"static" should not be a reserved keyword in non-strict mode even when ES6 class...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-03-11  Ryosuke Niwa  <rniwa@webkit.org>
2
3         "static" should not be a reserved keyword in non-strict mode even when ES6 class is enabled
4         https://bugs.webkit.org/show_bug.cgi?id=142600
5
6         Reviewed by Mark Lam.
7
8         Make "static" RESERVED_IF_STRICT and manually detect it in parseClass.
9
10         No new tests. This is already checked by js/reserved-words.html and js/keywords-and-reserved_words.html
11
12         * parser/Keywords.table:
13         * parser/Parser.cpp:
14         (JSC::Parser<LexerType>::parseClass):
15         * parser/ParserTokens.h:
16
17 2015-03-11  Geoffrey Garen  <ggaren@apple.com>
18
19         Many users of Heap::reportExtraMemory* are wrong, causing lots of memory growth
20         https://bugs.webkit.org/show_bug.cgi?id=142593
21
22         Reviewed by Andreas Kling.
23
24         Adopt deprecatedReportExtraMemory as a short-term fix for runaway
25         memory growth in these cases where we have not adopted
26         reportExtraMemoryVisited.
27
28         Long-term, we should use reportExtraMemoryAllocated+reportExtraMemoryVisited.
29         That's tracked by https://bugs.webkit.org/show_bug.cgi?id=142595.
30
31         * API/JSBase.cpp:
32         (JSReportExtraMemoryCost):
33         * runtime/SparseArrayValueMap.cpp:
34         (JSC::SparseArrayValueMap::add):
35
36 2015-03-11  Geoffrey Garen  <ggaren@apple.com>
37
38         Refactored the JSC::Heap extra cost API for clarity and to make some known bugs more obvious
39         https://bugs.webkit.org/show_bug.cgi?id=142589
40
41         Reviewed by Andreas Kling.
42
43         * API/JSBase.cpp:
44         (JSReportExtraMemoryCost): Added a FIXME to annotate a known bug.
45
46         * bytecode/CodeBlock.cpp:
47         (JSC::CodeBlock::CodeBlock):
48         (JSC::CodeBlock::visitAggregate):
49         * bytecode/CodeBlock.h:
50         (JSC::CodeBlock::setJITCode): Updated for rename.
51
52         * heap/Heap.cpp:
53         (JSC::Heap::Heap):
54         (JSC::Heap::reportExtraMemoryAllocatedSlowCase):
55         (JSC::Heap::deprecatedReportExtraMemorySlowCase): Renamed our reporting
56         APIs to clarify their relationship to each other: One must report extra
57         memory at the time of allocation, and at the time the GC visits it.
58
59         (JSC::Heap::extraMemorySize):
60         (JSC::Heap::size):
61         (JSC::Heap::capacity):
62         (JSC::Heap::sizeAfterCollect):
63         (JSC::Heap::willStartCollection): Updated for renames. Added explicit
64         API for deprecated users who can't use our best API.
65  
66         (JSC::Heap::reportExtraMemoryCostSlowCase): Deleted.
67         (JSC::Heap::extraSize): Deleted.
68
69         * heap/Heap.h:
70         * heap/HeapInlines.h:
71         (JSC::Heap::reportExtraMemoryAllocated):
72         (JSC::Heap::reportExtraMemoryVisited):
73         (JSC::Heap::deprecatedReportExtraMemory):
74         (JSC::Heap::reportExtraMemoryCost): Deleted. Ditto.
75
76         * heap/SlotVisitor.h:
77         * heap/SlotVisitorInlines.h:
78         (JSC::SlotVisitor::reportExtraMemoryVisited):
79         (JSC::SlotVisitor::reportExtraMemoryUsage): Deleted. Moved this
80         functionality into the Heap since it's pretty detailed in its access
81         to the heap.
82
83         * runtime/JSArrayBufferView.cpp:
84         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
85         * runtime/JSGenericTypedArrayViewInlines.h:
86         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Updated for
87         renames.
88
89         * runtime/JSString.cpp:
90         (JSC::JSString::visitChildren):
91         (JSC::JSRopeString::resolveRopeToAtomicString):
92         (JSC::JSRopeString::resolveRope):
93         * runtime/JSString.h:
94         (JSC::JSString::finishCreation): Updated for renames.
95
96         * runtime/SparseArrayValueMap.cpp:
97         (JSC::SparseArrayValueMap::add): Added FIXME.
98
99         * runtime/WeakMapData.cpp:
100         (JSC::WeakMapData::visitChildren): Updated for rename.
101
102 2015-03-11  Ryosuke Niwa  <rniwa@webkit.org>
103
104         Calling super() in a base class results in a crash
105         https://bugs.webkit.org/show_bug.cgi?id=142563
106
107         Reviewed by Filip Pizlo.
108
109         The bug was caused by BytecodeGenerator trying to generate "super" expression inside the constructor of a base class.
110         Disallow that by keeping track of whether "super" has been used in the current scope or not (needsSuperBinding flag)
111         and then throwing a syntax error in parseFunctionInfo if it was used and the current scope wasn't the constructor of
112         a derived class.
113
114         * parser/Parser.cpp:
115         (JSC::Parser<LexerType>::parseFunctionInfo): Don't allow super() or super.foo outside the constructor of a derived class.
116         (JSC::Parser<LexerType>::parseClass): Pass in the constructor kind to parseGetterSetter.
117         (JSC::Parser<LexerType>::parseGetterSetter): Ditto to parseFunctionInfo.
118         (JSC::Parser<LexerType>::parseMemberExpression): Set needsSuperBinding flag true on the containing scope.
119         * parser/Parser.h:
120         (JSC::Scope::Scope):
121         (JSC::Scope::needsSuperBinding): Added.
122         (JSC::Scope::setNeedsSuperBinding): Added.
123
124 2015-03-10  Darin Adler  <darin@apple.com>
125
126         Some event handler fixes
127         https://bugs.webkit.org/show_bug.cgi?id=142474
128
129         Reviewed by Anders Carlsson.
130
131         * inspector/InjectedScriptManager.cpp:
132         (Inspector::InjectedScriptManager::createInjectedScript): Call clearException.
133         I spotted the fact it was missing by auditing all the calls to JSC::call.
134
135 2015-03-10  Matthew Mirman  <mmirman@apple.com>
136
137         Functions should have initialization precedence over arguments. 
138         https://bugs.webkit.org/show_bug.cgi?id=142550
139         rdar://problem/19702564
140
141         Reviewed by Geoffrey Garen.
142
143         * bytecompiler/BytecodeGenerator.cpp:
144         (JSC::BytecodeGenerator::BytecodeGenerator):
145         (JSC::BytecodeGenerator::initializeCapturedVariable):
146         * tests/stress/initialize_functions_after_arguments.js: Added.
147
148 2015-03-10  Andreas Kling  <akling@apple.com>
149
150         Eden collections should trigger sweep of MarkedBlocks containing new objects.
151         <https://webkit.org/b/142538>
152
153         Reviewed by Geoffrey Garen.
154
155         Take a snapshot of all MarkedBlocks with new objects as part of Eden collections,
156         and append that to the IncrementalSweeper's working set.
157
158         This ensures that we run destructors for objects that were discovered to be garbage during
159         Eden collections, instead of delaying their teardown until the next full collection,
160         or the next allocation cycle for their block.
161
162         * heap/Heap.cpp:
163         (JSC::Heap::snapshotMarkedSpace): For Eden collections, snapshot the list of MarkedBlocks
164         that contain new objects, since those are the only ones we're interested in.
165         Also use Vector::resizeToFit() to allocate the snapshot for full collections, since we know
166         the final size we need up front.
167
168         (JSC::Heap::notifyIncrementalSweeper): For Eden collections, tell the IncrementalSweeper
169         to add the block snapshot (taken earlier) to its existing set of blocks instead of replacing
170         it entirely. This allows Eden collections and incremental sweeping to occur interleaved with
171         each other without missing destruction opportunities.
172
173         * heap/IncrementalSweeper.h:
174         * heap/IncrementalSweeper.cpp:
175         (JSC::IncrementalSweeper::doSweep):
176         (JSC::IncrementalSweeper::sweepNextBlock): Change the way we iterate over the sweeper's
177         work list: instead of keeping an index for the next block, just pop from the end of the list.
178         This allows us to add new blocks and deduplicate the list without disturbing iteration.
179
180         (JSC::IncrementalSweeper::startSweeping): Make this take a Vector<MarkedBlock>&& so we can
181         pass ownership of this Vector efficiently from Heap to IncrementalSweeper.
182
183         (JSC::IncrementalSweeper::addBlocksAndContinueSweeping): Added. This is used by Eden
184         collections to add a set of MarkedBlocks with new objects to the sweeper's existing
185         working set and kick the timer.
186
187         * heap/MarkedSpace.h:
188         (JSC::MarkedSpace::blocksWithNewObjects): Expose the list of MarkedBlocks with new objects.
189
190 2015-03-10  Alex Christensen  <achristensen@webkit.org>
191
192         Use unsigned for HashSet size.
193         https://bugs.webkit.org/show_bug.cgi?id=142518
194
195         Reviewed by Benjamin Poulain.
196
197         * dfg/DFGAvailabilityMap.cpp:
198         (JSC::DFG::AvailabilityMap::prune):
199         * ftl/FTLOSRExitCompiler.cpp:
200         (JSC::FTL::compileStub):
201         * heap/MarkedBlockSet.h:
202         (JSC::MarkedBlockSet::remove):
203         * runtime/WeakMapData.h:
204
205 2015-03-10  Mark Lam  <mark.lam@apple.com>
206
207         Use std::numeric_limits<unsigned>::max() instead of (unsigned)-1.
208         <https://webkit.org/b/142539>
209
210         Reviewed by Benjamin Poulain.
211
212         * jit/JIT.cpp:
213         (JSC::JIT::JIT):
214         (JSC::JIT::privateCompileMainPass):
215         (JSC::JIT::privateCompileSlowCases):
216         (JSC::JIT::privateCompile):
217         (JSC::JIT::privateCompileExceptionHandlers):
218         * jit/JITInlines.h:
219         (JSC::JIT::emitNakedCall):
220         (JSC::JIT::addSlowCase):
221         (JSC::JIT::addJump):
222         (JSC::JIT::emitJumpSlowToHot):
223         (JSC::JIT::emitGetVirtualRegister):
224         * jit/SlowPathCall.h:
225         (JSC::JITSlowPathCall::call):
226         * yarr/Yarr.h:
227
228 2015-03-10  Mark Lam  <mark.lam@apple.com>
229
230         [Win] JSC Build Warnings Need to be Resolved.
231         <https://webkit.org/b/142366>
232
233         Reviewed by Brent Fulgham.
234
235         Applied some benign changes to make the MSVC compiler happy.
236
237         * bytecode/CodeBlock.cpp:
238         (JSC::CodeBlock::dumpBytecode):
239         * dfg/DFGSpeculativeJIT32_64.cpp:
240         (JSC::DFG::SpeculativeJIT::fillJSValue):
241         * runtime/BasicBlockLocation.cpp:
242         (JSC::BasicBlockLocation::getExecutedRanges):
243         * runtime/ControlFlowProfiler.cpp:
244         (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
245
246 2015-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
247
248         Upgrade Map, Set and WeakMap constructor interface
249         https://bugs.webkit.org/show_bug.cgi?id=142348
250
251         Reviewed by Filip Pizlo.
252
253         In the latest ES6 spec, Map and Set constructors take initialization data sets
254         as iterable value. And iterate it and add the values into the constructed one.
255
256         This is breaking change because the old constructor interface is
257         already shipped in Safari 8.
258
259         * runtime/MapConstructor.cpp:
260         (JSC::callMap):
261         (JSC::constructMap):
262         (JSC::MapConstructor::getCallData):
263         * runtime/SetConstructor.cpp:
264         (JSC::callSet):
265         (JSC::constructSet):
266         * runtime/WeakMapConstructor.cpp:
267         (JSC::callWeakMap):
268         (JSC::constructWeakMap):
269         (JSC::WeakMapConstructor::getCallData):
270         * tests/stress/map-constructor-adder.js: Added.
271         * tests/stress/map-constructor.js: Added.
272         (testCallTypeError):
273         (testTypeError):
274         (for):
275         * tests/stress/set-constructor-adder.js: Added.
276         (Set.prototype.add):
277         * tests/stress/set-constructor.js: Added.
278         (for):
279         * tests/stress/weak-map-constructor-adder.js: Added.
280         * tests/stress/weak-map-constructor.js: Added.
281         (testCallTypeError):
282         (testTypeError):
283         (for):
284
285 2015-03-10  Michael Catanzaro  <mcatanzaro@igalia.com>
286
287         GCC: CRASH() should be annotated with NORETURN
288         https://bugs.webkit.org/show_bug.cgi?id=142524
289
290         Reviewed by Anders Carlsson.
291
292         Don't return from a NORETURN function. This used to avoid a warning from GCC, but now it
293         causes one.
294
295         * jsc.cpp:
296
297 2015-03-10  Mark Lam  <mark.lam@apple.com>
298
299         Gardening: fix bleeding debug test bots.
300         https://webkit.org/b/142513>
301
302         Not reviewed.
303
304         The test needs to initialize WTF threading explicitly before using it.
305
306         * API/tests/CompareAndSwapTest.cpp:
307         (testCompareAndSwap):
308
309 2015-03-10  Alex Christensen  <achristensen@webkit.org>
310
311         [WinCairo] Unreviewed build fix.
312
313         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
314         Added directory containing config.h, like r181304.
315
316 2015-03-09  Mark Lam  <mark.lam@apple.com>
317
318         Yet another build fix for Windows.
319         https://webkit.org/b/142513>
320
321         Reviewed by Alex Christensen.
322
323         Looks like MSVC requires the function be explicitly declared in a header file
324         in order for it to be linkable from another file in the same project.  This is
325         strange, but it seems to make MSVC happy.
326
327         Also fixed a typo in testapi.vcxproj.filters.
328
329         * API/tests/CompareAndSwapTest.cpp:
330         * API/tests/CompareAndSwapTest.h: Added.
331         * API/tests/testapi.c:
332         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
333         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
334         * JavaScriptCore.xcodeproj/project.pbxproj:
335
336 2015-03-09  Chris Dumez  <cdumez@apple.com>
337
338         [iOS] Sweep all collected objects on critical memory pressure
339         https://bugs.webkit.org/show_bug.cgi?id=142457
340         <rdar://problem/20044440>
341
342         Reviewed by Geoffrey Garen.
343
344         All fullSweep() API to IncrementalSweeper so that we can call it in the
345         memory pressure handler.
346
347         * heap/IncrementalSweeper.cpp:
348         (JSC::IncrementalSweeper::fullSweep):
349         * heap/IncrementalSweeper.h:
350         (JSC::IncrementalSweeper::hasWork):
351
352 2015-03-09  Mark Lam  <mark.lam@apple.com>
353
354         Another build fix for Windows.
355         https://webkit.org/b/142513>
356
357         Not reviewed.
358
359         * API/tests/CompareAndSwapTest.cpp:
360         - Added JS_EXPORT_PRIVATE attribute.
361
362 2015-03-09  Mark Lam  <mark.lam@apple.com>
363
364         Build fix for Windows after r181305.
365         https://webkit.org/b/142513>
366
367         Reviewed by Alex Christensen.
368
369         Windows doesn't like pthreads anymore.  Changed test to use WTF threading.
370
371         * API/tests/CompareAndSwapTest.cpp:
372         (setBitThreadFunc):
373         (testCompareAndSwap):
374
375 2015-03-09  Mark Lam  <mark.lam@apple.com>
376
377         8-bit version of weakCompareAndSwap() can cause an infinite loop.
378         https://webkit.org/b/142513>
379
380         Reviewed by Filip Pizlo.
381
382         Added a test that exercises the 8-bit CAS from multiple threads.  The threads
383         will contend to set bits in a large array of bytes using the CAS function.
384
385         * API/tests/CompareAndSwapTest.cpp: Added.
386         (Bitmap::Bitmap):
387         (Bitmap::numBits):
388         (Bitmap::clearAll):
389         (Bitmap::concurrentTestAndSet):
390         (setBitThreadFunc):
391         (testCompareAndSwap):
392         * API/tests/testapi.c:
393         (main):
394         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
395         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
396         * JavaScriptCore.xcodeproj/project.pbxproj:
397
398 2015-03-09  Brent Fulgham  <bfulgham@apple.com>
399
400         [Win] testapi project is unable to find the 'config.h' file.
401
402         Rubberstamped by Mark Lam.
403
404         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Add JavaScriptCore source directory
405         to the include path.
406
407 2015-03-09  Andreas Kling  <akling@apple.com>
408
409         Stale entries in WeakGCMaps are keeping tons of WeakBlocks alive unnecessarily.
410         <https://webkit.org/b/142115>
411         <rdar://problem/19992268>
412
413         Reviewed by Geoffrey Garen.
414
415         Prune stale entries from WeakGCMaps as part of every full garbage collection.
416         This frees up tons of previously-stuck WeakBlocks that were only sitting around
417         with finalized handles waiting to die.
418
419         Note that WeakGCMaps register/unregister themselves with the GC heap in their
420         ctor/dtor, so creating one now requires passing the VM.
421
422         Average time spent in the PruningStaleEntriesFromWeakGCMaps GC phase appears
423         to be between 0.01ms and 0.3ms, though I've seen a few longer ones at ~1.2ms.
424         It seems somewhat excessive to do this on every Eden collection, so it's only
425         doing work in full collections for now.
426
427         Because the GC may now mutate WeakGCMap below object allocation, I've made it
428         so that the classic HashMap::add() optimization can't be used with WeakGCMap.
429         This caused intermittent test failures when originally landed due to having
430         an invalid iterator on the stack after add() inserted a new entry and we
431         proceeded to allocate the new object, triggering GC.
432
433         * API/JSWeakObjectMapRefInternal.h:
434         (OpaqueJSWeakObjectMap::create):
435         (OpaqueJSWeakObjectMap::OpaqueJSWeakObjectMap):
436         * API/JSWeakObjectMapRefPrivate.cpp:
437         * API/JSWrapperMap.mm:
438         (-[JSWrapperMap initWithContext:]):
439         (-[JSWrapperMap jsWrapperForObject:]): Pass VM to WeakGCMap constructor.
440
441         * JavaScriptCore.xcodeproj/project.pbxproj: Add WeakGCMapInlines.h and make
442         it project-private so WebCore clients can access it.
443
444         * heap/Heap.cpp:
445         (JSC::Heap::collect):
446         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps): Added a new GC phase for pruning
447         stale entries from WeakGCMaps. This is only executed during full collections.
448
449         * heap/Heap.h:
450         * heap/HeapInlines.h:
451         (JSC::Heap::registerWeakGCMap):
452         (JSC::Heap::unregisterWeakGCMap): Added a mechanism for WeakGCMaps to register
453         themselves with the Heap and provide a pruning callback.
454
455         * runtime/PrototypeMap.h:
456         (JSC::PrototypeMap::PrototypeMap):
457         * runtime/Structure.cpp:
458         (JSC::StructureTransitionTable::add): Pass VM to WeakGCMap constructor.
459
460         * runtime/JSCInlines.h: Add "WeakGCMapInlines.h"
461
462         * runtime/JSGlobalObject.cpp: Include "WeakGCMapInlines.h" so this builds.
463
464         * runtime/JSString.cpp:
465         (JSC::jsStringWithCacheSlowCase):
466         * runtime/PrototypeMap.cpp:
467         (JSC::PrototypeMap::addPrototype):
468         (JSC::PrototypeMap::emptyObjectStructureForPrototype): Remove HashMap add()
469         optimization since it's not safe in the GC-managed WeakGCMap world.
470
471         * runtime/VM.cpp:
472         (JSC::VM::VM): Pass VM to WeakGCMap constructor.
473
474         * runtime/WeakGCMap.h:
475         (JSC::WeakGCMap::set):
476         (JSC::WeakGCMap::add):
477         (JSC::WeakGCMap::WeakGCMap): Deleted.
478         (JSC::WeakGCMap::gcMap): Deleted.
479         (JSC::WeakGCMap::gcMapIfNeeded): Deleted.
480         * runtime/WeakGCMapInlines.h: Added.
481         (JSC::WeakGCMap::WeakGCMap):
482         (JSC::WeakGCMap::~WeakGCMap):
483         (JSC::WeakGCMap::pruneStaleEntries): Moved ctor, dtor and pruning callback
484         to WeakGCMapInlines.h to fix interdependent header issues. Removed code that
485         prunes WeakGCMap at certain growth milestones and instead rely on the GC
486         callback for housekeeping.
487
488 2015-03-09  Ryosuke Niwa  <rniwa@webkit.org>
489
490         Support extends and super keywords
491         https://bugs.webkit.org/show_bug.cgi?id=142200
492
493         Reviewed by Filip Pizlo.
494
495         Added the support for ES6 class syntax inheritance.
496
497         Added ConstructorKind as well as boolean flags indicating the constructor kind to
498         various classes in UnlinkedCodeBlock as well as AST nodes.
499
500         Each method stores the associated class as its homeObjectPrivateName. This value is used to
501         make super calls.
502
503         * bytecode/UnlinkedCodeBlock.cpp:
504         (JSC::generateFunctionCodeBlock):
505         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
506         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
507
508         * bytecode/UnlinkedCodeBlock.h:
509         (JSC::ExecutableInfo::ExecutableInfo):
510         (JSC::UnlinkedFunctionExecutable::constructorKindIsDerived): Added.
511         (JSC::UnlinkedCodeBlock::constructorKindIsDerived): Added.
512
513         * bytecompiler/BytecodeGenerator.cpp:
514         (JSC::BytecodeGenerator::BytecodeGenerator): Don't emit op_create_this in a derived class
515         as the object is allocated by the highest base class's constructor. Also set "this" to null
516         and store the original value in m_newTargetRegister. "this" is supposed to be in TDZ but
517         that will be implemented in a separate patch.
518         (JSC::BytecodeGenerator::emitReturn): Allow "undefined" to be returned from a derived class.
519         In a derived class's constructor, not returning "undefined" or an object results in a type
520         error instead of "this" being returned.
521         (JSC::BytecodeGenerator::emitThrowTypeError): Added.
522
523         * bytecompiler/BytecodeGenerator.h:
524         (JSC::BytecodeGenerator::constructorKindIsDerived): Added.
525         (JSC::BytecodeGenerator::newTarget): Added.
526
527         * bytecompiler/NodesCodegen.cpp:
528         (JSC::SuperNode::emitBytecode): Added. Emits the code to obtain the callee's parent class.
529         (JSC::emitSuperBaseForCallee): Added. Emits the code to obtain the parent class's prototype.
530         (JSC::emitPutHomeObject): Added.
531         (JSC::PropertyListNode::emitBytecode): Stores the home object when adding methods.
532         (JSC::PropertyListNode::emitPutConstantProperty): Ditto.
533         (JSC::BracketAccessorNode::emitBytecode): Added the support for super['foo'].
534         (JSC::DotAccessorNode::emitBytecode): Added the support for super.foo.
535         (JSC::FunctionCallValueNode::emitBytecode): Added the support for super().
536         (JSC::FunctionCallBracketNode::emitBytecode): Added the support for super['foo']().
537         (JSC::FunctionCallDotNode::emitBytecode): Added the support for super.foo().
538         (JSC::DeleteBracketNode::emitBytecode): Forbid "delete super.foo".
539         (JSC::DeleteDotNode::emitBytecode): Forbid "delete super['foo']".
540         (JSC::ClassExprNode::emitBytecode): Added the support for "classHeritage". This is the main
541         logic for inheritance. When a class B inherits from a class A, set B.__proto__ to A and set
542         B.prototype.__proto__ to A.prototype. Throw exceptions when either A or A.__proto__ is not
543         an object.
544
545         * parser/ASTBuilder.h:
546         (JSC::ASTBuilder::superExpr): Added.
547
548         * parser/NodeConstructors.h:
549         (JSC::SuperNode::SuperNode): Added.
550
551         * parser/Nodes.cpp:
552         (JSC::FunctionBodyNode::FunctionBodyNode):
553
554         * parser/Nodes.h:
555         (JSC::ExpressionNode::isSuperNode):
556         (JSC::PropertyNode::type):
557         (JSC::PropertyNode::needsSuperBinding):
558
559         * parser/Parser.cpp:
560         (JSC::Parser<LexerType>::parseFunctionBody):
561         (JSC::Parser<LexerType>::parseFunctionInfo): Throw a parser error if super() is used outside
562         of class constructors.
563         (JSC::Parser<LexerType>::parseFunctionDeclaration):
564         (JSC::Parser<LexerType>::parseClass): ConstructorKind is "derived" if and only if the parent
565         class is specified in the declaration / expression.
566         (JSC::Parser<LexerType>::parseGetterSetter):
567         (JSC::Parser<LexerType>::parsePrimaryExpression):
568         (JSC::Parser<LexerType>::parseMemberExpression): Added the support for "super()", "super.foo",
569         and "super['foo']". Throw a semantic error if "super" appears by itself.
570
571         * parser/Parser.h:
572         (JSC::Scope::Scope): Added m_hasDirectSuper. This variable keeps track of the use of "super()"
573         so that parseFunctionInfo can spit an error if it's used outside of class constructors.
574         (JSC::Scope::hasDirectSuper): Added.
575         (JSC::Scope::setHasDirectSuper): Added.
576
577         * parser/ParserModes.h:
578         (JSC::ConstructorKind): Added.
579
580         * parser/SyntaxChecker.h:
581         (JSC::SyntaxChecker::superExpr): Added.
582
583         * runtime/CommonIdentifiers.h: Added homeObjectPrivateName.
584
585         * runtime/Executable.h:
586         (JSC::EvalExecutable::executableInfo): 
587         (JSC::ProgramExecutable::executableInfo):
588
589 2015-03-08  Andreas Kling  <akling@apple.com>
590
591         JITThunks keeps finalized Weaks around, pinning WeakBlocks.
592         <https://webkit.org/b/142454>
593
594         Reviewed by Darin Adler.
595
596         Make JITThunks a WeakHandleOwner so it can keep its host function map free of stale entries.
597         This fixes an issue I was seeing where a bunch of WeakBlocks stuck around with nothing but
598         finalized Weak<NativeExecutable> entries.
599
600         * jit/JITThunks.h:
601         * jit/JITThunks.cpp:
602         (JSC::JITThunks::finalize): Make JITThunks inherit from WeakHandleOwner so it can receive
603         a callback when the NativeExecutables get garbage collected.
604
605         (JSC::JITThunks::hostFunctionStub): Pass 'this' as the handle owner when creating Weaks.
606
607 2015-03-08  Andreas Kling  <akling@apple.com>
608
609         BuiltinExecutables keeps finalized Weaks around, pinning WeakBlocks.
610         <https://webkit.org/b/142460>
611
612         Reviewed by Geoffrey Garen.
613
614         Make BuiltinExecutables a WeakHandleOwner so it can clear out its respective Weak members
615         if and when their pointees get garbage collected.
616
617         This fixes an issue I've seen locally where a WeakBlock is pinned down by a single one of
618         these Weak<BuiltinExecutables>.
619
620         * builtins/BuiltinExecutables.h: Make BuiltinExecutables inherit from WeakHandleOwner.
621
622         * builtins/BuiltinExecutables.cpp:
623         (JSC::BuiltinExecutables::finalize): Clear out the relevant member pointer when it's been
624         garbage collected. We use the WeakImpl's "context" field to pass the address of the member.
625
626 2015-03-07  Geoffrey Garen  <ggaren@apple.com>
627
628         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
629         https://bugs.webkit.org/show_bug.cgi?id=140900
630
631         Reviewed by Mark Hahnenberg.
632
633         Re-landing just the removal of BlockAllocator, which is now unused.
634
635         * API/JSBase.cpp:
636         * CMakeLists.txt:
637         * JavaScriptCore.order:
638         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
639         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
640         * JavaScriptCore.xcodeproj/project.pbxproj:
641         * heap/BlockAllocator.cpp: Removed.
642         * heap/BlockAllocator.h: Removed.
643         * heap/GCThreadSharedData.h:
644         * heap/HandleBlockInlines.h:
645         * heap/Heap.cpp:
646         (JSC::Heap::Heap):
647         * heap/Heap.h:
648         * heap/HeapInlines.h:
649         (JSC::Heap::blockAllocator): Deleted.
650         * heap/HeapTimer.cpp:
651         * heap/MarkedBlock.h:
652         * heap/MarkedSpace.h:
653         * heap/Region.h: Removed.
654         * heap/SuperRegion.cpp: Removed.
655         * heap/SuperRegion.h: Removed.
656
657 2015-03-07  Commit Queue  <commit-queue@webkit.org>
658
659         Unreviewed, rolling out r181010.
660         https://bugs.webkit.org/show_bug.cgi?id=142442
661
662         Broke media/video-src-invalid-poster.html (Requested by kling
663         on #webkit).
664
665         Reverted changeset:
666
667         "Stale entries in WeakGCMaps are keeping tons of WeakBlocks
668         alive unnecessarily."
669         https://bugs.webkit.org/show_bug.cgi?id=142115
670         http://trac.webkit.org/changeset/181010
671
672 2015-03-07  Ryosuke Niwa  <rniwa@webkit.org>
673
674         The code to link FunctionExecutable is duplicated everywhere
675         https://bugs.webkit.org/show_bug.cgi?id=142436
676
677         Reviewed by Darin Adler.
678
679         Reduced code duplication by factoring out linkInsideExecutable and linkGlobalCode.
680
681         * bytecode/CodeBlock.cpp:
682         (JSC::CodeBlock::CodeBlock): Calls linkInsideExecutable.
683
684         * bytecode/UnlinkedCodeBlock.cpp:
685         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Renamed from link. Now takes care of startOffset.
686         This change was needed to use this function in CodeBlock::CodeBlock. Also, this function no longer takes
687         lineOffset since this information is already stored in the source code.
688         (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Extracted from FunctionExecutable::fromGlobalCode.
689
690         * bytecode/UnlinkedCodeBlock.h:
691
692         * generate-js-builtins: Calls linkGlobalCode.
693
694         * runtime/Executable.cpp:
695         (JSC::ProgramExecutable::initializeGlobalProperties): Calls linkGlobalCode.
696         (JSC::FunctionExecutable::fromGlobalCode): Calls linkGlobalCode.
697
698 2015-03-06  Geoffrey Garen  <ggaren@apple.com>
699
700         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
701         https://bugs.webkit.org/show_bug.cgi?id=140900
702
703         Reviewed by Mark Hahnenberg.
704
705         Re-landing just the MarkedBlock piece of this patch.
706
707         * heap/MarkedAllocator.cpp:
708         (JSC::MarkedAllocator::allocateBlock):
709         * heap/MarkedBlock.cpp:
710         (JSC::MarkedBlock::create):
711         (JSC::MarkedBlock::destroy):
712         (JSC::MarkedBlock::MarkedBlock):
713         * heap/MarkedBlock.h:
714         (JSC::MarkedBlock::capacity):
715         * heap/MarkedSpace.cpp:
716         (JSC::MarkedSpace::freeBlock):
717
718 2015-03-07  Ryosuke Niwa  <rniwa@webkit.org>
719
720         fromGlobalCode has an unused Debugger* argument
721         https://bugs.webkit.org/show_bug.cgi?id=142430
722
723         Reviewed by Darin Adler.
724
725         Removed the debugger argument from UnlinkedFunctionExecutable::fromGlobalCode and
726         FunctionExecutable::fromGlobalCode since it's not used in either function.
727
728         Also use reference in other arguments.
729
730         * bytecode/UnlinkedCodeBlock.cpp:
731         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
732         * bytecode/UnlinkedCodeBlock.h:
733         * runtime/Executable.cpp:
734         (JSC::FunctionExecutable::fromGlobalCode):
735         * runtime/Executable.h:
736         * runtime/FunctionConstructor.cpp:
737         (JSC::constructFunctionSkippingEvalEnabledCheck):
738
739 2015-03-06  Brent Fulgham  <bfulgham@apple.com>
740
741         [Win] Turn off a warning on Windows.
742
743         Reduce build logging noise on Windows.
744
745         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
746
747 2015-03-06  Joseph Pecoraro  <pecoraro@apple.com>
748
749         Web Inspector: ES6: Improved Support for Iterator Objects
750         https://bugs.webkit.org/show_bug.cgi?id=142420
751
752         Reviewed by Timothy Hatcher.
753
754         * inspector/protocol/Runtime.json:
755         Add new object subtype "iterator" for built-in iterator objects.
756
757         * inspector/InjectedScriptSource.js:
758         Return iterator values as Entry objects.
759
760         * inspector/JSInjectedScriptHost.cpp:
761         (Inspector::JSInjectedScriptHost::subtype):
762         Identify "iterator" typed objects.
763
764         (Inspector::JSInjectedScriptHost::getInternalProperties):
765         Provide internal properties for the different Iterator objects.
766
767         (Inspector::JSInjectedScriptHost::iteratorEntries):
768         Fetch the next few iterator entries of a built-in iterator object.
769
770         * inspector/JSInjectedScriptHost.h:
771         * inspector/JSInjectedScriptHostPrototype.cpp:
772         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
773         (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
774         Call through to JSInjectedScriptHost.
775
776         * runtime/JSArgumentsIterator.cpp:
777         (JSC::JSArgumentsIterator::clone):
778         * runtime/JSArgumentsIterator.h:
779         (JSC::JSArgumentsIterator::iteratedValue):
780         * runtime/JSArrayIterator.cpp:
781         (JSC::JSArrayIterator::kind):
782         (JSC::JSArrayIterator::iteratedValue):
783         (JSC::JSArrayIterator::clone):
784         * runtime/JSArrayIterator.h:
785         * runtime/JSMapIterator.cpp:
786         (JSC::JSMapIterator::finishCreation):
787         (JSC::JSMapIterator::clone):
788         * runtime/JSMapIterator.h:
789         (JSC::JSMapIterator::kind):
790         (JSC::JSMapIterator::iteratedValue):
791         * runtime/JSSetIterator.cpp:
792         (JSC::JSSetIterator::finishCreation):
793         (JSC::JSSetIterator::clone):
794         * runtime/JSSetIterator.h:
795         (JSC::JSSetIterator::kind):
796         (JSC::JSSetIterator::iteratedValue):
797         * runtime/JSStringIterator.cpp:
798         (JSC::JSStringIterator::iteratedValue):
799         (JSC::JSStringIterator::clone):
800         * runtime/JSStringIterator.h:
801         Add accessors for internal properties and provide a way to clone the
802         iterator so we can be at the same index and peek at the next few
803         objects without modifying the original iterator object.
804
805 2015-03-06  Ryosuke Niwa  <rniwa@webkit.org>
806
807         REGRESSION(r180595): construct varargs fails in FTL
808         https://bugs.webkit.org/show_bug.cgi?id=142030
809
810         Reviewed by Michael Saboff.
811
812         Increase sizeOfCallVarargs as done for sizeOfConstructVarargs in r180651.
813
814         * ftl/FTLInlineCacheSize.cpp:
815         (JSC::FTL::sizeOfCallVarargs):
816
817 2015-03-06  Joseph Pecoraro  <pecoraro@apple.com>
818
819         Web Inspector: Adopt Object Literal Shorthand Property Construction Syntax
820         https://bugs.webkit.org/show_bug.cgi?id=142374
821
822         Reviewed by Timothy Hatcher.
823
824         * inspector/InjectedScriptSource.js:
825
826 2015-03-06  Joseph Pecoraro  <pecoraro@apple.com>
827
828         ES6: Object Literal Extensions - Methods
829         https://bugs.webkit.org/show_bug.cgi?id=142390
830
831         Reviewed by Geoffrey Garen.
832
833         Support method syntax in object literals.
834
835         * parser/Parser.h:
836         * parser/Parser.cpp:
837         (JSC::stringForFunctionMode):
838         (JSC::Parser<LexerType>::parseProperty):
839         Methods are allowed for identifier, string, and numeric names,
840         and computed property names.
841
842         (JSC::Parser<LexerType>::parsePropertyMethod):
843         Helper for parsing a property method.
844
845 2015-03-05  Joseph Pecoraro  <pecoraro@apple.com>
846
847         __proto__ shorthand property should not modify prototype in Object Literal construction
848         https://bugs.webkit.org/show_bug.cgi?id=142382
849
850         Reviewed by Geoffrey Garen.
851
852         When parsing shorthand property syntax we know we will do a
853         put direct, even if the property name is __proto__. Pass that
854         information through to bytecode generation.
855
856         * bytecompiler/BytecodeGenerator.cpp:
857         (JSC::BytecodeGenerator::emitDirectPutById):
858         * bytecompiler/BytecodeGenerator.h:
859         * bytecompiler/NodesCodegen.cpp:
860         (JSC::PropertyListNode::emitPutConstantProperty):
861         * parser/ASTBuilder.h:
862         (JSC::ASTBuilder::createGetterOrSetterProperty):
863         (JSC::ASTBuilder::createProperty):
864         * parser/NodeConstructors.h:
865         (JSC::PropertyNode::PropertyNode):
866         * parser/Nodes.h:
867         (JSC::PropertyNode::putType):
868         * parser/Parser.cpp:
869         (JSC::Parser<LexerType>::parseClass):
870         (JSC::Parser<LexerType>::parseProperty):
871         * parser/SyntaxChecker.h:
872         (JSC::SyntaxChecker::createProperty):
873
874 2015-03-06  Geoffrey Garen  <ggaren@apple.com>
875
876         Fix crashes seen on the the 32-bit buildbots after my last patch.
877
878         Unreviewed.
879
880         * heap/CopiedBlock.h:
881         (JSC::CopiedBlock::payload):
882         * heap/CopiedSpace.cpp:
883         (JSC::CopiedSpace::tryAllocateOversize): Round up to the right alignment,
884         since the size of the CopiedBlock class is not guaranteed to be the
885         right alignment, and is in fact the wrong alignment on 32-bit.
886
887 2015-03-05  Geoffrey Garen  <ggaren@apple.com>
888
889         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
890         https://bugs.webkit.org/show_bug.cgi?id=140900
891
892         Reviewed by Mark Hahnenberg.
893
894         Re-landing just the CopiedBlock piece of this patch.
895
896         * heap/CopiedBlock.h:
897         (JSC::CopiedBlock::createNoZeroFill):
898         (JSC::CopiedBlock::destroy):
899         (JSC::CopiedBlock::create):
900         (JSC::CopiedBlock::CopiedBlock):
901         (JSC::CopiedBlock::isOversize):
902         (JSC::CopiedBlock::payloadEnd):
903         (JSC::CopiedBlock::capacity):
904         * heap/CopiedSpace.cpp:
905         (JSC::CopiedSpace::~CopiedSpace):
906         (JSC::CopiedSpace::tryAllocateOversize):
907         (JSC::CopiedSpace::tryReallocateOversize):
908         * heap/CopiedSpaceInlines.h:
909         (JSC::CopiedSpace::recycleEvacuatedBlock):
910         (JSC::CopiedSpace::recycleBorrowedBlock):
911         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
912         (JSC::CopiedSpace::allocateBlock):
913         (JSC::CopiedSpace::startedCopying):
914         * heap/CopyWorkList.h:
915
916 2015-03-06  Myles C. Maxfield  <mmaxfield@apple.com>
917
918         [iOS] SVG fonts are garbled
919         https://bugs.webkit.org/show_bug.cgi?id=142377
920
921         Reviewed by Simon Fraser.
922
923         * Configurations/FeatureDefines.xcconfig:
924
925 2015-03-05  Joseph Pecoraro  <pecoraro@apple.com>
926
927         ES6: Object Literal Extensions - Shorthand Properties (Identifiers)
928         https://bugs.webkit.org/show_bug.cgi?id=142353
929
930         Reviewed by Geoffrey Garen.
931
932         * parser/Parser.cpp:
933         (JSC::Parser<LexerType>::parseProperty):
934         Parsing an identifier property followed by a comma or end brace treat
935         as a shorthand property and create a property that has the same
936         property name as the identifier name and value of a variable with that
937         identifier. Otherwise, fall through to getter/setter parsing.
938
939 2015-03-05  Brent Fulgham  <bfulgham@apple.com>
940
941         [Win] Unreviewed gardening.
942
943         Confirmed with JSC that warning 4611 (interaction between '_setjmp' and C++ object
944         destruction is non-portable) should be ignored in the JavaScriptCore project.
945
946         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Silence warning 4611.
947
948 2015-03-05  Chris Dumez  <cdumez@apple.com>
949
950         Regression(r173761): ASSERTION FAILED: !is8Bit() in StringImpl::characters16()
951         https://bugs.webkit.org/show_bug.cgi?id=142350
952
953         Reviewed by Michael Saboff and Benjamin Poulain.
954
955         Call WTFString::hasInfixStartingAt() / hasInfixEndingAt() now that these
956         methods have been renamed for clarity.
957
958         * runtime/StringPrototype.cpp:
959         (JSC::stringProtoFuncStartsWith):
960         (JSC::stringProtoFuncEndsWith):
961
962 2015-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
963
964         Implement ES6 StringIterator
965         https://bugs.webkit.org/show_bug.cgi?id=142080
966
967         Reviewed by Filip Pizlo.
968
969         This patch introduces ES6 String Iterator.
970         It enumerates code points instead of elements in String.
971         So surrogate pairs should be handled correctly.
972
973         * CMakeLists.txt:
974         * DerivedSources.make:
975         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
976         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
977         * JavaScriptCore.xcodeproj/project.pbxproj:
978         * builtins/StringIterator.prototype.js: Added.
979         (next):
980         * runtime/CommonIdentifiers.h:
981         * runtime/JSGlobalObject.cpp:
982         * runtime/JSGlobalObject.h:
983         * runtime/JSStringIterator.cpp: Added.
984         (JSC::JSStringIterator::finishCreation):
985         * runtime/JSStringIterator.h: Added.
986         (JSC::JSStringIterator::createStructure):
987         (JSC::JSStringIterator::create):
988         (JSC::JSStringIterator::JSStringIterator):
989         * runtime/StringIteratorConstructor.cpp: Added.
990         (JSC::StringIteratorConstructor::finishCreation):
991         * runtime/StringIteratorConstructor.h: Added.
992         (JSC::StringIteratorConstructor::create):
993         (JSC::StringIteratorConstructor::createStructure):
994         (JSC::StringIteratorConstructor::StringIteratorConstructor):
995         * runtime/StringIteratorPrototype.cpp: Added.
996         (JSC::StringIteratorPrototype::finishCreation):
997         (JSC::StringIteratorPrototype::getOwnPropertySlot):
998         (JSC::stringIteratorPrototypeIterator):
999         * runtime/StringIteratorPrototype.h: Added.
1000         (JSC::StringIteratorPrototype::create):
1001         (JSC::StringIteratorPrototype::createStructure):
1002         (JSC::StringIteratorPrototype::StringIteratorPrototype):
1003         * runtime/StringPrototype.cpp:
1004         (JSC::StringPrototype::finishCreation):
1005         (JSC::stringProtoFuncIterator):
1006         * tests/stress/string-iterators.js: Added.
1007         (testSurrogatePair):
1008         (increment):
1009         (for):
1010
1011 2015-03-05  Csaba Osztrogonác  <ossy@webkit.org>
1012
1013         [ARM] Fix the FTL build on Aarch64 Linux after r177421
1014         https://bugs.webkit.org/show_bug.cgi?id=142040
1015
1016         Reviewed by Mark Lam.
1017
1018         * llvm/library/LLVMExports.cpp:
1019         (initializeAndGetJSCLLVMAPI):
1020
1021 2015-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1022
1023         Upgrade ES6 Iterator interfaces
1024         https://bugs.webkit.org/show_bug.cgi?id=141351
1025
1026         Reviewed by Filip Pizlo.
1027
1028         This patch upgrades the exising ES6 iterator to align the latest spec.
1029         In the latest spec,
1030         1. `Iterator.next` returns object that implements IteratorResult interface { value: value, done, boolean }.
1031         2. `Iterator.return` is introduced. When the iteration is terminated by the abrupt completion,
1032         it is called to close iterator state.
1033         3. Iterator.next of Array is moved from an iterator object to `%ArrayIteratorPrototype%`.
1034
1035         To upgrade it, we changes the bytecode that represents for-of loops.
1036         And to embody the efficient iteration with an iterator object,
1037         we implemented %ArrayIteratorPrototype%.next in JavaScript and
1038         it is located in builtins/ArrayIterator.prototype.js.
1039         Implementing it in JavaScript encourages inlining and
1040         utilizes escape analysis for an iterator result object in DFG JIT.
1041         And we dropped the intrinsic version of %ArrayIteratorPrototype%.next.
1042
1043         And we introduced IteratorOperations that is defined in the spec.
1044         It aligns the iteration in the runtime to the latest spec.
1045         Currently, Promise.all and Promise.race uses an iterable object.
1046         However, Promise.all and Promise.race implementation is also based on the old spec.
1047         Subsequent patches will upgrade it.
1048
1049         * CMakeLists.txt:
1050         * DerivedSources.make:
1051         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1052         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1053         * JavaScriptCore.xcodeproj/project.pbxproj:
1054         * builtins/ArrayIterator.prototype.js: Copied from Source/JavaScriptCore/runtime/ArrayIteratorPrototype.h.
1055         (next):
1056         * bytecompiler/BytecodeGenerator.cpp:
1057         (JSC::BytecodeGenerator::emitReturn):
1058         (JSC::BytecodeGenerator::emitThrowTypeError):
1059         (JSC::BytecodeGenerator::emitEnumeration):
1060         (JSC::BytecodeGenerator::emitIsObject):
1061         (JSC::BytecodeGenerator::emitIsUndefined):
1062         * bytecompiler/BytecodeGenerator.h:
1063         * jit/ThunkGenerators.cpp:
1064         (JSC::arrayIteratorNextThunkGenerator): Deleted.
1065         (JSC::arrayIteratorNextKeyThunkGenerator): Deleted.
1066         (JSC::arrayIteratorNextValueThunkGenerator): Deleted.
1067         * jit/ThunkGenerators.h:
1068         * runtime/ArgumentsIteratorPrototype.cpp:
1069         (JSC::ArgumentsIteratorPrototype::finishCreation):
1070         (JSC::argumentsIteratorPrototypeFuncNext):
1071         * runtime/ArrayIteratorPrototype.cpp:
1072         (JSC::ArrayIteratorPrototype::finishCreation):
1073         (JSC::ArrayIteratorPrototype::getOwnPropertySlot):
1074         (JSC::arrayIteratorProtoFuncIterator):
1075         (JSC::arrayIteratorPrototypeIterate): Deleted.
1076         * runtime/ArrayIteratorPrototype.h:
1077         * runtime/CommonIdentifiers.h:
1078         * runtime/Intrinsic.h:
1079         * runtime/IteratorOperations.cpp: Added.
1080         (JSC::iteratorNext):
1081         (JSC::iteratorValue):
1082         (JSC::iteratorComplete):
1083         (JSC::iteratorStep):
1084         (JSC::iteratorClose):
1085         (JSC::createIterResultObject):
1086         * runtime/IteratorOperations.h: Copied from Source/JavaScriptCore/runtime/ArrayIteratorPrototype.cpp.
1087         * runtime/JSArrayIterator.cpp:
1088         (JSC::JSArrayIterator::finishCreation):
1089         (JSC::JSArrayIterator::visitChildren): Deleted.
1090         (JSC::createIteratorResult): Deleted.
1091         (JSC::arrayIteratorNext): Deleted.
1092         (JSC::arrayIteratorNextKey): Deleted.
1093         (JSC::arrayIteratorNextValue): Deleted.
1094         (JSC::arrayIteratorNextGeneric): Deleted.
1095         * runtime/JSArrayIterator.h:
1096         (JSC::JSArrayIterator::JSArrayIterator):
1097         (JSC::JSArrayIterator::iterationKind): Deleted.
1098         (JSC::JSArrayIterator::iteratedObject): Deleted.
1099         (JSC::JSArrayIterator::nextIndex): Deleted.
1100         (JSC::JSArrayIterator::setNextIndex): Deleted.
1101         (JSC::JSArrayIterator::finish): Deleted.
1102         (JSC::JSArrayIterator::offsetOfIterationKind): Deleted.
1103         (JSC::JSArrayIterator::offsetOfIteratedObject): Deleted.
1104         (JSC::JSArrayIterator::offsetOfNextIndex): Deleted.
1105         * runtime/JSGlobalObject.cpp:
1106         (JSC::JSGlobalObject::init):
1107         * runtime/JSPromiseConstructor.cpp:
1108         (JSC::performPromiseRaceLoop):
1109         (JSC::JSPromiseConstructorFuncRace):
1110         (JSC::performPromiseAll):
1111         (JSC::JSPromiseConstructorFuncAll):
1112         * runtime/MapIteratorPrototype.cpp:
1113         (JSC::MapIteratorPrototype::finishCreation):
1114         (JSC::MapIteratorPrototypeFuncNext):
1115         * runtime/SetIteratorPrototype.cpp:
1116         (JSC::SetIteratorPrototype::finishCreation):
1117         (JSC::SetIteratorPrototypeFuncNext):
1118         * runtime/VM.cpp:
1119         (JSC::thunkGeneratorForIntrinsic):
1120         * tests/stress/array-iterators-next-with-call.js: Added.
1121         (increment):
1122         (for):
1123         * tests/stress/array-iterators-next.js: Added.
1124
1125         Revive the older Array iterator tests that manually call 'next' method.
1126
1127         * tests/stress/custom-iterators.js: Added.
1128         (iter.next):
1129         (iter.Symbol.iterator):
1130         (iter.return):
1131         (iter.get next):
1132         (iter.get return):
1133         (iteratorInterfaceErrorTest.iter.next):
1134         (iteratorInterfaceErrorTest.iter.Symbol.iterator):
1135         (iteratorInterfaceErrorTest.iter.return):
1136         (iteratorInterfaceErrorTest):
1137         (iteratorInterfaceErrorTestReturn.iter.next):
1138         (iteratorInterfaceErrorTestReturn.iter.Symbol.iterator):
1139         (iteratorInterfaceErrorTestReturn.iter.return):
1140         (iteratorInterfaceErrorTestReturn):
1141         (iteratorInterfaceBreakTestReturn.iter.next):
1142         (iteratorInterfaceBreakTestReturn.iter.Symbol.iterator):
1143         (iteratorInterfaceBreakTestReturn.iter.return):
1144         (iteratorInterfaceBreakTestReturn):
1145
1146         This tests the behavior of custom iterators.
1147         'next' and 'return' of iterator work with for-of.
1148
1149         * tests/stress/iterators-shape.js: Added.
1150         (iteratorShape):
1151         (sameNextMethods):
1152         (set var):
1153
1154         This tests the shape of iterators; iterators of Array have 'next' method in %ArrayIteratorPrototype%.
1155
1156         * tests/stress/map-iterators-next.js: Added.
1157         (set var):
1158         (.get if):
1159         (otherKey):
1160         * tests/stress/set-iterators-next.js: Added.
1161         (otherKey):
1162
1163 2015-03-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1164
1165         Hide Promise with runtime flags under Cocoa JSContext API
1166         https://bugs.webkit.org/show_bug.cgi?id=141965
1167
1168         Reviewed by Filip Pizlo.
1169
1170         Since there's no run loop in JavaScriptCore APIs, Promises don't work currently.
1171         So until they work, we hide Promise from a global object.
1172         Introduce new JSC runtime flag, PromiseDisabled. When `isPromiseDisabled` is true,
1173         Promise constructor is not attached to JSGlobalObject.
1174
1175         To make 0 as default runtime flags, we choose PromiseDisabled flag
1176         instead of PromiseEnabled flag. So by default, Promise is enabled.
1177
1178         * API/JSCallbackObjectFunctions.h:
1179         (JSC::JSCallbackObject<Parent>::JSCallbackObject):
1180         * API/JSContextRef.cpp:
1181         (javaScriptRuntimeFlags):
1182         (JSGlobalContextCreateInGroup):
1183         * API/tests/testapi.c:
1184         (main):
1185         * API/tests/testapi.mm:
1186         (testObjectiveCAPI):
1187         * runtime/JSGlobalObject.cpp:
1188         (JSC::JSGlobalObject::init):
1189         * runtime/JSGlobalObject.h:
1190         (JSC::JSGlobalObject::create):
1191         * runtime/RuntimeFlags.h:
1192         (JSC::RuntimeFlags::createAllEnabled):
1193
1194 2015-03-04  Joseph Pecoraro  <pecoraro@apple.com>
1195
1196         Web Inspector: Array/Collection Sizes should be visible and distinct
1197         https://bugs.webkit.org/show_bug.cgi?id=142254
1198
1199         Reviewed by Timothy Hatcher.
1200
1201         * runtime/WeakMapData.h:
1202         (JSC::WeakMapData::size):
1203         * inspector/JSInjectedScriptHost.cpp:
1204         (Inspector::JSInjectedScriptHost::weakMapSize):
1205         * inspector/JSInjectedScriptHost.h:
1206         * inspector/JSInjectedScriptHostPrototype.cpp:
1207         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1208         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
1209         Add a way to get a WeakMap's size.
1210
1211         * inspector/protocol/Runtime.json:
1212         Include size in RemoteObject and ObjectPreview.
1213
1214         * inspector/InjectedScriptSource.js:
1215         Set the size of RemoteObjects and previews if they
1216         are array/collection types.
1217
1218 2015-03-04  Andreas Kling  <akling@apple.com>
1219
1220         GC should compute stack bounds and dump registers at the earliest opportunity.
1221         <https://webkit.org/b/142310>
1222         <rdar://problem/20045624>
1223
1224         Reviewed by Geoffrey Garen.
1225
1226         Make Heap::collect() a wrapper function around a collectImpl() where the work is actually done.
1227         The wrapper function that grabs a snapshot of the current stack boundaries and register values
1228         on entry, and sanitizes the stack on exit.
1229
1230         This is a speculative fix for what appears to be overly conservative behavior in the garbage
1231         collector following r178364 which caused a measurable regression in memory usage on Membuster.
1232         The theory being that we were putting pointers to dead things on the stack before scanning it,
1233         and by doing that ended up marking things that we'd otherwise discover to be garbage.
1234
1235         * heap/Heap.cpp:
1236         (JSC::Heap::markRoots):
1237         (JSC::Heap::gatherStackRoots):
1238         (JSC::Heap::collect):
1239         (JSC::Heap::collectImpl):
1240         * heap/Heap.h:
1241         * heap/MachineStackMarker.cpp:
1242         (JSC::MachineThreads::gatherFromCurrentThread):
1243         (JSC::MachineThreads::gatherConservativeRoots):
1244         * heap/MachineStackMarker.h:
1245
1246 2015-03-04  Debarshi Ray  <debarshir@gnome.org>
1247
1248         Silence GCC's -Wstrict-prototypes
1249         https://bugs.webkit.org/show_bug.cgi?id=142278
1250
1251         Reviewed by Alexey Proskuryakov.
1252
1253         * API/JSContextRef.h:
1254
1255 2015-03-04  Benjamin Poulain  <bpoulain@apple.com>
1256
1257         [JSC] Add a node for Math.log()
1258         https://bugs.webkit.org/show_bug.cgi?id=142126
1259
1260         Reviewed by Geoffrey Garen.
1261
1262         This patch adds the DFG node ArithLog for LogIntrinsic.
1263
1264         Having a direct call to log has very little value by itself, the implementation
1265         in DFG and FTL is a simple function call.
1266
1267         What is useful in ArithLog is that we know the operation is pure.
1268         This allow us to hoist it out of loops when the argument is independent
1269         is an invariant of the loop.
1270
1271         Perf wise, this patch gives:
1272         -Kraken's imaging-darkroom: definitely 1.2372x faster.
1273         -AsmBench's Towers.c: definitely 1.0261x faster.
1274
1275         * dfg/DFGAbstractInterpreterInlines.h:
1276         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1277         * dfg/DFGByteCodeParser.cpp:
1278         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1279         * dfg/DFGClobberize.h:
1280         (JSC::DFG::clobberize):
1281         * dfg/DFGDoesGC.cpp:
1282         (JSC::DFG::doesGC):
1283         * dfg/DFGFixupPhase.cpp:
1284         (JSC::DFG::FixupPhase::fixupNode):
1285         * dfg/DFGNodeType.h:
1286         * dfg/DFGPredictionPropagationPhase.cpp:
1287         (JSC::DFG::PredictionPropagationPhase::propagate):
1288         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1289         * dfg/DFGSafeToExecute.h:
1290         (JSC::DFG::safeToExecute):
1291         * dfg/DFGSpeculativeJIT.cpp:
1292         (JSC::DFG::SpeculativeJIT::compileArithLog):
1293         * dfg/DFGSpeculativeJIT.h:
1294         * dfg/DFGSpeculativeJIT32_64.cpp:
1295         (JSC::DFG::SpeculativeJIT::compile):
1296         * dfg/DFGSpeculativeJIT64.cpp:
1297         (JSC::DFG::SpeculativeJIT::compile):
1298         * ftl/FTLCapabilities.cpp:
1299         (JSC::FTL::canCompile):
1300         * ftl/FTLIntrinsicRepository.h:
1301         * ftl/FTLLowerDFGToLLVM.cpp:
1302         (JSC::FTL::LowerDFGToLLVM::compileNode):
1303         (JSC::FTL::LowerDFGToLLVM::compileArithLog):
1304         * ftl/FTLOutput.h:
1305         (JSC::FTL::Output::doubleLog):
1306         * tests/stress/math-log-basics.js: Added.
1307         * tests/stress/math-log-with-constants.js: Added.
1308
1309 2015-03-04  Filip Pizlo  <fpizlo@apple.com>
1310
1311         Only Heap should be in charge of deciding how to select a subspace for a type
1312         https://bugs.webkit.org/show_bug.cgi?id=142304
1313
1314         Reviewed by Mark Lam.
1315         
1316         This slightly reduces the code duplication for selecting subspace based on type, and what
1317         duplication is left is at least localized in HeapInlines.h. The immediate effect is that
1318         the DFG and FTL don't have to duplicate this pattern.
1319
1320         * dfg/DFGSpeculativeJIT.h:
1321         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1322         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
1323         * ftl/FTLLowerDFGToLLVM.cpp:
1324         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1325         * heap/Heap.h:
1326         * heap/HeapInlines.h:
1327         (JSC::Heap::allocateObjectOfType):
1328         (JSC::Heap::subspaceForObjectOfType):
1329         (JSC::Heap::allocatorForObjectOfType):
1330         * runtime/JSCellInlines.h:
1331         (JSC::allocateCell):
1332
1333 2015-03-04  Andreas Kling  <akling@apple.com>
1334
1335         Stale entries in WeakGCMaps are keeping tons of WeakBlocks alive unnecessarily.
1336         <https://webkit.org/b/142115>
1337         <rdar://problem/19992268>
1338
1339         Reviewed by Geoffrey Garen.
1340
1341         Prune stale entries from WeakGCMaps as part of every full garbage collection.
1342         This frees up tons of previously-stuck WeakBlocks that were only sitting around
1343         with finalized handles waiting to die.
1344
1345         Note that WeakGCMaps register/unregister themselves with the GC heap in their
1346         ctor/dtor, so creating one now requires passing the VM.
1347
1348         Average time spent in the PruningStaleEntriesFromWeakGCMaps GC phase appears
1349         to be between 0.01ms and 0.3ms, though I've seen a few longer ones at ~1.2ms.
1350         It seems somewhat excessive to do this on every Eden collection, so it's only
1351         doing work in full collections for now.
1352
1353         * API/JSWeakObjectMapRefInternal.h:
1354         (OpaqueJSWeakObjectMap::create):
1355         (OpaqueJSWeakObjectMap::OpaqueJSWeakObjectMap):
1356         * API/JSWeakObjectMapRefPrivate.cpp:
1357         * API/JSWrapperMap.mm:
1358         (-[JSWrapperMap initWithContext:]):
1359         (-[JSWrapperMap jsWrapperForObject:]): Pass VM to WeakGCMap constructor.
1360
1361         * JavaScriptCore.xcodeproj/project.pbxproj: Add WeakGCMapInlines.h and make
1362         it project-private so WebCore clients can access it.
1363
1364         * heap/Heap.cpp:
1365         (JSC::Heap::collect):
1366         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps): Added a new GC phase for pruning
1367         stale entries from WeakGCMaps. This is only executed during full collections.
1368
1369         * heap/Heap.h:
1370         * heap/HeapInlines.h:
1371         (JSC::Heap::registerWeakGCMap):
1372         (JSC::Heap::unregisterWeakGCMap): Added a mechanism for WeakGCMaps to register
1373         themselves with the Heap and provide a pruning callback.
1374
1375         * runtime/PrototypeMap.h:
1376         (JSC::PrototypeMap::PrototypeMap):
1377         * runtime/Structure.cpp:
1378         (JSC::StructureTransitionTable::add): Pass VM to WeakGCMap constructor.
1379
1380         * runtime/JSCInlines.h: Add "WeakGCMapInlines.h"
1381
1382         * runtime/JSGlobalObject.cpp: Include "WeakGCMapInlines.h" so this builds.
1383
1384         * runtime/VM.cpp:
1385         (JSC::VM::VM): Pass VM to WeakGCMap constructor.
1386
1387         * runtime/WeakGCMap.h:
1388         (JSC::WeakGCMap::set):
1389         (JSC::WeakGCMap::add):
1390         (JSC::WeakGCMap::WeakGCMap): Deleted.
1391         (JSC::WeakGCMap::gcMap): Deleted.
1392         (JSC::WeakGCMap::gcMapIfNeeded): Deleted.
1393         * runtime/WeakGCMapInlines.h: Added.
1394         (JSC::WeakGCMap::WeakGCMap):
1395         (JSC::WeakGCMap::~WeakGCMap):
1396         (JSC::WeakGCMap::pruneStaleEntries): Moved ctor, dtor and pruning callback
1397         to WeakGCMapInlines.h to fix interdependent header issues. Removed code that
1398         prunes WeakGCMap at certain growth milestones and instead rely on the GC
1399         callback for housekeeping.
1400
1401 2015-03-03  Filip Pizlo  <fpizlo@apple.com>
1402
1403         DFG IR should refer to FunctionExecutables directly and not via the CodeBlock
1404         https://bugs.webkit.org/show_bug.cgi?id=142229
1405
1406         Reviewed by Mark Lam and Benjamin Poulain.
1407         
1408         Anytime a DFG IR node refers to something in CodeBlock, it has three effects:
1409
1410         - Cumbersome API for accessing the thing that the node refers to.
1411         
1412         - Not obvious how to create a new such node after bytecode parsing, especially if the
1413           thing it refers to isn't already in the CodeBlock. We have done this in the past, but
1414           it usually involves subtle changes to CodeBlock.
1415         
1416         - Not obvious how to inline code that ends up using such nodes. Again, when we have done
1417           this, it involved subtle changes to CodeBlock.
1418         
1419         Prior to this change, the NewFunction* node types used an index into tables in CodeBlock.
1420         For this reason, those operations were not inlineable. But the functin tables in CodeBlock
1421         just point to FunctionExecutables, which are cells; this means that we can just abstract
1422         these operands in DFG IR as cellOperands. cellOperands use DFG::FrozenValue, which means
1423         that GC registration happens automagically. Even better, our dumping for cellOperand
1424         already did FunctionExecutable dumping - so that functionality gets to be deduplicated.
1425         
1426         Because this change increases the number of users of cellOperand, it also adds some
1427         convenience methods for using it. For example, whereas before you'd say things like:
1428         
1429             jsCast<Foo*>(node->cellOperand()->value())
1430         
1431         you can now just say:
1432         
1433             node->castOperand<Foo*>()
1434         
1435         This change also changes existing cellOperand users to use the new conveniance API when
1436         applicable.
1437
1438         * bytecode/CodeBlock.cpp:
1439         (JSC::CodeBlock::jettisonFunctionDeclsAndExprs):
1440         * bytecode/CodeBlock.h:
1441         * dfg/DFGByteCodeParser.cpp:
1442         (JSC::DFG::ByteCodeParser::parseBlock):
1443         * dfg/DFGCapabilities.cpp:
1444         (JSC::DFG::capabilityLevel):
1445         * dfg/DFGFrozenValue.h:
1446         (JSC::DFG::FrozenValue::cell):
1447         (JSC::DFG::FrozenValue::dynamicCast):
1448         (JSC::DFG::FrozenValue::cast):
1449         * dfg/DFGGraph.cpp:
1450         (JSC::DFG::Graph::dump):
1451         (JSC::DFG::Graph::registerFrozenValues):
1452         * dfg/DFGNode.h:
1453         (JSC::DFG::Node::hasCellOperand):
1454         (JSC::DFG::Node::castOperand):
1455         (JSC::DFG::Node::hasFunctionDeclIndex): Deleted.
1456         (JSC::DFG::Node::functionDeclIndex): Deleted.
1457         (JSC::DFG::Node::hasFunctionExprIndex): Deleted.
1458         (JSC::DFG::Node::functionExprIndex): Deleted.
1459         * dfg/DFGSpeculativeJIT.cpp:
1460         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
1461         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
1462         * dfg/DFGSpeculativeJIT32_64.cpp:
1463         (JSC::DFG::SpeculativeJIT::compile):
1464         * dfg/DFGSpeculativeJIT64.cpp:
1465         (JSC::DFG::SpeculativeJIT::compile):
1466         * dfg/DFGWatchpointCollectionPhase.cpp:
1467         (JSC::DFG::WatchpointCollectionPhase::handle):
1468         * ftl/FTLLowerDFGToLLVM.cpp:
1469         (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
1470         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
1471
1472 2015-03-03  Michael Saboff  <msaboff@apple.com>
1473
1474         DelayedReleaseScope drops locks during GC which can cause a thread switch and code reentry
1475         https://bugs.webkit.org/show_bug.cgi?id=141275
1476
1477         Reviewed by Geoffrey Garen.
1478
1479         The original issue is that the CodeCache uses an unsafe method to add new UnlinkedCodeBlocks.
1480         It basically adds a null UnlinkedCodeBlock if there isn't a cached entry and then later
1481         updates the null entry to the result of the compilation.  If during that compilation and
1482         related processing we need to garbage collect, the DelayedReleaseScope would drop locks
1483         possibly allowing another thread to try to get the same source out of the CodeCache.
1484         This second thread would find the null entry and crash.  The fix is to move the processing of
1485         DelayedReleaseScope to when we drop locks and not drop locks during GC.  That was done in
1486         the original patch with the new function releaseDelayedReleasedObjects().
1487
1488         Updated releaseDelayedReleasedObjects() so that objects are released with all locks
1489         dropped.  Now its processing follows these steps
1490             Increment recursion counter and do recursion check and exit if recursing
1491             While there are objects to release
1492                 ASSERT that lock is held by current thread
1493                 Take all items from delayed release Vector and put into temporary Vector
1494                 Release API lock
1495                 Release and clear items from temporary vector
1496                 Reaquire API lock
1497         This meets the requirement that we release while the API lock is released and it is
1498         safer processing of the delayed release Vector.
1499
1500         Added new regression test to testapi.
1501
1502         Also added comment describing how recursion into releaseDelayedReleasedObjects() is
1503         prevented.
1504
1505         * API/tests/Regress141275.h: Added.
1506         * API/tests/Regress141275.mm: Added.
1507         (+[JSTEvaluatorTask evaluatorTaskWithEvaluateBlock:completionHandler:]):
1508         (-[JSTEvaluator init]):
1509         (-[JSTEvaluator initWithScript:]):
1510         (-[JSTEvaluator _accessPendingTasksWithBlock:]):
1511         (-[JSTEvaluator insertSignPostWithCompletion:]):
1512         (-[JSTEvaluator evaluateScript:completion:]):
1513         (-[JSTEvaluator evaluateBlock:completion:]):
1514         (-[JSTEvaluator waitForTasksDoneAndReportResults]):
1515         (__JSTRunLoopSourceScheduleCallBack):
1516         (__JSTRunLoopSourcePerformCallBack):
1517         (__JSTRunLoopSourceCancelCallBack):
1518         (-[JSTEvaluator _jsThreadMain]):
1519         (-[JSTEvaluator _sourceScheduledOnRunLoop:]):
1520         (-[JSTEvaluator _setupEvaluatorThreadContextIfNeeded]):
1521         (-[JSTEvaluator _callCompletionHandler:ifNeededWithError:]):
1522         (-[JSTEvaluator _sourcePerform]):
1523         (-[JSTEvaluator _sourceCanceledOnRunLoop:]):
1524         (runRegress141275):
1525         * API/tests/testapi.mm:
1526         (testObjectiveCAPI):
1527         * JavaScriptCore.xcodeproj/project.pbxproj:
1528         * heap/Heap.cpp:
1529         (JSC::Heap::releaseDelayedReleasedObjects):
1530         * runtime/JSLock.cpp:
1531         (JSC::JSLock::unlock):
1532
1533 2015-03-03  Filip Pizlo  <fpizlo@apple.com>
1534
1535         DFG should constant fold GetScope, and accesses to the scope register in the ByteCodeParser should not pretend that it's a constant as that breaks OSR exit liveness tracking
1536         https://bugs.webkit.org/show_bug.cgi?id=106202
1537
1538         Rubber stamped by Benjamin Poulain.
1539         
1540         This fixes a bug discovered by working on https://bugs.webkit.org/show_bug.cgi?id=142229,
1541         which was in turn discovered by working on https://bugs.webkit.org/show_bug.cgi?id=141174.
1542         Our way of dealing with scopes known to be constant is very sketchy, and only really works
1543         when a function is inlined. When it is, we pretend that every load of the scopeRegister sees
1544         a constant. But this breaks the DFG's tracking of the liveness of the scopeRegister. The way
1545         this worked made us miss oppportunities for optimizing based on a constant scope, and it also
1546         meant that in some cases - particularly like when we inline code that uses NewFuction and
1547         friends, as I do in bug 142229 - it makes OSR exit think that the scope is dead even though
1548         it's most definitely alive and it's a constant.
1549         
1550         The problem here is that we were doing too many optimizations in the ByteCodeParser, and not
1551         later. Later optimization phases know how to preserve OSR exit liveness. They're actually
1552         really good at it. Also, later phases know how to infer that any variable is a constant no
1553         matter how that constant arose - rather than the inlining-specific thing in ByteCodeParser.
1554         
1555         This changes the ByteCodeParser to largely avoid doing constant folding on the scope, except
1556         making the GetScope operation itself a constant. This is a compilation-time hack for small
1557         functions, and it doesn't break the loads of local variables - so OSR exit liveness still
1558         sees that the scopeRegister is in use. This then adds a vastly more powerful GetScope and
1559         GetClosureVar constant folder in the AbstractInterpreter. This handles most general cases
1560         including those that arise in complex control flow. This will catch cases where the scope
1561         is constant for any number of reasons. Basically anytime that the callee is inferred constant
1562         this will give us a constant scope. Also, we still have the parse-time constant folding of
1563         ResolveScope based on the reentry watchpoint, which luckily did the right thing with respect
1564         to OSR exit liveness (it splats a Phantom on its inputs, and it produces a constant result
1565         which is then set() normally).
1566         
1567         This appears to be a broad speed-up, albeit a small one. But mainly it unblocks bug 142229,
1568         which then should unblock bug 141174.
1569
1570         * dfg/DFGAbstractInterpreterInlines.h:
1571         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1572         * dfg/DFGByteCodeParser.cpp:
1573         (JSC::DFG::ByteCodeParser::get):
1574         (JSC::DFG::ByteCodeParser::getLocal):
1575         (JSC::DFG::ByteCodeParser::parseBlock):
1576         (JSC::DFG::ByteCodeParser::parse):
1577         * dfg/DFGClobberize.h:
1578         (JSC::DFG::clobberize):
1579         * dfg/DFGDoesGC.cpp:
1580         (JSC::DFG::doesGC):
1581         * dfg/DFGFixupPhase.cpp:
1582         (JSC::DFG::FixupPhase::fixupNode):
1583         * dfg/DFGGraph.cpp:
1584         (JSC::DFG::Graph::tryGetConstantClosureVar):
1585         (JSC::DFG::Graph::tryGetRegisters):
1586         (JSC::DFG::Graph::tryGetActivation): Deleted.
1587         * dfg/DFGGraph.h:
1588         * dfg/DFGNode.h:
1589         (JSC::DFG::Node::hasVariableWatchpointSet):
1590         (JSC::DFG::Node::hasSymbolTable): Deleted.
1591         (JSC::DFG::Node::symbolTable): Deleted.
1592         * dfg/DFGNodeType.h:
1593         * dfg/DFGPredictionPropagationPhase.cpp:
1594         (JSC::DFG::PredictionPropagationPhase::propagate):
1595         * dfg/DFGSafeToExecute.h:
1596         (JSC::DFG::safeToExecute):
1597         * dfg/DFGSpeculativeJIT32_64.cpp:
1598         (JSC::DFG::SpeculativeJIT::compile):
1599         * dfg/DFGSpeculativeJIT64.cpp:
1600         (JSC::DFG::SpeculativeJIT::compile):
1601         * dfg/DFGWatchpointCollectionPhase.cpp:
1602         (JSC::DFG::WatchpointCollectionPhase::handle):
1603         * ftl/FTLCapabilities.cpp:
1604         (JSC::FTL::canCompile):
1605         * ftl/FTLLowerDFGToLLVM.cpp:
1606         (JSC::FTL::LowerDFGToLLVM::compileNode):
1607         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
1608         * runtime/SymbolTable.cpp:
1609         (JSC::SymbolTable::visitChildren):
1610         (JSC::SymbolTable::localToEntry):
1611         (JSC::SymbolTable::entryFor):
1612         * runtime/SymbolTable.h:
1613         (JSC::SymbolTable::add):
1614         (JSC::SymbolTable::set):
1615         * tests/stress/function-expression-exit.js: Added.
1616         * tests/stress/function-reentry-infer-on-self.js: Added.
1617         (thingy):
1618         * tests/stress/goofy-function-reentry-incorrect-inference.js: Added.
1619
1620 2015-03-03  Anders Carlsson  <andersca@apple.com>
1621
1622         Remove unused compression code
1623         https://bugs.webkit.org/show_bug.cgi?id=142237
1624
1625         Reviewed by Geoffrey Garen.
1626
1627         * bytecode/UnlinkedCodeBlock.h:
1628
1629 2015-03-03  Filip Pizlo  <fpizlo@apple.com>
1630
1631         JIT debugging features that selectively disable the JITs for code blocks need to stay out of the way of the critical path of JIT management
1632         https://bugs.webkit.org/show_bug.cgi?id=142234
1633
1634         Reviewed by Mark Lam and Benjamin Poulain.
1635         
1636         Long ago, we used to selectively disable compilation of CodeBlocks for debugging purposes by
1637         adding hacks to DFGDriver.cpp.  This was all well and good.  It used the existing
1638         CompilationFailed mode of the DFG driver to signal failure of CodeBlocks that we didn't want
1639         to compile.  That's great because CompilationFailed is a well-supported return value on the
1640         critical path, usually used for when we run out of JIT memory.
1641
1642         Later, this was moved into DFGCapabilities. This was basically incorrect. It introduced a bug
1643         where disabling compiling of a CodeBlock meant that we stopped inlining it as well.  So if
1644         you had a compiler bug that arose if foo was inlined into bar, and you bisected down to bar,
1645         then foo would no longer get inlined and you wouldn't see the bug.  That's busted.
1646
1647         So then we changed the code in DFGCapabilities to mark bar as CanCompile and foo as
1648         CanInline. Now, foo wouldn't get compiled alone but it would get inlined.
1649
1650         But then we removed CanCompile because that capability mode only existed for the purpose of
1651         our old varargs hacks.  After that removal, "CanInline" became CannotCompile.  This means
1652         that if you bisect down on bar in the "foo inlined into bar" case, you'll crash in the DFG
1653         because the baseline JIT wouldn't have known to insert profiling on foo.
1654
1655         We could fix this by bringing back CanInline.
1656
1657         But this is all a pile of nonsense.  The debug support to selectively disable compilation of
1658         some CodeBlocks shouldn't cross-cut our entire engine and should most certainly never involve
1659         adding new capability modes.  This support is a hack at best and is for use by JSC hackers
1660         only.  It should be as unintrusive as possible.
1661
1662         So, as in the ancient times, the only proper place to put this hack is in DFGDriver.cpp, and
1663         return CompilationFailed.  This is correct not just because it takes capability modes out of
1664         the picture (and obviates the need to introduce new ones), but also because it means that
1665         disabling compilation doesn't change the profiling mode of other CodeBlocks in the Baseline
1666         JIT.  Capability mode influences profiling mode which in turn influences code generation in
1667         the Baseline JIT, sometimes in very significant ways - like, we sometimes do additional
1668         double-to-int conversions in Baseline if we know that we might tier-up into the DFG, since
1669         this buys us more precise profiling.
1670         
1671         This change reduces the intrusiveness of debugging hacks by making them use the very simple
1672         CompilationFailed mechanism rather than trying to influence capability modes. Capability
1673         modes have very subtle effects on the whole engine, while CompilationFailed just makes the
1674         engine pretend like the DFG compilation will happen at timelike infinity. That makes these
1675         hacks much more likely to continue working as we make other changes to the system.
1676         
1677         This brings back the ability to bisect down onto a function bar when bar inlines foo. Prior
1678         to this change, we would crash in that case.
1679
1680         * dfg/DFGCapabilities.cpp:
1681         (JSC::DFG::isSupported):
1682         (JSC::DFG::mightCompileEval):
1683         (JSC::DFG::mightCompileProgram):
1684         (JSC::DFG::mightCompileFunctionForCall):
1685         (JSC::DFG::mightCompileFunctionForConstruct):
1686         * dfg/DFGCapabilities.h:
1687         * dfg/DFGDriver.cpp:
1688         (JSC::DFG::compileImpl):
1689
1690 2015-03-03  peavo@outlook.com  <peavo@outlook.com>
1691
1692         [Win64] JSC compile error.
1693         https://bugs.webkit.org/show_bug.cgi?id=142216
1694
1695         Reviewed by Mark Lam.
1696
1697         There is missing a version of setupArgumentsWithExecState when NUMBER_OF_ARGUMENT_REGISTERS == 4.
1698
1699         * jit/CCallHelpers.h:
1700         (JSC::CCallHelpers::setupArgumentsWithExecState):
1701
1702 2015-03-02  Filip Pizlo  <fpizlo@apple.com>
1703
1704         DFG compile time measurements should really report milliseconds
1705         https://bugs.webkit.org/show_bug.cgi?id=142209
1706
1707         Reviewed by Benjamin Poulain.
1708         
1709         Fix this to record milliseconds instead of seconds.
1710
1711         * dfg/DFGPlan.cpp:
1712         (JSC::DFG::Plan::compileInThread):
1713         (JSC::DFG::Plan::compileInThreadImpl):
1714
1715 2015-03-02  Filip Pizlo  <fpizlo@apple.com>
1716
1717         Remove op_get_callee, it's unused
1718         https://bugs.webkit.org/show_bug.cgi?id=142206
1719
1720         Reviewed by Andreas Kling.
1721         
1722         It's a bit of a shame that we stopped using this opcode since it gives us same-callee
1723         profiling. But, if we were to add this functionality back in, we would almost certainly do
1724         it by adding a JSFunction allocation watchpoint on FunctionExecutable.
1725
1726         * bytecode/BytecodeList.json:
1727         * bytecode/BytecodeUseDef.h:
1728         (JSC::computeUsesForBytecodeOffset):
1729         (JSC::computeDefsForBytecodeOffset):
1730         * bytecode/CodeBlock.cpp:
1731         (JSC::CodeBlock::dumpBytecode):
1732         (JSC::CodeBlock::finalizeUnconditionally):
1733         * dfg/DFGByteCodeParser.cpp:
1734         (JSC::DFG::ByteCodeParser::parseBlock):
1735         * dfg/DFGCapabilities.cpp:
1736         (JSC::DFG::capabilityLevel):
1737         * jit/JIT.cpp:
1738         (JSC::JIT::privateCompileMainPass):
1739         (JSC::JIT::privateCompileSlowCases):
1740         * jit/JIT.h:
1741         * jit/JITOpcodes.cpp:
1742         (JSC::JIT::emit_op_get_callee): Deleted.
1743         (JSC::JIT::emitSlow_op_get_callee): Deleted.
1744         * jit/JITOpcodes32_64.cpp:
1745         (JSC::JIT::emit_op_get_callee): Deleted.
1746         (JSC::JIT::emitSlow_op_get_callee): Deleted.
1747         * llint/LowLevelInterpreter32_64.asm:
1748         * llint/LowLevelInterpreter64.asm:
1749         * runtime/CommonSlowPaths.cpp:
1750         (JSC::SLOW_PATH_DECL): Deleted.
1751
1752 2015-03-02  Joseph Pecoraro  <pecoraro@apple.com>
1753
1754         Web Inspector: Context Menu to Log a Particular Object
1755         https://bugs.webkit.org/show_bug.cgi?id=142198
1756
1757         Reviewed by Timothy Hatcher.
1758
1759         Add a protocol method to assign a $n index to a value. For an object
1760         use the injected script context for that object. For a value, use
1761         the execution context to know where to save the value.
1762
1763         * inspector/InjectedScript.cpp:
1764         (Inspector::InjectedScript::saveResult):
1765         * inspector/InjectedScript.h:
1766         * inspector/InjectedScriptSource.js:
1767         * inspector/agents/InspectorRuntimeAgent.cpp:
1768         (Inspector::InspectorRuntimeAgent::saveResult):
1769         * inspector/agents/InspectorRuntimeAgent.h:
1770         * inspector/protocol/Debugger.json:
1771         * inspector/protocol/Runtime.json:
1772
1773 2015-03-02  Filip Pizlo  <fpizlo@apple.com>
1774
1775         SpeculativeJIT::emitAllocateArguments() should be a bit faster, and shouldn't do destructor initialization
1776         https://bugs.webkit.org/show_bug.cgi?id=142197
1777
1778         Reviewed by Geoffrey Garen.
1779
1780         * dfg/DFGSpeculativeJIT.cpp:
1781         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Use shift instead of mul, since mul doesn't automatically strength-reduce to shift. Also pass the structure as a TrustedImmPtr.
1782         * dfg/DFGSpeculativeJIT.h:
1783         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject): Rationalize this a bit. The other emitAllocate... methods take a templated structure so that it can be either a TrustedImmPtr or a register. Also don't do destructor initialization, since its one client doesn't need it, and it's actually probably wrong.
1784
1785 2015-03-02  Mark Lam  <mark.lam@apple.com>
1786
1787         Exception stack unwinding in JSC hangs while the Timeline Profiler is enabled.
1788         <https://webkit.org/b/142191>
1789
1790         Reviewed by Geoffrey Garen.
1791
1792         Imagine a scenario where the Inspector is paused / suspended at a breakpoint or
1793         while the user is stepping through JS code. The user then tries to evaluate an
1794         expression in the console, and that evaluation results in an exception being
1795         thrown. Currently, if the Timeline Profiler is enabled while this exception is
1796         being thrown, the WebProcess will hang while trying to handle that exception.
1797
1798         The issue is that the Timeline Profiler's ProfileGenerator::didExecute() will
1799         return early and decline to process ProfileNodes if the Inspector is paused.
1800         This is proper because it does not want to count work done for injected scripts
1801         (e.g. from the console) towards the timeline profile of the webpage being run.
1802         However, this is in conflict with ProfileGenerator::exceptionUnwind()'s
1803         expectation that didExecute() will process ProfileNodes in order to do the stack
1804         unwinding for the exception handling. As a result,
1805         ProfileGenerator::exceptionUnwind() hangs.
1806
1807         ProfileGenerator::exceptionUnwind() is in error. While the Inspector is paused,
1808         there will not be any ProfileNodes that it needs to "unwind". Hence, the fix is
1809         simply to return early also in ProfileGenerator::exceptionUnwind() if the
1810         Inspector is paused.
1811
1812         * profiler/ProfileGenerator.cpp:
1813         (JSC::ProfileGenerator::exceptionUnwind):
1814
1815 2015-03-02  Filip Pizlo  <fpizlo@apple.com>
1816
1817         FTL should correctly document where it puts the argument count for inlined varargs frames
1818         https://bugs.webkit.org/show_bug.cgi?id=142187
1819
1820         Reviewed by Geoffrey Garn.
1821         
1822         After LLVM tells us where the captured variables alloca landed in the frame, we need to
1823         tell all of our meta-data about it. We were forgetting to do so for the argument count
1824         register, which is used by inlined varargs calls.
1825
1826         * ftl/FTLCompile.cpp:
1827         (JSC::FTL::mmAllocateDataSection):
1828         * tests/stress/inline-varargs-get-arguments.js: Added.
1829         (foo):
1830         (bar):
1831         (baz):
1832
1833 2015-03-02  Filip Pizlo  <fpizlo@apple.com>
1834
1835         Deduplicate slow path calling code in JITOpcodes.cpp/JITOpcodes32_64.cpp
1836         https://bugs.webkit.org/show_bug.cgi?id=142184
1837
1838         Reviewed by Michael Saboff.
1839
1840         * jit/JITOpcodes.cpp:
1841         (JSC::JIT::emit_op_get_enumerable_length):
1842         (JSC::JIT::emitSlow_op_has_structure_property):
1843         (JSC::JIT::emit_op_has_generic_property):
1844         (JSC::JIT::emit_op_get_structure_property_enumerator):
1845         (JSC::JIT::emit_op_get_generic_property_enumerator):
1846         (JSC::JIT::emit_op_to_index_string):
1847         * jit/JITOpcodes32_64.cpp:
1848         (JSC::JIT::emit_op_get_enumerable_length): Deleted.
1849         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
1850         (JSC::JIT::emit_op_has_generic_property): Deleted.
1851         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
1852         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
1853         (JSC::JIT::emit_op_to_index_string): Deleted.
1854         (JSC::JIT::emit_op_profile_control_flow): Deleted.
1855
1856 2015-03-02  Antti Koivisto  <antti@apple.com>
1857
1858         Add way to dump cache meta data to file
1859         https://bugs.webkit.org/show_bug.cgi?id=142183
1860
1861         Reviewed by Andreas Kling.
1862
1863         Export appendQuotedJSONStringToBuilder.
1864
1865         * bytecompiler/NodesCodegen.cpp:
1866         (JSC::ObjectPatternNode::toString):
1867         * runtime/JSONObject.cpp:
1868         (JSC::appendQuotedJSONStringToBuilder):
1869         (JSC::Stringifier::appendQuotedString):
1870         (JSC::escapeStringToBuilder): Deleted.
1871         * runtime/JSONObject.h:
1872
1873 2015-03-02  Joseph Pecoraro  <pecoraro@apple.com>
1874
1875         Web Inspector: Add Context Menus to Object Tree properties
1876         https://bugs.webkit.org/show_bug.cgi?id=142125
1877
1878         Reviewed by Timothy Hatcher.
1879
1880         * inspector/JSInjectedScriptHost.cpp:
1881         (Inspector::JSInjectedScriptHost::functionDetails):
1882         Update to include columnNumber.
1883
1884 2015-03-01  Filip Pizlo  <fpizlo@apple.com>
1885
1886         BytecodeGenerator shouldn't emit op_resolve_scope as a roundabout way of returning the scopeRegister
1887         https://bugs.webkit.org/show_bug.cgi?id=142153
1888
1889         Reviewed by Michael Saboff.
1890         
1891         We don't need a op_resolve_scope if we know that it will simply return the scope register.
1892         This changes the BytecodeGenerator to use the scope register directly in those cases where
1893         we know statically that we would just have returned that from op_resolve_scope.
1894         
1895         This doesn't appear to have a significant impact on performance.
1896
1897         * bytecode/CodeBlock.cpp:
1898         (JSC::CodeBlock::CodeBlock):
1899         * bytecompiler/BytecodeGenerator.cpp:
1900         (JSC::BytecodeGenerator::emitResolveScope):
1901         (JSC::BytecodeGenerator::emitReturn):
1902         (JSC::BytecodeGenerator::emitGetOwnScope): Deleted.
1903         * bytecompiler/BytecodeGenerator.h:
1904         * bytecompiler/NodesCodegen.cpp:
1905         (JSC::ResolveNode::emitBytecode):
1906         (JSC::EvalFunctionCallNode::emitBytecode):
1907         (JSC::FunctionCallResolveNode::emitBytecode):
1908         (JSC::PostfixNode::emitResolve):
1909         (JSC::DeleteResolveNode::emitBytecode):
1910         (JSC::TypeOfResolveNode::emitBytecode):
1911         (JSC::PrefixNode::emitResolve):
1912         (JSC::ReadModifyResolveNode::emitBytecode):
1913         (JSC::AssignResolveNode::emitBytecode):
1914         (JSC::ConstDeclNode::emitCodeSingle):
1915         (JSC::EmptyVarExpression::emitBytecode):
1916         (JSC::ForInNode::emitLoopHeader):
1917         (JSC::ForOfNode::emitBytecode):
1918         (JSC::BindingNode::bindValue):
1919
1920 2015-02-27  Benjamin Poulain  <bpoulain@apple.com>
1921
1922         [JSC] Use the way number constants are written to help type speculation
1923         https://bugs.webkit.org/show_bug.cgi?id=142072
1924
1925         Reviewed by Filip Pizlo.
1926
1927         This patch changes how we interpret numeric constant based on how they appear
1928         in the source.
1929
1930         Constants that are integers but written with a decimal point now carry that information
1931         to the optimizating tiers. From there, we use that to be more aggressive about typing
1932         math operations toward double operations.
1933
1934         For example, in:
1935             var a = x + 1.0;
1936             var b = y + 1;
1937         The Add for a would be biased toward doubles, the Add for b would speculate
1938         integer as usual.
1939
1940
1941         The gains are tiny but this is a prerequisite to make my next patch useful:
1942         -SunSpider's access-fannkuch: definitely 1.0661x faster
1943         -SunSpider's math-cordic: definitely 1.0266x slower
1944             overal: might be 1.0066x slower.
1945         -Kraken's imaging-darkroom: definitely 1.0333x faster.
1946
1947         * parser/Lexer.cpp:
1948         (JSC::tokenTypeForIntegerLikeToken):
1949         (JSC::Lexer<T>::lex):
1950         The lexer now create two types of tokens for number: INTEGER and DOUBLE.
1951         Those token types only carry information about how the values were
1952         entered, an INTEGER does not have to be an integer, it is only written like one.
1953         Large integer still end up represented as double in memory.
1954
1955         One trap I fell into was typing numbers like 12e3 as double. This kind of literal
1956         is frequently used in integer-typed code, while 12.e3 would appear in double-typed
1957         code.
1958         Because of that, the only signals for double are: decimal point, negative zero,
1959         and ridiculously large values.
1960
1961         * parser/NodeConstructors.h:
1962         (JSC::DoubleNode::DoubleNode):
1963         (JSC::IntegerNode::IntegerNode):
1964         * parser/Nodes.h:
1965         (JSC::NumberNode::value):
1966         (JSC::NumberNode::setValue): Deleted.
1967         Number get specialized in two new kind of nodes in the AST: IntegerNode and DoubleNode.
1968
1969         * bytecompiler/NodesCodegen.cpp:
1970         (JSC::NumberNode::emitBytecode):
1971
1972         * parser/ASTBuilder.h:
1973         (JSC::ASTBuilder::createDoubleExpr):
1974         (JSC::ASTBuilder::createIntegerExpr):
1975         (JSC::ASTBuilder::createIntegerLikeNumber):
1976         (JSC::ASTBuilder::createDoubleLikeNumber):
1977         (JSC::ASTBuilder::createNumberFromBinaryOperation):
1978         (JSC::ASTBuilder::createNumberFromUnaryOperation):
1979         (JSC::ASTBuilder::makeNegateNode):
1980         (JSC::ASTBuilder::makeBitwiseNotNode):
1981         (JSC::ASTBuilder::makeMultNode):
1982         (JSC::ASTBuilder::makeDivNode):
1983         (JSC::ASTBuilder::makeModNode):
1984         (JSC::ASTBuilder::makeAddNode):
1985         (JSC::ASTBuilder::makeSubNode):
1986         (JSC::ASTBuilder::makeLeftShiftNode):
1987         (JSC::ASTBuilder::makeRightShiftNode):
1988         (JSC::ASTBuilder::makeURightShiftNode):
1989         (JSC::ASTBuilder::makeBitOrNode):
1990         (JSC::ASTBuilder::makeBitAndNode):
1991         (JSC::ASTBuilder::makeBitXOrNode):
1992         (JSC::ASTBuilder::createNumberExpr): Deleted.
1993         (JSC::ASTBuilder::createNumber): Deleted.
1994         The AST has some optimization to resolve constants before emitting bytecode.
1995         In the new code, the intger representation is kept if both operands where
1996         also represented as integers.
1997
1998         * parser/Parser.cpp:
1999         (JSC::Parser<LexerType>::parseDeconstructionPattern):
2000         (JSC::Parser<LexerType>::parseProperty):
2001         (JSC::Parser<LexerType>::parseGetterSetter):
2002         (JSC::Parser<LexerType>::parsePrimaryExpression):
2003         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2004         * parser/ParserTokens.h:
2005         * parser/SyntaxChecker.h:
2006         (JSC::SyntaxChecker::createDoubleExpr):
2007         (JSC::SyntaxChecker::createIntegerExpr):
2008         (JSC::SyntaxChecker::createNumberExpr): Deleted.
2009
2010         * bytecode/CodeBlock.cpp:
2011         (JSC::CodeBlock::registerName):
2012         (JSC::CodeBlock::constantName):
2013         Change constantName(r, getConstant(r)) -> constantName(r) to simplify
2014         the dump code.
2015
2016         (JSC::CodeBlock::dumpBytecode):
2017         Dump thre soure representation information we have with each constant.
2018
2019         (JSC::CodeBlock::CodeBlock):
2020         (JSC::CodeBlock::shrinkToFit):
2021         (JSC::constantName): Deleted.
2022         * bytecode/CodeBlock.h:
2023         (JSC::CodeBlock::constantsSourceCodeRepresentation):
2024         (JSC::CodeBlock::addConstant):
2025         (JSC::CodeBlock::addConstantLazily):
2026         (JSC::CodeBlock::constantSourceCodeRepresentation):
2027         (JSC::CodeBlock::setConstantRegisters):
2028
2029         * bytecode/UnlinkedCodeBlock.h:
2030         (JSC::UnlinkedCodeBlock::addConstant):
2031         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation):
2032         (JSC::UnlinkedCodeBlock::shrinkToFit):
2033
2034         * bytecompiler/BytecodeGenerator.cpp:
2035         (JSC::BytecodeGenerator::addConstantValue):
2036         (JSC::BytecodeGenerator::emitLoad):
2037         * bytecompiler/BytecodeGenerator.h:
2038         We have to differentiate between constants that have the same values but are
2039         represented differently in the source. Values like 1.0 and 1 now end up
2040         as different constants.
2041
2042         * dfg/DFGByteCodeParser.cpp:
2043         (JSC::DFG::ByteCodeParser::get):
2044         (JSC::DFG::ByteCodeParser::addConstantToGraph):
2045         * dfg/DFGGraph.cpp:
2046         (JSC::DFG::Graph::registerFrozenValues):
2047         * dfg/DFGGraph.h:
2048         (JSC::DFG::Graph::addSpeculationMode):
2049         (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
2050         ArithAdd is very aggressive toward using Int52, which is quite useful
2051         in many benchmarks.
2052
2053         Here we need to specialize to make sure we don't force our literals
2054         to Int52 if there were represented as double.
2055
2056         There is one exception to that rule: when the other operand is guaranteed
2057         to come from a NodeResultInt32. This is because there is some weird code
2058         doing stuff like:
2059             var b = a|0;
2060             var c = b*2.0;
2061
2062         * dfg/DFGNode.h:
2063         (JSC::DFG::Node::Node):
2064         (JSC::DFG::Node::setOpAndDefaultFlags):
2065         (JSC::DFG::Node::sourceCodeRepresentation):
2066         * dfg/DFGPredictionPropagationPhase.cpp:
2067         (JSC::DFG::PredictionPropagationPhase::propagate):
2068         * runtime/JSCJSValue.h:
2069         (JSC::EncodedJSValueWithRepresentationHashTraits::emptyValue):
2070         (JSC::EncodedJSValueWithRepresentationHashTraits::constructDeletedValue):
2071         (JSC::EncodedJSValueWithRepresentationHashTraits::isDeletedValue):
2072         (JSC::EncodedJSValueWithRepresentationHash::hash):
2073         (JSC::EncodedJSValueWithRepresentationHash::equal):
2074         * tests/stress/arith-add-with-constants.js: Added.
2075         * tests/stress/arith-mul-with-constants.js: Added.
2076
2077 2015-02-26  Filip Pizlo  <fpizlo@apple.com>
2078
2079         Unreviewed, roll out r180723. It broke a bunch of tests.
2080
2081         * bytecompiler/BytecodeGenerator.cpp:
2082         (JSC::BytecodeGenerator::constLocal):
2083         * bytecompiler/BytecodeGenerator.h:
2084         * bytecompiler/NodesCodegen.cpp:
2085         (JSC::ConstDeclNode::emitCodeSingle):
2086         * tests/stress/const-arguments.js: Removed.
2087
2088 2015-02-26  Mark Lam  <mark.lam@apple.com>
2089
2090         Assertion fix for r180711: The bool returning form of BytecodeGenerator::addVar() can be removed.
2091         <https://webkit.org/b/142064>
2092
2093         Reviewed by Joseph Pecoraro.
2094
2095         * bytecompiler/BytecodeGenerator.cpp:
2096         (JSC::BytecodeGenerator::addVar):
2097
2098 2015-02-26  Mark Lam  <mark.lam@apple.com>
2099
2100         MachineThreads::Thread clean up has a use after free race condition.
2101         <https://webkit.org/b/141990>
2102
2103         Reviewed by Filip Pizlo.
2104
2105         MachineThreads::Thread clean up relies on the clean up mechanism
2106         implemented in _pthread_tsd_cleanup_key(), which looks like this:
2107
2108         void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
2109         {
2110             void (*destructor)(void *);
2111             if (_pthread_key_get_destructor(key, &destructor)) {
2112                 void **ptr = &self->tsd[key];
2113                 void *value = *ptr;
2114
2115             // === Start of window for the bug to manifest =================
2116
2117                 // At this point, this thread has cached "destructor" and "value"
2118                 // (which is a MachineThreads*).  If the VM gets destructed (along
2119                 // with its MachineThreads registry) by another thread, then this
2120                 // thread will have no way of knowing that the MachineThreads* is
2121                 // now pointing to freed memory.  Calling the destructor below will
2122                 // therefore result in a use after free scenario when it tries to
2123                 // access the MachineThreads' data members.
2124
2125                 if (value) {
2126                     *ptr = NULL;
2127                     if (destructor) {
2128
2129             // === End of window for the bug to manifest ==================
2130
2131                         destructor(value);
2132                     }
2133                 }
2134             }
2135         }
2136
2137         The fix is to add each active MachineThreads to an ActiveMachineThreadsManager,
2138         and always check if the manager still contains that MachineThreads object
2139         before we call removeCurrentThread() on it.  When MachineThreads is destructed,
2140         it will remove itself from the manager.  The add, remove, and checking
2141         operations are all synchronized on the manager's lock, thereby ensuring that
2142         the MachineThreads object, if found in the manager, will remain alive for the
2143         duration of time we call removeCurrentThread() on it.
2144
2145         There's also possible for the MachineThreads object to already be destructed
2146         and another one happened to have been instantiated at the same address.
2147         Hence, we should only remove the exiting thread if it is found in the
2148         MachineThreads object.
2149
2150         There is no test for this issue because this bug requires a race condition
2151         between 2 threads where:
2152         1. Thread B, which had previously used the VM, exiting and
2153            getting to the bug window shown in _pthread_tsd_cleanup_key() above.
2154         2. Thread A destructing the VM (and its MachineThreads object)
2155            within that window of time before Thread B calls the destructor.
2156
2157         It is not possible to get a reliable test case without invasively
2158         instrumenting _pthread_tsd_cleanup_key() or MachineThreads::removeCurrentThread()
2159         to significantly increase that window of opportunity.
2160
2161         * heap/MachineStackMarker.cpp:
2162         (JSC::ActiveMachineThreadsManager::Locker::Locker):
2163         (JSC::ActiveMachineThreadsManager::add):
2164         (JSC::ActiveMachineThreadsManager::remove):
2165         (JSC::ActiveMachineThreadsManager::contains):
2166         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
2167         (JSC::activeMachineThreadsManager):
2168         (JSC::MachineThreads::MachineThreads):
2169         (JSC::MachineThreads::~MachineThreads):
2170         (JSC::MachineThreads::removeThread):
2171         (JSC::MachineThreads::removeThreadIfFound):
2172         (JSC::MachineThreads::removeCurrentThread): Deleted.
2173         * heap/MachineStackMarker.h:
2174
2175 2015-02-26  Joseph Pecoraro  <pecoraro@apple.com>
2176
2177         Web Inspector: Save Console Evaluations into Command Line variables $1-$99 ($n)
2178         https://bugs.webkit.org/show_bug.cgi?id=142061
2179
2180         Reviewed by Timothy Hatcher.
2181
2182         * inspector/protocol/Debugger.json:
2183         * inspector/protocol/Runtime.json:
2184         Input flag "saveResult" on whether we should try to save a result.
2185         Output int "savedResultIndex" to tell the frontend the saved state.
2186
2187         * inspector/InjectedScriptSource.js:
2188         Handle saving and clearing $1-$99 values.
2189         Include in BasicCommandLineAPI for JSContext inspection.
2190
2191         * inspector/InjectedScriptBase.cpp:
2192         (Inspector::InjectedScriptBase::makeEvalCall):
2193         * inspector/InjectedScriptBase.h:
2194         Allow an optional "savedResultIndex" out value on evals.
2195
2196         * inspector/InjectedScript.cpp:
2197         (Inspector::InjectedScript::evaluate):
2198         (Inspector::InjectedScript::evaluateOnCallFrame):
2199         * inspector/InjectedScript.h:
2200         * inspector/agents/InspectorDebuggerAgent.cpp:
2201         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
2202         * inspector/agents/InspectorDebuggerAgent.h:
2203         * inspector/agents/InspectorRuntimeAgent.cpp:
2204         (Inspector::InspectorRuntimeAgent::evaluate):
2205         * inspector/agents/InspectorRuntimeAgent.h:
2206         Plumbing for new in and out parameters.
2207
2208 2015-02-26  Filip Pizlo  <fpizlo@apple.com>
2209
2210         The bool returning form of BytecodeGenerator::addVar() can be removed
2211         https://bugs.webkit.org/show_bug.cgi?id=142064
2212
2213         Reviewed by Mark Lam.
2214         
2215         It's easier to implement addVar() when you don't have to return whether it's a new
2216         variable or not.
2217
2218         * bytecompiler/BytecodeGenerator.cpp:
2219         (JSC::BytecodeGenerator::addVar):
2220         * bytecompiler/BytecodeGenerator.h:
2221         (JSC::BytecodeGenerator::addVar): Deleted.
2222
2223 2015-02-26  Filip Pizlo  <fpizlo@apple.com>
2224
2225         Various array access corner cases should take OSR exit feedback
2226         https://bugs.webkit.org/show_bug.cgi?id=142056
2227
2228         Reviewed by Geoffrey Garen.
2229         
2230         Two major changes here:
2231         
2232         - Don't keep converting GetById into GetArrayLength if we exited due to any kind of array
2233           type check.
2234         
2235         - Use a generic form of GetByVal/PutByVal if we exited due to any kind of exotic checks,
2236           like the Arguments safety checks. We use the "ExoticObjectMode" for out-of-bounds on
2237           arguments for now, since it's a convenient way of forcing out-of-bounds to be handled by
2238           the Generic array mode.
2239
2240         * bytecode/ExitKind.cpp:
2241         (JSC::exitKindToString):
2242         * bytecode/ExitKind.h:
2243         * dfg/DFGArrayMode.cpp:
2244         (JSC::DFG::ArrayMode::refine):
2245         * dfg/DFGFixupPhase.cpp:
2246         (JSC::DFG::FixupPhase::fixupNode):
2247         * dfg/DFGSpeculativeJIT.cpp:
2248         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2249         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
2250         * tests/stress/array-length-array-storage-plain-object.js: Added.
2251         (foo):
2252         * tests/stress/array-length-plain-object.js: Added.
2253         (foo):
2254
2255 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
2256
2257         DFG SSA stack accesses shouldn't speak of VariableAccessDatas
2258         https://bugs.webkit.org/show_bug.cgi?id=142036
2259
2260         Reviewed by Michael Saboff.
2261         
2262         VariableAccessData is a useful thing in LoadStore and ThreadedCPS, but it's purely harmful in
2263         SSA because you can't cook up new VariableAccessDatas. So, if you know that you want to load
2264         or store to the stack, and you know what format to use as well as the location, then prior to
2265         this patch you couldn't do it unless you found some existing VariableAccessData that matched
2266         your requirements. That can be a hard task.
2267         
2268         It's better if SSA doesn't speak of VariableAccessDatas but instead just has stack accesses
2269         that speak of the things that a stack access needs: local, machineLocal, and format. This
2270         patch changes the SSA way of accessing the stack to do just that.
2271         
2272         Also add more IR validation.
2273
2274         * CMakeLists.txt:
2275         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2276         * JavaScriptCore.xcodeproj/project.pbxproj:
2277         * dfg/DFGAbstractInterpreterInlines.h:
2278         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2279         * dfg/DFGClobberize.h:
2280         (JSC::DFG::clobberize):
2281         * dfg/DFGConstantFoldingPhase.cpp:
2282         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2283         * dfg/DFGDoesGC.cpp:
2284         (JSC::DFG::doesGC):
2285         * dfg/DFGFixupPhase.cpp:
2286         (JSC::DFG::FixupPhase::fixupNode):
2287         * dfg/DFGFlushFormat.h:
2288         (JSC::DFG::isConcrete):
2289         * dfg/DFGGraph.cpp:
2290         (JSC::DFG::Graph::dump):
2291         * dfg/DFGGraph.h:
2292         * dfg/DFGMayExit.cpp:
2293         (JSC::DFG::mayExit):
2294         * dfg/DFGNode.cpp:
2295         (JSC::DFG::Node::hasVariableAccessData):
2296         * dfg/DFGNode.h:
2297         (JSC::DFG::StackAccessData::StackAccessData):
2298         (JSC::DFG::StackAccessData::flushedAt):
2299         (JSC::DFG::Node::convertToPutStack):
2300         (JSC::DFG::Node::convertToGetStack):
2301         (JSC::DFG::Node::hasUnlinkedLocal):
2302         (JSC::DFG::Node::hasStackAccessData):
2303         (JSC::DFG::Node::stackAccessData):
2304         (JSC::DFG::Node::willHaveCodeGenOrOSR):
2305         * dfg/DFGNodeType.h:
2306         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2307         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2308         * dfg/DFGPlan.cpp:
2309         (JSC::DFG::Plan::compileInThreadImpl):
2310         * dfg/DFGPredictionPropagationPhase.cpp:
2311         (JSC::DFG::PredictionPropagationPhase::propagate):
2312         * dfg/DFGPutLocalSinkingPhase.cpp: Removed.
2313         * dfg/DFGPutLocalSinkingPhase.h: Removed.
2314         * dfg/DFGPutStackSinkingPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.cpp.
2315         (JSC::DFG::performPutStackSinking):
2316         (JSC::DFG::performPutLocalSinking): Deleted.
2317         * dfg/DFGPutStackSinkingPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.h.
2318         * dfg/DFGSSAConversionPhase.cpp:
2319         (JSC::DFG::SSAConversionPhase::run):
2320         * dfg/DFGSafeToExecute.h:
2321         (JSC::DFG::safeToExecute):
2322         * dfg/DFGSpeculativeJIT32_64.cpp:
2323         (JSC::DFG::SpeculativeJIT::compile):
2324         * dfg/DFGSpeculativeJIT64.cpp:
2325         (JSC::DFG::SpeculativeJIT::compile):
2326         * dfg/DFGStackLayoutPhase.cpp:
2327         (JSC::DFG::StackLayoutPhase::run):
2328         * dfg/DFGValidate.cpp:
2329         (JSC::DFG::Validate::validate):
2330         (JSC::DFG::Validate::validateCPS):
2331         (JSC::DFG::Validate::validateSSA):
2332         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2333         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2334         * ftl/FTLCapabilities.cpp:
2335         (JSC::FTL::canCompile):
2336         * ftl/FTLLowerDFGToLLVM.cpp:
2337         (JSC::FTL::LowerDFGToLLVM::lower):
2338         (JSC::FTL::LowerDFGToLLVM::compileNode):
2339         (JSC::FTL::LowerDFGToLLVM::compileGetStack):
2340         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
2341         (JSC::FTL::LowerDFGToLLVM::compileGetLocal): Deleted.
2342         (JSC::FTL::LowerDFGToLLVM::compilePutLocal): Deleted.
2343         * ftl/FTLOSRExit.h:
2344         * tests/stress/many-sunken-locals.js: Added. This failure mode was caught by some miscellaneous test, so I figured I should write an explicit test for it.
2345         (foo):
2346         (bar):
2347         (baz):
2348         (fuzz):
2349         (buzz):
2350
2351 2015-02-26  Mark Lam  <mark.lam@apple.com>
2352
2353         Rolling out r180602, r180608, r180613, r180617, r180671.
2354         <https://webkit.org/b/141990>
2355
2356         Not reviewed.
2357
2358         The r180602 solution does result in more work for GC when worker
2359         threads are in use.  Filip is uncomfortable with that.
2360         The EFL and GTK ports also seem to be unhappy with this change.
2361         Rolling out while we investigate.
2362
2363         * heap/Heap.cpp:
2364         (JSC::Heap::Heap):
2365         (JSC::Heap::gatherStackRoots):
2366         (JSC::Heap::machineThreads): Deleted.
2367         * heap/Heap.h:
2368         (JSC::Heap::machineThreads):
2369         * heap/MachineStackMarker.cpp:
2370         (JSC::MachineThreads::MachineThreads):
2371         (JSC::MachineThreads::~MachineThreads):
2372         (JSC::MachineThreads::addCurrentThread):
2373         * heap/MachineStackMarker.h:
2374         * runtime/JSLock.cpp:
2375         (JSC::JSLock::didAcquireLock):
2376
2377 2015-02-26  Myles C. Maxfield  <mmaxfield@apple.com>
2378
2379         [Mac] [iOS] Parsing support for -apple-trailing-word
2380         https://bugs.webkit.org/show_bug.cgi?id=141939
2381
2382         Reviewed by Andreas Kling.
2383
2384         * Configurations/FeatureDefines.xcconfig:
2385
2386 2015-02-26  Michael Saboff  <msaboff@apple.com>
2387
2388         [Win] Debug-only JavaScriptCore failures
2389         https://bugs.webkit.org/show_bug.cgi?id=142045
2390
2391         Rubber stamped by Filip Pizlo.
2392
2393         Reduced loop count to a more reasonable value of 10,000.  This still gets us to tier up
2394         to the FTL, but doesn't take too long to run.
2395
2396         * tests/stress/repeated-arity-check-fail.js:
2397
2398 2015-02-26  Brent Fulgham  <bfulgham@apple.com>
2399
2400         [Win] Make build logs more legible by reducing noise
2401         https://bugs.webkit.org/show_bug.cgi?id=142034
2402
2403         Reviewed by Alexey Proskuryakov.
2404
2405         Modify batch files, makefiles, and DOS commands to remove
2406         uninteresting/unhelpful output.
2407
2408         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2409         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
2410         * JavaScriptCore.vcxproj/copy-files.cmd:
2411         * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd:
2412         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
2413         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd:
2414         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
2415         * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd:
2416         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd:
2417         * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd:
2418         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
2419
2420 2015-02-26  Csaba Osztrogonác  <ossy@webkit.org>
2421
2422         Add calleeSaveRegisters() implementation for ARM Traditional
2423         https://bugs.webkit.org/show_bug.cgi?id=141903
2424
2425         Reviewed by Darin Adler.
2426
2427         * jit/RegisterSet.cpp:
2428         (JSC::RegisterSet::calleeSaveRegisters):
2429
2430 2015-02-25  Michael Saboff  <msaboff@apple.com>
2431
2432         Web Inspector: CRASH when debugger pauses inside a Promise handler
2433         https://bugs.webkit.org/show_bug.cgi?id=141396
2434
2435         Reviewed by Mark Lam.
2436
2437         For frames that don't have a scope, typically native frames, use the lexicalGlobalObject to
2438         create the DebuggerScope for that frame.
2439
2440         * debugger/DebuggerCallFrame.cpp:
2441         (JSC::DebuggerCallFrame::scope):
2442
2443 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
2444
2445         DFG abstract heaps should respect the difference between heap and stack
2446         https://bugs.webkit.org/show_bug.cgi?id=142022
2447
2448         Reviewed by Geoffrey Garen.
2449         
2450         We will soon (https://bugs.webkit.org/show_bug.cgi?id=141174) be in a world where a "world
2451         clobbering" operation cannot write to our stack, but may be able to read from it. This
2452         means that we need to change the DFG abstract heap hierarchy to have a notion of Heap that
2453         subsumes all that World previously subsumed, and a new notion of Stack that is a subtype
2454         of World and a sibling of Heap.
2455
2456         So, henceforth "clobbering the world" means reading World and writing Heap.
2457         
2458         This makes a bunch of changes to make this work, including changing the implementation of
2459         disjointness in AbstractHeap to make it support a more general hierarchy. I was expecting
2460         a slow-down, but I measured the heck out of this and found no perf difference.
2461
2462         * dfg/DFGAbstractHeap.cpp:
2463         (JSC::DFG::AbstractHeap::dump):
2464         * dfg/DFGAbstractHeap.h:
2465         (JSC::DFG::AbstractHeap::supertype):
2466         (JSC::DFG::AbstractHeap::isStrictSubtypeOf):
2467         (JSC::DFG::AbstractHeap::isSubtypeOf):
2468         (JSC::DFG::AbstractHeap::overlaps):
2469         (JSC::DFG::AbstractHeap::isDisjoint):
2470         * dfg/DFGClobberize.cpp:
2471         (JSC::DFG::clobbersHeap):
2472         (JSC::DFG::clobbersWorld): Deleted.
2473         * dfg/DFGClobberize.h:
2474         (JSC::DFG::clobberize):
2475         * dfg/DFGDoesGC.cpp:
2476         (JSC::DFG::doesGC):
2477
2478 2015-02-25  Ryosuke Niwa  <rniwa@webkit.org>
2479
2480         REGRESSION(r180595): construct varargs fails in FTL
2481         https://bugs.webkit.org/show_bug.cgi?id=142030
2482
2483         Reviewed by Geoffrey Garen.
2484
2485         The bug was caused by IC size being too small for construct_varargs even though we've added a new argument.
2486         Fixed the bug by increasing the IC size to match call_varargs.
2487
2488         * ftl/FTLInlineCacheSize.cpp:
2489         (JSC::FTL::sizeOfConstructVarargs):
2490
2491 2015-02-25  Mark Lam  <mark.lam@apple.com>
2492
2493         ASan does not like JSC::MachineThreads::tryCopyOtherThreadStack.
2494         <https://webkit.org/b/141672>
2495
2496         Reviewed by Alexey Proskuryakov.
2497
2498         ASan does not like the fact that we memcpy the stack for GC scans.  So,
2499         we're working around this by using our own memcpy (asanUnsafeMemcpy)
2500         implementation that we can tell ASan to ignore.
2501
2502         * heap/MachineStackMarker.cpp:
2503         (JSC::asanUnsafeMemcpy):
2504
2505 2015-02-25  Benjamin Poulain  <bpoulain@apple.com>
2506
2507         CodeBlock crashes when dumping op_push_name_scope
2508         https://bugs.webkit.org/show_bug.cgi?id=141953
2509
2510         Reviewed by Filip Pizlo and Csaba Osztrogonác.
2511
2512         * bytecode/CodeBlock.cpp:
2513         (JSC::CodeBlock::dumpBytecode):
2514         * tests/stress/op-push-name-scope-crashes-profiler.js: Added.
2515
2516 2015-02-25  Benjamin Poulain  <benjamin@webkit.org>
2517
2518         Make ParserError immutable by design
2519         https://bugs.webkit.org/show_bug.cgi?id=141955
2520
2521         Reviewed by Geoffrey Garen.
2522
2523         This patch enforce that no field of ParserError can
2524         be modified after the constructor.
2525
2526         * parser/ParserError.h:
2527         Move the attributes to pack the integer + 2 bytes together.
2528         This is irrelevant for memory impact, it is to remve a load-store
2529         when copying by value.
2530
2531         Also move the attributes to be private.
2532
2533         (JSC::ParserError::isValid):
2534         To client of the interface cared about the type of the error,
2535         the only information needed was: is there an error.
2536
2537         (JSC::ParserError::ParserError):
2538         (JSC::ParserError::syntaxErrorType):
2539         (JSC::ParserError::token):
2540         (JSC::ParserError::message):
2541         (JSC::ParserError::line):
2542         (JSC::ParserError::toErrorObject):
2543         * API/JSScriptRef.cpp:
2544         * builtins/BuiltinExecutables.cpp:
2545         (JSC::BuiltinExecutables::createBuiltinExecutable):
2546         * bytecode/UnlinkedCodeBlock.cpp:
2547         (JSC::generateFunctionCodeBlock):
2548         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2549         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2550         * bytecode/UnlinkedCodeBlock.h:
2551         * inspector/agents/InspectorRuntimeAgent.cpp:
2552         (Inspector::InspectorRuntimeAgent::parse):
2553         * jsc.cpp:
2554         (runInteractive):
2555         * parser/Parser.h:
2556         (JSC::parse):
2557         * runtime/CodeCache.cpp:
2558         (JSC::CodeCache::getGlobalCodeBlock):
2559         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2560         * runtime/CodeCache.h:
2561         * runtime/Completion.h:
2562         * runtime/Executable.cpp:
2563         (JSC::ProgramExecutable::checkSyntax):
2564         * runtime/JSGlobalObject.cpp:
2565         (JSC::JSGlobalObject::createProgramCodeBlock):
2566         (JSC::JSGlobalObject::createEvalCodeBlock):
2567
2568 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
2569
2570         Need to pass RTLD_DEEPBIND to dlopen() to ensure that our LLVMOverrides take effect on Linux
2571         https://bugs.webkit.org/show_bug.cgi?id=142006
2572
2573         Reviewed by Csaba Osztrogonác.
2574
2575         This fixes hard-to-reproduce concurrency-related crashes when running stress tests with FTL and
2576         concurrent JIT enabled.
2577
2578         * llvm/InitializeLLVMPOSIX.cpp:
2579         (JSC::initializeLLVMPOSIX):
2580
2581 2015-02-24  Filip Pizlo  <fpizlo@apple.com>
2582
2583         CMake build of libllvmForJSC.so should limit its export list like the Xcode build does
2584         https://bugs.webkit.org/show_bug.cgi?id=141989
2585
2586         Reviewed by Gyuyoung Kim.
2587
2588         * CMakeLists.txt:
2589         * llvm/library/libllvmForJSC.version: Added.
2590
2591 2015-02-24  Alexey Proskuryakov  <ap@apple.com>
2592
2593         More iOS build fix after r180602.
2594
2595         * heap/Heap.h: Export Heap::machineThreads().
2596
2597 2015-02-24  Brent Fulgham  <bfulgham@apple.com>
2598
2599         Unreviewed build fix after r180602.
2600
2601         * heap/MachineStackMarker.h: Add missing 'no return'
2602         declaration for Windows.
2603
2604 2015-02-24  Commit Queue  <commit-queue@webkit.org>
2605
2606         Unreviewed, rolling out r180599.
2607         https://bugs.webkit.org/show_bug.cgi?id=141998
2608
2609         Lots of new test failures (Requested by smfr on #webkit).
2610
2611         Reverted changeset:
2612
2613         "Parsing support for -webkit-trailing-word"
2614         https://bugs.webkit.org/show_bug.cgi?id=141939
2615         http://trac.webkit.org/changeset/180599
2616
2617 2015-02-24  Mark Lam  <mark.lam@apple.com>
2618
2619         MachineThreads::Thread clean up has a use after free race condition.
2620         <https://webkit.org/b/141990>
2621
2622         Reviewed by Michael Saboff.
2623
2624         MachineThreads::Thread clean up relies on the clean up mechanism
2625         implemented in _pthread_tsd_cleanup_key(), which looks like this:
2626
2627         void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
2628         {
2629             void (*destructor)(void *);
2630             if (_pthread_key_get_destructor(key, &destructor)) {
2631                 void **ptr = &self->tsd[key];
2632                 void *value = *ptr;
2633
2634                 // At this point, this thread has cached "destructor" and "value"
2635                 // (which is a MachineThreads*).  If the VM gets destructed (along
2636                 // with its MachineThreads registry) by another thread, then this
2637                 // thread will have no way of knowing that the MachineThreads* is
2638                 // now pointing to freed memory.  Calling the destructor below will
2639                 // therefore result in a use after free scenario when it tries to
2640                 // access the MachineThreads' data members.
2641
2642                 if (value) {
2643                     *ptr = NULL;
2644                     if (destructor) {
2645                         destructor(value);
2646                     }
2647                 }
2648             }
2649         }
2650
2651         The solution is simply to change MachineThreads from a per VM thread
2652         registry to a process global singleton thread registry i.e. the
2653         MachineThreads registry is now immortal and we cannot have a use after
2654         free scenario since we never free it.
2655
2656         The cost of this change is that all VM instances will have to scan
2657         stacks of all threads ever touched by a VM, and not just those that
2658         touched a specific VM.  However, stacks tend to be shallow.  Hence,
2659         those additional scans will tend to be cheap.
2660
2661         Secondly, it is not common for there to be multiple JSC VMs in use
2662         concurrently on multiple threads.  Hence, this cost should rarely
2663         manifest in real world applications.
2664
2665         * heap/Heap.cpp:
2666         (JSC::Heap::Heap):
2667         (JSC::Heap::machineThreads):
2668         (JSC::Heap::gatherStackRoots):
2669         * heap/Heap.h:
2670         (JSC::Heap::machineThreads): Deleted.
2671         * heap/MachineStackMarker.cpp:
2672         (JSC::MachineThreads::MachineThreads):
2673         (JSC::MachineThreads::~MachineThreads):
2674         (JSC::MachineThreads::addCurrentThread):
2675         * heap/MachineStackMarker.h:
2676         * runtime/JSLock.cpp:
2677         (JSC::JSLock::didAcquireLock):
2678
2679 2015-02-24  Myles C. Maxfield  <mmaxfield@apple.com>
2680
2681         [Mac] [iOS] Parsing support for -apple-trailing-word
2682         https://bugs.webkit.org/show_bug.cgi?id=141939
2683
2684         Reviewed by Andreas Kling.
2685
2686         * Configurations/FeatureDefines.xcconfig:
2687
2688 2015-02-24  Ryosuke Niwa  <rniwa@webkit.org>
2689
2690         Use "this" instead of "callee" to get the constructor
2691         https://bugs.webkit.org/show_bug.cgi?id=141019
2692
2693         Reviewed by Filip Pizlo.
2694
2695         This patch uses "this" register to pass the constructor (newTarget) to op_create_this from
2696         op_construct or op_construct_varargs. This will allow future patches that implement ES6 class
2697         to pass in the most derived class' constructor through "this" argument.
2698
2699         BytecodeGenerator's emitConstruct and emitConstructVarargs now passes thisRegister like
2700         regular calls and emitCreateThis passes in this register to op_create_this as constructor.
2701
2702         The rest of the code change removes the code for special casing "this" register not being used
2703         in call to construct.
2704
2705         * bytecode/BytecodeUseDef.h:
2706         (JSC::computeUsesForBytecodeOffset):
2707         * bytecompiler/BytecodeGenerator.cpp:
2708         (JSC::BytecodeGenerator::emitCreateThis):
2709         (JSC::BytecodeGenerator::emitConstructVarargs):
2710         (JSC::BytecodeGenerator::emitConstruct):
2711         * bytecompiler/BytecodeGenerator.h:
2712         * bytecompiler/NodesCodegen.cpp:
2713         (JSC::NewExprNode::emitBytecode):
2714         * dfg/DFGByteCodeParser.cpp:
2715         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
2716         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2717         (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
2718         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2719         (JSC::DFG::ByteCodeParser::handleInlining):
2720         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2721         (JSC::DFG::ByteCodeParser::parseBlock):
2722         * dfg/DFGJITCode.cpp:
2723         (JSC::DFG::JITCode::reconstruct):
2724         * dfg/DFGSpeculativeJIT32_64.cpp:
2725         (JSC::DFG::SpeculativeJIT::emitCall):
2726         * dfg/DFGSpeculativeJIT64.cpp:
2727         (JSC::DFG::SpeculativeJIT::emitCall):
2728         * ftl/FTLJSCallVarargs.cpp:
2729         (JSC::FTL::JSCallVarargs::emit):
2730         * ftl/FTLLowerDFGToLLVM.cpp:
2731         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
2732         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
2733         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
2734         * interpreter/Interpreter.cpp:
2735         (JSC::Interpreter::executeConstruct):
2736         * jit/JITOperations.cpp:
2737
2738 2015-02-24  Joseph Pecoraro  <pecoraro@apple.com>
2739
2740         Web Inspector: Make Getter/Setter RemoteObject property and ObjectPreview handling consistent
2741         https://bugs.webkit.org/show_bug.cgi?id=141587
2742
2743         Reviewed by Timothy Hatcher.
2744
2745         Convert getProperties(ownAndGetterProperties) to getDisplayableProperties().
2746         Mark PropertyDescriptors that are presumed to be native getters / bindings
2747         separately so that the frontend may display them differently.
2748
2749         * inspector/InjectedScript.cpp:
2750         (Inspector::InjectedScript::getProperties):
2751         (Inspector::InjectedScript::getDisplayableProperties):
2752         * inspector/InjectedScript.h:
2753         * inspector/InjectedScriptSource.js:
2754         * inspector/agents/InspectorRuntimeAgent.cpp:
2755         (Inspector::InspectorRuntimeAgent::getProperties):
2756         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2757         * inspector/agents/InspectorRuntimeAgent.h:
2758         * inspector/protocol/Runtime.json:
2759
2760 2015-02-24  Mark Lam  <mark.lam@apple.com>
2761
2762         Rolling out r179753.  The fix was invalid.
2763         <https://webkit.org/b/141990>
2764
2765         Not reviewed.
2766
2767         * API/tests/testapi.mm:
2768         (threadMain):
2769         (useVMFromOtherThread): Deleted.
2770         (useVMFromOtherThreadAndOutliveVM): Deleted.
2771         * heap/Heap.cpp:
2772         (JSC::Heap::Heap):
2773         (JSC::Heap::~Heap):
2774         (JSC::Heap::gatherStackRoots):
2775         * heap/Heap.h:
2776         (JSC::Heap::machineThreads):
2777         * heap/MachineStackMarker.cpp:
2778         (JSC::MachineThreads::Thread::Thread):
2779         (JSC::MachineThreads::MachineThreads):
2780         (JSC::MachineThreads::~MachineThreads):
2781         (JSC::MachineThreads::addCurrentThread):
2782         (JSC::MachineThreads::removeThread):
2783         (JSC::MachineThreads::removeCurrentThread):
2784         * heap/MachineStackMarker.h:
2785
2786 2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2787
2788         Constructor returning null should construct an object instead of null
2789         https://bugs.webkit.org/show_bug.cgi?id=141640
2790
2791         Reviewed by Filip Pizlo.
2792
2793         When constructor code doesn't return object, constructor should return `this` object instead.
2794         Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
2795         it allows `null` as an object.
2796         This patch fixes it by introducing an new bytecode `op_is_object_or_null` for `typeof` use cases.
2797         Instead, constructor uses simplified `is_object`.
2798
2799         As a result, `op_is_object` becomes fairly simple. So we introduce optimization for `op_is_object`.
2800
2801         1. LLInt and baseline JIT support `op_is_object` as a fast path.
2802         2. DFG abstract interpreter support `op_is_object`. And recognize its speculated type and read-write effects.
2803         3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
2804         4. FTL lowers DFG's IsObject into LLVM IR.
2805
2806         And at the same time, this patch fixes isString / isObject predicate used for `op_is_object` and others
2807         in LLInt, JIT, DFG and FTL.
2808         Before introducing ES6 Symbol, JSCell is only used for object and string in user observable area.
2809         So in many places, when the cell is not object, we recognize it as a string, and vice versa.
2810         However, now ES6 Symbol is implemented as a JSCell, this assumption is broken.
2811         So this patch stop using !isString as isObject.
2812         To check whether a cell is an object, instead of seeing that structure ID of a cell is not stringStructure,
2813         we examine typeInfo in JSCell.
2814
2815         * JavaScriptCore.order:
2816         * bytecode/BytecodeList.json:
2817         * bytecode/BytecodeUseDef.h:
2818         (JSC::computeUsesForBytecodeOffset):
2819         (JSC::computeDefsForBytecodeOffset):
2820         * bytecode/CodeBlock.cpp:
2821         (JSC::CodeBlock::dumpBytecode):
2822         * bytecode/PutByIdStatus.cpp:
2823         (JSC::PutByIdStatus::computeFor):
2824         * bytecompiler/BytecodeGenerator.cpp:
2825         (JSC::BytecodeGenerator::emitEqualityOp):
2826         (JSC::BytecodeGenerator::emitReturn):
2827         * dfg/DFGAbstractInterpreterInlines.h:
2828         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2829         * dfg/DFGByteCodeParser.cpp:
2830         (JSC::DFG::ByteCodeParser::parseBlock):
2831         * dfg/DFGCapabilities.cpp:
2832         (JSC::DFG::capabilityLevel):
2833         * dfg/DFGClobberize.h:
2834         (JSC::DFG::clobberize):
2835
2836         IsObject operation only touches JSCell typeInfoType.
2837         And this value would be changed through structure transition.
2838         As a result, IsObject can report that it doesn't read any information.
2839
2840         * dfg/DFGConstantFoldingPhase.cpp:
2841         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2842         * dfg/DFGDoesGC.cpp:
2843         (JSC::DFG::doesGC):
2844         * dfg/DFGFixupPhase.cpp:
2845         (JSC::DFG::FixupPhase::fixupNode):
2846
2847         Just like IsString, IsObject is also fixed up.
2848
2849         * dfg/DFGHeapLocation.cpp:
2850         (WTF::printInternal):
2851         * dfg/DFGHeapLocation.h:
2852         * dfg/DFGNodeType.h:
2853         * dfg/DFGOperations.cpp:
2854         * dfg/DFGOperations.h:
2855         * dfg/DFGPredictionPropagationPhase.cpp:
2856         (JSC::DFG::PredictionPropagationPhase::propagate):
2857         * dfg/DFGSafeToExecute.h:
2858         (JSC::DFG::safeToExecute):
2859         * dfg/DFGSpeculativeJIT.cpp:
2860         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
2861         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
2862         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
2863         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
2864         (JSC::DFG::SpeculativeJIT::speculateObject):
2865         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2866         (JSC::DFG::SpeculativeJIT::speculateString):
2867         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
2868         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2869         (JSC::DFG::SpeculativeJIT::emitSwitchString):
2870         (JSC::DFG::SpeculativeJIT::branchIsObject):
2871         (JSC::DFG::SpeculativeJIT::branchNotObject):
2872         (JSC::DFG::SpeculativeJIT::branchIsString):
2873         (JSC::DFG::SpeculativeJIT::branchNotString):
2874         * dfg/DFGSpeculativeJIT.h:
2875         * dfg/DFGSpeculativeJIT32_64.cpp:
2876         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2877         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2878         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2879         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2880         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2881         (JSC::DFG::SpeculativeJIT::compile):
2882         * dfg/DFGSpeculativeJIT64.cpp:
2883         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2884         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2885         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2886         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2887         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2888         (JSC::DFG::SpeculativeJIT::compile):
2889         * ftl/FTLCapabilities.cpp:
2890         (JSC::FTL::canCompile):
2891         * ftl/FTLLowerDFGToLLVM.cpp:
2892         (JSC::FTL::LowerDFGToLLVM::compileNode):
2893         (JSC::FTL::LowerDFGToLLVM::compileToString):
2894         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
2895         (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
2896         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
2897         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2898         (JSC::FTL::LowerDFGToLLVM::isObject):
2899         (JSC::FTL::LowerDFGToLLVM::isNotObject):
2900         (JSC::FTL::LowerDFGToLLVM::isNotString):
2901         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
2902         * jit/JIT.cpp:
2903         (JSC::JIT::privateCompileMainPass):
2904         * jit/JIT.h:
2905         * jit/JITInlines.h:
2906         (JSC::JIT::emitJumpIfCellObject):
2907         * jit/JITOpcodes.cpp:
2908         (JSC::JIT::emit_op_is_object):
2909         (JSC::JIT::emit_op_to_primitive):
2910         * jit/JITOpcodes32_64.cpp:
2911         (JSC::JIT::emit_op_is_object):
2912         (JSC::JIT::emit_op_to_primitive):
2913         (JSC::JIT::compileOpStrictEq):
2914         * llint/LowLevelInterpreter.asm:
2915         * llint/LowLevelInterpreter32_64.asm:
2916         * llint/LowLevelInterpreter64.asm:
2917         * runtime/CommonSlowPaths.cpp:
2918         (JSC::SLOW_PATH_DECL):
2919         * runtime/CommonSlowPaths.h:
2920         * runtime/Operations.cpp:
2921         (JSC::jsIsObjectTypeOrNull):
2922         (JSC::jsIsObjectType): Deleted.
2923         * runtime/Operations.h:
2924         * tests/stress/constructor-with-return.js: Added.
2925         (Test):
2926
2927         When constructor doesn't return an object, `this` should be returned instead.
2928         In this test, we check all primitives. And test object, array and wrappers.
2929
2930         * tests/stress/dfg-to-primitive-pass-symbol.js: Added.
2931         (toPrimitiveTarget):
2932         (doToPrimitive):
2933
2934         op_to_primitive operation passes Symbol in fast path.
2935
2936 2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2937
2938         REGRESSION(r179429): Can't type comments in Facebook
2939         https://bugs.webkit.org/show_bug.cgi?id=141859
2940
2941         Reviewed by Brent Fulgham.
2942
2943         When window.Symbol is exposed to user-space pages,
2944         Facebook's JavaScript use it (maybe, for immutable-js and React.js's unique key).
2945         However, to work with Symbols completely, it also requires
2946         1) Object.getOwnPropertySymbols (for mixin including Symbols)
2947         2) the latest ES6 Iterator interface that uses Iterator.next and it returns { done: boolean, value: value }.
2948         Since they are not landed yet, comments in Facebook don't work.
2949
2950         This patch introduces RuntimeFlags for JavaScriptCore.
2951         Specifying SymbolEnabled flag under test runner and inspector to continue to work with Symbol.
2952         And drop JavaScriptExperimentsEnabled flag
2953         because it is no longer used and use case of this is duplicated to runtime flags.
2954
2955         * JavaScriptCore.order:
2956         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2957         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2958         * JavaScriptCore.xcodeproj/project.pbxproj:
2959         * jsc.cpp:
2960         (GlobalObject::javaScriptRuntimeFlags):
2961         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
2962         * runtime/JSGlobalObject.cpp:
2963         (JSC::JSGlobalObject::JSGlobalObject):
2964         (JSC::JSGlobalObject::init):
2965         * runtime/JSGlobalObject.h:
2966         (JSC::JSGlobalObject::finishCreation):
2967         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
2968         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
2969         * runtime/RuntimeFlags.h: Added.
2970         (JSC::RuntimeFlags::RuntimeFlags):
2971         (JSC::RuntimeFlags::createAllEnabled):
2972
2973 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
2974
2975         Our bizarre behavior on Arguments::defineOwnProperty should be deliberate rather than a spaghetti incident
2976         https://bugs.webkit.org/show_bug.cgi?id=141951
2977
2978         Reviewed by Benjamin Poulain.
2979         
2980         This patch has no behavioral change, but it simplifies a bunch of wrong code. The code is
2981         still wrong in exactly the same way, but at least it's obvious what's going on. The wrongness
2982         is covered by this bug: https://bugs.webkit.org/show_bug.cgi?id=141952.
2983
2984         * runtime/Arguments.cpp:
2985         (JSC::Arguments::copyBackingStore): We should only see the arguments token; assert otherwise. This works because if the GC sees the butterfly token it calls the JSObject::copyBackingStore method directly.
2986         (JSC::Arguments::defineOwnProperty): Make our bizarre behavior deliberate rather than an accident of a decade of patches.
2987         * tests/stress/arguments-bizarre-behavior.js: Added.
2988         (foo):
2989         * tests/stress/arguments-bizarre-behaviour-disable-enumerability.js: Added. My choice of spellings of the word "behavio[u]r" is almost as consistent as our implementation of arguments.
2990         (foo):
2991         * tests/stress/arguments-custom-properties-gc.js: Added. I added this test because at first I was unsure if we GCd arguments correctly.
2992         (makeBaseArguments):
2993         (makeArray):
2994         (cons):
2995
2996 2015-02-23  Commit Queue  <commit-queue@webkit.org>
2997
2998         Unreviewed, rolling out r180547 and r180550.
2999         https://bugs.webkit.org/show_bug.cgi?id=141957
3000
3001         Broke 10 Windows tests. (Requested by bfulgham_ on #webkit).
3002
3003         Reverted changesets:
3004
3005         "REGRESSION(r179429): Can't type comments in Facebook"
3006         https://bugs.webkit.org/show_bug.cgi?id=141859
3007         http://trac.webkit.org/changeset/180547
3008
3009         "Constructor returning null should construct an object instead
3010         of null"
3011         https://bugs.webkit.org/show_bug.cgi?id=141640
3012         http://trac.webkit.org/changeset/180550
3013
3014 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3015
3016         Constructor returning null should construct an object instead of null
3017         https://bugs.webkit.org/show_bug.cgi?id=141640
3018
3019         Reviewed by Geoffrey Garen.
3020
3021         When constructor code doesn't return object, constructor should return `this` object instead.
3022         Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
3023         it allows `null` as an object.
3024         This patch fixes it by introducing an new bytecode `op_is_object_or_null` for `typeof` use cases.
3025         Instead, constructor uses simplified `is_object`.
3026
3027         As a result, `op_is_object` becomes fairly simple. So we introduce optimization for `op_is_object`.
3028
3029         1. LLInt and baseline JIT support `op_is_object` as a fast path.
3030         2. DFG abstract interpreter support `op_is_object`. And recognize its speculated type and read-write effects.
3031         3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
3032         4. FTL lowers DFG's IsObject into LLVM IR.
3033
3034         And at the same time, this patch fixes isString / isObject predicate used for `op_is_object` and others
3035         in LLInt, JIT, DFG and FTL.
3036         Before introducing ES6 Symbol, JSCell is only used for object and string in user observable area.
3037         So in many places, when the cell is not object, we recognize it as a string, and vice versa.
3038         However, now ES6 Symbol is implemented as a JSCell, this assumption is broken.
3039         So this patch stop using !isString as isObject.
3040         To check whether a cell is an object, instead of seeing that structure ID of a cell is not stringStructure,
3041         we examine typeInfo in JSCell.
3042
3043         * JavaScriptCore.order:
3044         * bytecode/BytecodeList.json:
3045         * bytecode/BytecodeUseDef.h:
3046         (JSC::computeUsesForBytecodeOffset):
3047         (JSC::computeDefsForBytecodeOffset):
3048         * bytecode/CodeBlock.cpp:
3049         (JSC::CodeBlock::dumpBytecode):
3050         * bytecode/PutByIdStatus.cpp:
3051         (JSC::PutByIdStatus::computeFor):
3052         * bytecompiler/BytecodeGenerator.cpp:
3053         (JSC::BytecodeGenerator::emitEqualityOp):
3054         (JSC::BytecodeGenerator::emitReturn):
3055         * dfg/DFGAbstractInterpreterInlines.h:
3056         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3057         * dfg/DFGByteCodeParser.cpp:
3058         (JSC::DFG::ByteCodeParser::parseBlock):
3059         * dfg/DFGCapabilities.cpp:
3060         (JSC::DFG::capabilityLevel):
3061         * dfg/DFGClobberize.h:
3062         (JSC::DFG::clobberize):
3063
3064         IsObject operation only touches JSCell typeInfoType.
3065         And this value would not be changed through structure transition.
3066         As a result, IsObject can report that it doesn't read any information.
3067
3068         * dfg/DFGDoesGC.cpp:
3069         (JSC::DFG::doesGC):
3070         * dfg/DFGFixupPhase.cpp:
3071         (JSC::DFG::FixupPhase::fixupNode):
3072
3073         Just like IsString, IsObject is also fixed up.
3074
3075         * dfg/DFGHeapLocation.cpp:
3076         (WTF::printInternal):
3077         * dfg/DFGHeapLocation.h:
3078         * dfg/DFGNodeType.h:
3079         * dfg/DFGOperations.cpp:
3080         * dfg/DFGOperations.h:
3081         * dfg/DFGPredictionPropagationPhase.cpp:
3082         (JSC::DFG::PredictionPropagationPhase::propagate):
3083         * dfg/DFGSafeToExecute.h:
3084         (JSC::DFG::safeToExecute):
3085         * dfg/DFGSpeculativeJIT.cpp:
3086         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
3087         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
3088         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
3089         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
3090         (JSC::DFG::SpeculativeJIT::speculateObject):
3091         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
3092         (JSC::DFG::SpeculativeJIT::speculateString):
3093         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
3094         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
3095         (JSC::DFG::SpeculativeJIT::emitSwitchString):
3096         (JSC::DFG::SpeculativeJIT::branchIsObject):
3097         (JSC::DFG::SpeculativeJIT::branchNotObject):
3098         (JSC::DFG::SpeculativeJIT::branchIsString):
3099         (JSC::DFG::SpeculativeJIT::branchNotString):
3100         * dfg/DFGSpeculativeJIT.h:
3101         * dfg/DFGSpeculativeJIT32_64.cpp:
3102         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3103         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3104         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3105         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3106         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3107         (JSC::DFG::SpeculativeJIT::compile):
3108         * dfg/DFGSpeculativeJIT64.cpp:
3109         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3110         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3111         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3112         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3113         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3114         (JSC::DFG::SpeculativeJIT::compile):
3115         * ftl/FTLCapabilities.cpp:
3116         (JSC::FTL::canCompile):
3117         * ftl/FTLLowerDFGToLLVM.cpp:
3118         (JSC::FTL::LowerDFGToLLVM::compileNode):
3119         (JSC::FTL::LowerDFGToLLVM::compileToString):
3120         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
3121         (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
3122         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
3123         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
3124         (JSC::FTL::LowerDFGToLLVM::isObject):
3125         (JSC::FTL::LowerDFGToLLVM::isNotObject):
3126         (JSC::FTL::LowerDFGToLLVM::isNotString):
3127         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
3128         * jit/JIT.cpp:
3129         (JSC::JIT::privateCompileMainPass):
3130         * jit/JIT.h:
3131         * jit/JITInlines.h:
3132         (JSC::JIT::emitJumpIfCellObject):
3133         * jit/JITOpcodes.cpp:
3134         (JSC::JIT::emit_op_is_object):
3135         (JSC::JIT::emit_op_to_primitive):
3136         * jit/JITOpcodes32_64.cpp:
3137         (JSC::JIT::emit_op_is_object):
3138         (JSC::JIT::emit_op_to_primitive):
3139         (JSC::JIT::compileOpStrictEq):
3140         * llint/LowLevelInterpreter.asm:
3141         * llint/LowLevelInterpreter32_64.asm:
3142         * llint/LowLevelInterpreter64.asm:
3143         * runtime/CommonSlowPaths.cpp:
3144         (JSC::SLOW_PATH_DECL):
3145         * runtime/CommonSlowPaths.h:
3146         * runtime/Operations.cpp:
3147         (JSC::jsIsObjectTypeOrNull):
3148         (JSC::jsIsObjectType): Deleted.
3149         * runtime/Operations.h:
3150
3151 2015-02-23  Ryosuke Niwa  <rniwa@webkit.org>
3152
3153         Disable font loading events until our implementation gets updated to match the latest spec
3154         https://bugs.webkit.org/show_bug.cgi?id=141938
3155
3156         Reviewed by Andreas Kling.
3157
3158         * Configurations/FeatureDefines.xcconfig:
3159
3160 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3161
3162         REGRESSION(r179429): Can't type comments in Facebook
3163         https://bugs.webkit.org/show_bug.cgi?id=141859
3164
3165         Reviewed by Geoffrey Garen.
3166
3167         When window.Symbol is exposed to user-space pages,
3168         Facebook's JavaScript use it (maybe, for immutable-js and React.js's unique key).
3169         However, to work with Symbols completely, it also requires
3170         1) Object.getOwnPropertySymbols (for mixin including Symbols)
3171         2) the latest ES6 Iterator interface that uses Iterator.next and it returns { done: boolean, value: value }.
3172         Since they are not landed yet, comments in Facebook don't work.
3173
3174         This patch introduces RuntimeFlags for JavaScriptCore.
3175         Specifying SymbolEnabled flag under test runner and inspector to continue to work with Symbol.
3176         And drop JavaScriptExperimentsEnabled flag
3177         because it is no longer used and use case of this is duplicated to runtime flags.
3178
3179         * JavaScriptCore.order:
3180         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3181         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3182         * JavaScriptCore.xcodeproj/project.pbxproj:
3183         * jsc.cpp:
3184         (GlobalObject::javaScriptRuntimeFlags):
3185         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
3186         * runtime/JSGlobalObject.cpp:
3187         (JSC::JSGlobalObject::JSGlobalObject):
3188         (JSC::JSGlobalObject::init):
3189         * runtime/JSGlobalObject.h:
3190         (JSC::JSGlobalObject::finishCreation):
3191         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
3192         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
3193         * runtime/RuntimeFlags.h: Added.
3194         (JSC::RuntimeFlags::RuntimeFlags):
3195         (JSC::RuntimeFlags::createAllEnabled):
3196
3197 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
3198
3199         Set the semantic origin of delayed SetLocal to the Bytecode that originated it
3200         https://bugs.webkit.org/show_bug.cgi?id=141727
3201
3202         Reviewed by Filip Pizlo.
3203
3204         Previously, delayed SetLocals would have the NodeOrigin of the next
3205         bytecode. This was because delayed SetLocal are...delayed... and
3206         currentCodeOrigin() is the one where the node is emitted.
3207
3208         This made debugging a little awkward since the OSR exits on SetLocal
3209         were reported for the next bytecode. This patch changes the semantic
3210         origin to keep the original bytecode.
3211
3212         From benchmarks, this looks like it could be a tiny bit faster
3213         but it likely just noise.
3214
3215         * dfg/DFGByteCodeParser.cpp:
3216         (JSC::DFG::ByteCodeParser::setDirect):
3217         (JSC::DFG::ByteCodeParser::setLocal):
3218         (JSC::DFG::ByteCodeParser::setArgument):
3219         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
3220         (JSC::DFG::ByteCodeParser::addToGraph):
3221         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
3222         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
3223
3224 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
3225
3226         Remove DFGNode::predictHeap()
3227         https://bugs.webkit.org/show_bug.cgi?id=141864
3228
3229         Reviewed by Geoffrey Garen.
3230
3231         * dfg/DFGNode.h:
3232         (JSC::DFG::Node::predictHeap): Deleted.
3233         Unused code.
3234
3235 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
3236
3237         Get rid of JSLexicalEnvironment::argumentsGetter
3238         https://bugs.webkit.org/show_bug.cgi?id=141930
3239
3240         Reviewed by Mark Lam.
3241         
3242         This function is unused, and the way it's written is bizarre - it's a return statement that
3243         dominates a bunch of dead code.
3244
3245         * runtime/JSLexicalEnvironment.cpp:
3246         (JSC::JSLexicalEnvironment::argumentsGetter): Deleted.
3247         * runtime/JSLexicalEnvironment.h:
3248
3249 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
3250
3251         Remove unused activationCount and allTheThingsCount variable declarations.
3252
3253         Rubber stamped by Mark Lam and Michael Saboff.
3254
3255         * runtime/JSLexicalEnvironment.h:
3256
3257 2015-02-23  Saam Barati  <saambarati1@gmail.com>
3258
3259         Adjust the ranges of basic block statements in JSC's control flow profiler to be mutually exclusive
3260         https://bugs.webkit.org/show_bug.cgi?id=141095
3261
3262         Reviewed by Mark Lam.
3263
3264         Suppose the control flow of a program forms basic block A with successor block
3265         B. A's end offset will be the *same* as B's start offset in the current architecture 
3266         of the control flow profiler. This makes reasoning about the text offsets of
3267         the control flow profiler unsound. To make reasoning about offsets sound, all 
3268         basic block ranges should be mutually exclusive.  All calls to emitProfileControlFlow 
3269         now pass in the *start* of a basic block as the text offset argument. This simplifies 
3270         all calls to emitProfileControlFlow because the previous implementation had a
3271         lot of edge cases for getting the desired basic block text boundaries.
3272
3273         This patch also ensures that the basic block boundary of a block statement 
3274         is the exactly the block's open and close brace offsets (inclusive). For example,
3275         in if/for/while statements. This also has the consequence that for statements 
3276         like "if (cond) foo();", the whitespace preceding "foo()" is not part of 
3277         the "foo()" basic block, but instead is part of the "if (cond) " basic block. 
3278         This is okay because these text offsets aren't meant to be human readable.
3279         Instead, they reflect the text offsets of JSC's AST nodes. The Web Inspector 
3280         is the only client of this API and user of these text offsets and it is 
3281         not negatively effected by this new behavior.
3282
3283         * bytecode/CodeBlock.cpp:
3284         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3285         When computing basic block boundaries in CodeBlock, we ensure that every
3286         block's end offset is one less than its successor's start offset to
3287         maintain that boundaries' ranges should be mutually exclusive.
3288
3289         * bytecompiler/BytecodeGenerator.cpp:
3290         (JSC::BytecodeGenerator::BytecodeGenerator):
3291         Because the control flow profiler needs to know which functions
3292         have executed, we can't lazily create functions. This was a bug 
3293         from before that was hidden because the Type Profiler was always 
3294         enabled when the control flow profiler was enabled when profiling 
3295         was turned on from the Web Inspector. But, JSC allows for Control 
3296         Flow profiling to be turned on without Type Profiling, so we need 
3297         to ensure the Control Flow profiler has all the data it needs.
3298
3299         * bytecompiler/NodesCodegen.cpp:
3300         (JSC::ConditionalNode::emitBytecode):
3301         (JSC::IfElseNode::emitBytecode):
3302         (JSC::WhileNode::emitBytecode):
3303         (JSC::ForNode::emitBytecode):
3304         (JSC::ForInNode::emitMultiLoopBytecode):
3305         (JSC::ForOfNode::emitBytecode):
3306         (JSC::TryNode::emitBytecode):
3307         * jsc.cpp:
3308         (functionHasBasicBlockExecuted):
3309         We now assert that the substring argument is indeed a substring
3310         of the function argument's text because subtle bugs could be
3311         introduced otherwise.
3312
3313         * parser/ASTBuilder.h:
3314         (JSC::ASTBuilder::setStartOffset):
3315         * parser/Nodes.h:
3316         (JSC::Node::setStartOffset):
3317         * parser/Parser.cpp:
3318         (JSC::Parser<LexerType>::parseBlockStatement):
3319         (JSC::Parser<LexerType>::parseStatement):
3320         (JSC::Parser<LexerType>::parseMemberExpression):
3321         For the various function call AST nodes, their m_position member 
3322         variable is now the start of the entire function call expression 
3323         and not at the start of the open paren of the arguments list.
3324
3325         * runtime/BasicBlockLocation.cpp:
3326         (JSC::BasicBlockLocation::getExecutedRanges):
3327         * runtime/ControlFlowProfiler.cpp:
3328         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
3329         Function ranges inserted as gaps should follow the same criteria
3330         that the bytecode generator uses to ensure that basic blocks
3331         start and end offsets are mutually exclusive.
3332
3333         * tests/controlFlowProfiler/brace-location.js: Added.
3334         (foo):
3335         (bar):
3336         (baz):
3337         (testIf):
3338         (testForRegular):
3339         (testForIn):
3340         (testForOf):
3341         (testWhile):
3342         (testIfNoBraces):
3343         (testForRegularNoBraces):
3344         (testForInNoBraces):
3345         (testForOfNoBraces):
3346         (testWhileNoBraces):
3347         * tests/controlFlowProfiler/conditional-expression.js: Added.
3348         (foo):
3349         (bar):
3350         (baz):
3351         (testConditionalBasic):
3352         (testConditionalFunctionCall):
3353         * tests/controlFlowProfiler/driver/driver.js:
3354         (checkBasicBlock):
3355
3356 2015-02-23  Matthew Mirman  <mmirman@apple.com>
3357
3358         r9 is volatile on ARMv7 for iOS 3 and up. 
3359         https://bugs.webkit.org/show_bug.cgi?id=141489
3360         rdar://problem/19432916