (JSC::JSGlobalObject::init):
2849         (JSC::JSGlobalObject::visitChildren):
2850         * runtime/JSGlobalObject.h:
2851         (JSC::JSGlobalObject::arrowFunctionStructure):
2852         * tests/stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js: Added.
2853         * tests/stress/arrowfunction-activation-sink-osrexit-default-value.js: Added.
2854         * tests/stress/arrowfunction-activation-sink-osrexit.js: Added.
2855         * tests/stress/arrowfunction-activation-sink.js: Added.
2856         * tests/stress/arrowfunction-bound.js: Added.
2857         * tests/stress/arrowfunction-call.js: Added.
2858         * tests/stress/arrowfunction-constructor.js: Added.
2859         * tests/stress/arrowfunction-lexical-bind-this-1.js: Added.
2860         * tests/stress/arrowfunction-lexical-bind-this-2.js: Added.
2861         * tests/stress/arrowfunction-lexical-bind-this-3.js: Added.
2862         * tests/stress/arrowfunction-lexical-bind-this-4.js: Added.
2863         * tests/stress/arrowfunction-lexical-bind-this-5.js: Added.
2864         * tests/stress/arrowfunction-lexical-bind-this-6.js: Added.
2865         * tests/stress/arrowfunction-lexical-this-activation-sink-osrexit.js: Added.
2866         * tests/stress/arrowfunction-lexical-this-activation-sink.js: Added.
2867         * tests/stress/arrowfunction-lexical-this-sinking-no-double-allocate.js: Added.
2868         * tests/stress/arrowfunction-lexical-this-sinking-osrexit.js: Added.
2869         * tests/stress/arrowfunction-lexical-this-sinking-put.js: Added.
2870         * tests/stress/arrowfunction-others.js: Added.
2871         * tests/stress/arrowfunction-run-10-1.js: Added.
2872         * tests/stress/arrowfunction-run-10-2.js: Added.
2873         * tests/stress/arrowfunction-run-10000-1.js: Added.
2874         * tests/stress/arrowfunction-run-10000-2.js: Added.
2875         * tests/stress/arrowfunction-sinking-no-double-allocate.js: Added.
2876         * tests/stress/arrowfunction-sinking-osrexit.js: Added.
2877         * tests/stress/arrowfunction-sinking-put.js: Added.
2878         * tests/stress/arrowfunction-tdz.js: Added.
2879         * tests/stress/arrowfunction-typeof.js: Added.
2880
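The three arrow function behaviours listed in the entry above, checked in an added example that is not code from the WebKit patch or its stress tests; the class and helper names are assumptions of this example.

```javascript
'use strict';
// Added example, not code from the WebKit patch. It checks the three arrow
// function behaviours the entry lists: lexical |this|, no constructor, and
// call()/apply()/bind() passing arguments without rebinding |this|.

// Lexical |this|: the arrow inside a method sees the method's |this| even
// when invoked later from a callback that supplies no receiver of its own.
class Counter {
  constructor() { this.count = 0; }
  incrementLater(items) {
    items.forEach(() => { this.count += 1; }); // |this| is the Counter
    return this.count;
  }
}

function lexicalThis() {
  return new Counter().incrementLater([1, 2, 3]);
}

// The same loop with a plain function loses |this| (undefined in strict
// mode), which is exactly the bug the lexical binding removes.
function dynamicThisFails() {
  const c = {
    count: 0,
    run(items) { items.forEach(function () { this.count += 1; }); },
  };
  try { c.run([1]); return 'ok'; } catch (e) { return e.constructor.name; }
}

// No [[Construct]]: applying |new| to an arrow function throws a TypeError.
function constructArrow() {
  const arrow = () => {};
  try { new arrow(); return 'constructed'; } catch (e) { return e.constructor.name; }
}

// call/apply/bind forward their arguments but cannot change |this|, which
// stays bound to the function in which the arrow was created.
function rebindAttempts() {
  const outer = { tag: 'outer' };
  function makeArrow() { return (a, b) => `${this.tag}:${a + b}`; }
  const arrow = makeArrow.call(outer);
  const other = { tag: 'other' };
  return [
    arrow.call(other, 1, 2),
    arrow.apply(other, [3, 4]),
    arrow.bind(other, 5)(6),
  ];
}
```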
2881 2015-07-28  Sam Weinig  <sam@webkit.org>
2882
2883         Cleanup the builtin JavaScript files
2884         https://bugs.webkit.org/show_bug.cgi?id=147382
2885
2886         Reviewed by Geoffrey Garen.
2887
2888         * builtins/Array.prototype.js:
2889         * builtins/ArrayConstructor.js:
2890         * builtins/ArrayIterator.prototype.js:
2891         * builtins/Function.prototype.js:
2892         * builtins/Iterator.prototype.js:
2893         * builtins/ObjectConstructor.js:
2894         * builtins/StringConstructor.js:
2895         * builtins/StringIterator.prototype.js:
2896         Unify the style of the builtin JavaScript files.
2897
2898 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2899
2900         Move some commands from ./CMakeLists.txt to Source/cmake
2901         https://bugs.webkit.org/show_bug.cgi?id=148003
2902
2903         Reviewed by Brent Fulgham.
2904
2905         * CMakeLists.txt:
2906         Added commands needed to build JSC by itself.
2907
2908 2015-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2909
2910         [ES6] Implement Reflect.get
2911         https://bugs.webkit.org/show_bug.cgi?id=147925
2912
2913         Reviewed by Geoffrey Garen.
2914
2915         This patch implements Reflect.get API.
2916         It can take the receiver object as the third argument.
2917         When the receiver is specified and there's a getter for the given property name,
2918         we call the getter with the receiver as the |this| value.
2919
2920         * runtime/ReflectObject.cpp:
2921         (JSC::reflectObjectGet):
2922         * runtime/SparseArrayValueMap.cpp:
2923         (JSC::SparseArrayEntry::get): Deleted.
2924         * runtime/SparseArrayValueMap.h:
2925         * tests/stress/reflect-get.js: Added.
2926         (shouldBe):
2927         (shouldThrow):
2928         (.get shouldThrow):
2929         (.get var):
2930         (get var.object.get hello):
2931         (.get shouldBe):
2932         (get var.object.set hello):
2933
2934 2015-08-17  Simon Fraser  <simon.fraser@apple.com>
2935
2936         will-change should sometimes trigger compositing
2937         https://bugs.webkit.org/show_bug.cgi?id=148072
2938
2939         Reviewed by Tim Horton.
2940         
2941         Include will-change as a reason for compositing.
2942
2943         * inspector/protocol/LayerTree.json:
2944
2945 2015-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2946
2947         [ES6] Implement Reflect.getOwnPropertyDescriptor
2948         https://bugs.webkit.org/show_bug.cgi?id=147929
2949
2950         Reviewed by Geoffrey Garen.
2951
2952         Implement Reflect.getOwnPropertyDescriptor.
2953         The difference from Object.getOwnPropertyDescriptor is that
2954         Reflect.getOwnPropertyDescriptor does not perform ToObject on
2955         the first argument. If the first argument is not an Object, it
2956         immediately raises a TypeError.
2957
2958         * runtime/ObjectConstructor.cpp:
2959         (JSC::objectConstructorGetOwnPropertyDescriptor):
2960         * runtime/ObjectConstructor.h:
2961         * runtime/ReflectObject.cpp:
2962         (JSC::reflectObjectGetOwnPropertyDescriptor):
2963         * tests/stress/reflect-get-own-property.js: Added.
2964         (shouldBe):
2965         (shouldThrow):
2966
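The receiver semantics of Reflect.get (entry "[ES6] Implement Reflect.get" above) and the no-ToObject rule of Reflect.getOwnPropertyDescriptor (entry above), exercised in one added example that is not code from either WebKit patch; the objects and helper names are assumptions of this example.

```javascript
'use strict';
// Added example, not code from the WebKit patches. It exercises the two
// semantics the entries describe: Reflect.get calls a getter with the
// supplied receiver as |this|, and Reflect.getOwnPropertyDescriptor refuses
// non-object targets with a TypeError instead of coercing them the way
// Object.getOwnPropertyDescriptor does.

// A prototype whose getter reads state from |this|.
const base = {
  get label() { return `label:${this.name}`; },
};
const derived = Object.create(base, { name: { value: 'derived' } });

// Reflect.get without a receiver: |this| inside the getter is the target.
function getWithoutReceiver() {
  return Reflect.get(derived, 'label');
}

// Reflect.get with an explicit receiver: |this| inside the getter is the
// receiver, so the getter reads the receiver's state, not the target's.
function getWithReceiver() {
  return Reflect.get(derived, 'label', { name: 'receiver' });
}

// Why the receiver matters for a membrane or sandbox Proxy: a trap that
// reads target[prop] runs getters against the raw target, while forwarding
// the receiver keeps |this| bound to the object the caller actually used.
function makeProxy(target, forwardReceiver) {
  return new Proxy(target, {
    get(t, prop, receiver) {
      return forwardReceiver ? Reflect.get(t, prop, receiver) : t[prop];
    },
  });
}

function labelThroughProxy(forwardReceiver) {
  const proxy = makeProxy(derived, forwardReceiver);
  // An object inheriting from the proxy, with its own "name" so the result
  // shows which object the getter saw as |this|.
  const wrapped = Object.create(proxy, { name: { value: 'wrapped' } });
  return wrapped.label;
}

// Reflect.getOwnPropertyDescriptor does not ToObject its first argument: a
// primitive is rejected with a TypeError, whereas
// Object.getOwnPropertyDescriptor coerces it and reports the property.
function describeLength(target) {
  const object = Object.getOwnPropertyDescriptor(target, 'length');
  let reflect;
  try {
    reflect = Reflect.getOwnPropertyDescriptor(target, 'length');
  } catch (e) {
    reflect = e instanceof TypeError ? 'TypeError' : e;
  }
  return { objectValue: object && object.value, reflect };
}
```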
2967 2015-08-16  Benjamin Poulain  <bpoulain@apple.com>
2968
2969         [JSC] Use (x + x) instead of (x * 2) when possible
2970         https://bugs.webkit.org/show_bug.cgi?id=148051
2971
2972         Reviewed by Michael Saboff.
2973
2974         When multiplying a number by 2, JSC was loading a constant "2"
2975         in register and multiplying it with the first number:
2976
2977             mov $0x4000000000000000, %rcx
2978             movd %rcx, %xmm0
2979             mulsd %xmm0, %xmm1
2980
2981         This is a problem for a few reasons.
2982         1) "movd %rcx, %xmm0" only sets half of XMM0. This instruction
2983            has to wait for any preceding instruction on XMM0 to finish
2984            before executing.
2985         2) The load and transform itself is large and unnecessary.
2986
2987         To fix that, I added a StrengthReductionPhase to transform
2988         multiplications by 2 into an addition.
2989
2990         Unfortunately, that turned the code into:
2991             movsd %xmm0 %xmm1
2992             mulsd %xmm1 %xmm0
2993
2994         The reason is GenerationInfo::canReuse() was not accounting
2995         for nodes using other nodes multiple times.
2996
2997         After fixing that too, we now have the multiplications by 2
2998         done as:
2999             addsd %xmm0 %xmm0
3000
3001         * dfg/DFGGenerationInfo.h:
3002         (JSC::DFG::GenerationInfo::useCount):
3003         (JSC::DFG::GenerationInfo::canReuse): Deleted.
3004         * dfg/DFGSpeculativeJIT.cpp:
3005         (JSC::DFG::FPRTemporary::FPRTemporary):
3006         * dfg/DFGSpeculativeJIT.h:
3007         (JSC::DFG::SpeculativeJIT::canReuse):
3008         (JSC::DFG::GPRTemporary::GPRTemporary):
3009         * dfg/DFGStrengthReductionPhase.cpp:
3010         (JSC::DFG::StrengthReductionPhase::handleNode):
3011
3012 2015-08-14  Basile Clement  <basile_clement@apple.com>
3013
3014         Occasional failure in v8-v6/v8-raytrace.js.ftl-eager
3015         https://bugs.webkit.org/show_bug.cgi?id=147165
3016
3017         Reviewed by Saam Barati.
3018
3019         The object allocation sinking phase was not properly checking that a
3020         MultiGetByOffset was safe to lower before lowering it.
3021         This makes it so that we only lower MultiGetByOffset if it only loads
3022         from direct properties of the object, and considers it as an escape in
3023         any other case (e.g. a load from the prototype).
3024
3025         It also ensures proper conversion of MultiGetByOffset into
3026         CheckStructureImmediate when needed.
3027
3028         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3029         * ftl/FTLLowerDFGToLLVM.cpp:
3030         (JSC::FTL::DFG::LowerDFGToLLVM::checkStructure):
3031             We were not properly compiling CheckStructure and
3032             CheckStructureImmediate nodes with an empty StructureSet.
3033         * tests/stress/sink-multigetbyoffset.js: Regression test.
3034
3035 2015-08-14  Filip Pizlo  <fpizlo@apple.com>
3036
3037         Use WTF::Lock and WTF::Condition instead of WTF::Mutex, WTF::ThreadCondition, std::mutex, and std::condition_variable
3038         https://bugs.webkit.org/show_bug.cgi?id=147999
3039
3040         Reviewed by Geoffrey Garen.
3041
3042         * API/JSVirtualMachine.mm:
3043         (initWrapperCache):
3044         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
3045         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
3046         (wrapperCacheMutex): Deleted.
3047         * bytecode/SamplingTool.cpp:
3048         (JSC::SamplingTool::doRun):
3049         (JSC::SamplingTool::notifyOfScope):
3050         * bytecode/SamplingTool.h:
3051         * dfg/DFGThreadData.h:
3052         * dfg/DFGWorklist.cpp:
3053         (JSC::DFG::Worklist::~Worklist):
3054         (JSC::DFG::Worklist::isActiveForVM):
3055         (JSC::DFG::Worklist::enqueue):
3056         (JSC::DFG::Worklist::compilationState):
3057         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
3058         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
3059         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
3060         (JSC::DFG::Worklist::visitWeakReferences):
3061         (JSC::DFG::Worklist::removeDeadPlans):
3062         (JSC::DFG::Worklist::queueLength):
3063         (JSC::DFG::Worklist::dump):
3064         (JSC::DFG::Worklist::runThread):
3065         * dfg/DFGWorklist.h:
3066         * disassembler/Disassembler.cpp:
3067         * heap/CopiedSpace.cpp:
3068         (JSC::CopiedSpace::doneFillingBlock):
3069         (JSC::CopiedSpace::doneCopying):
3070         * heap/CopiedSpace.h:
3071         * heap/CopiedSpaceInlines.h:
3072         (JSC::CopiedSpace::recycleBorrowedBlock):
3073         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
3074         * heap/GCThread.cpp:
3075         (JSC::GCThread::waitForNextPhase):
3076         (JSC::GCThread::gcThreadMain):
3077         * heap/GCThreadSharedData.cpp:
3078         (JSC::GCThreadSharedData::GCThreadSharedData):
3079         (JSC::GCThreadSharedData::~GCThreadSharedData):
3080         (JSC::GCThreadSharedData::startNextPhase):
3081         (JSC::GCThreadSharedData::endCurrentPhase):
3082         (JSC::GCThreadSharedData::didStartMarking):
3083         (JSC::GCThreadSharedData::didFinishMarking):
3084         * heap/GCThreadSharedData.h:
3085         * heap/HeapTimer.h:
3086         * heap/MachineStackMarker.cpp:
3087         (JSC::ActiveMachineThreadsManager::Locker::Locker):
3088         (JSC::ActiveMachineThreadsManager::add):
3089         (JSC::ActiveMachineThreadsManager::remove):
3090         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
3091         (JSC::MachineThreads::~MachineThreads):
3092         (JSC::MachineThreads::addCurrentThread):
3093         (JSC::MachineThreads::removeThreadIfFound):
3094         (JSC::MachineThreads::tryCopyOtherThreadStack):
3095         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3096         (JSC::MachineThreads::gatherConservativeRoots):
3097         * heap/MachineStackMarker.h:
3098         * heap/SlotVisitor.cpp:
3099         (JSC::SlotVisitor::donateKnownParallel):
3100         (JSC::SlotVisitor::drain):
3101         (JSC::SlotVisitor::drainFromShared):
3102         (JSC::SlotVisitor::mergeOpaqueRoots):
3103         * heap/SlotVisitorInlines.h:
3104         (JSC::SlotVisitor::containsOpaqueRootTriState):
3105         * inspector/remote/RemoteInspectorDebuggableConnection.h:
3106         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
3107         (Inspector::RemoteInspectorHandleRunSourceGlobal):
3108         (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
3109         (Inspector::RemoteInspectorInitializeGlobalQueue):
3110         (Inspector::RemoteInspectorHandleRunSourceWithInfo):
3111         (Inspector::RemoteInspectorDebuggableConnection::setup):
3112         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
3113         (Inspector::RemoteInspectorDebuggableConnection::close):
3114         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
3115         (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
3116         * interpreter/JSStack.cpp:
3117         (JSC::JSStack::JSStack):
3118         (JSC::JSStack::releaseExcessCapacity):
3119         (JSC::JSStack::addToCommittedByteCount):
3120         (JSC::JSStack::committedByteCount):
3121         (JSC::stackStatisticsMutex): Deleted.
3122         (JSC::JSStack::initializeThreading): Deleted.
3123         * interpreter/JSStack.h:
3124         (JSC::JSStack::gatherConservativeRoots):
3125         (JSC::JSStack::sanitizeStack):
3126         (JSC::JSStack::size):
3127         (JSC::JSStack::initializeThreading): Deleted.
3128         * jit/ExecutableAllocator.cpp:
3129         (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
3130         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
3131         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
3132         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
3133         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
3134         (JSC::DemandExecutableAllocator::allocators):
3135         (JSC::DemandExecutableAllocator::allocatorsMutex):
3136         * jit/JITThunks.cpp:
3137         (JSC::JITThunks::ctiStub):
3138         * jit/JITThunks.h:
3139         * profiler/ProfilerDatabase.cpp:
3140         (JSC::Profiler::Database::ensureBytecodesFor):
3141         (JSC::Profiler::Database::notifyDestruction):
3142         * profiler/ProfilerDatabase.h:
3143         * runtime/InitializeThreading.cpp:
3144         (JSC::initializeThreading):
3145         * runtime/JSLock.cpp:
3146         (JSC::GlobalJSLock::GlobalJSLock):
3147         (JSC::GlobalJSLock::~GlobalJSLock):
3148         (JSC::JSLockHolder::JSLockHolder):
3149         (JSC::GlobalJSLock::initialize): Deleted.
3150         * runtime/JSLock.h:
3151
3152 2015-08-14  Ryosuke Niwa  <rniwa@webkit.org>
3153
3154         ES6 class syntax should allow computed name method
3155         https://bugs.webkit.org/show_bug.cgi?id=142690
3156
3157         Reviewed by Saam Barati.
3158
3159         Added a new "attributes" attribute to op_put_getter_by_id, op_put_setter_by_id, op_put_getter_setter to specify
3160         the property descriptor options so that we can use op_put_setter_by_id and op_put_getter_setter to define
3161         getters and setters for classes. Without this, getters and setters could erroneously override methods.
3162
3163         * bytecode/BytecodeList.json:
3164         * bytecode/BytecodeUseDef.h:
3165         (JSC::computeUsesForBytecodeOffset):
3166         * bytecode/CodeBlock.cpp:
3167         (JSC::CodeBlock::dumpBytecode):
3168         * bytecompiler/BytecodeGenerator.cpp:
3169         (JSC::BytecodeGenerator::emitDirectPutById):
3170         (JSC::BytecodeGenerator::emitPutGetterById):
3171         (JSC::BytecodeGenerator::emitPutSetterById):
3172         (JSC::BytecodeGenerator::emitPutGetterSetter):
3173         * bytecompiler/BytecodeGenerator.h:
3174         * bytecompiler/NodesCodegen.cpp:
3175         (JSC::PropertyListNode::emitBytecode): Always use emitPutGetterSetter to emit getters and setters for classes
3176         as done for object literals.
3177         (JSC::PropertyListNode::emitPutConstantProperty):
3178         (JSC::ClassExprNode::emitBytecode):
3179         * jit/CCallHelpers.h:
3180         (JSC::CCallHelpers::setupArgumentsWithExecState):
3181         * jit/JIT.h:
3182         * jit/JITInlines.h:
3183         (JSC::JIT::callOperation):
3184         * jit/JITOperations.cpp:
3185         * jit/JITOperations.h:
3186         * jit/JITPropertyAccess.cpp:
3187         (JSC::JIT::emit_op_put_getter_by_id):
3188         (JSC::JIT::emit_op_put_setter_by_id):
3189         (JSC::JIT::emit_op_put_getter_setter):
3190         (JSC::JIT::emit_op_del_by_id):
3191         * jit/JITPropertyAccess32_64.cpp:
3192         (JSC::JIT::emit_op_put_getter_by_id):
3193         (JSC::JIT::emit_op_put_setter_by_id):
3194         (JSC::JIT::emit_op_put_getter_setter):
3195         (JSC::JIT::emit_op_del_by_id):
3196         * llint/LLIntSlowPaths.cpp:
3197         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3198         * llint/LowLevelInterpreter.asm:
3199         * parser/ASTBuilder.h:
3200         (JSC::ASTBuilder::createProperty):
3201         (JSC::ASTBuilder::createPropertyList):
3202         * parser/NodeConstructors.h:
3203         (JSC::PropertyNode::PropertyNode):
3204         * parser/Nodes.h:
3205         (JSC::PropertyNode::expressionName):
3206         (JSC::PropertyNode::name):
3207         * parser/Parser.cpp:
3208         (JSC::Parser<LexerType>::parseClass): Added the support for computed property name. We don't support computed names
3209         for getters and setters.
3210         * parser/SyntaxChecker.h:
3211         (JSC::SyntaxChecker::createProperty):
3212         * runtime/JSObject.cpp:
3213         (JSC::JSObject::allowsAccessFrom):
3214         (JSC::JSObject::putGetter):
3215         (JSC::JSObject::putSetter):
3216         * runtime/JSObject.h:
3217         * runtime/PropertyDescriptor.h:
3218
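An added example, not code from the ChangeLog entry above or from JavaScriptCore itself, showing the observable ES6 class semantics that the "attributes" operand described above has to preserve: a method with a computed name, and a getter and setter sharing one name that must merge into a single accessor property rather than the second definition clobbering the first, with every member defined as a non-enumerable, configurable prototype property. The class `Widget`, its member names and the `tag` value are constructed for this illustration and can be run in any ES6-capable engine.

```javascript
// Added example (not JavaScriptCore code): observable ES6 class semantics that
// the bytecode change above must produce. All names below are constructed.

const tag = "computed"; // constructed sample used to build a computed method name

class Widget {
  // A plain method with an ordinary identifier name.
  size() { return 1; }

  // A method whose name is computed at class-definition time.
  [tag + "Method"]() { return "computed"; }

  // A getter and setter sharing one name: the engine must merge them into one
  // accessor property, not let the second definition override the first.
  get label() { return this._label; }
  set label(v) { this._label = String(v); }
}

// Returns the own-property descriptor of a Widget.prototype member reduced to
// the attributes that matter here: enumerable/configurable flags and whether
// the descriptor carries a value (method) or get/set functions (accessor).
function describe(name) {
  const d = Object.getOwnPropertyDescriptor(Widget.prototype, name);
  if (!d) return null;
  return {
    enumerable: d.enumerable,
    configurable: d.configurable,
    hasValue: "value" in d,
    hasGet: typeof d.get === "function",
    hasSet: typeof d.set === "function",
  };
}

// Every class member, method or accessor alike, is defined non-enumerable and
// configurable; this is the property-descriptor requirement that a bytecode
// "attributes" operand has to express when defining class members.
function allMembersNonEnumerable() {
  return Object.getOwnPropertyNames(Widget.prototype)
    .filter((n) => n !== "constructor")
    .every((n) => {
      const d = Object.getOwnPropertyDescriptor(Widget.prototype, n);
      return d.enumerable === false && d.configurable === true;
    });
}

// Exercises the merged getter/setter pair end to end.
function roundTrip(value) {
  const w = new Widget();
  w.label = value;
  return w.label;
}

// Calls the computed-name method by its resolved name.
function callComputed() {
  return new Widget().computedMethod();
}
```

If an engine defined the setter without the right attributes and thereby replaced the getter instead of merging with it, `describe("label")` would report `hasGet: false` and `roundTrip` would return `undefined`; the descriptor check above is the quickest way to spot that class of regression from script.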
2015-08-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add InspectorInstrumentation builtin object to instrument the code in JS builtins like Promises
        https://bugs.webkit.org/show_bug.cgi?id=147942

        Reviewed by Geoffrey Garen.

        This patch adds a new private global object, @InspectorInstrumentation.
        It is intended to be used as the namespace object (like Reflect/Math) for Inspector's
        instrumentation system and it is used to instrument the builtin JS code, like Promises.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/InspectorInstrumentationObject.js: Added.
        (debug):
        (promiseFulfilled):
        (promiseRejected):
        * builtins/Operations.Promise.js:
        (rejectPromise):
        (fulfillPromise):
        * runtime/CommonIdentifiers.h:
        * runtime/InspectorInstrumentationObject.cpp: Added.
        (JSC::InspectorInstrumentationObject::InspectorInstrumentationObject):
        (JSC::InspectorInstrumentationObject::finishCreation):
        (JSC::InspectorInstrumentationObject::getOwnPropertySlot):
        (JSC::InspectorInstrumentationObject::isEnabled):
        (JSC::InspectorInstrumentationObject::enable):
        (JSC::InspectorInstrumentationObject::disable):
        (JSC::inspectorInstrumentationObjectDataLogImpl):
        * runtime/InspectorInstrumentationObject.h: Added.
        (JSC::InspectorInstrumentationObject::create):
        (JSC::InspectorInstrumentationObject::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2015-08-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r188444.
        https://bugs.webkit.org/show_bug.cgi?id=148029

        Broke GTK and EFL (see bug #148027) (Requested by philn on
        #webkit).

        Reverted changeset:

        "Use WTF::Lock and WTF::Condition instead of WTF::Mutex,
        WTF::ThreadCondition, std::mutex, and std::condition_variable"
        https://bugs.webkit.org/show_bug.cgi?id=147999
        http://trac.webkit.org/changeset/188444

2015-08-13  Filip Pizlo  <fpizlo@apple.com>

        Use WTF::Lock and WTF::Condition instead of WTF::Mutex, WTF::ThreadCondition, std::mutex, and std::condition_variable
        https://bugs.webkit.org/show_bug.cgi?id=147999

        Reviewed by Geoffrey Garen.

        * API/JSVirtualMachine.mm:
        (initWrapperCache):
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        (wrapperCacheMutex): Deleted.
        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::doRun):
        (JSC::SamplingTool::notifyOfScope):
        * bytecode/SamplingTool.h:
        * dfg/DFGThreadData.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::queueLength):
        (JSC::DFG::Worklist::dump):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * disassembler/Disassembler.cpp:
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::doneCopying):
        * heap/CopiedSpace.h:
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::recycleBorrowedBlock):
        (JSC::CopiedSpace::allocateBlockForCopyingPhase):
        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase):
        (JSC::GCThread::gcThreadMain):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::~GCThreadSharedData):
        (JSC::GCThreadSharedData::startNextPhase):
        (JSC::GCThreadSharedData::endCurrentPhase):
        (JSC::GCThreadSharedData::didStartMarking):
        (JSC::GCThreadSharedData::didFinishMarking):
        * heap/GCThreadSharedData.h:
        * heap/HeapTimer.h:
        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::Locker::Locker):
        (JSC::ActiveMachineThreadsManager::add):
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):