4bb4ca5f8444f1071ed9fbd3f43b03b412790c60
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         Avoid 2 times name iteration in Object.assign
4         https://bugs.webkit.org/show_bug.cgi?id=147268
5
6         Reviewed by Geoffrey Garen.
7
8         Object.assign calls Object.getOwnPropertyNames & Object.getOwnPropertySymbols to collect all the names.
9         But exposing the private API that collects both at the same time makes the API efficient when the given Object has so many non-indexed properties.
10         Since Object.assign is so generic API (some form of utility API), the form of the given Object is not expected.
11         So the taken object may have so many non-indexed properties.
12
13         In this patch, we introduce `ownEnumerablePropertyKeys` private function.
14         It is minor changed version of `[[OwnPropertyKeys]]` in the ES6 spec;
15         It only includes enumerable properties.
16
17         By filtering out the non-enumerable properties in the exposed private function,
18         we avoid calling @objectGetOwnPropertyDescriptor for each property at the same time.
19
20         * builtins/ObjectConstructor.js:
21         (assign):
22         * runtime/CommonIdentifiers.h:
23         * runtime/EnumerationMode.h:
24         * runtime/JSGlobalObject.cpp:
25         (JSC::JSGlobalObject::init):
26         * runtime/ObjectConstructor.cpp:
27         (JSC::ownEnumerablePropertyKeys):
28         * runtime/ObjectConstructor.h:
29         * tests/stress/object-assign-enumerable.js: Added.
30         (shouldBe):
31         * tests/stress/object-assign-order.js: Added.
32         (shouldBe):
33
34 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
35
36         Remove runtime flags for symbols
37         https://bugs.webkit.org/show_bug.cgi?id=147246
38
39         Reviewed by Alex Christensen.
40
41         * runtime/ArrayPrototype.cpp:
42         (JSC::ArrayPrototype::finishCreation):
43         * runtime/JSGlobalObject.cpp:
44         (JSC::JSGlobalObject::init): Deleted.
45         * runtime/JSGlobalObject.h:
46         * runtime/ObjectConstructor.cpp:
47         (JSC::ObjectConstructor::finishCreation):
48         * runtime/RuntimeFlags.h:
49
50 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
51
52         Object.getOwnPropertySymbols on large list takes very long
53         https://bugs.webkit.org/show_bug.cgi?id=146137
54
55         Reviewed by Mark Lam.
56
57         Before this patch, Object.getOwnPropertySymbols collects all the names including strings.
58         And after it's done, filter the names to only retrieve the symbols.
59         But it's so time consuming if the given object is a large non-holed array since it has
60         many indexed properties and all the indexes have to be converted to uniqued_strings and
61         added to the collection of property names (though they may not be of the requested type
62         and will be filtered out later)
63
64         This patch introduces PropertyNameMode.
65         We leverage this mode in 2 places.
66
67         1. PropertyNameArray side
68         It is set in PropertyNameArray and it filters the incoming added identifiers based on the mode.
69         It ensures that PropertyNameArray doesn't become so large in the pathological case.
70         And it ensures that non-expected typed keys by the filter (Symbols or Strings) are never added
71         to the property name array collections.
72         However it does not solve the whole problem because the huge array still incurs the many
73         "indexed property to uniqued string" conversion and the large iteration before adding the keys
74         to the property name array.
75
76         2. getOwnPropertyNames side
77         So we can use the PropertyNameMode in the caller side (getOwnPropertyNames) as a **hint**.
78         When the large iteration may occur, the caller side can use the PropertyNameMode as a hint to
79         avoid the iteration.
80         But we cannot exclusively rely on these caller side checks because it would require that we
81         exhaustively add the checks to all custom implementations of getOwnPropertyNames as well.
82         This process requires manual inspection of many pieces of code, and is error prone. Instead,
83         we only apply the caller side check in a few strategic places where it is known to yield
84         performance benefits; and we rely on the filter in PropertyNameArray::add() to reject the wrong
85         types of properties for all other calls to PropertyNameArray::add().
86
87         In this patch, there's a concept in use that is not clear just from reading the code, and hence
88         should be documented here. When selecting the PropertyNameMode for the PropertyNameArray to be
89         instantiated, we apply the following logic:
90
91         1. Only JavaScriptCore code is aware of ES6 Symbols.
92         We can assume that pre-existing external code that interfaces JSC are only looking for string named properties. This includes:
93             a. WebCore bindings
94             b. Serializer bindings
95             c. NPAPI bindings
96             d. Objective C bindings
97         2. In JSC, code that compute object storage space needs to iterate both Symbol and String named properties. Hence, use PropertyNameMode::Both.
98         3. In JSC, ES6 APIs that work with Symbols should use PropertyNameMode::Symbols.
99         4. In JSC, ES6 APIs that work with String named properties should use PropertyNameMode::Strings.
100
101         * API/JSObjectRef.cpp:
102         (JSObjectCopyPropertyNames):
103         * bindings/ScriptValue.cpp:
104         (Deprecated::jsToInspectorValue):
105         * bytecode/ObjectAllocationProfile.h:
106         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
107         * runtime/EnumerationMode.h:
108         (JSC::EnumerationMode::EnumerationMode):
109         (JSC::EnumerationMode::includeSymbolProperties): Deleted.
110         * runtime/GenericArgumentsInlines.h:
111         (JSC::GenericArguments<Type>::getOwnPropertyNames):
112         * runtime/JSGenericTypedArrayViewInlines.h:
113         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
114         * runtime/JSLexicalEnvironment.cpp:
115         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
116         * runtime/JSONObject.cpp:
117         (JSC::Stringifier::Stringifier):
118         (JSC::Stringifier::Holder::appendNextProperty):
119         (JSC::Walker::walk):
120         * runtime/JSObject.cpp:
121         (JSC::JSObject::getOwnPropertyNames):
122         * runtime/JSPropertyNameEnumerator.cpp:
123         (JSC::JSPropertyNameEnumerator::create):
124         * runtime/JSPropertyNameEnumerator.h:
125         (JSC::propertyNameEnumerator):
126         * runtime/JSSymbolTableObject.cpp:
127         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
128         * runtime/ObjectConstructor.cpp:
129         (JSC::objectConstructorGetOwnPropertyNames):
130         (JSC::objectConstructorGetOwnPropertySymbols):
131         (JSC::objectConstructorKeys):
132         (JSC::defineProperties):
133         (JSC::objectConstructorSeal):
134         (JSC::objectConstructorFreeze):
135         (JSC::objectConstructorIsSealed):
136         (JSC::objectConstructorIsFrozen):
137         * runtime/PropertyNameArray.h:
138         (JSC::PropertyNameArray::PropertyNameArray):
139         (JSC::PropertyNameArray::mode):
140         (JSC::PropertyNameArray::addKnownUnique):
141         (JSC::PropertyNameArray::add):
142         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
143         (JSC::PropertyNameArray::includeSymbolProperties):
144         (JSC::PropertyNameArray::includeStringProperties):
145         * runtime/StringObject.cpp:
146         (JSC::StringObject::getOwnPropertyNames):
147         * runtime/Structure.cpp:
148         (JSC::Structure::getPropertyNamesFromStructure):
149
150 2015-07-24  Saam barati  <saambarati1@gmail.com>
151
152         [ES6] Add support for default parameters
153         https://bugs.webkit.org/show_bug.cgi?id=38409
154
155         Reviewed by Filip Pizlo.
156
157         This patch implements ES6 default parameters according to the ES6
158         specification. This patch builds off the components introduced with 
159         "let" scoping and parsing function parameters in the same parser
160         arena as the function itself. "let" scoping allows functions with default 
161         parameter values to place their parameters under the TDZ. Parsing function
162         parameters in the same parser arena allows the FunctionParameters AST node
163         refer to ExpressionNodes.
164
165         The most subtle part of this patch is how we allocate lexical environments
166         when functions have default parameter values. If a function has default
167         parameter values then there must be a separate lexical environment for
168         its parameters. Then, the function's "var" lexical environment must have
169         the parameter lexical environment as its parent. The BytecodeGenerator
170         takes great care to not allocate the "var" lexical environment before its
171         really needed.
172
173         The "arguments" object for a function with default parameters will never be 
174         a mapped arugments object. It will always be a cloned arugments object.
175
176         * bytecompiler/BytecodeGenerator.cpp:
177         (JSC::BytecodeGenerator::generate):
178         (JSC::BytecodeGenerator::BytecodeGenerator):
179         (JSC::BytecodeGenerator::~BytecodeGenerator):
180         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
181         (JSC::BytecodeGenerator::initializeNextParameter):
182         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
183         (JSC::BytecodeGenerator::visibleNameForParameter):
184         (JSC::BytecodeGenerator::emitLoadGlobalObject):
185         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
186         (JSC::BytecodeGenerator::pushLexicalScope):
187         (JSC::BytecodeGenerator::popLexicalScope):
188         * bytecompiler/BytecodeGenerator.h:
189         (JSC::BytecodeGenerator::lastOpcodeID):
190         * bytecompiler/NodesCodegen.cpp:
191         (JSC::FunctionNode::emitBytecode):
192         * jit/JITOperations.cpp:
193         * parser/ASTBuilder.h:
194         (JSC::ASTBuilder::createElementList):
195         (JSC::ASTBuilder::createFormalParameterList):
196         (JSC::ASTBuilder::appendParameter):
197         (JSC::ASTBuilder::createClause):
198         (JSC::ASTBuilder::createClauseList):
199         * parser/Nodes.h:
200         (JSC::FunctionParameters::size):
201         (JSC::FunctionParameters::at):
202         (JSC::FunctionParameters::hasDefaultParameterValues):
203         (JSC::FunctionParameters::append):
204         * parser/Parser.cpp:
205         (JSC::Parser<LexerType>::parseVariableDeclarationList):
206         (JSC::Parser<LexerType>::createBindingPattern):
207         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
208         (JSC::Parser<LexerType>::parseDestructuringPattern):
209         (JSC::Parser<LexerType>::parseFormalParameters):
210         (JSC::Parser<LexerType>::parseFunctionParameters):
211         * parser/Parser.h:
212         (JSC::Scope::declareParameter):
213         * parser/SyntaxChecker.h:
214         (JSC::SyntaxChecker::createElementList):
215         (JSC::SyntaxChecker::createFormalParameterList):
216         (JSC::SyntaxChecker::appendParameter):
217         (JSC::SyntaxChecker::createClause):
218         (JSC::SyntaxChecker::createClauseList):
219         * tests/stress/es6-default-parameters.js: Added.
220         (assert):
221         (shouldThrow):
222         (shouldThrowSyntaxError):
223         (shouldThrowTDZ):
224         (basic):
225         (basicFunctionCaptureInDefault.basicFunctionCaptureInDefault.basicCaptured):
226         (basicCaptured.basicCaptured.tricky):
227         (strict):
228         (playground):
229         (scoping):
230         (augmentsArguments1):
231         (augmentsArguments2):
232         (augmentsArguments3):
233         (augmentsArguments4):
234         (augmentsArguments5):
235
236 2015-07-24  Xabier Rodriguez Calvar  <calvaris@igalia.com>
237
238         Remove JS Promise constructor unused piece of code
239         https://bugs.webkit.org/show_bug.cgi?id=147262
240
241         Reviewed by Geoffrey Garen.
242
243         * runtime/JSPromiseConstructor.cpp:
244         (JSC::constructPromise): Deleted.
245         * runtime/JSPromiseConstructor.h: Removed JSC::constructPromise.
246
247 2015-07-24  Mark Lam  <mark.lam@apple.com>
248
249         Add WASM files to vcxproj files.
250         https://bugs.webkit.org/show_bug.cgi?id=147264
251
252         Reviewed by Geoffrey Garen.
253
254         This is a follow up to http://trac.webkit.org/changeset/187254 where WASM files
255         were introduced but were not able to be added to the vcxproj files yet.
256
257         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
258         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
259
260 2015-07-23  Filip Pizlo  <fpizlo@apple.com>
261
262         DFG::safeToExecute() is wrong for MultiGetByOffset, doesn't consider the structures of the prototypes that get loaded from
263         https://bugs.webkit.org/show_bug.cgi?id=147250
264
265         Reviewed by Geoffrey Garen.
266         
267         This fixes a nasty - but currently benign - bug in DFG::safeToExecute(). That function
268         will tell you if hoisting a node to some point is safe in the sense that the node will
269         not crash the VM if it executes at that point. A node may be unsafe to execute if we
270         cannot prove that at that point, the memory it is loading is not garbage. This is a
271         necessarily loose notion - for example it's OK to hoist a load if we haven't proved
272         that the load makes semantic sense at that point, since anyway the place where the node
273         did get used will still be guarded by any such semantic checks. But because we may also
274         hoist uses of the load, we need to make sure that it doesn't produce a garbage value.
275         Also, we need to ensure that the load won't trap. Hence safeToExecute() returns true
276         anytime we can be sure that a node will not produce a garbage result (i.e. a malformed
277         JSValue or object pointer) and will not trap when executed at the point in question.
278         
279         The bug is that this verification isn't performed for the loads from prototypes inside
280         MultiGetByOffset. DFG::ByteCodeParser will guard MultiGetByOffset with CheckStructure's
281         on the prototypes. So, hypothetically, you might end up hoisting a MultiGetByOffset
282         above those structure checks, which would mean that we might load a value from a memory
283         location without knowing that the location is valid. It might then return the value
284         loaded.
285         
286         This never happens in practice. Those structure checks are more hoistable that the
287         MultiGetByOffset, since they read a strict subset of the MultiGetByOffset's abstract
288         heap reads. Also, we hoist in program order. So, those CheckStructure's will always be
289         hoisted before the MultiGetByOffset gets hoisted.
290         
291         But we should fix this anyway. DFG::safeToExecute() has a clear definition of what a
292         "true" return means for IR transformations, and it fails in satisfying that definition
293         for MultiGetByOffset.
294         
295         There are various approaches we can use for making this safe. I considered two:
296         
297         1) Have MultiGetByOffset refer to the prototypes it is loading from in IR, so that we
298            can check if it's safe to load from them.
299         
300         2) Turn off MultiGetByOffset hoisting when it will emit loads from prototypes, and the
301            prototype structure isn't being watched.
302         
303         I ended up using (2), because it will be the most natural solution once I finish
304         https://bugs.webkit.org/show_bug.cgi?id=146929. Already now, it's somewhat more natural
305         than (1) since that requires more extensive IR changes. Also, (2) will give us what we
306         want in *most* cases: we will usually watch the prototype structure, and we will
307         usually constant-fold loads from prototypes. Both of these usually-true things would
308         have to become false for MultiGetByOffset hoisting to be disabled by this change.
309         
310         This change also adds my attempt at a test, though it's not really a test of this bug.
311         This bug is currently benign. But, the test does at least trigger the logic to run,
312         which is better than nothing.
313
314         * dfg/DFGSafeToExecute.h:
315         (JSC::DFG::safeToExecute):
316         * tests/stress/multi-get-by-offset-hoist-around-structure-check.js: Added.
317         (foo):
318
319 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
320
321         Implement WebAssembly modules
322         https://bugs.webkit.org/show_bug.cgi?id=147222
323
324         Reviewed by Filip Pizlo.
325
326         Make JSWASMModule inherit from JSDestructibleObject so that the destructor is called.
327
328         * wasm/JSWASMModule.h:
329
330 2015-07-23  Alex Christensen  <achristensen@webkit.org>
331
332         Remove compile and runtime flags for promises.
333         https://bugs.webkit.org/show_bug.cgi?id=147244
334
335         Reviewed by Yusuke Suzuki.
336
337         * API/JSCallbackObjectFunctions.h:
338         (JSC::JSCallbackObject<Parent>::JSCallbackObject):
339         * API/JSContextRef.cpp:
340         (JSGlobalContextCreateInGroup):
341         * Configurations/FeatureDefines.xcconfig:
342         * inspector/JSInjectedScriptHost.cpp:
343         (Inspector::JSInjectedScriptHost::getInternalProperties):
344         * runtime/JSGlobalObject.cpp:
345         (JSC::JSGlobalObject::init):
346         (JSC::JSGlobalObject::visitChildren):
347         * runtime/JSGlobalObject.h:
348         (JSC::JSGlobalObject::create):
349         (JSC::JSGlobalObject::syntaxErrorConstructor):
350         (JSC::JSGlobalObject::typeErrorConstructor):
351         (JSC::JSGlobalObject::URIErrorConstructor):
352         (JSC::JSGlobalObject::promiseConstructor):
353         (JSC::JSGlobalObject::nullGetterFunction):
354         (JSC::JSGlobalObject::nullSetterFunction):
355         (JSC::JSGlobalObject::applyFunction):
356         (JSC::JSGlobalObject::definePropertyFunction):
357         (JSC::JSGlobalObject::arrayProtoValuesFunction):
358         (JSC::JSGlobalObject::initializePromiseFunction):
359         (JSC::JSGlobalObject::newPromiseDeferredFunction):
360         (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
361         (JSC::JSGlobalObject::regExpPrototype):
362         (JSC::JSGlobalObject::errorPrototype):
363         (JSC::JSGlobalObject::iteratorPrototype):
364         (JSC::JSGlobalObject::promisePrototype):
365         (JSC::JSGlobalObject::debuggerScopeStructure):
366         (JSC::JSGlobalObject::withScopeStructure):
367         (JSC::JSGlobalObject::iteratorResultStructure):
368         (JSC::JSGlobalObject::iteratorResultStructureOffset):
369         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
370         (JSC::JSGlobalObject::promiseStructure):
371         * runtime/JSPromise.cpp:
372         (JSC::JSPromise::result):
373         * runtime/JSPromise.h:
374         * runtime/JSPromiseConstructor.cpp:
375         (JSC::constructPromise):
376         * runtime/JSPromiseConstructor.h:
377         * runtime/JSPromiseDeferred.cpp:
378         (JSC::JSPromiseDeferred::visitChildren):
379         * runtime/JSPromiseDeferred.h:
380         * runtime/JSPromisePrototype.cpp:
381         (JSC::JSPromisePrototype::getOwnPropertySlot):
382         * runtime/JSPromisePrototype.h:
383         * runtime/RuntimeFlags.h:
384         * runtime/VM.cpp:
385         (JSC::VM::VM):
386         * runtime/VM.h:
387
388 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
389
390         Implement WebAssembly modules
391         https://bugs.webkit.org/show_bug.cgi?id=147222
392
393         Reviewed by Mark Lam.
394
395         Introducing the boilerplate data structure for the WebAssembly module.
396         WebAssembly functionality will be added in a subsequent patch.
397
398         * CMakeLists.txt:
399         * JavaScriptCore.xcodeproj/project.pbxproj:
400         * wasm/JSWASMModule.cpp: Added.
401         (JSC::JSWASMModule::visitChildren):
402         * wasm/JSWASMModule.h: Added.
403         (JSC::JSWASMModule::create):
404         (JSC::JSWASMModule::createStructure):
405         (JSC::JSWASMModule::JSWASMModule):
406
407 2015-07-23  Devin Rousso  <drousso@apple.com>
408
409         Web Inspector: Add a function to CSSCompletions to get a list of supported system fonts
410         https://bugs.webkit.org/show_bug.cgi?id=147009
411
412         Reviewed by Joseph Pecoraro.
413
414         * inspector/protocol/CSS.json: Added getSupportedSystemFontFamilyNames function.
415
416 2015-07-22  Sukolsak Sakshuwong  <sukolsak@gmail.com>
417
418         Add ENABLE_WEBASSEMBLY feature flag for WebAssembly
419         https://bugs.webkit.org/show_bug.cgi?id=147212
420
421         Reviewed by Filip Pizlo.
422
423         * Configurations/FeatureDefines.xcconfig:
424
425 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
426
427         Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time
428         https://bugs.webkit.org/show_bug.cgi?id=147218
429
430         Reviewed by Sam Weinig.
431         
432         I want to be able to take a UniquedStringImpl* and turn it into an identifierNumber at
433         various points in my work on https://bugs.webkit.org/show_bug.cgi?id=146929. Currently,
434         most Nodes that deal with identifiers use identifierNumbers and you can only create an
435         identifierNumber in BytecodeGenerator. DFG::ByteCodeParser does sort of have the
436         ability to create new identifierNumbers when inlining - it takes the inlined code's
437         identifiers and either gives them new numbers or reuses numbers from the enclosing
438         code.
439         
440         This patch takes that basic functionality and puts it in
441         DFG::DesiredIdentifiers::ensure(). Anyone can call this at any time to turn a
442         UniquedStringImpl* into an identifierNumber. This data structure is already used by
443         Plan to properly install any newly created identifier table entries into the CodeBlock.
444
445         * dfg/DFGByteCodeParser.cpp:
446         (JSC::DFG::ByteCodeParser::ByteCodeParser):
447         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
448         (JSC::DFG::ByteCodeParser::linkBlocks):
449         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
450         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): Deleted.
451         * dfg/DFGDesiredIdentifiers.cpp:
452         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
453         (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
454         (JSC::DFG::DesiredIdentifiers::ensure):
455         (JSC::DFG::DesiredIdentifiers::at):
456         (JSC::DFG::DesiredIdentifiers::addLazily): Deleted.
457         * dfg/DFGDesiredIdentifiers.h:
458
459 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
460
461         Simplify things like CompareEq(@x,@x)
462         https://bugs.webkit.org/show_bug.cgi?id=145850
463
464         Reviewed by Sam Weinig.
465         
466         This simplifies x==x to true, except in cases where x might be a double (in which case this
467         might still be false if x is NaN).
468
469         * dfg/DFGAbstractInterpreterInlines.h:
470         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
471         * tests/stress/nan-equal-untyped.js: Added.
472         (foo):
473         (test):
474         * tests/stress/nan-equal.js: Added.
475         (foo):
476
477 2015-07-22  Joseph Pecoraro  <pecoraro@apple.com>
478
479         Web Inspector: Timeline should immediately start moving play head when starting a new recording
480         https://bugs.webkit.org/show_bug.cgi?id=147210
481
482         Reviewed by Timothy Hatcher.
483
484         * inspector/protocol/Timeline.json:
485         Add timestamps to recordingStarted and recordingStopped events.
486
487 2015-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
488
489         Introducing construct ability into JS executables
490         https://bugs.webkit.org/show_bug.cgi?id=147183
491
492         Reviewed by Geoffrey Garen.
493
494         Decouple the construct ability from the builtin functions.
495         Currently, all builtin functions are not constructors after r182995.
496         In that patch, when the given function is builtin JS function, we recognize it as the non-constructor function.
497
498         But, we need to relax it to implement some constructors in builtins JS.
499         By decoupling the construct ability from whether the function is builtin or not, we can provide
500
501         1. constructors written in builtin JS
502         2. non-constructors in normal JS functions
503
504         (1) is needed for Promise constructor.
505         And (2) is needed for method functions and arrow functions.
506
507         This patch introduces ConstructAbility into the unlinked function executables.
508         It holds whether the given JS function has the construct ability or not.
509         By leveraging this, this patch disables the construct ability of the method definitions, setters, getters and arrow functions.
510
511         And at the same time, this patch introduces the annotation for constructor in builtin JS.
512         We can define the function as follows,
513
514             constructor Promise(executor)
515             {
516                 ...
517             }
518
519         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
520         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
521         * JavaScriptCore.xcodeproj/project.pbxproj:
522         * builtins/BuiltinExecutables.cpp:
523         (JSC::BuiltinExecutables::createDefaultConstructor):
524         (JSC::BuiltinExecutables::createExecutableInternal):
525         * builtins/BuiltinExecutables.h:
526         * builtins/Iterator.prototype.js:
527         (symbolIterator):
528         (SymbolIterator): Deleted.
529         * bytecode/UnlinkedCodeBlock.cpp:
530         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
531         * bytecode/UnlinkedCodeBlock.h:
532         * bytecompiler/BytecodeGenerator.h:
533         (JSC::BytecodeGenerator::makeFunction):
534         * generate-js-builtins:
535         (getCopyright):
536         (Function):
537         (Function.__init__):
538         (Function.mangleName):
539         (getFunctions):
540         (mangleName): Deleted.
541         * jit/JITOperations.cpp:
542         * llint/LLIntSlowPaths.cpp:
543         (JSC::LLInt::setUpCall):
544         * parser/Parser.cpp:
545         (JSC::Parser<LexerType>::parseClass):
546         * runtime/CodeCache.cpp:
547         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
548         * runtime/CommonIdentifiers.h:
549         * runtime/ConstructAbility.h: Copied from Source/JavaScriptCore/builtins/Iterator.prototype.js.
550         * runtime/Executable.h:
551         * runtime/JSFunction.cpp:
552         (JSC::JSFunction::getConstructData):
553         * runtime/JSGlobalObject.cpp:
554         (JSC::JSGlobalObject::init):
555         * tests/stress/non-constructors.js: Added.
556         (shouldThrow):
557         (.prototype.method):
558         (.prototype.get getter):
559         (.prototype.set setter):
560         (.method):
561         (.get shouldThrow):
562         (.set shouldThrow):
563         (set var.test.get getter):
564         (set var.test.set setter):
565         (set var.test.normal):
566         (.set var):
567         (.set new):
568
569 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
570
571         [JSC] Enable exception fuzzing for GCC too
572         https://bugs.webkit.org/show_bug.cgi?id=146831
573
574         Reviewed by Darin Adler.
575
576         * jit/JITOperations.cpp:
577
578 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
579
580         Fixed pool allocation should always be aligned
581         https://bugs.webkit.org/show_bug.cgi?id=147201
582
583         Reviewed by Simon Fraser.
584         
585         Passing an unaligned size to the allocator can cause asserts or even worse things. The
586         Options reservation value isn't going to be aligned.
587
588         * jit/ExecutableAllocatorFixedVMPool.cpp:
589         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
590
591 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
592
593         Enable STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE for GCC
594         https://bugs.webkit.org/show_bug.cgi?id=146829
595
596         Reviewed by Brent Fulgham.
597
598         * heap/GCAssertions.h:
599
600 2015-07-22  Alex Christensen  <achristensen@webkit.org>
601
602         Fix quirks in CMake build on Mac and Windows
603         https://bugs.webkit.org/show_bug.cgi?id=147174
604
605         Reviewed by Gyuyoung Kim.
606
607         * PlatformMac.cmake:
608         Add JSRemoteInspector.cpp and remove semicolon from command to make it actually run.
609
610 2015-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
611
612         Add newTarget accessor to JS constructor written in C++
613         https://bugs.webkit.org/show_bug.cgi?id=147160
614
615         Reviewed by Geoffrey Garen.
616
617         This patch adds `ExecState#newTarget()` which returns `new.target` defined in ECMA262 6th.
618         It enables some C++ constructors (like Intl.XXX constructors) to leverage this to complete
619         its implementation.
620
621         When the constructor is called, |this| in the arguments is used for storing new.target instead.
622         So by adding the accessor for |this|, JS constructor written in C++ can access new.target.
623
624         And at the same time, this patch extends the existing `construct` to accept new.target value.
625         It is corresponding to the spec's Construct abstract operation.
626
627         * interpreter/CallFrame.h:
628         (JSC::ExecState::newTarget):
629         * interpreter/Interpreter.cpp:
630         (JSC::Interpreter::executeConstruct):
631         * interpreter/Interpreter.h:
632         * runtime/ConstructData.cpp:
633         (JSC::construct):
634         * runtime/ConstructData.h:
635         (JSC::construct):
636
637 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
638
639         Unreviewed, fix a lot of tests. Need to initialize WTF threading sooner.
640
641         * jsc.cpp:
642         (main):
643
644 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
645
646         Fixed VM pool allocation should have a reserve for allocations that cannot fail
647         https://bugs.webkit.org/show_bug.cgi?id=147154
648         rdar://problem/21847618
649
650         Reviewed by Geoffrey Garen.
651         
652         This adds the notion of a JIT pool reserve fraction. Some fraction, currently 1/4, of
653         the JIT pool is reserved for allocations that cannot fail. It makes sense to make this
654         a fraction rather than a constant because each allocation that can fail may cause some
655         number of allocations that cannot fail (for example, the OSR exit thunks that we
656         compile when we exit from some CodeBlock cannot fail).
657         
658         I've tested this by adding a test mode where we artificially limit the JIT pool size.
659         Prior to the fix, we had >20 failures. Now we have none.
660
661         * heap/GCLogging.cpp:
662         (WTF::printInternal): I needed a dump method on Options members when debugging this.
663         * heap/GCLogging.h:
664         * jit/ExecutableAllocator.h: Raise the ARM64 limit to 32MB because 16MB is cutting it too close.
665         * jit/ExecutableAllocatorFixedVMPool.cpp:
666         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Add the ability to artificially limit JIT pool size for testing.
667         (JSC::ExecutableAllocator::memoryPressureMultiplier): Implement the reserve when computing memory pressure for JIT tier-up heuristics.
668         (JSC::ExecutableAllocator::allocate): Implement the reserve when allocating can-fail things.
669         * jsc.cpp: Rewire some options parsing so that CommandLine happens before we create the JIT pool.
670         (main):
671         (CommandLine::parseArguments):
672         (jscmain):
673         * runtime/Options.cpp: 
674         (JSC::OptionRange::dump): I needed a dump method on Options members when debugging this.
675         (JSC::Options::initialize): This can now be called more than once.
676         * runtime/Options.h:
677
678 2015-07-21  Saam barati  <saambarati1@gmail.com>
679
680         ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier"
681         https://bugs.webkit.org/show_bug.cgi?id=147156
682
683         Reviewed by Andreas Kling.
684
685         * parser/Nodes.h:
686
687 2015-07-21  Basile Clement  <basile_clement@apple.com>
688
689         Object allocation sinking phase is performing needless HashMap copies
690         https://bugs.webkit.org/show_bug.cgi?id=147159
691
692         Reviewed by Geoffrey Garen.
693
694         The points-to analyzer in the object allocation sinking phase is
695         currently performing copies of its allocation and pointers tables in
696         several places. While this is not a huge problem since those tables are
697         usually small and we are in the FTL path anyway, we still shouldn't be
698         doing such useless copying.
699
700         This patch also removes the DFGInsertOSRHintsForUpdate files that are
701         no longer needed with the new object sinking phase and should have been
702         removed in r186795.
703
704         * CMakeLists.txt:
705         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
706         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
707         * JavaScriptCore.xcodeproj/project.pbxproj:
708         * dfg/DFGInsertOSRHintsForUpdate.cpp: Removed.
709         (JSC::DFG::insertOSRHintsForUpdate): Deleted.
710         * dfg/DFGInsertOSRHintsForUpdate.h: Removed.
711         * dfg/DFGObjectAllocationSinkingPhase.cpp:
712
713 2015-07-21  Saam barati  <saambarati1@gmail.com>
714
715         DestructuringPatternNode and DestructuringAssignmentNode should be ParserArenaFreeable
716         https://bugs.webkit.org/show_bug.cgi?id=147140
717
718         Reviewed by Geoffrey Garen.
719
720         The descendants of DestructuringPatternNode that need destruction also
721         inherit from ParserArenaDeletable.
722
723         * parser/Nodes.h:
724         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
725         (JSC::ObjectPatternNode::appendEntry):
726         (JSC::DestructuringAssignmentNode::bindings):
727
728 2015-07-21  Keith Miller  <keith_miller@apple.com>
729
730         Add support for the new.target syntax.
731         https://bugs.webkit.org/show_bug.cgi?id=147051
732
733         Reviewed by Yusuke Suzuki.
734
735         Add support for new.target. Essentially the implementation is, before constructor calls,
736         the target of a "new" is placed where "this" noramlly goes in the calling convention.
737         Then in the constructor before object is initialized we move the target of the "new"
738         into a local variable.
739
740         * bytecompiler/BytecodeGenerator.cpp:
741         (JSC::BytecodeGenerator::BytecodeGenerator):
742         * bytecompiler/NodesCodegen.cpp:
743         (JSC::NewTargetNode::emitBytecode):
744         * parser/ASTBuilder.h:
745         (JSC::ASTBuilder::newTargetExpr):
746         * parser/NodeConstructors.h:
747         (JSC::NewTargetNode::NewTargetNode):
748         * parser/Nodes.h:
749         * parser/Parser.cpp:
750         (JSC::Parser<LexerType>::parseMemberExpression):
751         * parser/SyntaxChecker.h:
752         (JSC::SyntaxChecker::newTargetExpr):
753         * runtime/CommonIdentifiers.h:
754         * tests/stress/new-target.js: Added.
755         (test):
756         (call):
757         (Constructor.subCall):
758         (Constructor.SubConstructor):
759         (Constructor):
760         (noAssign):
761         (doWeirdThings):
762         (SuperClass):
763         (SubClass):
764
765 2015-07-20  Saam barati  <saambarati1@gmail.com>
766
767         "let" scoping introduced incoherent story about symbol table cloning
768         https://bugs.webkit.org/show_bug.cgi?id=147046
769
770         Reviewed by Filip Pizlo.
771
772         This patch now establishes a clear set of rules for how SymbolTables
773         are owned by CodeBlock. Every SymbolTable that is used by a bytecode
774         instruction must live in CodeBlock's constant register pool. When CodeBlock
775         is being linked, it ensures that every SymbolTable in the constant pool is cloned. 
776         This leaves no room for an un-cloned symbol table to be used by a bytecode instruction. 
777         Some instructions may refer to SymbolTable's indirectly through a JSLexicalEnvironment. 
778         This is fine, all JSLexicalEnvironment's are allocated with references to cloned symbol tables.
779
780         Another goal of this patch is to remove the notion that a SymbolTable is 1 to 1 
781         with a CodeBlock. With lexical scoping, this view of the world is no longer
782         correct. This patch begins to remove this assumption by making CodeBlock's
783         symbolTable() getter method private. There is still one place where we need
784         to purge our codebase of this assumption and that is the type profiler. It 
785         has not been updated for lexical scoping. After it is updated in 
786         https://bugs.webkit.org/show_bug.cgi?id=145438
787         we will be able to remove CodeBlock's symbolTable() getter entirely.
788
789         * bytecode/CodeBlock.cpp:
790         (JSC::CodeBlock::CodeBlock):
791         (JSC::CodeBlock::nameForRegister):
792         * bytecode/CodeBlock.h:
793         (JSC::CodeBlock::addStringSwitchJumpTable):
794         (JSC::CodeBlock::stringSwitchJumpTable):
795         (JSC::CodeBlock::evalCodeCache):
796         (JSC::CodeBlock::symbolTable):
797         * bytecode/UnlinkedCodeBlock.cpp:
798         (JSC::UnlinkedFunctionExecutable::visitChildren):
799         (JSC::UnlinkedFunctionExecutable::link):
800         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
801         * bytecode/UnlinkedCodeBlock.h:
802         (JSC::UnlinkedCodeBlock::addExceptionHandler):
803         (JSC::UnlinkedCodeBlock::exceptionHandler):
804         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
805         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
806         (JSC::UnlinkedCodeBlock::symbolTable): Deleted.
807         (JSC::UnlinkedCodeBlock::setSymbolTable): Deleted.
808         * bytecompiler/BytecodeGenerator.cpp:
809         (JSC::BytecodeGenerator::generate):
810         (JSC::BytecodeGenerator::BytecodeGenerator):
811         (JSC::BytecodeGenerator::pushLexicalScope):
812         (JSC::BytecodeGenerator::variableForLocalEntry):
813         (JSC::BytecodeGenerator::createVariable):
814         (JSC::BytecodeGenerator::resolveType):
815         (JSC::BytecodeGenerator::emitResolveScope):
816         * bytecompiler/BytecodeGenerator.h:
817         (JSC::BytecodeGenerator::thisRegister):
818         (JSC::BytecodeGenerator::instructions):
819         (JSC::BytecodeGenerator::symbolTable): Deleted.
820         * dfg/DFGGraph.h:
821         (JSC::DFG::Graph::baselineCodeBlockFor):
822         (JSC::DFG::Graph::isStrictModeFor):
823         (JSC::DFG::Graph::symbolTableFor): Deleted.
824         * jit/AssemblyHelpers.h:
825         (JSC::AssemblyHelpers::baselineCodeBlock):
826         (JSC::AssemblyHelpers::argumentsStart):
827         (JSC::AssemblyHelpers::symbolTableFor): Deleted.
828         * runtime/CommonSlowPaths.cpp:
829         (JSC::SLOW_PATH_DECL):
830         * runtime/Executable.cpp:
831         (JSC::FunctionExecutable::visitChildren):
832         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
833         (JSC::FunctionExecutable::symbolTable): Deleted.
834         * runtime/Executable.h:
835
836 2015-07-18  Filip Pizlo  <fpizlo@apple.com>
837
838         REGRESSION(186691): OSR entry is broken on loop headers that have no live variables
839         https://bugs.webkit.org/show_bug.cgi?id=147074
840         rdar://problem/21869970
841
842         Reviewed by Michael Saboff.
843         
844         The OSR entry must-handle block/value widening introduced in r186691 would cause the
845         CFA to reexecute if it caused any live local variables to change value. But this fails
846         if the must-handle block has no live local variables, and the entry block otherwise
847         appears to be unreachable.
848         
849         This fixes the bug by having the change detection include whether the block hadn't been
850         visited in addition to whether any local variable values got widened.
851         
852         This is a ~4% speed-up on SunSpider in browser.
853
854         * dfg/DFGCFAPhase.cpp:
855         (JSC::DFG::CFAPhase::run):
856
857 2015-07-20  Mark Lam  <mark.lam@apple.com>
858
859         Rollout r187020 and r187021: breaks JSC API tests on debug builds.
860         https://bugs.webkit.org/show_bug.cgi?id=147110
861
862         * heap/MachineStackMarker.cpp:
863         (JSC::MachineThreads::addCurrentThread):
864         * runtime/JSLock.cpp:
865         (JSC::JSLockHolder::~JSLockHolder):
866         (JSC::JSLock::JSLock):
867         (JSC::JSLock::willDestroyVM):
868         (JSC::JSLock::setExclusiveThread):
869         (JSC::JSLock::lock):
870         (JSC::JSLock::unlock):
871         (JSC::JSLock::currentThreadIsHoldingLock):
872         (JSC::JSLock::dropAllLocks):
873         * runtime/JSLock.h:
874         (JSC::JSLock::vm):
875         (JSC::JSLock::hasExclusiveThread):
876         (JSC::JSLock::exclusiveThread):
877         * runtime/VM.h:
878         (JSC::VM::hasExclusiveThread):
879         (JSC::VM::exclusiveThread):
880         (JSC::VM::setExclusiveThread):
881
882 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
883
884         Unreviewed debug build fix after r187020.
885
886         * heap/MachineStackMarker.cpp:
887         (JSC::MachineThreads::addCurrentThread):
888         VM::exclusiveThread() has changed return type to ThreadIdentifier.
889
890 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
891
892         JavaScriptCore performance is very bad on Windows
893         https://bugs.webkit.org/show_bug.cgi?id=146448
894
895         Reviewed by Mark Lam.
896
897         Profiling shows that std::this_thread::get_id() is slow on Windows.
898         Use WTF::currentThread() instead, which calls GetCurrentThreadId().
899         This is faster on Windows. The issue has been reported to Microsoft,
900         https://connect.microsoft.com/VisualStudio/feedback/details/1558211.
901
902         * runtime/JSLock.cpp:
903         (JSC::JSLockHolder::~JSLockHolder):
904         (JSC::JSLock::JSLock):
905         (JSC::JSLock::willDestroyVM):
906         (JSC::JSLock::setExclusiveThread):
907         (JSC::JSLock::lock):
908         (JSC::JSLock::unlock):
909         (JSC::JSLock::currentThreadIsHoldingLock):
910         * runtime/JSLock.h:
911         (JSC::JSLock::vm):
912         (JSC::JSLock::hasExclusiveThread):
913         (JSC::JSLock::exclusiveThread):
914         * runtime/VM.h:
915         (JSC::VM::hasExclusiveThread):
916         (JSC::VM::exclusiveThread):
917         (JSC::VM::setExclusiveThread):
918
919 2015-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
920
921         In strict mode, `Object.keys(arguments)` includes "length"
922         https://bugs.webkit.org/show_bug.cgi?id=147071
923
924         Reviewed by Darin Adler.
925
926         ClonedAguments didn't set the "length" with DontEnum.
927
928         * runtime/ClonedArguments.cpp:
929         (JSC::ClonedArguments::createWithInlineFrame):
930         (JSC::ClonedArguments::createByCopyingFrom):
931         * tests/stress/arguments-length-always-dont-enum.js: Added.
932         (shouldBe):
933         (argsSloppy):
934         (argsStrict):
935
936 2015-07-19  Jordan Harband  <ljharb@gmail.com>
937
938         new Date(NaN).toJSON() must return null instead of throwing a TypeError
939         https://bugs.webkit.org/show_bug.cgi?id=141115
940
941         Reviewed by Yusuke Suzuki.
942
943         * runtime/DatePrototype.cpp:
944         (JSC::dateProtoFuncToJSON):
945
946 2015-07-19  Saam barati  <saambarati1@gmail.com>
947
948         Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions
949         https://bugs.webkit.org/show_bug.cgi?id=147090
950
951         Reviewed by Yusuke Suzuki.
952
953         ArrowFunction's have there ParserFunctionInfo "name" field to 
954         be a non-null pointer. This is obviously allowed and valid except we 
955         had a RELEASE_ASSERT that claimed otherwise. This is a mistake. 
956
957         Note: ArrowFunction's will never actually have a function name;
958         there ParserFunctionInfo "name" field will be the empty string. 
959         This is not be mistaken with the name field being a null pointer.
960
961         * parser/Parser.cpp:
962         (JSC::Parser<LexerType>::parseFunctionInfo):
963
964 2015-07-18  Saam barati  <saambarati1@gmail.com>
965
966         [ES6] Add support for block scope const
967         https://bugs.webkit.org/show_bug.cgi?id=31813
968
969         Reviewed by Filip Pizlo.
970
971         'const' is now implemented in an ES6 spec compliant manner.
972         'const' variables are always block scoped and always live
973         either on the stack or in a JSLexicalEnvironment. 'const'
974         variables never live on the global object.
975
976         Inside the BytecodeGenerator, when assigning to a stack
977         'const' variable or a LocalClosureVar 'const' variable,
978         we will emit code that just throws a type error.
979         When assigning to a ClosureVar const variable, CodeBlock linking
980         will ensure that we perform a dynamic lookup of that variable so
981         that put_to_scope's slow path throws a type error.
982
983         The old 'const' implementation has been removed in this patch.
984
985         * bytecode/BytecodeList.json:
986         * bytecode/BytecodeUseDef.h:
987         (JSC::computeUsesForBytecodeOffset):
988         (JSC::computeDefsForBytecodeOffset):
989         * bytecode/CodeBlock.cpp:
990         (JSC::CodeBlock::dumpBytecode):
991         (JSC::CodeBlock::CodeBlock):
992         * bytecompiler/BytecodeGenerator.cpp:
993         (JSC::BytecodeGenerator::BytecodeGenerator):
994         (JSC::BytecodeGenerator::pushLexicalScope):
995         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
996         (JSC::BytecodeGenerator::variable):
997         (JSC::BytecodeGenerator::variableForLocalEntry):
998         (JSC::BytecodeGenerator::createVariable):
999         (JSC::BytecodeGenerator::emitResolveScope):
1000         (JSC::BytecodeGenerator::emitInstanceOf):
1001         (JSC::BytecodeGenerator::emitGetById):
1002         (JSC::BytecodeGenerator::isArgumentNumber):
1003         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1004         (JSC::BytecodeGenerator::emitEnumeration):
1005         (JSC::BytecodeGenerator::variablePerSymbolTable): Deleted.
1006         (JSC::BytecodeGenerator::emitInitGlobalConst): Deleted.
1007         * bytecompiler/BytecodeGenerator.h:
1008         (JSC::Variable::Variable):
1009         (JSC::Variable::isReadOnly):
1010         (JSC::Variable::isSpecial):
1011         (JSC::Variable::isConst):
1012         (JSC::BytecodeGenerator::thisRegister):
1013         (JSC::BytecodeGenerator::emitTypeOf):
1014         (JSC::BytecodeGenerator::emitIn):
1015         * bytecompiler/NodesCodegen.cpp:
1016         (JSC::PostfixNode::emitResolve):
1017         (JSC::PrefixNode::emitResolve):
1018         (JSC::ReadModifyResolveNode::emitBytecode):
1019         (JSC::AssignResolveNode::emitBytecode):
1020         (JSC::CommaNode::emitBytecode):
1021         (JSC::BindingNode::bindValue):
1022         (JSC::ConstDeclNode::emitCodeSingle): Deleted.
1023         (JSC::ConstDeclNode::emitBytecode): Deleted.
1024         (JSC::ConstStatementNode::emitBytecode): Deleted.
1025         * dfg/DFGByteCodeParser.cpp:
1026         (JSC::DFG::ByteCodeParser::parseBlock):
1027         * dfg/DFGCapabilities.cpp:
1028         (JSC::DFG::capabilityLevel):
1029         * jit/JIT.cpp:
1030         (JSC::JIT::privateCompileMainPass):
1031         * jit/JIT.h:
1032         * jit/JITPropertyAccess.cpp:
1033         (JSC::JIT::emit_op_put_to_arguments):
1034         (JSC::JIT::emit_op_init_global_const): Deleted.
1035         * jit/JITPropertyAccess32_64.cpp:
1036         (JSC::JIT::emit_op_put_to_arguments):
1037         (JSC::JIT::emit_op_init_global_const): Deleted.
1038         * llint/LowLevelInterpreter.asm:
1039         * llint/LowLevelInterpreter32_64.asm:
1040         * llint/LowLevelInterpreter64.asm:
1041         * parser/ASTBuilder.h:
1042         (JSC::ASTBuilder::createDeclarationStatement):
1043         (JSC::ASTBuilder::createEmptyVarExpression):
1044         (JSC::ASTBuilder::createDebugger):
1045         (JSC::ASTBuilder::appendStatement):
1046         (JSC::ASTBuilder::createVarStatement): Deleted.
1047         (JSC::ASTBuilder::createLetStatement): Deleted.
1048         (JSC::ASTBuilder::createConstStatement): Deleted.
1049         (JSC::ASTBuilder::appendConstDecl): Deleted.
1050         * parser/NodeConstructors.h:
1051         (JSC::CommaNode::CommaNode):
1052         (JSC::SourceElements::SourceElements):
1053         (JSC::SwitchNode::SwitchNode):
1054         (JSC::BlockNode::BlockNode):
1055         (JSC::ConstStatementNode::ConstStatementNode): Deleted.
1056         (JSC::ConstDeclNode::ConstDeclNode): Deleted.
1057         * parser/Nodes.h:
1058         (JSC::ConstDeclNode::hasInitializer): Deleted.
1059         (JSC::ConstDeclNode::ident): Deleted.
1060         * parser/Parser.cpp:
1061         (JSC::Parser<LexerType>::parseStatementListItem):
1062         (JSC::Parser<LexerType>::parseVariableDeclaration):
1063         (JSC::Parser<LexerType>::parseWhileStatement):
1064         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1065         (JSC::Parser<LexerType>::createBindingPattern):
1066         (JSC::Parser<LexerType>::parseDestructuringPattern):
1067         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
1068         (JSC::Parser<LexerType>::parseForStatement):
1069         (JSC::Parser<LexerType>::parseTryStatement):
1070         (JSC::Parser<LexerType>::parseFunctionInfo):
1071         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1072         (JSC::Parser<LexerType>::parseClass):
1073         (JSC::Parser<LexerType>::parseConstDeclaration): Deleted.
1074         (JSC::Parser<LexerType>::parseConstDeclarationList): Deleted.
1075         * parser/Parser.h:
1076         (JSC::isEvalNode):
1077         (JSC::isEvalNode<EvalNode>):
1078         (JSC::isArguments):
1079         (JSC::isEval):
1080         (JSC::isEvalOrArgumentsIdentifier):
1081         (JSC::Scope::Scope):
1082         (JSC::Scope::declareCallee):
1083         (JSC::Scope::declareVariable):
1084         (JSC::Scope::declareLexicalVariable):
1085         (JSC::Scope::hasDeclaredVariable):
1086         (JSC::Scope::allowsVarDeclarations):
1087         (JSC::Scope::allowsLexicalDeclarations):
1088         (JSC::Scope::declareParameter):
1089         (JSC::Scope::declareBoundParameter):
1090         (JSC::Parser::destructuringKindFromDeclarationType):
1091         (JSC::Parser::assignmentContextFromDeclarationType):
1092         (JSC::Parser::isEvalOrArguments):
1093         (JSC::Parser::currentScope):
1094         (JSC::Parser::popScope):
1095         (JSC::Parser::declareVariable):
1096         (JSC::Parser::hasDeclaredVariable):
1097         (JSC::Parser::setStrictMode):
1098         (JSC::Parser::strictMode):
1099         (JSC::Parser::isValidStrictMode):
1100         (JSC::Parser::declareParameter):
1101         (JSC::Parser::declareBoundParameter):
1102         (JSC::Parser::breakIsValid):
1103         * parser/SyntaxChecker.h:
1104         (JSC::SyntaxChecker::createForInLoop):
1105         (JSC::SyntaxChecker::createForOfLoop):
1106         (JSC::SyntaxChecker::createEmptyStatement):
1107         (JSC::SyntaxChecker::createDeclarationStatement):
1108         (JSC::SyntaxChecker::createReturnStatement):
1109         (JSC::SyntaxChecker::createBreakStatement):
1110         (JSC::SyntaxChecker::createVarStatement): Deleted.
1111         (JSC::SyntaxChecker::createLetStatement): Deleted.
1112         * parser/VariableEnvironment.h:
1113         (JSC::VariableEnvironmentEntry::isCaptured):
1114         (JSC::VariableEnvironmentEntry::isConst):
1115         (JSC::VariableEnvironmentEntry::isVar):
1116         (JSC::VariableEnvironmentEntry::isLet):
1117         (JSC::VariableEnvironmentEntry::setIsCaptured):
1118         (JSC::VariableEnvironmentEntry::setIsConst):
1119         (JSC::VariableEnvironmentEntry::setIsVar):
1120         (JSC::VariableEnvironmentEntry::setIsLet):
1121         (JSC::VariableEnvironmentEntry::isConstant): Deleted.
1122         (JSC::VariableEnvironmentEntry::setIsConstant): Deleted.
1123         * runtime/Executable.cpp:
1124         (JSC::ProgramExecutable::initializeGlobalProperties):
1125         * runtime/JSGlobalObject.cpp:
1126         (JSC::JSGlobalObject::defineOwnProperty):
1127         (JSC::JSGlobalObject::addGlobalVar):
1128         (JSC::JSGlobalObject::addFunction):
1129         (JSC::lastInPrototypeChain):
1130         * runtime/JSGlobalObject.h:
1131         (JSC::JSGlobalObject::finishCreation):
1132         (JSC::JSGlobalObject::addVar):
1133         (JSC::JSGlobalObject::addConst): Deleted.
1134         * runtime/JSLexicalEnvironment.cpp:
1135         (JSC::JSLexicalEnvironment::symbolTablePut):
1136         * tests/stress/const-and-with-statement.js: Added.
1137         (truth):
1138         (assert):
1139         (shouldThrowInvalidConstAssignment):
1140         (.):
1141         * tests/stress/const-exception-handling.js: Added.
1142         (truth):
1143         (assert):
1144         (.):
1145         * tests/stress/const-loop-semantics.js: Added.
1146         (truth):
1147         (assert):
1148         (shouldThrowInvalidConstAssignment):
1149         (.):
1150         * tests/stress/const-not-strict-mode.js: Added.
1151         (truth):
1152         (assert):
1153         (shouldThrowTDZ):
1154         (.):
1155         * tests/stress/const-semantics.js: Added.
1156         (truth):
1157         (assert):
1158         (shouldThrowInvalidConstAssignment):
1159         (.):
1160         * tests/stress/const-tdz.js: Added.
1161         (truth):
1162         (assert):
1163         (shouldThrowTDZ):
1164         (.):
1165
1166 2015-07-18  Saam barati  <saambarati1@gmail.com>
1167
1168         lexical scoping is broken with respect to "break" and "continue"
1169         https://bugs.webkit.org/show_bug.cgi?id=147063
1170
1171         Reviewed by Filip Pizlo.
1172
1173         Bug #142944 which introduced "let" and lexical scoping
1174         didn't properly hook into the bytecode generator's machinery
1175         for calculating scope depth deltas for "break" and "continue". This
1176         resulted in the bytecode generator popping an incorrect number
1177         of scopes when lexical scopes were involved.
1178
1179         This patch fixes this problem and generalizes this machinery a bit.
1180         This patch also renames old functions in a sensible way that is more
1181         coherent in a world with lexical scoping.
1182
1183         * bytecompiler/BytecodeGenerator.cpp:
1184         (JSC::BytecodeGenerator::BytecodeGenerator):
1185         (JSC::BytecodeGenerator::newLabelScope):
1186         (JSC::BytecodeGenerator::emitProfileType):
1187         (JSC::BytecodeGenerator::pushLexicalScope):
1188         (JSC::BytecodeGenerator::popLexicalScope):
1189         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1190         (JSC::BytecodeGenerator::resolveType):
1191         (JSC::BytecodeGenerator::emitResolveScope):
1192         (JSC::BytecodeGenerator::emitGetFromScope):
1193         (JSC::BytecodeGenerator::emitPutToScope):
1194         (JSC::BytecodeGenerator::emitPushWithScope):
1195         (JSC::BytecodeGenerator::emitGetParentScope):
1196         (JSC::BytecodeGenerator::emitPopScope):
1197         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
1198         (JSC::BytecodeGenerator::emitPopScopes):
1199         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
1200         (JSC::BytecodeGenerator::localScopeDepth):
1201         (JSC::BytecodeGenerator::labelScopeDepth):
1202         (JSC::BytecodeGenerator::emitThrowReferenceError):
1203         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1204         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
1205         (JSC::BytecodeGenerator::popScopedControlFlowContext):
1206         (JSC::BytecodeGenerator::emitPushCatchScope):
1207         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
1208         * bytecompiler/BytecodeGenerator.h:
1209         (JSC::BytecodeGenerator::hasFinaliser):
1210         (JSC::BytecodeGenerator::scopeDepth): Deleted.
1211         * bytecompiler/NodesCodegen.cpp:
1212         (JSC::ContinueNode::trivialTarget):
1213         (JSC::BreakNode::trivialTarget):
1214         (JSC::ReturnNode::emitBytecode):
1215         (JSC::WithNode::emitBytecode):
1216         (JSC::TryNode::emitBytecode):
1217         * tests/stress/lexical-scoping-break-continue.js: Added.
1218         (assert):
1219         (.):
1220
1221 2015-07-18  Commit Queue  <commit-queue@webkit.org>
1222
1223         Unreviewed, rolling out r186996.
1224         https://bugs.webkit.org/show_bug.cgi?id=147070
1225
1226         Broke JSC tests (Requested by smfr on #webkit).
1227
1228         Reverted changeset:
1229
1230         "lexical scoping is broken with respect to "break" and
1231         "continue""
1232         https://bugs.webkit.org/show_bug.cgi?id=147063
1233         http://trac.webkit.org/changeset/186996
1234
1235 2015-07-18  Saam barati  <saambarati1@gmail.com>
1236
1237         lexical scoping is broken with respect to "break" and "continue"
1238         https://bugs.webkit.org/show_bug.cgi?id=147063
1239
1240         Reviewed by Filip Pizlo.
1241
1242         Bug #142944 which introduced "let" and lexical scoping
1243         didn't properly hook into the bytecode generator's machinery
1244         for calculating scope depth deltas for "break" and "continue". This
1245         resulted in the bytecode generator popping an incorrect number
1246         of scopes when lexical scopes were involved.
1247
1248         This patch fixes this problem and generalizes this machinery a bit.
1249         This patch also renames old functions in a sensible way that is more
1250         coherent in a world with lexical scoping.
1251
1252         * bytecompiler/BytecodeGenerator.cpp:
1253         (JSC::BytecodeGenerator::BytecodeGenerator):
1254         (JSC::BytecodeGenerator::newLabelScope):
1255         (JSC::BytecodeGenerator::emitProfileType):
1256         (JSC::BytecodeGenerator::pushLexicalScope):
1257         (JSC::BytecodeGenerator::popLexicalScope):
1258         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1259         (JSC::BytecodeGenerator::resolveType):
1260         (JSC::BytecodeGenerator::emitResolveScope):
1261         (JSC::BytecodeGenerator::emitGetFromScope):
1262         (JSC::BytecodeGenerator::emitPutToScope):
1263         (JSC::BytecodeGenerator::emitPushWithScope):
1264         (JSC::BytecodeGenerator::emitGetParentScope):
1265         (JSC::BytecodeGenerator::emitPopScope):
1266         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
1267         (JSC::BytecodeGenerator::emitPopScopes):
1268         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
1269         (JSC::BytecodeGenerator::localScopeDepth):
1270         (JSC::BytecodeGenerator::labelScopeDepth):
1271         (JSC::BytecodeGenerator::emitThrowReferenceError):
1272         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1273         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
1274         (JSC::BytecodeGenerator::popScopedControlFlowContext):
1275         (JSC::BytecodeGenerator::emitPushCatchScope):
1276         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
1277         * bytecompiler/BytecodeGenerator.h:
1278         (JSC::BytecodeGenerator::hasFinaliser):
1279         (JSC::BytecodeGenerator::scopeDepth): Deleted.
1280         * bytecompiler/NodesCodegen.cpp:
1281         (JSC::ContinueNode::trivialTarget):
1282         (JSC::BreakNode::trivialTarget):
1283         (JSC::ReturnNode::emitBytecode):
1284         (JSC::WithNode::emitBytecode):
1285         (JSC::TryNode::emitBytecode):
1286         * tests/stress/lexical-scoping-break-continue.js: Added.
1287         (assert):
1288         (.):
1289
1290 2015-07-17  Filip Pizlo  <fpizlo@apple.com>
1291
1292         DFG should have some obvious mitigations against watching structures that are unprofitable to watch
1293         https://bugs.webkit.org/show_bug.cgi?id=147034
1294
1295         Reviewed by Mark Lam and Michael Saboff.
1296         
1297         This implements two guards against the DFG watching structures that are likely to fire
1298         their watchpoints:
1299         
1300         - Don't watch dictionaries or any structure that had a dictionary in its past. Dictionaries
1301           can be flattened, and then they can transform back to dictionaries.
1302         
1303         - Don't watch structures whose past structures were transitioned-away from while their
1304           transition watchpoints were being watched. This property gives us monotonicity: if we
1305           recompile because we watched structure S1 of object O, then we won't make the same mistake
1306           again when object O has structure S2, S3, and so on.
1307         
1308         This is a 1.5% speed-up on Kraken. It does penalize some Octane tests, but it also seems to
1309         help some of them, so on Octane it's basically neutral.
1310
1311         * bytecode/Watchpoint.h:
1312         (JSC::WatchpointSet::invalidate):
1313         (JSC::WatchpointSet::isBeingWatched):
1314         (JSC::WatchpointSet::addressOfState):
1315         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
1316         (JSC::InlineWatchpointSet::touch):
1317         (JSC::InlineWatchpointSet::isBeingWatched):
1318         * runtime/JSGlobalObject.h:
1319         (JSC::JSGlobalObject::createStructure):
1320         (JSC::JSGlobalObject::registerWeakMap):
1321         * runtime/Structure.cpp:
1322         (JSC::Structure::Structure):
1323         (JSC::Structure::toDictionaryTransition):
1324         (JSC::Structure::didTransitionFromThisStructure):
1325         * runtime/Structure.h:
1326
1327 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
1328
1329         Remove DFG::DesiredWriteBarriers because it's just a very difficult way of saying "please barrier the machine code block owner"
1330         https://bugs.webkit.org/show_bug.cgi?id=147030
1331
1332         Reviewed by Andreas Kling.
1333         
1334         All of the users of DesiredWriteBarriers were just using it to request that Plan
1335         finalization executes a barrier on codeBlock->ownerExecutable. Indeed, that's the only
1336         owning cell in the heap that compilation affects. So, we might as well just have Plan
1337         unconditionally execute that barrier and then we don't need DesiredWriteBarriers at
1338         all.
1339
1340         * CMakeLists.txt:
1341         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1342         * JavaScriptCore.xcodeproj/project.pbxproj:
1343         * dfg/DFGByteCodeParser.cpp:
1344         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1345         * dfg/DFGDesiredWriteBarriers.cpp: Removed.
1346         * dfg/DFGDesiredWriteBarriers.h: Removed.
1347         * dfg/DFGGraph.cpp:
1348         (JSC::DFG::Graph::registerFrozenValues):
1349         * dfg/DFGPlan.cpp:
1350         (JSC::DFG::Plan::reallyAdd):
1351         (JSC::DFG::Plan::notifyCompiling):
1352         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1353         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1354         (JSC::DFG::Plan::cancel):
1355         * dfg/DFGPlan.h:
1356
1357 2015-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1358
1359         Integrate automatic microtask draining into JSC framework and re-enable Promise
1360         https://bugs.webkit.org/show_bug.cgi?id=146828
1361
1362         Reviewed by Sam Weinig.
1363
1364         Add automatic microtask draining system into JSC framework.
1365         When the depth of VM lock becomes 0, before this, we drain the queued microtasks.
1366         Enqueuing behavior can be injected by the JSGlobalObject's method table.
1367         It is utilized in WebCore to post the microtask to WebCore's event loop.
1368
1369         In the case of JSC interactive shell, VM depth is always greater than 0.
1370         So we manually drains the queued microtasks after evaluating the written line.
1371
1372         Since now JSC framework has the microtask queue, we can drain the queued microtasks.
1373         So re-enable the Promise in the JSC framework context.
1374
1375         * API/JSContextRef.cpp:
1376         (javaScriptRuntimeFlags): Deleted.
1377         * API/tests/testapi.c:
1378         (main):
1379         * API/tests/testapi.mm:
1380         (testObjectiveCAPIMain):
1381         * jsc.cpp:
1382         (runInteractive):
1383         * runtime/JSGlobalObject.cpp:
1384         (JSC::JSGlobalObject::queueMicrotask):
1385         * runtime/JSLock.cpp:
1386         (JSC::JSLock::willReleaseLock):
1387         * runtime/VM.cpp:
1388         (JSC::VM::queueMicrotask):
1389         (JSC::VM::drainMicrotasks):
1390         (JSC::QueuedTask::run):
1391         * runtime/VM.h:
1392         (JSC::QueuedTask::QueuedTask):
1393
1394 2015-07-17  Saam barati  <saambarati1@gmail.com>
1395
1396         Function parameters should be parsed in the same parser arena as the function body
1397         https://bugs.webkit.org/show_bug.cgi?id=145995
1398
1399         Reviewed by Yusuke Suzuki.
1400
1401         This patch changes how functions are parsed in JSC. A function's
1402         parameters are now parsed in the same arena as the function itself.
1403         This allows us to arena allocate all destructuring AST nodes and
1404         the FunctionParameters node. This will help make implementing ES6
1405         default parameter values sane.
1406
1407         A source code that represents a function now includes the text of the function's 
1408         parameters. The starting offset is at the opening parenthesis of the parameter
1409         list or at the starting character of the identifier for arrow functions that
1410         have single arguments and don't start with parenthesis.
1411
1412         For example:
1413
1414         "function (param1, param2) { ... }"
1415                                    ^
1416                                    | This offset used to be the starting offset of a function's SourceCode
1417                   ^
1418                   | This is the new starting offset for a function's SourceCode.
1419
1420         This requires us to change how some offsets are calculated
1421         and also requires us to report some different line numbers for internal
1422         metrics that use a SourceCode's starting line and column numbers.
1423
1424         This patch also does a bit of cleanup with regards to how
1425         functions are parsed in general (especially arrow functions).
1426         It removes some unnecessary #ifdefs and the likes for arrow
1427         to make things clearer and more deliberate.
1428
1429         * API/JSScriptRef.cpp:
1430         (parseScript):
1431         * builtins/BuiltinExecutables.cpp:
1432         (JSC::BuiltinExecutables::createExecutableInternal):
1433         * bytecode/UnlinkedCodeBlock.cpp:
1434         (JSC::generateFunctionCodeBlock):
1435         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1436         (JSC::UnlinkedFunctionExecutable::visitChildren):
1437         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
1438         * bytecode/UnlinkedCodeBlock.h:
1439         * bytecompiler/NodesCodegen.cpp:
1440         (JSC::DestructuringAssignmentNode::emitBytecode):
1441         (JSC::assignDefaultValueIfUndefined):
1442         (JSC::ArrayPatternNode::collectBoundIdentifiers):
1443         (JSC::DestructuringPatternNode::~DestructuringPatternNode): Deleted.
1444         * parser/ASTBuilder.h:
1445         (JSC::ASTBuilder::createClassExpr):
1446         (JSC::ASTBuilder::createFunctionExpr):
1447         (JSC::ASTBuilder::createFunctionBody):
1448         (JSC::ASTBuilder::createArrowFunctionExpr):
1449         (JSC::ASTBuilder::createGetterOrSetterProperty):
1450         (JSC::ASTBuilder::createElementList):
1451         (JSC::ASTBuilder::createFormalParameterList):
1452         (JSC::ASTBuilder::appendParameter):
1453         (JSC::ASTBuilder::createClause):
1454         (JSC::ASTBuilder::createClauseList):
1455         (JSC::ASTBuilder::createFuncDeclStatement):
1456         (JSC::ASTBuilder::createForInLoop):
1457         (JSC::ASTBuilder::createForOfLoop):
1458         (JSC::ASTBuilder::isResolve):
1459         (JSC::ASTBuilder::createDestructuringAssignment):
1460         (JSC::ASTBuilder::createArrayPattern):
1461         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
1462         (JSC::ASTBuilder::appendArrayPatternEntry):
1463         (JSC::ASTBuilder::appendArrayPatternRestEntry):
1464         (JSC::ASTBuilder::finishArrayPattern):
1465         (JSC::ASTBuilder::createObjectPattern):
1466         (JSC::ASTBuilder::appendObjectPatternEntry):
1467         (JSC::ASTBuilder::createBindingLocation):
1468         (JSC::ASTBuilder::setEndOffset):
1469         * parser/Lexer.cpp:
1470         (JSC::Lexer<T>::Lexer):
1471         (JSC::Lexer<T>::nextTokenIsColon):
1472         (JSC::Lexer<T>::setTokenPosition):
1473         (JSC::Lexer<T>::lex):
1474         (JSC::Lexer<T>::clear):
1475         * parser/Lexer.h:
1476         (JSC::Lexer::setIsReparsingFunction):
1477         (JSC::Lexer::isReparsingFunction):
1478         (JSC::Lexer::lineNumber):
1479         (JSC::Lexer::setIsReparsing): Deleted.
1480         (JSC::Lexer::isReparsing): Deleted.
1481         * parser/NodeConstructors.h:
1482         (JSC::TryNode::TryNode):
1483         (JSC::FunctionParameters::FunctionParameters):
1484         (JSC::FuncExprNode::FuncExprNode):
1485         (JSC::FuncDeclNode::FuncDeclNode):
1486         (JSC::ArrayPatternNode::ArrayPatternNode):
1487         (JSC::ObjectPatternNode::ObjectPatternNode):
1488         (JSC::BindingNode::BindingNode):
1489         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
1490         (JSC::ParameterNode::ParameterNode): Deleted.
1491         (JSC::ArrayPatternNode::create): Deleted.
1492         (JSC::ObjectPatternNode::create): Deleted.
1493         (JSC::BindingNode::create): Deleted.
1494         * parser/Nodes.cpp:
1495         (JSC::ProgramNode::ProgramNode):
1496         (JSC::EvalNode::EvalNode):
1497         (JSC::FunctionBodyNode::FunctionBodyNode):
1498         (JSC::FunctionBodyNode::finishParsing):
1499         (JSC::FunctionNode::FunctionNode):
1500         (JSC::FunctionNode::finishParsing):
1501         (JSC::FunctionParameters::create): Deleted.
1502         (JSC::FunctionParameters::FunctionParameters): Deleted.
1503         (JSC::FunctionParameters::~FunctionParameters): Deleted.
1504         * parser/Nodes.h:
1505         (JSC::ProgramNode::startColumn):
1506         (JSC::ProgramNode::endColumn):
1507         (JSC::EvalNode::startColumn):
1508         (JSC::EvalNode::endColumn):
1509         (JSC::FunctionParameters::size):
1510         (JSC::FunctionParameters::at):
1511         (JSC::FunctionParameters::append):
1512         (JSC::FuncExprNode::body):
1513         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
1514         (JSC::DestructuringPatternNode::isBindingNode):
1515         (JSC::DestructuringPatternNode::emitDirectBinding):
1516         (JSC::ArrayPatternNode::appendIndex):
1517         (JSC::ObjectPatternNode::appendEntry):
1518         (JSC::BindingNode::boundProperty):
1519         (JSC::BindingNode::divotStart):
1520         (JSC::BindingNode::divotEnd):
1521         (JSC::DestructuringAssignmentNode::bindings):
1522         (JSC::FuncDeclNode::body):
1523         (JSC::ParameterNode::pattern): Deleted.
1524         (JSC::ParameterNode::nextParam): Deleted.
1525         (JSC::FunctionParameters::patterns): Deleted.
1526         * parser/Parser.cpp:
1527         (JSC::Parser<LexerType>::Parser):
1528         (JSC::Parser<LexerType>::~Parser):
1529         (JSC::Parser<LexerType>::parseInner):
1530         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
1531         (JSC::Parser<LexerType>::parseSourceElements):
1532         (JSC::Parser<LexerType>::createBindingPattern):
1533         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
1534         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
1535         (JSC::Parser<LexerType>::parseSwitchClauses):
1536         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
1537         (JSC::Parser<LexerType>::parseBlockStatement):
1538         (JSC::Parser<LexerType>::parseStatement):
1539         (JSC::Parser<LexerType>::parseFormalParameters):
1540         (JSC::Parser<LexerType>::parseFunctionBody):
1541         (JSC::stringForFunctionMode):
1542         (JSC::Parser<LexerType>::parseFunctionParameters):
1543         (JSC::Parser<LexerType>::parseFunctionInfo):
1544         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1545         (JSC::Parser<LexerType>::parseClass):
1546         (JSC::Parser<LexerType>::parsePrimaryExpression):
1547         (JSC::Parser<LexerType>::parseMemberExpression):
1548         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1549         (JSC::operatorString):
1550         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody): Deleted.
1551         * parser/Parser.h:
1552         (JSC::Parser::positionBeforeLastNewline):
1553         (JSC::Parser::locationBeforeLastToken):
1554         (JSC::Parser::findCachedFunctionInfo):
1555         (JSC::Parser::isofToken):
1556         (JSC::Parser::isEndOfArrowFunction):
1557         (JSC::Parser::isArrowFunctionParamters):
1558         (JSC::Parser::tokenStart):
1559         (JSC::Parser::isLETMaskedAsIDENT):
1560         (JSC::Parser::autoSemiColon):
1561         (JSC::Parser::setEndOfStatement):
1562         (JSC::Parser::canRecurse):
1563         (JSC::Parser<LexerType>::parse):
1564         (JSC::parse):
1565         * parser/ParserFunctionInfo.h:
1566         * parser/ParserModes.h:
1567         (JSC::functionNameIsInScope):
1568         * parser/SourceCode.h:
1569         (JSC::makeSource):
1570         (JSC::SourceCode::subExpression):
1571         (JSC::SourceCode::subArrowExpression): Deleted.
1572         * parser/SourceProviderCache.h:
1573         (JSC::SourceProviderCache::get):
1574         * parser/SourceProviderCacheItem.h:
1575         (JSC::SourceProviderCacheItem::endFunctionToken):
1576         (JSC::SourceProviderCacheItem::usedVariables):
1577         (JSC::SourceProviderCacheItem::writtenVariables):
1578         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1579         * parser/SyntaxChecker.h:
1580         (JSC::SyntaxChecker::SyntaxChecker):
1581         (JSC::SyntaxChecker::createClassExpr):
1582         (JSC::SyntaxChecker::createFunctionExpr):
1583         (JSC::SyntaxChecker::createFunctionBody):
1584         (JSC::SyntaxChecker::createArrowFunctionExpr):
1585         (JSC::SyntaxChecker::setFunctionNameStart):
1586         (JSC::SyntaxChecker::createArguments):
1587         (JSC::SyntaxChecker::createPropertyList):
1588         (JSC::SyntaxChecker::createElementList):
1589         (JSC::SyntaxChecker::createFormalParameterList):
1590         (JSC::SyntaxChecker::appendParameter):
1591         (JSC::SyntaxChecker::createClause):
1592         (JSC::SyntaxChecker::createClauseList):
1593         * runtime/CodeCache.cpp:
1594         (JSC::CodeCache::getGlobalCodeBlock):
1595         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1596         * runtime/Completion.cpp:
1597         (JSC::checkSyntax):
1598         * runtime/Executable.cpp:
1599         (JSC::ProgramExecutable::checkSyntax):
1600         * tests/controlFlowProfiler/conditional-expression.js:
1601         (testConditionalFunctionCall):
1602
1603 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
1604
1605         Unreviewed, fix build for newer LLVMs.
1606
1607         * llvm/LLVMHeaders.h:
1608         * llvm/library/LLVMExports.cpp:
1609
1610 2015-07-16  Mark Lam  <mark.lam@apple.com>
1611
1612         RegExp::match() should set m_state to ByteCode if compilation fails.
1613         https://bugs.webkit.org/show_bug.cgi?id=147023
1614
1615         Reviewed by Michael Saboff.
1616
1617         A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
1618         If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
1619         Subsequently, if RegExp tries to compile another one of these but fails, m_state
1620         will be left untouched i.e. it still says JITCode.  As a result, when
1621         RegExp::match() later tries to execute the non-existant compiled code, it will
1622         crash.
1623
1624         The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
1625         This failure should be rare.  We'll do the minimal work here to fix the issue and
1626         keep an eye on the perf bots.  If perf regresses, we can do some optimization work then.
1627
1628         This issue is difficult to test for since it either requires a low memory condition
1629         to trigger a failed RegExp compilation at the right moment, or for the RegExp to
1630         succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
1631         Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
1632         10 compilation attempts.
1633
1634         * runtime/RegExp.cpp:
1635         (JSC::RegExp::compile):
1636         (JSC::RegExp::compileMatchOnly):
1637
1638 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
1639
1640         [Win] Fix armv7 build.
1641
1642         * jit/CCallHelpers.h:
1643         (JSC::CCallHelpers::setupArgumentsWithExecState): The 64-bit argument
1644         version of poke is not available on armv7 builds.
1645
1646 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
1647
1648         [Win] 64-bit Build Failure
1649         https://bugs.webkit.org/show_bug.cgi?id=146989
1650
1651         Reviewed by Mark Lam.
1652
1653         * jit/CCallHelpers.h:
1654         (JSC::CCallHelpers::setupArgumentsWithExecState): Add missing
1655         declaration for 64-bit type on 4-argument register machines (like
1656         Windows).
1657
1658 2015-07-15  Saam barati  <saambarati1@gmail.com>
1659
1660         [ES6] implement block scoping to enable 'let'
1661         https://bugs.webkit.org/show_bug.cgi?id=142944
1662
1663         Reviewed by Filip Pizlo.
1664
1665         * CMakeLists.txt:
1666         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1667         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1668         * JavaScriptCore.xcodeproj/project.pbxproj:
1669         * builtins/BuiltinExecutables.cpp:
1670         (JSC::BuiltinExecutables::createExecutableInternal):
1671         * bytecode/BytecodeList.json:
1672         This patch adds a new opcode and removes op_pop_scope:
1673         1) op_get_parent_scope returns the parent scope but doesn't 
1674         implicitly write that scope into the scope register. op_pop_scope
1675         is now reduced to op_get_parent_scope followed by op_mov.
1676
1677         * bytecode/BytecodeUseDef.h:
1678         (JSC::computeUsesForBytecodeOffset):
1679         (JSC::computeDefsForBytecodeOffset):
1680         * bytecode/CodeBlock.cpp:
1681         (JSC::CodeBlock::dumpBytecode):
1682         (JSC::CodeBlock::CodeBlock):
1683         (JSC::CodeBlock::stronglyVisitStrongReferences):
1684         * bytecode/CodeBlock.h:
1685         (JSC::CodeBlock::addStringSwitchJumpTable):
1686         (JSC::CodeBlock::stringSwitchJumpTable):
1687         (JSC::CodeBlock::symbolTable):
1688         (JSC::CodeBlock::evalCodeCache):
1689         (JSC::CodeBlock::setConstantRegisters):
1690         (JSC::CodeBlock::replaceConstant):
1691         op_put_to_scope for LocalClosureVar now takes as an argument
1692         the constant index for the Symbol Table it will be putting into.
1693         This argument is only used to communicate from the BytecodeGenerator
1694         to CodeBlock linking time and it is not present in the linked bytecode.
1695
1696         op_put_to_scope for non LocalClosureVar takes, at the same index, an
1697         argument that represents the local scope depth which it uses for
1698         JSScope::abstractResolve to know how many scopes it needs to skip.
1699         Again, this is not in the linked code.
1700         op_get_from_scope and op_resolve_scope also take as an argument
1701         the local scope depth to use in JSScope::abstractResolve. Again,
1702         this is not used in the linked code.
1703
1704         * bytecode/EvalCodeCache.h:
1705         (JSC::EvalCodeCache::tryGet):
1706         (JSC::EvalCodeCache::getSlow):
1707         (JSC::EvalCodeCache::clear):
1708         (JSC::EvalCodeCache::isCacheable):
1709         When direct eval is called and passed a scope that 
1710         corresponds to a lexical scope, we can't safely cache 
1711         that code because we won't be able to guarantee
1712         that the cached code is always executed in the same scope.
1713         Consider this example:
1714         function foo() {
1715             let x = 20;
1716             eval("x;");
1717             if (b) {
1718                 let x = 30;
1719                 if (b) {
1720                     let y = 40;
1721                     eval("x;")
1722                 }
1723             }
1724         }
1725
1726         We can't reuse resolution depth when linking get_from_scope in evals.
1727
1728         * bytecode/UnlinkedCodeBlock.cpp:
1729         (JSC::generateFunctionCodeBlock):
1730         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1731         (JSC::UnlinkedFunctionExecutable::parameterCount):
1732         * bytecode/UnlinkedCodeBlock.h:
1733         Unlinked functions now know the variables that were under TDZ in their parent
1734         scope.
1735
1736         (JSC::UnlinkedCodeBlock::symbolTable):
1737         (JSC::UnlinkedCodeBlock::setSymbolTable):
1738         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
1739         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
1740         (JSC::UnlinkedCodeBlock::vm):
1741         * bytecompiler/BytecodeGenerator.cpp:
1742         (JSC::BytecodeGenerator::generate):
1743         (JSC::BytecodeGenerator::BytecodeGenerator):
1744         (JSC::BytecodeGenerator::~BytecodeGenerator):
1745         (JSC::BytecodeGenerator::newRegister):
1746         (JSC::BytecodeGenerator::reclaimFreeRegisters):
1747         (JSC::BytecodeGenerator::newBlockScopeVariable):
1748         (JSC::BytecodeGenerator::newTemporary):
1749         (JSC::BytecodeGenerator::emitProfileType):
1750         (JSC::BytecodeGenerator::emitLoadGlobalObject):
1751         (JSC::BytecodeGenerator::pushLexicalScope):
1752         (JSC::BytecodeGenerator::popLexicalScope):
1753         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1754         (JSC::BytecodeGenerator::variable):
1755         (JSC::BytecodeGenerator::variablePerSymbolTable):
1756         (JSC::BytecodeGenerator::variableForLocalEntry):
1757         (JSC::BytecodeGenerator::createVariable):
1758         (JSC::BytecodeGenerator::emitResolveScope):
1759         (JSC::BytecodeGenerator::emitGetFromScope):
1760         (JSC::BytecodeGenerator::emitPutToScope):
1761         (JSC::BytecodeGenerator::initializeVariable):
1762         (JSC::BytecodeGenerator::emitTDZCheck):
1763         (JSC::BytecodeGenerator::needsTDZCheck):
1764         (JSC::BytecodeGenerator::emitTDZCheckIfNecessary):
1765         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
1766         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1767         (JSC::BytecodeGenerator::emitNewObject):
1768         (JSC::BytecodeGenerator::emitPushWithScope):
1769         (JSC::BytecodeGenerator::emitGetParentScope):
1770         (JSC::BytecodeGenerator::emitPopScope):
1771         (JSC::BytecodeGenerator::emitDebugHook):
1772         (JSC::BytecodeGenerator::pushFinallyContext):
1773         (JSC::BytecodeGenerator::pushIteratorCloseContext):
1774         (JSC::BytecodeGenerator::emitComplexPopScopes):
1775         (JSC::BytecodeGenerator::emitPopScopes):
1776         (JSC::BytecodeGenerator::popTryAndEmitCatch):
1777         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
1778         (JSC::BytecodeGenerator::currentScopeDepth):
1779         (JSC::BytecodeGenerator::emitThrowReferenceError):
1780         (JSC::BytecodeGenerator::emitPushCatchScope):
1781         (JSC::BytecodeGenerator::beginSwitch):
1782         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1783         (JSC::BytecodeGenerator::emitEnumeration):
1784         * bytecompiler/BytecodeGenerator.h:
1785         (JSC::Variable::Variable):
1786         (JSC::Variable::isResolved):
1787         (JSC::Variable::symbolTableConstantIndex):
1788         (JSC::Variable::ident):
1789         (JSC::BytecodeGenerator::ignoredResult):
1790         (JSC::BytecodeGenerator::tempDestination):
1791         (JSC::BytecodeGenerator::lastOpcodeID):
1792         (JSC::BytecodeGenerator::makeFunction):
1793         (JSC::BytecodeGenerator::symbolTable):
1794         (JSC::BytecodeGenerator::shouldOptimizeLocals): Deleted.
1795         (JSC::BytecodeGenerator::canOptimizeNonLocals): Deleted.
1796         The heart of the changes in this patch are in the bytecode generator.
1797         The bytecode generator now keeps a stack of tuples of 
1798         {symbol table, scope register, flag indicating catch or with scope, symbol table index in constant pool}
1799         that models the runtime scope stack. This symbol table stack is used
1800         in resolving local variables.
1801
1802         Also, the bytecode generator handles pushing and popping of lexical scopes. 
1803         This is relatively straight forward:
1804         Captured 'let' variables end up in the JSLexicalEnvironment scope and non-captured
1805         variables end up on the stack. Some trickiness is involved in generating
1806         code for 'for' loops that have captured variables (I'm talking about variables in the loop
1807         header, not the loop body). Each iteration of the for loop ends up with 
1808         its own JSLexicalEnvironment. Static code must be generated in such a way 
1809         to create this runtime behavior. This is done by emitting instructions to 
1810         push and pop a lexical scope at the end of each loop and copying values
1811         from the previous loop's scope into the new scope. This code must also
1812         ensure that each loop iteration's scope refers to the same underlying 
1813         SymbolTable so that no scope is accidentally mistaken as being a singleton scope.
1814
1815         When the debugger is enabled, all lexically defined variables will end up in the
1816         JSLexicalEnvironment.
1817
1818         * bytecompiler/NodesCodegen.cpp:
1819         (JSC::ResolveNode::emitBytecode):
1820         (JSC::FunctionCallResolveNode::emitBytecode):
1821         (JSC::PostfixNode::emitResolve):
1822         (JSC::DeleteResolveNode::emitBytecode):
1823         (JSC::TypeOfResolveNode::emitBytecode):
1824         (JSC::PrefixNode::emitResolve):
1825         (JSC::ReadModifyResolveNode::emitBytecode):
1826         (JSC::AssignResolveNode::emitBytecode):
1827         (JSC::BlockNode::emitBytecode):
1828         (JSC::ExprStatementNode::emitBytecode):
1829         (JSC::DeclarationStatement::emitBytecode):
1830         (JSC::EmptyVarExpression::emitBytecode):
1831         (JSC::EmptyLetExpression::emitBytecode):
1832         (JSC::ForNode::emitBytecode):
1833         (JSC::ForInNode::emitMultiLoopBytecode):
1834         (JSC::ForOfNode::emitBytecode):
1835         (JSC::SwitchNode::emitBytecode):
1836         (JSC::BindingNode::bindValue):
1837         (JSC::VarStatementNode::emitBytecode): Deleted.
1838         * debugger/DebuggerCallFrame.cpp:
1839         (JSC::DebuggerCallFrame::evaluate):
1840         * debugger/DebuggerScope.cpp:
1841         (JSC::DebuggerScope::getOwnPropertySlot):
1842         (JSC::DebuggerScope::put):
1843         * dfg/DFGByteCodeParser.cpp:
1844         (JSC::DFG::ByteCodeParser::parseBlock):
1845         * dfg/DFGCapabilities.cpp:
1846         (JSC::DFG::capabilityLevel):
1847         * dfg/DFGNode.h:
1848         (JSC::DFG::Node::castConstant):
1849         (JSC::DFG::Node::initializationValueForActivation):
1850         (JSC::DFG::Node::containsMovHint):
1851         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1852         CreateActivation nodes now have a second OpInfo that tracks the 
1853         initial value that needs to be placed in the activation. This initial value 
1854         is also used in allocation sinking to create proper bottom values for all 
1855         scope variables.
1856
1857         * dfg/DFGOperations.cpp:
1858         * dfg/DFGOperations.h:
1859         * dfg/DFGSpeculativeJIT.cpp:
1860         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1861         * dfg/DFGSpeculativeJIT.h:
1862         (JSC::DFG::SpeculativeJIT::callOperation):
1863         * ftl/FTLIntrinsicRepository.h:
1864         * ftl/FTLLowerDFGToLLVM.cpp:
1865         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
1866         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
1867         * ftl/FTLOperations.cpp:
1868         (JSC::FTL::operationMaterializeObjectInOSR):
1869         * interpreter/Interpreter.cpp:
1870         (JSC::Interpreter::execute):
1871         * jit/CCallHelpers.h:
1872         (JSC::CCallHelpers::setupArgumentsWithExecState):
1873         * jit/JIT.cpp:
1874         (JSC::JIT::privateCompileMainPass):
1875         * jit/JIT.h:
1876         * jit/JITInlines.h:
1877         (JSC::JIT::callOperation):
1878         * jit/JITOpcodes.cpp:
1879         (JSC::JIT::emit_op_push_with_scope):
1880         (JSC::JIT::compileOpStrictEq):
1881         (JSC::JIT::emit_op_catch):
1882         (JSC::JIT::emit_op_create_lexical_environment):
1883         (JSC::JIT::emit_op_get_parent_scope):
1884         (JSC::JIT::emit_op_switch_imm):
1885         (JSC::JIT::emit_op_enter):
1886         (JSC::JIT::emit_op_get_scope):
1887         (JSC::JIT::emit_op_pop_scope): Deleted.
1888         * jit/JITOpcodes32_64.cpp:
1889         (JSC::JIT::emit_op_push_with_scope):
1890         (JSC::JIT::emit_op_to_number):
1891         (JSC::JIT::emit_op_catch):
1892         (JSC::JIT::emit_op_create_lexical_environment):
1893         (JSC::JIT::emit_op_get_parent_scope):
1894         (JSC::JIT::emit_op_switch_imm):
1895         (JSC::JIT::emit_op_enter):
1896         (JSC::JIT::emit_op_get_scope):
1897         (JSC::JIT::emit_op_pop_scope): Deleted.
1898         * jit/JITOperations.cpp:
1899         (JSC::canAccessArgumentIndexQuickly):
1900         * jit/JITOperations.h:
1901         * llint/LLIntSlowPaths.cpp:
1902         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1903         * llint/LLIntSlowPaths.h:
1904         * llint/LowLevelInterpreter.asm:
1905         * llint/LowLevelInterpreter32_64.asm:
1906         * llint/LowLevelInterpreter64.asm:
1907         * parser/ASTBuilder.h:
1908         (JSC::ASTBuilder::createSourceElements):
1909         (JSC::ASTBuilder::funcDeclarations):
1910         (JSC::ASTBuilder::features):
1911         (JSC::ASTBuilder::numConstants):
1912         (JSC::ASTBuilder::createConditionalExpr):
1913         (JSC::ASTBuilder::createAssignResolve):
1914         (JSC::ASTBuilder::createClassDeclStatement):
1915         (JSC::ASTBuilder::createBlockStatement):
1916         (JSC::ASTBuilder::createIfStatement):
1917         (JSC::ASTBuilder::createForLoop):
1918         (JSC::ASTBuilder::createForInLoop):
1919         (JSC::ASTBuilder::createForOfLoop):
1920         (JSC::ASTBuilder::isBindingNode):
1921         (JSC::ASTBuilder::createEmptyStatement):
1922         (JSC::ASTBuilder::createDeclarationStatement):
1923         (JSC::ASTBuilder::createVarStatement):
1924         (JSC::ASTBuilder::createLetStatement):
1925         (JSC::ASTBuilder::createEmptyVarExpression):
1926         (JSC::ASTBuilder::createEmptyLetExpression):
1927         (JSC::ASTBuilder::createReturnStatement):
1928         (JSC::ASTBuilder::createTryStatement):
1929         (JSC::ASTBuilder::createSwitchStatement):
1930         (JSC::ASTBuilder::appendStatement):
1931         (JSC::ASTBuilder::createCommaExpr):
1932         (JSC::ASTBuilder::appendObjectPatternEntry):
1933         (JSC::ASTBuilder::createBindingLocation):
1934         (JSC::ASTBuilder::setEndOffset):
1935         (JSC::ASTBuilder::Scope::Scope):
1936         (JSC::ASTBuilder::makeAssignNode):
1937         (JSC::ASTBuilder::varDeclarations): Deleted.
1938         (JSC::ASTBuilder::addVar): Deleted.
1939         * parser/Keywords.table:
1940         * parser/NodeConstructors.h:
1941         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
1942         (JSC::AssignResolveNode::AssignResolveNode):
1943         (JSC::ExprStatementNode::ExprStatementNode):
1944         (JSC::DeclarationStatement::DeclarationStatement):
1945         (JSC::EmptyVarExpression::EmptyVarExpression):
1946         (JSC::EmptyLetExpression::EmptyLetExpression):
1947         (JSC::IfElseNode::IfElseNode):
1948         (JSC::WhileNode::WhileNode):
1949         (JSC::ForNode::ForNode):
1950         (JSC::CaseBlockNode::CaseBlockNode):
1951         (JSC::SwitchNode::SwitchNode):
1952         (JSC::ConstDeclNode::ConstDeclNode):
1953         (JSC::BlockNode::BlockNode):
1954         (JSC::EnumerationNode::EnumerationNode):
1955         (JSC::ForInNode::ForInNode):
1956         (JSC::ForOfNode::ForOfNode):
1957         (JSC::ObjectPatternNode::create):
1958         (JSC::BindingNode::create):
1959         (JSC::BindingNode::BindingNode):
1960         (JSC::VarStatementNode::VarStatementNode): Deleted.
1961         * parser/Nodes.cpp:
1962         (JSC::ScopeNode::ScopeNode):
1963         (JSC::ScopeNode::singleStatement):
1964         (JSC::ProgramNode::ProgramNode):
1965         (JSC::EvalNode::EvalNode):
1966         (JSC::FunctionNode::FunctionNode):
1967         (JSC::FunctionNode::finishParsing):
1968         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1969         * parser/Nodes.h:
1970         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1971         (JSC::VariableEnvironmentNode::lexicalVariables):
1972         (JSC::ScopeNode::usesThis):
1973         (JSC::ScopeNode::needsActivationForMoreThanVariables):
1974         (JSC::ScopeNode::needsActivation):
1975         (JSC::ScopeNode::hasCapturedVariables):
1976         (JSC::ScopeNode::captures):
1977         (JSC::ScopeNode::varDeclarations):
1978         (JSC::ScopeNode::functionStack):
1979         (JSC::ScopeNode::neededConstants):
1980         (JSC::ProgramNode::startColumn):
1981         (JSC::ProgramNode::endColumn):
1982         (JSC::EvalNode::startColumn):
1983         (JSC::EvalNode::endColumn):
1984         (JSC::BindingNode::boundProperty):
1985         (JSC::BindingNode::divotStart):
1986         (JSC::BindingNode::divotEnd):
1987         (JSC::ScopeNode::capturedVariableCount): Deleted.
1988         (JSC::ScopeNode::capturedVariables): Deleted.
1989         (JSC::ScopeNode::varStack): Deleted.
1990         There is a new class called 'VariableEnvironmentNode' that has the
1991         necessary fields to model a lexical scope. Multiple AST nodes now 
1992         also inherit from VariableEnvironmentNode.
1993
1994         * parser/Parser.cpp:
1995         (JSC::Parser<LexerType>::parseInner):
1996         (JSC::Parser<LexerType>::didFinishParsing):
1997         (JSC::Parser<LexerType>::parseStatementListItem):
1998         (JSC::Parser<LexerType>::parseVariableDeclaration):
1999         (JSC::Parser<LexerType>::parseWhileStatement):
2000         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2001         (JSC::Parser<LexerType>::createBindingPattern):
2002         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
2003         (JSC::Parser<LexerType>::parseDestructuringPattern):
2004         (JSC::Parser<LexerType>::parseConstDeclarationList):
2005         (JSC::Parser<LexerType>::parseForStatement):
2006         (JSC::Parser<LexerType>::parseBreakStatement):
2007         (JSC::Parser<LexerType>::parseContinueStatement):
2008         (JSC::Parser<LexerType>::parseSwitchStatement):
2009         (JSC::Parser<LexerType>::parseTryStatement):
2010         (JSC::Parser<LexerType>::parseBlockStatement):
2011         (JSC::Parser<LexerType>::parseStatement):
2012         (JSC::Parser<LexerType>::parseFunctionInfo):
2013         (JSC::Parser<LexerType>::parseClassDeclaration):
2014         (JSC::Parser<LexerType>::parseClass):
2015         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
2016         (JSC::Parser<LexerType>::parseAssignmentExpression):
2017         (JSC::Parser<LexerType>::parseGetterSetter):
2018         (JSC::Parser<LexerType>::parsePrimaryExpression):
2019         (JSC::Parser<LexerType>::parseVarDeclaration): Deleted.
2020         (JSC::Parser<LexerType>::parseVarDeclarationList): Deleted.
2021         * parser/Parser.h:
2022         (JSC::Scope::Scope):
2023         (JSC::Scope::setIsFunction):
2024         (JSC::Scope::isFunction):
2025         (JSC::Scope::isFunctionBoundary):
2026         (JSC::Scope::setIsLexicalScope):
2027         (JSC::Scope::isLexicalScope):
2028         (JSC::Scope::declaredVariables):
2029         (JSC::Scope::finalizeLexicalEnvironment):
2030         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
2031         (JSC::Scope::declareCallee):
2032         (JSC::Scope::declareVariable):
2033         (JSC::Scope::declareLexicalVariable):
2034         (JSC::Scope::hasDeclaredVariable):
2035         (JSC::Scope::hasLexicallyDeclaredVariable):
2036         (JSC::Scope::hasDeclaredParameter):
2037         (JSC::Scope::declareWrite):
2038         (JSC::Scope::preventAllVariableDeclarations):
2039         (JSC::Scope::preventVarDeclarations):
2040         (JSC::Scope::allowsVarDeclarations):
2041         (JSC::Scope::allowsLexicalDeclarations):
2042         (JSC::Scope::declareParameter):
2043         (JSC::Scope::declareBoundParameter):
2044         (JSC::Scope::useVariable):
2045         (JSC::Scope::setNeedsFullActivation):
2046         (JSC::Scope::needsFullActivation):
2047         (JSC::Scope::hasDirectSuper):
2048         (JSC::Scope::setNeedsSuperBinding):
2049         (JSC::Scope::collectFreeVariables):
2050         (JSC::Scope::getCapturedVars):
2051         (JSC::Scope::copyCapturedVariablesToVector):
2052         (JSC::Parser::AutoCleanupLexicalScope::AutoCleanupLexicalScope):
2053         (JSC::Parser::AutoCleanupLexicalScope::~AutoCleanupLexicalScope):
2054         (JSC::Parser::AutoCleanupLexicalScope::setIsValid):
2055         (JSC::Parser::AutoCleanupLexicalScope::isValid):
2056         (JSC::Parser::AutoCleanupLexicalScope::setPopped):
2057         (JSC::Parser::AutoCleanupLexicalScope::scope):
2058         (JSC::Parser::currentScope):
2059         (JSC::Parser::pushScope):
2060         (JSC::Parser::popScopeInternal):
2061         (JSC::Parser::popScope):
2062         (JSC::Parser::declareVariable):
2063         (JSC::Parser::hasDeclaredVariable):
2064         (JSC::Parser::hasDeclaredParameter):
2065         (JSC::Parser::declareWrite):
2066         (JSC::Parser::findCachedFunctionInfo):
2067         (JSC::Parser::isFunctionBodyNode):
2068         (JSC::Parser::continueIsValid):
2069         (JSC::Parser::pushLabel):
2070         (JSC::Parser::popLabel):
2071         (JSC::Parser::getLabel):
2072         (JSC::Parser::isLETMaskedAsIDENT):
2073         (JSC::Parser<LexerType>::parse):
2074         (JSC::Scope::preventNewDecls): Deleted.
2075         (JSC::Scope::allowsNewDecls): Deleted.
2076         (JSC::Scope::getCapturedVariables): Deleted.
2077         There are basic parser changes that now allow for the 'let'
2078         keyword. The trickiest change is how we will still treat 'let' 
2079         as an identifier for sloppy-mode code sometimes. For example,
2080         "var let = ..." is allowed but "let let" or "const let" is not.
2081
2082         The most significant change to the parser made for this patch
2083         is appropriating the Scope struct to also also model a lexical 
2084         scope. Changes were made in how we track captured variables to 
2085         account for this. In general, I think some of this code could 
2086         benefit from a slight refactoring to make things cleaner.
2087
2088         * parser/ParserTokens.h:
2089         * parser/SyntaxChecker.h:
2090         (JSC::SyntaxChecker::createNewExpr):
2091         (JSC::SyntaxChecker::createConditionalExpr):
2092         (JSC::SyntaxChecker::createAssignResolve):
2093         (JSC::SyntaxChecker::createEmptyVarExpression):
2094         (JSC::SyntaxChecker::createEmptyLetExpression):
2095         (JSC::SyntaxChecker::createClassExpr):
2096         (JSC::SyntaxChecker::createClassDeclStatement):
2097         (JSC::SyntaxChecker::createBlockStatement):
2098         (JSC::SyntaxChecker::createExprStatement):
2099         (JSC::SyntaxChecker::createIfStatement):
2100         (JSC::SyntaxChecker::createForLoop):
2101         (JSC::SyntaxChecker::createForInLoop):
2102         (JSC::SyntaxChecker::createForOfLoop):
2103         (JSC::SyntaxChecker::createEmptyStatement):
2104         (JSC::SyntaxChecker::createVarStatement):
2105         (JSC::SyntaxChecker::createLetStatement):
2106         (JSC::SyntaxChecker::createReturnStatement):
2107         (JSC::SyntaxChecker::createBreakStatement):
2108         (JSC::SyntaxChecker::createContinueStatement):
2109         (JSC::SyntaxChecker::createTryStatement):
2110         (JSC::SyntaxChecker::createSwitchStatement):
2111         (JSC::SyntaxChecker::createWhileStatement):
2112         (JSC::SyntaxChecker::createWithStatement):
2113         (JSC::SyntaxChecker::createDoWhileStatement):
2114         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2115         (JSC::SyntaxChecker::appendStatement):
2116         (JSC::SyntaxChecker::combineCommaNodes):
2117         (JSC::SyntaxChecker::evalCount):
2118         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
2119         (JSC::SyntaxChecker::operatorStackPop):
2120         (JSC::SyntaxChecker::addVar): Deleted.
2121         * parser/VariableEnvironment.cpp: Added.
2122         (JSC::VariableEnvironment::markVariableAsCapturedIfDefined):
2123         (JSC::VariableEnvironment::markVariableAsCaptured):
2124         (JSC::VariableEnvironment::markAllVariablesAsCaptured):
2125         (JSC::VariableEnvironment::hasCapturedVariables):
2126         (JSC::VariableEnvironment::captures):
2127         (JSC::VariableEnvironment::swap):
2128         * parser/VariableEnvironment.h: Added.
2129         (JSC::VariableEnvironmentEntry::isCaptured):
2130         (JSC::VariableEnvironmentEntry::isConstant):
2131         (JSC::VariableEnvironmentEntry::isVar):
2132         (JSC::VariableEnvironmentEntry::isLet):
2133         (JSC::VariableEnvironmentEntry::setIsCaptured):
2134         (JSC::VariableEnvironmentEntry::setIsConstant):
2135         (JSC::VariableEnvironmentEntry::setIsVar):
2136         (JSC::VariableEnvironmentEntry::setIsLet):
2137         (JSC::VariableEnvironmentEntry::clearIsVar):
2138         (JSC::VariableEnvironment::begin):
2139         (JSC::VariableEnvironment::end):
2140         (JSC::VariableEnvironment::add):
2141         (JSC::VariableEnvironment::size):
2142         (JSC::VariableEnvironment::contains):
2143         (JSC::VariableEnvironment::remove):
2144         VariableEnvironment is a new class that keeps track
2145         of the static environment in the parser and the bytecode generator.
2146         VariableEnvironment behaves like SymbolTable but for the bytecode generator.
2147         It keeps track of variable types, i.e, if a variable is a "var", "let", "const" 
2148         and whether or not its captured.
2149
2150         * runtime/CodeCache.cpp:
2151         (JSC::CodeCache::getGlobalCodeBlock):
2152         (JSC::CodeCache::getProgramCodeBlock):
2153         (JSC::CodeCache::getEvalCodeBlock):
2154         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2155         * runtime/CodeCache.h:
2156         (JSC::CodeCache::clear):
2157         * runtime/CommonSlowPaths.cpp:
2158         (JSC::SLOW_PATH_DECL):
2159         * runtime/CommonSlowPaths.h:
2160         * runtime/ExceptionHelpers.cpp:
2161         (JSC::createErrorForInvalidGlobalAssignment):
2162         (JSC::createTDZError):
2163         (JSC::throwOutOfMemoryError):
2164         * runtime/ExceptionHelpers.h:
2165         * runtime/Executable.cpp:
2166         (JSC::EvalExecutable::create):
2167         (JSC::ProgramExecutable::initializeGlobalProperties):
2168         * runtime/Executable.h:
2169         * runtime/JSCJSValue.h:
2170         (JSC::jsUndefined):
2171         (JSC::jsTDZValue):
2172         (JSC::jsBoolean):
2173         * runtime/JSEnvironmentRecord.h:
2174         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
2175         (JSC::JSEnvironmentRecord::finishCreation):
2176         * runtime/JSGlobalObject.cpp:
2177         (JSC::JSGlobalObject::createProgramCodeBlock):
2178         (JSC::JSGlobalObject::createEvalCodeBlock):
2179         * runtime/JSGlobalObject.h:
2180         (JSC::JSGlobalObject::weakRandomInteger):
2181         * runtime/JSGlobalObjectFunctions.cpp:
2182         (JSC::globalFuncEval):
2183         * runtime/JSLexicalEnvironment.cpp:
2184         (JSC::JSLexicalEnvironment::symbolTableGet):
2185         * runtime/JSLexicalEnvironment.h:
2186         (JSC::JSLexicalEnvironment::create):
2187         * runtime/JSScope.cpp:
2188         (JSC::JSScope::resolve):
2189         (JSC::JSScope::abstractResolve):
2190         (JSC::JSScope::collectVariablesUnderTDZ):
2191         (JSC::JSScope::isLexicalScope):
2192         (JSC::resolveModeName):
2193         * runtime/JSScope.h:
2194         * runtime/PropertySlot.h:
2195         (JSC::PropertySlot::setValue):
2196         * runtime/SymbolTable.cpp:
2197         (JSC::SymbolTable::SymbolTable):
2198         (JSC::SymbolTable::cloneScopePart):
2199         * runtime/SymbolTable.h:
2200         SymbolTable now uses an extra bit to know if it corresponds
2201         to a "let"-like environment or not.
2202
2203         * runtime/WriteBarrier.h:
2204         (JSC::WriteBarrierBase<Unknown>::get):
2205         (JSC::WriteBarrierBase<Unknown>::clear):
2206         (JSC::WriteBarrierBase<Unknown>::setUndefined):
2207         (JSC::WriteBarrierBase<Unknown>::setStartingValue):
2208         (JSC::WriteBarrierBase<Unknown>::isNumber):
2209         (JSC::WriteBarrierBase<Unknown>::isObject):
2210         (JSC::WriteBarrierBase<Unknown>::isNull):
2211         * tests/stress/activation-sink-default-value-tdz-error.js: Added.
2212         (shouldThrowTDZ):
2213         (bar):
2214         (foo.cap):
2215         * tests/stress/activation-sink-osrexit-default-value-tdz-error.js: Added.
2216         (shouldThrowTDZ):
2217         (bar):
2218         * tests/stress/lexical-let-and-with-statement.js: Added.
2219         (truth):
2220         (assert):
2221         (.):
2222         * tests/stress/lexical-let-exception-handling.js: Added.
2223         (truth):
2224         (assert):
2225         (.):
2226         * tests/stress/lexical-let-global-not-captured-variables.js: Added.
2227         (truth):
2228         (assert):
2229         (foo):
2230         (.let.capY):
2231         * tests/stress/lexical-let-loop-semantics.js: Added.
2232         (truth):
2233         (assert):
2234         (shouldThrowTDZ):
2235         (.):
2236         * tests/stress/lexical-let-not-strict-mode.js: Added.
2237         (truth):
2238         (assert):
2239         (shouldThrowTDZ):
2240         (.):
2241         * tests/stress/lexical-let-semantics.js: Added.
2242         (truth):
2243         (assert):
2244         (let.globalFunction):
2245         (let.retGlobalNumberCaptured):
2246         (let.setGlobalNumberCaptured):
2247         (.):
2248         * tests/stress/lexical-let-tdz.js: Added.
2249         (truth):
2250         (assert):
2251         (shouldThrowTDZ):
2252         (.):
2253
2254 2015-07-15  Anders Carlsson  <andersca@apple.com>
2255
2256         Make JavaScriptCore SPI headers used by WebCore SPI headers self-contained
2257         https://bugs.webkit.org/show_bug.cgi?id=146978
2258
2259         Reviewed by Dan Bernstein.
2260
2261         * debugger/DebuggerPrimitives.h:
2262         * disassembler/Disassembler.h:
2263         * heap/Weak.h:
2264         * inspector/InspectorValues.h:
2265         * runtime/JSCJSValue.h:
2266
2267 2015-07-14  Anders Carlsson  <andersca@apple.com>
2268
2269         Assertions.h should include ExportMacros.h
2270         https://bugs.webkit.org/show_bug.cgi?id=146948
2271
2272         Reviewed by Tim Horton.
2273
2274         Remove now unneeded WTF_EXPORT_PRIVATE define.
2275
2276         * API/JSBase.h:
2277
2278 2015-07-14  Matthew Mirman  <mmirman@apple.com>
2279
2280         Repatch. Makes compileArithSub in the DFG ensure that the constant is an int32.
2281         https://bugs.webkit.org/show_bug.cgi?id=146910
2282         rdar://problem/21729083
2283
2284         Reviewed by Filip Pizlo.
2285         
2286         Also fixes the debug build problem where all edges are assumed to 
2287         have UntypedUse before the fixup phase.
2288
2289         * dfg/DFGSpeculativeJIT.cpp:
2290         (JSC::DFG::SpeculativeJIT::compileArithSub):
2291         * dfg/DFGValidate.cpp:
2292         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
2293         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
2294         (arithAdd42WrittenAsInteger):
2295         (testArithAdd42WrittenAsInteger):
2296         (arithSub42WrittenAsDouble):
2297         (testArithSub42WrittenAsDouble):
2298         (doubleConstant):
2299         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
2300         (arithAdd42WrittenAsDouble): Deleted.
2301         (testArithAdd42WrittenAsDouble): Deleted.
2302
2303 2015-07-14  Matthew Mirman  <mmirman@apple.com>
2304
2305         Unreviewed, rolling out r186805.
2306
2307         Made raytracer on octane 80% slower
2308
2309         Reverted changeset:
2310
2311         "Makes compileArithSub in the DFG ensure that the constant is
2312         an int32."
2313         https://bugs.webkit.org/show_bug.cgi?id=146910
2314         http://trac.webkit.org/changeset/186805
2315
2316 2015-07-13  Matthew Mirman  <mmirman@apple.com>
2317
2318         Makes compileArithSub in the DFG ensure that the constant is an int32.
2319         https://bugs.webkit.org/show_bug.cgi?id=146910
2320         rdar://problem/21729083
2321
2322         Reviewed by Filip Pizlo.
2323         
2324         Also fixes the debug build problem where all edges are assumed to 
2325         have UntypedUse before the fixup phase.
2326
2327         * dfg/DFGSpeculativeJIT.cpp:
2328         (JSC::DFG::SpeculativeJIT::compileArithSub):
2329         * dfg/DFGValidate.cpp:
2330         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
2331         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
2332         (arithAdd42WrittenAsInteger):
2333         (testArithAdd42WrittenAsInteger):
2334         (arithSub42WrittenAsDouble):
2335         (testArithSub42WrittenAsDouble):
2336         (doubleConstant):
2337         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
2338         (arithAdd42WrittenAsDouble): Deleted.
2339         (testArithAdd42WrittenAsDouble): Deleted.
2340
2341 2015-07-13  Basile Clement  <basile_clement@apple.com>
2342
2343         Object cycles should not prevent allocation elimination/sinking
2344         https://bugs.webkit.org/show_bug.cgi?id=143073
2345
2346         Reviewed by Filip Pizlo.
2347
2348         This patch introduces a new allocation sinking phase that is able to
2349         sink cycles, in DFGAllocationCycleSinkingPhase.cpp. This phase
2350         supersedes the old allocation sinking phase in
2351         DFGObjectAllocationSinkingPhase.cpp, as that previous phase was never
2352         able to sink allocation cycles while the new phase sometimes can; see
2353         DFGAllocationCycleSinkingPhase.cpp for details.
2354
2355         For now, the new sinking phase is kept behind a
2356         JSC_enableAllocationCycleSinking flag that reverts to the old sinking
2357         phase when false (i.e., by default). This also removes the old
2358         JSC_enableObjectAllocationSinking flag. run-javascriptcore-tests
2359         defaults to using the new sinking phase.
2360
2361         * dfg/DFGGraph.h:
2362         (JSC::DFG::Graph::addStructureSet): Allow empty structure sets
2363         * dfg/DFGLazyNode.cpp:
2364         (JSC::DFG::LazyNode::dump): Prettier dump
2365         * dfg/DFGNode.h:
2366         (JSC::DFG::Node::cellOperand): Move to opInfo for MaterializeCreateActivation
2367         (JSC::DFG::Node::hasStructureSet): Add MaterializeNewObject
2368         (JSC::DFG::Node::objectMaterializationData): Move to opInfo2
2369         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Remove unused header
2370         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2371         (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase): Deleted.
2372         (JSC::DFG::ObjectAllocationSinkingPhase::run): Deleted.
2373         (JSC::DFG::ObjectAllocationSinkingPhase::performSinking): Deleted.
2374         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): Deleted.
2375         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): Deleted.
2376         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): Deleted.
2377         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): Deleted.
2378         (JSC::DFG::ObjectAllocationSinkingPhase::resolve): Deleted.
2379         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): Deleted.
2380         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): Deleted.
2381         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): Deleted.
2382         * dfg/DFGObjectAllocationSinkingPhase.h:
2383         * dfg/DFGPromotedHeapLocation.h: Add a hash and a helper function to PromotedLocationDescriptor
2384         (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
2385         (JSC::DFG::PromotedLocationDescriptor::operator bool):
2386         (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization):
2387         (JSC::DFG::PromotedLocationDescriptorHash::hash):
2388         (JSC::DFG::PromotedLocationDescriptorHash::equal):
2389         * dfg/DFGValidate.cpp:
2390         (JSC::DFG::Validate::validateSSA): Assert that most nodes never see a phantom allocation
2391         * ftl/FTLLowerDFGToLLVM.cpp:
2392         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeNewObject): Use the new structureSet() operand
2393         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation): Node has a new child
2394         * ftl/FTLOSRExitCompiler.cpp: Handle materialization cycles
2395         (JSC::FTL::compileStub):
2396         * ftl/FTLOperations.cpp: Handle materialization cycles
2397         (JSC::FTL::operationPopulateObjectInOSR):
2398         (JSC::FTL::operationMaterializeObjectInOSR):
2399         * ftl/FTLOperations.h: Handle materialization cycles
2400         * tests/stress/correctly-sink-object-even-though-it-dies.js: Added.
2401         (clobber):
2402         (foo):
2403         * tests/stress/eliminate-object-read-over-call.js: Added.
2404         (clobber):
2405         (foo):
2406         * tests/stress/materialize-object-on-edge.js: Added.
2407         (call):
2408         (foo):
2409         * tests/stress/object-sinking-stress.js: Added.
2410         (foo):
2411         * tests/stress/sink-object-cycle.js: Added.
2412         (clobber):
2413         (foo):
2414         * tests/stress/sink-object-past-put.js: Added.
2415         (clobber):
2416         (foo):
2417         * tests/stress/sinkable-new-object-in-loop.js: Added.
2418         (foo):
2419
2420 2015-07-13  Daniel Bates  <dabates@apple.com>
2421
2422         Cleanup: Avoid extraneous increment and decrement of reference count of ScriptArguments in ConsoleClient
2423         https://bugs.webkit.org/show_bug.cgi?id=146920
2424
2425         Reviewed by Brian Burg.
2426
2427         Remove local variable RefPtr<ScriptArguments> and copy constructor call with an argument that
2428         was initialized with an rvalue reference. The argument itself is an lvalue reference.
2429
2430         * runtime/ConsoleClient.cpp:
2431         (JSC::ConsoleClient::printConsoleMessageWithArguments):
2432         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
2433
2434 2015-07-13  Anders Carlsson  <andersca@apple.com>
2435
2436         Apps linked with a deployment target of iOS 7.x or earlier crash when using modern WebKit API
2437         https://bugs.webkit.org/show_bug.cgi?id=146913
2438         rdar://problem/21789252
2439
2440         Reviewed by Dan Bernstein.
2441
2442         Make a top-level symlink from /System/Library/PrivateFrameworks/JavaScriptCore.framework to
2443         /System/Library/Frameworks/JavaScriptCore.framework.
2444     
2445         * JavaScriptCore.xcodeproj/project.pbxproj:
2446
2447 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
2448
2449         If Watchpoint::fire() looks at the state of the world, it should definitely see its set invalidated, and maybe it should see the object of interest in the transitioned-to state
2450         https://bugs.webkit.org/show_bug.cgi?id=146897
2451
2452         Reviewed by Mark Lam.
2453         
2454         The idea is to eventually support adaptive watchpoints. An adaptive watchpoint will be
2455         able to watch for a condition that is more fine-grained than any one watchpoint set. For
2456         example, we might watch a singleton object to see if it ever acquires a property called
2457         "foo". So long as it doesn't have such a property, we don't want to invalidate any code.
2458         But if it gets that property, then we should deoptimize. Current watchpoints will
2459         invalidate code as soon as any property is added (or deleted), because they will use the
2460         transition watchpoint set of the singleton object's structure, and that fires anytime
2461         there is any transition.
2462         
2463         An adaptive watchpoint would remember the singleton object, and when it got fired, it
2464         would check if the object's new structure has the property "foo". If not, it would check
2465         if the object's new structure is watchable (i.e. has a valid transition watchpoint set).
2466         If the property is missing and the structure is watchable, it would add itself to the
2467         watchpoint set of the new structure. Otherwise, it would deoptimize.
2468         
2469         There are two problems with this idea, and this patch fixes these problems. First, we
2470         usually fire the transition watchpoint before we do the structure transition. This means
2471         that if the fire() method looked at the singleton object's structure, it would see the old
2472         structure, not the new one. It would have no way of knowing what the new structure is.
2473         Second, inside the fire() method, the watchpoint set being invalidated still appears
2474         valid, since we change the state after we fire all watchpoints.
2475         
2476         This patch addresses both issues. Now, in the most important case (addPropertyTransition),
2477         we fire the watchpoint set after we have modified the object. This is accomplished using
2478         a deferral scope called DeferredStructureTransitionWatchpointFire. In cases where there is
2479         no deferral, the adaptive watchpoint will conservatively resort to deoptimization because
2480         it would find that the singleton object's structure is no longer watchable. This is
2481         because in the absence of deferral, the singleton object would still have the original
2482         structure, but that structure's watchpoint set would now report itself as having been
2483         invalidated.
2484
2485         * bytecode/Watchpoint.cpp:
2486         (JSC::WatchpointSet::fireAllSlow): Change the state of the set before firing all watchpoints.
2487         (JSC::WatchpointSet::fireAllWatchpoints):
2488         * runtime/JSObject.h:
2489         (JSC::JSObject::putDirectInternal): Use the deferral scope.
2490         * runtime/Structure.cpp:
2491         (JSC::Structure::Structure): Pass the deferral scope to didTransitionFromThisStructure.
2492         (JSC::Structure::addPropertyTransition): Pass the deferral scope to create().
2493         (JSC::StructureFireDetail::dump): This is no longer anonymous.
2494         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire): Start with a null structure.
2495         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire): Fire the watchpoint if there is a structure.
2496         (JSC::DeferredStructureTransitionWatchpointFire::add): Add a structure. Logically this is a list of deferred things, but we assert that there only will be one (happens to be true now).
2497         (JSC::Structure::didTransitionFromThisStructure): Defer the watchpoint firing if there is a deferral scope.
2498         * runtime/Structure.h:
2499         (JSC::StructureFireDetail::StructureFireDetail): Move this to the header.
2500         * runtime/StructureInlines.h:
2501         (JSC::Structure::create): Pass the deferral scope to the constructor.
2502
2503 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
2504
2505         Watchpoints should be removed from their owning WatchpointSet before they are fired
2506         https://bugs.webkit.org/show_bug.cgi?id=146895
2507
2508         Reviewed by Sam Weinig.
2509         
2510         This simplifies the WatchpointSet API by making it so that when Watchpoint::fire() is
2511         called, the Watchpoint is no longer in the set. This means that you don't have to remember
2512         to remove it from the set's list (currently we do that implicitly as part of whatever
2513         any particular Watchpoint::fireInternal() does), and you can now write adaptive
2514         watchpoints that re-add themselves to a different set if they determine that the thing
2515         they are actually watching is still intact but now needs to be watched in a different way
2516         (like watching for whether some singleton object has a property of some name).
2517
2518         * bytecode/Watchpoint.cpp:
2519         (JSC::Watchpoint::~Watchpoint): Add a comment about why this is necessary.
2520         (JSC::Watchpoint::fire): Make this out-of-line, private, and make it assert that we're no longer on the list.
2521         (JSC::WatchpointSet::fireAllWatchpoints): Make this remove the watchpoint from the list before firing it.
2522         * bytecode/Watchpoint.h:
2523         (JSC::Watchpoint::fire): Deleted. I moved this to Watchpoint.cpp.
2524
2525 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2526
2527         DFG::DesiredWatchpoints should accept WatchpointSetType's that aren't necessarily pointers
2528         https://bugs.webkit.org/show_bug.cgi?id=146875
2529
2530         Reviewed by Dan Bernstein.
2531         
2532         In the future we'll want to add a desired watchpoint set that's something like "please
2533         watch property 'Foo' for 'deletion' on structure 'S1'", so that the "set type" is struct
2534         like "struct MySet { StringImpl* property; Mode mode; Structure* structure };".
2535         
2536         This is a very mechanical change for now - all of the current users happen to use sets
2537         that are pointer typed, so it's just a matter of moving some "*"'s around.
2538
2539         * dfg/DFGDesiredWatchpoints.h:
2540         (JSC::DFG::GenericSetAdaptor::add):
2541         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
2542         (JSC::DFG::GenericDesiredWatchpoints::GenericDesiredWatchpoints):
2543         (JSC::DFG::GenericDesiredWatchpoints::addLazily):
2544         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
2545         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
2546         (JSC::DFG::GenericDesiredWatchpoints::isWatched):
2547         (JSC::DFG::DesiredWatchpoints::isWatched):
2548
2549 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2550
2551         Watchpoints should be allocated with FastMalloc
2552         https://bugs.webkit.org/show_bug.cgi?id=146874
2553
2554         Reviewed by Dan Bernstein.
2555         
2556         This is in preparation for adding new subclasses of Watchpoint. While starting to do this
2557         I realized that the way Watchpoints allocated themselves was unusual.
2558
2559         * bytecode/CodeBlockJettisoningWatchpoint.h:
2560         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): No need for the default constructor.
2561         * bytecode/Watchpoint.h:
2562         (JSC::Watchpoint::Watchpoint): This should be noncopyable and fast-allocated.
2563         * dfg/DFGCommonData.h: Use a Bag<> instead of SegmentedVector<>. Bag means "malloc things but allow me to free them all at once", which is what we are doing here.
2564         * dfg/DFGDesiredWatchpoints.h:
2565         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd): Use the Bag<> API rather than the very awkward SegmentedVector<> API.
2566
2567 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2568
2569         AI folding of IsObjectOrNull is broken for non-object types that may be null
2570         https://bugs.webkit.org/show_bug.cgi?id=146867
2571
2572         Reviewed by Ryosuke Niwa.
2573
2574         * dfg/DFGAbstractInterpreterInlines.h:
2575         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Fix the bug and add some text describing what is going on.
2576         * tests/stress/misc-is-object-or-null.js: Added. Test for the bug.
2577         (foo):
2578         * tests/stress/other-is-object-or-null.js: Added. Test for a bug I almost introduced.
2579         (foo):
2580
2581 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2582
2583         It should be easy to measure total compile times.
2584         https://bugs.webkit.org/show_bug.cgi?id=146857
2585
2586         Reviewed by Sam Weinig.
2587         
2588         This gives DFG::Plan the ability to track total compile times, and return them in a map
2589         of stats that jsc.cpp can display.
2590         
2591         I want to do some work to bring down DFG compile times. This will help me measure whether
2592         I'm making a difference or not.
2593
2594         * dfg/DFGPlan.cpp:
2595         (JSC::DFG::Plan::Plan):
2596         (JSC::DFG::Plan::~Plan):
2597         (JSC::DFG::Plan::computeCompileTimes):
2598         (JSC::DFG::Plan::reportCompileTimes):
2599         (JSC::DFG::Plan::compileInThread):
2600         (JSC::DFG::Plan::compileInThreadImpl):
2601         (JSC::DFG::Plan::cancel):
2602         (JSC::DFG::Plan::compileTimeStats):
2603         (JSC::DFG::dumpAndVerifyGraph): Deleted.
2604         (JSC::DFG::profilerCompilationKindForMode): Deleted.
2605         * dfg/DFGPlan.h:
2606         (JSC::DFG::Plan::compileTimeStats):
2607         * jsc.cpp:
2608         (jscmain):
2609         * runtime/Options.h:
2610
2611 2015-07-04  Filip Pizlo  <fpizlo@apple.com>
2612
2613         DFG fragile frozen values are fundamentally broken
2614         https://bugs.webkit.org/show_bug.cgi?id=146602
2615
2616         Reviewed by Mark Lam.
2617         
2618         This change gets rid of the FragileValue value strength, because it was fundamentally
2619         broken.
2620         
2621         FragileValue was a value known to the compiler but not tracked by the GC in any way -
2622         it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
2623         must-handle values. The philosophy was that if the compiler did use the value for
2624         optimization, it would have been strengthened to a weak value (or maybe even a strong
2625         value, though we probably won't do that). But this was too much of a pipe dream. I've
2626         found at least one case where the compiler did use the value, but never strengthened
2627         it: it would happen if the value ended up in an OSR entry data expected value. Then if
2628         we GCed, we might have killed the value, but OSR entry would still try to use it for
2629         validation. That might have sort of just worked, but it's clearly shady.
2630
2631         The reason why we made must-handle values fragile and not weak is that most of the time
2632         the values disappear from the abstract state: they are LUBed to a non-constant. If we
2633         kept them around as weak, we'd have too many cases of the GC killing the code because
2634         it thought that the value was somehow meaningful to the code when it was only used as a
2635         temporary artifact of optimization.
2636
2637         So, it's true that it's very important for must-handle values not to automatically be
2638         weak or strong. It's also true that the values are necessary for AI bootstrap because
2639         we need to know what values OSR entry will require. But we shouldn't accomplish these
2640         goals by having the compiler hold onto what are essentially dangling pointers.
2641         
2642         This implements a better solution: instead of having InPlaceAbstractState bootstrap the
2643         AI with must-handle values at the beginning, we now widen the valuesAtHead of the
2644         must-handle block after AI converges. This widening is done in CFAPhase. This allows us
2645         to see if the must-handle values are necessary at all. In most cases, the widening
2646         takes a non-constant abstract value and simply amends something to its type based on
2647         the type of the must-handle value, and so the must-handle value never actually shows up
2648         in either the IR or any abstract value. In the unlikely event that the value at head is
2649         bottom, we freeze the must-handle value. This change removes FragileValue, and this
2650         freezing uses WeakValue as the strength. That makes sense: since the abstract value was
2651         bottom, the must-handle value becomes integral to the IR and so it makes no sense for
2652         the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
2653         sometimes happen for example if you have a very long-running loop whose pre-header
2654         allocates some object, but that pre-header appears to always exit to the optimizing JIT
2655         because it was only profiled once in the LLInt and that profiling appears insufficient
2656         to the DFG. In that case, we'll effectively constant-fold the references to the object
2657         inside the loop, which is both efficient (yay constant folding!) and necessary
2658         (otherwise we wouldn't know what the type of the variable should have been).
2659         
2660         Testing and debugging this is complicated. So, this adds some new capabilities:
2661         
2662         - DFG IR dumps also dump all of the FrozenValues that point to the heap along with
2663           their strengths, so that it's easy to see what GC objects the DFG feels are necessary
2664           for the compilation.
2665         
2666         - DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
2667           to see what GC pointers (and other things) are used for OSR entry validation. The
2668           printouts are quite detailed, and should also help other kinds of OSR entry
2669           debugging.
2670         
2671         - DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
2672           data structures are also properly registered as either weak or strong pointers in the
2673           CodeBlock. This validation check previously failed due to fragile values ending up in
2674           the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
2675           and in some pre-existing tests (like earley-boyer and 3d-raytrace).
2676
2677         * CMakeLists.txt:
2678         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2679         * JavaScriptCore.xcodeproj/project.pbxproj:
2680         * bytecode/CodeBlock.cpp:
2681         (JSC::CodeBlock::stronglyVisitStrongReferences):
2682         * bytecode/CodeOrigin.cpp:
2683         (JSC::InlineCallFrame::visitAggregate):
2684         * bytecode/Operands.h:
2685         (JSC::Operands::operand):
2686         (JSC::Operands::hasOperand):
2687         * bytecode/StructureSet.cpp:
2688         (JSC::StructureSet::dump):
2689         (JSC::StructureSet::validateReferences):
2690         * bytecode/StructureSet.h:
2691         * bytecode/TrackedReferences.cpp: Added.
2692         (JSC::TrackedReferences::TrackedReferences):
2693         (JSC::TrackedReferences::~TrackedReferences):
2694         (JSC::TrackedReferences::add):
2695         (JSC::TrackedReferences::check):
2696         (JSC::TrackedReferences::dump):
2697         * bytecode/TrackedReferences.h: Added.
2698         * dfg/DFGAbstractValue.cpp:
2699         (JSC::DFG::AbstractValue::observeTransitions):
2700         (JSC::DFG::AbstractValue::set):
2701         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2702         (JSC::DFG::AbstractValue::mergeOSREntryValue):
2703         (JSC::DFG::AbstractValue::filter):
2704         (JSC::DFG::AbstractValue::dumpInContext):
2705         (JSC::DFG::AbstractValue::validateReferences):
2706         (JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
2707         * dfg/DFGAbstractValue.h:
2708         (JSC::DFG::AbstractValue::fullTop):
2709         (JSC::DFG::AbstractValue::merge):
2710         * dfg/DFGByteCodeParser.cpp:
2711         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2712         * dfg/DFGCFAPhase.cpp:
2713         (JSC::DFG::CFAPhase::run):
2714         * dfg/DFGCommonData.cpp:
2715         (JSC::DFG::CommonData::invalidate):
2716         (JSC::DFG::CommonData::validateReferences):
2717         * dfg/DFGCommonData.h:
2718         (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
2719         * dfg/DFGFrozenValue.h:
2720         (JSC::DFG::FrozenValue::FrozenValue):
2721         (JSC::DFG::FrozenValue::strengthenTo):
2722         (JSC::DFG::FrozenValue::pointsToHeap):
2723         (JSC::DFG::FrozenValue::strength):
2724         (JSC::DFG::FrozenValue::freeze):
2725         * dfg/DFGGraph.cpp:
2726         (JSC::DFG::Graph::Graph):
2727         (JSC::DFG::Graph::dump):
2728         (JSC::DFG::Graph::registerFrozenValues):
2729         (JSC::DFG::Graph::visitChildren):
2730         (JSC::DFG::Graph::freeze):
2731         (JSC::DFG::Graph::freezeStrong):
2732         (JSC::DFG::Graph::freezeFragile): Deleted.
2733         * dfg/DFGGraph.h:
2734         * dfg/DFGInPlaceAbstractState.cpp:
2735         (JSC::DFG::InPlaceAbstractState::initialize):
2736         * dfg/DFGJITCode.cpp:
2737         (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
2738         (JSC::DFG::JITCode::validateReferences):
2739         * dfg/DFGJITCode.h:
2740         * dfg/DFGJITCompiler.cpp:
2741         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
2742         (JSC::DFG::JITCompiler::noticeOSREntry):
2743         * dfg/DFGJITCompiler.h:
2744         (JSC::DFG::JITCompiler::branchStructurePtr):
2745         (JSC::DFG::JITCompiler::jitCode):
2746         (JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
2747         * dfg/DFGMinifiedGraph.cpp: Added.
2748         (JSC::DFG::MinifiedGraph::prepareAndShrink):
2749         (JSC::DFG::MinifiedGraph::validateReferences):
2750         * dfg/DFGMinifiedGraph.h:
2751         (JSC::DFG::MinifiedGraph::append):
2752         (JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
2753         * dfg/DFGOSREntry.cpp:
2754         (JSC::DFG::OSREntryData::dumpInContext):
2755         (JSC::DFG::OSREntryData::dump):
2756         (JSC::DFG::prepareOSREntry):
2757         * dfg/DFGOSREntry.h:
2758         (JSC::DFG::getOSREntryDataBytecodeIndex):
2759         * dfg/DFGPlan.cpp:
2760         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2761         * dfg/DFGSpeculativeJIT.cpp:
2762         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2763         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2764         * dfg/DFGStructureAbstractValue.cpp:
2765         (JSC::DFG::StructureAbstractValue::dump):
2766         (JSC::DFG::StructureAbstractValue::validateReferences):
2767         * dfg/DFGStructureAbstractValue.h:
2768         * dfg/DFGValidate.cpp:
2769         (JSC::DFG::Validate::validate):
2770         * dfg/DFGValueStrength.cpp:
2771         (WTF::printInternal):
2772         * dfg/DFGValueStrength.h:
2773         (JSC::DFG::merge):
2774         * ftl/FTLExitPropertyValue.cpp:
2775         (JSC::FTL::ExitPropertyValue::dump):
2776         (JSC::FTL::ExitPropertyValue::validateReferences):
2777         * ftl/FTLExitPropertyValue.h:
2778         * ftl/FTLExitTimeObjectMaterialization.cpp:
2779         (JSC::FTL::ExitTimeObjectMaterialization::dump):
2780         (JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
2781         * ftl/FTLExitTimeObjectMaterialization.h:
2782         * ftl/FTLExitValue.cpp:
2783         (JSC::FTL::ExitValue::dump):
2784         (JSC::FTL::ExitValue::validateReferences):
2785         * ftl/FTLExitValue.h:
2786         * ftl/FTLJITCode.cpp:
2787         (JSC::FTL::JITCode::dfgCommon):
2788         (JSC::FTL::JITCode::validateReferences):
2789         * ftl/FTLJITCode.h:
2790         (JSC::FTL::JITCode::handles):
2791         (JSC::FTL::JITCode::dataSections):
2792         * ftl/FTLOSRExit.cpp:
2793         (JSC::FTL::OSRExit::codeLocationForRepatch):
2794         (JSC::FTL::OSRExit::validateReferences):
2795         * ftl/FTLOSRExit.h:
2796         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2797         * jit/JITCode.cpp:
2798         (JSC::JITCode::typeName):
2799         (JSC::JITCode::validateReferences):
2800         (JSC::JITCode::execute):
2801         * jit/JITCode.h:
2802         (JSC::JITCode::start):
2803         * tests/stress/dead-osr-entry-value.js: Added.
2804         (foo):
2805
2806 2015-07-09  Filip Pizlo  <fpizlo@apple.com>
2807
2808         It should be possible to run the OSR exit fuzzer
2809         https://bugs.webkit.org/show_bug.cgi?id=146814
2810
2811         Reviewed by Mark Lam.
2812         
2813         Fix a silly bug: the option matching was accidentally allowing a prefix match, which
2814         always did the wrong thing for --fireOSRExitFuzzAt and --fireOSRExitFuzzAtStatic. Make
2815         this an exact match instead.
2816
2817         * runtime/Options.cpp:
2818         (JSC::Options::setOption):
2819
2820 2015-07-09  Mark Lam  <mark.lam@apple.com>
2821
2822         SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.
2823         https://bugs.webkit.org/show_bug.cgi?id=146807
2824
2825         Reviewed by Filip Pizlo.
2826
2827         When we capture an argument by name and we use "arguments", we put all of the
2828         arguments into the scope.  But destructured arguments are put into the scope
2829         anonymously i.e. the SymbolTable knows that the scope offset is in use via
2830         SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in
2831         SymbolTable::m_map.
2832
2833         The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will
2834         have a size which is based on the largest ScopeOffset in the m_map.  If we have a
2835         scenario where the anonymous argument is at a higher ScopeOffset than all the
2836         named arguments, then the m_localsToEntry vector will not have an entry for it
2837         i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of
2838         the anonymous argument.
2839
2840         Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is
2841         within the bounds of the m_localToEntry vector before indexing into it.
2842
2843         * runtime/SymbolTable.cpp:
2844         (JSC::SymbolTable::entryFor):
2845
2846 2015-07-09  Michael Saboff  <msaboff@apple.com>
2847
2848         REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
2849         https://bugs.webkit.org/show_bug.cgi?id=146767
2850
2851         Reviewed by Geoffrey Garen.
2852
2853         If the stack check fails at the top most frame, we must use that frame to
2854         generate the exception.  Reverted the code to always use the current frame to
2855         throw an out of stack exception.
2856
2857         * llint/LLIntSlowPaths.cpp:
2858         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2859
2860 2015-07-03  Filip Pizlo  <fpizlo@apple.com>
2861
2862         OSR exit fuzzing should allow us to select a static exit site
2863         https://bugs.webkit.org/show_bug.cgi?id=146601
2864
2865         Reviewed by Geoffrey Garen.
2866         
2867         The original implementation of the fuzzer allows us to trigger an exit based on its index
2868         in the dynamic sequence of exit sites encountered. But there are usually millions of
2869         dynamically encountered exit sites, even if the program only has thousands of static exit
2870         sites. That means that we would at best be able to do a random sampling of exits, and
2871         those would be biased to the hottest exit sites.
2872         
2873         This change allows us to also select exit sites based on their index in the static
2874         sequence of exit sites that the compiler compiled. Then, once that static exit site is
2875         selected, we can select which dynamic exit at that exit site we should trigger. Since the
2876         number of static exit sites is usually smallish (it's bounded by program size), we can do
2877         an exhaustive search over all exit sites in most programs.
2878
2879         * dfg/DFGOSRExitFuzz.cpp:
2880         (JSC::numberOfStaticOSRExitFuzzChecks):
2881         (JSC::numberOfOSRExitFuzzChecks):
2882         * dfg/DFGOSRExitFuzz.h:
2883         (JSC::DFG::doOSRExitFuzzing):
2884         * dfg/DFGSpeculativeJIT.cpp:
2885         (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
2886         * ftl/FTLLowerDFGToLLVM.cpp:
2887         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2888         * jsc.cpp:
2889         (jscmain):
2890         * runtime/Options.h:
2891         * runtime/TestRunnerUtils.h:
2892
2893 2015-07-08  Joseph Pecoraro  <pecoraro@apple.com>
2894
2895         Fix grammar issue in TypeError attempting to change an unconfigurable property
2896         https://bugs.webkit.org/show_bug.cgi?id=146774
2897
2898         Reviewed by Brent Fulgham.
2899
2900         * runtime/JSFunction.cpp:
2901         (JSC::JSFunction::defineOwnProperty):
2902         * runtime/JSObject.cpp:
2903         (JSC::JSObject::defineOwnNonIndexProperty):
2904         * runtime/StringObject.cpp:
2905         (JSC::StringObject::defineOwnProperty):
2906
2907 2015-07-06  Csaba Osztrogonác  <ossy@webkit.org>
2908
2909         Remove the unused HeapBlock.h
2910         https://bugs.webkit.org/show_bug.cgi?id=146580
2911
2912         Reviewed by Andreas Kling.
2913
2914         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2915         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2916         * JavaScriptCore.xcodeproj/project.pbxproj:
2917         * heap/CopiedBlock.h:
2918         * heap/CopiedSpace.h:
2919         * heap/CopiedSpaceInlines.h:
2920         * heap/HandleBlock.h:
2921         * heap/HeapBlock.h: Removed.
2922         * heap/MarkedBlock.h:
2923
2924 2015-07-06  Saam barati  <saambarati1@gmail.com>
2925
2926         JSC's parser should follow the ES6 spec with respect to parsing Declarations
2927         https://bugs.webkit.org/show_bug.cgi?id=146621
2928
2929         Reviewed by Mark Lam.
2930
2931         There were a few locations where JSC would allow declaration statements
2932         in incorrect ways. JSC didn't distinguish between 'Statement' and
2933         'StatementListItem' grammar productions. The relevant grammar is here:
2934         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements
2935
2936         From the ECMA Script 6.0 spec:
2937         1. Section 13.6 The if Statement (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-if-statement) 
2938          says that IfStatements only takes Statements for the "then-else" clauses, not StatementListItems.
2939          (Same with 'while/for/do-while' loop bodies).
2940         2. Section 13 ECMAScript Language: Statements and Declarations 
2941          (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-ecmascript-language-statements-and-declarations)
2942          defines the syntax of Statements, and they do not include ClassDeclarations and LexicalDeclarations 
2943          (const, let, see 13.3.1 Let and Const Declarations).
2944          Declarations can only be in the “then-else” clauses when embedded in a StatementListItem in a BlockStatement (see 13.2).
2945
2946         Hence, the following style of declarations are no longer allowed:
2947             'if/for/while (condition) const x = 40;'
2948             'if/for/while (condition) class C { }'
2949
2950         Instead, we mandate such declaration constructs are within a StatementList 
2951        (which is the production that JSC's Parser::parseSourceElements function parses):
2952            'if/for/while (condition) { const x = 40; }'
2953            'if/for/while (condition) { class C { } }'
2954
2955         * parser/Parser.cpp:
2956         (JSC::Parser<LexerType>::parseSourceElements):
2957         (JSC::Parser<LexerType>::parseStatementListItem):
2958         (JSC::Parser<LexerType>::parseVarDeclaration):
2959         (JSC::Parser<LexerType>::parseStatement):
2960         (JSC::Parser<LexerType>::parseExpressionStatement):
2961         * parser/Parser.h:
2962         (JSC::Parser::getLabel):
2963
2964 2015-07-06  Alex Christensen  <achristensen@webkit.org>
2965
2966         Unreviewed debug build fix after r186358.
2967
2968         * runtime/JSArray.cpp:
2969         (JSC::JSArray::fastConcatWith):
2970         Pass vm parameter to fastConcatType.
2971
2972 2015-07-06  Ryosuke Niwa  <rniwa@webkit.org>
2973
2974         Array.concat should be fast for integer or double arrays
2975         https://bugs.webkit.org/show_bug.cgi?id=146260
2976
2977         Reviewed by Darin Adler.
2978
2979         Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous
2980         arrays, simply memcopy the arrays into a new uninitialized buffer.
2981
2982         This improves huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro.
2983
2984         * runtime/ArrayPrototype.cpp:
2985         (JSC::arrayProtoFuncConcat):
2986         * runtime/JSArray.cpp:
2987         (JSC::JSArray::fastConcatWith): Added.
2988         * runtime/JSArray.h:
2989         (JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use
2990         the fact path. Returns NonArray otherwise.
2991
2992 2015-07-06  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2993
2994         [Streams API] Remove ReadableStream custom constructor
2995         https://bugs.webkit.org/show_bug.cgi?id=146547
2996
2997         Reviewed by Darin Adler.
2998
2999         Adding helper function to throw range errors.
3000
3001         * runtime/Error.h:
3002         (JSC::throwRangeError):
3003         (JSC::throwVMRangeError):
3004
3005 2015-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3006
3007         [ES6] Implement the latest Promise spec in JS
3008         https://bugs.webkit.org/show_bug.cgi?id=146229
3009
3010         Reviewed by Sam Weinig.
3011
3012         Updated the Promise implementation to meet to the ES6 spec.
3013         This patch
3014         1. Implement ES6 Promise and related abstract operations in builtins JS
3015         2. Expose @enqueueJob private function to JS world to post the microtask
3016
3017         Updated implementation has one-on-one correspondence to the ES6 spec description.
3018         And keep the JSPromiseDeferred because it is the interface used from the WebCore.
3019
3020         * CMakeLists.txt:
3021         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3022         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3023         * JavaScriptCore.xcodeproj/project.pbxproj:
3024         * builtins/Array.prototype.js:
3025         (reduce):
3026         (reduceRight):
3027         (every):
3028         (forEach):
3029         (filter):
3030         (map):
3031         (some):
3032         (fill):
3033         (find):
3034         (findIndex):
3035         (includes):
3036         (copyWithin):
3037         ToInteger / ToLength are renamed to toInteger and toLength.
3038         * builtins/ArrayConstructor.js:
3039         (from):
3040         ToInteger / ToLength are renamed to toInteger and toLength.
3041         * builtins/GlobalObject.js:
3042         (toInteger):
3043         (toLength):
3044         (isObject):
3045         (ToInteger): Deleted.
3046         (ToLength): Deleted.
3047         ToInteger / ToLength are renamed to toInteger and toLength.
3048         Add new abstract operation, isObject.
3049         * builtins/Operations.Promise.js: Added.
3050         (isPromise):
3051         (newPromiseReaction):
3052         (newPromiseDeferred):
3053         (newPromiseCapability.executor):
3054         (newPromiseCapability):
3055         (triggerPromiseReactions):
3056         (rejectPromise):
3057         (fulfillPromise):
3058         (createResolvingFunctions.resolve):
3059         (createResolvingFunctions.reject):
3060         (createResolvingFunctions):
3061         (promiseReactionJob):
3062         (promiseResolveThenableJob):
3063         (initializePromise):
3064         Added Promise related abstract operations.
3065         * builtins/Promise.prototype.js:
3066         (catch):
3067         (.onFulfilled):
3068         (.onRejected):
3069         (then):
3070         Promise#then implementation in JS.
3071         * builtins/PromiseConstructor.js: Added.
3072         (all.newResolveElement):
3073         (all):
3074         (race):
3075         (reject):
3076         (resolve):
3077         Promise static functions implementations in JS.
3078         * builtins/StringConstructor.js:
3079         (raw):
3080         ToInteger / ToLength are renamed to toInteger and toLength.
3081         * inspector/JSInjectedScriptHost.cpp:
3082         (Inspector::JSInjectedScriptHost::getInternalProperties):
3083         * runtime/CommonIdentifiers.h:
3084         * runtime/JSGlobalObject.cpp:
3085         (JSC::enqueueJob):
3086         (JSC::JSGlobalObject::init):
3087         (JSC::JSGlobalObject::visitChildren):
3088         * runtime/JSGlobalObject.h:
3089         (JSC::JSGlobalObject::initializePromiseFunction):
3090         (JSC::JSGlobalObject::newPromiseDeferredFunction):
3091         * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h.
3092         (JSC::createJSJob):
3093         (JSC::JSJobMicrotask::run):
3094         * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h.
3095         * runtime/JSPromise.cpp:
3096         (JSC::JSPromise::create):
3097         (JSC::JSPromise::JSPromise):
3098         (JSC::JSPromise::finishCreation):
3099         (JSC::JSPromise::result):
3100         (JSC::JSPromise::destroy): Deleted.
3101         (JSC::JSPromise::visitChildren): Deleted.
3102         (JSC::JSPromise::reject): Deleted.
3103         (JSC::JSPromise::resolve): Deleted.
3104         (JSC::JSPromise::appendResolveReaction): Deleted.
3105         (JSC::JSPromise::appendRejectReaction): Deleted.
3106         (JSC::triggerPromiseReactions): Deleted.
3107         * runtime/JSPromise.h:
3108         (JSC::JSPromise::status): Deleted.
3109         (JSC::JSPromise::result): Deleted.
3110         (JSC::JSPromise::constructor): Deleted.
3111         * runtime/JSPromiseConstructor.cpp:
3112         (JSC::constructPromise):
3113         (JSC::JSPromiseConstructorFuncResolve): Deleted.
3114         (JSC::JSPromiseConstructorFuncReject): Deleted.
3115         (JSC::performPromiseRaceLoop): Deleted.
3116         (JSC::JSPromiseConstructorFuncRace): Deleted.
3117         (JSC::performPromiseAll): Deleted.
3118         (JSC::JSPromiseConstructorFuncAll): Deleted.
3119         * runtime/JSPromiseDeferred.cpp:
3120         (JSC::JSPromiseDeferred::create):
3121         (JSC::createJSPromiseDeferredFromConstructor): Deleted.
3122         (JSC::updateDeferredFromPotentialThenable): Deleted.
3123         (JSC::performDeferredResolve): Deleted.
3124         (JSC::performDeferredReject): Deleted.
3125         (JSC::abruptRejection): Deleted.
3126         * runtime/JSPromiseDeferred.h:
3127         * runtime/JSPromiseFunctions.cpp: Removed.
3128         (JSC::deferredConstructionFunction): Deleted.
3129         (JSC::createDeferredConstructionFunction): Deleted.
3130         (JSC::identifyFunction): Deleted.
3131         (JSC::createIdentifyFunction): Deleted.
3132         (JSC::promiseAllCountdownFunction): Deleted.
3133         (JSC::createPromiseAllCountdownFunction): Deleted.
3134         (JSC::promiseResolutionHandlerFunction): Deleted.
3135         (JSC::createPromiseResolutionHandlerFunction): Deleted.
3136         (JSC::rejectPromiseFunction): Deleted.
3137         (JSC::createRejectPromiseFunction): Deleted.
3138         (JSC::resolvePromiseFunction): Deleted.
3139         (JSC::createResolvePromiseFunction): Deleted.
3140         (JSC::throwerFunction): Deleted.
3141         (JSC::createThrowerFunction): Deleted.
3142         * runtime/JSPromisePrototype.cpp:
3143         (JSC::JSPromisePrototypeFuncThen): Deleted.
3144         * runtime/JSPromiseReaction.cpp: Removed.
3145         (JSC::createExecutePromiseReactionMicrotask): Deleted.
3146         (JSC::ExecutePromiseReactionMicrotask::run): Deleted.
3147         (JSC::JSPromiseReaction::create): Deleted.
3148         (JSC::JSPromiseReaction::JSPromiseReaction): Deleted.
3149         (JSC::JSPromiseReaction::finishCreation): Deleted.
3150         (JSC::JSPromiseReaction::visitChildren): Deleted.
3151         * runtime/VM.cpp:
3152         (JSC::VM::VM): Deleted.
3153         * runtime/VM.h:
3154
3155 2015-07-04  Chris Dumez  <cdumez@apple.com>
3156
3157         Drop RefPtr::clear() method
3158         https://bugs.webkit.org/show_bug.cgi?id=146556
3159
3160         Reviewed by Brady Eidson.
3161
3162         Drop RefPtr::clear() method in favor of "= nullptr;" pattern.
3163
3164 2015-07-03  Dan Bernstein  <mitz@apple.com>
3165
3166         Just give up on -Wunreachable-code in JavaScriptCore.
3167
3168         * Configurations/Base.xcconfig:
3169         * llint/LowLevelInterpreter.cpp:
3170         (JSC::CLoop::execute):
3171
3172 2015-07-03  Dan Bernstein  <mitz@apple.com>
3173
3174         Fixed the LLINT CLoop build.
3175
3176         * llint/LowLevelInterpreter.cpp:
3177         (JSC::CLoop::execute):
3178
3179 2015-07-03  Dan Bernstein  <mitz@apple.com>
3180
3181         [Xcode] Update some build settings as recommended by Xcode 7
3182         https://bugs.webkit.org/show_bug.cgi?id=146597
3183
3184         Reviewed by Sam Weinig.
3185
3186         * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
3187         GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.
3188
3189         * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.
3190
3191         * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings.
3192
3193 2015-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3194
3195         Relax builtin JS restriction about try-catch
3196         https://bugs.webkit.org/show_bug.cgi?id=146555
3197
3198         Reviewed by Sam Weinig.
3199
3200         When retrieving the captured variables from the full activated scope,
3201         it swapped the given vector with the stored declared variables vector.
3202         This is because retrieving the captured variables are executed in the
3203         last sequence of the parser, so declared variables are no longer used.
3204         However, in builtins functions case, after retrieving the captured
3205         variables, we check the variables by using declared variables vector.
3206         So at that time, the declared variables vector becomes empty and it
3207         raises assertion failures when the builtins function contains the full
3208         activated scope. try-catch's catch scope requires the upper scope full
3209         activated, so JS code in the builtins cannot use the try-catch.
3210
3211         This patch relaxes this restriction. When retrieving the captured
3212         variables from the scope, just copy to the given vector.
3213
3214         * parser/Parser.h:
3215         (JSC::Scope::getCapturedVariables):
3216
3217 2015-07-02  Filip Pizlo  <fpizlo@apple.com>
3218
3219         DFG and FTL should have an OSR exit fuzzer
3220         https://bugs.webkit.org/show_bug.cgi?id=146562
3221
3222         Reviewed by Benjamin Poulain.
3223         
3224         Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I
3225         spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how
3226         to harness this after I land it.
3227         
3228         Since it's turned off by default, it should have no effect on behavior.
3229
3230         * CMakeLists.txt:
3231         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3232         * JavaScriptCore.xcodeproj/project.pbxproj:
3233         * dfg/DFGOSRExitFuzz.cpp: Added.
3234         (JSC::numberOfOSRExitFuzzChecks):
3235         * dfg/DFGOSRExitFuzz.h: Added.
3236         * dfg/DFGSpeculativeJIT.cpp:
3237         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
3238         (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
3239         (JSC::DFG::SpeculativeJIT::speculationCheck):
3240         * dfg/DFGSpeculativeJIT.h:
3241         * ftl/FTLLowerDFGToLLVM.cpp:
3242         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
3243         * jsc.cpp:
3244         (jscmain):
3245         * runtime/Options.h:
3246         * runtime/TestRunnerUtils.h:
3247
3248 2015-07-02  Saam barati  <saambarati1@gmail.com>
3249
3250         Rename "Deconstruction" to "Destructuring" throughout JSC
3251         https://bugs.webkit.org/show_bug.cgi?id=146100
3252
3253         Reviewed by Mark Lam.
3254
3255         It is good to use the same naming conventions as the ES6 
3256         spec because it is the de facto way of speaking about these 
3257         language features. This also has the benefit of improving JSC's
3258         hackability because it improves code readability for newcomers 
3259         to JSC or newcomers to this part of the code base.
3260
3261         * bytecompiler/BytecodeGenerator.cpp:
3262         (JSC::BytecodeGenerator::generate):
3263         (JSC::BytecodeGenerator::BytecodeGenerator):
3264         (JSC::BytecodeGenerator::initializeNextParameter):
3265         (JSC::BytecodeGenerator::visibleNameForParameter):
3266         * bytecompiler/BytecodeGenerator.h:
3267         (JSC::BytecodeGenerator::registerFor):
3268         * bytecompiler/NodesCodegen.cpp:
3269         (JSC::ForInNode::tryGetBoundLocal):
3270         (JSC::ForInNode::emitLoopHeader):
3271         (JSC::ForOfNode::emitBytecode):
3272         (JSC::ClassExprNode::emitBytecode):
3273         (JSC::DestructuringAssignmentNode::emitBytecode):
3274         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
3275         (JSC::ArrayPatternNode::collectBoundIdentifiers):
3276         (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted.
3277         (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted.
3278         * parser/ASTBuilder.h:
3279         (JSC::ASTBuilder::createElementList):
3280         (JSC::ASTBuilder::createFormalParameterList):
3281         (JSC::ASTBuilder::createClause):
3282         (JSC::ASTBuilder::createClauseList):
3283         (JSC::ASTBuilder::createForInLoop):
3284         (JSC::ASTBuilder::createForOfLoop):
3285         (JSC::ASTBuilder::isBindingNode):
3286         (JSC::ASTBuilder::isResolve):
3287         (JSC::ASTBuilder::createDestructuringAssignment):
3288         (JSC::ASTBuilder::createArrayPattern):
3289         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
3290         (JSC::ASTBuilder::appendArrayPatternEntry):
3291         (JSC::ASTBuilder::appendArrayPatternRestEntry):
3292         (JSC::ASTBuilder::createObjectPattern):
3293         (JSC::ASTBuilder::appendObjectPatternEntry):
3294         (JSC::ASTBuilder::createDeconstructingAssignment): Deleted.
3295         * parser/NodeConstructors.h:
3296         (JSC::TryNode::TryNode):
3297         (JSC::ParameterNode::ParameterNode):
3298         (JSC::ForOfNode::ForOfNode):
3299         (JSC::DestructuringPatternNode::DestructuringPatternNode):
3300         (JSC::ArrayPatternNode::ArrayPatternNode):
3301         (JSC::ArrayPatternNode::create):
3302         (JSC::ObjectPatternNode::ObjectPatternNode):
3303         (JSC::BindingNode::create):
3304         (JSC::BindingNode::BindingNode):
3305         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
3306         (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted.
3307         (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted.
3308         * parser/Nodes.cpp:
3309         (JSC::FunctionParameters::create):
3310         * parser/Nodes.h:
3311         (JSC::ExpressionNode::isResolveNode):
3312         (JSC::ExpressionNode::isBracketAccessorNode):
3313         (JSC::ExpressionNode::isDotAccessorNode):
3314         (JSC::ExpressionNode::isDestructuringNode):
3315         (JSC::ExpressionNode::isFuncExprNode):
3316         (JSC::ExpressionNode::isCommaNode):
3317         (JSC::ExpressionNode::isSimpleArray):
3318         (JSC::ParameterNode::pattern):
3319         (JSC::ParameterNode::nextParam):
3320         (JSC::FunctionParameters::size):
3321         (JSC::FunctionParameters::at):
3322         (JSC::FunctionParameters::patterns):
3323         (JSC::DestructuringPatternNode::isBindingNode):
3324         (JSC::DestructuringPatternNode::emitDirectBinding):
3325         (JSC::ArrayPatternNode::appendIndex):
3326         (JSC::ObjectPatternNode::appendEntry):
3327         (JSC::BindingNode::boundProperty):
3328         (JSC::DestructuringAssignmentNode::bindings):
3329         (JSC::ExpressionNode::isDeconstructionNode): Deleted.
3330         (JSC::DeconstructionPatternNode::isBindingNode): Deleted.
3331         (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted.
3332         (JSC::DeconstructingAssignmentNode::bindings): Deleted.
3333         * parser/Parser.cpp:
3334         (JSC::Parser<LexerType>::parseVarDeclaration):
3335         (JSC::Parser<LexerType>::parseWhileStatement):
3336         (JSC::Parser<LexerType>::parseVarDeclarationList):
3337         (JSC::Parser<LexerType>::createBindingPattern):
3338         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
3339         (JSC::Parser<LexerType>::parseDestructuringPattern):
3340         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
3341         (JSC::Parser<LexerType>::parseForStatement):
3342         (JSC::Parser<LexerType>::parseFormalParameters):
3343         (JSC::Parser<LexerType>::parseFunctionParameters):
3344         (JSC::Parser<LexerType>::parseAssignmentExpression):
3345         (JSC::Parser<LexerType>::tryParseDeconstructionPatternExpression): Deleted.
3346         (JSC::Parser<LexerType>::parseDeconstructionPattern): Deleted.
3347         (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern): Deleted.
3348         * parser/Parser.h:
3349         (JSC::isEvalNode):
3350         * parser/SyntaxChecker.h:
3351         (JSC::SyntaxChecker::createPropertyList):
3352         (JSC::SyntaxChecker::createElementList):
3353         (JSC::SyntaxChecker::createFormalParameterList):
3354         (JSC::SyntaxChecker::createClause):
3355         (JSC::SyntaxChecker::createClauseList):
3356         (JSC::SyntaxChecker::operatorStackPop):
3357         * tests/stress/reserved-word-with-escape.js:
3358         * tests/stress/rest-elements.js:
3359
3360 2015-07-02  Mark Lam  <mark.lam@apple.com>
3361
3362         Build fix for Win EWS bot.
3363         https://bugs.webkit.org/show_bug.cgi?id=146551
3364
3365         Not reviewed.
3366
3367         * tools/JSDollarVMPrototype.cpp:
3368         (JSC::functionCrash):
3369
3370 2015-07-02  Dan Bernstein  <mitz@apple.com>
3371
3372         <rdar://problem/21429613> [iOS] Stop making symlinks from PrivateFrameworks to Frameworks
3373         https://bugs.webkit.org/show_bug.cgi?id=146542
3374
3375         Reviewed by Sam Weinig.
3376
3377         * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink.
3378
3379 2015-07-01  Joseph Pecoraro  <pecoraro@apple.com>
3380
3381         Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes
3382         https://bugs.webkit.org/show_bug.cgi?id=146536
3383
3384         Reviewed by Timothy Hatcher.
3385
3386         * inspector/protocol/Timeline.json:
3387         Change a CPUProfile from sending a required "calls" param to sending a required
3388         "callInfo" param which includes aggregated information about the calls.
3389
3390 2015-06-30  Filip Pizlo  <fpizlo@apple.com>
3391
3392         DFG::freezeFragile should register the frozen value's structure
3393         https://bugs.webkit.org/show_bug.cgi?id=136055
3394         rdar://problem/21042120
3395
3396         Reviewed by Mark Lam and Geoffrey Garen.
3397         
3398         This fixes weird concurrency bugs where the constant folding phase tries to convert
3399         something to a constant but then crashes because the constant's structure wasn't
3400         registered. The AI was registering the structure of any value it saw, but constant folding
3401         wasn't - and that's fine so long as there ain't no concurrency.
3402         
3403         The best fix is to just make it impossible to introduce a constant into the IR without
3404         registering its structure. That's what this change does. This is not only a great
3405         concurrency fix - it also makes the compiler somewhat easier to hack on because it's one
3406         less case of structure registering that you have to remember about.
3407         
3408         * dfg/DFGAbstractValue.cpp:
3409         (JSC::DFG::AbstractValue::setOSREntryValue): No need to register.
3410         (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state.
3411         * dfg/DFGGraph.cpp:
3412         (JSC::DFG::Graph::freezeFragile): Register the structure.
3413         * dfg/DFGStructureRegistrationPhase.cpp:
3414         (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered.
3415
3416 2015-07-01  Matthew Mirman  <mmirman@apple.com>
3417
3418         Unreviewed, rolling out r185889
3419         https://bugs.webkit.org/show_bug.cgi?id=146528
3420         rdar://problem/21573959
3421
3422         Patch breaks chromeexperiments.com
3423         
3424         Reverted changeset:
3425         
3426         * CMakeLists.txt:
3427         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3428         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3429         * JavaScriptCore.xcodeproj/project.pbxproj:
3430         * inspector/InjectedScriptSource.js:
3431         (.):
3432         * runtime/JSBoundSlotBaseFunction.cpp: Removed.
3433         * runtime/JSBoundSlotBaseFunction.h: Removed.
3434         * runtime/JSGlobalObject.cpp:
3435         (JSC::JSGlobalObject::init): Deleted.
3436         (JSC::JSGlobalObject::visitChildren): Deleted.
3437         * runtime/JSGlobalObject.h:
3438         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
3439         * runtime/JSObject.cpp:
3440         (JSC::JSObject::getOwnPropertyDescriptor):
3441         (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
3442         * runtime/VM.cpp:
3443         (JSC::VM::VM): Deleted.
3444         * runtime/VM.h:
3445
3446 2015-07-01  Dean Jackson  <dino@apple.com>
3447
3448         Disable the experimental WebGL2 implementation
3449         https://bugs.webkit.org/show_bug.cgi?id=146526
3450         <rdar://problem/21641235>
3451
3452         Reviewed by Myles Maxfield.
3453
3454         Add (and disable) an ENABLE_WEBGL2 flag.
3455
3456         * Configurations/FeatureDefines.xcconfig:
3457
3458 2015-07-01  Matthew Daiter  <mdaiter@apple.com>
3459
3460         Enable MEDIA_STREAM flag
3461         https://bugs.webkit.org/show_bug.cgi?id=145947
3462         <rdar://problem/21365829>
3463
3464         Reviewed by Eric Carlson.
3465
3466         * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag
3467
3468 2015-06-30  Andy VanWagoner  <thetalecrafter@gmail.com>
3469
3470         Implement ECMAScript Internationalization API
3471         https://bugs.webkit.org/show_bug.cgi?id=90906
3472
3473         Reviewed by Benjamin Poulain.
3474
3475         * CMakeLists.txt: add IntlObject.cpp
3476         * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag
3477         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject
3478         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject
3479         * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject
3480         * runtime/CommonIdentifiers.h: add "Intl" name
3481         * runtime/IntlObject.cpp: Added.
3482         (JSC::IntlObject::IntlObject):
3483         (JSC::IntlObject::create):
3484         (JSC::IntlObject::finishCreation):
3485         (JSC::IntlObject::createStructure):
3486         * runtime/IntlObject.h: Added.
3487         * runtime/JSGlobalObject.cpp: Add global Intl
3488         (JSC::JSGlobalObject::init):
3489
3490 2015-06-30  Basile Clement  <basile_clement@apple.com>
3491
3492         Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes
3493         https://bugs.webkit.org/show_bug.cgi?id=146431
3494
3495         Reviewed by Filip Pizlo.
3496
3497         * dfg/DFGNode.h:
3498         (JSC::DFG::Node::isFunctionAllocation):
3499         (JSC::DFG::Node::isPhantomFunctionAllocation):
3500         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3501         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
3502         * dfg/DFGPromoteHeapAccess.h:
3503         (JSC::DFG::promoteHeapAccess):
3504
3505 2015-06-30  Matt Baker  <mattbaker@apple.com>
3506
3507         Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing
3508         https://bugs.webkit.org/show_bug.cgi?id=146168
3509
3510         Reviewed by Brian Burg.
3511
3512         * inspector/protocol/Timeline.json:
3513         New timeline record type for compositing events.
3514
3515 2015-06-29  Dean Jackson  <dino@apple.com>
3516
3517         Temporarily disable PICTURE_SIZES
3518         https://bugs.webkit.org/show_bug.cgi?id=146435
3519         <rdar://problem/21087013>
3520
3521         Reviewed by Tim Horton.
3522
3523         Temporarily disable PICTURE_SIZES because it causes problems with out
3524         of date <picture> polyfills.
3525
3526         * Configurations/FeatureDefines.xcconfig:
3527
3528 2015-06-29  Youenn Fablet  <youenn.fablet@crf.canon.fr>
3529
3530         Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue
3531         https://bugs.webkit.org/show_bug.cgi?id=146403
3532
3533         Reviewed by Darin Adler.
3534
3535         * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue.
3536
3537 2015-06-28 Aleksandr Skachkov   <gskachkov@gmail.com>
3538
3539         [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and =>
3540         https://bugs.webkit.org/show_bug.cgi?id=146394
3541
3542         Reviewed by Yusuke Suzuki.
3543
3544         * parser/Parser.cpp:
3545         (JSC::Parser<LexerType>::parseFunctionInfo):
3546
3547 2015-06-27  Darin Adler  <darin@apple.com>
3548
3549         Make converting JSString to StringView idiomatically safe
3550         https://bugs.webkit.org/show_bug.cgi?id=146387
3551
3552         Reviewed by Anders Carlsson.
3553
3554         * jsc.cpp:
3555         (functionPrint): Add explicit call to SafeView::get, needed since there
3556         is no StringView temporary.
3557         (functionDebug): Ditto.
3558
3559         * runtime/ArrayPrototype.cpp:
3560         (JSC::holesMustForwardToPrototype): Refactored into helper function.
3561         (JSC::join): Refactored so that StringView is a function argument, making
3562         the lifetime simpler.
3563         (JSC::arrayProtoFuncJoin): Ditto.
3564         (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper.
3565
3566         * runtime/JSGlobalObjectFunctions.cpp:
3567         (JSC::encode): Add explicit call to SafeView::get.
3568
3569         * runtime/JSString.h: Moved declarations of functions to the top of the
3570         file instead of mixing them in with the function definitions. Changed
3571         return type of the view function to return a JSString::SafeView so that
3572         the JSString's lifetime will last as long as the StringView does in
3573         typical coding idioms.
3574         (JSC::JSString::getIndex): Use unsafeView so we can index into the
3575         view; could also have used view.get but here in this class this seems fine.
3576         (JSC::JSRopeString::unsafeView): Renamed existing view function to this.
3577         (JSC::JSString::unsafeView): Ditto.
3578         (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState
3579         and a JSString. The ExecState is needed to create the StringView, and the
3580         JSString needs to be kept alive as long as the StringView is.
3581         (JSC::JSString::SafeView::operator StringView): Call unsafeView.
3582         (JSC::JSString::SafeView::get): Convenience for when we want to call
3583         StringView member functions.
3584         (JSC::JSString::view): Added. Returns a SafeView.
3585
3586         * runtime/StringPrototype.cpp:
3587         (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get.
3588
3589 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
3590
3591         Remove ARMv7Assembler.cpp
3592         https://bugs.webkit.org/show_bug.cgi?id=146340
3593
3594         Reviewed by Filip Pizlo.
3595
3596         * CMakeLists.txt:
3597         * JavaScriptCore.xcodeproj/project.pbxproj:
3598         * assembler/ARMv7Assembler.cpp: Removed.
3599
3600 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
3601
3602         Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989
3603         https://bugs.webkit.org/show_bug.cgi?id=146344
3604
3605         Reviewed by Yusuke Suzuki.
3606
3607         * parser/Parser.cpp:
3608         (JSC::Parser<LexerType>::parseSourceElements):
3609
3610 2015-06-26 Aleksandr Skachkov  <gskachkov@gmail.com>
3611
3612          [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function. 
3613          https://bugs.webkit.org/show_bug.cgi?id=144955
3614
3615          Reviewed by Yusuke Suzuki.
3616
3617          Added support of ES6 arrow function. Changes were made according to following spec http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. Patch does not include any arrow function specific behavior e.g. lexical bind this, arguments and etc.     
3618         This patch implements the simplest cases of arrow function declaration:
3619            parameters             () => 10 + 20
3620            parameter               x => x + 20
3621            parameters         (x, y) => x + y
3622            function with block     x => { return x*10; }
3623
3624         Not implemented:
3625            bind of the this, arguments, super and etc.
3626            exception in case of trying to use 'new' with arrow function
3627
3628         * parser/ASTBuilder.h:
3629         (JSC::ASTBuilder::createFunctionExpr):
3630         (JSC::ASTBuilder::createArrowFunctionExpr):
3631         (JSC::ASTBuilder::createGetterOrSetterProperty):
3632         (JSC::ASTBuilder::createFuncDeclStatement):
3633         * parser/Lexer.cpp:
3634         (JSC::Lexer<T>::setTokenPosition):
3635         (JSC::Lexer<T>::lex):
3636         * parser/Lexer.h:
3637         (JSC::Lexer::lastTokenLocation):
3638         (JSC::Lexer::setTerminator):
3639         * parser/Parser.cpp:
3640         (JSC::Parser<LexerType>::parseInner):
3641         (JSC::Parser<LexerType>::parseSourceElements):
3642         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody):
3643         (JSC::Parser<LexerType>::parseSwitchClauses):
3644         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
3645         (JSC::Parser<LexerType>::parseBlockStatement):
3646         (JSC::Parser<LexerType>::parseFunctionBody):
3647         (JSC::stringForFunctionMode):
3648         (JSC::Parser<LexerType>::parseFunctionParameters):
3649         (JSC::Parser<LexerType>::parseFunctionInfo):
3650         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3651         (JSC::Parser<LexerType>::parseClass):
3652         (JSC::Parser<LexerType>::parseAssignmentExpression):
3653         (JSC::Parser<LexerType>::parsePropertyMethod):
3654         (JSC::Parser<LexerType>::parseGetterSetter):
3655         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
3656         * parser/Parser.h:
3657         (JSC::Parser::locationBeforeLastToken):
3658         (JSC::Parser::isEndOfArrowFunction):
3659         (JSC::Parser::isArrowFunctionParamters):
3660         (JSC::Parser::setEndOfStatement):
3661         * parser/ParserFunctionInfo.h:
3662         * parser/ParserTokens.h:
3663         * parser/SourceCode.h:
3664         (JSC::SourceCode::subArrowExpression):
3665         * parser/SourceProviderCacheItem.h:
3666         (JSC::SourceProviderCacheItem::endFunctionToken):
3667         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
3668         * parser/SyntaxChecker.h:
3669         (JSC::SyntaxChecker::createArrowFunctionExpr):
3670         (JSC::SyntaxChecker::setFunctionNameStart):
3671
3672 2015-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3673
3674         [ES6] Support rest element in destructuring assignments
3675         https://bugs.webkit.org/show_bug.cgi?id=146206
3676
3677         Reviewed by Oliver Hunt.
3678
3679         This patch enables rest element (...rest) in array binding patterns.
3680         It generates array from the iterables.
3681         In variable declarations and parameters, `[...identifier]` form is only allowed,
3682         while expressions can take `[...[...rest]]` pattern.
3683
3684         * bytecompiler/BytecodeGenerator.cpp:
3685         (JSC::BytecodeGenerator::emitEnumeration):
3686         (JSC::BytecodeGenerator::emitIteratorNext):
3687         * bytecompiler/BytecodeGenerator.h:
3688         * bytecompiler/NodesCodegen.cpp:
3689         (JSC::ArrayPatternNode::bindValue):
3690         (JSC::ArrayPatternNode::toString):
3691         * parser/ASTBuilder.h:
3692         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
3693         (JSC::ASTBuilder::appendArrayPatternEntry):
3694         (JSC::ASTBuilder::appendArrayPatternRestEntry):
3695         * parser/Nodes.h:
3696         (JSC::ArrayPatternNode::appendIndex):
3697         * parser/Parser.cpp:
3698         (JSC::Parser<LexerType>::parseDeconstructionPattern):
3699         * parser/SyntaxChecker.h:
3700         (JSC::SyntaxChecker::operatorStackPop):
3701         * tests/stress/rest-elements.js: Added.
3702         (shouldBe):
3703         (shouldThrow):
3704
3705 2015-06-25  Commit Queue  <commit-queue@webkit.org>
3706
3707         Unreviewed, rolling out r185956.
3708         https://bugs.webkit.org/show_bug.cgi?id=146321
3709
3710         Causes massive crashes on test bots (Requested by bfulgham on
3711         #webkit).
3712
3713         Reverted changeset:
3714
3715         "Enabling MEDIA_STREAM"
3716         https://bugs.webkit.org/show_bug.cgi?id=145947
3717         http://trac.webkit.org/changeset/185956
3718
3719 2015-06-25  Michael Saboff  <msaboff@apple.com>
3720
3721         Minor fix to idx bounds check after 185954
3722
3723         Rubber Stamped by Ryosuke Niwa.
3724
3725         Changed "idx > 1" to "idx > 0" in two places.
3726
3727         * runtime/ExceptionHelpers.cpp:
3728         (JSC::functionCallBase):
3729
3730 2015-06-25  Keith Miller  <keith_miller@apple.com>
3731
3732         Address Sanitizer does not play well with memcpy in JSC::MachineThreads::tryCopyOtherThreadStack.
3733         https://bugs.webkit.org/show_bug.cgi?id=146297
3734
3735         Reviewed by Filip Pizlo.
3736
3737         Since we cannot blacklist the system memcpy we must use our own naive implementation,
3738         copyMemory. This is not a significant performance loss as tryCopyOtherThreadStack is
3739         only called as part of an O(heapsize) operation. As the heap is generally much larger
3740         than the stack the performance hit is minimal.
3741
3742         * heap/MachineStackMarker.cpp:
3743         (JSC::copyMemory):
3744         (JSC::MachineThreads::tryCopyOtherThreadStack):
3745         (JSC::asanUnsafeMemcpy): Deleted.
3746
3747 2015-06-25  Matthew Daiter  <mdaiter@apple.com>
3748
3749         Enabling MEDIA_STREAM
3750         https://bugs.webkit.org/show_bug.cgi?id=145947
3751         <rdar://problem/21365829>
3752
3753         Reviewed by Brent Fulgham.
3754
3755         * Configurations/FeatureDefines.xcconfig:
3756
3757 2015-06-25  Michael Saboff  <msaboff@apple.com>
3758
3759         REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689)
3760         https://bugs.webkit.org/show_bug.cgi?id=146298
3761
3762         Reviewed by Mark Lam.
3763
3764         We were underflowing in ExceptionHelpers.cpp::functionCallBase() with a right to left
3765         string index.  Added checks that idx stays within the string.  Also added a termination
3766         condition when idx is 0.
3767
3768         * runtime/ExceptionHelpers.cpp:
3769         (JSC::functionCallBase):
3770
3771 2015-06-24  Chris Dumez  <cdumez@apple.com>
3772
3773         Unreviewed, speculative build fix after r185942.
3774
3775         Add missing include for StrongInlines.h.
3776
3777         * runtime/ArrayPrototype.cpp:
3778
3779 2015-06-24  Darin Adler  <darin@apple.com>
3780
3781         Optimize Array.join and Array.reverse for high speed array types
3782         https://bugs.webkit.org/show_bug.cgi?id=146275
3783
3784         Reviewed by Mark Lam.
3785
3786         This seems to yield another 17% speed improvement in the array
3787         test from the Peacekeeper benchmark.
3788
3789         * runtime/ArrayPrototype.cpp:
3790         (JSC::isHole): Added. Helper to check for holes.
3791         (JSC::containsHole): Ditto.
3792         (JSC::arrayProtoFuncJoin): Added special cases for the various types
3793         of arrays that could be in a butterfly.
3794         (JSC::arrayProtoFuncReverse): Ditto.
3795
3796         * runtime/JSStringJoiner.h: Made appendEmptyString public so we can
3797         call it from the new parts of Array.join.
3798
3799 2015-06-24  Filip Pizlo  <fpizlo@apple.com>
3800
3801         DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear
3802         https://bugs.webkit.org/show_bug.cgi?id=146291
3803         rdar://problem/21435366
3804
3805         Reviewed by Michael Saboff.
3806         
3807         The filter() method returns Contradiction only when a value *becomes* clear. This is
3808         necessary for supporting the convention that non-JSValue nodes have a bottom proved
3809         type. (We should fix that convention eventually, but for now let's just be consistent
3810         about it.)
3811         
3812         * dfg/DFGFiltrationResult.h: Document the issue.
3813         * dfg/DFGSpeculativeJIT32_64.cpp: Work around the issue.
3814         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3815         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3816         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3817         * dfg/DFGSpeculativeJIT64.cpp: Work around the issue.
3818         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3819         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3820         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3821         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3822
3823 2015-06-24  Michael Saboff  <msaboff@apple.com>
3824
3825         Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo
3826         https://bugs.webkit.org/show_bug.cgi?id=146285
3827
3828         Reviewed by Filip Pizlo.
3829
3830         CallLinkInfo's contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains
3831         a collection of PolymorphicCallNode.  Those PolymorphicCallNodes have a reference back to the
3832         CallLinkInfo.  When a CallLinkInfo replaces or clears "stub", the ref count of the
3833         PolymorphicCallStubRoutine is decremented as expected, but since it inherits from
3834         GCAwareJITStubRoutine, it isn't actually deleted until GC.  In the mean time, the original
3835         CallLinkInfo can go away.  If PolymorphicCallNode::unlink() is called at that point,
3836         it will try to unlink a now deleted CallLinkInfo and crash as a result.
3837
3838         The fix is to clear the CallLinkInfo references from any PolymorphicCallNode objects when
3839         when we set a new stub or clear an existing stub for a CallLinkInfo.  This is done by
3840         calling PolymorphicCallNode::clearCallNodesFor() on the old stub.
3841
3842         The prior code would only call clearCallNodesFor() from the CallLinkInfo destructor.
3843         This only took care of the last PolymorphicCallStubRoutine held in the CallLinkInfo.
3844         Any prior PolymorphicCallStubRoutine would still have a, now bad, reference to the CallLinkInfo.
3845
3846         In the process I refactored CallLinkInfo from a struct to a class with proper accessors and
3847         made all the data elements private.
3848
3849         * bytecode/CallLinkInfo.cpp:
3850         (JSC::CallLinkInfo::clearStub): Updated to call PolymorphicCallStubRoutine::clearCallNodesFor()
3851         to clear the back references to this CallLinkInfo.
3852         * bytecode/CallLinkInfo.h:
3853         (JSC::CallLinkInfo::~CallLinkInfo): Moved clearCallNodesFor() call to clearStub().
3854         (JSC::CallLinkInfo::setStub): Clear any prior stub before changing to the new stub.
3855
3856 2015-06-24  Michael Saboff  <msaboff@apple.com>
3857
3858         Refactor CallLinkInfo from a struct to a class
3859         https://bugs.webkit.org/show_bug.cgi?id=146292
3860
3861         Rubber stamped by Filip Pizlo.
3862
3863         Refactored CallLinkInfo from a struct to a class with proper accessors and made all the
3864         data elements private.
3865
3866         Done in preparation for fixing https://bugs.webkit.org/show_bug.cgi?id=146285.
3867
3868         * bytecode/CallLinkInfo.cpp:
3869         (JSC::CallLinkInfo::clearStub):
3870         (JSC::CallLinkInfo::unlink):
3871         (JSC::CallLinkInfo::visitWeak):
3872         * bytecode/CallLinkInfo.h:
3873         (JSC::CallLinkInfo::callTypeFor):
3874         (JSC::CallLinkInfo::CallLinkInfo):
3875         (JSC::CallLinkInfo::~CallLinkInfo):