46e394a6d22da761f3ce4a3f080bdb7b7b36aae1
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-08-27  Filip Pizlo  <fpizlo@apple.com>

        DFG::StrCat isn't really effectful
        https://bugs.webkit.org/show_bug.cgi?id=148443

        Reviewed by Geoffrey Garen.

        I previously made the DFG StrCat node effectful because it is implemented by calling a
        DFGOperations function that could cause arbitrary effects. But, the node is only generated from the
        op_strcat bytecode operation, and that operation is only used when we first ensure that its
        operands are primitives. Primitive operands to StrCat cannot cause arbitrary side-effects. The
        reason why I didn't immediately mark StrCat as pure was because there was nothing in DFG IR that
        guaranteed that StrCat's children were primitives.

        This change adds a KnownPrimitiveUse use kind, and applies it to StrCat. This allows us to mark
        StrCat as being pure. This should be a speed-up because we can CSE StrCat and because it means that
        we can OSR exit after a StrCat (a pure node doesn't clobber exit state), so we can convert more
        of a large string concatenation into MakeRope's.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::shouldNotHaveTypeCheck):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
        (JSC::FTL::DFG::LowerDFGToLLVM::speculate):

2015-08-27  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix after r189064.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2015-08-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add module loader "resolve" hook for local file system to test the loader in JSC shell
        https://bugs.webkit.org/show_bug.cgi?id=148543

        Reviewed by Filip Pizlo.

        Add the module loader "resolve" hook to the JSC shell.
        It takes the module name and the referrer module key and resolves the name to the unique module key.

        resolve(ModuleName moduleName, ModuleKey referrer) -> Promise<ModuleKey>

        In the JSC shell, since we load the module from the local file system, we treat an absolute file path
        as a module key. So, in this patch, we implement the "resolve" hook that resolves the module name to
        the absolute file path.

        This local file system "resolve" functionality makes it easy to test the module loader in the JSC shell.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::moduleLoaderFetch):
        (pathSeparator):
        (extractDirectoryName):
        (currentWorkingDirectory):
        (resolvePath):
        (GlobalObject::moduleLoaderResolve):
        (functionDrainMicrotasks):
        * runtime/JSInternalPromiseDeferred.cpp:
        (JSC::JSInternalPromiseDeferred::resolve):
        (JSC::JSInternalPromiseDeferred::reject):
        * runtime/JSInternalPromiseDeferred.h:
        * tests/stress/pathname-resolve.js: Added.
        (shouldBe):
        (shouldThrow):

2015-08-27  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix some FIXMEs and add some new ones, based on things we've learned from some
        recent OSR exit work.

        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGMayExit.h:

2015-08-27  Keith Miller  <keith_miller@apple.com>

        [ES6] Add TypedArray.prototype functionality.
        https://bugs.webkit.org/show_bug.cgi?id=148035

        Reviewed by Geoffrey Garen.

        This patch should add most of the functionality for
        the prototype properties of TypedArray objects in ES6.
        There are a few exceptions to this, which will be added
        in upcoming patches:

        1) First we do not use the species constructor for some
        of the TypedArray prototype functions (namely: map, filter,
        slice, and subarray). That will need to be added when
        species constructors are finished.

        2) The length, byteOffset, byteLength, and buffer properties
        are still attached to the TypedArray instance (in the spec
        they are on the TypedArray.prototype instance object)
        since the JIT currently assumes those properties are fixed.

        3) The TypedArray.constructor property is not added yet
        as it should point to the TypedArray instance object,
        which will be added in a future patch.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/TypedArray.prototype.js: Added.
        (every):
        (find):
        (findIndex):
        (forEach):
        (some):
        (sort.min):
        (sort.merge):
        (sort.mergeSort):
        (sort):
        (reduce):
        (reduceRight):
        (map):
        (filter):
        (toLocaleString):
        * runtime/ArrayPrototype.cpp:
        * runtime/ArrayPrototype.h:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGenericTypedArrayView.h:
        (JSC::sortFloat):
        (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue):
        (JSC::JSGenericTypedArrayView::setRangeToValue):
        (JSC::JSGenericTypedArrayView::sort):
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: Added.
        (JSC::argumentClampedIndexFromStartOrEnd):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncEntries):
        (JSC::genericTypedArrayViewProtoFuncCopyWithin):
        (JSC::genericTypedArrayViewProtoFuncFill):
        (JSC::genericTypedArrayViewProtoFuncIndexOf):
        (JSC::genericTypedArrayViewProtoFuncJoin):
        (JSC::genericTypedArrayViewProtoFuncKeys):
        (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
        (JSC::genericTypedArrayViewProtoGetterFuncLength):
        (JSC::genericTypedArrayViewProtoGetterFuncByteLength):
        (JSC::genericTypedArrayViewProtoGetterFuncByteOffset):
        (JSC::genericTypedArrayViewProtoFuncReverse):
        (JSC::genericTypedArrayViewPrivateFuncSort):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        (JSC::typedArrayViewProtoFuncValues):
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
        (JSC::genericTypedArrayViewProtoFuncSet): Deleted.
        (JSC::genericTypedArrayViewProtoFuncSubarray): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSObject.h:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrayPrototypes.h:
        * runtime/JSTypedArrayViewPrototype.cpp: Added.
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewPrivateFuncSort):
        (JSC::typedArrayViewProtoFuncSet):
        (JSC::typedArrayViewProtoFuncEntries):
        (JSC::typedArrayViewProtoFuncCopyWithin):
        (JSC::typedArrayViewProtoFuncFill):
        (JSC::typedArrayViewProtoFuncLastIndexOf):
        (JSC::typedArrayViewProtoFuncIndexOf):
        (JSC::typedArrayViewProtoFuncJoin):
        (JSC::typedArrayViewProtoFuncKeys):
        (JSC::typedArrayViewProtoGetterFuncLength):
        (JSC::typedArrayViewProtoGetterFuncByteLength):
        (JSC::typedArrayViewProtoGetterFuncByteOffset):
        (JSC::typedArrayViewProtoFuncReverse):
        (JSC::typedArrayViewProtoFuncSubarray):
        (JSC::typedArrayViewProtoFuncSlice):
        (JSC::typedArrayViewProtoFuncValues):
        (JSC::JSTypedArrayViewPrototype::JSTypedArrayViewPrototype):
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        (JSC::JSTypedArrayViewPrototype::create):
        (JSC::JSTypedArrayViewPrototype::createStructure):
        * runtime/JSTypedArrayViewPrototype.h: Copied from Source/JavaScriptCore/runtime/JSTypedArrayPrototypes.cpp.

2015-08-27  Alex Christensen  <achristensen@webkit.org>

        Isolate Source directories in CMake build
        https://bugs.webkit.org/show_bug.cgi?id=148389

        Reviewed by Brent Fulgham.

        * PlatformWin.cmake:
        Include ../include/private to find WTF headers in internal build.
        Don't use a script to generate forwarding headers.
        * shell/PlatformWin.cmake:
        Copy inspector scripts to the forwarding headers directory to be used by WebCore.

2015-08-27  Alex Christensen  <achristensen@webkit.org>

        [Win CMake] Fix incremental build after r188673
        https://bugs.webkit.org/show_bug.cgi?id=148539

        Reviewed by Brent Fulgham.

        * PlatformWin.cmake:
        Use xcopy as a build step instead of file(COPY ...) to copy updated headers.

2015-08-27  Jon Davis  <jond@apple.com>

        Include ES6 Generators and Proxy object status to feature status page.
        https://bugs.webkit.org/show_bug.cgi?id=148095

        Reviewed by Timothy Hatcher.

        * features.json:

2015-08-27  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add a comment to describe something I learned about a confusingly-named function.

        * dfg/DFGUseKind.h:
        (JSC::DFG::isCell):

2015-08-27  Basile Clement  <basile_clement@apple.com>

        REGRESSION(r184779): Possible read-after-free in JavaScriptCore/dfg/DFGClobberize.h
        https://bugs.webkit.org/show_bug.cgi?id=148411

        Reviewed by Geoffrey Garen and Filip Pizlo.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2015-08-27  Brian Burg  <bburg@apple.com>

        Web Inspector: FrontendChannel should know its own connection type
        https://bugs.webkit.org/show_bug.cgi?id=148482

        Reviewed by Joseph Pecoraro.

        * inspector/InspectorFrontendChannel.h: Add connectionType().
        * inspector/remote/RemoteInspectorDebuggableConnection.h:

2015-08-26  Filip Pizlo  <fpizlo@apple.com>

        Node::origin should always be set, and the dead zone due to SSA Phis can just use exitOK=false
        https://bugs.webkit.org/show_bug.cgi?id=148462

        Reviewed by Saam Barati.

        The need to label nodes that absolutely cannot exit was first observed when we introduced SSA form.
        We indicated this by not setting the CodeOrigin.

        But just recently (http://trac.webkit.org/changeset/188979), we added a more comprehensive "exitOK"
        bit in NodeOrigin. After that change, there were two ways of indicating that you cannot exit:
        !exitOK and an unset NodeOrigin. An unset NodeOrigin implied !exitOK.

        Now, this change is about removing the old way so that we only use !exitOK. From now on, all nodes
        must have their NodeOrigin set, and the IR validation will check this. This means that I could
        remove various pieces of cruft for dealing with unset NodeOrigins, but I did have to add some new
        cruft to ensure that all nodes we create have a NodeOrigin.

        This change simplifies our IR by having a simpler rule about when NodeOrigin is set: it's always
        set.

        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::isInBlock):
        (JSC::DFG::BasicBlock::removePredecessor):
        (JSC::DFG::BasicBlock::firstOriginNode): Deleted.
        (JSC::DFG::BasicBlock::firstOrigin): Deleted.
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::begin):
        (JSC::DFG::BasicBlock::end):
        (JSC::DFG::BasicBlock::numSuccessors):
        (JSC::DFG::BasicBlock::successor):
        * dfg/DFGCombinedLiveness.cpp:
        (JSC::DFG::liveNodesAtHead):
        * dfg/DFGConstantHoistingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGForAllKills.h:
        (JSC::DFG::forAllKilledOperands):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::validateSSA):

2015-08-26  Saam barati  <sbarati@apple.com>

        MarkedBlock::allocateBlock will have the wrong allocation size when (sizeof(MarkedBlock) + bytes) is divisible by WTF::pageSize()
        https://bugs.webkit.org/show_bug.cgi?id=148500

        Reviewed by Mark Lam.

        Consider the following scenario:
        - On OS X, WTF::pageSize() is 4*1024 bytes.
        - JSEnvironmentRecord::allocationSizeForScopeSize(6621) == 53000
        - sizeof(MarkedBlock) == 248
        - (248 + 53000) is a multiple of 4*1024.
        - (248 + 53000)/(4*1024) == 13

        We will allocate a chunk of memory of size 53248 bytes that looks like this:
        0            248       256                       53248       53256
        [Marked Block | 8 bytes |  payload     ......      ]  8 bytes  |
                                ^                                      ^
                           Our Environment record starts here.         ^
                                                                       ^
                                                                 Our last JSValue in the environment record will go from byte 53248 to 53256. But, we don't own this memory.

        We need to ensure that we round up sizeof(MarkedBlock) to an
        atomSize boundary. We need to do this because the first atom
        inside the MarkedBlock will start at the rounded up multiple
        of atomSize past MarkedBlock. If we end up with an allocation
        that is perfectly aligned to the page size, then we will be short
        8 bytes (in the current implementation where atomSize is 16 bytes,
        and MarkedBlock is 248 bytes).

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateBlock):
        * tests/stress/heap-allocator-allocates-incorrect-size-for-activation.js: Added.
        (use):
        (makeFunction):

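The arithmetic behind the MarkedBlock entry above, as an added example (not WebKit's MarkedAllocator code). The constants are the ones quoted in the entry (page size 4096, sizeof(MarkedBlock) 248, atomSize 16); naiveBlockSize() and fixedBlockSize() are hypothetical models of the before and after computations, written so the 8-byte shortfall can be measured directly. The model also shows something the entry does not spell out: any header-plus-payload sum that lands within 8 bytes below a page boundary leaves the block short as well, by the amount overrunBytes() returns.

```cpp
#include <cstddef>
#include <cstdio>

// Figures quoted in the ChangeLog entry above (OS X at the time of the fix).
constexpr std::size_t kPageSize = 4 * 1024;
constexpr std::size_t kMarkedBlockSize = 248;  // sizeof(MarkedBlock)
constexpr std::size_t kAtomSize = 16;          // MarkedBlock::atomSize

constexpr std::size_t roundUp(std::size_t value, std::size_t multiple) {
    return (value + multiple - 1) / multiple * multiple;
}

// Where the first atom, and so the first cell, starts: sizeof(MarkedBlock) rounded up to atomSize.
constexpr std::size_t firstAtomOffset() { return roundUp(kMarkedBlockSize, kAtomSize); }

// Hypothetical model of the pre-fix computation: page-round the unrounded header plus payload.
constexpr std::size_t naiveBlockSize(std::size_t payloadBytes) {
    return roundUp(kMarkedBlockSize + payloadBytes, kPageSize);
}

// Hypothetical model of the fixed computation: page-round the atom-rounded header plus payload.
constexpr std::size_t fixedBlockSize(std::size_t payloadBytes) {
    return roundUp(firstAtomOffset() + payloadBytes, kPageSize);
}

// How many payload bytes fall past the end of the naive allocation (0 means the cell fits).
constexpr std::size_t overrunBytes(std::size_t payloadBytes) {
    std::size_t payloadEnd = firstAtomOffset() + payloadBytes;
    std::size_t allocated = naiveBlockSize(payloadBytes);
    return payloadEnd > allocated ? payloadEnd - allocated : 0;
}

int main() {
    // 53000 is the entry's case; 52992 fits exactly; 52996 lands 4 bytes below a page boundary.
    const std::size_t sizes[] = { 53000, 52992, 52996, 4096 };
    for (std::size_t payload : sizes) {
        std::printf("payload %zu: naive block %zu, payload ends at %zu, overrun %zu, fixed block %zu\n",
                    payload, naiveBlockSize(payload), firstAtomOffset() + payload,
                    overrunBytes(payload), fixedBlockSize(payload));
    }
    return 0;
}
```

For the entry's numbers the naive size is 53248 and the cell ends at 53256, so the last JSValue is written 8 bytes past the mapping; the fixed computation grows the block to the next page (57344). The test case in the entry exercises exactly this boundary, which is why a scope size of 6621 was chosen.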
2015-08-26  Mark Lam  <mark.lam@apple.com>

        watchdog m_didFire state erroneously retained.
        https://bugs.webkit.org/show_bug.cgi?id=131082

        Reviewed by Geoffrey Garen.

        The watchdog can fire for 2 reasons:
        1. an external controlling entity (i.e. another thread) has scheduled termination
           of the script thread via watchdog::terminateSoon().
        2. the allowed CPU time has expired.

        For case 1, we're doing away with the m_didFire flag.  Watchdog::terminateSoon()
        will set the timer deadlines and m_timeLimit to 0, and m_timerDidFire to true.
        This will get the script thread to check Watchdog::didFire() and terminate
        execution.

        Note: the watchdog only guarantees that script execution will terminate as soon
        as possible due to a time limit of 0.  Once we've exited the VM, the client of the
        VM is responsible for keeping a flag to prevent new script execution.

        In a race condition, if terminateSoon() is called just after execution has gotten
        past the client's reentry check and the client is in the process of re-entering,
        the worst that can happen is that we will schedule the watchdog timer to fire
        after a period of 0.  This will terminate script execution quickly, and thereafter
        the client's check should be able to prevent further entry into the VM.

        The correctness (i.e. has no race condition) of this type of termination relies
        on the termination state being sticky.  Once the script thread is terminated this
        way, the VM will continue to terminate scripts quickly until the client sets the
        time limit to a non-zero value (or clears it which sets the time limit to
        noTimeLimit).

        For case 2, the watchdog does not alter m_timeLimit.  If the CPU deadline has
        been reached, the script thread will terminate execution and exit the VM.

        If the client of the VM starts new script execution, the watchdog will allow
        execution for the specified m_timeLimit.  In this case, since m_timeLimit is not
        0, the script gets a fresh allowance of CPU time to execute.  Hence, terminations
        due to watchdog timeouts are no longer sticky.

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * API/tests/ExecutionTimeLimitTest.cpp:
        - Add test scenarios to verify that the watchdog is automatically reset by the VM
          upon throwing the TerminatedExecutionException.

        (testResetAfterTimeout):
        (testExecutionTimeLimit):
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::ensureWatchdog):
        * runtime/VM.h:
        * runtime/VMInlines.h: Added.
        (JSC::VM::shouldTriggerTermination):
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Watchdog):
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::terminateSoon):
        (JSC::Watchdog::didFireSlow):
        (JSC::Watchdog::hasTimeLimit):
        (JSC::Watchdog::enteredVM):
        (JSC::Watchdog::exitedVM):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):
        (JSC::Watchdog::hasStartedTimer): Deleted.
        (JSC::Watchdog::fire): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::didFire):
        (JSC::Watchdog::timerDidFireAddress):

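The two termination behaviours the watchdog entry above distinguishes (sticky after terminateSoon(), not sticky after a CPU timeout), as an added example that is not JSC's Watchdog class. ModelWatchdog is a hypothetical single-threaded model driven by an explicit CPU-time value rather than a real timer; runScript() stands in for one entry into the VM followed by the reset the VM performs when it throws TerminatedExecutionException. Member names mirror the ones the entry mentions (m_timeLimit, m_timerDidFire); everything else is this example's own.

```cpp
#include <cstdio>
#include <limits>

// Hypothetical model of the watchdog described above. CPU time is passed in as seconds
// instead of being read from a timer so that the scenarios are deterministic.
class ModelWatchdog {
public:
    static constexpr double noTimeLimit = std::numeric_limits<double>::infinity();

    // Client API: a non-zero limit (or noTimeLimit) ends the sticky terminated state.
    void setTimeLimit(double seconds) { m_timeLimit = seconds; m_timerDidFire = false; }
    void clearTimeLimit() { setTimeLimit(noTimeLimit); }

    // Case 1: termination scheduled from another thread. A limit of 0 plus a fired timer
    // makes the next didFire() check succeed immediately, on this entry and every later one.
    void terminateSoon() { m_timeLimit = 0; m_deadline = 0; m_timerDidFire = true; }

    // Script thread enters the VM: arm a fresh deadline from the current limit.
    void enteredVM(double cpuNow) { m_deadline = cpuNow + m_timeLimit; }

    // Polled by the script thread (loop hints, calls): true means terminate execution.
    bool didFire(double cpuNow) {
        if (m_timerDidFire)
            return true;
        if (cpuNow >= m_deadline) {  // case 2: the allowed CPU time has expired
            m_timerDidFire = true;
            return true;
        }
        return false;
    }

    // The VM resets the watchdog when it throws TerminatedExecutionException. m_timeLimit is
    // left alone, so only a limit of 0 (case 1) keeps terminating on the next entry.
    void exitedVM() { m_timerDidFire = false; }

    double timeLimit() const { return m_timeLimit; }

private:
    double m_timeLimit = noTimeLimit;
    double m_deadline = noTimeLimit;
    bool m_timerDidFire = false;
};

// One script: enters the VM at enterAt and burns cpuUsed seconds before its next watchdog
// check. Returns true if the watchdog terminated it.
bool runScript(ModelWatchdog& watchdog, double enterAt, double cpuUsed) {
    watchdog.enteredVM(enterAt);
    bool terminated = watchdog.didFire(enterAt + cpuUsed);
    watchdog.exitedVM();
    return terminated;
}

// Case 2: a script that blows its 1 s budget is terminated, the next one gets a fresh budget.
bool timeoutIsNotSticky() {
    ModelWatchdog watchdog;
    watchdog.setTimeLimit(1.0);
    bool first = runScript(watchdog, 0.0, 1.5);
    bool second = runScript(watchdog, 2.0, 0.5);
    return first && !second;
}

// Case 1: after terminateSoon() every entry terminates until the client resets the limit.
bool terminateSoonIsSticky() {
    ModelWatchdog watchdog;
    watchdog.setTimeLimit(1.0);
    watchdog.terminateSoon();
    bool first = runScript(watchdog, 3.0, 0.0);
    bool second = runScript(watchdog, 4.0, 0.0);
    watchdog.setTimeLimit(1.0);  // client re-arms: a new allowance, no longer sticky
    bool third = runScript(watchdog, 5.0, 0.5);
    return first && second && !third;
}

int main() {
    std::printf("timeout is not sticky: %s\n", timeoutIsNotSticky() ? "yes" : "no");
    std::printf("terminateSoon is sticky: %s\n", terminateSoonIsSticky() ? "yes" : "no");
    return 0;
}
```

The model makes the entry's point about the race visible: the only state a concurrent terminateSoon() leaves behind is "limit 0, timer fired", and because that state survives exitedVM(), a re-entry that slipped past the client's own check still terminates on its first poll.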
2015-08-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Implement tracking of active stylesheets in the frontend
        https://bugs.webkit.org/show_bug.cgi?id=105828

        Reviewed by Timothy Hatcher.

        * inspector/protocol/CSS.json:
        Add new events for when a StyleSheet is added or removed.

2015-08-26  Chris Dumez  <cdumez@apple.com>

        Distinguish Web IDL callback interfaces from Web IDL callback functions
        https://bugs.webkit.org/show_bug.cgi?id=148434

        Reviewed by Geoffrey Garen.

        Add isNull() convenience method on PropertyName.

        * runtime/PropertyName.h:
        (JSC::PropertyName::isNull):

2015-08-26  Filip Pizlo  <fpizlo@apple.com>

        Node::origin should be able to tell you if it's OK to exit
        https://bugs.webkit.org/show_bug.cgi?id=145204

        Reviewed by Geoffrey Garen.

        This is a major change to DFG IR, that makes it easier to reason about where nodes with
        speculations can be soundly hoisted.

        A program in DFG IR is a sequence of operations that compute the values of SSA variables,
        perform effects on the heap or stack, and perform updates to the OSR exit state. Because
        effects and OSR exit updates are interleaved, there are points in execution where exiting
        simply won't work. For example, we may have some bytecode operation:

            [  24] op_foo loc42 // does something, and puts a value in loc42.

        that gets compiled down to a sequence of DFG IR nodes like:

            a: Foo(W:Heap, R:World, bc#24) // writes heap, reads world - i.e. an observable effect.
            b: MovHint(@a, loc42, bc#24)
            c: SetLocal(Check:Int32:@a, loc42, bc#24, exit: bc#26)

        Note that we can OSR exit at @a because we haven't yet performed any effects for bc#24 yet and
        we have performed all effects for prior bytecode operations. That's what the origin.forExit
        being set to "bc#24" guarantees. So, an OSR exit at @a would transfer execution to bc#24 and
        this would not be observable. But at @b, if we try to exit to bc#24 as indicated by forExit, we
        would end up causing the side effect of bc#24 to execute a second time. This would be
        observable, so we cannot do it. And we cannot exit to the next instruction - bc#26 - either,
        because @b is responsible for updating the OSR state to indicate that the result of @a should
        be put into loc42. It's not until we get to @c that we can exit again.

        This is a confusing, but useful, property of DFG IR. It's useful because it allows us to use IR
        to spell out how we would have affected the bytecode state, and we use this to implement hard
        things like object allocation elimination, where we use IR instructions to indicate what object
        allocation and mutation operations we would have performed, and which bytecode variables would
        have pointed to those objects. So long as IR allows us to describe how OSR exit state is
        updated, there will be points in execution where that state is invalid - especially if the IR
        to update exit state is separate from the IR to perform actual effects.

        But this property is super confusing! It's difficult to explain that somehow magically, @b is a
        bad place to put OSR exits, and that magically we will only have OSR exits at @a. Of course, it
        all kind of makes sense - we insert OSR exit checks in phases that *know* where it's safe to
        exit - but it's just too opaque. This also gets in the way of more sophisticated
        transformations. For example, LICM barely works - it magically knows that loop pre-headers are
        good places to exit from, but it has no way of determining if that is actually true. It would
        be odd to introduce a restriction that anytime some block qualifies as a pre-header according
        to our loop calculator, it must end with a terminal at which it is OK to exit. So, our choices
        are to either leave LICM in a magical state and exercise extreme caution when introducing new
        optimizations that hoist checks, or to do something to make the "can I exit here" property more
        explicit in IR.

        We have already, in a separate change, added a NodeOrigin::exitOK property, though it didn't do
        anything yet. This change puts exitOK to work, and makes it an integral part of IR. The key
        intuition behind this change is that if we know which nodes clobber exit state - i.e. after the
        node, it's no longer possible to OSR exit until the exit state is fixed up - then we can figure
        out where it's fine to exit. This change mostly adopts the already implicit rule that it's
        always safe to exit right at the boundary of exit origins (in between two nodes where
        origin.forExit differs), and adds a new node, called ExitOK, which is a kind of declaration
        that exit state is good again. When making this change, I struggled with the question of
        whether to make origin.exitOK be explicit, or something that we can compute with an analysis.
        Of course if we are armed with a clobbersExitState(Node*) function, we can find the places
        where it's fine to exit. But this kind of computation could get quite sophisticated if the
        nodes belonging to an exit origin are lowered to a control-flow construct. It would also be
        harder to see what the original intent was, if we found an error: is the bug that we shouldn't
        be clobbering exit state, or that we shouldn't be exiting? This change opts to make exitOK be
        an explicit property of IR, so that DFG IR validation will reject any program where exitOK is
        true after a node that clobbersExitState(), or if exitOK is true after a node has exitOK set to
        false - unless the latter node has a different exit origin or is an ExitOK node. It will also
        reject any program where a node mayExit() with !exitOK.

        It turns out that this revealed a lot of sloppiness and what almost looked like an outright
        bug: the callee property of an inline closure call frame was being set up "as if" by the
        callee's op_enter. If we did hoist a check per the old rule - to the boundary of exit origins -
        then we would crash because the callee is unknown. It also revealed that LICM could *almost*
        get hosed by having a pre-header where there are effects before the jump. I wasn't able to
        construct a test case that would crash trunk, but I also couldn't quite prove why such a
        program couldn't be constructed. I did fix the issue in loop pre-header creation, and the
        validator does catch the issue because of its exitOK assertions.

        This doesn't yet add any other safeguards to LICM - that phase still expects that pre-headers
        are in place and that they were created in such a way that their terminal origins have exitOK.
        It also still keeps the old way of saying "not OK to exit" - having a clear NodeOrigin. In a
        later patch I'll remove that and use !exitOK everywhere. Note that I did consider using clear
        NodeOrigins to signify that it's not OK to exit, but that would make DFGForAllKills a lot more
        expensive - it would have to sometimes search to find nearby forExit origins if the current
        node doesn't have it set - and that's a critical phase for DFG compilation performance.
        Requiring that forExit is usually set to *something* and that properly shadows the original
        bytecode is cheap and easy, so it seemed like a good trade-off.

        This change has no performance effect. Its only effect is that it makes the compiler easier to
        understand by turning a previously magical concept into an explicit one.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::currentNodeOrigin):
        (JSC::DFG::ByteCodeParser::branchData):
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp: Added.
        (JSC::DFG::clobbersExitState):
        * dfg/DFGClobbersExitState.h: Added.
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::convertStringAddUse):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::useKindFor):
        (JSC::DFG::uncheckedUseKindFor):
        (JSC::DFG::typeFilterFor):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::printWhiteSpace):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        * dfg/DFGInsertionSet.cpp:
        (JSC::DFG::InsertionSet::insertSlow):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        (WTF::printInternal):
        * dfg/DFGMayExit.h:
        * dfg/DFGMovHintRemovalPhase.cpp:
        * dfg/DFGNodeOrigin.cpp: Added.
        (JSC::DFG::NodeOrigin::dump):
        * dfg/DFGNodeOrigin.h:
        (JSC::DFG::NodeOrigin::NodeOrigin):
        (JSC::DFG::NodeOrigin::isSet):
        (JSC::DFG::NodeOrigin::withSemantic):
        (JSC::DFG::NodeOrigin::withExitOK):
        (JSC::DFG::NodeOrigin::withInvalidExit):
        (JSC::DFG::NodeOrigin::takeValidExit):
        (JSC::DFG::NodeOrigin::forInsertingAfter):
        (JSC::DFG::NodeOrigin::operator==):
        (JSC::DFG::NodeOrigin::operator!=):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset):
        * dfg/DFGOSRExitBase.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::validate):
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::Phase::vm):
        (JSC::DFG::Phase::codeBlock):
        (JSC::DFG::Phase::profiledBlock):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
657         * dfg/DFGStoreBarrierInsertionPhase.cpp:
658         * dfg/DFGTypeCheckHoistingPhase.cpp:
659         (JSC::DFG::TypeCheckHoistingPhase::run):
660         * dfg/DFGValidate.cpp:
661         (JSC::DFG::Validate::validate):
662         * ftl/FTLCapabilities.cpp:
663         (JSC::FTL::canCompile):
664         * ftl/FTLLowerDFGToLLVM.cpp:
665         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
666         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
667         (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
668         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
669         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
670
671 2015-08-26  Andreas Kling  <akling@apple.com>
672
673         [JSC] StructureTransitionTable should eagerly deallocate single-transition WeakImpls.
674         <https://webkit.org/b/148478>
675
676         Reviewed by Geoffrey Garen.
677
678         Use a WeakHandleOwner to eagerly deallocate StructureTransitionTable's Weak pointers
679         when it's using the single-transition optimization and the Structure it transitioned
680         to has been GC'd.
681
682         This prevents Structures from keeping WeakBlocks alive longer than necessary when
683         they've been transitioned away from but are still in use themselves.
684
685         * runtime/Structure.cpp:
686         (JSC::singleSlotTransitionWeakOwner):
687         (JSC::StructureTransitionTable::singleTransition):
688         (JSC::StructureTransitionTable::setSingleTransition):
689         (JSC::StructureTransitionTable::add):
690         * runtime/StructureTransitionTable.h:
691         (JSC::StructureTransitionTable::singleTransition): Deleted.
692         (JSC::StructureTransitionTable::setSingleTransition): Deleted.
693
694 2015-08-26  Brian Burg  <bburg@apple.com>
695
696         Web Inspector: REGRESSION(r188965): BackendDispatcher loses request ids when called re-entrantly
697         https://bugs.webkit.org/show_bug.cgi?id=148480
698
699         Reviewed by Joseph Pecoraro.
700
701         I added an assertion that m_currentRequestId is Nullopt when dispatch() is called, but this should
702         not hold if dispatching a backend command while the debugger is paused. I will remove the assertion
703         and add proper scoping for all dispatch() branches.
704
705         No new tests, this wrong assert caused inspector/dom-debugger/node-removed.html to crash reliably.
706
707         * inspector/InspectorBackendDispatcher.cpp:
708         (Inspector::BackendDispatcher::dispatch): Cover each exit with an appropriate TemporaryChange scope.
709
710 2015-08-26  Sukolsak Sakshuwong  <sukolsak@gmail.com>
711
712         Remove the unused *Executable::unlinkCalls() and CodeBlock::unlinkCalls()
713         https://bugs.webkit.org/show_bug.cgi?id=148469
714
715         Reviewed by Geoffrey Garen.
716
717         We use CodeBlock::unlinkIncomingCalls() to unlink calls.
718         (...)Executable::unlinkCalls() and CodeBlock::unlinkCalls() are no longer used.
719
720         * bytecode/CodeBlock.cpp:
721         (JSC::CodeBlock::unlinkCalls): Deleted.
722         * bytecode/CodeBlock.h:
723         * runtime/Executable.cpp:
724         (JSC::EvalExecutable::unlinkCalls): Deleted.
725         (JSC::ProgramExecutable::unlinkCalls): Deleted.
726         (JSC::FunctionExecutable::unlinkCalls): Deleted.
727         * runtime/Executable.h:
728         (JSC::ScriptExecutable::unlinkCalls): Deleted.
729
730 2015-08-25  Brian Burg  <bburg@apple.com>
731
732         Web Inspector: no need to allocate protocolErrors array for every dispatched backend command
733         https://bugs.webkit.org/show_bug.cgi?id=146466
734
735         Reviewed by Joseph Pecoraro.
736
737         Clean up some of the backend dispatcher code, with a focus on eliminating useless allocations
738         of objects in the common case when no protocol errors happen. This is done by saving the
739         current id of each request as it is being processed by the backend dispatcher, and tagging any
740         subsequent errors with that id. This also means we don't have to thread the requestId except
741         in the async command code path.
742
743         This patch also lifts some common code shared between all generated backend command
744         implementations into the per-domain dispatch method instead. This reduces generated code size.
745
746         To be consistent, this patch standardizes on calling the id of a backend message its 'requestId'.
747         Requests can be handled synchronously or asynchronously (triggered via the 'async' property).
748
749         No new tests, covered by existing protocol tests.
750
751         * inspector/InspectorBackendDispatcher.cpp:
752         (Inspector::BackendDispatcher::CallbackBase::CallbackBase): Split the two code paths for reporting
753         success and failure.
754
755         (Inspector::BackendDispatcher::CallbackBase::sendFailure):
756         (Inspector::BackendDispatcher::CallbackBase::sendSuccess): Renamed from sendIfActive.
757         (Inspector::BackendDispatcher::dispatch): Reset counters and current requestId before dispatching.
758         No need to manually thread the requestId to all reportProtocolError calls.
759
760         (Inspector::BackendDispatcher::hasProtocolErrors): Added.
761         (Inspector::BackendDispatcher::sendResponse):
762         (Inspector::BackendDispatcher::sendPendingErrors): Send any saved protocol errors to the frontend.
763         Always send a 'data' member with all of the errors, even if there's just one. We might want to add
764         more information about errors later.
765
766         (Inspector::BackendDispatcher::reportProtocolError): Enqueue a protocol error to be sent later.
767         (Inspector::BackendDispatcher::getPropertyValue): Remove useless type parameters and nuke most of
768         the type conversion methods. Use std::function types instead of function pointer types.
769
770         (Inspector::castToInteger): Added.
771         (Inspector::castToNumber): Added.
772         (Inspector::BackendDispatcher::getInteger):
773         (Inspector::BackendDispatcher::getDouble):
774         (Inspector::BackendDispatcher::getString):
775         (Inspector::BackendDispatcher::getBoolean):
776         (Inspector::BackendDispatcher::getObject):
777         (Inspector::BackendDispatcher::getArray):
778         (Inspector::BackendDispatcher::getValue):
779         (Inspector::getPropertyValue): Deleted.
780         (Inspector::AsMethodBridges::asInteger): Deleted.
781         (Inspector::AsMethodBridges::asDouble): Deleted.
782         (Inspector::AsMethodBridges::asString): Deleted.
783         (Inspector::AsMethodBridges::asBoolean): Deleted.
784         (Inspector::AsMethodBridges::asObject): Deleted.
785         (Inspector::AsMethodBridges::asArray): Deleted.
786         (Inspector::AsMethodBridges::asValue): Deleted.
787         * inspector/InspectorBackendDispatcher.h:
788         * inspector/scripts/codegen/cpp_generator_templates.py: Extract 'params' object in domain dispatch method.
789         Omit requestIds where possible. Convert dispatch tables to use NeverDestroyed. Check the protocol error count
790         to decide whether to abort the dispatch or not, rather than allocating our own errors array.
791
792         * inspector/scripts/codegen/cpp_generator_templates.py:
793         (void):
794         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: Revert to passing RefPtr<InspectorObject>
795         since parameters are now being passed rather than the message object. Some commands do not require parameters.
796         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
797         (CppBackendDispatcherImplementationGenerator.generate_output):
798         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
799         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
800         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
801         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
802         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
803         (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command):
804         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
805         * inspector/scripts/codegen/objc_generator_templates.py:
806
807         Rebaseline some protocol generator tests.
808         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
809         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
810         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
811         * inspector/scripts/tests/expected/enum-values.json-result:
812         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
813         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
814         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
815         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
816         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
817         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
818         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
819         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
820         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
821
822 2015-08-25  Saam barati  <sbarati@apple.com>
823
824         Lets rename codeOriginIndex to callSiteIndex and get rid of CallFrame::Location.
825         https://bugs.webkit.org/show_bug.cgi?id=148213
826
827         Reviewed by Filip Pizlo.
828
829         This patch introduces a struct called CallSiteIndex which is
830         used as a wrapper for a 32-bit int to place things in the tag for ArgumentCount 
831         in the call frame. On 32-bit we place Instruction* into this slot for LLInt and Baseline.
832         For 32-bit DFG we place an index into the code origin table in this slot.
833         On 64-bit we place a bytecode offset into this slot for LLInt and Baseline.
834         On 64-bit we place the index into the code origin table in this slot in the
835         DFG/FTL.
836
837         This patch also gets rid of the encoding scheme that describes if something is a
838         bytecode index or a code origin table index. This information can always
839         be determined based on the CodeBlock's JITType.
840
841         StructureStubInfo now also has a CallSiteIndex which it stores to
842         the call frame when making a call.
843
844         * bytecode/CodeBlock.h:
845         (JSC::CodeBlock::hasCodeOrigins):
846         (JSC::CodeBlock::canGetCodeOrigin):
847         (JSC::CodeBlock::codeOrigin):
848         (JSC::CodeBlock::addFrequentExitSite):
849         * bytecode/StructureStubInfo.h:
850         (JSC::StructureStubInfo::StructureStubInfo):
851         * dfg/DFGCommonData.cpp:
852         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
853         (JSC::DFG::CommonData::addCodeOrigin):
854         (JSC::DFG::CommonData::shrinkToFit):
855         * dfg/DFGCommonData.h:
856         (JSC::DFG::CommonData::CommonData):
857         * dfg/DFGJITCompiler.h:
858         (JSC::DFG::JITCompiler::setEndOfCode):
859         (JSC::DFG::JITCompiler::addCallSite):
860         (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
861         * dfg/DFGOSRExitCompilerCommon.cpp:
862         (JSC::DFG::reifyInlinedCallFrames):
863         * dfg/DFGSpeculativeJIT.cpp:
864         (JSC::DFG::SpeculativeJIT::compileIn):
865         * dfg/DFGSpeculativeJIT32_64.cpp:
866         (JSC::DFG::SpeculativeJIT::cachedGetById):
867         (JSC::DFG::SpeculativeJIT::cachedPutById):
868         * dfg/DFGSpeculativeJIT64.cpp:
869         (JSC::DFG::SpeculativeJIT::cachedGetById):
870         (JSC::DFG::SpeculativeJIT::cachedPutById):
871         * ftl/FTLCompile.cpp:
872         (JSC::FTL::mmAllocateDataSection):
873         * ftl/FTLInlineCacheDescriptor.h:
874         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
875         (JSC::FTL::InlineCacheDescriptor::stackmapID):
876         (JSC::FTL::InlineCacheDescriptor::callSiteIndex):
877         (JSC::FTL::InlineCacheDescriptor::uid):
878         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
879         (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
880         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
881         (JSC::FTL::InlineCacheDescriptor::codeOrigin): Deleted.
882         * ftl/FTLLink.cpp:
883         (JSC::FTL::link):
884         * ftl/FTLLowerDFGToLLVM.cpp:
885         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
886         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
887         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
888         (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
889         * ftl/FTLSlowPathCall.cpp:
890         (JSC::FTL::storeCodeOrigin):
891         * interpreter/CallFrame.cpp:
892         (JSC::CallFrame::currentVPC):
893         (JSC::CallFrame::setCurrentVPC):
894         (JSC::CallFrame::callSiteBitsAsBytecodeOffset):
895         (JSC::CallFrame::bytecodeOffset):
896         (JSC::CallFrame::codeOrigin):
897         (JSC::CallFrame::topOfFrameInternal):
898         (JSC::CallFrame::locationAsBytecodeOffset): Deleted.
899         (JSC::CallFrame::setLocationAsBytecodeOffset): Deleted.
900         (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex): Deleted.
901         * interpreter/CallFrame.h:
902         (JSC::CallSiteIndex::CallSiteIndex):
903         (JSC::CallSiteIndex::bits):
904         (JSC::ExecState::returnPCOffset):
905         (JSC::ExecState::abstractReturnPC):
906         (JSC::ExecState::topOfFrame):
907         (JSC::ExecState::setCallerFrame):
908         (JSC::ExecState::setScope):
909         (JSC::ExecState::currentVPC): Deleted.
910         (JSC::ExecState::setCurrentVPC): Deleted.
911         * interpreter/CallFrameInlines.h:
912         (JSC::CallFrame::callSiteBitsAreBytecodeOffset):
913         (JSC::CallFrame::callSiteBitsAreCodeOriginIndex):
914         (JSC::CallFrame::callSiteAsRawBits):
915         (JSC::CallFrame::callSiteIndex):
916         (JSC::CallFrame::hasActivation):
917         (JSC::CallFrame::Location::encode): Deleted.
918         (JSC::CallFrame::Location::decode): Deleted.
919         (JSC::CallFrame::Location::encodeAsBytecodeOffset): Deleted.
920         (JSC::CallFrame::Location::encodeAsBytecodeInstruction): Deleted.
921         (JSC::CallFrame::Location::encodeAsCodeOriginIndex): Deleted.
922         (JSC::CallFrame::Location::isBytecodeLocation): Deleted.
923         (JSC::CallFrame::Location::isCodeOriginIndex): Deleted.
924         (JSC::CallFrame::hasLocationAsBytecodeOffset): Deleted.
925         (JSC::CallFrame::hasLocationAsCodeOriginIndex): Deleted.
926         (JSC::CallFrame::locationAsRawBits): Deleted.
927         (JSC::CallFrame::setLocationAsRawBits): Deleted.
928         (JSC::CallFrame::locationAsBytecodeOffset): Deleted.
929         (JSC::CallFrame::setLocationAsBytecodeOffset): Deleted.
930         (JSC::CallFrame::locationAsCodeOriginIndex): Deleted.
931         * interpreter/StackVisitor.cpp:
932         (JSC::StackVisitor::readFrame):
933         (JSC::StackVisitor::readNonInlinedFrame):
934         (JSC::StackVisitor::Frame::print):
935         * jit/JITCall.cpp:
936         (JSC::JIT::compileOpCall):
937         * jit/JITCall32_64.cpp:
938         (JSC::JIT::compileOpCall):
939         * jit/JITInlineCacheGenerator.cpp:
940         (JSC::garbageStubInfo):
941         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
942         (JSC::JITByIdGenerator::JITByIdGenerator):
943         (JSC::JITByIdGenerator::generateFastPathChecks):
944         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
945         (JSC::JITGetByIdGenerator::generateFastPath):
946         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
947         * jit/JITInlineCacheGenerator.h:
948         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
949         (JSC::JITInlineCacheGenerator::stubInfo):
950         (JSC::JITByIdGenerator::JITByIdGenerator):
951         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
952         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
953         * jit/JITInlines.h:
954         (JSC::JIT::updateTopCallFrame):
955         * jit/JITOperations.cpp:
956         (JSC::getByVal):
957         (JSC::tryGetByValOptimize):
958         * jit/JITPropertyAccess.cpp:
959         (JSC::JIT::emitGetByValWithCachedId):
960         (JSC::JIT::emitPutByValWithCachedId):
961         (JSC::JIT::emit_op_get_by_id):
962         (JSC::JIT::emit_op_put_by_id):
963         * jit/JITPropertyAccess32_64.cpp:
964         (JSC::JIT::emitGetByValWithCachedId):
965         (JSC::JIT::emitPutByValWithCachedId):
966         (JSC::JIT::emit_op_get_by_id):
967         (JSC::JIT::emit_op_put_by_id):
968         * jit/Repatch.cpp:
969         (JSC::generateByIdStub):
970
971 2015-08-25  Aleksandr Skachkov  <gskachkov@gmail.com>
972
973         Function.prototype.toString is incorrect for ArrowFunction
974         https://bugs.webkit.org/show_bug.cgi?id=148148
975
976         Reviewed by Saam Barati.
977         
978         Added correct support for the toString() method for arrow functions.
979
980         * parser/ASTBuilder.h:
981         (JSC::ASTBuilder::createFunctionMetadata):
982         (JSC::ASTBuilder::createArrowFunctionExpr):
983         * parser/Nodes.cpp:
984         (JSC::FunctionMetadataNode::FunctionMetadataNode):
985         * parser/Nodes.h:
986         * parser/Parser.cpp:
987         (JSC::Parser<LexerType>::parseFunctionBody):
988         (JSC::Parser<LexerType>::parseFunctionInfo):
989         * parser/SyntaxChecker.h:
990         (JSC::SyntaxChecker::createFunctionMetadata):
991         * runtime/FunctionPrototype.cpp:
992         (JSC::functionProtoFuncToString):
993         * tests/stress/arrowfunction-tostring.js: Added.
994
995 2015-08-25  Saam barati  <sbarati@apple.com>
996
997         Callee can be incorrectly overridden when it's captured
998         https://bugs.webkit.org/show_bug.cgi?id=148400
999
1000         Reviewed by Filip Pizlo.
1001
1002         We now resort to always creating the function name scope
1003         when the function name is in scope. Because the bytecode
1004         generator now has a notion of local lexical scoping,
1005         this incurs no runtime penalty for function expression names
1006         that aren't heap allocated. If they are heap allocated,
1007         this means we may now have one more scope on the runtime
1008         scope stack than before. This modification simplifies the
1009         callee initialization code and uses the lexical scoping constructs
1010         to implement this. This implementation also ensures
1011         that everything Just Works for functions with default
1012         parameter values. Before this patch, IIFE functions
1013         with default parameter values and a captured function
1014         name would crash JSC.
1015
1016         * bytecompiler/BytecodeGenerator.cpp:
1017         (JSC::BytecodeGenerator::BytecodeGenerator):
1018         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1019         (JSC::BytecodeGenerator::popLexicalScopeInternal):
1020         (JSC::BytecodeGenerator::variable):
1021         (JSC::BytecodeGenerator::resolveType):
1022         (JSC::BytecodeGenerator::emitThrowTypeError):
1023         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1024         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1025         * bytecompiler/BytecodeGenerator.h:
1026         (JSC::Variable::isReadOnly):
1027         (JSC::Variable::isSpecial):
1028         (JSC::Variable::isConst):
1029         (JSC::Variable::setIsReadOnly):
1030         * bytecompiler/NodesCodegen.cpp:
1031         (JSC::PostfixNode::emitResolve):
1032         (JSC::PrefixNode::emitResolve):
1033         (JSC::ReadModifyResolveNode::emitBytecode):
1034         (JSC::AssignResolveNode::emitBytecode):
1035         (JSC::BindingNode::bindValue):
1036         * tests/stress/IIFE-es6-default-parameters.js: Added.
1037         (assert):
1038         (.):
1039         * tests/stress/IIFE-function-name-captured.js: Added.
1040         (assert):
1041         (.):
1042
1043 2015-08-24  Brian Burg  <bburg@apple.com>
1044
1045         Web Inspector: add protocol test for existing error handling performed by the backend
1046         https://bugs.webkit.org/show_bug.cgi?id=147097
1047
1048         Reviewed by Joseph Pecoraro.
1049
1050         A new test revealed that the protocol "method" parameter was being parsed in a naive way.
1051         Rewrite it to use String::split and improve error checking to avoid failing later.
1052
1053         * inspector/InspectorBackendDispatcher.cpp:
1054         (Inspector::BackendDispatcher::dispatch):
1055
1056 2015-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1057
1058         [ES6] Return JSInternalPromise as result of evaluateModule
1059         https://bugs.webkit.org/show_bug.cgi?id=148173
1060
1061         Reviewed by Saam Barati.
1062
1063         Now evaluateModule returns JSInternalPromise* as its result value.
1064         When an error occurs while loading or executing the modules,
1065         this promise is rejected by that error. By leveraging this, we implemented
1066         asynchronous error reporting when executing the modules in JSC shell.
1067
1068         And this patch also changes the evaluateModule signature to accept the entry
1069         point by the moduleName. By using it, JSC shell can start executing the modules
1070         with the entry point module name.
1071
1072         * builtins/ModuleLoaderObject.js:
1073         (loadModule):
1074         * jsc.cpp:
1075         (dumpException):
1076         (runWithScripts):
1077         * runtime/Completion.cpp:
1078         (JSC::evaluateModule):
1079         * runtime/Completion.h:
1080         * runtime/JSInternalPromise.cpp:
1081         (JSC::JSInternalPromise::then):
1082         * runtime/JSInternalPromise.h:
1083         * runtime/ModuleLoaderObject.cpp:
1084         (JSC::ModuleLoaderObject::requestInstantiateAll):
1085         (JSC::ModuleLoaderObject::loadModule):
1086         (JSC::ModuleLoaderObject::resolve):
1087         (JSC::ModuleLoaderObject::fetch):
1088         (JSC::ModuleLoaderObject::translate):
1089         (JSC::ModuleLoaderObject::instantiate):
1090         (JSC::moduleLoaderObjectParseModule):
1091         * runtime/ModuleLoaderObject.h:
1092
1093 2015-08-24  Basile Clement  <basile_clement@apple.com>
1094
1095         REPTACH is not a word
1096         https://bugs.webkit.org/show_bug.cgi?id=148401
1097
1098         Reviewed by Saam Barati.
1099
1100         * assembler/MacroAssemblerX86_64.h:
1101         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
1102         (JSC::MacroAssemblerX86_64::call):
1103         (JSC::MacroAssemblerX86_64::tailRecursiveCall):
1104         (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
1105         (JSC::MacroAssemblerX86_64::readCallTarget):
1106         (JSC::MacroAssemblerX86_64::linkCall):
1107         (JSC::MacroAssemblerX86_64::repatchCall):
1108
1109 2015-08-24  Mark Lam  <mark.lam@apple.com>
1110
1111         Add support for setting JSC options from a file.
1112         https://bugs.webkit.org/show_bug.cgi?id=148394
1113
1114         Reviewed by Saam Barati.
1115
1116         This is needed for environments where the JSC executable does not have access to
1117         environment variables.  This is only needed for debugging, and is currently
1118         guarded under a #define USE_OPTIONS_FILE in Options.cpp, and is disabled by
1119         default.
1120
1121         Also fixed Options::setOptions() to allow for whitespace that is not a single
1122         ' '.  This makes setOptions() much more flexible and friendlier to use for loading
1123         options in general.
1124
1125         For example, this current use case of loading options from a file may have '\n's
1126         in the character stream, and this feature is easier to implement if setOptions()
1127         just supports more than 1 whitespace char between options, and recognizes whitespace
1128         characters other than ' '.
1129
1130         * runtime/Options.cpp:
1131         (JSC::parse):
1132         (JSC::Options::initialize):
1133         (JSC::Options::setOptions):
1134
1135 2015-08-24  Filip Pizlo  <fpizlo@apple.com>
1136
1137         DFG::FixupPhase should use the lambda form of m_graph.doToChildren() rather than the old macro
1138         https://bugs.webkit.org/show_bug.cgi?id=148397
1139
1140         Reviewed by Geoffrey Garen.
1141
1142         We used to iterate the edges of a node by using the DFG_NODE_DO_TO_CHILDREN macro. We
1143         don't need to do that anymore since we have the lambda-based m_graph.doToChildren(). This
1144         allows us to get rid of a bunch of helper methods in DFG::FixupPhase.
1145
1146         I also took the opportunity to give the injectTypeConversionsInBlock() method a more
1147         generic name, since after https://bugs.webkit.org/show_bug.cgi?id=145204 it will be used
1148         for fix-up of checks more broadly.
1149
1150         * dfg/DFGFixupPhase.cpp:
1151         (JSC::DFG::FixupPhase::run):
1152         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
1153         (JSC::DFG::FixupPhase::fixupChecksInBlock):
1154         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): Deleted.
1155         (JSC::DFG::FixupPhase::tryToRelaxRepresentation): Deleted.
1156         (JSC::DFG::FixupPhase::fixEdgeRepresentation): Deleted.
1157         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Deleted.
1158
1159 2015-08-24  Geoffrey Garen  <ggaren@apple.com>
1160
1161         Some renaming to clarify CodeBlock and UnlinkedCodeBlock
1162         https://bugs.webkit.org/show_bug.cgi?id=148391
1163
1164         Reviewed by Saam Barati.
1165
1166         * bytecode/UnlinkedFunctionExecutable.cpp:
1167         (JSC::generateUnlinkedFunctionCodeBlock):
1168         (JSC::UnlinkedFunctionExecutable::visitChildren):
1169         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1170         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1171         (JSC::generateFunctionCodeBlock): Deleted.
1172         (JSC::UnlinkedFunctionExecutable::codeBlockFor): Deleted.
1173         * bytecode/UnlinkedFunctionExecutable.h: Call our CodeBlocks "unlinked"
1174         in the name for clarity, since we are unlinked. 
1175
1176         * heap/Heap.cpp:
1177         (JSC::Heap::objectTypeCounts):
1178         (JSC::Heap::deleteAllCodeBlocks):
1179         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1180         (JSC::Heap::clearUnmarkedExecutables):
1181         (JSC::Heap::deleteOldCode):
1182         (JSC::Heap::FinalizerOwner::finalize):
1183         (JSC::Heap::addExecutable):
1184         (JSC::Heap::collectAllGarbageIfNotDoneRecently):
1185         (JSC::Heap::deleteAllCompiledCode): Deleted.
1186         (JSC::Heap::deleteAllUnlinkedFunctionCode): Deleted.
1187         (JSC::Heap::addCompiledCode): Deleted.
1188         * heap/Heap.h:
1189         (JSC::Heap::notifyIsSafeToCollect):
1190         (JSC::Heap::isSafeToCollect):
1191         (JSC::Heap::sizeBeforeLastFullCollection):
1192         (JSC::Heap::sizeAfterLastFullCollection):
1193         (JSC::Heap::compiledCode): Deleted.
1194
1195             deleteAllCompiledCode => deleteAllCodeBlocks because "compiled"
1196             is a broad phrase these days.
1197
1198             m_compiledCode => m_executables for the same reason.
1199
1200             addCompiledCode => addExecutable for the same reason.
1201
1202             deleteAllUnlinkedFunctionCode => deleteAllUnlinkedCodeBlocks
1203             for consistency.
1204
1205         * jsc.cpp:
1206         (functionDeleteAllCompiledCode):
1207
1208         * runtime/Executable.cpp:
1209         (JSC::ScriptExecutable::newCodeBlockFor): codeBlockFor => unlinkedCodeBlockFor
1210
1211         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation): Deleted.
1212         It was strange to put this function on executable, since its name implied
1213         that it only changed the executable, but it actually changed all cached
1214         code. Now, a client that wants to change cached code must do so explicitly.
1215
1216         * runtime/Executable.h:
1217         (JSC::ScriptExecutable::finishCreation):
1218         * runtime/VM.cpp:
1219         (JSC::VM::deleteAllCode):
1220         * runtime/VMEntryScope.cpp:
1221         (JSC::VMEntryScope::VMEntryScope): Updated for renames above.
1222
1223 2015-08-22  Filip Pizlo  <fpizlo@apple.com>
1224
1225         DFG::InsertionSet should be tolerant of occasional out-of-order insertions
1226         https://bugs.webkit.org/show_bug.cgi?id=148367
1227
1228         Reviewed by Geoffrey Garen and Saam Barati.
1229
1230         Since forever, the DFG::InsertionSet has been the way we insert nodes into DFG IR, and it
1231         requires that you walk a block in order and perform insertions in order: you can't insert
1232         something at index J, then at index I where I < J, except if you do a second pass.
1233
1234         This restriction makes sense, because it enables a very fast algorithm. And it's very
1235         rare that a phase would need to insert things out of order.
1236
1237         But sometimes - rarely - we need to insert things slightly out-of-order. For example we
1238         may want to insert a node at index J, but to insert a check associated with that node, we
1239         may need to use index I where I < J. This will come up from the work on
1240         https://bugs.webkit.org/show_bug.cgi?id=145204. And it has already come up in the past.
1241         It seems like it would be best to just lift this restriction.
1242
1243         * CMakeLists.txt:
1244         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1245         * JavaScriptCore.xcodeproj/project.pbxproj:
1246         * dfg/DFGInsertionSet.cpp: Added.
1247         (JSC::DFG::InsertionSet::insertSlow):
1248         * dfg/DFGInsertionSet.h:
1249         (JSC::DFG::InsertionSet::InsertionSet):
1250         (JSC::DFG::InsertionSet::graph):
1251         (JSC::DFG::InsertionSet::insert):
1252         (JSC::DFG::InsertionSet::execute):
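
The out-of-order case this entry describes, as an added C++ illustration that is not WebKit's DFG::InsertionSet: the method names insert, insertSlow and execute are borrowed from the function list above, but the Node type, the label strings and the demoOutOfOrder scenario are constructed here. Insertions are buffered as (index, node) pairs kept sorted by index; in-order requests append in O(1), an out-of-order request takes a slow path that re-sorts, and execute() applies everything in one forward pass.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for a DFG node: a basic block is just a vector of these.
struct Node {
    std::string label;
};

// Illustrative insertion set (not WebKit's DFG::InsertionSet). Insertions are
// buffered as (index, node) pairs, kept sorted by index, and applied to the
// block in one pass by execute().
class InsertionSet {
public:
    // Record that `node` should be placed before the node currently at `index`.
    // Fast path: indices arrive in non-decreasing order, so appending keeps the
    // buffer sorted. An out-of-order index goes through insertSlow().
    void insert(size_t index, Node node)
    {
        if (!m_insertions.empty() && index < m_insertions.back().first) {
            insertSlow(index, std::move(node));
            return;
        }
        m_insertions.emplace_back(index, std::move(node));
    }

    // Apply all buffered insertions to `block` in a single forward pass.
    void execute(std::vector<Node>& block)
    {
        std::vector<Node> result;
        result.reserve(block.size() + m_insertions.size());
        size_t next = 0;
        for (size_t i = 0; i < block.size(); ++i) {
            // Emit every insertion targeting position i before the original node.
            while (next < m_insertions.size() && m_insertions[next].first == i)
                result.push_back(std::move(m_insertions[next++].second));
            result.push_back(std::move(block[i]));
        }
        // Insertions at index == block.size() append to the end of the block.
        while (next < m_insertions.size())
            result.push_back(std::move(m_insertions[next++].second));
        block = std::move(result);
        m_insertions.clear();
    }

    size_t slowPathCount() const { return m_slowPathCount; }

private:
    // Slow path: find the first buffered insertion with a strictly greater index
    // and insert before it. upper_bound keeps insertions that share an index in
    // the order they were requested, so the buffer stays sorted and stable.
    void insertSlow(size_t index, Node node)
    {
        ++m_slowPathCount;
        auto position = std::upper_bound(
            m_insertions.begin(), m_insertions.end(), index,
            [](size_t wanted, const std::pair<size_t, Node>& entry) { return wanted < entry.first; });
        m_insertions.emplace(position, index, std::move(node));
    }

    std::vector<std::pair<size_t, Node>> m_insertions;
    size_t m_slowPathCount = 0;
};

// Constructed scenario: a node is inserted at index 2, then a check belonging
// to it has to go at index 1, i.e. before the previous insertion.
std::vector<std::string> demoOutOfOrder(size_t* slowPaths = nullptr)
{
    std::vector<Node> block = { { "a" }, { "b" }, { "c" } };
    InsertionSet set;
    set.insert(2, Node { "x" });     // fast path
    set.insert(1, Node { "check" }); // 1 < 2: slow path
    set.insert(3, Node { "tail" });  // 3 >= 2: fast path again, appends at end
    set.execute(block);
    if (slowPaths)
        *slowPaths = set.slowPathCount();
    std::vector<std::string> labels;
    for (const Node& node : block)
        labels.push_back(node.label);
    return labels;
}

// How many times the scenario above had to take the slow path.
size_t demoSlowPathCount()
{
    size_t slowPaths = 0;
    demoOutOfOrder(&slowPaths);
    return slowPaths;
}

int main()
{
    for (const std::string& label : demoOutOfOrder())
        std::cout << label << ' ';
    std::cout << "(slow path taken " << demoSlowPathCount() << " time(s))\n";
    return 0;
}
```

Running it yields the block a check b x c tail with the slow path taken once. The invariant that matters is that the buffer is always sorted by index, so execute() can stay a single linear merge regardless of how many requests arrived out of order; only the out-of-order request pays for a binary search plus a vector shift.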
1253
1254 2015-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1255
1256         Create ById IC for ByVal operation only when the specific Id comes more than once
1257         https://bugs.webkit.org/show_bug.cgi?id=148288
1258
1259         Reviewed by Geoffrey Garen.
1260
1261         After introducing byId ICs into byVal ops, byVal ops create many more ICs than before.
1262         The failure fixed in r188767 shows that these ICs are created even if the op is executed only once.
1263
1264         The situation is the following:
1265         In the current code, when a byVal op is executed with an Id, we immediately set up the byId IC for that byVal op.
1266         But setting up JITGetByIdGenerator generates the fast path IC code and consumes executable memory.
1267         As a result, if we call eval("contains byVal ops") with different strings repeatedly in a no-llint environment, each eval call creates a byId IC for the byVal op and consumes executable memory.
1268
1269         To solve it, we will add a "seen" flag to ByValInfo.
1270         And we will create the IC on the second byVal op call with the same Id.
1271
1272         * bytecode/ByValInfo.h:
1273         (JSC::ByValInfo::ByValInfo):
1274         * jit/JITOperations.cpp:
1275         (JSC::tryGetByValOptimize):
1276         * jit/JITPropertyAccess.cpp:
1277         (JSC::JIT::privateCompileGetByValWithCachedId): Deleted.
1278         (JSC::JIT::privateCompilePutByValWithCachedId): Deleted.
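
The effect of the "seen" policy on executable memory, as an added C++ model that is not WebKit code: ByValSite, accessEager, accessSeen, the kStubBytes cost and the eval trace in executableBytesUsed are all constructed here to compare the eager policy (compile a byId stub on the first access) with the policy this entry introduces (compile only on the second access with the same identifier).

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Illustrative model (not WebKit code) of the policy described above: a byVal
// access site only gets a byId inline cache once the same identifier has been
// observed at that site twice. Executable memory is modelled as a byte counter.

constexpr size_t kStubBytes = 128; // assumed cost of one compiled fast path (constructed value)

// Hypothetical stand-in for the per-site state ByValInfo would carry.
struct ByValSite {
    bool seen = false;        // have we observed an identifier here before?
    std::string seenId;       // which identifier that was
    bool hasByIdStub = false; // a byId IC has been compiled for this site
};

// Eager policy (before the change): compile a stub on the first identifier access.
void accessEager(ByValSite& site, const std::string& id, size_t& executableBytes)
{
    (void)id;
    if (site.hasByIdStub)
        return;
    site.hasByIdStub = true;
    executableBytes += kStubBytes;
}

// "Seen" policy (after the change): remember the first identifier and compile on
// the second access with the same one. A different identifier resets the record.
void accessSeen(ByValSite& site, const std::string& id, size_t& executableBytes)
{
    if (site.hasByIdStub)
        return;
    if (!site.seen || site.seenId != id) {
        site.seen = true;
        site.seenId = id;
        return;
    }
    site.hasByIdStub = true;
    executableBytes += kStubBytes;
}

// Constructed trace: `evalCalls` eval() calls each produce a fresh access site
// that runs exactly once with its own identifier, plus one hot site in a loop
// that runs `hotIterations` times with the same identifier.
size_t executableBytesUsed(bool useSeenPolicy, size_t evalCalls, size_t hotIterations)
{
    size_t bytes = 0;
    for (size_t i = 0; i < evalCalls; ++i) {
        ByValSite oneShot;
        std::string id = "prop" + std::to_string(i);
        if (useSeenPolicy)
            accessSeen(oneShot, id, bytes);
        else
            accessEager(oneShot, id, bytes);
    }
    ByValSite hot;
    for (size_t i = 0; i < hotIterations; ++i) {
        if (useSeenPolicy)
            accessSeen(hot, "length", bytes);
        else
            accessEager(hot, "length", bytes);
    }
    return bytes;
}

int main()
{
    std::cout << "eager: " << executableBytesUsed(false, 1000, 10) << " bytes\n";
    std::cout << "seen:  " << executableBytesUsed(true, 1000, 10) << " bytes\n";
    return 0;
}
```

With 1000 one-shot eval sites and one hot site, the eager policy spends a stub on every site (1001 stubs) while the "seen" policy spends exactly one, on the hot site; the one-shot sites never consume executable memory because no identifier is observed at them twice.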
1279
1280 2015-08-23  Benjamin Poulain  <bpoulain@apple.com>
1281
1282         [JSC] Get rid of NodePointerTraits
1283         https://bugs.webkit.org/show_bug.cgi?id=148340
1284
1285         Reviewed by Anders Carlsson.
1286
1287         NodePointerTraits does exactly the same thing as the default trait.
1288
1289         * dfg/DFGBasicBlock.h:
1290         * dfg/DFGCommon.h:
1291         (JSC::DFG::NodePointerTraits::defaultValue): Deleted.
1292         (JSC::DFG::NodePointerTraits::isEmptyForDump): Deleted.
1293
1294 2015-08-23  Benjamin Poulain  <bpoulain@apple.com>
1295
1296         [JSC] Reduce the memory usage of BytecodeLivenessAnalysis
1297         https://bugs.webkit.org/show_bug.cgi?id=148353
1298
1299         Reviewed by Darin Adler.
1300
1301         BytecodeLivenessAnalysis easily takes kilobytes of memory for
1302         non-trivial blocks, and that memory sticks around because
1303         it is stored on CodeBlock.
1304
1305         This patch reduces that memory use a bit.
1306
1307         Most of the memory is in the array of BytecodeBasicBlock.
1308         BytecodeBasicBlock is shrunk by:
1309         -Making it not ref-counted.
1310         -Removing m_predecessors, it was only used for debugging and
1311          is usually big.
1312         -Added a shrinkToFit() phase to shrink the vectors once we are
1313          done building the BytecodeBasicBlock.
1314
1315         There are more things we should do in the future:
1316         -Store all the BytecodeBasicBlock directly in the array.
1317          We know the size ahead of time, this would be a pure win.
1318          The only tricky part is changing m_successors to have the
1319          index of the successor instead of a pointer.
1320         -Stop putting duplicates in m_successors.
1321
1322         * bytecode/BytecodeBasicBlock.cpp:
1323         (JSC::computeBytecodeBasicBlocks):
1324         (JSC::BytecodeBasicBlock::shrinkToFit): Deleted.
1325         (JSC::linkBlocks): Deleted.
1326         * bytecode/BytecodeBasicBlock.h:
1327         (JSC::BytecodeBasicBlock::addSuccessor):
1328         (JSC::BytecodeBasicBlock::addPredecessor): Deleted.
1329         (JSC::BytecodeBasicBlock::predecessors): Deleted.
1330         * bytecode/BytecodeLivenessAnalysis.cpp:
1331         (JSC::getLeaderOffsetForBasicBlock):
1332         (JSC::findBasicBlockWithLeaderOffset):
1333         (JSC::findBasicBlockForBytecodeOffset):
1334         (JSC::stepOverInstruction):
1335         (JSC::computeLocalLivenessForBytecodeOffset):
1336         (JSC::computeLocalLivenessForBlock):
1337         (JSC::BytecodeLivenessAnalysis::dumpResults): Deleted.
1338         * bytecode/BytecodeLivenessAnalysis.h:
1339
1340 2015-08-23  Geoffrey Garen  <ggaren@apple.com>
1341
1342         Unreviewed, rolling back in r188792.
1343         https://bugs.webkit.org/show_bug.cgi?id=148347
1344
1345         Previously reverted changesets:
1346
1347         "Unify code paths for manually deleting all code"
1348         https://bugs.webkit.org/show_bug.cgi?id=148280
1349         http://trac.webkit.org/changeset/188792
1350
1351         The previous patch caused some inspector tests to hang because it
1352         introduced extra calls to sourceParsed, and sourceParsed is
1353         pathologically slow in WK1 debug builds. This patch restores pre-existing
1354         code to limit calls to sourceParsed, excluding code not being debugged
1355         (i.e., inspector code).
1356
1357 2015-08-23  Geoffrey Garen  <ggaren@apple.com>
1358
1359         Unreviewed, rolling back in r188803.
1360
1361         Previously reverted changesets:
1362
1363         "Debugger's VM should never be null"
1364         https://bugs.webkit.org/show_bug.cgi?id=148341
1365         http://trac.webkit.org/changeset/188803
1366
1367         * debugger/Debugger.cpp:
1368         (JSC::Debugger::Debugger):
1369         (JSC::Debugger::attach):
1370         (JSC::Debugger::detach):
1371         (JSC::Debugger::isAttached):
1372         (JSC::Debugger::setSteppingMode):
1373         (JSC::Debugger::registerCodeBlock):
1374         (JSC::Debugger::toggleBreakpoint):
1375         (JSC::Debugger::recompileAllJSFunctions):
1376         (JSC::Debugger::setBreakpoint):
1377         (JSC::Debugger::clearBreakpoints):
1378         (JSC::Debugger::clearDebuggerRequests):
1379         (JSC::Debugger::setBreakpointsActivated):
1380         (JSC::Debugger::breakProgram):
1381         (JSC::Debugger::stepOutOfFunction):
1382         (JSC::Debugger::returnEvent):
1383         (JSC::Debugger::didExecuteProgram):
1384         * debugger/Debugger.h:
1385         * inspector/JSGlobalObjectScriptDebugServer.cpp:
1386         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
1387         (Inspector::JSGlobalObjectScriptDebugServer::removeListener):
1388         (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
1389         (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions): Deleted.
1390         * inspector/JSGlobalObjectScriptDebugServer.h:
1391         * inspector/ScriptDebugServer.cpp:
1392         (Inspector::ScriptDebugServer::ScriptDebugServer):
1393         * inspector/ScriptDebugServer.h:
1394
1395 2015-08-22  Filip Pizlo  <fpizlo@apple.com>
1396
1397         DFG string concatenation shouldn't be playing fast and loose with effects and OSR exit
1398         https://bugs.webkit.org/show_bug.cgi?id=148338
1399
1400         Reviewed by Michael Saboff and Saam Barati.
1401
1402         Prior to this change, DFG string concatenation appeared to have various different ways of
1403         creating an OSR exit right after a side effect. That's bad, because the exit will cause
1404         us to reexecute the side effect. The code appears to have some hacks for avoiding this,
1405         but some cases are basically unavoidable, like the OOM case of string concatenation: in
1406         trunk that could cause two executions of the toString operation.
1407
1408         This changes the string concatenation code to either be speculative or effectful but
1409         never both. It's already the case that when this code needs to be effectful, it also
1410         needs to be slow (it does int->string conversions, calls JS functions, etc). So, this is
1411         a small price to pay for sanity.
1412
1413         The biggest part of this change is the introduction of StrCat, which is like MakeRope but
1414         does toString conversions on its own instead of relying on separate nodes. StrCat can
1415         take either 2 or 3 children. It's the effectful but not speculative version of MakeRope.
1416
1417         * dfg/DFGAbstractInterpreterInlines.h:
1418         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1419         * dfg/DFGBackwardsPropagationPhase.cpp:
1420         (JSC::DFG::BackwardsPropagationPhase::propagate):
1421         * dfg/DFGByteCodeParser.cpp:
1422         (JSC::DFG::ByteCodeParser::parseBlock):
1423         * dfg/DFGClobberize.h:
1424         (JSC::DFG::clobberize):
1425         * dfg/DFGDoesGC.cpp:
1426         (JSC::DFG::doesGC):
1427         * dfg/DFGFixupPhase.cpp:
1428         (JSC::DFG::FixupPhase::fixupNode):
1429         (JSC::DFG::FixupPhase::convertStringAddUse):
1430         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
1431         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1432         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1433         * dfg/DFGNodeType.h:
1434         * dfg/DFGOperations.cpp:
1435         * dfg/DFGOperations.h:
1436         * dfg/DFGPredictionPropagationPhase.cpp:
1437         (JSC::DFG::PredictionPropagationPhase::propagate):
1438         * dfg/DFGSafeToExecute.h:
1439         (JSC::DFG::safeToExecute):
1440         * dfg/DFGSpeculativeJIT.h:
1441         (JSC::DFG::SpeculativeJIT::callOperation):
1442         (JSC::DFG::JSValueOperand::JSValueOperand):
1443         (JSC::DFG::JSValueOperand::~JSValueOperand):
1444         * dfg/DFGSpeculativeJIT32_64.cpp:
1445         (JSC::DFG::SpeculativeJIT::compile):
1446         * dfg/DFGSpeculativeJIT64.cpp:
1447         (JSC::DFG::SpeculativeJIT::compile):
1448         * dfg/DFGValidate.cpp:
1449         (JSC::DFG::Validate::validate):
1450         * ftl/FTLCapabilities.cpp:
1451         (JSC::FTL::canCompile):
1452         * ftl/FTLIntrinsicRepository.h:
1453         * ftl/FTLLowerDFGToLLVM.cpp:
1454         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1455         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
1456         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
1457         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1458         * jit/JITOperations.h:
1459         * tests/stress/exception-effect-strcat.js: Added. This test previously failed.
1460         * tests/stress/exception-in-strcat-string-overflow.js: Added. An earlier version of this patch made this fail.
1461         * tests/stress/exception-in-strcat.js: Added.
1462
1463 2015-08-22  Andreas Kling  <akling@apple.com>
1464
1465         [JSC] Static hash tables should be 100% compile-time constant.
1466         <https://webkit.org/b/148359>
1467
1468         Reviewed by Michael Saboff.
1469
1470         We were dirtying the memory pages containing static hash tables the
1471         first time they were used, when a dynamically allocated index-to-key
1472         table was built and cached in the HashTable struct.
1473
1474         It turns out that this "optimization" was completely useless, since
1475         we've long since decoupled static hash tables from the JSC::VM and
1476         we can get the key for an index via HashTable::values[index].m_key!
1477
1478         We also get rid of VM::keywords which was a little wrapper around
1479         a VM-specific copy of JSC::mainTable. There was nothing VM-specific
1480         about it at all, so clients now use JSC::mainTable directly.
1481
1482         After this change all fooHashTable structs end up in __DATA __const
1483         and no runtime initialization/allocation takes place.
1484
1485         * create_hash_table:
1486         * jsc.cpp:
1487         * parser/Lexer.cpp:
1488         (JSC::isLexerKeyword):
1489         (JSC::Lexer<LChar>::parseIdentifier):
1490         (JSC::Lexer<UChar>::parseIdentifier):
1491         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
1492         (JSC::Keywords::Keywords): Deleted.
1493         * parser/Lexer.h:
1494         (JSC::Keywords::isKeyword): Deleted.
1495         (JSC::Keywords::getKeyword): Deleted.
1496         (JSC::Keywords::~Keywords): Deleted.
1497         * runtime/LiteralParser.cpp:
1498         (JSC::LiteralParser<CharType>::tryJSONPParse):
1499         * runtime/Lookup.cpp:
1500         (JSC::HashTable::createTable): Deleted.
1501         (JSC::HashTable::deleteTable): Deleted.
1502         * runtime/Lookup.h:
1503         (JSC::HashTable::entry):
1504         (JSC::HashTable::ConstIterator::key):
1505         (JSC::HashTable::ConstIterator::skipInvalidKeys):
1506         (JSC::HashTable::copy): Deleted.
1507         (JSC::HashTable::initializeIfNeeded): Deleted.
1508         (JSC::HashTable::begin): Deleted.
1509         (JSC::HashTable::end): Deleted.
1510         * runtime/VM.cpp:
1511         (JSC::VM::VM): Deleted.
1512         * runtime/VM.h:
1513         * testRegExp.cpp:
1514
1515 2015-08-21  Commit Queue  <commit-queue@webkit.org>
1516
1517         Unreviewed, rolling out r188792 and r188803.
1518         https://bugs.webkit.org/show_bug.cgi?id=148347
1519
1520         broke lots of tests, ggaren is going to investigate and reland
1521         (Requested by thorton on #webkit).
1522
1523         Reverted changesets:
1524
1525         "Unify code paths for manually deleting all code"
1526         https://bugs.webkit.org/show_bug.cgi?id=148280
1527         http://trac.webkit.org/changeset/188792
1528
1529         "Debugger's VM should never be null"
1530         https://bugs.webkit.org/show_bug.cgi?id=148341
1531         http://trac.webkit.org/changeset/188803
1532
1533 2015-08-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1534
1535         Parse control flow statements in WebAssembly
1536         https://bugs.webkit.org/show_bug.cgi?id=148333
1537
1538         Reviewed by Geoffrey Garen.
1539
1540         Parse control flow statements in WebAssembly files generated by pack-asmjs
1541         <https://github.com/WebAssembly/polyfill-prototype-1>.
1542
1543         * wasm/WASMConstants.h:
1544         * wasm/WASMFunctionParser.cpp:
1545         (JSC::WASMFunctionParser::parseStatement):
1546         (JSC::WASMFunctionParser::parseIfStatement):
1547         (JSC::WASMFunctionParser::parseIfElseStatement):
1548         (JSC::WASMFunctionParser::parseWhileStatement):
1549         (JSC::WASMFunctionParser::parseDoStatement):
1550         (JSC::WASMFunctionParser::parseLabelStatement):
1551         (JSC::WASMFunctionParser::parseBreakStatement):
1552         (JSC::WASMFunctionParser::parseBreakLabelStatement):
1553         (JSC::WASMFunctionParser::parseContinueStatement):
1554         (JSC::WASMFunctionParser::parseContinueLabelStatement):
1555         (JSC::WASMFunctionParser::parseSwitchStatement):
1556         * wasm/WASMFunctionParser.h:
1557         (JSC::WASMFunctionParser::WASMFunctionParser):
1558         * wasm/WASMReader.cpp:
1559         (JSC::WASMReader::readCompactInt32):
1560         (JSC::WASMReader::readSwitchCase):
1561         * wasm/WASMReader.h:
1562
1563 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
1564
1565         Debugger's VM should never be null
1566         https://bugs.webkit.org/show_bug.cgi?id=148341
1567
1568         Reviewed by Joseph Pecoraro.
1569
1570         It doesn't make sense for a Debugger's VM to be null, and code related
1571         to maintaining that illusion just caused the Web Inspector to crash on
1572         launch (https://bugs.webkit.org/show_bug.cgi?id=148312). So, let's stop
1573         doing that.
1574
1575         Now, Debugger requires its subclass to provide a never-null VM&.
1576
1577         Also took the opportunity, based on review feedback, to remove some
1578         confusion in the virtual recompileAllJSFunctions hierarchy, by eliminating
1579         the pure virtual in ScriptDebugServer and the unnecessary override in
1580         JSGlobalObjectScriptDebugServer.
1581
1582         * debugger/Debugger.cpp:
1583         (JSC::Debugger::Debugger):
1584         (JSC::Debugger::attach):
1585         (JSC::Debugger::detach):
1586         (JSC::Debugger::isAttached):
1587         (JSC::Debugger::setSteppingMode):
1588         (JSC::Debugger::registerCodeBlock):
1589         (JSC::Debugger::toggleBreakpoint):
1590         (JSC::Debugger::recompileAllJSFunctions):
1591         (JSC::Debugger::setBreakpoint):
1592         (JSC::Debugger::clearBreakpoints):
1593         (JSC::Debugger::clearDebuggerRequests):
1594         (JSC::Debugger::setBreakpointsActivated):
1595         (JSC::Debugger::breakProgram):
1596         (JSC::Debugger::stepOutOfFunction):
1597         (JSC::Debugger::returnEvent):
1598         (JSC::Debugger::didExecuteProgram):
1599         * debugger/Debugger.h:
1600         * inspector/JSGlobalObjectScriptDebugServer.cpp:
1601         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
1602         (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions):
1603         (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
1604         * inspector/ScriptDebugServer.cpp:
1605         (Inspector::ScriptDebugServer::ScriptDebugServer):
1606         * inspector/ScriptDebugServer.h:
1607
1608 2015-08-21  Basile Clement  <basile_clement@apple.com>
1609
1610         Remove unused code relative to allocation sinking
1611         https://bugs.webkit.org/show_bug.cgi?id=148342
1612
1613         Reviewed by Mark Lam.
1614
1615         This removes two things:
1616
1617          - The DFGPromoteHeapAccess.h file which is a relic of the old sinking
1618            phase and is no longer used (it has been subsumed by
1619            ObjectAllocationSinking::promoteLocalHeap)
1620
1621          - Code in the allocation sinking phase for sinking
1622            MaterializeCreateActivation and MaterializeNewObject. Handling those
1623            is no longer necessary since the phase no longer runs in a fixpoint
1624            and thus will never see those nodes, since no other phase creates
1625            them.
1626
1627         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1628         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1629         * JavaScriptCore.xcodeproj/project.pbxproj:
1630         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1631         * dfg/DFGPromoteHeapAccess.h: Removed.
1632
1633 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
1634
1635         Unify code paths for manually deleting all code
1636         https://bugs.webkit.org/show_bug.cgi?id=148280
1637
1638         Reviewed by Saam Barati.
1639
1640         We used to have three paths for manually deleting all code. Now we have
1641         one shared path.
1642
1643         * debugger/Debugger.cpp:
1644         (JSC::Debugger::attach): Notify the debugger of all previous code when
1645         it attaches. We used to do this when recompiling, which was only correct
1646         by accident.
1647
1648         (JSC::Debugger::recompileAllJSFunctions): Switch to the shared path.
1649
1650         * heap/Heap.h:
1651         (JSC::Heap::compiledCode):
1652
1653         * inspector/agents/InspectorRuntimeAgent.cpp:
1654         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1655         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
1656         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
1657         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1658         (Inspector::TypeRecompiler::visit): Deleted.
1659         (Inspector::TypeRecompiler::operator()): Deleted.
1660         (Inspector::recompileAllJSFunctionsForTypeProfiling): Deleted. Switch
1661         to the shared path.
1662
1663         * runtime/VM.cpp:
1664         (JSC::VM::afterVMExit): Added a helper for scheduling an activity after
1665         VM exit. We can't delete code while it's on the stack, and we can't
1666         delete auxiliary profiling data while profiling code is on the stack,
1667         so in those cases, we schedule the deletion for the next time we exit.
1668
1669         (JSC::VM::deleteAllCode): Use afterVMExit because we might have code
1670         on the stack when debugger, profiler, or watchdog state changes.
1671
1672         * runtime/VM.h:
1673
1674         * runtime/VMEntryScope.cpp:
1675         (JSC::VMEntryScope::VMEntryScope):
1676         (JSC::VMEntryScope::addDidPopListener):
1677         (JSC::VMEntryScope::~VMEntryScope):
1678         (JSC::VMEntryScope::setEntryScopeDidPopListener): Deleted.
1679         * runtime/VMEntryScope.h:
1680         (JSC::VMEntryScope::globalObject): Removed the uniquing feature from
1681         the scope pop listener list because we don't have a client that wants
1682         it, and it's not convenient to use correctly since you can't take
1683         the address of a member function, a lambda, or an std::function. We can
1684         add this feature back if we discover that we want it.
1685
1686 2015-08-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1687
1688         Implement WebAssembly function parser
1689         https://bugs.webkit.org/show_bug.cgi?id=147738
1690
1691         Reviewed by Filip Pizlo.
1692
1693         Implement WebAssembly function parser for WebAssembly files produced by pack-asmjs
1694         <https://github.com/WebAssembly/polyfill-prototype-1>. This patch parses only
1695         some instructions on statements and int32 expressions. Parsing of the rest
1696         will be implemented in subsequent patches. The instruction lists in WASMConstants.h
1697         are slightly modified from
1698         <https://github.com/WebAssembly/polyfill-prototype-1/blob/master/src/shared.h>.
1699
1700         * CMakeLists.txt:
1701         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1702         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1703         * JavaScriptCore.xcodeproj/project.pbxproj:
1704         * wasm/WASMConstants.h: Added.
1705         * wasm/WASMFormat.h:
1706         * wasm/WASMFunctionParser.cpp: Added.
1707         (JSC::WASMFunctionParser::checkSyntax):
1708         (JSC::WASMFunctionParser::parseFunction):
1709         (JSC::WASMFunctionParser::parseLocalVariables):
1710         (JSC::WASMFunctionParser::parseStatement):
1711         (JSC::WASMFunctionParser::parseSetLocalStatement):
1712         (JSC::WASMFunctionParser::parseReturnStatement):
1713         (JSC::WASMFunctionParser::parseBlockStatement):
1714         (JSC::WASMFunctionParser::parseExpression):
1715         (JSC::WASMFunctionParser::parseExpressionI32):
1716         (JSC::WASMFunctionParser::parseImmediateExpressionI32):
1717         * wasm/WASMFunctionParser.h: Added.
1718         (JSC::WASMFunctionParser::WASMFunctionParser):
1719         * wasm/WASMFunctionSyntaxChecker.h: Renamed from Source/JavaScriptCore/wasm/WASMMagicNumber.h.
1720         * wasm/WASMModuleParser.cpp:
1721         (JSC::WASMModuleParser::WASMModuleParser):
1722         (JSC::WASMModuleParser::parseFunctionDefinitionSection):
1723         (JSC::WASMModuleParser::parseFunctionDefinition):
1724         * wasm/WASMModuleParser.h:
1725         * wasm/WASMReader.cpp:
1726         (JSC::WASMReader::readType):
1727         (JSC::WASMReader::readExpressionType):
1728         (JSC::WASMReader::readExportFormat):
1729         (JSC::WASMReader::readOpStatement):
1730         (JSC::WASMReader::readOpExpressionI32):
1731         (JSC::WASMReader::readVariableTypes):
1732         (JSC::WASMReader::readOp):
1733         * wasm/WASMReader.h:
1734         (JSC::WASMReader::offset):
1735         (JSC::WASMReader::setOffset):
1736
1737 2015-08-21  Filip Pizlo  <fpizlo@apple.com>
1738
1739         DFG::PutStackSinkingPhase doesn't need to emit KillStack nodes
1740         https://bugs.webkit.org/show_bug.cgi?id=148331
1741
1742         Reviewed by Geoffrey Garen.
1743
1744         PutStackSinkingPhase previously emitted a KillStack node when it sank a PutStack. This
1745         isn't necessary because KillStack is only interesting for OSR exit, and PutStack nodes
1746         that are relevant to OSR will already be preceded by a KillStack/MovHint pair.
1747
1748         * dfg/DFGPutStackSinkingPhase.cpp:
1749
1750 2015-08-21  Filip Pizlo  <fpizlo@apple.com>
1751
1752         DFG::NodeOrigin should have a flag determining if exiting is OK right now
1753         https://bugs.webkit.org/show_bug.cgi?id=148323
1754
1755         Reviewed by Saam Barati.
1756
1757         * dfg/DFGByteCodeParser.cpp:
1758         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
1759         (JSC::DFG::ByteCodeParser::branchData):
1760         * dfg/DFGInsertionSet.h:
1761         (JSC::DFG::InsertionSet::insertConstant):
1762         (JSC::DFG::InsertionSet::insertConstantForUse):
1763         (JSC::DFG::InsertionSet::insertBottomConstantForUse):
1764         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1765         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1766         * dfg/DFGLICMPhase.cpp:
1767         (JSC::DFG::LICMPhase::attemptHoist):
1768         * dfg/DFGNodeOrigin.h:
1769         (JSC::DFG::NodeOrigin::NodeOrigin):
1770         (JSC::DFG::NodeOrigin::isSet):
1771         (JSC::DFG::NodeOrigin::withSemantic):
1772         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1773
1774 2015-08-21  Saam barati  <sbarati@apple.com>
1775
1776         DFG callOperations should not implicitly emit an exception check. At callOperation call sites, we should explicitly emit exception checks
1777         https://bugs.webkit.org/show_bug.cgi?id=147988
1778
1779         Reviewed by Geoffrey Garen.
1780
1781         This is in preparation for the DFG being able to handle exceptions. 
1782         To do this, we need more control over when we emit exception checks.
1783         Specifically, we want to be able to silentFill before emitting an exception check.
1784         This patch does that. This patch also allows us to easily see which
1785         operations do and do not emit exception checks. Finding this information
1786         out before was a pain.
1787
1788         * assembler/AbortReason.h:
1789         * dfg/DFGArrayifySlowPathGenerator.h:
1790         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1791         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1792         * dfg/DFGJITCompiler.h:
1793         (JSC::DFG::JITCompiler::appendCall):
1794         (JSC::DFG::JITCompiler::exceptionCheck):
1795         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1796         * dfg/DFGSlowPathGenerator.h:
1797         (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator):
1798         (JSC::DFG::CallSlowPathGenerator::tearDown):
1799         (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::CallResultAndNoArgumentsSlowPathGenerator):
1800         (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::CallResultAndOneArgumentSlowPathGenerator):
1801         (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::CallResultAndTwoArgumentsSlowPathGenerator):
1802         (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::CallResultAndThreeArgumentsSlowPathGenerator):
1803         (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::CallResultAndFourArgumentsSlowPathGenerator):
1804         (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::CallResultAndFiveArgumentsSlowPathGenerator):
1805         (JSC::DFG::slowPathCall):
1806         * dfg/DFGSpeculativeJIT.cpp:
1807         (JSC::DFG::SpeculativeJIT::compileIn):
1808         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1809         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1810         (JSC::DFG::SpeculativeJIT::compileArithRound):
1811         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1812         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1813         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1814         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1815         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
1816         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
1817         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1818         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1819         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
1820         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1821         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1822         * dfg/DFGSpeculativeJIT.h:
1823         (JSC::DFG::SpeculativeJIT::callOperation):
1824         (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
1825         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
1826         (JSC::DFG::SpeculativeJIT::appendCall):
1827         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1828         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1829         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1830         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck): Deleted.
1831         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult): Deleted.
1832         * dfg/DFGSpeculativeJIT32_64.cpp:
1833         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1834         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
1835         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1836         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1837         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1838         (JSC::DFG::SpeculativeJIT::emitCall):
1839         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1840         (JSC::DFG::SpeculativeJIT::compile):
1841         * dfg/DFGSpeculativeJIT64.cpp:
1842         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1843         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
1844         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1845         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1846         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1847         (JSC::DFG::SpeculativeJIT::emitCall):
1848         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1849         (JSC::DFG::SpeculativeJIT::compile):
1850         * ftl/FTLIntrinsicRepository.h:
1851         * ftl/FTLLowerDFGToLLVM.cpp:
1852         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1853         * jit/AssemblyHelpers.cpp:
1854         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1855         (JSC::AssemblyHelpers::jitAssertNoException):
1856         (JSC::AssemblyHelpers::callExceptionFuzz):
1857         (JSC::AssemblyHelpers::emitExceptionCheck):
1858         * jit/AssemblyHelpers.h:
1859         (JSC::AssemblyHelpers::jitAssertIsInt32):
1860         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
1861         (JSC::AssemblyHelpers::jitAssertIsNull):
1862         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
1863         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1864         (JSC::AssemblyHelpers::jitAssertNoException):
1865         * jit/JITOperations.cpp:
1866         * jit/JITOperations.h:
1867         * runtime/VM.h:
1868         (JSC::VM::scratchBufferForSize):
1869         (JSC::VM::exceptionFuzzingBuffer):
1870
1871 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
1872
1873         REGRESSION (r188714): RELEASE_ASSERT in JSC::Heap::incrementDeferralDepth() opening Web Inspector on daringfireball.net
1874         https://bugs.webkit.org/show_bug.cgi?id=148312
1875
1876         Reviewed by Mark Lam.
1877
1878         * debugger/Debugger.cpp:
1879         (JSC::Debugger::recompileAllJSFunctions): Use our vm argument instead of
1880         m_vm because sometimes they are different and m_vm is null. (This behavior
1881         is very strange, and we should probably eliminate it -- but we need a 
1882         fix for this serious regression right now.)
1883
1884 2015-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1885
1886         [ES6] prototyping module loader in JSC shell
1887         https://bugs.webkit.org/show_bug.cgi?id=147876
1888
1889         Reviewed by Saam Barati.
1890
1891         This patch implements ES6 Module Loader part. The implementation is based on
1892         the latest draft[1, 2]. The naive implementation poses several problems.
1893         This patch attempts to solve the spec issues and proposes the fix[3, 4, 5].
1894
1895         We construct the JSC internal module loader based on the ES6 Promises.
1896         The chain of the promises represents the dependency graph of the modules and
1897         it automatically enables asynchronous module fetching.
1898         To leverage the Promises internally, we use the InternalPromise landed in r188681.
1899
1900         The loader has several platform-dependent hooks. The platform can implement
1901         these hooks to provide the functionality missing in the module loaders, like
1902         "how to fetch the resources". The method table of the JSGlobalObject is extended
1903         to accept these hooks from the platform.
1904
1905         This patch focuses on the loading part. So we don't create the module environment
1906         and don't link the modules yet.
1907
1908         To test the current module progress easily, we add the `-m` option to the JSC shell.
1909         When this option is specified, we load the given script as the module. And to use
1910         the module loading inside the JSC shell, we added the simple loader hook for fetching.
1911         It fetches the module content from the file system.
1912
1913         And to use the ES6 Map in the Loader implementation, we added @get and @set methods to the Map.
1914         But it conflicts with the existing `getPrivateName` method. Rename it to `lookUpPrivateName`.
1915
1916         [1]: https://whatwg.github.io/loader/
1917         [2]: https://github.com/whatwg/loader/commit/214c7a6625b445bdf411c39984f36f01139a24be
1918         [3]: https://github.com/whatwg/loader/pull/66
1919         [4]: https://github.com/whatwg/loader/pull/67
1920         [5]: https://github.com/whatwg/loader/issues/68
1921         [6]: https://bugs.webkit.org/show_bug.cgi?id=148136
1922
1923         * CMakeLists.txt:
1924         * DerivedSources.make:
1925         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1926         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1927         * JavaScriptCore.xcodeproj/project.pbxproj:
1928         * builtins/BuiltinNames.h:
1929         (JSC::BuiltinNames::lookUpPrivateName):
1930         (JSC::BuiltinNames::lookUpPublicName):
1931         (JSC::BuiltinNames::getPrivateName): Deleted.
1932         (JSC::BuiltinNames::getPublicName): Deleted.
1933         * builtins/ModuleLoaderObject.js: Added.
1934         (setStateToMax):
1935         (newRegistryEntry):
1936         (forceFulfillPromise):
1937         (fulfillFetch):
1938         (fulfillTranslate):
1939         (fulfillInstantiate):
1940         (instantiation):
1941         (requestFetch):
1942         (requestTranslate):
1943         (requestInstantiate):
1944         (requestResolveDependencies.resolveDependenciesPromise.this.requestInstantiate.then.):
1945         (requestResolveDependencies.resolveDependenciesPromise.this.requestInstantiate.then):
1946         (requestResolveDependencies):
1947         (requestInstantiateAll):
1948         (provide):
1949         * jsc.cpp:
1950         (stringFromUTF):
1951         (jscSource):
1952         (GlobalObject::moduleLoaderFetch):
1953         (functionCheckModuleSyntax):
1954         (dumpException):
1955         (runWithScripts):
1956         (printUsageStatement):
1957         (CommandLine::parseArguments):
1958         (jscmain):
1959         (CommandLine::CommandLine): Deleted.
1960         * parser/Lexer.cpp:
1961         (JSC::Lexer<LChar>::parseIdentifier):
1962         (JSC::Lexer<UChar>::parseIdentifier):
1963         * parser/ModuleAnalyzer.cpp:
1964         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1965         (JSC::ModuleAnalyzer::exportVariable):
1966         (JSC::ModuleAnalyzer::analyze):
1967         * parser/ModuleAnalyzer.h:
1968         (JSC::ModuleAnalyzer::moduleRecord):
1969         * parser/ModuleRecord.cpp:
1970         (JSC::printableName): Deleted.
1971         (JSC::ModuleRecord::dump): Deleted.
1972         * parser/ModuleRecord.h:
1973         (JSC::ModuleRecord::ImportEntry::isNamespace): Deleted.
1974         (JSC::ModuleRecord::create): Deleted.
1975         (JSC::ModuleRecord::appendRequestedModule): Deleted.
1976         (JSC::ModuleRecord::addImportEntry): Deleted.
1977         (JSC::ModuleRecord::addExportEntry): Deleted.
1978         (JSC::ModuleRecord::addStarExportEntry): Deleted.
1979         * parser/Nodes.h:
1980         * parser/NodesAnalyzeModule.cpp:
1981         (JSC::ImportDeclarationNode::analyzeModule):
1982         (JSC::ExportAllDeclarationNode::analyzeModule):
1983         (JSC::ExportNamedDeclarationNode::analyzeModule):
1984         * runtime/CommonIdentifiers.cpp:
1985         (JSC::CommonIdentifiers::lookUpPrivateName):
1986         (JSC::CommonIdentifiers::lookUpPublicName):
1987         (JSC::CommonIdentifiers::getPrivateName): Deleted.
1988         (JSC::CommonIdentifiers::getPublicName): Deleted.
1989         * runtime/CommonIdentifiers.h:
1990         * runtime/Completion.cpp:
1991         (JSC::checkModuleSyntax):
1992         (JSC::evaluateModule):
1993         * runtime/Completion.h:
1994         * runtime/ExceptionHelpers.cpp:
1995         (JSC::createUndefinedVariableError):
1996         * runtime/Identifier.h:
1997         * runtime/JSGlobalObject.cpp:
1998         (JSC::JSGlobalObject::init):
1999         (JSC::JSGlobalObject::visitChildren):
2000         * runtime/JSGlobalObject.h:
2001         (JSC::JSGlobalObject::moduleLoader):
2002         (JSC::JSGlobalObject::moduleRecordStructure):
2003         * runtime/JSModuleRecord.cpp: Renamed from Source/JavaScriptCore/parser/ModuleRecord.cpp.
2004         (JSC::JSModuleRecord::destroy):
2005         (JSC::JSModuleRecord::finishCreation):
2006         (JSC::printableName):
2007         (JSC::JSModuleRecord::dump):
2008         * runtime/JSModuleRecord.h: Renamed from Source/JavaScriptCore/parser/ModuleRecord.h.
2009         (JSC::JSModuleRecord::ImportEntry::isNamespace):
2010         (JSC::JSModuleRecord::createStructure):
2011         (JSC::JSModuleRecord::create):
2012         (JSC::JSModuleRecord::requestedModules):
2013         (JSC::JSModuleRecord::JSModuleRecord):
2014         (JSC::JSModuleRecord::appendRequestedModule):
2015         (JSC::JSModuleRecord::addImportEntry):
2016         (JSC::JSModuleRecord::addExportEntry):
2017         (JSC::JSModuleRecord::addStarExportEntry):
2018         * runtime/MapPrototype.cpp:
2019         (JSC::MapPrototype::finishCreation):
2020         * runtime/ModuleLoaderObject.cpp: Added.
2021         (JSC::ModuleLoaderObject::ModuleLoaderObject):
2022         (JSC::ModuleLoaderObject::finishCreation):
2023         (JSC::ModuleLoaderObject::getOwnPropertySlot):
2024         (JSC::printableModuleKey):
2025         (JSC::ModuleLoaderObject::provide):
2026         (JSC::ModuleLoaderObject::requestInstantiateAll):
2027         (JSC::ModuleLoaderObject::resolve):
2028         (JSC::ModuleLoaderObject::fetch):
2029         (JSC::ModuleLoaderObject::translate):
2030         (JSC::ModuleLoaderObject::instantiate):
2031         (JSC::moduleLoaderObjectParseModule):
2032         (JSC::moduleLoaderObjectRequestedModules):
2033         (JSC::moduleLoaderObjectResolve):
2034         (JSC::moduleLoaderObjectFetch):
2035         (JSC::moduleLoaderObjectTranslate):
2036         (JSC::moduleLoaderObjectInstantiate):
2037         * runtime/ModuleLoaderObject.h: Added.
2038         (JSC::ModuleLoaderObject::create):
2039         (JSC::ModuleLoaderObject::createStructure):
2040         * runtime/Options.h:
2041
2042 2015-08-20  Filip Pizlo  <fpizlo@apple.com>
2043
2044         DFG should have a KnownBooleanUse for cases where we are required to know that the child is a boolean and it's not OK to speculate
2045         https://bugs.webkit.org/show_bug.cgi?id=148286
2046
2047         Reviewed by Benjamin Poulain.
2048
2049         This enables us to ensure that the Branch or LogicalNot after an effectful CompareXYZ can
2050         be marked as !mayExit(). I need that for https://bugs.webkit.org/show_bug.cgi?id=145204.
2051
2052         * dfg/DFGFixupPhase.cpp:
2053         (JSC::DFG::FixupPhase::fixupNode):
2054         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2055         * dfg/DFGSafeToExecute.h:
2056         (JSC::DFG::SafeToExecuteEdge::operator()):
2057         * dfg/DFGSpeculativeJIT.cpp:
2058         (JSC::DFG::SpeculativeJIT::speculate):
2059         * dfg/DFGSpeculativeJIT.h:
2060         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
2061         * dfg/DFGSpeculativeJIT32_64.cpp:
2062         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2063         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2064         (JSC::DFG::SpeculativeJIT::emitBranch):
2065         * dfg/DFGSpeculativeJIT64.cpp:
2066         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2067         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2068         (JSC::DFG::SpeculativeJIT::emitBranch):
2069         * dfg/DFGUseKind.cpp:
2070         (WTF::printInternal):
2071         * dfg/DFGUseKind.h:
2072         (JSC::DFG::typeFilterFor):
2073         (JSC::DFG::shouldNotHaveTypeCheck):
2074         * ftl/FTLCapabilities.cpp:
2075         (JSC::FTL::canCompile):
2076         * ftl/FTLLowerDFGToLLVM.cpp:
2077         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
2078         (JSC::FTL::DFG::LowerDFGToLLVM::lowBoolean):
2079
2080 2015-08-20  Filip Pizlo  <fpizlo@apple.com>
2081
2082         Overflow check elimination fails for a simple test case
2083         https://bugs.webkit.org/show_bug.cgi?id=147387
2084
2085         Reviewed by Benjamin Poulain.
2086
2087         Overflow check elimination was having issues when things got constant-folded, because whereas an
2088         Add or LessThan operation teaches us about relationships between the things being added or
2089         compared, we don't do that when we see a JSConstant. We don't create a relationship between every
2090         JSConstant and every other JSConstant. So, if we constant-fold an Add, we forget the relationships
2091         that it would have had with its inputs.
2092
2093         One solution would be to have every JSConstant create a relationship with every other JSConstant.
2094         This is dangerous, since it would create an O(n^2) explosion of relationships.
2095
2096         Instead, this patch teaches filtration and merging how to behave "as if" there were inter-constant
2097         relationships. Normally those operations only work on two relationships involving the same node
2098         pair. But now, if we have @x op @c and @x op @d, where @c and @d are different nodes but both are
2099         constants, we will do merging or filtering by grokking the constant values.
2100
2101         This speeds up lots of tests in JSRegress, because it enables overflow check elimination on things
2102         like:
2103
2104         for (var i = 0; i < 100; ++i)
2105
2106         Previously, the fact that this was all constants would throw off the analysis because the analysis
2107         wouldn't "know" that 0 < 100.
2108
2109         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2110
2111 2015-08-20  Geoffrey Garen  <ggaren@apple.com>
2112
2113         forEachCodeBlock should wait for all CodeBlocks automatically
2114         https://bugs.webkit.org/show_bug.cgi?id=148255
2115
2116         Add back a line of code I deleted by accident in my last patch due to
2117         incorrect merge.
2118
2119         Unreviewed.
2120
2121         * runtime/VM.cpp:
2122         (JSC::VM::deleteAllCode):
2123
2124 2015-08-20  Geoffrey Garen  <ggaren@apple.com>
2125
2126         forEachCodeBlock should wait for all CodeBlocks automatically
2127         https://bugs.webkit.org/show_bug.cgi?id=148255
2128
2129         Reviewed by Saam Barati.
2130
2131         Previously, all clients needed to wait manually before calling
2132         forEachCodeBlock. That's easy to get wrong, and at least one place
2133         got it wrong. Let's do this automatically instead.
2134
2135         * debugger/Debugger.cpp:
2136         (JSC::Debugger::Debugger):
2137         (JSC::Debugger::setSteppingMode):
2138         (JSC::Debugger::toggleBreakpoint): No need to wait manually;
2139         forEachCodeBlock will do it automatically now.
2140
2141         (JSC::Debugger::recompileAllJSFunctions): We still need to wait manually
2142         here because this is an iteration of the heap, which does not wait
2143         automatically. Use the new helper function for waiting.
2144
2145         (JSC::Debugger::clearBreakpoints):
2146         (JSC::Debugger::clearDebuggerRequests):
2147         (JSC::Debugger::setBreakpointsActivated):
2148         (JSC::Debugger::forEachCodeBlock): Deleted. No need to wait manually.
2149
2150         * debugger/Debugger.h:
2151
2152         * dfg/DFGWorklist.cpp:
2153         (JSC::DFG::completeAllPlansForVM):
2154         * dfg/DFGWorklist.h:
2155         (JSC::DFG::completeAllPlansForVM): Added a helper function that replaces
2156         vm.prepareToDeleteCode. This new function is clearer because we need
2157         to call it sometimes even if we are not going to delete code.
2158
2159         * heap/HeapInlines.h:
2160         (JSC::Heap::forEachCodeBlock): Moved.
2161
2162         * inspector/agents/InspectorRuntimeAgent.cpp:
2163         (Inspector::recompileAllJSFunctionsForTypeProfiling): Use the new helper
2164         function.
2165
2166         * runtime/JSCInlines.h:
2167         (JSC::Heap::forEachCodeBlock): Do the waiting automatically.
2168
2169         * runtime/VM.cpp:
2170         (JSC::VM::stopSampling):
2171         (JSC::VM::deleteAllCode):
2172         (JSC::VM::setEnabledProfiler):
2173         (JSC::VM::prepareToDeleteCode): Deleted.
2174         * runtime/VM.h: No need to wait manually.
2175
2176 2015-08-20  Commit Queue  <commit-queue@webkit.org>
2177
2178         Unreviewed, rolling out r188675.
2179         https://bugs.webkit.org/show_bug.cgi?id=148244
2180
2181         "caused a 17% Mac PLT regression" (Requested by ggaren on
2182         #webkit).
2183
2184         Reverted changeset:
2185
2186         "clearCode() should clear code"
2187         https://bugs.webkit.org/show_bug.cgi?id=148203
2188         http://trac.webkit.org/changeset/188675
2189
2190 2015-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2191
2192         Introduce put_by_id like IC into put_by_val when the given name is String or Symbol
2193         https://bugs.webkit.org/show_bug.cgi?id=147760
2194
2195         Reviewed by Filip Pizlo.
2196
2197         This patch adds put_by_id IC to put_by_val by caching the one candidate id,
2198         it is the same thing as the get_by_val IC extension.
2199         It will encourage the use of ES6 Symbols and ES6 computed properties in the object literals.
2200
2201         In this patch, we leverage the existing CheckIdent and PutById / PutByVal in DFG,
2202         so this patch does not change FTL because the above operations are already supported in FTL.
2203
2204         And this patch also includes refactoring to leverage byValInfo->slowPathCount in the cached Id path.
2205
2206         Performance results report there's no regression in the existing tests. And in the synthetic
2207         benchmarks created by modifying put-by-id to put-by-val, we can see significant performance
2208         improvements up to 13.9x.
2209
2210         * bytecode/PutByIdStatus.cpp:
2211         (JSC::PutByIdStatus::computeForStubInfo):
2212         * bytecode/PutByIdStatus.h:
2213         * dfg/DFGByteCodeParser.cpp:
2214         (JSC::DFG::ByteCodeParser::parseBlock):
2215         * jit/JIT.h:
2216         (JSC::JIT::compilePutByValWithCachedId):
2217         * jit/JITOperations.cpp:
2218         (JSC::getByVal):
2219         (JSC::tryGetByValOptimize):
2220         * jit/JITOperations.h:
2221         * jit/JITPropertyAccess.cpp:
2222         (JSC::JIT::emitGetByValWithCachedId):
2223         (JSC::JIT::emit_op_put_by_val):
2224         (JSC::JIT::emitPutByValWithCachedId):
2225         (JSC::JIT::emitSlow_op_put_by_val):
2226         (JSC::JIT::emitIdentifierCheck):
2227         (JSC::JIT::privateCompilePutByValWithCachedId):
2228         * jit/JITPropertyAccess32_64.cpp:
2229         (JSC::JIT::emitGetByValWithCachedId):
2230         (JSC::JIT::emit_op_put_by_val):
2231         (JSC::JIT::emitPutByValWithCachedId):
2232         (JSC::JIT::emitSlow_op_put_by_val):
2233         * tests/stress/put-by-val-with-string-break.js: Added.
2234         (shouldBe):
2235         (assign):
2236         * tests/stress/put-by-val-with-string-generated.js: Added.
2237         (shouldBe):
2238         (gen1):
2239         (gen2):
2240         (assign):
2241         * tests/stress/put-by-val-with-string-generic.js: Added.
2242         (shouldBe):
2243         (assign):
2244         * tests/stress/put-by-val-with-symbol-break.js: Added.
2245         (shouldBe):
2246         (assign):
2247         * tests/stress/put-by-val-with-symbol-generic.js: Added.
2248         (shouldBe):
2249         (assign):
2250
2251 2015-08-20  Alex Christensen  <achristensen@webkit.org>
2252
2253         Clean up CMake build after r188673
2254         https://bugs.webkit.org/show_bug.cgi?id=148234
2255
2256         Reviewed by Tim Horton.
2257
2258         * shell/PlatformWin.cmake:
2259         Define WIN_CAIRO so the WinCairo jsc.exe can find the correct dlls.
2260
2261 2015-08-20  Mark Lam  <mark.lam@apple.com>
2262
2263         A watchdog test is failing on Windows.
2264         https://bugs.webkit.org/show_bug.cgi?id=148228
2265
2266         Reviewed by Brent Fulgham.
2267
2268         The test just needed a little more time because Windows' timer resolution is low.
2269         After increasing the test deadlines, the test started passing.
2270
2271         * API/tests/ExecutionTimeLimitTest.cpp:
2272         (testExecutionTimeLimit):
2273
2274 2015-08-20  Mark Lam  <mark.lam@apple.com>
2275
2276         Fixed some warnings on Windows.
2277         https://bugs.webkit.org/show_bug.cgi?id=148224
2278
2279         Reviewed by Brent Fulgham.
2280
2281         The Windows build was complaining that function params were hiding a global variable.
2282         Since the function params were unused, I resolved this by removing the param names.
2283
2284         * API/tests/ExecutionTimeLimitTest.cpp:
2285         (currentCPUTimeAsJSFunctionCallback):
2286         (shouldTerminateCallback):
2287         (cancelTerminateCallback):
2288         (extendTerminateCallback):
2289
2290 2015-08-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2291
2292         Add InternalPromise to use Promises safely in the internals
2293         https://bugs.webkit.org/show_bug.cgi?id=148136
2294
2295         Reviewed by Saam Barati.
2296
2297         This patch implements InternalPromise.
2298         It is a completely different instance set (constructor, prototype, instance),
2299         but it has the same features as the Promise.
2300
2301         In the Promise operations, when resolving the promise with the returned promise
2302         from the fulfill handler, we need to look up "then" method.
2303
2304         e.g.
2305             var p3 = p1.then(function handler(...) {
2306                 return p2;
2307             });
2308
2309         When the handler is executed, we retrieve the returned `p2` promise. And to resolve
2310         the promise returned by the "then" method (that is, `p3`), we construct the chain by executing
2311         `p2.then(resolving function for p3)`. So if the user modifies Promise.prototype.then,
2312         we can observe the internal operations.
2313
2314         By using InternalPromise, we completely hide InternalPromise.prototype from the users.
2315         It allows JSC to use Promises internally; even if the user modifies / overrides
2316         the Promise.prototype.then function, it does not affect InternalPromise.
2317
2318         One limitation is that the implementation needs to take care not to leak the InternalPromise instance
2319         to the user space.
2320
2321         * CMakeLists.txt:
2322         * DerivedSources.make:
2323         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2324         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2325         * JavaScriptCore.xcodeproj/project.pbxproj:
2326         * builtins/InternalPromiseConstructor.js: Added.
2327         (internalAll.newResolveElement):
2328         (internalAll):
2329         * builtins/Operations.Promise.js:
2330         (newPromiseDeferred): Deleted.
2331         * builtins/PromiseConstructor.js:
2332         (privateAll.newResolveElement): Deleted.
2333         (privateAll): Deleted.
2334         * runtime/CommonIdentifiers.h:
2335         * runtime/JSGlobalObject.cpp:
2336         (JSC::JSGlobalObject::init):
2337         (JSC::JSGlobalObject::visitChildren):
2338         * runtime/JSGlobalObject.h:
2339         (JSC::JSGlobalObject::promiseConstructor):
2340         (JSC::JSGlobalObject::internalPromiseConstructor):
2341         (JSC::JSGlobalObject::newPromiseCapabilityFunction):
2342         (JSC::JSGlobalObject::newPromiseDeferredFunction): Deleted.
2343         * runtime/JSInternalPromise.cpp: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.h.
2344         (JSC::JSInternalPromise::create):
2345         (JSC::JSInternalPromise::createStructure):
2346         (JSC::JSInternalPromise::JSInternalPromise):
2347         * runtime/JSInternalPromise.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
2348         * runtime/JSInternalPromiseConstructor.cpp: Added.
2349         (JSC::JSInternalPromiseConstructor::create):
2350         (JSC::JSInternalPromiseConstructor::createStructure):
2351         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
2352         (JSC::constructPromise):
2353         (JSC::JSInternalPromiseConstructor::getConstructData):
2354         (JSC::JSInternalPromiseConstructor::getCallData):
2355         (JSC::JSInternalPromiseConstructor::getOwnPropertySlot):
2356         * runtime/JSInternalPromiseConstructor.h: Copied from Source/JavaScriptCore/runtime/JSPromiseConstructor.h.
2357         * runtime/JSInternalPromiseDeferred.cpp: Added.
2358         (JSC::JSInternalPromiseDeferred::create):
2359         (JSC::JSInternalPromiseDeferred::JSInternalPromiseDeferred):
2360         (JSC::JSInternalPromiseDeferred::promise):
2361         * runtime/JSInternalPromiseDeferred.h: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.h.
2362         * runtime/JSInternalPromisePrototype.cpp: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.cpp.
2363         (JSC::JSInternalPromisePrototype::create):
2364         (JSC::JSInternalPromisePrototype::createStructure):
2365         (JSC::JSInternalPromisePrototype::JSInternalPromisePrototype):
2366         * runtime/JSInternalPromisePrototype.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
2367         * runtime/JSPromise.cpp:
2368         (JSC::JSPromise::create):
2369         (JSC::JSPromise::JSPromise):
2370         (JSC::JSPromise::initialize):
2371         * runtime/JSPromise.h:
2372         * runtime/JSPromiseConstructor.cpp:
2373         (JSC::JSPromiseConstructor::JSPromiseConstructor):
2374         (JSC::constructPromise):
2375         (JSC::JSPromiseConstructor::getOwnPropertySlot):
2376         (JSC::JSPromiseConstructor::finishCreation): Deleted.
2377         * runtime/JSPromiseConstructor.h:
2378         * runtime/JSPromiseDeferred.cpp:
2379         (JSC::newPromiseCapability):
2380         (JSC::JSPromiseDeferred::create):
2381         (JSC::JSPromiseDeferred::JSPromiseDeferred):
2382         * runtime/JSPromiseDeferred.h:
2383         * runtime/JSPromisePrototype.cpp:
2384         (JSC::JSPromisePrototype::getOwnPropertySlot):
2385         * runtime/JSPromisePrototype.h:
2386         * runtime/VM.cpp:
2387         (JSC::VM::VM):
2388         * runtime/VM.h:
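
The observation channel this entry describes, as an added example in JavaScript (this is not WebKit code; `observeThenCalls`, the `tracked` map and the `HiddenPromise` class are constructions of this example, not JSC's InternalPromise): a script that has replaced `Promise.prototype.then` sees the engine's internal `p2.then(...)` call made while resolving `p3`, while a promise whose own prototype pins `then` to the original builtin exposes nothing.

```javascript
// Added example (not WebKit code). Resolving p3 with the promise p2 returned
// from a handler performs Get(p2, "then") and calls the result, so a script
// that has replaced Promise.prototype.then observes the engine's own
// resolution step. HiddenPromise is a user-land stand-in for JSC's
// InternalPromise idea: a separate prototype that the patch cannot reach.

const originalThen = Promise.prototype.then;

// Maps each promise created by observeThenCalls() to the run that owns it and
// its name in that run, so concurrent runs never pollute each other's log.
const tracked = new WeakMap();

// User-land replacement of the global `then`. It logs every call whose
// receiver is a tracked promise, then defers to the real implementation, so
// behaviour is unchanged apart from the logging.
Promise.prototype.then = function patchedThen(onFulfilled, onRejected) {
  const entry = tracked.get(this); // undefined for untracked receivers
  if (entry) entry.run.observed.push(`then called on ${entry.name}`);
  return originalThen.call(this, onFulfilled, onRejected);
};

// Runs the chain from the entry: p3 = p1.then(handler), handler returns p2.
// `Ctor` is the promise constructor used for p1 and p2. Resolves to the value
// p3 settles with and the `then` calls the patch saw on p1 and p2.
function observeThenCalls(Ctor) {
  const run = { observed: [] };
  const p1 = Ctor.resolve("start");
  const p2 = Ctor.resolve("inner");
  tracked.set(p1, { run, name: "p1" });
  tracked.set(p2, { run, name: "p2" });

  const p3 = p1.then(function handler() {
    // The engine now has to resolve p3 with p2, i.e. look up p2.then and
    // call it with p3's resolving functions. That lookup is what leaks.
    return p2;
  });

  // Bookkeeping only: bypass the patch so this call is not logged.
  return originalThen.call(p3, (value) => ({ value, observed: run.observed }));
}

// Separate prototype whose own, frozen `then` is the original builtin, so
// Get(instance, "then") never reaches the patched Promise.prototype.then.
// JSC goes further: InternalPromise's constructor and prototype are never
// exposed to scripts at all, which is the leak the entry warns about.
class HiddenPromise extends Promise {}
Object.defineProperty(HiddenPromise.prototype, "then", {
  value: originalThen, writable: false, configurable: false, enumerable: false,
});

// Stand-alone demo. Expected log:
//   Promise        [ 'then called on p1', 'then called on p2' ]
//   HiddenPromise  []
observeThenCalls(Promise).then((r) => console.log("Promise       ", r.observed));
observeThenCalls(HiddenPromise).then((r) => console.log("HiddenPromise ", r.observed));
```

The second log line is the property JSC wants from InternalPromise: the user call on `p1` and the engine's call on `p2` both vanish from the patched `then` once lookups resolve to a prototype the script never touched.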
2389
2390 2015-08-19  Filip Pizlo  <fpizlo@apple.com>
2391
2392         Remove WTF::SpinLock
2393         https://bugs.webkit.org/show_bug.cgi?id=148208
2394
2395         Reviewed by Geoffrey Garen.
2396
2397         Remove the one remaining use of SpinLock.
2398
2399         * API/JSValue.mm:
2400         (handerForStructTag):
2401
2402 2015-08-19  Geoffrey Garen  <ggaren@apple.com>
2403
2404         clearCode() should clear code
2405         https://bugs.webkit.org/show_bug.cgi?id=148203
2406
2407         Reviewed by Saam Barati.
2408
2409         Clearing code used to require two steps: clearCode() and
2410         clearUnlinkedCodeForRecompilation(). Unsurprisingly, clients sometimes
2411         did one or the other or both without much rhyme or reason.
2412
2413         This patch simplifies things by merging both functions into clearCode().
2414
2415         * bytecode/UnlinkedFunctionExecutable.h:
2416         * debugger/Debugger.cpp:
2417         * heap/Heap.cpp:
2418         (JSC::Heap::deleteAllCompiledCode):
2419         (JSC::Heap::clearUnmarkedExecutables):
2420         (JSC::Heap::deleteAllUnlinkedFunctionCode): Deleted. No need for this
2421         function anymore since it was only used by clients who already called
2422         clearCode() (and it would be terribly wrong to use without doing both.)
2423
2424         * heap/Heap.h:
2425         (JSC::Heap::sizeAfterLastFullCollection):
2426         * inspector/agents/InspectorRuntimeAgent.cpp:
2427         (Inspector::TypeRecompiler::visit):
2428         (Inspector::TypeRecompiler::operator()):
2429         * runtime/Executable.cpp:
2430         (JSC::FunctionExecutable::visitChildren):
2431         (JSC::FunctionExecutable::clearCode):
2432         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation): Deleted.
2433         * runtime/Executable.h:
2434         * runtime/VM.cpp:
2435         (JSC::VM::deleteAllCode):
2436
2437 2015-08-19  Alex Christensen  <achristensen@webkit.org>
2438
2439         CMake Windows build should not include files directly from other Source directories
2440         https://bugs.webkit.org/show_bug.cgi?id=148198
2441
2442         Reviewed by Brent Fulgham.
2443
2444         * CMakeLists.txt:
2445         JavaScriptCore_FORWARDING_HEADERS_FILES is no longer necessary because all the headers
2446         that used to be in it are now in JavaScriptCore_FORWARDING_HEADERS_DIRECTORIES.
2447         * PlatformEfl.cmake:
2448         * PlatformGTK.cmake:
2449         * PlatformMac.cmake:
2450         * PlatformWin.cmake:
2451
2452 2015-08-19  Eric Carlson  <eric.carlson@apple.com>
2453
2454         Remove ENABLE_WEBVTT_REGIONS
2455         https://bugs.webkit.org/show_bug.cgi?id=148184
2456
2457         Reviewed by Jer Noble.
2458
2459         * Configurations/FeatureDefines.xcconfig: Remove ENABLE_WEBVTT_REGIONS.
2460
2461 2015-08-19  Joseph Pecoraro  <pecoraro@apple.com>
2462
2463         Web Inspector: Unexpected node preview format for an element with newlines in className attribute
2464         https://bugs.webkit.org/show_bug.cgi?id=148192
2465
2466         Reviewed by Brian Burg.
2467
2468         * inspector/InjectedScriptSource.js:
2469         (InjectedScript.prototype._nodePreview):
2470         Replace whitespace blocks with single spaces to produce a simpler class string for previews.
2471
2472 2015-08-19  Mark Lam  <mark.lam@apple.com>
2473
2474         Add support for CheckWatchdogTimer as slow path in DFG and FTL.
2475         https://bugs.webkit.org/show_bug.cgi?id=147968
2476
2477         Reviewed by Michael Saboff.
2478
2479         Re-implement the DFG's CheckWatchdogTimer as a slow path instead of a speculation
2480         check.  Since the watchdog timer can fire spuriously, this allows the code to
2481         stay optimized if all we have are spurious fires.
2482
2483         Implement the equivalent slow path for CheckWatchdogTimer in the FTL. 
2484
2485         The watchdog tests in ExecutionTimeLimitTest.cpp have already been updated in
2486         https://bugs.webkit.org/show_bug.cgi?id=148125 to test for the FTL's watchdog
2487         implementation.
2488
2489         * dfg/DFGSpeculativeJIT32_64.cpp:
2490         (JSC::DFG::SpeculativeJIT::compile):
2491         * dfg/DFGSpeculativeJIT64.cpp:
2492         (JSC::DFG::SpeculativeJIT::compile):
2493         * ftl/FTLCapabilities.cpp:
2494         (JSC::FTL::canCompile):
2495         * ftl/FTLLowerDFGToLLVM.cpp:
2496         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2497         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
2498         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckWatchdogTimer):
2499         (JSC::FTL::DFG::LowerDFGToLLVM::isInlinableSize):
2500
2501         * jit/JIT.h:
2502         * jit/JITInlines.h:
2503         (JSC::JIT::callOperation):
2504         * jit/JITOperations.cpp:
2505         * jit/JITOperations.h:
2506         - Changed operationHandleWatchdogTimer() to return an unused nullptr.  This
2507           allows me to reuse the existing DFG slow path generator mechanism.  I didn't
2508           think that operationHandleWatchdogTimer() was worth introducing a whole new set
2509           of machinery just so we can have a slow path that returns void.
2510
2511 2015-08-19  Mark Lam  <mark.lam@apple.com>
2512
2513         Add ability to save and restore JSC options.
2514         https://bugs.webkit.org/show_bug.cgi?id=148125
2515
2516         Reviewed by Saam Barati.
2517
2518         * API/tests/ExecutionTimeLimitTest.cpp:
2519         (testExecutionTimeLimit):
2520         - Employ the new options getter/setter to run watchdog tests for each of the
2521           execution engine tiers.
2522         - Also altered the test scripts to be in a function instead of global code.
2523           This is one of 2 changes needed to give them an opportunity to be FTL compiled.
2524           The other is to add support for compiling CheckWatchdogTimer in the FTL (which
2525           will be addressed in a separate patch).
2526
2527         * jsc.cpp:
2528         (CommandLine::parseArguments):
2529         * runtime/Options.cpp:
2530         (JSC::parse):
2531         - Add the ability to clear a string option with a nullptr value.
2532           This is needed to restore a default string option value which may be null.
2533
2534         (JSC::OptionRange::init):
2535         - Add the ability to clear a range option with a null value.
2536           This is needed to restore a default range option value which may be null.
2537
2538         (JSC::Options::initialize):
2539         (JSC::Options::dumpOptionsIfNeeded):
2540         - Factor code to dump options out to dumpOptionsIfNeeded() since we will need
2541           that logic elsewhere.
2542
2543         (JSC::Options::setOptions):
2544         - Parse an options string and set each of the specified options.
2545
2546         (JSC::Options::dumpAllOptions):
2547         (JSC::Options::dumpAllOptionsInALine):
2548         (JSC::Options::dumpOption):
2549         (JSC::Option::dump):
2550         - Refactored so that the underlying dumper dumps to a StringBuilder instead of
2551           stderr.  This lets us reuse this code to serialize all the options into a
2552           single string for dumpAllOptionsInALine().
2553
2554         * runtime/Options.h:
2555         (JSC::OptionRange::rangeString):
2556
2557 2015-08-18  Filip Pizlo  <fpizlo@apple.com>
2558
2559         Replace all uses of std::mutex/std::condition_variable with WTF::Lock/WTF::Condition
2560         https://bugs.webkit.org/show_bug.cgi?id=148140
2561
2562         Reviewed by Geoffrey Garen.
2563
2564         * inspector/remote/RemoteInspector.h:
2565         * inspector/remote/RemoteInspector.mm:
2566         (Inspector::RemoteInspector::registerDebuggable):
2567         (Inspector::RemoteInspector::unregisterDebuggable):
2568         (Inspector::RemoteInspector::updateDebuggable):
2569         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
2570         (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
2571         (Inspector::RemoteInspector::setupFailed):
2572         (Inspector::RemoteInspector::setupCompleted):
2573         (Inspector::RemoteInspector::start):
2574         (Inspector::RemoteInspector::stop):
2575         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2576         (Inspector::RemoteInspector::setParentProcessInformation):
2577         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2578         (Inspector::RemoteInspector::xpcConnectionFailed):
2579         (Inspector::RemoteInspector::pushListingSoon):
2580         (Inspector::RemoteInspector::receivedIndicateMessage):
2581         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2582         * inspector/remote/RemoteInspectorXPCConnection.h:
2583         * inspector/remote/RemoteInspectorXPCConnection.mm:
2584         (Inspector::RemoteInspectorXPCConnection::close):
2585         (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
2586         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
2587         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2588
2589 2015-08-18  Joseph Pecoraro  <pecoraro@apple.com>
2590
2591         Web Inspector: Links for rules in <style> are incorrect, do not account for <style> offset in the document
2592         https://bugs.webkit.org/show_bug.cgi?id=148141
2593
2594         Reviewed by Brian Burg.
2595
2596         * inspector/protocol/CSS.json:
2597         Extend StyleSheetHeader to include start offset information and a bit
2598         for whether or not this was an inline style tag created by the parser.
2599         These match additions to Blink's protocol.
2600
2601 2015-08-18  Benjamin Poulain  <bpoulain@apple.com>
2602
2603         [JSC] Optimize more cases of something-compared-to-null/undefined
2604         https://bugs.webkit.org/show_bug.cgi?id=148157
2605
2606         Reviewed by Geoffrey Garen and Filip Pizlo.
2607
2608         CompareEq is fairly trivial if you assert one of the operands is either
2609         null or undefined. Under those conditions, the only way to have "true"
2610         is to have the other operand be null/undefined or have an object
2611         that masquerades as undefined.
2612
2613         JSC already had a fast path in CompareEqConstant.
2614         With this patch, I generalize this fast path to more cases and try
2615         to eliminate the checks whenever possible.
2616
2617         CompareEq now does the job of CompareEqConstant. If any operand can
2618         be proved to be undefined/other, its edge is set to OtherUse. Whenever
2619         any edge is OtherUse, we generate the fast code we had for CompareEqConstant.
2620
2621         The AbstractInterpreter has additional checks to reduce the node to a constant
2622         whenever possible.
2623
2624         There are two additional changes in this patch:
2625         -The Fixup Phase tries to set edges to OtherUse early. This is done correctly
2626          in ConstantFoldingPhase but setting it up early helps the phases relying
2627          on Clobberize.
2628         -The codegen for CompareEqConstant was improved. The reason is the comparison
2629          for ObjectOrOther could be faster just because the codegen was better.
2630
2631         * dfg/DFGAbstractInterpreterInlines.h:
2632         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2633         * dfg/DFGByteCodeParser.cpp:
2634         (JSC::DFG::ByteCodeParser::parseBlock):
2635         * dfg/DFGClobberize.h:
2636         (JSC::DFG::clobberize): Deleted.
2637         * dfg/DFGConstantFoldingPhase.cpp:
2638         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2639         * dfg/DFGDoesGC.cpp:
2640         (JSC::DFG::doesGC): Deleted.
2641         * dfg/DFGFixupPhase.cpp:
2642         (JSC::DFG::FixupPhase::fixupNode):
2643         * dfg/DFGNode.h:
2644         (JSC::DFG::Node::isUndefinedOrNullConstant):
2645         * dfg/DFGNodeType.h:
2646         * dfg/DFGPredictionPropagationPhase.cpp:
2647         (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
2648         * dfg/DFGSafeToExecute.h:
2649         (JSC::DFG::safeToExecute): Deleted.
2650         * dfg/DFGSpeculativeJIT.cpp:
2651         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2652         (JSC::DFG::SpeculativeJIT::compare):
2653         * dfg/DFGSpeculativeJIT.h:
2654         (JSC::DFG::SpeculativeJIT::isKnownNotOther):
2655         * dfg/DFGSpeculativeJIT32_64.cpp:
2656         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2657         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2658         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): Deleted.
2659         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): Deleted.
2660         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): Deleted.
2661         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2662         * dfg/DFGSpeculativeJIT64.cpp:
2663         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
2664         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2665         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): Deleted.
2666         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): Deleted.
2667         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): Deleted.
2668         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2669         * dfg/DFGValidate.cpp:
2670         (JSC::DFG::Validate::validate): Deleted.
2671         * dfg/DFGWatchpointCollectionPhase.cpp:
2672         (JSC::DFG::WatchpointCollectionPhase::handle):
2673         * ftl/FTLCapabilities.cpp:
2674         (JSC::FTL::canCompile):
2675         * ftl/FTLLowerDFGToLLVM.cpp:
2676         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
2677         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
2678         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEqConstant): Deleted.
2679         * tests/stress/compare-eq-on-null-and-undefined-non-peephole.js: Added.
2680         (string_appeared_here.useForMath):
2681         (testUseForMath):
2682         * tests/stress/compare-eq-on-null-and-undefined-optimized-in-constant-folding.js: Added.
2683         (string_appeared_here.unreachableCodeTest):
2684         (inlinedCompareToNull):
2685         (inlinedComparedToUndefined):
2686         (warmupInlineFunctions):
2687         (testInlineFunctions):
2688         * tests/stress/compare-eq-on-null-and-undefined.js: Added.
2689         (string_appeared_here.compareConstants):
2690         (opaqueNull):
2691         (opaqueUndefined):
2692         (compareConstantsAndDynamicValues):
2693         (compareDynamicValues):
2694         (compareDynamicValueToItself):
2695         (arrayTesting):
2696         (opaqueCompare1):
2697         (testNullComparatorUpdate):
2698         (opaqueCompare2):
2699         (testUndefinedComparatorUpdate):
2700         (opaqueCompare3):
2701         (testNullAndUndefinedComparatorUpdate):
2702
2703 2015-08-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2704
2705         Introduce non-user-observable Promise functions to use Promises internally
2706         https://bugs.webkit.org/show_bug.cgi?id=148118
2707
2708         Reviewed by Saam Barati.
2709
2710         To leverage Promises internally (like ES6 Module Loaders), we add
2711         several non-user-observable private methods, like @then, @all, and
2712         refactor the existing Promises implementation to make it easy to use
2713         internally.
2714
2715         But the trappable part still remains. When resolving the promise with
2716         the returned value, we look up the "then" function. So users can trap
2717         it by replacing the "then" function of the Promise's prototype.
2718         To avoid this situation, we'll introduce completely different promise
2719         instances called InternalPromise in the subsequent patch[1].
2720
2721         No behavior change.
2722
2723         [1]: https://bugs.webkit.org/show_bug.cgi?id=148136
2724
2725         * builtins/PromiseConstructor.js:
2726         (privateAll.newResolveElement):
2727         (privateAll):
2728         * runtime/JSGlobalObject.cpp:
2729         (JSC::JSGlobalObject::init):
2730         (JSC::JSGlobalObject::visitChildren): Deleted.
2731         * runtime/JSGlobalObject.h:
2732         (JSC::JSGlobalObject::promiseConstructor): Deleted.
2733         (JSC::JSGlobalObject::promisePrototype): Deleted.
2734         (JSC::JSGlobalObject::promiseStructure): Deleted.
2735         * runtime/JSPromiseConstructor.cpp:
2736         (JSC::JSPromiseConstructor::finishCreation):
2737         * runtime/JSPromiseDeferred.cpp:
2738         (JSC::callFunction):
2739         (JSC::JSPromiseDeferred::resolve):
2740         (JSC::JSPromiseDeferred::reject):
2741         * runtime/JSPromiseDeferred.h:
2742         * runtime/JSPromisePrototype.cpp:
2743         (JSC::JSPromisePrototype::create):
2744         (JSC::JSPromisePrototype::JSPromisePrototype):
2745         * runtime/JSPromisePrototype.h:
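
As an added example that is not part of this entry or the WebKit source, the following JavaScript shows the observability described above: resolving a promise with an object looks up its "then" property, so an accessor placed on Promise.prototype (or on a plain thenable) runs user code during the engine's own resolution step. The recording getter and all object names are constructed for the example.

```javascript
// Added example, not code from the WebKit patch. Resolving a promise with
// another promise performs Get(value, "then"); that lookup is observable by
// user code, which is the "trappable part" the entry describes.

// Resolve `outer` with `inner` while a recording accessor is installed on
// Promise.prototype.then, then restore the original property. The getter
// fires synchronously inside resolve(), before any microtask runs.
function thenLookupsOnPromisePrototype() {
  const seen = [];
  const original = Object.getOwnPropertyDescriptor(Promise.prototype, "then");
  Object.defineProperty(Promise.prototype, "then", {
    configurable: true,
    get() {
      seen.push("Promise.prototype.then looked up");
      return original.value; // hand back the real then so resolution proceeds
    },
  });
  try {
    const inner = Promise.resolve(42);          // 42 is not an object: no lookup
    new Promise(resolve => resolve(inner));     // triggers Get(inner, "then")
    new Promise(resolve => resolve(7));         // a primitive needs no lookup
  } finally {
    Object.defineProperty(Promise.prototype, "then", original);
  }
  return seen; // one entry: exactly one "then" lookup happened
}

// The same lookup happens for any object, so a plain thenable can observe it
// without touching Promise.prototype at all.
function thenLookupsOnPlainThenable() {
  let lookups = 0;
  const thenable = {
    get then() {
      lookups += 1;
      return (onFulfilled) => onFulfilled("resolved by thenable");
    },
  };
  new Promise(resolve => resolve(thenable));
  return lookups; // 1: the getter ran during resolve(), not in a later job
}
```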
2746
2747 2015-08-18  Geoffrey Garen  <ggaren@apple.com>
2748
2749         Try to fix the CLOOP build.
2750
2751         Unreviewed.
2752
2753         * bytecode/CodeBlock.cpp:
2754
2755 2015-08-18  Geoffrey Garen  <ggaren@apple.com>
2756
2757         Split InlineCallFrame into its own file
2758         https://bugs.webkit.org/show_bug.cgi?id=148131
2759
2760         Reviewed by Saam Barati.
2761
2762         * CMakeLists.txt:
2763         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2764         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2765         * JavaScriptCore.xcodeproj/project.pbxproj:
2766         * bytecode/CallLinkStatus.cpp:
2767         * bytecode/CodeBlock.h:
2768         (JSC::ExecState::r):
2769         (JSC::baselineCodeBlockForInlineCallFrame): Deleted.
2770         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock): Deleted.
2771         * bytecode/CodeOrigin.cpp:
2772         (JSC::CodeOrigin::inlineStack):
2773         (JSC::CodeOrigin::codeOriginOwner):
2774         (JSC::CodeOrigin::stackOffset):
2775         (JSC::CodeOrigin::dump):
2776         (JSC::CodeOrigin::dumpInContext):
2777         (JSC::InlineCallFrame::calleeConstant): Deleted.
2778         (JSC::InlineCallFrame::visitAggregate): Deleted.
2779         (JSC::InlineCallFrame::calleeForCallFrame): Deleted.
2780         (JSC::InlineCallFrame::hash): Deleted.
2781         (JSC::InlineCallFrame::hashAsStringIfPossible): Deleted.
2782         (JSC::InlineCallFrame::inferredName): Deleted.
2783         (JSC::InlineCallFrame::baselineCodeBlock): Deleted.
2784         (JSC::InlineCallFrame::dumpBriefFunctionInformation): Deleted.
2785         (JSC::InlineCallFrame::dumpInContext): Deleted.
2786         (JSC::InlineCallFrame::dump): Deleted.
2787         (WTF::printInternal): Deleted.
2788         * bytecode/CodeOrigin.h:
2789         (JSC::CodeOrigin::deletedMarker):
2790         (JSC::CodeOrigin::hash):
2791         (JSC::CodeOrigin::operator==):
2792         (JSC::CodeOriginHash::hash):
2793         (JSC::CodeOriginHash::equal):
2794         (JSC::InlineCallFrame::kindFor): Deleted.
2795         (JSC::InlineCallFrame::varargsKindFor): Deleted.
2796         (JSC::InlineCallFrame::specializationKindFor): Deleted.
2797         (JSC::InlineCallFrame::isVarargs): Deleted.
2798         (JSC::InlineCallFrame::InlineCallFrame): Deleted.
2799         (JSC::InlineCallFrame::specializationKind): Deleted.
2800         (JSC::InlineCallFrame::setStackOffset): Deleted.
2801         (JSC::InlineCallFrame::callerFrameOffset): Deleted.
2802         (JSC::InlineCallFrame::returnPCOffset): Deleted.
2803         (JSC::CodeOrigin::stackOffset): Deleted.
2804         (JSC::CodeOrigin::codeOriginOwner): Deleted.
2805         * bytecode/InlineCallFrame.cpp: Copied from Source/JavaScriptCore/bytecode/CodeOrigin.cpp.
2806         (JSC::InlineCallFrame::calleeConstant):
2807         (JSC::CodeOrigin::inlineDepthForCallFrame): Deleted.
2808         (JSC::CodeOrigin::inlineDepth): Deleted.
2809         (JSC::CodeOrigin::isApproximatelyEqualTo): Deleted.
2810         (JSC::CodeOrigin::approximateHash): Deleted.
2811         (JSC::CodeOrigin::inlineStack): Deleted.
2812         (JSC::CodeOrigin::dump): Deleted.
2813         (JSC::CodeOrigin::dumpInContext): Deleted.
2814         * bytecode/InlineCallFrame.h: Copied from Source/JavaScriptCore/bytecode/CodeOrigin.h.
2815         (JSC::InlineCallFrame::isVarargs):
2816         (JSC::InlineCallFrame::InlineCallFrame):
2817         (JSC::InlineCallFrame::specializationKind):
2818         (JSC::baselineCodeBlockForInlineCallFrame):
2819         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
2820         (JSC::CodeOrigin::CodeOrigin): Deleted.
2821         (JSC::CodeOrigin::isSet): Deleted.
2822         (JSC::CodeOrigin::operator!): Deleted.
2823         (JSC::CodeOrigin::isHashTableDeletedValue): Deleted.
2824         (JSC::CodeOrigin::operator!=): Deleted.
2825         (JSC::CodeOrigin::deletedMarker): Deleted.
2826         (JSC::CodeOrigin::stackOffset): Deleted.
2827         (JSC::CodeOrigin::hash): Deleted.
2828         (JSC::CodeOrigin::operator==): Deleted.
2829         (JSC::CodeOrigin::codeOriginOwner): Deleted.
2830         (JSC::CodeOriginHash::hash): Deleted.
2831         (JSC::CodeOriginHash::equal): Deleted.
2832         (JSC::CodeOriginApproximateHash::hash): Deleted.
2833         (JSC::CodeOriginApproximateHash::equal): Deleted.
2834         * bytecode/InlineCallFrameSet.cpp:
2835         * dfg/DFGCommonData.cpp:
2836         * dfg/DFGOSRExitBase.cpp:
2837         * dfg/DFGVariableEventStream.cpp:
2838         * ftl/FTLOperations.cpp:
2839         * interpreter/CallFrame.cpp:
2840         * interpreter/StackVisitor.cpp:
2841         * jit/AssemblyHelpers.h:
2842         * profiler/ProfilerOriginStack.cpp:
2843         * runtime/ClonedArguments.cpp:
2844
2845 2015-08-18  Mark Lam  <mark.lam@apple.com>
2846
2847         Removed an unused param in Interpreter::initialize().
2848         https://bugs.webkit.org/show_bug.cgi?id=148129
2849
2850         Reviewed by Michael Saboff.
2851
2852         * interpreter/Interpreter.cpp:
2853         (JSC::Interpreter::~Interpreter):
2854         (JSC::Interpreter::initialize):
2855         * interpreter/Interpreter.h:
2856         (JSC::Interpreter::stack):
2857         * runtime/VM.cpp:
2858         (JSC::VM::VM):
2859
2860 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2861
2862         Add const to content extension parser
2863         https://bugs.webkit.org/show_bug.cgi?id=148044
2864
2865         Reviewed by Benjamin Poulain.
2866
2867         * runtime/JSObject.h:
2868         (JSC::JSObject::getIndexQuickly):
2869         (JSC::JSObject::tryGetIndexQuickly):
2870         (JSC::JSObject::getDirectIndex):
2871         (JSC::JSObject::getIndex):
2872         Added a few const keywords.
2873
2874 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2875
2876         Build Debug Suffix on Windows with CMake
2877         https://bugs.webkit.org/show_bug.cgi?id=148083
2878
2879         Reviewed by Brent Fulgham.
2880
2881         * CMakeLists.txt:
2882         * PlatformWin.cmake:
2883         * shell/CMakeLists.txt:
2884         * shell/PlatformWin.cmake:
2885         Add DEBUG_SUFFIX
2886
2887 2015-08-17  Saam barati  <sbarati@apple.com>
2888
2889         Web Inspector: Type profiler return types aren't showing up
2890         https://bugs.webkit.org/show_bug.cgi?id=147348
2891
2892         Reviewed by Brian Burg.
2893
2894         Bug #145995 changed the starting offset of a function to
2895         be the open parenthesis of the function's parameter list.
2896         This broke JSC's type profiler protocol of communicating
2897         return types of a function to the web inspector. This
2898         is now fixed. The text offset used in the protocol is now
2899         the first letter of the function/get/set/method name.
2900         So "f" in "function a() {}", "s" in "set foo(){}", etc.
2901
2902         * bytecode/CodeBlock.cpp:
2903         (JSC::CodeBlock::CodeBlock):
2904         * jsc.cpp:
2905         (functionReturnTypeFor):
2906
2907 2015-08-17  Aleksandr Skachkov  <gskachkov@gmail.com>
2908
2909         [ES6] Implement ES6 arrow function syntax. Arrow function specific features. Lexical bind of this
2910         https://bugs.webkit.org/show_bug.cgi?id=144956
2911
2912         Reviewed by Saam Barati.
2913
2914         Added support for the ES6 arrow function specific features, lexical binding of this and no constructor. http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax
2915         In this patch the following cases were implemented:
2916            this - the variable |this| points to the |this| of the function where the arrow function is declared. Lexical binding of |this|
2917            constructor - using the |new| operator on an arrow function leads to a runtime error
2918            call(), apply(), bind() - these methods can only pass in arguments, but have no effect on |this|
2920
2921         * CMakeLists.txt:
2922         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2923         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2924         * JavaScriptCore.xcodeproj/project.pbxproj:
2925         * bytecode/BytecodeList.json:
2926         * bytecode/BytecodeUseDef.h:
2927         (JSC::computeUsesForBytecodeOffset):
2928         (JSC::computeDefsForBytecodeOffset):
2929         * bytecode/CodeBlock.cpp:
2930         (JSC::CodeBlock::dumpBytecode):
2931         * bytecode/ExecutableInfo.h:
2932         (JSC::ExecutableInfo::ExecutableInfo):
2933         (JSC::ExecutableInfo::isArrowFunction):
2934         * bytecode/UnlinkedCodeBlock.cpp:
2935         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2936         * bytecode/UnlinkedCodeBlock.h:
2937         (JSC::UnlinkedCodeBlock::isArrowFunction):
2938         * bytecode/UnlinkedFunctionExecutable.cpp:
2939         (JSC::generateFunctionCodeBlock):
2940         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2941         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2942         * bytecode/UnlinkedFunctionExecutable.h:
2943         * bytecompiler/BytecodeGenerator.cpp:
2944         (JSC::BytecodeGenerator::BytecodeGenerator):
2945         (JSC::BytecodeGenerator::emitNewFunctionCommon):
2946         (JSC::BytecodeGenerator::emitNewFunctionExpression):
2947         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
2948         (JSC::BytecodeGenerator::emitLoadArrowFunctionThis):
2949         * bytecompiler/BytecodeGenerator.h:
2950         * bytecompiler/NodesCodegen.cpp:
2951         (JSC::ArrowFuncExprNode::emitBytecode):
2952         * dfg/DFGAbstractInterpreterInlines.h:
2953         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2954         * dfg/DFGByteCodeParser.cpp:
2955         (JSC::DFG::ByteCodeParser::parseBlock):
2956         * dfg/DFGCapabilities.cpp:
2957         (JSC::DFG::capabilityLevel):
2958         * dfg/DFGClobberize.h:
2959         (JSC::DFG::clobberize):
2960         * dfg/DFGDoesGC.cpp:
2961         (JSC::DFG::doesGC):
2962         * dfg/DFGFixupPhase.cpp:
2963         (JSC::DFG::FixupPhase::fixupNode):
2964         * dfg/DFGNode.h:
2965         (JSC::DFG::Node::convertToPhantomNewFunction):
2966         (JSC::DFG::Node::hasCellOperand):
2967         (JSC::DFG::Node::isFunctionAllocation):
2968         * dfg/DFGNodeType.h:
2969         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2970         * dfg/DFGPredictionPropagationPhase.cpp:
2971         (JSC::DFG::PredictionPropagationPhase::propagate):
2972         * dfg/DFGPromotedHeapLocation.cpp:
2973         (WTF::printInternal):
2974         * dfg/DFGPromotedHeapLocation.h:
2975         * dfg/DFGSafeToExecute.h:
2976         (JSC::DFG::safeToExecute):
2977         * dfg/DFGSpeculativeJIT.cpp:
2978         (JSC::DFG::SpeculativeJIT::compileLoadArrowFunctionThis):
2979         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2980         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2981         * dfg/DFGSpeculativeJIT.h:
2982         (JSC::DFG::SpeculativeJIT::callOperation):
2983         * dfg/DFGSpeculativeJIT32_64.cpp:
2984         (JSC::DFG::SpeculativeJIT::compile):
2985         * dfg/DFGSpeculativeJIT64.cpp:
2986         (JSC::DFG::SpeculativeJIT::compile):
2987         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2988         * dfg/DFGStructureRegistrationPhase.cpp:
2989         (JSC::DFG::StructureRegistrationPhase::run):
2990         * ftl/FTLAbstractHeapRepository.cpp:
2991         * ftl/FTLAbstractHeapRepository.h:
2992         * ftl/FTLCapabilities.cpp:
2993         (JSC::FTL::canCompile):
2994         * ftl/FTLIntrinsicRepository.h:
2995         * ftl/FTLLowerDFGToLLVM.cpp:
2996         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2997         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2998         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadArrowFunctionThis):
2999         * ftl/FTLOperations.cpp:
3000         (JSC::FTL::operationMaterializeObjectInOSR):
3001         * interpreter/Interpreter.cpp:
3002         * interpreter/Interpreter.h:
3003         * jit/CCallHelpers.h:
3004         (JSC::CCallHelpers::setupArgumentsWithExecState): Added 3 arguments version for windows build.
3005         * jit/JIT.cpp:
3006         (JSC::JIT::privateCompileMainPass):
3007         * jit/JIT.h:
3008         * jit/JITInlines.h:
3009         (JSC::JIT::callOperation):
3010         * jit/JITOpcodes.cpp:
3011         (JSC::JIT::emit_op_load_arrowfunction_this):
3012         (JSC::JIT::emit_op_new_func_exp):
3013         (JSC::JIT::emitNewFuncExprCommon):
3014         (JSC::JIT::emit_op_new_arrow_func_exp):
3015         * jit/JITOpcodes32_64.cpp:
3016         (JSC::JIT::emit_op_load_arrowfunction_this):
3017         * jit/JITOperations.cpp:
3018         * jit/JITOperations.h:
3019         * llint/LLIntOffsetsExtractor.cpp:
3020         * llint/LLIntSlowPaths.cpp:
3021         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3022         (JSC::LLInt::setUpCall):
3023         * llint/LLIntSlowPaths.h:
3024         * llint/LowLevelInterpreter.asm:
3025         * llint/LowLevelInterpreter32_64.asm:
3026         * llint/LowLevelInterpreter64.asm:
3027         * parser/ASTBuilder.h:
3028         (JSC::ASTBuilder::createFunctionMetadata):
3029         (JSC::ASTBuilder::createArrowFunctionExpr):
3030         * parser/NodeConstructors.h:
3031         (JSC::BaseFuncExprNode::BaseFuncExprNode):
3032         (JSC::FuncExprNode::FuncExprNode):
3033         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
3034         * parser/Nodes.cpp:
3035         (JSC::FunctionMetadataNode::FunctionMetadataNode):
3036         * parser/Nodes.h:
3037         (JSC::ExpressionNode::isArrowFuncExprNode):
3038         * parser/Parser.cpp:
3039         (JSC::Parser<LexerType>::parseFunctionBody):
3040         (JSC::Parser<LexerType>::parseFunctionInfo):
3041         * parser/SyntaxChecker.h:
3042         (JSC::SyntaxChecker::createFunctionMetadata):
3043         * runtime/Executable.cpp:
3044         (JSC::ScriptExecutable::newCodeBlockFor):
3045         * runtime/Executable.h:
3046         * runtime/JSArrowFunction.cpp: Added.
3047         (JSC::JSArrowFunction::destroy):
3048         (JSC::JSArrowFunction::create):
3049         (JSC::JSArrowFunction::JSArrowFunction):
3050         (JSC::JSArrowFunction::createWithInvalidatedReallocationWatchpoint):
3051         (JSC::JSArrowFunction::visitChildren):
3052         (JSC::JSArrowFunction::getConstructData):
3053         * runtime/JSArrowFunction.h: Added.
3054         (JSC::JSArrowFunction::allocationSize):
3055         (JSC::JSArrowFunction::createImpl):
3056         (JSC::JSArrowFunction::boundThis):
3057         (JSC::JSArrowFunction::createStructure):
3058         (JSC::JSArrowFunction::offsetOfThisValue):
3059         * runtime/JSFunction.h:
3060         * runtime/JSFunctionInlines.h:
3061         (JSC::JSFunction::JSFunction):
3062         * runtime/JSGlobalObject.cpp:
3063         (JSC::JSGlobalObject::init):
3064         (JSC::JSGlobalObject::visitChildren):
3065         * runtime/JSGlobalObject.h:
3066         (JSC::JSGlobalObject::arrowFunctionStructure):
3067         * tests/stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js: Added.
3068         * tests/stress/arrowfunction-activation-sink-osrexit-default-value.js: Added.
3069         * tests/stress/arrowfunction-activation-sink-osrexit.js: Added.
3070         * tests/stress/arrowfunction-activation-sink.js: Added.
3071         * tests/stress/arrowfunction-bound.js: Added.
3072         * tests/stress/arrowfunction-call.js: Added.
3073         * tests/stress/arrowfunction-constructor.js: Added.
3074         * tests/stress/arrowfunction-lexical-bind-this-1.js: Added.
3075         * tests/stress/arrowfunction-lexical-bind-this-2.js: Added.
3076         * tests/stress/arrowfunction-lexical-bind-this-3.js: Added.
3077         * tests/stress/arrowfunction-lexical-bind-this-4.js: Added.
3078         * tests/stress/arrowfunction-lexical-bind-this-5.js: Added.
3079         * tests/stress/arrowfunction-lexical-bind-this-6.js: Added.
3080         * tests/stress/arrowfunction-lexical-this-activation-sink-osrexit.js: Added.
3081         * tests/stress/arrowfunction-lexical-this-activation-sink.js: Added.
3082         * tests/stress/arrowfunction-lexical-this-sinking-no-double-allocate.js: Added.
3083         * tests/stress/arrowfunction-lexical-this-sinking-osrexit.js: Added.
3084         * tests/stress/arrowfunction-lexical-this-sinking-put.js: Added.
3085         * tests/stress/arrowfunction-others.js: Added.
3086         * tests/stress/arrowfunction-run-10-1.js: Added.
3087         * tests/stress/arrowfunction-run-10-2.js: Added.
3088         * tests/stress/arrowfunction-run-10000-1.js: Added.
3089         * tests/stress/arrowfunction-run-10000-2.js: Added.
3090         * tests/stress/arrowfunction-sinking-no-double-allocate.js: Added.
3091         * tests/stress/arrowfunction-sinking-osrexit.js: Added.
3092         * tests/stress/arrowfunction-sinking-put.js: Added.
3093         * tests/stress/arrowfunction-tdz.js: Added.
3094         * tests/stress/arrowfunction-typeof.js: Added.
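
As an added example that is not part of the patch, the following JavaScript checks the three behaviours listed above (lexical |this|, no constructor, and call/apply/bind passing arguments without rebinding |this|); every object and function name in it is constructed for the example.

```javascript
// Added example, not code from the WebKit patch. Each function returns the
// observed behaviour so it can be checked rather than printed.

// 1. Lexical |this|: an arrow function uses the |this| of the enclosing
//    function, while a regular function gets |this| from its call site.
function lexicalThisResults() {
  const owner = {
    name: "owner",
    makeRegular() {
      return function () {
        // A plain call has no receiver: undefined in strict code,
        // globalThis in sloppy code. Report both the same way.
        return this === undefined || this === globalThis ? "no this" : this.name;
      };
    },
    makeArrow() { return () => this.name; }, // captures |this| of makeArrow()
  };
  const other = { name: "other" };
  const regular = owner.makeRegular();
  const arrow = owner.makeArrow();
  return {
    regularPlain: regular(),             // "no this"
    regularCall: regular.call(other),    // "other": call() rebinds a regular function
    arrowPlain: arrow(),                 // "owner": captured when makeArrow() ran
    arrowCall: arrow.call(other),        // still "owner": call() cannot rebind
    arrowApply: arrow.apply(other, []),  // still "owner"
    arrowBound: arrow.bind(other)(),     // still "owner"
  };
}

// 2. No constructor: |new| on an arrow function throws a TypeError.
function constructArrow() {
  const arrow = () => ({});
  try {
    new arrow();
    return "constructed";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other error";
  }
}

// 3. call/apply/bind still pass arguments through; only |this| is fixed.
function argumentsStillPassed() {
  const add = (a, b) => a + b;
  return {
    viaCall: add.call(null, 2, 3),      // 5
    viaApply: add.apply(null, [2, 3]),  // 5
    viaBind: add.bind(null, 2)(3),      // 5
  };
}
```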
3095
3096 2015-07-28  Sam Weinig  <sam@webkit.org>
3097
3098         Cleanup the builtin JavaScript files
3099         https://bugs.webkit.org/show_bug.cgi?id=147382
3100
3101         Reviewed by Geoffrey Garen.
3102
3103         * builtins/Array.prototype.js:
3104         * builtins/ArrayConstructor.js:
3105         * builtins/ArrayIterator.prototype.js:
3106         * builtins/Function.prototype.js:
3107         * builtins/Iterator.prototype.js:
3108         * builtins/ObjectConstructor.js:
3109         * builtins/StringConstructor.js:
3110         * builtins/StringIterator.prototype.js:
3111         Unify the style of the builtin JavaScript files.
3112
3113 2015-08-17  Alex Christensen  <achristensen@webkit.org>
3114
3115         Move some commands from ./CMakeLists.txt to Source/cmake
3116         https://bugs.webkit.org/show_bug.cgi?id=148003
3117
3118         Reviewed by Brent Fulgham.
3119
3120         * CMakeLists.txt:
3121         Added commands needed to build JSC by itself.
3122
3123 2015-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3124
3125         [ES6] Implement Reflect.get
3126         https://bugs.webkit.org/show_bug.cgi?id=147925
3127
3128         Reviewed by Geoffrey Garen.
3129
3130         This patch implements the Reflect.get API.
3131         It can take the receiver object as the third argument.
3132         When the receiver is specified and there's a getter for the given property name,
3133         we call the getter with the receiver as the |this| value.
3134
3135         * runtime/ReflectObject.cpp:
3136         (JSC::reflectObjectGet):
3137         * runtime/SparseArrayValueMap.cpp:
3138         (JSC::SparseArrayEntry::get): Deleted.
3139         * runtime/SparseArrayValueMap.h:
3140         * tests/stress/reflect-get.js: Added.
3141         (shouldBe):
3142         (shouldThrow):
3143         (.get shouldThrow):
3144         (.get var):
3145         (get var.object.get hello):
3146         (.get shouldBe):
3147         (get var.object.set hello):
3148
3149 2015-08-17  Simon Fraser  <simon.fraser@apple.com>
3150
3151         will-change should sometimes trigger compositing
3152         https://bugs.webkit.org/show_bug.cgi?id=148072
3153
3154         Reviewed by Tim Horton.
3155
3156         Include will-change as a reason for compositing.
3157
3158         * inspector/protocol/LayerTree.json:
3159
3160 2015-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3161
3162         [ES6] Implement Reflect.getOwnPropertyDescriptor
3163         https://bugs.webkit.org/show_bug.cgi?id=147929
3164
3165         Reviewed by Geoffrey Garen.
3166
3167         Implement Reflect.getOwnPropertyDescriptor.
3168         The difference from Object.getOwnPropertyDescriptor is that
3169         Reflect.getOwnPropertyDescriptor does not perform ToObject on
3170         the first argument. If the first argument is not an Object, it
3171         immediately raises a TypeError.
3172
3173         * runtime/ObjectConstructor.cpp:
3174         (JSC::objectConstructorGetOwnPropertyDescriptor):
3175         * runtime/ObjectConstructor.h:
3176         * runtime/ReflectObject.cpp:
3177         (JSC::reflectObjectGetOwnPropertyDescriptor):
3178         * tests/stress/reflect-get-own-property.js: Added.
3179         (shouldBe):
3180         (shouldThrow):
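
As an added example (not code from either WebKit patch), the following JavaScript exercises the two Reflect entries above: the receiver argument of Reflect.get, and the non-object handling that distinguishes Reflect.getOwnPropertyDescriptor from Object.getOwnPropertyDescriptor. All object, property and function names are constructed for the example.

```javascript
// Added example, not code from the WebKit patches.

// Reflect.get(target, key, receiver): when the property is an accessor, the
// getter runs with |this| = receiver rather than |this| = target.
function getterSeesReceiver() {
  const target = {
    secret: "from target",
    get value() { return this.secret; },
  };
  const receiver = { secret: "from receiver" };
  return {
    plainGet: target.value,                                       // "from target"
    reflectNoReceiver: Reflect.get(target, "value"),              // "from target"
    reflectWithReceiver: Reflect.get(target, "value", receiver),  // "from receiver"
  };
}

// A data property ignores the receiver: the value is read from the target.
function dataPropertyIgnoresReceiver() {
  const target = { plain: 1 };
  return Reflect.get(target, "plain", { plain: 99 }); // 1
}

// Object.getOwnPropertyDescriptor applies ToObject ("abc" becomes a String
// wrapper), so it answers for primitives; Reflect.getOwnPropertyDescriptor
// throws a TypeError instead. For a real object both return a descriptor.
function describeOwnProperty(value, key) {
  const viaObject = Object.getOwnPropertyDescriptor(value, key);
  let viaReflect;
  try {
    viaReflect = Reflect.getOwnPropertyDescriptor(value, key);
  } catch (e) {
    viaReflect = e instanceof TypeError ? "TypeError" : "other error";
  }
  return { viaObject: viaObject ? viaObject.value : undefined, viaReflect };
}
```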
3181
3182 2015-08-16  Benjamin Poulain  <bpoulain@apple.com>
3183
3184         [JSC] Use (x + x) instead of (x * 2) when possible
3185         https://bugs.webkit.org/show_bug.cgi?id=148051
3186
3187         Reviewed by Michael Saboff.
3188
3189         When multiplying a number by 2, JSC was loading a constant "2"
3190         in register and multiplying it with the first number:
3191
3192             mov $0x4000000000000000, %rcx
3193             movd %rcx, %xmm0
3194             mulsd %xmm0, %xmm1
3195
3196         This is a problem for a few reasons.
3197         1) "movd %rcx, %xmm0" only set half of XMM0. This instruction
3198            has to wait for any preceding instruction on XMM0 to finish
3199            before executing.
3200         2) The load and transform itself is large and unnecessary.
3201
3202         To fix that, I added a StrengthReductionPhase to transform
3203         multiplications by 2 into an addition.
3204
3205         Unfortunately, that turned the code into:
3206             movsd %xmm0 %xmm1
3207             mulsd %xmm1 %xmm0
3208
3209         The reason is GenerationInfo::canReuse() was not accounting
3210         for nodes using other nodes multiple times.
3211
3212         After fixing that too, we now have the multiplications by 2
3213         done as:
3214             addsd %xmm0 %xmm0
3215
3216         * dfg/DFGGenerationInfo.h:
3217         (JSC::DFG::GenerationInfo::useCount):
3218         (JSC::DFG::GenerationInfo::canReuse): Deleted.
3219         * dfg/DFGSpeculativeJIT.cpp:
3220         (JSC::DFG::FPRTemporary::FPRTemporary):
3221         * dfg/DFGSpeculativeJIT.h:
3222         (JSC::DFG::SpeculativeJIT::canReuse):
3223         (JSC::DFG::GPRTemporary::GPRTemporary):
3224         * dfg/DFGStrengthReductionPhase.cpp:
3225         (JSC::DFG::StrengthReductionPhase::handleNode):
3226
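The two steps in the entry above (rewrite Mul(x, 2) to Add(x, x), then let the result reuse x's register only if the consuming node's own uses account for all of x's remaining uses) can be modelled on a toy IR. This is an added illustration, not WebKit's DFG code: the node shape, the useCount bookkeeping, the `canReuseBuggy`/`canReuseFixed` rules and the pseudo-assembly emitter are assumptions made for the example.

```javascript
// Added example, not WebKit's DFG code: a toy IR that shows the two steps the
// entry describes. (1) strength reduction rewrites Mul(x, 2) into Add(x, x);
// (2) deciding whether the result may be written into x's own register has to
// count how many times the consuming node itself uses x, otherwise the doubled
// edge looks like "x is still live" and a needless copy is emitted.
// Node shapes, useCount bookkeeping and the canReuse rules are assumptions made
// for this illustration, not the real DFG data structures.

let nextId = 0;
function node(op, children = [], value) {
    return { id: nextId++, op, children, value, useCount: 0 };
}

// Count every edge, including two edges from one parent to the same child.
function computeUseCounts(root) {
    const order = [];
    const seen = new Set();
    (function collect(n) {
        if (seen.has(n)) return;
        seen.add(n);
        order.push(n);
        n.children.forEach(collect);
    })(root);
    for (const n of order) n.useCount = 0;
    for (const n of order)
        for (const c of n.children) c.useCount += 1;   // duplicate edges counted twice, deliberately
    return order;
}

// Step 1: Mul(x, Const 2) -> Add(x, x). Mutates nodes in place like a real phase would.
function strengthReduce(root) {
    for (const n of computeUseCounts(root)) {
        if (n.op !== "Mul") continue;
        const [a, b] = n.children;
        if (b.op === "Const" && b.value === 2) { n.op = "Add"; n.children = [a, a]; }
        else if (a.op === "Const" && a.value === 2) { n.op = "Add"; n.children = [b, b]; }
    }
    computeUseCounts(root);
    return root;
}

// Step 2: may `parent` write its result into `child`'s register?
// Buggy rule (as the entry describes it): "child has exactly one use".
function canReuseBuggy(parent, child) {
    return child.useCount === 1;
}
// Fixed rule: all of child's remaining uses are the ones parent is consuming now.
function canReuseFixed(parent, child) {
    const usesByParent = parent.children.filter(c => c === child).length;
    return usesByParent > 0 && child.useCount === usesByParent;
}

// Emit AT&T-style pseudo-assembly (src, dest) for a Mul/Add node whose children
// already live in registers; regOf maps a node to its register name.
function emit(n, regOf, reuse) {
    const [a, b] = n.children;
    const mnemonic = n.op === "Add" ? "addsd" : "mulsd";
    if (reuse(n, a)) return [`${mnemonic} ${regOf(b)}, ${regOf(a)}`];       // result lands in a's register
    return [`movsd ${regOf(a)}, %xmmT`, `${mnemonic} ${regOf(b)}, %xmmT`];   // copy first, then operate
}

// Constructed demo: x * 2 with x in %xmm0, under both reuse rules.
function demo() {
    const x = node("Arg");
    const expr = strengthReduce(node("Mul", [x, node("Const", [], 2)]));
    const regOf = () => "%xmm0";
    return { before: emit(expr, regOf, canReuseBuggy), after: emit(expr, regOf, canReuseFixed) };
}
console.log(demo());
```

With the buggy rule the doubled edge gives x a use count of 2, so the emitter copies first and produces the movsd/addsd pair; with the fixed rule the two uses are both the Add node's, so the single `addsd %xmm0, %xmm0` comes out.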
3227 2015-08-14  Basile Clement  <basile_clement@apple.com>
3228
3229         Occasional failure in v8-v6/v8-raytrace.js.ftl-eager
3230         https://bugs.webkit.org/show_bug.cgi?id=147165
3231
3232         Reviewed by Saam Barati.
3233
3234         The object allocation sinking phase was not properly checking that a
3235         MultiGetByOffset was safe to lower before lowering it.
3236         This makes it so that we only lower MultiGetByOffset if it only loads
3237         from direct properties of the object, and considers it as an escape in
3238         any other case (e.g. a load from the prototype).
3239
3240         It also ensures proper conversion of MultiGetByOffset into
3241         CheckStructureImmediate when needed.
3242
3243         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3244         * ftl/FTLLowerDFGToLLVM.cpp:
3245         (JSC::FTL::DFG::LowerDFGToLLVM::checkStructure):
3246             We were not properly compiling CheckStructure and
3247             CheckStructureImmediate nodes with an empty StructureSet.
3248         * tests/stress/sink-multigetbyoffset.js: Regression test.
3249
3250 2015-08-14  Filip Pizlo  <fpizlo@apple.com>
3251
3252         Use WTF::Lock and WTF::Condition instead of WTF::Mutex, WTF::ThreadCondition, std::mutex, and std::condition_variable
3253         https://bugs.webkit.org/show_bug.cgi?id=147999
3254
3255         Reviewed by Geoffrey Garen.
3256
3257         * API/JSVirtualMachine.mm:
3258         (initWrapperCache):
3259         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
3260         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
3261         (wrapperCacheMutex): Deleted.
3262         * bytecode/SamplingTool.cpp:
3263         (JSC::SamplingTool::doRun):
3264         (JSC::SamplingTool::notifyOfScope):
3265         * bytecode/SamplingTool.h:
3266         * dfg/DFGThreadData.h:
3267         * dfg/DFGWorklist.cpp:
3268         (JSC::DFG::Worklist::~Worklist):
3269         (JSC::DFG::Worklist::isActiveForVM):
3270         (JSC::DFG::Worklist::enqueue):
3271         (JSC::DFG::Worklist::compilationState):
3272         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
3273         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
3274         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
3275         (JSC::DFG::Worklist::visitWeakReferences):
3276         (JSC::DFG::Worklist::removeDeadPlans):
3277         (JSC::DFG::Worklist::queueLength):
3278         (JSC::DFG::Worklist::dump):
3279         (JSC::DFG::Worklist::runThread):
3280         * dfg/DFGWorklist.h:
3281         * disassembler/Disassembler.cpp:
3282         * heap/CopiedSpace.cpp:
3283         (JSC::CopiedSpace::doneFillingBlock):
3284         (JSC::CopiedSpace::doneCopying):
3285         * heap/CopiedSpace.h:
3286         * heap/CopiedSpaceInlines.h:
3287         (JSC::CopiedSpace::recycleBorrowedBlock):
3288         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
3289         * heap/GCThread.cpp:
3290         (JSC::GCThread::waitForNextPhase):
3291         (JSC::GCThread::gcThreadMain):
3292         * heap/GCThreadSharedData.cpp:
3293         (JSC::GCThreadSharedData::GCThreadSharedData):
3294         (JSC::GCThreadSharedData::~GCThreadSharedData):
3295         (JSC::GCThreadSharedData::startNextPhase):
3296         (JSC::GCThreadSharedData::endCurrentPhase):
3297         (JSC::GCThreadSharedData::didStartMarking):
3298         (JSC::GCThreadSharedData::didFinishMarking):
3299         * heap/GCThreadSharedData.h:
3300         * heap/HeapTimer.h:
3301         * heap/MachineStackMarker.cpp:
3302         (JSC::ActiveMachineThreadsManager::Locker::Locker):
3303         (JSC::ActiveMachineThreadsManager::add):
3304         (JSC::ActiveMachineThreadsManager::remove):
3305         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
3306         (JSC::MachineThreads::~MachineThreads):
3307         (JSC::MachineThreads::addCurrentThread):
3308         (JSC::MachineThreads::removeThreadIfFound):
3309         (JSC::MachineThreads::tryCopyOtherThreadStack):
3310         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3311         (JSC::MachineThreads::gatherConservativeRoots):
3312         * heap/MachineStackMarker.h:
3313         * heap/SlotVisitor.cpp:
3314         (JSC::SlotVisitor::donateKnownParallel):
3315         (JSC::SlotVisitor::drain):
3316         (JSC::SlotVisitor::drainFromShared):
3317         (JSC::SlotVisitor::mergeOpaqueRoots):
3318         * heap/SlotVisitorInlines.h:
3319         (JSC::SlotVisitor::containsOpaqueRootTriState):
3320         * inspector/remote/RemoteInspectorDebuggableConnection.h:
3321         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
3322         (Inspector::RemoteInspectorHandleRunSourceGlobal):
3323         (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
3324         (Inspector::RemoteInspectorInitializeGlobalQueue):
3325         (Inspector::RemoteInspectorHandleRunSourceWithInfo):
3326         (Inspector::RemoteInspectorDebuggableConnection::setup):
3327         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
3328         (Inspector::RemoteInspectorDebuggableConnection::close):
3329         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
3330         (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
3331         * interpreter/JSStack.cpp:
3332         (JSC::JSStack::JSStack):
3333         (JSC::JSStack::releaseExcessCapacity):
3334         (JSC::JSStack::addToCommittedByteCount):
3335         (JSC::JSStack::committedByteCount):
3336         (JSC::stackStatisticsMutex): Deleted.
3337         (JSC::JSStack::initializeThreading): Deleted.
3338         * interpreter/JSStack.h:
3339         (JSC::JSStack::gatherConservativeRoots):
3340         (JSC::JSStack::sanitizeStack):
3341         (JSC::JSStack::size):
3342         (JSC::JSStack::initializeThreading): Deleted.
3343         * jit/ExecutableAllocator.cpp:
3344         (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
3345         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
3346         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
3347         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
3348         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
3349         (JSC::DemandExecutableAllocator::allocators):
3350         (JSC::DemandExecutableAllocator::allocatorsMutex):
3351         * jit/JITThunks.cpp:
3352         (JSC::JITThunks::ctiStub):
3353         * jit/JITThunks.h:
3354         * profiler/ProfilerDatabase.cpp:
3355         (JSC::Profiler::Database::ensureBytecodesFor):
3356         (JSC::Profiler::Database::notifyDestruction):
3357         * profiler/ProfilerDatabase.h:
3358         * runtime/InitializeThreading.cpp:
3359         (JSC::initializeThreading):
3360         * runtime/JSLock.cpp:
3361         (JSC::GlobalJSLock::GlobalJSLock):
3362         (JSC::GlobalJSLock::~GlobalJSLock):
3363         (JSC::JSLockHolder::JSLockHolder):
3364         (JSC::GlobalJSLock::initialize): Deleted.
3365         * runtime/JSLock.h:
3366
3367 2015-08-14  Ryosuke Niwa  <rniwa@webkit.org>
3368
3369         ES6 class syntax should allow computed name method
3370         https://bugs.webkit.org/show_bug.cgi?id=142690
3371
3372         Reviewed by Saam Barati.
3373
3374         Added a new "attributes" attribute to op_put_getter_by_id, op_put_setter_by_id, op_put_getter_setter to specify
3375         the property descriptor options so that we can use op_put_setter_by_id and op_put_getter_setter to define
3376         getters and setters for classes. Without this, getters and setters could erroneously override methods.
3377
3378         * bytecode/BytecodeList.json:
3379         * bytecode/BytecodeUseDef.h:
3380         (JSC::computeUsesForBytecodeOffset):
3381         * bytecode/CodeBlock.cpp:
3382         (JSC::CodeBlock::dumpBytecode):
3383         * bytecompiler/BytecodeGenerator.cpp:
3384         (JSC::BytecodeGenerator::emitDirectPutById):
3385         (JSC::BytecodeGenerator::emitPutGetterById):
3386         (JSC::BytecodeGenerator::emitPutSetterById):
3387         (JSC::BytecodeGenerator::emitPutGetterSetter):
3388         * bytecompiler/BytecodeGenerator.h:
3389         * bytecompiler/NodesCodegen.cpp:
3390         (JSC::PropertyListNode::emitBytecode): Always use emitPutGetterSetter to emit getters and setters for classes
3391         as done for object literals.
3392         (JSC::PropertyListNode::emitPutConstantProperty):
3393         (JSC::ClassExprNode::emitBytecode):
3394         * jit/CCallHelpers.h:
3395         (JSC::CCallHelpers::setupArgumentsWithExecState):
3396         * jit/JIT.h:
3397         * jit/JITInlines.h:
3398         (JSC::JIT::callOperation):
3399         * jit/JITOperations.cpp:
3400         * jit/JITOperations.h:
3401         * jit/JITPropertyAccess.cpp:
3402         (JSC::JIT::emit_op_put_getter_by_id):
3403         (JSC::JIT::emit_op_put_setter_by_id):
3404         (JSC::JIT::emit_op_put_getter_setter):
3405         (JSC::JIT::emit_op_del_by_id):
3406         * jit/JITPropertyAccess32_64.cpp:
3407         (JSC::JIT::emit_op_put_getter_by_id):
3408         (JSC::JIT::emit_op_put_setter_by_id):
3409         (JSC::JIT::emit_op_put_getter_setter):
3410         (JSC::JIT::emit_op_del_by_id):
3411         * llint/LLIntSlowPaths.cpp:
3412         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3413         * llint/LowLevelInterpreter.asm:
3414         * parser/ASTBuilder.h:
3415         (JSC::ASTBuilder::createProperty):
3416         (JSC::ASTBuilder::createPropertyList):
3417         * parser/NodeConstructors.h:
3418         (JSC::PropertyNode::PropertyNode):
3419         * parser/Nodes.h:
3420         (JSC::PropertyNode::expressionName):
3421         (JSC::PropertyNode::name):
3422         * parser/Parser.cpp:
3423         (JSC::Parser<LexerType>::parseClass): Added support for computed property names. We don't support computed names
3424         for getters and setters.
3425         * parser/SyntaxChecker.h:
3426         (JSC::SyntaxChecker::createProperty):
3427         * runtime/JSObject.cpp:
3428         (JSC::JSObject::allowsAccessFrom):
3429         (JSC::JSObject::putGetter):
3430         (JSC::JSObject::putSetter):
3431         * runtime/JSObject.h:
3432         * runtime/PropertyDescriptor.h:
3433
3434 2015-08-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3435
3436         Add InspectorInstrumentation builtin object to instrument the code in JS builtins like Promises
3437         https://bugs.webkit.org/show_bug.cgi?id=147942
3438
3439         Reviewed by Geoffrey Garen.
3440
3441         This patch adds a new private global object, @InspectorInstrumentation.
3442         It is intended to be used as the namespace object (like Reflect/Math) for Inspector's
3443         instrumentation system and it is used to instrument the builtin JS code, like Promises.
3444
3445         * CMakeLists.txt:
3446         * DerivedSources.make:
3447         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3448         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3449         * JavaScriptCore.xcodeproj/project.pbxproj:
3450         * builtins/InspectorInstrumentationObject.js: Added.
3451         (debug):
3452         (promiseFulfilled):
3453         (promiseRejected):
3454         * builtins/Operations.Promise.js:
3455         (rejectPromise):
3456         (fulfillPromise):
3457         * runtime/CommonIdentifiers.h:
3458         * runtime/InspectorInstrumentationObject.cpp: Added.
3459         (JSC::InspectorInstrumentationObject::InspectorInstrumentationObject):
3460         (JSC::InspectorInstrumentationObject::finishCreation):
3461         (JSC::InspectorInstrumentationObject::getOwnPropertySlot):
3462         (JSC::InspectorInstrumentationObject::isEnabled):
3463         (JSC::InspectorInstrumentationObject::enable):
3464         (JSC::InspectorInstrumentationObject::disable):
3465         (JSC::inspectorInstrumentationObjectDataLogImpl):
3466         * runtime/InspectorInstrumentationObject.h: Added.
3467         (JSC::InspectorInstrumentationObject::create):
3468         (JSC::InspectorInstrumentationObject::createStructure):
3469         * runtime/JSGlobalObject.cpp:
3470         (JSC::JSGlobalObject::init):
3471
3472 2015-08-14  Commit Queue  <commit-queue@webkit.org>
3473
3474         Unreviewed, rolling out r188444.
3475         https://bugs.webkit.org/show_bug.cgi?id=148029
3476
3477         Broke GTK and EFL (see bug #148027) (Requested by philn on
3478         #webkit).
3479
3480         Reverted changeset:
3481
3482         "Use WTF::Lock and WTF::Condition instead of WTF::Mutex,
3483         WTF::ThreadCondition, std::mutex, and std::condition_variable"
3484         https://bugs.webkit.org/show_bug.cgi?id=147999
3485         http://trac.webkit.org/changeset/188444
3486
3487 2015-08-13  Filip Pizlo  <fpizlo@apple.com>
3488
3489         Use WTF::Lock and WTF::Condition instead of WTF::Mutex, WTF::ThreadCondition, std::mutex, and std::condition_variable
3490         https://bugs.webkit.org/show_bug.cgi?id=147999
3491
3492         Reviewed by Geoffrey Garen.
3493
3494         * API/JSVirtualMachine.mm:
3495         (initWrapperCache):
3496         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
3497         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
3498         (wrapperCacheMutex): Deleted.
3499         * bytecode/SamplingTool.cpp:
3500         (JSC::SamplingTool::doRun):
3501         (JSC::SamplingTool::notifyOfScope):
3502         * bytecode/SamplingTool.h:
3503         * dfg/DFGThreadData.h:
3504         * dfg/DFGWorklist.cpp:
3505         (JSC::DFG::Worklist::~Worklist):
3506         (JSC::DFG::Worklist::isActiveForVM):
3507         (JSC::DFG::Worklist::enqueue):
3508         (JSC::DFG::Worklist::compilationState):
3509         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
3510         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
3511         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
3512         (JSC::DFG::Worklist::visitWeakReferences):
3513         (JSC::DFG::Worklist::removeDeadPlans):
3514         (JSC::DFG::Worklist::queueLength):
3515         (JSC::DFG::Worklist::dump):
3516         (JSC::DFG::Worklist::runThread):
3517         * dfg/DFGWorklist.h:
3518         * disassembler/Disassembler.cpp:
3519         * heap/CopiedSpace.cpp:
3520         (JSC::CopiedSpace::doneFillingBlock):
3521         (JSC::CopiedSpace::doneCopying):
3522         * heap/CopiedSpace.h:
3523         * heap/CopiedSpaceInlines.h:
3524         (JSC::CopiedSpace::recycleBorrowedBlock):
3525         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
3526         * heap/GCThread.cpp:
3527         (JSC::GCThread::waitForNextPhase):
3528         (JSC::GCThread::gcThreadMain):
3529         * heap/GCThreadSharedData.cpp:
3530         (JSC::GCThreadSharedData::GCThreadSharedData):
3531         (JSC::GCThreadSharedData::~GCThreadSharedData):
3532         (JSC::GCThreadSharedData::startNextPhase):
3533         (JSC::GCThreadSharedData::endCurrentPhase):
3534         (JSC::GCThreadSharedData::didStartMarking):
3535         (JSC::GCThreadSharedData::didFinishMarking):
3536         * heap/GCThreadSharedData.h:
3537         * heap/HeapTimer.h:
3538         * heap/MachineStackMarker.cpp:
3539         (JSC::ActiveMachineThreadsManager::Locker::Locker):
3540         (JSC::ActiveMachineThreadsManager::add):
3541         (JSC::ActiveMachineThreadsManager::remove):
3542         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
3543         (JSC::MachineThreads::~MachineThreads):
3544         (JSC::MachineThreads::addCurrentThread):
3545         (JSC::MachineThreads::removeThreadIfFound):
3546         (JSC::MachineThreads::tryCopyOtherThreadStack):
3547         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3548         (JSC::MachineThreads::gatherConservativeRoots):
3549         * heap/MachineStackMarker.h:
3550         * heap/SlotVisitor.cpp:
3551         (JSC::SlotVisitor::donateKnownParallel):
3552         (JSC::SlotVisitor::drain):
3553         (JSC::SlotVisitor::drainFromShared):
3554         (JSC::SlotVisitor::mergeOpaqueRoots):
3555         * heap/SlotVisitorInlines.h:
3556         (JSC::SlotVisitor::containsOpaqueRootTriState):
3557         * inspector/remote/RemoteInspectorDebuggableConnection.h:
3558         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
3559         (Inspector::RemoteInspectorHandleRunSourceGlobal):
3560         (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
3561         (Inspector::RemoteInspectorInitializeGlobalQueue):
3562         (Inspector::RemoteInspectorHandleRunSourceWithInfo):
3563         (Inspector::RemoteInspectorDebuggableConnection::setup):
3564         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
3565         (Inspector::RemoteInspectorDebuggableConnection::close):
3566         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
3567         (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
3568         * interpreter/JSStack.cpp:
3569         (JSC::JSStack::JSStack):
3570         (JSC::JSStack::releaseExcessCapacity):
3571         (JSC::JSStack::addToCommittedByteCount):
3572         (JSC::JSStack::committedByteCount):
3573         (JSC::stackStatisticsMutex): Deleted.
3574         (JSC::JSStack::initializeThreading): Deleted.
3575         * interpreter/JSStack.h:
3576         (JSC::JSStack::gatherConservativeRoots):
3577         (JSC::JSStack::sanitizeStack):
3578         (JSC::JSStack::size):
3579         (JSC::JSStack::initializeThreading): Deleted.
3580         * jit/ExecutableAllocator.cpp:
3581         (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
3582         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
3583         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
3584         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
3585         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
3586         (JSC::DemandExecutableAllocator::allocators):
3587         (JSC::DemandExecutableAllocator::allocatorsMutex):
3588         * jit/JITThunks.cpp:
3589         (JSC::JITThunks::ctiStub):
3590         * jit/JITThunks.h:
3591         * profiler/ProfilerDatabase.cpp:
3592         (JSC::Profiler::Database::ensureBytecodesFor):
3593         (JSC::Profiler::Database::notifyDestruction):
3594         * profiler/ProfilerDatabase.h:
3595         * runtime/InitializeThreading.cpp:
3596         (JSC::initializeThreading):
3597         * runtime/JSLock.cpp:
3598         (JSC::GlobalJSLock::GlobalJSLock):
3599         (JSC::GlobalJSLock::~GlobalJSLock):
3600         (JSC::JSLockHolder::JSLockHolder):
3601         (JSC::GlobalJSLock::initialize): Deleted.
3602         * runtime/JSLock.h:
3603
3604 2015-08-13  Commit Queue  <commit-queue@webkit.org>
3605
3606         Unreviewed, rolling out r188428.
3607         https://bugs.webkit.org/show_bug.cgi?id=148015
3608
3609         broke cmake build (Requested by alexchristensen on #webkit).
3610
3611         Reverted changeset:
3612
3613         "Move some commands from ./CMakeLists.txt to Source/cmake"
3614         https://bugs.webkit.org/show_bug.cgi?id=148003
3615         http://trac.webkit.org/changeset/188428
3616
3617 2015-08-13  Commit Queue  <commit-queue@webkit.org>
3618
3619         Unreviewed, rolling out r188431.
3620         https://bugs.webkit.org/show_bug.cgi?id=148013
3621
3622         JSC headers are too hard to understand (Requested by smfr on
3623         #webkit).
3624
3625         Reverted changeset:
3626
3627         "Remove a few includes from JSGlobalObject.h"
3628         https://bugs.webkit.org/show_bug.cgi?id=148004
3629         http://trac.webkit.org/changeset/188431
3630
3631 2015-08-13  Benjamin Poulain  <bpoulain@apple.com>
3632
3633         [JSC] Add support for GetByVal on arrays of Undecided shape
3634         https://bugs.webkit.org/show_bug.cgi?id=147814
3635
3636         Reviewed by Filip Pizlo.
3637
3638         Previously, GetByVal on Array::Undecided would just take
3639         the generic path. The problem is the generic path is so
3640         slow that it could take a significant amount of time
3641         even for infrequent accesses.
3642
3643         With this patch, if the following conditions are met,
3644         the GetByVal just returns an "undefined" constant:
3645         -The object is an OriginalArray.
3646         -The prototype chain is sane.
3647         -The index is an integer.
3648         -The integer is positive (runtime check).
3649
3650         Ideally, the 4th condition should be removed:
3651         deducing a compile-time constant gives us so much better
3652         opportunities at getting rid of this code.
3653
3654         There are two cases where this patch removes the runtime
3655         check:
3656         -If the index is constant (uncommon but easy)
3657         -If the index is within a range known to be positive.
3658          (common case and made possible with DFGIntegerRangeOptimizationPhase).
3659
3660         When we get into those cases, DFG just nukes everything
3661         and all we have left is a structure check :)
3662
3663         This patch is a 14% improvement on audio-beat-detection,
3664         a few percent faster here and there and no regression.
3665
3666         * dfg/DFGAbstractInterpreterInlines.h:
3667         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3668         If the index is a positive constant, we can get rid of the GetByVal
3669         entirely. :)
3670
3671         * dfg/DFGArrayMode.cpp:
3672         (JSC::DFG::ArrayMode::fromObserved):
3673         The returned type is now Array::Undecided + profiling information.
3674         The useful type is set in ArrayMode::refine().
3675
3676         (JSC::DFG::ArrayMode::refine):
3677         If we meet the particular set conditions, we speculate an Undecided
3678         array type with sane chain. Anything else comes back to Generic.
3679
3680         (JSC::DFG::ArrayMode::originalArrayStructure):
3681         To enable the structure check for Undecided array.
3682
3683         (JSC::DFG::ArrayMode::alreadyChecked):
3684         * dfg/DFGArrayMode.h:
3685         (JSC::DFG::ArrayMode::withProfile):
3686         (JSC::DFG::ArrayMode::canCSEStorage):
3687         (JSC::DFG::ArrayMode::benefitsFromOriginalArray):
3688         (JSC::DFG::ArrayMode::lengthNeedsStorage): Deleted.
3689         (JSC::DFG::ArrayMode::isSpecific): Deleted.
3690
3691         * dfg/DFGByteCodeParser.cpp:
3692         (JSC::DFG::ByteCodeParser::handleIntrinsic): Deleted.
3693         This is somewhat unrelated.
3694
3695         Having Array::Undecided on ArrayPush was impossible before
3696         since ArrayMode::fromObserved() used to return Array::Generic.
3697
3698         Now that Array::Undecided is possible, we must make sure not
3699         to provide it to ArrayPush since there is no code to handle it
3700         properly.
3701
3702         * dfg/DFGClobberize.h:
3703         (JSC::DFG::clobberize):
3704         The operation only depends on the index, it is pure.
3705
3706         * dfg/DFGFixupPhase.cpp:
3707         (JSC::DFG::FixupPhase::fixupNode): Deleted.
3708         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
3709         * dfg/DFGSpeculativeJIT.cpp:
3710         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
3711         (JSC::DFG::SpeculativeJIT::checkArray):
3712         * dfg/DFGSpeculativeJIT32_64.cpp:
3713         (JSC::DFG::SpeculativeJIT::compile):
3714         * dfg/DFGSpeculativeJIT64.cpp:
3715         (JSC::DFG::SpeculativeJIT::compile):
3716         * ftl/FTLCapabilities.cpp:
3717         (JSC::FTL::canCompile):
3718         * ftl/FTLLowerDFGToLLVM.cpp:
3719         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
3720         * tests/stress/get-by-val-on-undecided-array-type.js: Added.
3721         * tests/stress/get-by-val-on-undecided-sane-chain-1.js: Added.
3722         * tests/stress/get-by-val-on-undecided-sane-chain-2.js: Added.
3723         * tests/stress/get-by-val-on-undecided-sane-chain-3.js: Added.
3724         * tests/stress/get-by-val-on-undecided-sane-chain-4.js: Added.
3725         * tests/stress/get-by-val-on-undecided-sane-chain-5.js: Added.
3726         * tests/stress/get-by-val-on-undecided-sane-chain-6.js: Added.
3727
3728 2015-08-13  Simon Fraser  <simon.fraser@apple.com>
3729
3730         Remove a few includes from JSGlobalObject.h
3731         https://bugs.webkit.org/show_bug.cgi?id=148004
3732
3733         Reviewed by Tim Horton.
3734         
3735         Remove 4 #includes from JSGlobalObject.h, and fix the fallout.
3736
3737         * parser/VariableEnvironment.cpp:
3738         * parser/VariableEnvironment.h:
3739         * runtime/JSGlobalObject.h:
3740         * runtime/Structure.h:
3741         * runtime/StructureInlines.h:
3742
3743 2015-08-13  Alex Christensen  <achristensen@webkit.org>
3744
3745         Move some commands from ./CMakeLists.txt to Source/cmake
3746         https://bugs.webkit.org/show_bug.cgi?id=148003
3747
3748         Reviewed by Brent Fulgham.
3749
3750         * CMakeLists.txt:
3751         Added commands needed to build JSC by itself.
3752
3753 2015-08-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3754
3755         Unify JSParserCodeType, FunctionParseMode and ModuleParseMode into SourceParseMode
3756         https://bugs.webkit.org/show_bug.cgi?id=147353
3757
3758         Reviewed by Saam Barati.
3759
3760         This is the follow-up patch after r188355.
3761         It includes the following changes.
3762
3763         - Unify JSParserCodeType, FunctionParseMode and ModuleParseMode into SourceParseMode
3764         - Make SourceParseMode a C++ strongly-typed enum.
3765         - Fix the comments.
3766         - Rename ModuleSpecifier to ModuleName.
3767         - Add the type name `ImportEntry` before the C++11 uniform initialization.
3768         - Fix the thrown message for duplicate 'default' names.
3769         - Assert that all statements in the top-level source elements are module declarations under the module analyzer phase.
3770
3771         * API/JSScriptRef.cpp:
3772         (parseScript):
3773         * builtins/BuiltinExecutables.cpp:
3774         (JSC::BuiltinExecutables::createExecutableInternal):
3775         * bytecode/UnlinkedFunctionExecutable.cpp:
3776         (JSC::generateFunctionCodeBlock):
3777         * bytecode/UnlinkedFunctionExecutable.h:
3778         * bytecompiler/BytecodeGenerator.h:
3779         (JSC::BytecodeGenerator::makeFunction):
3780         * parser/ASTBuilder.h:
3781         (JSC::ASTBuilder::createFunctionMetadata):
3782         (JSC::ASTBuilder::createModuleName):
3783         (JSC::ASTBuilder::createImportDeclaration):
3784         (JSC::ASTBuilder::createExportAllDeclaration):
3785         (JSC::ASTBuilder::createExportNamedDeclaration):
3786         (JSC::ASTBuilder::createModuleSpecifier): Deleted.
3787         * parser/ModuleAnalyzer.cpp:
3788         (JSC::ModuleAnalyzer::analyze):
3789         * parser/NodeConstructors.h:
3790         (JSC::ModuleNameNode::ModuleNameNode):
3791         (JSC::ImportDeclarationNode::ImportDeclarationNode):
3792         (JSC::ExportAllDeclarationNode::ExportAllDeclarationNode):
3793         (JSC::ExportNamedDeclarationNode::ExportNamedDeclarationNode):
3794         (JSC::ModuleSpecifierNode::ModuleSpecifierNode): Deleted.
3795         * parser/Nodes.cpp:
3796         (JSC::FunctionMetadataNode::FunctionMetadataNode):
3797         * parser/Nodes.h:
3798         (JSC::StatementNode::isModuleDeclarationNode):
3799         (JSC::ModuleDeclarationNode::isModuleDeclarationNode):
3800         (JSC::ImportDeclarationNode::moduleName):
3801         (JSC::ExportAllDeclarationNode::moduleName):
3802         (JSC::ExportNamedDeclarationNode::moduleName):
3803         (JSC::ImportDeclarationNode::moduleSpecifier): Deleted.
3804         (JSC::ExportAllDeclarationNode::moduleSpecifier): Deleted.
3805         (JSC::ExportNamedDeclarationNode::moduleSpecifier): Deleted.
3806         * parser/NodesAnalyzeModule.cpp:
3807         (JSC::SourceElements::analyzeModule):
3808         (JSC::ImportDeclarationNode::analyzeModule):
3809         (JSC::ExportAllDeclarationNode::analyzeModule):
3810         (JSC::ExportNamedDeclarationNode::analyzeModule):
3811         * parser/Parser.cpp:
3812         (JSC::Parser<LexerType>::Parser):
3813         (JSC::Parser<LexerType>::parseInner):
3814         (JSC::Parser<LexerType>::parseModuleSourceElements):
3815         (JSC::Parser<LexerType>::parseFunctionBody):
3816         (JSC::stringForFunctionMode):
3817         (JSC::Parser<LexerType>::parseFunctionParameters):
3818         (JSC::Parser<LexerType>::parseFunctionInfo):
3819         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3820         (JSC::Parser<LexerType>::parseClass):
3821         (JSC::Parser<LexerType>::parseModuleName):
3822         (JSC::Parser<LexerType>::parseImportDeclaration):
3823         (JSC::Parser<LexerType>::parseExportDeclaration):
3824         (JSC::Parser<LexerType>::parsePropertyMethod):
3825         (JSC::Parser<LexerType>::parseGetterSetter):
3826         (JSC::Parser<LexerType>::parsePrimaryExpression):
3827         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
3828         (JSC::Parser<LexerType>::parseModuleSpecifier): Deleted.
3829         * parser/Parser.h:
3830         (JSC::Parser<LexerType>::parse):
3831         (JSC::parse):
3832         * parser/ParserModes.h:
3833         (JSC::isFunctionParseMode):
3834         (JSC::isModuleParseMode):
3835         (JSC::isProgramParseMode):
3836         * parser/SyntaxChecker.h:
3837         (JSC::SyntaxChecker::createFunctionMetadata):
3838         (JSC::SyntaxChecker::createModuleName):
3839         (JSC::SyntaxChecker::createImportDeclaration):
3840         (JSC::SyntaxChecker::createExportAllDeclaration):
3841         (JSC::SyntaxChecker::createExportNamedDeclaration):
3842         (JSC::SyntaxChecker::createModuleSpecifier): Deleted.
3843         * runtime/CodeCache.cpp:
3844         (JSC::CodeCache::getGlobalCodeBlock):
3845         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3846         * runtime/Completion.cpp:
3847         (JSC::checkSyntax):
3848         (JSC::checkModuleSyntax):
3849         * runtime/Executable.cpp:
3850         (JSC::ProgramExecutable::checkSyntax):
3851         * tests/stress/modules-syntax-error-with-names.js:
3852
3853 2015-08-13  Joseph Pecoraro  <pecoraro@apple.com>
3854
3855         Web Inspector: A {Map, WeakMap, Set, WeakSet} object contains itself will hang the console
3856         https://bugs.webkit.org/show_bug.cgi?id=147966
3857
3858         Reviewed by Timothy Hatcher.
3859
3860         * inspector/InjectedScriptSource.js:
3861         (InjectedScript.prototype._initialPreview):
3862         Renamed to initial preview. This is not a complete preview for
3863         this object, and it needs some processing in order to be a
3864         complete accurate preview.
3865
3866         (InjectedScript.RemoteObject.prototype._emptyPreview):
3867         This attempts to be an accurate empty preview for the given object.
3868         For types with entries, it adds an empty entries list and updates
3869         the overflow and lossless properties.
3870
3871         (InjectedScript.RemoteObject.prototype._createObjectPreviewForValue):
3872         Take a generatePreview parameter to generate a full preview or empty preview.
3873
3874         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
3875         (InjectedScript.RemoteObject.prototype._appendEntryPreviews):
3876         (InjectedScript.RemoteObject.prototype._isPreviewableObject):
3877         Take care to avoid cycles.
3878
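The hang in the entry above is the classic unbounded-recursion failure of a previewer: a Map or Set that contains itself is a legal value, so the preview logic must stop when it meets an object already on the current path, and must record that it did so (the preview is then not lossless). The following is an added example, not WebKit's InjectedScriptSource.js; the depth and entry limits, the `previewValue`/`entriesOf` helpers and the output shape are constructed for it, borrowing only the `overflow`/`lossless` vocabulary from the entry.

```javascript
// Added example, not WebKit's InjectedScriptSource.js: a bounded, cycle-safe
// preview builder of the kind a console needs. A Map or Set that contains itself
// must be handled by treating "object already on the current path" as a stop
// condition instead of recursing into it. Limits are constructed for the example;
// `lossless` is true only if nothing was truncated or cut short.

const MAX_DEPTH = 2;     // assumed limit for the example
const MAX_ENTRIES = 4;   // assumed limit for the example

function describeObject(value) {
    return value && value.constructor ? value.constructor.name : "Object";
}

// Enumerate entries as [key, value] pairs. Weak collections are not enumerable
// from script, so they get a description only and are never lossless.
function entriesOf(value) {
    if (value instanceof Map) return [...value.entries()];
    if (value instanceof Set) return [...value].map((v, i) => [i, v]);
    if (value instanceof WeakMap || value instanceof WeakSet) return null;
    return Object.entries(value);
}

function previewValue(value, depth = 0, onPath = new Set()) {
    if (value === null || typeof value !== "object")
        return { type: value === null ? "null" : typeof value, value: String(value) };
    if (onPath.has(value))   // the value contains itself, directly or through other entries
        return { type: "object", description: describeObject(value), cycle: true, lossless: false };

    const preview = { type: "object", description: describeObject(value), entries: [], overflow: false, lossless: true };
    const entries = entriesOf(value);
    if (entries === null || depth >= MAX_DEPTH) {
        delete preview.entries;   // description only: an empty, explicitly lossy preview
        preview.lossless = false;
        return preview;
    }

    onPath.add(value);
    try {
        for (const [k, v] of entries) {
            if (preview.entries.length === MAX_ENTRIES) {
                preview.overflow = true;
                preview.lossless = false;
                break;
            }
            const key = previewValue(k, depth + 1, onPath);
            const val = previewValue(v, depth + 1, onPath);
            if (key.lossless === false || val.lossless === false) preview.lossless = false;
            preview.entries.push({ key, value: val });
        }
    } finally {
        onPath.delete(value);   // path-based: a shared but non-cyclic object may appear twice
    }
    return preview;
}

// Constructed input: a Map that contains itself.
const selfMap = new Map();
selfMap.set("self", selfMap);
console.log(JSON.stringify(previewValue(selfMap)));
```

Tracking the path (and removing the object on the way back out) rather than a global "seen" set is the deliberate choice: it distinguishes a genuine cycle from an object that merely appears twice in a tree, while the depth and entry caps keep the work bounded even for huge collections.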
3879 2015-08-13  Geoffrey Garen  <ggaren@apple.com>
3880
3881         Periodic code deletion should delete RegExp code
3882         https://bugs.webkit.org/show_bug.cgi?id=147990