[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.

        * runtime/InferredValue.h:

2015-04-08  Filip Pizlo  <fpizlo@apple.com>

        JSC should detect singleton functions
        https://bugs.webkit.org/show_bug.cgi?id=143232

        Reviewed by Geoffrey Garen.

        This started out as an attempt to make constructors faster by detecting when a constructor is a
        singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
        along with an inferred value - that detects if only one JSFunction has been allocated for that
        executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
        if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
        we can constant-fold GetCallee.

        Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
        process I realized a bunch of things:

        - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
          had even in code where our singleton-closure detection worked. That's because singleton-closure
          inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
          the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
          disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
          values.

        - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
          created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
          FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.

        - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
          detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
          about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
          SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
          First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
          scope. This saves compile times and it allows prediction propagation to benefit from the
          constant folding. Second, it means that we will detect a singleton scope even if it is
          referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
          allows us to eliminate the function reentry watchpoint.

        - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
          constant values in scopes. Previously when the DFG inferred that a closure variable was
          constant, it wouldn't know which closure that variable was in and so it couldn't just load that
          value. But now we are first inferring that the function is a singleton, which means that we
          know exactly what scope it points to, and we can load the value from the scope. Using a
          WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
          code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
          I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
          FunctionExecutable wants.

        This also has the effect of simplifying the implementation of block scoping. Prior to this
        change, block scoping would have needed to have some story for the function reentry watchpoint on
        any nested symbol table. That's totally weird to think about; it's not really a function reentry
        but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
        will "just work": if we prove that we know the constant value of the scope then the machinery
        kicks in, otherwise it doesn't.

        This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::calleeConstant):
        (JSC::InlineCallFrame::visitAggregate):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::calleeConstant): Deleted.
        (JSC::InlineCallFrame::visitAggregate): Deleted.
        * bytecode/Instruction.h:
        * bytecode/VariableWatchpointSet.cpp: Removed.
        * bytecode/VariableWatchpointSet.h: Removed.
        * bytecode/VariableWatchpointSetInlines.h: Removed.
        * bytecode/VariableWriteFireDetail.cpp: Added.
        (JSC::VariableWriteFireDetail::dump):
        (JSC::VariableWriteFireDetail::touch):
        * bytecode/VariableWriteFireDetail.h: Added.
        (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::stateOnJSThread):
        (JSC::WatchpointSet::startWatching):
        (JSC::WatchpointSet::fireAll):
        (JSC::WatchpointSet::touch):
        (JSC::WatchpointSet::invalidate):
        (JSC::InlineWatchpointSet::stateOnJSThread):
        (JSC::InlineWatchpointSet::state):
        (JSC::InlineWatchpointSet::hasBeenInvalidated):
        (JSC::InlineWatchpointSet::invalidate):
        (JSC::InlineWatchpointSet::touch):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::getScope): Deleted.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::InferredValueAdaptor::add):
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        (JSC::DFG::DesiredWatchpoints::areStillValid):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
        (JSC::DFG::DesiredWatchpoints::isWatched):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::tryGetConstantClosureVar):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasWatchpointSet):
        (JSC::DFG::Node::watchpointSet):
        (JSC::DFG::Node::hasVariableWatchpointSet): Deleted.
        (JSC::DFG::Node::variableWatchpointSet): Deleted.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVarargsForwardingPhase.cpp:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::friendlySourceURL):
        (JSC::StackFrame::friendlyFunctionName):
        * interpreter/Interpreter.h:
        (JSC::StackFrame::friendlySourceURL): Deleted.
        (JSC::StackFrame::friendlyFunctionName): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_touch_entry): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emitNotifyWrite): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emitNotifyWrite): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Deleted.
        * runtime/CommonSlowPaths.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::finishCreation):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::singletonFunction):
        * runtime/InferredValue.cpp: Added.
        (JSC::InferredValue::create):
        (JSC::InferredValue::destroy):
        (JSC::InferredValue::createStructure):
        (JSC::InferredValue::visitChildren):
        (JSC::InferredValue::InferredValue):
        (JSC::InferredValue::~InferredValue):
        (JSC::InferredValue::notifyWriteSlow):
        (JSC::InferredValue::ValueCleanup::ValueCleanup):
        (JSC::InferredValue::ValueCleanup::~ValueCleanup):
        (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
        * runtime/InferredValue.h: Added.
        (JSC::InferredValue::inferredValue):
        (JSC::InferredValue::state):
        (JSC::InferredValue::isStillValid):
        (JSC::InferredValue::hasBeenInvalidated):
        (JSC::InferredValue::add):
        (JSC::InferredValue::notifyWrite):
        (JSC::InferredValue::invalidate):
        * runtime/JSEnvironmentRecord.cpp:
        (JSC::JSEnvironmentRecord::visitChildren):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::isValid):
        (JSC::JSEnvironmentRecord::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        (JSC::JSFunction::createImpl):
        (JSC::JSFunction::create): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSGlobalObject.h:
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::symbolTablePut):
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::finishCreation):
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::JSSymbolTableObject):
        (JSC::JSSymbolTableObject::setSymbolTable):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/PutPropertySlot.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::finishCreation):
        (JSC::SymbolTable::visitChildren):
        (JSC::SymbolTableEntry::inferredValue): Deleted.
        (JSC::SymbolTableEntry::notifyWriteSlow): Deleted.
        (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted.
        (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted.
        (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted.
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::disableWatching):
        (JSC::SymbolTableEntry::watchpointSet):
        (JSC::SymbolTable::singletonScope):
        (JSC::SymbolTableEntry::notifyWrite): Deleted.
        * runtime/TypeProfiler.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tests/stress/infer-uninitialized-closure-var.js: Added.
        (foo.f):
        (foo):
        * tests/stress/singleton-scope-then-overwrite.js: Added.
        (foo.f):
        (foo):
        * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added.
        (foo):
        * tests/stress/singleton-scope-then-realloc.js: Added.
        (foo):

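The "watchpoint plus inferred value" mechanism the entry above describes, modelled as an added example that is not JavaScriptCore's code: the class, function and cell names are this example's own, and it assumes only the three states (clear, watched, invalidated) and the write-driven transitions between them, leaving GC clean-up out.

```cpp
// Added illustration (not JavaScriptCore code): a minimal model of the
// "watchpoint plus inferred value" idea. State names follow the description;
// everything else here is this example's own naming.
#include <cstddef>
#include <functional>
#include <string>
#include <utility>
#include <vector>

enum class WatchState { ClearWatchpoint, IsWatched, IsInvalidated };

// A cell stands in for a JSFunction or a JSSymbolTableObject. Only identity
// matters for "is this still the one and only instance?".
struct Cell { std::string name; };

// Constructed sample cells used by the scenario below and by the checks.
Cell kCellA{"f#1"};
Cell kCellB{"f#2"};

class SingletonInference {
public:
    using Watcher = std::function<void(const std::string& reason)>;

    WatchState state() const { return m_state; }

    // Non-null only while the inference has been initialized and is still valid,
    // which is exactly when a compiler may constant-fold against it.
    const Cell* inferredValue() const {
        return m_state == WatchState::IsWatched ? m_value : nullptr;
    }

    // A compiler that folded against the inferred value registers interest so
    // that its code can be thrown away if the inference is later broken.
    bool addWatcher(Watcher w) {
        if (m_state != WatchState::IsWatched)
            return false;
        m_watchers.push_back(std::move(w));
        return true;
    }

    // Called whenever a new cell is allocated for (or stored into) the watched
    // slot. First write: remember it. Same cell again: still a singleton.
    // A different cell: the inference was wrong, so fire and invalidate.
    void notifyWrite(const Cell* cell, const std::string& reason) {
        switch (m_state) {
        case WatchState::ClearWatchpoint:
            m_value = cell;
            m_state = WatchState::IsWatched;
            return;
        case WatchState::IsWatched:
            if (cell != m_value)
                invalidate(reason);
            return;
        case WatchState::IsInvalidated:
            return;
        }
    }

    // Invalidation is permanent and fires each watcher exactly once.
    void invalidate(const std::string& reason) {
        if (m_state == WatchState::IsInvalidated)
            return;
        m_state = WatchState::IsInvalidated;
        m_value = nullptr;
        for (auto& w : m_watchers)
            w(reason);
        m_watchers.clear();
    }

private:
    WatchState m_state = WatchState::ClearWatchpoint;
    const Cell* m_value = nullptr;
    std::vector<Watcher> m_watchers;
};

// State reached after the given sequence of writes to a fresh inference.
WatchState stateAfterWrites(const std::vector<const Cell*>& writes) {
    SingletonInference inference;
    for (const Cell* c : writes)
        inference.notifyWrite(c, "write");
    return inference.state();
}

// Scenario from the entry: one function is allocated for an executable, a JIT
// folds GetCallee to that constant and watches, then a second allocation
// happens. Returns how many times the JIT's watcher fired (expected: once).
int runSingletonScenario() {
    SingletonInference inference;
    int fired = 0;

    inference.notifyWrite(&kCellA, "first allocation");
    inference.addWatcher([&](const std::string&) { ++fired; });

    inference.notifyWrite(&kCellA, "same cell again");     // still a singleton
    inference.notifyWrite(&kCellB, "second allocation");   // breaks the inference
    inference.notifyWrite(&kCellB, "after invalidation");  // no second fire
    return fired;
}
```
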
2015-04-13  Andreas Kling  <akling@apple.com>

        Don't segregate heap objects based on Structure immortality.
        <https://webkit.org/b/143638>

        Reviewed by Darin Adler.

        Put all objects that need a destructor call into the same MarkedBlock.
        This reduces memory consumption in many situations, while improving locality,
        since much more of the MarkedBlock space can be shared.

        Instead of branching on the MarkedBlock type, we now check a bit in the
        JSCell's inline type flags (StructureIsImmortal) to see whether it's safe
        to access the cell's Structure during destruction or not.

        Performance benchmarks look mostly neutral. Maybe a small regression on
        SunSpider's date objects.

        On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along
        with a bunch of WeakBlocks that were hanging off of them. That's on the higher
        end of savings we can get from this, but still a very real improvement.

        Most of this patch is removing the "hasImmortalStructure" constant from JSCell
        derived classes and passing that responsibility to the StructureIsImmortal flag.
        StructureFlags is made public so that it's accessible from non-member functions.
        I made sure to declare it everywhere and make classes final to try to make it
        explicit what each class is doing to its inherited flags.

        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
        * heap/Heap.h:
        (JSC::Heap::subspaceForObjectDestructor):
        (JSC::Heap::allocatorForObjectWithDestructor):
        (JSC::Heap::subspaceForObjectNormalDestructor): Deleted.
        (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted.
        (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted.
        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted.
        * heap/HeapInlines.h:
        (JSC::Heap::allocateWithDestructor):
        (JSC::Heap::allocateObjectOfType):
        (JSC::Heap::subspaceForObjectOfType):
        (JSC::Heap::allocatorForObjectOfType):
        (JSC::Heap::allocateWithNormalDestructor): Deleted.
        (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateBlock):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::needsDestruction):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::init):
        (JSC::MarkedAllocator::destructorType): Deleted.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep):
        (JSC::MarkedBlock::sweepHelper):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::needsDestruction):
        (JSC::MarkedBlock::destructorType): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::forEachAllocator):
        (JSC::MarkedSpace::isPagedOut):
        (JSC::MarkedSpace::clearNewlyAllocated):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
        (JSC::MarkedSpace::destructorAllocatorFor):
        (JSC::MarkedSpace::allocateWithDestructor):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted.
        (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted.
        (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted.
        (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted.
        (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted.
        (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted.
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.h:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.h:
        * jsc.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayIteratorPrototype.h:
        * runtime/BooleanPrototype.h:
        * runtime/ClonedArguments.h:
        * runtime/CustomGetterSetter.h:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.h:
        * runtime/ExceptionHelpers.h:
        * runtime/Executable.h:
        * runtime/GenericArguments.h:
        * runtime/GetterSetter.h:
        * runtime/InternalFunction.h:
        * runtime/JSAPIValueWrapper.h:
        * runtime/JSArgumentsIterator.h:
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.h:
        * runtime/JSBoundFunction.h:
        * runtime/JSCallee.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSDataViewPrototype.h:
        * runtime/JSEnvironmentRecord.h:
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSNameScope.h:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.h:
        * runtime/JSObject.h:
        (JSC::JSFinalObject::JSFinalObject):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromisePrototype.h:
        * runtime/JSPromiseReaction.h:
        * runtime/JSPropertyNameEnumerator.h:
        * runtime/JSProxy.h:
        * runtime/JSScope.h:
        * runtime/JSString.h:
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::structureIsImmortal):
        * runtime/MathObject.h:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/RegExp.h:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.h:
        * runtime/ScopedArgumentsTable.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/StrictEvalActivation.h:
        * runtime/StringConstructor.h:
        * runtime/StringIteratorPrototype.h:
        * runtime/StringObject.h:
        * runtime/StringPrototype.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        * runtime/StructureChain.h:
        * runtime/StructureRareData.h:
        * runtime/Symbol.h:
        * runtime/SymbolPrototype.h:
        * runtime/SymbolTable.h:
        * runtime/WeakMapData.h:

2015-04-13  Mark Lam  <mark.lam@apple.com>

        DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit.
        https://bugs.webkit.org/show_bug.cgi?id=143407

        Reviewed by Filip Pizlo.

        DFG inlining of a varargs call / construct needs to keep the local
        containing the callee alive with a Phantom node because the LoadVarargs
        node may OSR exit.  After the OSR exit, the baseline JIT executes the
        op_call_varargs with that callee in the local.

        Previously, because that callee local was not explicitly kept alive,
        the op_call_varargs case can OSR exit a DFG function and leave an
        undefined value in that local.  As a result, the baseline observes the
        side effect of an op_call_varargs on an undefined value instead of the
        function it expected.

        Note: this issue does not manifest with op_construct_varargs because
        the inlined constructor will have an op_create_this which operates on
        the incoming callee value, thereby keeping it alive.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added.
        (foo):
        (Foo):
        (doTest):

2015-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Array.prototype.values
        https://bugs.webkit.org/show_bug.cgi?id=143633

        Reviewed by Darin Adler.

        Symbol.unscopables is implemented, so we can implement Array.prototype.values
        without largely breaking the web. The following script passes.

        var array = [];
        var values = 42;
        with (array) {
            assert(values, 42);
        }

        * runtime/ArrayPrototype.cpp:
        * tests/stress/array-iterators-next.js:
        * tests/stress/map-iterators-next.js:
        * tests/stress/set-iterators-next.js:
        * tests/stress/values-unscopables.js: Added.
        (test):

2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Run flaky conservative GC related test first before polluting stack and registers
        https://bugs.webkit.org/show_bug.cgi?id=143634

        Reviewed by Ryosuke Niwa.

        After r182653, JSC API tests fail. However, it's not related to the change.
        After investigating the cause of this failure, I've found that the failed test is flaky
        because JSC's GC is conservative. If a previously allocated JSGlobalObject is accidentally alive
        due to conservative roots in the C stack and registers, this test fails.

        Since GC marks the C stack and registers as roots conservatively,
        objects not referenced logically can be accidentally marked and kept alive.
        To avoid this situation as much as we can,
        1. run this test first before the stack is polluted,
        2. extract this test as a function to suppress stack height.

        * API/tests/testapi.mm:
        (testWeakValue):
        (testObjectiveCAPIMain):
        (testObjectiveCAPI):

2015-04-11  Matt Baker  <mattbaker@apple.com>

        Web Inspector: create content view and details sidebar for Frames timeline
        https://bugs.webkit.org/show_bug.cgi?id=143533

        Reviewed by Timothy Hatcher.

        Refactoring: RunLoop prefix changed to RenderingFrame.

        * inspector/protocol/Timeline.json:

2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Enable Symbol in web pages
        https://bugs.webkit.org/show_bug.cgi?id=143375

        Reviewed by Ryosuke Niwa.

        Expose Symbol to web pages.
        Symbol was exposed, but it was hidden since it broke Facebook comments.
        This is because at that time Symbol was implemented,
        but methods for Symbol.iterator and Object.getOwnPropertySymbols were not implemented yet,
        and that broke React.js and immutable.js.

        Now methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented,
        and we made sure that Facebook comment input functionality is not broken with exposed Symbol.

        So this patch replaces the runtime flag SymbolEnabled with SymbolDisabled
        and enables symbols by default.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/RuntimeFlags.h:

2015-04-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        ES6: Iterator toString names should be consistent
        https://bugs.webkit.org/show_bug.cgi?id=142424

        Reviewed by Geoffrey Garen.

        Iterator Object Names in the spec right now have spaces.
        In our implementation some do and some don't.
        This patch aligns JSC to the spec.

        * runtime/JSArrayIterator.cpp:
        * runtime/JSStringIterator.cpp:
        * tests/stress/iterator-names.js: Added.
        (test):
        (iter):
        (check):

2015-04-10  Michael Saboff  <msaboff@apple.com>

        REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
        https://bugs.webkit.org/show_bug.cgi?id=143582

        Reviewed by Mark Lam.

        For 32 bit builds, we favor spilling unboxed values.  The ASSERT at the root of this bug doesn't
        fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
        For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
        The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
        if the spillFormat is DataFormatCell.  Had we spilled in DataFormatJS and the value was a JSCell*,
        we would still OSR exit after the speculation check.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):

2015-04-10  Milan Crha  <mcrha@redhat.com>

        Disable Linux-specific code in a Windows build
        https://bugs.webkit.org/show_bug.cgi?id=137973

        Reviewed by Joseph Pecoraro.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):

2015-04-10  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516
        https://bugs.webkit.org/show_bug.cgi?id=143368

        Reviewed by Michael Saboff.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):

2015-04-08  Joseph Pecoraro  <pecoraro@apple.com>

        Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters
        https://bugs.webkit.org/show_bug.cgi?id=143430

        Reviewed by Darin Adler.

        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoFuncToString):

2015-04-08  Filip Pizlo  <fpizlo@apple.com>

        JSArray::sortNumeric should handle ArrayWithUndecided
        https://bugs.webkit.org/show_bug.cgi?id=143535

        Reviewed by Geoffrey Garen.

        ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.

        * runtime/JSArray.cpp:
        (JSC::JSArray::sortNumeric):
        * tests/stress/sort-array-with-undecided.js: Added.

2015-04-08  Filip Pizlo  <fpizlo@apple.com>

        DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
        https://bugs.webkit.org/show_bug.cgi?id=143532

        Reviewed by Gavin Barraclough.

        Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
        But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
        would think that there never was wrap-around.

        This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::isValid):

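The failure mode in the entry above, shown as an added example that is not WebKit's code: a wrap-around test written with signed arithmetic is itself undefined behaviour, so the optimizer may delete it; the functions below (names are this example's own) perform the same test without any signed overflow, including the range form a bounds-check combiner needs.

```cpp
// Added illustration (not JavaScriptCore code): testing "does a + b wrap?"
// without committing undefined behaviour in the test itself.
#include <cstdint>
#include <limits>

// The tempting form is
//     bool wraps(int32_t a, int32_t b) { return a + b < a; }
// Signed overflow is undefined in C++, so the compiler may assume a + b never
// wraps and fold the predicate to "b < 0", which is exactly the silent
// deletion of a safety check that the entry above describes.

// 1. Do the addition in a wider type: int64_t holds any sum of two int32_t.
bool int32AddWraps(int32_t a, int32_t b) {
    int64_t sum = static_cast<int64_t>(a) + static_cast<int64_t>(b);
    return sum < std::numeric_limits<int32_t>::min()
        || sum > std::numeric_limits<int32_t>::max();
}

// 2. Range reasoning with no arithmetic on the operands themselves, usable
// when no wider type exists (e.g. for int64_t). Both subtractions are safe:
// max - b with b > 0 and min - b with b <= 0 stay inside the type's range.
template <typename T>
bool addWrapsByRange(T a, T b) {
    if (b > 0)
        return a > std::numeric_limits<T>::max() - b;
    return a < std::numeric_limits<T>::min() - b;
}

// The shape of question a bounds-check combiner asks: given index in
// [minIndex, maxIndex] and constant offsets in [minOffset, maxOffset], can
// index + offset be formed for every pair without wrapping? Addition is
// monotonic in each operand, so only the two extreme sums need checking.
// Assumes minIndex <= maxIndex and minOffset <= maxOffset.
bool offsetRangeIsSafe(int32_t minIndex, int32_t maxIndex,
                       int32_t minOffset, int32_t maxOffset) {
    return !int32AddWraps(minIndex, minOffset)
        && !int32AddWraps(maxIndex, maxOffset);
}
```
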
638 2015-04-07  Michael Saboff  <msaboff@apple.com>
639
640         Lazily initialize LogToSystemConsole flag to reduce memory usage
641         https://bugs.webkit.org/show_bug.cgi?id=143506
642
643         Reviewed by Mark Lam.
644
645         Only call into CF preferences code when we need to in order to reduce memory usage.
646
647         * inspector/JSGlobalObjectConsoleClient.cpp:
648         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
649         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
650         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
651         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
652
653 2015-04-07  Benjamin Poulain  <benjamin@webkit.org>
654
655         Get the features.json files ready for open contributions
656         https://bugs.webkit.org/show_bug.cgi?id=143436
657
658         Reviewed by Darin Adler.
659
660         * features.json:
661
662 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
663
664         Constant folding of typed array properties should be handled by AI rather than strength reduction
665         https://bugs.webkit.org/show_bug.cgi?id=143496
666
667         Reviewed by Geoffrey Garen.
668         
669         Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
670         phase and whatever other phase did the folding in order to find all constants.
671         
672         This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
673         directly.
674         
675         This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
676         found because all of the tests for it involved the property getting constant folded. I found that
677         the codegen was bad because an earlier version of the patch broke that constant folding. This
678         adds a new test for that node type, which makes constant folding impossible by allocating a new
679         typed array every time. The lesson here is: if you write a test for something, run the test with
680         full IR dumps to make sure it's actually testing the thing you want it to test.
681
682         * dfg/DFGAbstractInterpreterInlines.h:
683         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
684         * dfg/DFGClobberize.h:
685         (JSC::DFG::clobberize):
686         * dfg/DFGConstantFoldingPhase.cpp:
687         (JSC::DFG::ConstantFoldingPhase::foldConstants):
688         * dfg/DFGDoesGC.cpp:
689         (JSC::DFG::doesGC):
690         * dfg/DFGFixupPhase.cpp:
691         (JSC::DFG::FixupPhase::fixupNode):
692         * dfg/DFGGraph.cpp:
693         (JSC::DFG::Graph::dump):
694         (JSC::DFG::Graph::tryGetFoldableView):
695         (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
696         * dfg/DFGGraph.h:
697         * dfg/DFGNode.h:
698         (JSC::DFG::Node::hasTypedArray): Deleted.
699         (JSC::DFG::Node::typedArray): Deleted.
700         * dfg/DFGNodeType.h:
701         * dfg/DFGPredictionPropagationPhase.cpp:
702         (JSC::DFG::PredictionPropagationPhase::propagate):
703         * dfg/DFGSafeToExecute.h:
704         (JSC::DFG::safeToExecute):
705         * dfg/DFGSpeculativeJIT.cpp:
706         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
707         * dfg/DFGSpeculativeJIT32_64.cpp:
708         (JSC::DFG::SpeculativeJIT::compile):
709         * dfg/DFGSpeculativeJIT64.cpp:
710         (JSC::DFG::SpeculativeJIT::compile):
711         * dfg/DFGStrengthReductionPhase.cpp:
712         (JSC::DFG::StrengthReductionPhase::handleNode):
713         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
714         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
715         * dfg/DFGWatchpointCollectionPhase.cpp:
716         (JSC::DFG::WatchpointCollectionPhase::handle):
717         (JSC::DFG::WatchpointCollectionPhase::addLazily):
718         * ftl/FTLCapabilities.cpp:
719         (JSC::FTL::canCompile):
720         * ftl/FTLLowerDFGToLLVM.cpp:
721         (JSC::FTL::LowerDFGToLLVM::compileNode):
722         (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
723         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
724         * tests/stress/fold-typed-array-properties.js:
725         (foo):
726         * tests/stress/typed-array-byte-offset.js: Added.
727         (foo):
728
729 2015-04-07  Matthew Mirman  <mmirman@apple.com>
730
731         Source and stack information should get appended only to native errors
732         and should be added directly after construction rather than when thrown.
733         This fixes frozen objects being unfrozen when thrown, while conforming to
734         the ECMAScript standard and other browsers' behavior.
735         rdar://problem/19927293
736         https://bugs.webkit.org/show_bug.cgi?id=141871
737         
738         Reviewed by Geoffrey Garen.
739
740         Appending stack, source, line, and column information to an object whenever that object is thrown
741         is incorrect because it violates the ECMAScript standard for the behavior of throw.  Suppose, for example,
742         that the object being thrown already has one of these properties or is frozen.  Adding the properties
743         would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
744         and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
745         a control flow construct rather than just an error reporting mechanism.
746         
747         Because WebCore adds "native" errors which do not inherit from any JSC native error,
748         appending the error properties as a separate call after construction of the error is required
749         to avoid having to manually truncate the stack and gather local source information due to
750         the stack being extended by a nested call to construct one of the native JSC errors.
751         
752         * interpreter/Interpreter.cpp:
753         (JSC::Interpreter::execute):
754         * interpreter/Interpreter.h:
755         * parser/ParserError.h:
756         (JSC::ParserError::toErrorObject):
757         * runtime/CommonIdentifiers.h:
758         * runtime/Error.cpp:
759         (JSC::createError):
760         (JSC::createEvalError):
761         (JSC::createRangeError):
762         (JSC::createReferenceError):
763         (JSC::createSyntaxError):
764         (JSC::createTypeError):
765         (JSC::createNotEnoughArgumentsError):
766         (JSC::createURIError):
767         (JSC::createOutOfMemoryError):
768         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
769         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
770         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
771         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
772         (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
773         (JSC::addErrorInfo): Added special case for appending complete error info 
774         to a newly constructed error object.
775         * runtime/Error.h:
776         * runtime/ErrorConstructor.cpp:
777         (JSC::Interpreter::constructWithErrorConstructor):
778         (JSC::Interpreter::callErrorConstructor):
779         * runtime/ErrorInstance.cpp:
780         (JSC::appendSourceToError): Moved from VM.cpp
781         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
782         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
783         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
784         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
785         (JSC::addErrorInfoAndGetBytecodeOffset):
786         (JSC::ErrorInstance::finishCreation):
787         * runtime/ErrorInstance.h:
788         (JSC::ErrorInstance::create):
789         * runtime/ErrorPrototype.cpp:
790         (JSC::ErrorPrototype::finishCreation):
791         * runtime/ExceptionFuzz.cpp:
792         (JSC::doExceptionFuzzing):
793         * runtime/ExceptionHelpers.cpp:
794         (JSC::createError):
795         (JSC::createInvalidFunctionApplyParameterError):
796         (JSC::createInvalidInParameterError):
797         (JSC::createInvalidInstanceofParameterError):
798         (JSC::createNotAConstructorError):
799         (JSC::createNotAFunctionError):
800         (JSC::createNotAnObjectError):
801         (JSC::throwOutOfMemoryError):
802         (JSC::createStackOverflowError): Deleted.
803         (JSC::createOutOfMemoryError): Deleted.
804         * runtime/ExceptionHelpers.h:
805         * runtime/JSArrayBufferConstructor.cpp:
806         (JSC::constructArrayBuffer):
807         * runtime/JSArrayBufferPrototype.cpp:
808         (JSC::arrayBufferProtoFuncSlice):
809         * runtime/JSGenericTypedArrayViewInlines.h:
810         (JSC::JSGenericTypedArrayView<Adaptor>::create):
811         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
812         * runtime/NativeErrorConstructor.cpp:
813         (JSC::Interpreter::constructWithNativeErrorConstructor):
814         (JSC::Interpreter::callNativeErrorConstructor):
815         * runtime/VM.cpp:
816         (JSC::VM::throwException):
817         (JSC::appendSourceToError): Moved to Error.cpp
818         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
819         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
820         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
821         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
822         * tests/stress/freeze_leek.js: Added.
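
        Added example (plain JavaScript, not code from this ChangeLog entry or from the freeze_leek.js test it references):
        the observable contract the change describes, checked from script. A thrown value must come back unchanged,
        frozen objects must stay frozen, and stack information belongs to native Error objects from the moment they are
        constructed. The helper names (throwAndCatch, firstNegative and so on) are this example's own.

```javascript
'use strict';

// Added example: the throw contract described above. Throwing must not add or
// overwrite properties on the thrown value; stack/source information is a
// property of native Error objects, attached when they are constructed.
// Helper names (throwAndCatch etc.) are the example's own.

function throwAndCatch(value) {
  try {
    throw value;
  } catch (e) {
    return e;
  }
}

// A frozen plain object must come back identical and still frozen, with its
// own "stack" property untouched and nothing added to it.
function frozenObjectSurvivesThrow() {
  const obj = Object.freeze({ code: 'E_FROZEN', stack: 'user-defined' });
  const caught = throwAndCatch(obj);
  return caught === obj
    && Object.isFrozen(caught)
    && caught.stack === 'user-defined'
    && Object.keys(caught).join() === 'code,stack';
}

// A native error already carries stack information before it is ever thrown.
function nativeErrorHasStackAtConstruction() {
  const err = new TypeError('never thrown');
  return typeof err.stack === 'string' && err.stack.length > 0;
}

// Throwing a native error later must not replace a stack the caller assigned.
function throwKeepsCallerAssignedStack() {
  const err = new RangeError('boom');
  err.stack = 'caller-assigned';
  return throwAndCatch(err).stack === 'caller-assigned';
}

// Throw used purely as control flow on frozen sentinel objects, the pattern
// the entry says must not pay for error decoration. Returns the index of the
// first negative value, or -1.
const STOP = Object.freeze({ sentinel: true });
function firstNegative(values) {
  try {
    values.forEach((v, i) => {
      if (v < 0) throw Object.freeze({ index: i, stop: STOP });
    });
  } catch (e) {
    if (e !== null && typeof e === 'object' && e.stop === STOP) return e.index;
    throw e;
  }
  return -1;
}
```

        Run under node or jsc; every function returns a boolean or an index rather than printing, so the checks
        can be asserted directly.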
823
824 2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>
825
826         Web Inspector: ES6: Show Symbol properties on Objects
827         https://bugs.webkit.org/show_bug.cgi?id=141279
828
829         Reviewed by Timothy Hatcher.
830
831         * inspector/protocol/Runtime.json:
832         Give PropertyDescriptor a reference to the Symbol RemoteObject
833         if the property is a symbol property.
834
835         * inspector/InjectedScriptSource.js:
836         Enumerate symbol properties on objects.
837
838 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
839
840         Make it possible to enable LLVM FastISel
841         https://bugs.webkit.org/show_bug.cgi?id=143489
842
843         Reviewed by Michael Saboff.
844
845         The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
846         against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
847         if we should enable it.
848
849         * ftl/FTLCompile.cpp:
850         (JSC::FTL::mmAllocateDataSection):
851         * llvm/InitializeLLVM.cpp:
852         (JSC::initializeLLVMImpl):
853         * llvm/InitializeLLVM.h:
854         * llvm/InitializeLLVMLinux.cpp:
855         (JSC::getLLVMInitializerFunction):
856         (JSC::initializeLLVMImpl): Deleted.
857         * llvm/InitializeLLVMMac.cpp:
858         (JSC::getLLVMInitializerFunction):
859         (JSC::initializeLLVMImpl): Deleted.
860         * llvm/InitializeLLVMPOSIX.cpp:
861         (JSC::getLLVMInitializerFunctionPOSIX):
862         (JSC::initializeLLVMPOSIX): Deleted.
863         * llvm/InitializeLLVMPOSIX.h:
864         * llvm/InitializeLLVMWin.cpp:
865         (JSC::getLLVMInitializerFunction):
866         (JSC::initializeLLVMImpl): Deleted.
867         * llvm/LLVMAPI.cpp:
868         * llvm/LLVMAPI.h:
869         * llvm/library/LLVMExports.cpp:
870         (initCommandLine):
871         (initializeAndGetJSCLLVMAPI):
872         * runtime/Options.cpp:
873         (JSC::Options::initialize):
874
875 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
876
877         put_by_val_direct needs to check whether the property is an index in order to use putDirect / putDirectIndex
878         https://bugs.webkit.org/show_bug.cgi?id=140426
879
880         Reviewed by Darin Adler.
881
882         In the put_by_val_direct operation, we use JSObject::putDirect.
883         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
884         This patch checks whether the toString-ed Identifier is an index to choose putDirect / putDirectIndex.
885
886         * dfg/DFGOperations.cpp:
887         (JSC::DFG::putByVal):
888         (JSC::DFG::operationPutByValInternal):
889         * jit/JITOperations.cpp:
890         * llint/LLIntSlowPaths.cpp:
891         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
892         * runtime/Identifier.h:
893         (JSC::isIndex):
894         (JSC::parseIndex):
895         * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
896         (lookupWithKey):
897         (toStringThrowsError.toString):
898
899 2015-04-06  Alberto Garcia  <berto@igalia.com>
900
901         [GTK] Fix HPPA build
902         https://bugs.webkit.org/show_bug.cgi?id=143453
903
904         Reviewed by Darin Adler.
905
906         Add HPPA to the list of supported CPUs.
907
908         * CMakeLists.txt:
909
910 2015-04-06  Mark Lam  <mark.lam@apple.com>
911
912         In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
913         <https://webkit.org/b/143396>
914
915         Reviewed by Filip Pizlo.
916
917         The DFG was neglecting to set the result boolean.  The FTL was setting it with
918         an inverted value.  Both of these are now resolved.
919
920         * dfg/DFGSpeculativeJIT64.cpp:
921         (JSC::DFG::SpeculativeJIT::compile):
922         * ftl/FTLLowerDFGToLLVM.cpp:
923         (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
924         * tests/stress/for-in-array-mode.js: Added.
925         (.):
926         (test):
927
928 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
929
930         [ES6] DFG and FTL should be aware that StringConstructor behavior for symbols becomes different from ToString
931         https://bugs.webkit.org/show_bug.cgi?id=143424
932
933         Reviewed by Geoffrey Garen.
934
935         In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).
936
937         ToString(symbol) throws a type error.
938         However, String(symbol) produces SymbolDescriptiveString(symbol).
939
940         So, in the DFG and FTL phases, we should not inline StringConstructor as ToString.
941
942         Now, the template literals patch plans to use the ToString DFG operation.
943         And the current ToString behavior is aligned with the spec (and JSValue::toString), which is better.
944         So instead of changing ToString behavior, this patch adds a CallStringConstructor operation to the DFG and FTL.
945         In CallStringConstructor, all behavior in DFG analysis is the same.
946         The only difference from ToString is that, when calling DFG operation functions, it calls
947         operationCallStringConstructorOnCell and operationCallStringConstructor instead of
948         operationToStringOnCell and operationToString.
949
950         * dfg/DFGAbstractInterpreterInlines.h:
951         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
952         * dfg/DFGBackwardsPropagationPhase.cpp:
953         (JSC::DFG::BackwardsPropagationPhase::propagate):
954         * dfg/DFGByteCodeParser.cpp:
955         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
956         * dfg/DFGClobberize.h:
957         (JSC::DFG::clobberize):
958         * dfg/DFGDoesGC.cpp:
959         (JSC::DFG::doesGC):
960         * dfg/DFGFixupPhase.cpp:
961         (JSC::DFG::FixupPhase::fixupNode):
962         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
963         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
964         (JSC::DFG::FixupPhase::fixupToString): Deleted.
965         * dfg/DFGNodeType.h:
966         * dfg/DFGOperations.cpp:
967         * dfg/DFGOperations.h:
968         * dfg/DFGPredictionPropagationPhase.cpp:
969         (JSC::DFG::PredictionPropagationPhase::propagate):
970         * dfg/DFGSafeToExecute.h:
971         (JSC::DFG::safeToExecute):
972         * dfg/DFGSpeculativeJIT.cpp:
973         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
974         (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
975         * dfg/DFGSpeculativeJIT.h:
976         * dfg/DFGSpeculativeJIT32_64.cpp:
977         (JSC::DFG::SpeculativeJIT::compile):
978         * dfg/DFGSpeculativeJIT64.cpp:
979         (JSC::DFG::SpeculativeJIT::compile):
980         * dfg/DFGStructureRegistrationPhase.cpp:
981         (JSC::DFG::StructureRegistrationPhase::run):
982         * ftl/FTLCapabilities.cpp:
983         (JSC::FTL::canCompile):
984         * ftl/FTLLowerDFGToLLVM.cpp:
985         (JSC::FTL::LowerDFGToLLVM::compileNode):
986         (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
987         (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
988         * runtime/StringConstructor.cpp:
989         (JSC::stringConstructor):
990         (JSC::callStringConstructor):
991         * runtime/StringConstructor.h:
992         * tests/stress/symbol-and-string-constructor.js: Added.
993         (performString):
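
        Added example (plain JavaScript, not code from this ChangeLog entry or from symbol-and-string-constructor.js):
        every script-visible path from a value to a string, reported as either the result or the name of the error
        thrown. For a symbol, String(sym) is the one path that does not go through ToString, which is exactly why the
        DFG and FTL can no longer treat a call to the String constructor as a ToString node. The helper name
        stringConversions is this example's own.

```javascript
'use strict';

// Added example: String(value) versus the ToString abstract operation.
// Each entry is the conversion result, or the constructor name of the error
// it threw. stringConversions is the example's own name.
function stringConversions(value) {
  const attempt = (fn) => {
    try {
      return fn();
    } catch (e) {
      return e.constructor.name;
    }
  };
  return {
    stringCall: attempt(() => String(value)),            // SymbolDescriptiveString for symbols
    stringNew: attempt(() => typeof new String(value)),  // constructor path: plain ToString
    template: attempt(() => `${value}`),                 // template literal: ToString
    concat: attempt(() => '' + value),                   // ToPrimitive, then ToString
    method: attempt(() => value.toString()),             // Symbol.prototype.toString
  };
}

// The folding rule the DFG must respect: only a non-symbol argument lets
// String(x) be treated as ToString(x).
function canFoldStringCallToToString(value) {
  return typeof value !== 'symbol';
}
```

        For a symbol the report shows one success through String(), one through the explicit toString() method, and
        a TypeError on the three ToString paths; for a number all five agree.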
994
995 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
996
997         Return Optional<uint32_t> from PropertyName::asIndex
998         https://bugs.webkit.org/show_bug.cgi?id=143422
999
1000         Reviewed by Darin Adler.
1001
1002         PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
1003         But it's not obvious to callers.
1004
1005         This patch changes
1006         1. PropertyName::asIndex() to return Optional<uint32_t> and
1007         2. function name `asIndex()` to `parseIndex()`.
1008         It forces callers to check explicitly whether the value is an index.
1009
1010         * bytecode/GetByIdStatus.cpp:
1011         (JSC::GetByIdStatus::computeFor):
1012         * bytecode/PutByIdStatus.cpp:
1013         (JSC::PutByIdStatus::computeFor):
1014         * bytecompiler/BytecodeGenerator.cpp:
1015         (JSC::BytecodeGenerator::emitDirectPutById):
1016         * jit/Repatch.cpp:
1017         (JSC::emitPutTransitionStubAndGetOldStructure):
1018         * jsc.cpp:
1019         * runtime/ArrayPrototype.cpp:
1020         (JSC::arrayProtoFuncSort):
1021         * runtime/GenericArgumentsInlines.h:
1022         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1023         (JSC::GenericArguments<Type>::put):
1024         (JSC::GenericArguments<Type>::deleteProperty):
1025         (JSC::GenericArguments<Type>::defineOwnProperty):
1026         * runtime/Identifier.h:
1027         (JSC::parseIndex):
1028         (JSC::Identifier::isSymbol):
1029         * runtime/JSArray.cpp:
1030         (JSC::JSArray::defineOwnProperty):
1031         * runtime/JSCJSValue.cpp:
1032         (JSC::JSValue::putToPrimitive):
1033         * runtime/JSGenericTypedArrayViewInlines.h:
1034         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1035         (JSC::JSGenericTypedArrayView<Adaptor>::put):
1036         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1037         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1038         * runtime/JSObject.cpp:
1039         (JSC::JSObject::put):
1040         (JSC::JSObject::putDirectAccessor):
1041         (JSC::JSObject::putDirectCustomAccessor):
1042         (JSC::JSObject::deleteProperty):
1043         (JSC::JSObject::putDirectMayBeIndex):
1044         (JSC::JSObject::defineOwnProperty):
1045         * runtime/JSObject.h:
1046         (JSC::JSObject::getOwnPropertySlot):
1047         (JSC::JSObject::getPropertySlot):
1048         (JSC::JSObject::putDirectInternal):
1049         * runtime/JSString.cpp:
1050         (JSC::JSString::getStringPropertyDescriptor):
1051         * runtime/JSString.h:
1052         (JSC::JSString::getStringPropertySlot):
1053         * runtime/LiteralParser.cpp:
1054         (JSC::LiteralParser<CharType>::parse):
1055         * runtime/PropertyName.h:
1056         (JSC::parseIndex):
1057         (JSC::toUInt32FromCharacters): Deleted.
1058         (JSC::toUInt32FromStringImpl): Deleted.
1059         (JSC::PropertyName::asIndex): Deleted.
1060         * runtime/PropertyNameArray.cpp:
1061         (JSC::PropertyNameArray::add):
1062         * runtime/StringObject.cpp:
1063         (JSC::StringObject::deleteProperty):
1064         * runtime/Structure.cpp:
1065         (JSC::Structure::prototypeChainMayInterceptStoreTo):
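
        Added example (plain JavaScript, not WebKit code) serving this entry and the put_by_val_direct entry above:
        a script-level model of the rule parseIndex() implements, cross-checked against the running engine. A property
        key is an array index only if it is the canonical decimal form of an integer in [0, 2^32 - 2]; every other key,
        including "01", "-1", "4294967295" and any symbol, is a named property. The names parseIndex (borrowed from the
        entry), engineTreatsAsIndex, modelMatchesEngine, literalWithComputedKey and ownKeyOrder are this example's own.

```javascript
'use strict';

// Added example: a JavaScript model of the index-or-not decision that JSC's
// parseIndex() makes, plus a probe that asks the engine the same question.
// Function names are the example's own, not JSC API.
const MAX_ARRAY_INDEX = 2 ** 32 - 2;

function parseIndex(key) {
  if (typeof key === 'symbol') return undefined;
  const s = String(key);                                // ToString first, then classify
  if (!/^(0|[1-9][0-9]*)$/.test(s)) return undefined;   // rejects "", "01", "-1", "1.0", "1e3"
  const n = Number(s);
  return n <= MAX_ARRAY_INDEX ? n : undefined;          // "4294967295" is not an index
}

// Engine probe: own keys list index keys first in ascending numeric order,
// so an index key stored after "named" still comes out ahead of it.
function engineTreatsAsIndex(key) {
  const o = { named: 1 };
  o[key] = 1;
  return Reflect.ownKeys(o)[0] !== 'named';
}

// True when the model agrees with the engine for every key supplied.
function modelMatchesEngine(keys) {
  return keys.every((k) => (parseIndex(k) !== undefined) === engineTreatsAsIndex(k));
}

// The put_by_val_direct case: a computed key in an object literal is converted
// with ToString and only then routed to an indexed or named store.
function literalWithComputedKey(key, value) {
  return { [key]: value };
}

// Insertion order is kept for named keys; index keys are hoisted and sorted.
function ownKeyOrder(keys) {
  const o = {};
  for (const k of keys) o[k] = true;
  return Object.keys(o);
}
```

        The engine probe is deliberately independent of Array length bookkeeping, since assigning through a key like
        "length" would change an array's length without that key being an index.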
1066
1067 2015-04-05  Andreas Kling  <akling@apple.com>
1068
1069         URI encoding/escaping should use efficient string building instead of calling snprintf().
1070         <https://webkit.org/b/143426>
1071
1072         Reviewed by Gavin Barraclough.
1073
1074         I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
1075         which seemed pretty silly. This change gets that down to nothing in favor of using our
1076         existing JSStringBuilder and HexNumber.h facilities.
1077
1078         These APIs are well-exercised by our existing test suite.
1079
1080         * runtime/JSGlobalObjectFunctions.cpp:
1081         (JSC::encode):
1082         (JSC::globalFuncEscape):
1083
1084 2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>
1085
1086         documentation for ES Promises points to the wrong one
1087         https://bugs.webkit.org/show_bug.cgi?id=143263
1088
1089         Reviewed by Darin Adler.
1090
1091         * features.json:
1092
1093 2015-04-05  Simon Fraser  <simon.fraser@apple.com>
1094
1095         Remove "go ahead and" from comments
1096         https://bugs.webkit.org/show_bug.cgi?id=143421
1097
1098         Reviewed by Darin Adler, Benjamin Poulain.
1099
1100         Remove the phrase "go ahead and" from comments where it doesn't add
1101         anything (which is almost all of them).
1102
1103         * interpreter/JSStack.cpp:
1104         (JSC::JSStack::growSlowCase):
1105
1106 2015-04-04  Andreas Kling  <akling@apple.com>
1107
1108         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
1109         <https://webkit.org/b/143210>
1110
1111         Reviewed by Geoffrey Garen.
1112
1113         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
1114         we had a little problem where WeakBlocks with only null pointers would still keep their
1115         MarkedBlock alive.
1116
1117         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
1118         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
1119         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
1120         destroying them once they're fully dead.
1121
1122         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
1123         a mysterious issue where doing two full garbage collections back-to-back would free additional
1124         memory in the second collection.
1125
1126         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
1127         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
1128         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
1129
1130         * heap/Heap.h:
1131         * heap/Heap.cpp:
1132         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
1133         owned by Heap, after everything else has been swept.
1134
1135         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
1136         after a full garbage collection ends. Note that we don't do this after Eden collections, since
1137         they are unlikely to cause entire WeakBlocks to go empty.
1138
1139         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
1140         to the Heap when it's detached from a WeakSet.
1141
1142         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
1143         of the logically empty WeakBlocks owned by Heap.
1144
1145         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1146         and updates the next-logically-empty-weak-block-to-sweep index.
1147
1148         (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
1149         won't be another chance after this.
1150
1151         * heap/IncrementalSweeper.h:
1152         (JSC::IncrementalSweeper::hasWork): Deleted.
1153
1154         * heap/IncrementalSweeper.cpp:
1155         (JSC::IncrementalSweeper::fullSweep):
1156         (JSC::IncrementalSweeper::doSweep):
1157         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1158         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1159         changed to return a bool (true if there's more work to be done.)
1160
1161         * heap/WeakBlock.cpp:
1162         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
1163         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1164
1165         * heap/WeakBlock.h:
1166         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1167         if the WeakBlock could be detached from the MarkedBlock.
1168
1169         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1170         when declaring them.
1171
1172 2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1173
1174         Implement ES6 Object.getOwnPropertySymbols
1175         https://bugs.webkit.org/show_bug.cgi?id=141106
1176
1177         Reviewed by Geoffrey Garen.
1178
1179         This patch implements `Object.getOwnPropertySymbols`.
1180         One technical issue is that, since we use private symbols (such as `@Object`) in the
1181         privileged JS code in `builtins/`, they should not be exposed.
1182         To distinguish them from the usual symbols, we check that the target `StringImpl*` is not a private name
1183         before adding it into PropertyNameArray.
1184
1185         To check whether the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`
1186         since all private symbols are held in this map.
1187
1188         * builtins/BuiltinExecutables.cpp:
1189         (JSC::BuiltinExecutables::createExecutableInternal):
1190         * builtins/BuiltinNames.h:
1191         (JSC::BuiltinNames::isPrivateName):
1192         * runtime/CommonIdentifiers.cpp:
1193         (JSC::CommonIdentifiers::isPrivateName):
1194         * runtime/CommonIdentifiers.h:
1195         * runtime/EnumerationMode.h:
1196         (JSC::EnumerationMode::EnumerationMode):
1197         (JSC::EnumerationMode::includeSymbolProperties):
1198         * runtime/ExceptionHelpers.cpp:
1199         (JSC::createUndefinedVariableError):
1200         * runtime/JSGlobalObject.cpp:
1201         (JSC::JSGlobalObject::init):
1202         * runtime/JSLexicalEnvironment.cpp:
1203         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1204         * runtime/JSSymbolTableObject.cpp:
1205         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1206         * runtime/ObjectConstructor.cpp:
1207         (JSC::ObjectConstructor::finishCreation):
1208         (JSC::objectConstructorGetOwnPropertySymbols):
1209         (JSC::defineProperties):
1210         (JSC::objectConstructorSeal):
1211         (JSC::objectConstructorFreeze):
1212         (JSC::objectConstructorIsSealed):
1213         (JSC::objectConstructorIsFrozen):
1214         * runtime/ObjectConstructor.h:
1215         (JSC::ObjectConstructor::create):
1216         * runtime/Structure.cpp:
1217         (JSC::Structure::getPropertyNamesFromStructure):
1218         * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
1219         (compare):
1220         * tests/stress/object-get-own-property-symbols.js: Added.
1221         (forIn):
1222         * tests/stress/symbol-define-property.js: Added.
1223         (testSymbol):
1224         * tests/stress/symbol-seal-and-freeze.js: Added.
1225         * tests/stress/symbol-with-json.js: Added.
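
        Added example (plain JavaScript, not code from this ChangeLog entry or from the tests it lists): where
        symbol-keyed properties appear across the enumeration APIs, and that seal/freeze and their is* checks cover
        them too, which is what symbol-seal-and-freeze.js and symbol-with-json.js exercise. Private builtin symbols
        cannot be observed from script, so this example does not try. The symbols and helper names are this
        example's own.

```javascript
'use strict';

// Added example: symbol-keyed properties versus the enumeration APIs.
// Symbols and function names here are the example's own.
const hidden = Symbol('hidden');
const nonEnum = Symbol('nonEnum');

function makeRecord() {
  const o = { visible: 1 };
  o[hidden] = 'secret';
  Object.defineProperty(o, nonEnum, { value: 2, enumerable: false });
  return o;
}

// Only getOwnPropertySymbols and Reflect.ownKeys expose symbol keys; the
// string-keyed APIs, for-in and JSON.stringify all skip them.
function enumerationReport(o) {
  const forIn = [];
  for (const k in o) forIn.push(k);
  return {
    keys: Object.keys(o),
    names: Object.getOwnPropertyNames(o),
    symbols: Object.getOwnPropertySymbols(o).map((s) => s.description),
    ownKeyCount: Reflect.ownKeys(o).length,
    forIn,
    json: JSON.stringify(o),
  };
}

// Object.freeze covers symbol-keyed properties: in strict mode the write
// throws a TypeError and the stored value is unchanged.
function freezeCoversSymbolKeys() {
  const o = Object.freeze(makeRecord());
  let threw = false;
  try {
    o[hidden] = 'changed';
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return threw && o[hidden] === 'secret' && Object.isFrozen(o);
}

// Object.isFrozen inspects symbol-keyed properties as well: an object whose
// only property is a writable symbol-keyed one is sealed but not frozen.
function sealedButNotFrozenViaSymbol() {
  const o = {};
  o[hidden] = 1;
  Object.seal(o);
  return Object.isSealed(o) && !Object.isFrozen(o);
}
```

        The report is returned as a plain object so the individual API results can be compared in one assertion.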
1226
1227 2015-04-03  Mark Lam  <mark.lam@apple.com>
1228
1229         Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
1230         <https://webkit.org/b/143385>
1231
1232         Reviewed by Geoffrey Garen.
1233
1234         For debugging purposes, sometimes, we want to be able to make compilation happen
1235         sooner to see if we can accelerate the manifestation of certain events / bugs.
1236         Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
1237         which make up the compilation policy.  Let's add a single knob that can tune all
1238         the thresholds up / down in one go proportionately so that we can easily tweak
1239         how soon compilation occurs.
1240
1241         * runtime/Options.cpp:
1242         (JSC::scaleJITPolicy):
1243         (JSC::recomputeDependentOptions):
1244         * runtime/Options.h:
1245
1246 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
1247
1248         is* API methods should be @properties
1249         https://bugs.webkit.org/show_bug.cgi?id=143388
1250
1251         Reviewed by Mark Lam.
1252
1253         This appears to be the preferred idiom in WebKit, CA, AppKit, and
1254         Foundation.
1255
1256         * API/JSValue.h: Be @properties.
1257
1258         * API/tests/testapi.mm:
1259         (testObjectiveCAPI): Use the @properties.
1260
1261 2015-04-03  Mark Lam  <mark.lam@apple.com>
1262
1263         Some JSC Options refactoring and enhancements.
1264         <https://webkit.org/b/143384>
1265
1266         Rubber stamped by Benjamin Poulain.
1267
1268         Create a better encapsulated Option class to make working with options easier.  This
1269         is a building block towards a JIT policy scaling debugging option I will introduce later.
1270
1271         This work entails:
1272         1. Convert Options::Option into a public class Option (which works closely with Options).
1273         2. Convert Options::EntryType into an enum class Options::Type and make it public.
1274         3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
1275         4. Add misc methods to class Option to make it more useable.
1276
1277         * runtime/Options.cpp:
1278         (JSC::Options::dumpOption):
1279         (JSC::Option::dump):
1280         (JSC::Option::operator==):
1281         (JSC::Options::Option::dump): Deleted.
1282         (JSC::Options::Option::operator==): Deleted.
1283         * runtime/Options.h:
1284         (JSC::Option::Option):
1285         (JSC::Option::operator!=):
1286         (JSC::Option::name):
1287         (JSC::Option::description):
1288         (JSC::Option::type):
1289         (JSC::Option::isOverridden):
1290         (JSC::Option::defaultOption):
1291         (JSC::Option::boolVal):
1292         (JSC::Option::unsignedVal):
1293         (JSC::Option::doubleVal):
1294         (JSC::Option::int32Val):
1295         (JSC::Option::optionRangeVal):
1296         (JSC::Option::optionStringVal):
1297         (JSC::Option::gcLogLevelVal):
1298         (JSC::Options::Option::Option): Deleted.
1299         (JSC::Options::Option::operator!=): Deleted.
1300
1301 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
1302
1303         JavaScriptCore API should support type checking for Array and Date
1304         https://bugs.webkit.org/show_bug.cgi?id=143324
1305
1306         Follow-up to address a comment by Dan.
1307
1308         * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
1309         is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
1310         is equal to 101100.
1311
1312 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
1313
1314         JavaScriptCore API should support type checking for Array and Date
1315         https://bugs.webkit.org/show_bug.cgi?id=143324
1316
1317         Follow-up to address a comment by Dan.
1318
1319         * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
1320         Added a comment explaining why.
1321
1322 2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>
1323
1324         FTL JIT tests should fail if LLVM library isn't available
1325         https://bugs.webkit.org/show_bug.cgi?id=143374
1326
1327         Reviewed by Mark Lam.
1328
1329         * dfg/DFGPlan.cpp:
1330         (JSC::DFG::Plan::compileInThreadImpl):
1331         * runtime/Options.h:
1332
1333 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
1334
1335         Fix the EFL and GTK build after r182243
1336         https://bugs.webkit.org/show_bug.cgi?id=143361
1337
1338         Reviewed by Csaba Osztrogonác.
1339
1340         * CMakeLists.txt: InspectorBackendCommands.js is generated in the
1341         DerivedSources/JavaScriptCore/inspector/ directory.
1342
1343 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
1344
1345         Unreviewed, fixing Clang builds of the GTK port on Linux.
1346
1347         * runtime/Options.cpp:
1348         Include the <math.h> header for isnan().
1349
1350 2015-04-02  Mark Lam  <mark.lam@apple.com>
1351
1352         Enhance ability to dump JSC Options.
1353         <https://webkit.org/b/143357>
1354
1355         Reviewed by Benjamin Poulain.
1356
1357         Some enhancements to how the JSC options work:
1358
1359         1. Add a JSC_showOptions option which takes the values: 0 = None, 1 = Overridden only,
1360            2 = All, 3 = Verbose.
1361
1362            The default is 0 (None).  This dumps nothing.
1363            With the Overridden setting, at VM initialization time, we will dump all
1364            option values that have been changed from their default.
1365            With the All setting, at VM initialization time, we will dump all option values.
1366            With the Verbose setting, at VM initialization time, we will dump all option
1367            values along with their descriptions (if available).
1368
1369         2. We now store a copy of the default option values.
1370
1371            We later use this for comparison to tell if an option has been overridden, and
1372            print the default value for reference.  As a result, we no longer need the
1373            didOverride flag since we can compute whether the option is overridden at any time.
1374
1375         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
1376
1377            This will come in handy later when we want to rename some of the options to more sane
1378            names that are easier to remember.  For example, we can change
1379            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
1380            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
1381            of the description, we can afford to use shorter and less descriptive option names,
1382            but they will be easier to remember and use for day to day debugging work.
1383
1384            In this patch, I did not change the names of any of the options yet.  I only added
1385            description strings for options that I know about, and where I think the option name
1386            isn't already descriptive enough.
1387
1388         4. Also deleted some unused code.
1389
1390         * jsc.cpp:
1391         (CommandLine::parseArguments):
1392         * runtime/Options.cpp:
1393         (JSC::Options::initialize):
1394         (JSC::Options::setOption):
1395         (JSC::Options::dumpAllOptions):
1396         (JSC::Options::dumpOption):
1397         (JSC::Options::Option::dump):
1398         (JSC::Options::Option::operator==):
1399         * runtime/Options.h:
1400         (JSC::OptionRange::rangeString):
1401         (JSC::Options::Option::Option):
1402         (JSC::Options::Option::operator!=):
1403
1404 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
1405
1406         JavaScriptCore API should support type checking for Array and Date
1407         https://bugs.webkit.org/show_bug.cgi?id=143324
1408
1409         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
1410
1411         * API/JSValue.h:
1412         * API/JSValue.mm:
1413         (-[JSValue isArray]):
1414         (-[JSValue isDate]): Added an ObjC API.
1415
1416         * API/JSValueRef.cpp:
1417         (JSValueIsArray):
1418         (JSValueIsDate):
1419         * API/JSValueRef.h: Added a C API.
1420
1421         * API/WebKitAvailability.h: Brought our availability macros up to date
1422         and fixed a harmless bug where "10_10" translated to "10.0".
1423
1424         * API/tests/testapi.c:
1425         (main): Added a test and corrected a pre-existing leak.
1426
1427         * API/tests/testapi.mm:
1428         (testObjectiveCAPI): Added a test.
1429
1430 2015-04-02  Mark Lam  <mark.lam@apple.com>
1431
1432         Add Options::dumpSourceAtDFGTime().
1433         <https://webkit.org/b/143349>
1434
1435         Reviewed by Oliver Hunt, and Michael Saboff.
1436
1437         Sometimes, we will want to see the JS source code that we're compiling, and it
1438         would be nice to be able to do this without having to jump through a lot of hoops.
1439         So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
1440         Options::dumpBytecodeAtDFGTime() option.
1441
1442         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
1443         that explicitly take no arguments (instead of relying on the version that takes
1444         the default argument).  These versions are friendlier to use when we want to call
1445         them from an interactive debugging session.
1446
1447         * bytecode/CodeBlock.cpp:
1448         (JSC::CodeBlock::dumpSource):
1449         (JSC::CodeBlock::dumpBytecode):
1450         * bytecode/CodeBlock.h:
1451         * dfg/DFGByteCodeParser.cpp:
1452         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1453         * runtime/Options.h:
1454
1455 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1456
1457         Clean up EnumerationMode to easily extend
1458         https://bugs.webkit.org/show_bug.cgi?id=143276
1459
1460         Reviewed by Geoffrey Garen.
1461
1462         To make the following easy:
1463         1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
1464         2. Making ExcludeSymbols the implicit default for the existing flags
1465         we encapsulate the EnumerationMode flags into an EnumerationMode class.
1466
1467         And this class manages 2 flags. Later it will be extended to 3.
1468         1. DontEnumPropertiesMode (default is Exclude)
1469         2. JSObjectPropertiesMode (default is Include)
1470         3. SymbolPropertiesMode (default is Exclude)
1471             SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.
1472
1473         This patch replaces places using ExcludeDontEnumProperties
1474         with the EnumerationMode() value, which represents the default mode.
1475
1476         * API/JSCallbackObjectFunctions.h:
1477         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1478         * API/JSObjectRef.cpp:
1479         (JSObjectCopyPropertyNames):
1480         * bindings/ScriptValue.cpp:
1481         (Deprecated::jsToInspectorValue):
1482         * bytecode/ObjectAllocationProfile.h:
1483         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
1484         * runtime/ArrayPrototype.cpp:
1485         (JSC::arrayProtoFuncSort):
1486         * runtime/EnumerationMode.h:
1487         (JSC::EnumerationMode::EnumerationMode):
1488         (JSC::EnumerationMode::includeDontEnumProperties):
1489         (JSC::EnumerationMode::includeJSObjectProperties):
1490         (JSC::shouldIncludeDontEnumProperties): Deleted.
1491         (JSC::shouldExcludeDontEnumProperties): Deleted.
1492         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
1493         (JSC::modeThatSkipsJSObject): Deleted.
1494         * runtime/GenericArgumentsInlines.h:
1495         (JSC::GenericArguments<Type>::getOwnPropertyNames):
1496         * runtime/JSArray.cpp:
1497         (JSC::JSArray::getOwnNonIndexPropertyNames):
1498         * runtime/JSArrayBuffer.cpp:
1499         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
1500         * runtime/JSArrayBufferView.cpp:
1501         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1502         * runtime/JSFunction.cpp:
1503         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1504         * runtime/JSFunction.h:
1505         * runtime/JSGenericTypedArrayViewInlines.h:
1506         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
1507         * runtime/JSLexicalEnvironment.cpp:
1508         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1509         * runtime/JSONObject.cpp:
1510         (JSC::Stringifier::Holder::appendNextProperty):
1511         (JSC::Walker::walk):
1512         * runtime/JSObject.cpp:
1513         (JSC::getClassPropertyNames):
1514         (JSC::JSObject::getOwnPropertyNames):
1515         (JSC::JSObject::getOwnNonIndexPropertyNames):
1516         (JSC::JSObject::getGenericPropertyNames):
1517         * runtime/JSPropertyNameEnumerator.h:
1518         (JSC::propertyNameEnumerator):
1519         * runtime/JSSymbolTableObject.cpp:
1520         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1521         * runtime/ObjectConstructor.cpp:
1522         (JSC::objectConstructorGetOwnPropertyNames):
1523         (JSC::objectConstructorKeys):
1524         (JSC::defineProperties):
1525         (JSC::objectConstructorSeal):
1526         (JSC::objectConstructorFreeze):
1527         (JSC::objectConstructorIsSealed):
1528         (JSC::objectConstructorIsFrozen):
1529         * runtime/RegExpObject.cpp:
1530         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
1531         (JSC::RegExpObject::getPropertyNames):
1532         (JSC::RegExpObject::getGenericPropertyNames):
1533         * runtime/StringObject.cpp:
1534         (JSC::StringObject::getOwnPropertyNames):
1535         * runtime/Structure.cpp:
1536         (JSC::Structure::getPropertyNamesFromStructure):
1537
1538 2015-04-01  Alex Christensen  <achristensen@webkit.org>
1539
1540         Progress towards CMake on Windows and Mac.
1541         https://bugs.webkit.org/show_bug.cgi?id=143293
1542
1543         Reviewed by Filip Pizlo.
1544
1545         * CMakeLists.txt:
1546         Enabled using assembly on Windows.
1547         Replaced unix commands with CMake commands.
1548         * PlatformMac.cmake:
1549         Tell open source builders where to find unicode headers.
1550
1551 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1552
1553         IteratorClose should be called when jumping over the target for-of loop
1554         https://bugs.webkit.org/show_bug.cgi?id=143140
1555
1556         Reviewed by Geoffrey Garen.
1557
1558         This patch fixes labeled break/continue behaviors with for-of and iterators.
1559
1560         1. Support IteratorClose beyond multiple loop contexts
1561         Previously, IteratorClose was only executed in for-of's breakTarget().
1562         However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
1563         For example,
1564         outer: for (var e1 of outer) {
1565             inner: for (var e2 of inner) {
1566                 break outer;
1567             }
1568         }
1569         In this case, the return method of inner should be called.
1570         We leverage the existing system for `finally` to execute the inner.return method correctly.
1571         Leveraging the `finally` system fixes the `break`, `continue` and `return` cases.
1572         The `throw` case is already supported by emitting try-catch handlers in for-of.
1573
1574         2. Incorrect LabelScope creation is done in ForOfNode
1575         ForOfNode creates a duplicated LabelScope.
1576         It causes an infinite loop when executing the following program, which contains an
1577         explicitly labeled for-of loop.
1578         For example,
1579         inner: for (var elm of array) {
1580             continue inner;
1581         }
1582
1583         * bytecompiler/BytecodeGenerator.cpp:
1584         (JSC::BytecodeGenerator::pushFinallyContext):
1585         (JSC::BytecodeGenerator::pushIteratorCloseContext):
1586         (JSC::BytecodeGenerator::popFinallyContext):
1587         (JSC::BytecodeGenerator::popIteratorCloseContext):
1588         (JSC::BytecodeGenerator::emitComplexPopScopes):
1589         (JSC::BytecodeGenerator::emitEnumeration):
1590         (JSC::BytecodeGenerator::emitIteratorClose):
1591         * bytecompiler/BytecodeGenerator.h:
1592         * bytecompiler/NodesCodegen.cpp:
1593         (JSC::ForOfNode::emitBytecode):
1594         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
1595         (createIterator.iterator.return):
1596         (createIterator):
1597         * tests/stress/raise-error-in-iterator-close.js: Added.
1598         (createIterator.iterator.return):
1599         (createIterator):
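
As an added example (not code from this ChangeLog entry or the JSC tree), the following script records which iterator return() methods run when a labeled break, a labeled continue and an early return leave nested for-of loops; the iterable names and the logging helper are constructed for the demo.

```javascript
// Added example (not part of the WebKit ChangeLog entry or JSC source):
// records which iterators get their return() method called when a labeled
// break, a labeled continue, or a return leaves nested for-of loops.

// Build an iterable whose iterator logs calls to return() into `log`.
function createIterator(name, values, log) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          return i < values.length
            ? { value: values[i++], done: false }
            : { value: undefined, done: true };
        },
        return() {
          log.push(name); // IteratorClose landed here
          return { done: true };
        },
      };
    },
  };
}

// Case 1 from the entry: `break outer` from the inner loop must close BOTH
// iterators, innermost first, even though the break target is the outer loop.
function labeledBreakClosesBothIterators() {
  const log = [];
  const outer = createIterator("outer", [1, 2], log);
  const inner = createIterator("inner", [10, 20], log);
  outer: for (const e1 of outer) {
    inner: for (const e2 of inner) {
      break outer;
    }
  }
  return log; // ["inner", "outer"]
}

// Case 2 from the entry: an explicitly labeled for-of with `continue inner`
// must terminate normally. The iterator is exhausted, so return() never runs.
function labeledContinueTerminates() {
  const log = [];
  const array = createIterator("array", [1, 2, 3], log);
  let count = 0;
  inner: for (const elm of array) {
    count++;
    continue inner;
  }
  return { count, log }; // { count: 3, log: [] }
}

// The `return` case the entry mentions: returning from inside both loops also
// closes both iterators, innermost first.
function earlyReturnClosesBothIterators() {
  const log = [];
  const outer = createIterator("outer", [1], log);
  const inner = createIterator("inner", [1], log);
  const result = (function () {
    for (const a of outer) {
      for (const b of inner) {
        return a + b;
      }
    }
  })();
  return { result, log }; // { result: 2, log: ["inner", "outer"] }
}
```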
1600
1601 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1602
1603         [ES6] Implement Symbol.unscopables
1604         https://bugs.webkit.org/show_bug.cgi?id=142829
1605
1606         Reviewed by Geoffrey Garen.
1607
1608         This patch introduces Symbol.unscopables functionality.
1609         In ES6, some generic names (like keys, values) are introduced
1610         as Array method names. And this breaks the web since some web sites
1611         use code like the following.
1612
1613         var values = ...;
1614         with (array) {
1615             values;  // This values is trapped by array's method "values".
1616         }
1617
1618         To fix this, Symbol.unscopables introduces a blacklist
1619         for with scope's trapping. When resolving a scope,
1620         if the name is found in the target scope and the target scope is a with scope,
1621         we check the Symbol.unscopables object to filter generic names.
1622
1623         This functionality is only active for with scopes.
1624         The global scope does not have unscopables functionality.
1625
1626         And since
1627         1) op_resolve_scope for a with scope always returns the Dynamic resolve type,
1628         2) in that case, JSScope::resolve is always used in the JIT and LLInt,
1629         3) the code which contains an op_resolve_scope that returns Dynamic cannot be compiled with the DFG and FTL,
1630         to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
1631         So the performance regression is only visible in the Dynamic resolving case, which is already very slow.
1632
1633         * runtime/ArrayPrototype.cpp:
1634         (JSC::ArrayPrototype::finishCreation):
1635         * runtime/CommonIdentifiers.h:
1636         * runtime/JSGlobalObject.h:
1637         (JSC::JSGlobalObject::runtimeFlags):
1638         * runtime/JSScope.cpp:
1639         (JSC::isUnscopable):
1640         (JSC::JSScope::resolve):
1641         * runtime/JSScope.h:
1642         (JSC::ScopeChainIterator::scope):
1643         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
1644         (test):
1645         * tests/stress/unscopables.js: Added.
1646         (test):
1647         (.):
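
As an added example (not code from this ChangeLog entry or the JSC tree), the script below shows the web-compat case from the entry and how Symbol.unscopables keeps `with (array) { values }` resolving to the outer binding, that a custom object can opt properties out the same way, and that the global scope ignores the list; the scope objects and string values are constructed for the demo.

```javascript
// Added example (not part of the WebKit ChangeLog entry or JSC source):
// shows how Symbol.unscopables keeps `with (array) { values }` resolving to
// the outer `values` binding even though Array.prototype.values now exists.

// `with` is a sloppy-mode-only construct, so the statement is compiled with
// the Function constructor (its body is sloppy mode regardless of this file).
const resolveInsideWith = new Function(
  "scopeObject",
  "values",
  "with (scopeObject) { return values; }"
);

// ES6 arrays: Array.prototype[Symbol.unscopables].values is true, so the
// array's inherited `values` method is skipped and the outer argument wins.
function arrayDoesNotTrapValues() {
  return resolveInsideWith([1, 2, 3], "outer values");
}

// A plain object has no unscopables list, so its own `values` property is
// found first: this is the trapping behaviour the entry describes.
function plainObjectTrapsValues() {
  return resolveInsideWith({ values: "trapped by object" }, "outer values");
}

// Opting a custom object's property out of `with` resolution the same way
// Array.prototype does: a blacklist object stored under Symbol.unscopables.
function customUnscopablesSkipsProperty() {
  const scopeObject = {
    values: "trapped by object",
    [Symbol.unscopables]: { values: true },
  };
  return resolveInsideWith(scopeObject, "outer values");
}

// The entry notes that only with scopes consult Symbol.unscopables; the
// global object does not. A global `values` plus a global unscopables list
// still resolves to the global binding.
function globalScopeIgnoresUnscopables() {
  globalThis.values = "global values";
  globalThis[Symbol.unscopables] = { values: true };
  try {
    return new Function("return values;")();
  } finally {
    delete globalThis.values;
    delete globalThis[Symbol.unscopables];
  }
}
```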
1648
1649 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
1650
1651         ES6 class syntax should allow static setters and getters
1652         https://bugs.webkit.org/show_bug.cgi?id=143180
1653
1654         Reviewed by Filip Pizlo.
1655
1656         Apparently I misread the spec when I initially implemented parseClass.
1657         ES6 class syntax allows static getters and setters so just allow that.
1658
1659         * parser/Parser.cpp:
1660         (JSC::Parser<LexerType>::parseClass):
1661
1662 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
1663
1664         PutClosureVar CSE def() rule has a wrong base
1665         https://bugs.webkit.org/show_bug.cgi?id=143280
1666
1667         Reviewed by Michael Saboff.
1668         
1669         I think that this code was incorrect in a benign way, since the base of a
1670         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
1671
1672         * dfg/DFGClobberize.h:
1673         (JSC::DFG::clobberize):
1674
1675 2015-03-31  Commit Queue  <commit-queue@webkit.org>
1676
1677         Unreviewed, rolling out r182200.
1678         https://bugs.webkit.org/show_bug.cgi?id=143279
1679
1680         Probably causing assertion extravaganza on bots. (Requested by
1681         kling on #webkit).
1682
1683         Reverted changeset:
1684
1685         "Logically empty WeakBlocks should not pin down their
1686         MarkedBlocks indefinitely."
1687         https://bugs.webkit.org/show_bug.cgi?id=143210
1688         http://trac.webkit.org/changeset/182200
1689
1690 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1691
1692         Clean up Identifier factories to clarify the meaning of StringImpl*
1693         https://bugs.webkit.org/show_bug.cgi?id=143146
1694
1695         Reviewed by Filip Pizlo.
1696
1697         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
1698         However, it's ambiguous because `StringImpl*` has 2 different meanings:
1699         1) a normal string, which is replaceable with `WTFString`, and
1700         2) a `uid`, which holds `isSymbol` information to represent Symbols.
1701         So we dropped the Identifier constructors for strings and instead introduced 2 factory functions.
1702         + `Identifier::fromString(VM*/ExecState*, const String&)`.
1703         Just constructs an Identifier from strings. The symbol-ness of StringImpl* is not kept.
1704         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
1705         This function is used for 2) `uid`. So the symbol-ness of `StringImpl*` is kept.
1706
1707         And to clean up `StringImpl` when it is used as a uid,
1708         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
1709         1. StringNormal (non-atomic, non-symbol)
1710         2. StringAtomic (atomic, non-symbol)
1711         3. StringSymbol (non-atomic, symbol)
1712         They are mutually exclusive. And the (atomic, symbol) case should not exist.
1713
1714         * API/JSCallbackObjectFunctions.h:
1715         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1716         * API/JSObjectRef.cpp:
1717         (JSObjectMakeFunction):
1718         * API/OpaqueJSString.cpp:
1719         (OpaqueJSString::identifier):
1720         * bindings/ScriptFunctionCall.cpp:
1721         (Deprecated::ScriptFunctionCall::call):
1722         * builtins/BuiltinExecutables.cpp:
1723         (JSC::BuiltinExecutables::createExecutableInternal):
1724         * builtins/BuiltinNames.h:
1725         (JSC::BuiltinNames::BuiltinNames):
1726         * bytecompiler/BytecodeGenerator.cpp:
1727         (JSC::BytecodeGenerator::BytecodeGenerator):
1728         (JSC::BytecodeGenerator::emitThrowReferenceError):
1729         (JSC::BytecodeGenerator::emitThrowTypeError):
1730         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1731         (JSC::BytecodeGenerator::emitEnumeration):
1732         * dfg/DFGDesiredIdentifiers.cpp:
1733         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1734         * inspector/JSInjectedScriptHost.cpp:
1735         (Inspector::JSInjectedScriptHost::functionDetails):
1736         (Inspector::constructInternalProperty):
1737         (Inspector::JSInjectedScriptHost::weakMapEntries):
1738         (Inspector::JSInjectedScriptHost::iteratorEntries):
1739         * inspector/JSInjectedScriptHostPrototype.cpp:
1740         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1741         * inspector/JSJavaScriptCallFramePrototype.cpp:
1742         * inspector/ScriptCallStackFactory.cpp:
1743         (Inspector::extractSourceInformationFromException):
1744         * jit/JITOperations.cpp:
1745         * jsc.cpp:
1746         (GlobalObject::finishCreation):
1747         (GlobalObject::addFunction):
1748         (GlobalObject::addConstructableFunction):
1749         (functionRun):
1750         (runWithScripts):
1751         * llint/LLIntData.cpp:
1752         (JSC::LLInt::Data::performAssertions):
1753         * llint/LowLevelInterpreter.asm:
1754         * parser/ASTBuilder.h:
1755         (JSC::ASTBuilder::addVar):
1756         * parser/Parser.cpp:
1757         (JSC::Parser<LexerType>::parseInner):
1758         (JSC::Parser<LexerType>::createBindingPattern):
1759         * parser/ParserArena.h:
1760         (JSC::IdentifierArena::makeIdentifier):
1761         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
1762         (JSC::IdentifierArena::makeNumericIdentifier):
1763         * runtime/ArgumentsIteratorPrototype.cpp:
1764         (JSC::ArgumentsIteratorPrototype::finishCreation):
1765         * runtime/ArrayIteratorPrototype.cpp:
1766         (JSC::ArrayIteratorPrototype::finishCreation):
1767         * runtime/ArrayPrototype.cpp:
1768         (JSC::ArrayPrototype::finishCreation):
1769         (JSC::arrayProtoFuncPush):
1770         * runtime/ClonedArguments.cpp:
1771         (JSC::ClonedArguments::getOwnPropertySlot):
1772         * runtime/CommonIdentifiers.cpp:
1773         (JSC::CommonIdentifiers::CommonIdentifiers):
1774         * runtime/CommonIdentifiers.h:
1775         * runtime/Error.cpp:
1776         (JSC::addErrorInfo):
1777         (JSC::hasErrorInfo):
1778         * runtime/ExceptionHelpers.cpp:
1779         (JSC::createUndefinedVariableError):
1780         * runtime/GenericArgumentsInlines.h:
1781         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1782         * runtime/Identifier.h:
1783         (JSC::Identifier::isSymbol):
1784         (JSC::Identifier::Identifier):
1785         (JSC::Identifier::from): Deleted.
1786         * runtime/IdentifierInlines.h:
1787         (JSC::Identifier::Identifier):
1788         (JSC::Identifier::fromUid):
1789         (JSC::Identifier::fromString):
1790         * runtime/JSCJSValue.cpp:
1791         (JSC::JSValue::dumpInContextAssumingStructure):
1792         * runtime/JSCJSValueInlines.h:
1793         (JSC::JSValue::toPropertyKey):
1794         * runtime/JSGlobalObject.cpp:
1795         (JSC::JSGlobalObject::init):
1796         * runtime/JSLexicalEnvironment.cpp:
1797         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
1798         * runtime/JSObject.cpp:
1799         (JSC::getClassPropertyNames):
1800         (JSC::JSObject::reifyStaticFunctionsForDelete):
1801         * runtime/JSObject.h:
1802         (JSC::makeIdentifier):
1803         * runtime/JSPromiseConstructor.cpp:
1804         (JSC::JSPromiseConstructorFuncRace):
1805         (JSC::JSPromiseConstructorFuncAll):
1806         * runtime/JSString.h:
1807         (JSC::JSString::toIdentifier):
1808         * runtime/JSSymbolTableObject.cpp:
1809         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1810         * runtime/LiteralParser.cpp:
1811         (JSC::LiteralParser<CharType>::tryJSONPParse):
1812         (JSC::LiteralParser<CharType>::makeIdentifier):
1813         * runtime/Lookup.h:
1814         (JSC::reifyStaticProperties):
1815         * runtime/MapConstructor.cpp:
1816         (JSC::constructMap):
1817         * runtime/MapIteratorPrototype.cpp:
1818         (JSC::MapIteratorPrototype::finishCreation):
1819         * runtime/MapPrototype.cpp:
1820         (JSC::MapPrototype::finishCreation):
1821         * runtime/MathObject.cpp:
1822         (JSC::MathObject::finishCreation):
1823         * runtime/NumberConstructor.cpp:
1824         (JSC::NumberConstructor::finishCreation):
1825         * runtime/ObjectConstructor.cpp:
1826         (JSC::ObjectConstructor::finishCreation):
1827         * runtime/PrivateName.h:
1828         (JSC::PrivateName::PrivateName):
1829         * runtime/PropertyMapHashTable.h:
1830         (JSC::PropertyTable::find):
1831         (JSC::PropertyTable::get):
1832         * runtime/PropertyName.h:
1833         (JSC::PropertyName::PropertyName):
1834         (JSC::PropertyName::publicName):
1835         (JSC::PropertyName::asIndex):
1836         * runtime/PropertyNameArray.cpp:
1837         (JSC::PropertyNameArray::add):
1838         * runtime/PropertyNameArray.h:
1839         (JSC::PropertyNameArray::addKnownUnique):
1840         * runtime/RegExpConstructor.cpp:
1841         (JSC::RegExpConstructor::finishCreation):
1842         * runtime/SetConstructor.cpp:
1843         (JSC::constructSet):
1844         * runtime/SetIteratorPrototype.cpp:
1845         (JSC::SetIteratorPrototype::finishCreation):
1846         * runtime/SetPrototype.cpp:
1847         (JSC::SetPrototype::finishCreation):
1848         * runtime/StringIteratorPrototype.cpp:
1849         (JSC::StringIteratorPrototype::finishCreation):
1850         * runtime/StringPrototype.cpp:
1851         (JSC::StringPrototype::finishCreation):
1852         * runtime/Structure.cpp:
1853         (JSC::Structure::getPropertyNamesFromStructure):
1854         * runtime/SymbolConstructor.cpp:
1855         * runtime/VM.cpp:
1856         (JSC::VM::throwException):
1857         * runtime/WeakMapConstructor.cpp:
1858         (JSC::constructWeakMap):
1859
1860 2015-03-31  Andreas Kling  <akling@apple.com>
1861
1862         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
1863         <https://webkit.org/b/143210>
1864
1865         Reviewed by Geoffrey Garen.
1866
1867         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
1868         we had a little problem where WeakBlocks with only null pointers would still keep their
1869         MarkedBlock alive.
1870
1871         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
1872         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
1873         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
1874         destroying them once they're fully dead.
1875
1876         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
1877         a mysterious issue where doing two full garbage collections back-to-back would free additional
1878         memory in the second collection.
1879
1880         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
1881         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
1882         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
1883
1884         * heap/Heap.h:
1885         * heap/Heap.cpp:
1886         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
1887         owned by Heap, after everything else has been swept.
1888
1889         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
1890         after a full garbage collection ends. Note that we don't do this after Eden collections, since
1891         they are unlikely to cause entire WeakBlocks to go empty.
1892
1893         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
1894         to the Heap when it's detached from a WeakSet.
1895
1896         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
1897         of the logically empty WeakBlocks owned by Heap.
1898
1899         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
1900         and updates the next-logically-empty-weak-block-to-sweep index.
1901
1902         (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
1903         won't be another chance after this.
1904
1905         * heap/IncrementalSweeper.h:
1906         (JSC::IncrementalSweeper::hasWork): Deleted.
1907
1908         * heap/IncrementalSweeper.cpp:
1909         (JSC::IncrementalSweeper::fullSweep):
1910         (JSC::IncrementalSweeper::doSweep):
1911         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
1912         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
1913         changed to return a bool (true if there's more work to be done.)
1914
1915         * heap/WeakBlock.cpp:
1916         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
1917         contain any pointers to live objects. The answer is stored in a new SweepResult member.
1918
1919         * heap/WeakBlock.h:
1920         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
1921         if the WeakBlock could be detached from the MarkedBlock.
1922
1923         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
1924         when declaring them.
1925
1926 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
1927
1928         eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
1929         https://bugs.webkit.org/show_bug.cgi?id=142883
1930
1931         Reviewed by Filip Pizlo.
1932
1933         The crash was caused by eval inside the constructor of a derived class not checking TDZ.
1934
1935         Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
1936         in eval inside a derived class' constructor.
1937
1938         * bytecode/EvalCodeCache.h:
1939         (JSC::EvalCodeCache::getSlow):
1940         * bytecompiler/NodesCodegen.cpp:
1941         (JSC::ThisNode::emitBytecode):
1942         * debugger/DebuggerCallFrame.cpp:
1943         (JSC::DebuggerCallFrame::evaluate):
1944         * interpreter/Interpreter.cpp:
1945         (JSC::eval):
1946         * parser/ASTBuilder.h:
1947         (JSC::ASTBuilder::thisExpr):
1948         * parser/NodeConstructors.h:
1949         (JSC::ThisNode::ThisNode):
1950         * parser/Nodes.h:
1951         * parser/Parser.cpp:
1952         (JSC::Parser<LexerType>::Parser):
1953         (JSC::Parser<LexerType>::parsePrimaryExpression):
1954         * parser/Parser.h:
1955         (JSC::parse):
1956         * parser/ParserModes.h:
1957         * parser/SyntaxChecker.h:
1958         (JSC::SyntaxChecker::thisExpr):
1959         * runtime/CodeCache.cpp:
1960         (JSC::CodeCache::getGlobalCodeBlock):
1961         (JSC::CodeCache::getProgramCodeBlock):
1962         (JSC::CodeCache::getEvalCodeBlock):
1963         * runtime/CodeCache.h:
1964         (JSC::SourceCodeKey::SourceCodeKey):
1965         * runtime/Executable.cpp:
1966         (JSC::EvalExecutable::create):
1967         * runtime/Executable.h:
1968         * runtime/JSGlobalObject.cpp:
1969         (JSC::JSGlobalObject::createEvalCodeBlock):
1970         * runtime/JSGlobalObject.h:
1971         * runtime/JSGlobalObjectFunctions.cpp:
1972         (JSC::globalFuncEval):
1973         * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
1974         * tests/stress/class-syntax-tdz-in-eval.js: Added.
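
As an added example (not code from this ChangeLog entry or the JSC tree), the script below exercises the two cases the new stress tests are named after: a direct eval("this.foo") in a derived class constructor before super() must hit the TDZ check and throw a ReferenceError, while the same eval after super() reads the property; the Base/Derived classes and property names are constructed for the demo.

```javascript
// Added example (not part of the WebKit ChangeLog entry or JSC source):
// demonstrates the TDZ rule the fix enforces. In a derived class constructor
// `this` is uninitialized until super() returns, so an eval("this.foo") that
// runs before super() must throw a ReferenceError instead of reading `this`.

class Base {
  constructor() {
    this.foo = "initialized by Base";
  }
}

// Returns the name of the error thrown when eval touches `this` before super().
function evalThisBeforeSuper() {
  class Derived extends Base {
    constructor() {
      // Direct eval inherits the constructor's `this` binding, still in its TDZ here.
      eval("this.foo");
      super();
    }
  }
  try {
    new Derived();
    return "no error";
  } catch (e) {
    return e.constructor.name; // "ReferenceError"
  }
}

// After super() the binding is initialized, so the same eval reads the property.
function evalThisAfterSuper() {
  class Derived extends Base {
    constructor() {
      super();
      this.bar = eval("this.foo");
    }
  }
  return new Derived().bar; // "initialized by Base"
}
```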
1975
1976 2015-03-31  Commit Queue  <commit-queue@webkit.org>
1977
1978         Unreviewed, rolling out r182186.
1979         https://bugs.webkit.org/show_bug.cgi?id=143270
1980
1981         It crashes all the WebGL tests on the Debug bots (Requested by
1982         dino on #webkit).
1983
1984         Reverted changeset:
1985
1986         "Web Inspector: add 2D/WebGL canvas instrumentation
1987         infrastructure"
1988         https://bugs.webkit.org/show_bug.cgi?id=137278
1989         http://trac.webkit.org/changeset/182186
1990
1991 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1992
1993         [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
1994         https://bugs.webkit.org/show_bug.cgi?id=142937
1995
1996         Reviewed by Darin Adler.
1997
1998         In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
1999         In ES5 or prior, when a first parameter is not an object type, these functions raise TypeError.
2000         But now, several functions perform ToObject onto a non-object parameter.
2001         And others behave as if a parameter is a non-extensible ordinary object with no own properties.
2002         It is described in ES6 Annex E.
2003         The functions that differ from ES5 are the following.
2004
2005         1. An attempt is made to coerce the argument using ToObject.
2006             Object.getOwnPropertyDescriptor
2007             Object.getOwnPropertyNames
2008             Object.getPrototypeOf
2009             Object.keys
2010
2011         2. Treated as if it was a non-extensible ordinary object with no own properties.
2012             Object.freeze
2013             Object.isExtensible
2014             Object.isFrozen
2015             Object.isSealed
2016             Object.preventExtensions
2017             Object.seal
2018
2019         * runtime/ObjectConstructor.cpp:
2020         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
2021         (JSC::objectConstructorGetPrototypeOf):
2022         (JSC::objectConstructorGetOwnPropertyDescriptor):
2023         (JSC::objectConstructorGetOwnPropertyNames):
2024         (JSC::objectConstructorKeys):
2025         (JSC::objectConstructorSeal):
2026         (JSC::objectConstructorFreeze):
2027         (JSC::objectConstructorPreventExtensions):
2028         (JSC::objectConstructorIsSealed):
2029         (JSC::objectConstructorIsFrozen):
2030         (JSC::objectConstructorIsExtensible):
2031         * tests/stress/object-freeze-accept-non-object.js: Added.
2032         * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
2033         (canary):
2034         * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
2035         (compare):
2036         * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
2037         * tests/stress/object-is-extensible-accept-non-object.js: Added.
2038         * tests/stress/object-is-frozen-accept-non-object.js: Added.
2039         * tests/stress/object-is-sealed-accept-non-object.js: Added.
2040         * tests/stress/object-keys-perform-to-object.js: Added.
2041         (compare):
2042         * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
2043         * tests/stress/object-seal-accept-non-object.js: Added.
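
Added example (not code from the WebKit ChangeLog or from JSC itself) that exercises the ES6 Annex E relaxation described above: group 1 applies ToObject to a non-object first argument, group 2 treats it as a non-extensible object with no own properties. It runs in any ES6-conformant engine.

```javascript
// Added example, not code from the WebKit ChangeLog or from JSC itself.
// Each call below would have thrown a TypeError under ES5 semantics.

// Call fn(arg) and report either the result or a thrown TypeError, so the
// ES5 behaviour (throw) and the ES6 behaviour can be compared directly.
function probe(fn, arg) {
  try {
    return { ok: true, value: fn(arg) };
  } catch (e) {
    if (e instanceof TypeError) return { ok: false, error: "TypeError" };
    throw e; // anything else is unexpected
  }
}

// Group 1: ToObject is applied. Primitives become their wrapper objects;
// null and undefined still throw because ToObject(null) itself throws.
function toObjectGroup() {
  return {
    keysOfString: probe(Object.keys, "ab").value,                  // ["0", "1"]
    namesOfString: probe(Object.getOwnPropertyNames, "ab").value,  // ["0", "1", "length"]
    protoOfNumber: probe(Object.getPrototypeOf, 1).value === Number.prototype, // true
    descriptorOnBool: probe(v => Object.getOwnPropertyDescriptor(v, "x"), true).value, // undefined
    keysOfNull: probe(Object.keys, null),           // { ok: false, error: "TypeError" }
    keysOfUndefined: probe(Object.keys, undefined), // { ok: false, error: "TypeError" }
  };
}

// Group 2: a non-object is treated as a frozen, non-extensible object with
// no own properties, so nothing throws, not even for null or undefined.
function nonExtensibleGroup() {
  return {
    freezeReturnsArg: Object.freeze(1) === 1,                             // true
    sealReturnsArg: Object.seal("s") === "s",                             // true
    preventExtensionsReturnsArg: Object.preventExtensions(null) === null, // true
    isFrozen: Object.isFrozen(1),            // true
    isSealed: Object.isSealed(undefined),    // true
    isExtensible: Object.isExtensible(true), // false
  };
}

// For contrast, the same calls on a real object behave exactly as in ES5.
function onRealObject() {
  const o = Object.freeze({ a: 1 });
  return {
    keys: Object.keys(o),                  // ["a"]
    frozen: Object.isFrozen(o),            // true
    extensible: Object.isExtensible(o),    // false
  };
}
```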
2044
2045 2015-03-31  Matt Baker  <mattbaker@apple.com>
2046
2047         Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
2048         https://bugs.webkit.org/show_bug.cgi?id=137278
2049
2050         Reviewed by Timothy Hatcher.
2051
2052         Added Canvas protocol which defines types used by InspectorCanvasAgent.
2053
2054         * CMakeLists.txt:
2055         * DerivedSources.make:
2056         * inspector/protocol/Canvas.json: Added.
2057
2058         * inspector/scripts/codegen/generator.py:
2059         (Generator.stylized_name_for_enum_value):
2060         Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.
2061
2062 2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>
2063
2064         Extending null should set __proto__ to null
2065         https://bugs.webkit.org/show_bug.cgi?id=142882
2066
2067         Reviewed by Geoffrey Garen and Benjamin Poulain.
2068
2069         Set Derived.prototype.__proto__ to null when extending null.
2070
2071         * bytecompiler/NodesCodegen.cpp:
2072         (JSC::ClassExprNode::emitBytecode):
2073
2074 2015-03-30  Mark Lam  <mark.lam@apple.com>
2075
2076         REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
2077         <https://webkit.org/b/143105>
2078
2079         Reviewed by Filip Pizlo.
2080
2081         With r181993, the DFG and FTL may elide the storing of the scope register.  As a result,
2082         on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
2083         JIT frames that may have their scope register not set.  The Debugger's current implementation
2084         which relies on the scope register is not happy about this.  For example, this results in a
2085         crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.
2086
2087         The fix is to disable inlining when the debugger is in use.  Also, we add Flush nodes to
2088         ensure that the scope register value is flushed to the register in the stack frame.
2089
2090         * dfg/DFGByteCodeParser.cpp:
2091         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2092         (JSC::DFG::ByteCodeParser::setLocal):
2093         (JSC::DFG::ByteCodeParser::flush):
2094         - Add code to flush the scope register.
2095         (JSC::DFG::ByteCodeParser::inliningCost):
2096         - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
2097           disabling inlining whenever the debugger is in use.
2098         * dfg/DFGGraph.cpp:
2099         (JSC::DFG::Graph::Graph):
2100         * dfg/DFGGraph.h:
2101         (JSC::DFG::Graph::hasDebuggerEnabled):
2102         * dfg/DFGStackLayoutPhase.cpp:
2103         (JSC::DFG::StackLayoutPhase::run):
2104         - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
2105         * ftl/FTLCompile.cpp:
2106         (JSC::FTL::mmAllocateDataSection):
2107         - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.
2108
2109 2015-03-30  Michael Saboff  <msaboff@apple.com>
2110
2111         Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
2112         https://bugs.webkit.org/show_bug.cgi?id=138391
2113
2114         Reviewed by Mark Lam.
2115
2116         Re-enabling these tests as I can't get them to fail on local iOS test devices.
2117         There have been many changes since these tests were disabled.
2118         I'll watch automated test results for failures.  If there are failures running automated
2119         testing, it might be due to the device's relative CPU performance.
2120         
2121         * tests/stress/float32-repeat-out-of-bounds.js:
2122         * tests/stress/int8-repeat-out-of-bounds.js:
2123
2124 2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>
2125
2126         Web Inspector: Regression: Preview for [[null]] shouldn't be []
2127         https://bugs.webkit.org/show_bug.cgi?id=143208
2128
2129         Reviewed by Mark Lam.
2130
2131         * inspector/InjectedScriptSource.js:
2132         Handle null when generating simple object previews.
2133
2134 2015-03-30  Per Arne Vollan  <peavo@outlook.com>
2135
2136         Avoid using hardcoded values for JSValue::Int32Tag, if possible.
2137         https://bugs.webkit.org/show_bug.cgi?id=143134
2138
2139         Reviewed by Geoffrey Garen.
2140
2141         * jit/JSInterfaceJIT.h:
2142         * jit/Repatch.cpp:
2143         (JSC::tryCacheGetByID):
2144
2145 2015-03-30  Filip Pizlo  <fpizlo@apple.com>
2146
2147         REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
2148         https://bugs.webkit.org/show_bug.cgi?id=143104
2149
2150         Reviewed by Geoffrey Garen.
2151         
2152         Created a test that is a 100% repro of the flaky failure. This test is called
2153         get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
2154         always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
2155         the inlined function. Other than that, it's the same as inline-arguments-local-escape.
2156         
2157         Also created three more tests for three similar, but not identical, failures.
2158         
2159         Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
2160         only reading those parts of the stack that are relevant to the current semantic code origin.
2161         That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
2162         like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
2163         read parts of the stack associated with the inline call frame for the phantom arguments. This
2164         may not be subsumed by the current semantic origin's stack area in cases that the arguments
2165         were allowed to "locally" escape.
2166         
2167         The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
2168         is not really a meaningful concept anymore. It is only meaningful for nodes that will read
2169         the stack due to function.arguments, but there are a bunch of other ways that we could also
2170         read the stack and those operations may read any stack slot. I believe that this change makes
2171         PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
2172         on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
2173         readTop() in PreciseLocalClobberize does the right thing.
2174
2175         * dfg/DFGClobberize.h:
2176         (JSC::DFG::clobberize):
2177         * dfg/DFGPreciseLocalClobberize.h:
2178         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2179         * dfg/DFGPutStackSinkingPhase.cpp:
2180         * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
2181         * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
2182         * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
2183         * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
2184         * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.
2185
2186 2015-03-30  Benjamin Poulain  <benjamin@webkit.org>
2187
2188         Start the features.json files
2189         https://bugs.webkit.org/show_bug.cgi?id=143207
2190
2191         Reviewed by Darin Adler.
2192
2193         Start the features.json files to have something to experiment
2194         with for the UI.
2195
2196         * features.json: Added.
2197
2198 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2199
2200         [Win] Addressing post-review comment after r182122
2201         https://bugs.webkit.org/show_bug.cgi?id=143189
2202
2203         Unreviewed.
2204
2205 2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>
2206
2207         [Win] Allow building JavaScriptCore without Cygwin
2208         https://bugs.webkit.org/show_bug.cgi?id=143189
2209
2210         Reviewed by Brent Fulgham.
2211
2212         Paths like /usr/bin/ don't exist on Windows.
2213         Hashbangs don't work on Windows. Instead we must explicitly call the executable.
2214         Prefixing commands with environment variables doesn't work on Windows.
2215         Windows doesn't have 'cmp'.
2216         Windows uses 'del' instead of 'rm'.
2217         Windows uses 'type NUL' instead of 'touch'.
2218
2219         * DerivedSources.make:
2220         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2221         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2222         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
2223         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2224         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
2225         * JavaScriptCore.vcxproj/build-generated-files.pl:
2226         * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.
2227
2228 2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>
2229
2230         Clean up JavaScriptCore/builtins
2231         https://bugs.webkit.org/show_bug.cgi?id=143177
2232
2233         Reviewed by Ryosuke Niwa.
2234
2235         * builtins/ArrayConstructor.js:
2236         (from):
2237         - We can compare to undefined instead of using a typeof undefined check.
2238         - Converge on double quoted strings everywhere.
2239
2240         * builtins/ArrayIterator.prototype.js:
2241         (next):
2242         * builtins/StringIterator.prototype.js:
2243         (next):
2244         - Use shorthand object construction to avoid duplication.
2245         - Improve grammar in error messages.
2246
2247         * tests/stress/array-iterators-next-with-call.js:
2248         * tests/stress/string-iterators.js:
2249         - Update for new error message strings.
2250
2251 2015-03-28  Saam Barati  <saambarati1@gmail.com>
2252
2253         Web Inspector: ES6: Better support for Symbol types in Type Profiler
2254         https://bugs.webkit.org/show_bug.cgi?id=141257
2255
2256         Reviewed by Joseph Pecoraro.
2257
2258         ES6 introduces the new primitive type Symbol. This patch makes JSC's 
2259         type profiler support this new primitive type.
2260
2261         * dfg/DFGFixupPhase.cpp:
2262         (JSC::DFG::FixupPhase::fixupNode):
2263         * inspector/protocol/Runtime.json:
2264         * runtime/RuntimeType.cpp:
2265         (JSC::runtimeTypeForValue):
2266         * runtime/RuntimeType.h:
2267         (JSC::runtimeTypeIsPrimitive):
2268         * runtime/TypeSet.cpp:
2269         (JSC::TypeSet::addTypeInformation):
2270         (JSC::TypeSet::dumpTypes):
2271         (JSC::TypeSet::doesTypeConformTo):
2272         (JSC::TypeSet::displayName):
2273         (JSC::TypeSet::inspectorTypeSet):
2274         (JSC::TypeSet::toJSONString):
2275         * runtime/TypeSet.h:
2276         (JSC::TypeSet::seenTypes):
2277         * tests/typeProfiler/driver/driver.js:
2278         * tests/typeProfiler/symbol.js: Added.
2279         (wrapper.foo):
2280         (wrapper.bar):
2281         (wrapper.bar.bar.baz):
2282         (wrapper):
2283
2284 2015-03-27  Saam Barati  <saambarati1@gmail.com>
2285
2286         Deconstruction parameters are bound too late
2287         https://bugs.webkit.org/show_bug.cgi?id=143148
2288
2289         Reviewed by Filip Pizlo.
2290
2291         Currently, a deconstruction pattern named with the same
2292         name as a function will shadow the function. This is
2293         wrong. It should be the other way around.
2294
2295         * bytecompiler/BytecodeGenerator.cpp:
2296         (JSC::BytecodeGenerator::generate):
2297
2298 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
2299
2300         parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
2301         https://bugs.webkit.org/show_bug.cgi?id=143170
2302
2303         Reviewed by Benjamin Poulain.
2304
2305         Assert that we never use 16-bit version of the parser to parse a default constructor
2306         since both base and derived default constructors should be using an 8-bit string.
2307
2308         * parser/Parser.h:
2309         (JSC::parse):
2310
2311 2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>
2312
2313         ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
2314         https://bugs.webkit.org/show_bug.cgi?id=142862
2315
2316         Reviewed by Benjamin Poulain.
2317
2318         Add a test that used to fail in DFG now that the bug has been fixed by r181993.
2319
2320         * tests/stress/class-syntax-derived-default-constructor.js: Added.
2321
2322 2015-03-27  Michael Saboff  <msaboff@apple.com>
2323
2324         load8Signed() and load16Signed() should be renamed to avoid confusion
2325         https://bugs.webkit.org/show_bug.cgi?id=143168
2326
2327         Reviewed by Benjamin Poulain.
2328
2329         Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().
2330
2331         * assembler/MacroAssemblerARM.h:
2332         (JSC::MacroAssemblerARM::load8SignedExtendTo32):
2333         (JSC::MacroAssemblerARM::load16SignedExtendTo32):
2334         (JSC::MacroAssemblerARM::load8Signed): Deleted.
2335         (JSC::MacroAssemblerARM::load16Signed): Deleted.
2336         * assembler/MacroAssemblerARM64.h:
2337         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
2338         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
2339         (JSC::MacroAssemblerARM64::load16Signed): Deleted.
2340         (JSC::MacroAssemblerARM64::load8Signed): Deleted.
2341         * assembler/MacroAssemblerARMv7.h:
2342         (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
2343         (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
2344         (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
2345         (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
2346         * assembler/MacroAssemblerMIPS.h:
2347         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
2348         (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
2349         (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
2350         (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
2351         * assembler/MacroAssemblerSH4.h:
2352         (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
2353         (JSC::MacroAssemblerSH4::load8):
2354         (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
2355         (JSC::MacroAssemblerSH4::load16):
2356         (JSC::MacroAssemblerSH4::load8Signed): Deleted.
2357         (JSC::MacroAssemblerSH4::load16Signed): Deleted.
2358         * assembler/MacroAssemblerX86Common.h:
2359         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
2360         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
2361         (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
2362         (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
2363         * dfg/DFGSpeculativeJIT.cpp:
2364         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2365         * jit/JITPropertyAccess.cpp:
2366         (JSC::JIT::emitIntTypedArrayGetByVal):
2367
2368 2015-03-27  Michael Saboff  <msaboff@apple.com>
2369
2370         Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
2371         https://bugs.webkit.org/show_bug.cgi?id=138390
2372
2373         Reviewed by Mark Lam.
2374
2375         Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
2376         instead of 64 bits.  This is what X86-64 does.
2377
2378         * assembler/MacroAssemblerARM64.h:
2379         (JSC::MacroAssemblerARM64::load16Signed):
2380         (JSC::MacroAssemblerARM64::load8Signed):
2381
2382 2015-03-27  Saam Barati  <saambarati1@gmail.com>
2383
2384         Add back previously broken assert from bug 141869
2385         https://bugs.webkit.org/show_bug.cgi?id=143005
2386
2387         Reviewed by Michael Saboff.
2388
2389         * runtime/ExceptionHelpers.cpp:
2390         (JSC::invalidParameterInSourceAppender):
2391
2392 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
2393
2394         Make some more objects use FastMalloc
2395         https://bugs.webkit.org/show_bug.cgi?id=143122
2396
2397         Reviewed by Csaba Osztrogonác.
2398
2399         * API/JSCallbackObject.h:
2400         * heap/IncrementalSweeper.h:
2401         * jit/JITThunks.h:
2402         * runtime/JSGlobalObjectDebuggable.h:
2403         * runtime/RegExpCache.h:
2404
2405 2015-03-27  Michael Saboff  <msaboff@apple.com>
2406
2407         Objects with numeric properties intermittently get a phantom 'length' property
2408         https://bugs.webkit.org/show_bug.cgi?id=142792
2409
2410         Reviewed by Csaba Osztrogonác.
2411
2412         Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
2413         test and branch instructions.  This function is used for linking tbz/tbnz branches between
2414         two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
2415         the failure case checks in the GetById array length stub created for "obj.length" access.
2416         If the failure case code address was at a negative offset from the stub, we'd look for bit 1
2417         being set when we should have been looking for bit 0.
2418
2419         * assembler/ARM64Assembler.h:
2420         (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
2421
2422 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2423
2424         Insert exception check around toPropertyKey call
2425         https://bugs.webkit.org/show_bug.cgi?id=142922
2426
2427         Reviewed by Geoffrey Garen.
2428
2429         In some places, an exception check is missing after/before toPropertyKey.
2430         However, since it calls toString, it's observable to users.
2431
2432         Missing exception checks in Object.prototype methods can be
2433         observed since it would be overridden with toObject(null/undefined) errors.
2434         We inserted exception checks after toPropertyKey.
2435
2436         Missing exception checks in GetById related code can be
2437         observed since it would be overridden with toObject(null/undefined) errors.
2438         In this case, we need to insert exception checks before/after toPropertyKey
2439         since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
2440
2441         JSValue::get checks null/undefined and raises an exception if |this| is null or undefined.
2442         However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
2443         According to the spec, we first perform RequireObjectCoercible and check the exception.
2444         And second, we perform ToPropertyKey and check the exception.
2445         Since JSValue::toPropertyKey can cause toString call, this is observable to users.
2446         For example, if the target is not object coercible,
2447         ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
2448         So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
2449
2450         This patch introduces JSValue::requireObjectCoercible and uses it for the following 2 reasons.
2451
2452         1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
2453
2454         toObject converts primitive types into wrapper objects.
2455         But it is not efficient since wrapper objects are not necessary
2456         if we look up methods from a primitive value's prototype. (using synthesizePrototype is better).
2457
2458         2. Using the result of toObject is not correct to the spec.
2459
2460         To align to the spec correctly, we cannot use JSObject::get
2461         by using the wrapper object produced by the toObject suggested in (1).
2462         If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
2463         It is not correct since getter should be called with the original |this| value that may be primitive types.
2464
2465         So in this patch, we use JSValue::requireObjectCoercible
2466         to check the target is object coercible and raise an error if it's not.
2467
2468         * dfg/DFGOperations.cpp:
2469         * jit/JITOperations.cpp:
2470         (JSC::getByVal):
2471         * llint/LLIntSlowPaths.cpp:
2472         (JSC::LLInt::getByVal):
2473         * runtime/CommonSlowPaths.cpp:
2474         (JSC::SLOW_PATH_DECL):
2475         * runtime/JSCJSValue.h:
2476         * runtime/JSCJSValueInlines.h:
2477         (JSC::JSValue::requireObjectCoercible):
2478         * runtime/ObjectPrototype.cpp:
2479         (JSC::objectProtoFuncHasOwnProperty):
2480         (JSC::objectProtoFuncDefineGetter):
2481         (JSC::objectProtoFuncDefineSetter):
2482         (JSC::objectProtoFuncLookupGetter):
2483         (JSC::objectProtoFuncLookupSetter):
2484         (JSC::objectProtoFuncPropertyIsEnumerable):
2485         * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
2486         (shouldThrow):
2487         (if):
2488         * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
2489         (shouldThrow):
2490         (.):
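
Added example (not code from the WebKit ChangeLog or from JSC itself) that makes the ordering described above observable: which of RequireObjectCoercible / ToObject and ToPropertyKey runs first decides which error the script sees and whether a user-defined toString runs at all; the last function shows reason (2), a getter seeing the primitive |this|.

```javascript
// Added example, not code from the WebKit ChangeLog or from JSC itself.

// A property key whose ToPropertyKey conversion calls user code and throws,
// counting how often that user code actually ran.
function makeThrowingKey() {
  const state = { calls: 0 };
  const key = {
    toString() {
      state.calls++;
      throw new Error("toString called");
    },
  };
  return { key, state };
}

// Classify the error thrown by fn(): the spec-mandated TypeError from
// RequireObjectCoercible / ToObject, or the message of the user's own error.
function errorFrom(fn) {
  try {
    fn();
    return null;
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : e.message;
  }
}

// base[key] (get_by_val): RequireObjectCoercible(base) runs before
// ToPropertyKey(key), so a null base must yield a TypeError and the key's
// toString must never be reached.
function getByValOnNull() {
  const { key, state } = makeThrowingKey();
  const error = errorFrom(() => null[key]);
  return { error, toStringCalls: state.calls }; // { error: "TypeError", toStringCalls: 0 }
}

// Object.prototype.hasOwnProperty(V): ToPropertyKey(V) runs before
// ToObject(this), so here the user's toString error must win over the
// TypeError that ToObject(null) would otherwise raise.
function hasOwnPropertyOnNull() {
  const { key, state } = makeThrowingKey();
  const error = errorFrom(() => Object.prototype.hasOwnProperty.call(null, key));
  return { error, toStringCalls: state.calls }; // { error: "toString called", toStringCalls: 1 }
}

// Reason (2) in the entry: a getter reached through a primitive base must see
// the primitive itself as |this|, not a ToObject wrapper. A strict-mode getter
// (which does not box |this|) makes the difference visible via typeof.
function getterSeesPrimitiveThis() {
  Object.defineProperty(Number.prototype, "kindOfThis", {
    configurable: true,
    get() {
      "use strict";
      return typeof this;
    },
  });
  try {
    return (42).kindOfThis; // "number", not "object"
  } finally {
    delete Number.prototype.kindOfThis; // leave the builtin prototype clean
  }
}
```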
2491
2492 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
2493
2494         WebContent Crash when instantiating class with Type Profiling enabled
2495         https://bugs.webkit.org/show_bug.cgi?id=143037
2496
2497         Reviewed by Ryosuke Niwa.
2498
2499         * bytecompiler/BytecodeGenerator.h:
2500         * bytecompiler/BytecodeGenerator.cpp:
2501         (JSC::BytecodeGenerator::BytecodeGenerator):
2502         (JSC::BytecodeGenerator::emitMoveEmptyValue):
2503         We cannot profile the type of an uninitialized empty JSValue.
2504         Nor do we expect this to be necessary, since it is effectively
2505         an unseen undefined value. So add a way to put the empty value
2506         without profiling.
2507
2508         (JSC::BytecodeGenerator::emitMove):
2509         Add an assert to try to catch this issue early on, and force
2510         callers to explicitly use emitMoveEmptyValue instead.
2511
2512         * tests/typeProfiler/classes.js: Added.
2513         (wrapper.Base):
2514         (wrapper.Derived):
2515         (wrapper):
2516         Add test coverage both for this case and classes in general.
2517
2518 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
2519
2520         Web Inspector: ES6: Provide a better view for Classes in the console
2521         https://bugs.webkit.org/show_bug.cgi?id=142999
2522
2523         Reviewed by Timothy Hatcher.
2524
2525         * inspector/protocol/Runtime.json:
2526         Provide a new `subtype` enum "class". This is a subtype of `type`
2527         "function", all other subtypes are subtypes of `object` types.
2528         For a class, the frontend will immediately want to get the prototype
2529         to enumerate its methods, so include the `classPrototype`.
2530
2531         * inspector/JSInjectedScriptHost.cpp:
2532         (Inspector::JSInjectedScriptHost::subtype):
2533         Denote class construction functions as "class" subtypes.
2534
2535         * inspector/InjectedScriptSource.js:
2536         Handling for the new "class" type.
2537
2538         * bytecode/UnlinkedCodeBlock.h:
2539         (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
2540         * runtime/Executable.h:
2541         (JSC::FunctionExecutable::isClassConstructorFunction):
2542         * runtime/JSFunction.h:
2543         * runtime/JSFunctionInlines.h:
2544         (JSC::JSFunction::isClassConstructorFunction):
2545         Check if this function is a class constructor function. That information
2546         is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.
2547
2548 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
2549
2550         Function.prototype.toString should not decompile the AST
2551         https://bugs.webkit.org/show_bug.cgi?id=142853
2552
2553         Reviewed by Darin Adler.
2554
2555         Following up on Darin's review comments.
2556
2557         * runtime/FunctionConstructor.cpp:
2558         (JSC::constructFunctionSkippingEvalEnabledCheck):
2559
2560 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
2561
2562         "lineNo" does not match WebKit coding style guidelines
2563         https://bugs.webkit.org/show_bug.cgi?id=143119
2564
2565         Reviewed by Michael Saboff.
2566
2567         We can afford to use whole words.
2568
2569         * bytecode/CodeBlock.cpp:
2570         (JSC::CodeBlock::lineNumberForBytecodeOffset):
2571         (JSC::CodeBlock::expressionRangeForBytecodeOffset):
2572         * bytecode/UnlinkedCodeBlock.cpp:
2573         (JSC::UnlinkedFunctionExecutable::link):
2574         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2575         * bytecode/UnlinkedCodeBlock.h:
2576         * bytecompiler/NodesCodegen.cpp:
2577         (JSC::WhileNode::emitBytecode):
2578         * debugger/Debugger.cpp:
2579         (JSC::Debugger::toggleBreakpoint):
2580         * interpreter/Interpreter.cpp:
2581         (JSC::StackFrame::computeLineAndColumn):
2582         (JSC::GetStackTraceFunctor::operator()):
2583         (JSC::Interpreter::execute):
2584         * interpreter/StackVisitor.cpp:
2585         (JSC::StackVisitor::Frame::computeLineAndColumn):
2586         * parser/Nodes.h:
2587         (JSC::Node::firstLine):
2588         (JSC::Node::lineNo): Deleted.
2589         (JSC::StatementNode::firstLine): Deleted.
2590         * parser/ParserError.h:
2591         (JSC::ParserError::toErrorObject):
2592         * profiler/LegacyProfiler.cpp:
2593         (JSC::createCallIdentifierFromFunctionImp):
2594         * runtime/CodeCache.cpp:
2595         (JSC::CodeCache::getGlobalCodeBlock):
2596         * runtime/Executable.cpp:
2597         (JSC::ScriptExecutable::ScriptExecutable):
2598         (JSC::ScriptExecutable::newCodeBlockFor):
2599         (JSC::FunctionExecutable::fromGlobalCode):
2600         * runtime/Executable.h:
2601         (JSC::ScriptExecutable::firstLine):
2602         (JSC::ScriptExecutable::setOverrideLineNumber):
2603         (JSC::ScriptExecutable::hasOverrideLineNumber):
2604         (JSC::ScriptExecutable::overrideLineNumber):
2605         (JSC::ScriptExecutable::lineNo): Deleted.
2606         (JSC::ScriptExecutable::setOverrideLineNo): Deleted.
2607         (JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
2608         (JSC::ScriptExecutable::overrideLineNo): Deleted.
2609         * runtime/FunctionConstructor.cpp:
2610         (JSC::constructFunctionSkippingEvalEnabledCheck):
2611         * runtime/FunctionConstructor.h:
2612         * tools/CodeProfile.cpp:
2613         (JSC::CodeProfile::report):
2614         * tools/CodeProfile.h:
2615         (JSC::CodeProfile::CodeProfile):
2616
2617 2015-03-26  Geoffrey Garen  <ggaren@apple.com>
2618
2619         Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
2620         https://bugs.webkit.org/show_bug.cgi?id=142974
2621
2622         Reviewed by Joseph Pecoraro.
2623
2624         This patch does two things:
2625
2626         (1) Restore JavaScriptCore's sanitization of line and column numbers to
2627         one-based values.
2628
2629         We need this because WebCore sometimes provides huge negative column
2630         numbers.
2631
2632         (2) Solve the attribute event listener line numbering problem a different
2633         way: Rather than offsetting all line numbers by -1 in an attribute event
2634         listener in order to arrange for a custom result, instead use an explicit
2635         feature for saying "all errors in this code should map to this line number".
2636
2637         * bytecode/UnlinkedCodeBlock.cpp:
2638         (JSC::UnlinkedFunctionExecutable::link):
2639         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2640         * bytecode/UnlinkedCodeBlock.h:
2641         * interpreter/Interpreter.cpp:
2642         (JSC::StackFrame::computeLineAndColumn):
2643         (JSC::GetStackTraceFunctor::operator()):
2644         * interpreter/Interpreter.h:
2645         * interpreter/StackVisitor.cpp:
2646         (JSC::StackVisitor::Frame::computeLineAndColumn):
2647         * parser/ParserError.h:
2648         (JSC::ParserError::toErrorObject): Plumb through an override line number.
2649         When a function has an override line number, all syntax and runtime
2650         errors in the function will map to it. This is useful for attribute event
2651         listeners.
2652  
2653         * parser/SourceCode.h:
2654         (JSC::SourceCode::SourceCode): Restore the old sanitization of line and
2655         column numbers to one-based integers. It was kind of a hack to remove this.
2656
2657         * runtime/Executable.cpp:
2658         (JSC::ScriptExecutable::ScriptExecutable):
2659         (JSC::FunctionExecutable::fromGlobalCode):
2660         * runtime/Executable.h:
2661         (JSC::ScriptExecutable::setOverrideLineNo):
2662         (JSC::ScriptExecutable::hasOverrideLineNo):
2663         (JSC::ScriptExecutable::overrideLineNo):
2664         * runtime/FunctionConstructor.cpp:
2665         (JSC::constructFunctionSkippingEvalEnabledCheck):
2666         * runtime/FunctionConstructor.h: Plumb through an override line number.
2667
2668 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2669
2670         If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
2671
2672         Reviewed by Michael Saboff.
2673
2674         * jit/JITPropertyAccess.cpp:
2675         (JSC::JIT::emitScopedArgumentsGetByVal):
2676         * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
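
        The fix above is about the baseline JIT checking for the wrong kind of arguments
        object at a get-by-val site. The following is an added illustration, not part of
        this ChangeLog or of the WebKit tree, of why the kinds differ at the language level
        and why a single access site can see several of them. The mapping of each function
        shape to DirectArguments / ScopedArguments / ClonedArguments reflects JSC's rules as
        this editor understands them (sloppy mode without captured parameters, sloppy mode
        with a captured parameter, strict mode); the aliasing behaviour the code checks is
        plain ECMAScript semantics and holds in any engine. The functions are built with the
        Function constructor so they stay sloppy-mode even if this file is loaded as strict
        code; all names here are the editor's own.

```javascript
// Added example: three arguments-object "flavours" and one polymorphic
// access site. Not from the WebKit ChangeLog or the JSC test suite.
//
// JSC representation (editor's understanding, not stated on this page):
//   DirectArguments  - sloppy mode, no parameter captured by a closure
//   ScopedArguments  - sloppy mode, a parameter is captured, so arguments[i]
//                      must alias the variable living in the scope object
//   ClonedArguments  - strict mode: an unaliased snapshot of the call's values
// Functions are created with `new Function` so they are sloppy mode
// regardless of whether the enclosing file is strict.

// No closure captures `a`: arguments[0] is a plain slot, but in sloppy mode
// it still aliases the parameter itself.
const directStyle = new Function('a', `
  arguments[0] = 'written via arguments';
  return [a, arguments[0]];
`);

// A closure captures `a`, so the parameter lives in the scope. arguments[0]
// must observe writes made through the closure.
const scopedStyle = new Function('a', `
  var bump = function () { a = a + 1; };
  bump();
  return [a, arguments[0]];
`);

// Strict code: writing arguments[0] must not touch `a`.
const clonedStyle = new Function('a', `
  'use strict';
  arguments[0] = 'written via arguments';
  return [a, arguments[0]];
`);

// Producers for each flavour, so one read site can be fed all of them.
const makeDirect = new Function('a', 'b', 'return arguments;');
const makeScoped = new Function('a', 'b',
  'var keep = function () { return a; }; return arguments;');
const makeCloned = new Function('a', 'b', "'use strict'; return arguments;");

// A single get-by-val site. Feeding it scoped, then direct, then cloned
// arguments mirrors the shape of the regression test named in the entry
// above: a tier that guards on the wrong object kind would misread here.
function readIndex(args, i) {
  return args[i];
}

// Runs the polymorphic site `iterations` times, alternating flavours, and
// returns a checksum of the values read. Every flavour must agree on
// in-bounds reads, and an out-of-bounds read must yield undefined rather
// than whatever happens to sit past the end of the object.
function exercisePolymorphicSite(iterations) {
  const flavours = [makeScoped, makeDirect, makeCloned];
  let checksum = 0;
  for (let n = 0; n < iterations; n++) {
    const args = flavours[n % flavours.length](n, n * 2);
    if (readIndex(args, 0) !== n || readIndex(args, 1) !== n * 2) {
      throw new Error('wrong element read at iteration ' + n);
    }
    if (readIndex(args, 2) !== undefined) {
      throw new Error('out-of-bounds read returned a value at iteration ' + n);
    }
    checksum += readIndex(args, 1);
  }
  return checksum;
}
```

        directStyle('x') returns ['written via arguments', 'written via arguments'],
        scopedStyle(1) returns [2, 2], and clonedStyle('x') returns ['x', 'written via
        arguments']; exercisePolymorphicSite(30) sums 2n for n in 0..29 and returns 870.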
2677
2678 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2679
2680         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
2681         https://bugs.webkit.org/show_bug.cgi?id=143098
2682
2683         Reviewed by Csaba Osztrogonác.
2684
2685         * ftl/FTLLowerDFGToLLVM.cpp:
2686         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
2687         * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
2688
2689 2015-03-26  Csaba Osztrogonác  <ossy@webkit.org>
2690
2691         Unreviewed gardening, skip failing tests on AArch64 Linux.
2692
2693         * tests/mozilla/mozilla-tests.yaml:
2694         * tests/stress/cached-prototype-setter.js:
2695
2696 2015-03-26  Filip Pizlo  <fpizlo@apple.com>
2697
2698         Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.
2699
2700         * dfg/DFGConstantFoldingPhase.cpp:
2701         (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
2702         * ftl/FTLCompile.cpp:
2703         (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
2704         * ftl/FTLState.cpp:
2705         (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
2706         * ftl/FTLState.h:
2707
2708 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2709
2710         Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
2711         right, so this just makes 32-bit do the same.
2712
2713         * dfg/DFGSpeculativeJIT32_64.cpp:
2714         (JSC::DFG::SpeculativeJIT::emitCall):
2715
2716 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2717
2718         Fix a typo that ggaren found but that I didn't fix before.
2719
2720         * runtime/DirectArgumentsOffset.h:
2721
2722 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2723
2724         Unreviewed, VC found a bug. This fixes the bug.
2725
2726         * dfg/DFGConstantFoldingPhase.cpp:
2727         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2728
2729 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2730
2731         Unreviewed, try to fix Windows build.
2732
2733         * runtime/ClonedArguments.cpp:
2734         (JSC::ClonedArguments::createWithInlineFrame):
2735
2736 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2737
2738         Unreviewed, fix debug build.
2739
2740         * bytecompiler/NodesCodegen.cpp:
2741         (JSC::ConstDeclNode::emitCodeSingle):
2742
2743 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2744
2745         Unreviewed, fix CLOOP build.
2746
2747         * dfg/DFGMinifiedID.h:
2748
2749 2015-03-25  Filip Pizlo  <fpizlo@apple.com>
2750
2751         Heap variables shouldn't end up in the stack frame
2752         https://bugs.webkit.org/show_bug.cgi?id=141174
2753
2754         Reviewed by Geoffrey Garen.
2755         
2756         This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
2757         any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
2758         longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
2759         simplifications:
2760         
2761         - Accesses to variables no longer need checks or indirections to determine where the variable is
2762           at that moment in time. For example, loading a closure variable now takes just one load instead
2763           of two. Loading an argument by index now takes a bounds check and a load in the fastest case
2764           (when no arguments object allocation is required) while previously that same operation required
2765           a "did I allocate arguments yet" check, a bounds check, and then the load.
2766         
2767         - Reasoning about the allocation of an activation or arguments object now follows the same simple
2768           logic as the allocation of any other kind of object. Previously, those objects were lazily
2769           allocated - so an allocation instruction wasn't the actual allocation site, since it might not
2770           allocate anything at all. This made the implementation of traditional escape analyses really
2771           awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
2772           arguments object using the usual SSA tricks which allows for more comprehensive removal.
2773         
2774         - The allocations of arguments objects, functions, and activations are now much faster. While
2775           this patch generally expands our ability to eliminate arguments object allocations, an earlier
2776           version of the patch - which lacked that functionality - was a progression on some arguments-
2777           and closure-happy benchmarks because although no allocations were eliminated, all allocations
2778           were faster.
2779         
2780         - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
2781           its arguments objects or activations. The runtime doesn't have to do things to the arguments
2782           objects and activations that a frame allocated, when the frame is unwound. We always had horrid
2783           bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
2784         FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
2785           now gone. This also enables implementing block-scoping. Without this change, block-scope
2786           support would require telling CodeBlock and all of the rest of the runtime about all of the
2787           variables that store currently-live scopes. That would have been so disastrously hard that it
2788           might as well be impossible. With this change, it's fair game for the bytecode generator to
2789           simply allocate whatever activations it wants, wherever it wants, and to keep them live for
2790           however long it wants. This all works, because after bytecode generation, an activation is just
2791           an object and variables that refer to it are just normal variables.
2792         
2793         - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
2794           VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
2795           used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
2796           of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
2797           an arguments object.
2798         
2799         - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
2800           using activations used to prevent inlining; now functions that use activations can be inlined
2801           just fine.
2802         
2803         This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
2804         speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
2805         It's only a slow-down on very short-running microbenchmarks we had previously written for our old
2806         style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.
2807         
2808         The easiest way of understanding this change is to start by looking at the changes in runtime/,
2809         and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.
2810
2811         * CMakeLists.txt:
2812         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2813         * JavaScriptCore.xcodeproj/project.pbxproj:
2814         * assembler/AbortReason.h:
2815         * assembler/AbstractMacroAssembler.h:
2816         (JSC::AbstractMacroAssembler::BaseIndex::withOffset):
2817         * bytecode/ByValInfo.h:
2818         (JSC::hasOptimizableIndexingForJSType):
2819         (JSC::hasOptimizableIndexing):
2820         (JSC::jitArrayModeForJSType):
2821         (JSC::jitArrayModePermitsPut):
2822         (JSC::jitArrayModeForStructure):
2823         * bytecode/BytecodeKills.h: Added.
2824         (JSC::BytecodeKills::BytecodeKills):
2825         (JSC::BytecodeKills::operandIsKilled):
2826         (JSC::BytecodeKills::forEachOperandKilledAt):
2827         (JSC::BytecodeKills::KillSet::KillSet):
2828         (JSC::BytecodeKills::KillSet::add):
2829         (JSC::BytecodeKills::KillSet::forEachLocal):
2830         (JSC::BytecodeKills::KillSet::contains):
2831         * bytecode/BytecodeList.json:
2832         * bytecode/BytecodeLivenessAnalysis.cpp:
2833         (JSC::isValidRegisterForLiveness):
2834         (JSC::stepOverInstruction):
2835         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
2836         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
2837         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
2838         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
2839         (JSC::BytecodeLivenessAnalysis::computeKills):
2840         (JSC::indexForOperand): Deleted.
2841         (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
2842         (JSC::getLivenessInfo): Deleted.
2843         * bytecode/BytecodeLivenessAnalysis.h:
2844         * bytecode/BytecodeLivenessAnalysisInlines.h:
2845         (JSC::operandIsAlwaysLive):
2846         (JSC::operandThatIsNotAlwaysLiveIsLive):
2847         (JSC::operandIsLive):
2848         * bytecode/BytecodeUseDef.h:
2849         (JSC::computeUsesForBytecodeOffset):
2850         (JSC::computeDefsForBytecodeOffset):
2851         * bytecode/CodeBlock.cpp:
2852         (JSC::CodeBlock::dumpBytecode):
2853         (JSC::CodeBlock::CodeBlock):
2854         (JSC::CodeBlock::nameForRegister):
2855         (JSC::CodeBlock::validate):
2856         (JSC::CodeBlock::isCaptured): Deleted.
2857         (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
2858         (JSC::CodeBlock::machineSlowArguments): Deleted.
2859         * bytecode/CodeBlock.h:
2860         (JSC::unmodifiedArgumentsRegister): Deleted.
2861         (JSC::CodeBlock::setArgumentsRegister): Deleted.
2862         (JSC::CodeBlock::argumentsRegister): Deleted.
2863         (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
2864         (JSC::CodeBlock::usesArguments): Deleted.
2865         (JSC::CodeBlock::captureCount): Deleted.
2866         (JSC::CodeBlock::captureStart): Deleted.
2867         (JSC::CodeBlock::captureEnd): Deleted.
2868         (JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
2869         (JSC::CodeBlock::hasSlowArguments): Deleted.
2870         (JSC::ExecState::argumentAfterCapture): Deleted.
2871         * bytecode/CodeOrigin.h:
2872         * bytecode/DataFormat.h:
2873         (JSC::dataFormatToString):
2874         * bytecode/FullBytecodeLiveness.h:
2875         (JSC::FullBytecodeLiveness::getLiveness):
2876         (JSC::FullBytecodeLiveness::operandIsLive):
2877         (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
2878         (JSC::FullBytecodeLiveness::getOut): Deleted.
2879         * bytecode/Instruction.h:
2880         (JSC::Instruction::Instruction):
2881         * bytecode/Operands.h:
2882         (JSC::Operands::virtualRegisterForIndex):
2883         * bytecode/SpeculatedType.cpp:
2884         (JSC::dumpSpeculation):
2885         (JSC::speculationToAbbreviatedString):
2886         (JSC::speculationFromClassInfo):
2887         * bytecode/SpeculatedType.h:
2888         (JSC::isDirectArgumentsSpeculation):
2889         (JSC::isScopedArgumentsSpeculation):
2890         (JSC::isActionableMutableArraySpeculation):
2891         (JSC::isActionableArraySpeculation):
2892         (JSC::isArgumentsSpeculation): Deleted.
2893         * bytecode/UnlinkedCodeBlock.cpp:
2894         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2895         * bytecode/UnlinkedCodeBlock.h:
2896         (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
2897         (JSC::UnlinkedCodeBlock::usesArguments): Deleted.
2898         (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
2899         * bytecode/ValueRecovery.cpp:
2900         (JSC::ValueRecovery::dumpInContext):
2901         * bytecode/ValueRecovery.h:
2902         (JSC::ValueRecovery::directArgumentsThatWereNotCreated):
2903         (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
2904         (JSC::ValueRecovery::nodeID):
2905         (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
2906         * bytecode/VirtualRegister.h:
2907         (JSC::VirtualRegister::operator==):
2908         (JSC::VirtualRegister::operator!=):
2909         (JSC::VirtualRegister::operator<):
2910         (JSC::VirtualRegister::operator>):
2911         (JSC::VirtualRegister::operator<=):
2912         (JSC::VirtualRegister::operator>=):
2913         * bytecompiler/BytecodeGenerator.cpp:
2914         (JSC::BytecodeGenerator::generate):
2915         (JSC::BytecodeGenerator::BytecodeGenerator):
2916         (JSC::BytecodeGenerator::initializeNextParameter):
2917         (JSC::BytecodeGenerator::visibleNameForParameter):
2918         (JSC::BytecodeGenerator::emitMove):
2919         (JSC::BytecodeGenerator::variable):
2920         (JSC::BytecodeGenerator::createVariable):
2921         (JSC::BytecodeGenerator::emitResolveScope):
2922         (JSC::BytecodeGenerator::emitGetFromScope):
2923         (JSC::BytecodeGenerator::emitPutToScope):
2924         (JSC::BytecodeGenerator::initializeVariable):
2925         (JSC::BytecodeGenerator::emitInstanceOf):
2926         (JSC::BytecodeGenerator::emitNewFunction):
2927         (JSC::BytecodeGenerator::emitNewFunctionInternal):
2928         (JSC::BytecodeGenerator::emitCall):
2929         (JSC::BytecodeGenerator::emitReturn):
2930         (JSC::BytecodeGenerator::emitConstruct):
2931         (JSC::BytecodeGenerator::isArgumentNumber):
2932         (JSC::BytecodeGenerator::emitEnumeration):
2933         (JSC::BytecodeGenerator::addVar): Deleted.
2934         (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
2935         (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
2936         (JSC::BytecodeGenerator::resolveCallee): Deleted.
2937         (JSC::BytecodeGenerator::addCallee): Deleted.
2938         (JSC::BytecodeGenerator::addParameter): Deleted.
2939         (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
2940         (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
2941         (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
2942         (JSC::BytecodeGenerator::isCaptured): Deleted.
2943         (JSC::BytecodeGenerator::local): Deleted.
2944         (JSC::BytecodeGenerator::constLocal): Deleted.
2945         (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
2946         (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
2947         (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
2948         (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
2949         (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
2950         * bytecompiler/BytecodeGenerator.h:
2951         (JSC::Variable::Variable):
2952         (JSC::Variable::isResolved):
2953         (JSC::Variable::ident):
2954         (JSC::Variable::offset):
2955         (JSC::Variable::isLocal):
2956         (JSC::Variable::local):
2957         (JSC::Variable::isSpecial):
2958         (JSC::BytecodeGenerator::argumentsRegister):
2959         (JSC::BytecodeGenerator::emitNode):
2960         (JSC::BytecodeGenerator::registerFor):
2961         (JSC::Local::Local): Deleted.
2962         (JSC::Local::operator bool): Deleted.
2963         (JSC::Local::get): Deleted.
2964         (JSC::Local::isSpecial): Deleted.
2965         (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
2966         (JSC::ResolveScopeInfo::isLocal): Deleted.
2967         (JSC::ResolveScopeInfo::localIndex): Deleted.
2968         (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
2969         (JSC::BytecodeGenerator::captureMode): Deleted.
2970         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
2971         (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
2972         (JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
2973         (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
2974         * bytecompiler/NodesCodegen.cpp:
2975         (JSC::ResolveNode::isPure):
2976         (JSC::ResolveNode::emitBytecode):
2977         (JSC::BracketAccessorNode::emitBytecode):
2978         (JSC::DotAccessorNode::emitBytecode):
2979         (JSC::EvalFunctionCallNode::emitBytecode):
2980         (JSC::FunctionCallResolveNode::emitBytecode):
2981         (JSC::CallFunctionCallDotNode::emitBytecode):
2982         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2983         (JSC::PostfixNode::emitResolve):
2984         (JSC::DeleteResolveNode::emitBytecode):
2985         (JSC::TypeOfResolveNode::emitBytecode):
2986         (JSC::PrefixNode::emitResolve):
2987         (JSC::ReadModifyResolveNode::emitBytecode):
2988         (JSC::AssignResolveNode::emitBytecode):
2989         (JSC::ConstDeclNode::emitCodeSingle):
2990         (JSC::EmptyVarExpression::emitBytecode):
2991         (JSC::ForInNode::tryGetBoundLocal):
2992         (JSC::ForInNode::emitLoopHeader):
2993         (JSC::ForOfNode::emitBytecode):
2994         (JSC::ArrayPatternNode::emitDirectBinding):
2995         (JSC::BindingNode::bindValue):
2996         (JSC::getArgumentByVal): Deleted.
2997         * dfg/DFGAbstractHeap.h:
2998         * dfg/DFGAbstractInterpreter.h:
2999         * dfg/DFGAbstractInterpreterInlines.h:
3000         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3001         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
3002         (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
3003         * dfg/DFGAbstractValue.h:
3004         * dfg/DFGArgumentPosition.h:
3005         (JSC::DFG::ArgumentPosition::addVariable):
3006         * dfg/DFGArgumentsEliminationPhase.cpp: Added.
3007         (JSC::DFG::performArgumentsElimination):
3008         * dfg/DFGArgumentsEliminationPhase.h: Added.
3009         * dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
3010         * dfg/DFGArgumentsSimplificationPhase.h: Removed.
3011         * dfg/DFGArgumentsUtilities.cpp: Added.
3012         (JSC::DFG::argumentsInvolveStackSlot):
3013         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3014         * dfg/DFGArgumentsUtilities.h: Added.
3015         * dfg/DFGArrayMode.cpp:
3016         (JSC::DFG::ArrayMode::refine):
3017         (JSC::DFG::ArrayMode::alreadyChecked):
3018         (JSC::DFG::arrayTypeToString):
3019         * dfg/DFGArrayMode.h:
3020         (JSC::DFG::ArrayMode::canCSEStorage):
3021         (JSC::DFG::ArrayMode::modeForPut):
3022         * dfg/DFGAvailabilityMap.cpp:
3023         (JSC::DFG::AvailabilityMap::prune):
3024         * dfg/DFGAvailabilityMap.h:
3025         (JSC::DFG::AvailabilityMap::closeOverNodes):
3026         (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
3027         * dfg/DFGBackwardsPropagationPhase.cpp:
3028         (JSC::DFG::BackwardsPropagationPhase::propagate):
3029         * dfg/DFGByteCodeParser.cpp:
3030         (JSC::DFG::ByteCodeParser::newVariableAccessData):
3031         (JSC::DFG::ByteCodeParser::getLocal):
3032         (JSC::DFG::ByteCodeParser::setLocal):
3033         (JSC::DFG::ByteCodeParser::getArgument):
3034         (JSC::DFG::ByteCodeParser::setArgument):
3035         (JSC::DFG::ByteCodeParser::flushDirect):
3036         (JSC::DFG::ByteCodeParser::flush):
3037         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
3038         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3039         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3040         (JSC::DFG::ByteCodeParser::handleInlining):
3041         (JSC::DFG::ByteCodeParser::parseBlock):
3042         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3043         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3044         * dfg/DFGCPSRethreadingPhase.cpp:
3045         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
3046         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3047         * dfg/DFGCSEPhase.cpp:
3048         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
3049         (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
3050         * dfg/DFGCapabilities.cpp:
3051         (JSC::DFG::isSupportedForInlining):
3052         (JSC::DFG::capabilityLevel):
3053         * dfg/DFGClobberize.h:
3054         (JSC::DFG::clobberize):
3055         * dfg/DFGCommon.h:
3056         * dfg/DFGCommonData.h:
3057         (JSC::DFG::CommonData::CommonData):
3058         * dfg/DFGConstantFoldingPhase.cpp:
3059         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3060         * dfg/DFGDCEPhase.cpp:
3061         (JSC::DFG::DCEPhase::cleanVariables):
3062         * dfg/DFGDisassembler.h:
3063         * dfg/DFGDoesGC.cpp:
3064         (JSC::DFG::doesGC):
3065         * dfg/DFGFixupPhase.cpp:
3066         (JSC::DFG::FixupPhase::fixupNode):
3067         * dfg/DFGFlushFormat.cpp:
3068         (WTF::printInternal):
3069         * dfg/DFGFlushFormat.h:
3070         (JSC::DFG::resultFor):
3071         (JSC::DFG::useKindFor):
3072         (JSC::DFG::dataFormatFor):
3073         * dfg/DFGForAllKills.h: Added.
3074         (JSC::DFG::forAllLiveNodesAtTail):
3075         (JSC::DFG::forAllDirectlyKilledOperands):
3076         (JSC::DFG::forAllKilledOperands):
3077         (JSC::DFG::forAllKilledNodesAtNodeIndex):
3078         (JSC::DFG::forAllKillsInBlock):
3079         * dfg/DFGGraph.cpp:
3080         (JSC::DFG::Graph::Graph):
3081         (JSC::DFG::Graph::dump):
3082         (JSC::DFG::Graph::substituteGetLocal):
3083         (JSC::DFG::Graph::livenessFor):
3084         (JSC::DFG::Graph::killsFor):
3085         (JSC::DFG::Graph::tryGetConstantClosureVar):
3086         (JSC::DFG::Graph::tryGetRegisters): Deleted.
3087         * dfg/DFGGraph.h:
3088         (JSC::DFG::Graph::symbolTableFor):
3089         (JSC::DFG::Graph::uses):
3090         (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
3091         (JSC::DFG::Graph::capturedVarsFor): Deleted.
3092         (JSC::DFG::Graph::usesArguments): Deleted.
3093         (JSC::DFG::Graph::argumentsRegisterFor): Deleted.
3094         (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
3095         (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
3096         * dfg/DFGHeapLocation.cpp:
3097         (WTF::printInternal):
3098         * dfg/DFGHeapLocation.h:
3099         * dfg/DFGInPlaceAbstractState.cpp:
3100         (JSC::DFG::InPlaceAbstractState::initialize):
3101         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3102         * dfg/DFGJITCompiler.cpp:
3103         (JSC::DFG::JITCompiler::link):
3104         * dfg/DFGMayExit.cpp:
3105         (JSC::DFG::mayExit):
3106         * dfg/DFGMinifiedID.h:
3107         * dfg/DFGMinifiedNode.cpp:
3108         (JSC::DFG::MinifiedNode::fromNode):
3109         * dfg/DFGMinifiedNode.h:
3110         (JSC::DFG::belongsInMinifiedGraph):
3111         (JSC::DFG::MinifiedNode::hasInlineCallFrame):
3112         (JSC::DFG::MinifiedNode::inlineCallFrame):
3113         * dfg/DFGNode.cpp:
3114         (JSC::DFG::Node::convertToIdentityOn):
3115         * dfg/DFGNode.h:
3116         (JSC::DFG::Node::hasConstant):
3117         (JSC::DFG::Node::constant):
3118         (JSC::DFG::Node::hasScopeOffset):
3119         (JSC::DFG::Node::scopeOffset):
3120         (JSC::DFG::Node::hasDirectArgumentsOffset):
3121         (JSC::DFG::Node::capturedArgumentsOffset):
3122         (JSC::DFG::Node::variablePointer):
3123         (JSC::DFG::Node::hasCallVarargsData):
3124         (JSC::DFG::Node::hasLoadVarargsData):
3125         (JSC::DFG::Node::hasHeapPrediction):
3126         (JSC::DFG::Node::hasCellOperand):
3127         (JSC::DFG::Node::objectMaterializationData):
3128         (JSC::DFG::Node::isPhantomAllocation):
3129         (JSC::DFG::Node::willHaveCodeGenOrOSR):
3130         (JSC::DFG::Node::shouldSpeculateDirectArguments):
3131         (JSC::DFG::Node::shouldSpeculateScopedArguments):
3132         (JSC::DFG::Node::isPhantomArguments): Deleted.
3133         (JSC::DFG::Node::hasVarNumber): Deleted.
3134         (JSC::DFG::Node::varNumber): Deleted.
3135         (JSC::DFG::Node::registerPointer): Deleted.
3136         (JSC::DFG::Node::shouldSpeculateArguments): Deleted.
3137         * dfg/DFGNodeType.h:
3138         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3139         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
3140         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3141         * dfg/DFGOSRExitCompiler.cpp:
3142         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
3143         * dfg/DFGOSRExitCompiler.h:
3144         (JSC::DFG::OSRExitCompiler::badIndex): Deleted.
3145         (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
3146         (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
3147         * dfg/DFGOSRExitCompiler32_64.cpp:
3148         (JSC::DFG::OSRExitCompiler::compileExit):
3149         * dfg/DFGOSRExitCompiler64.cpp:
3150         (JSC::DFG::OSRExitCompiler::compileExit):
3151         * dfg/DFGOSRExitCompilerCommon.cpp:
3152         (JSC::DFG::reifyInlinedCallFrames):
3153         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
3154         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
3155         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
3156         * dfg/DFGOSRExitCompilerCommon.h:
3157         * dfg/DFGOperations.cpp:
3158         * dfg/DFGOperations.h:
3159         * dfg/DFGPlan.cpp:
3160         (JSC::DFG::Plan::compileInThreadImpl):
3161         * dfg/DFGPreciseLocalClobberize.h:
3162         (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
3163         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
3164         (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
3165         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3166         (JSC::DFG::preciseLocalClobberize):
3167         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
3168         (JSC::DFG::forEachLocalReadByUnwind): Deleted.
3169         * dfg/DFGPredictionPropagationPhase.cpp:
3170         (JSC::DFG::PredictionPropagationPhase::run):
3171         (JSC::DFG::PredictionPropagationPhase::propagate):
3172         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
3173         (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
3174         * dfg/DFGPromoteHeapAccess.h:
3175         (JSC::DFG::promoteHeapAccess):
3176         * dfg/DFGPromotedHeapLocation.cpp:
3177         (WTF::printInternal):
3178         * dfg/DFGPromotedHeapLocation.h:
3179         * dfg/DFGSSAConversionPhase.cpp:
3180         (JSC::DFG::SSAConversionPhase::run):
3181         * dfg/DFGSafeToExecute.h:
3182         (JSC::DFG::safeToExecute):
3183         * dfg/DFGSpeculativeJIT.cpp:
3184         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
3185         (JSC::DFG::SpeculativeJIT::emitGetLength):
3186         (JSC::DFG::SpeculativeJIT::emitGetCallee):
3187         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
3188         (JSC::DFG::SpeculativeJIT::checkArray):
3189         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3190         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3191         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3192         (JSC::DFG::SpeculativeJIT::compileNewFunction):
3193         (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
3194         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
3195         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3196         (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
3197         (JSC::DFG::SpeculativeJIT::compilePutToArguments):
3198         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
3199         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
3200         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
3201         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
3202         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
3203         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
3204         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
3205         * dfg/DFGSpeculativeJIT.h:
3206         (JSC::DFG::SpeculativeJIT::callOperation):
3207         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
3208         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3209         (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
3210         * dfg/DFGSpeculativeJIT32_64.cpp:
3211         (JSC::DFG::SpeculativeJIT::emitCall):
3212         (JSC::DFG::SpeculativeJIT::compile):
3213         * dfg/DFGSpeculativeJIT64.cpp:
3214         (JSC::DFG::SpeculativeJIT::emitCall):
3215         (JSC::DFG::SpeculativeJIT::compile):
3216         * dfg/DFGStackLayoutPhase.cpp:
3217         (JSC::DFG::StackLayoutPhase::run):
3218         * dfg/DFGStrengthReductionPhase.cpp:
3219         (JSC::DFG::StrengthReductionPhase::handleNode):
3220         * dfg/DFGStructureRegistrationPhase.cpp:
3221         (JSC::DFG::StructureRegistrationPhase::run):
3222         * dfg/DFGUnificationPhase.cpp:
3223         (JSC::DFG::UnificationPhase::run):
3224         * dfg/DFGValidate.cpp:
3225         (JSC::DFG::Validate::validateCPS):
3226         * dfg/DFGValueSource.cpp:
3227         (JSC::DFG::ValueSource::dump):
3228         * dfg/DFGValueSource.h:
3229         (JSC::DFG::dataFormatToValueSourceKind):
3230         (JSC::DFG::valueSourceKindToDataFormat):
3231         (JSC::DFG::ValueSource::ValueSource):
3232         (JSC::DFG::ValueSource::forFlushFormat):
3233         (JSC::DFG::ValueSource::valueRecovery):
3234         * dfg/DFGVarargsForwardingPhase.cpp: Added.
3235         (JSC::DFG::performVarargsForwarding):
3236         * dfg/DFGVarargsForwardingPhase.h: Added.
3237         * dfg/DFGVariableAccessData.cpp:
3238         (JSC::DFG::VariableAccessData::VariableAccessData):
3239         (JSC::DFG::VariableAccessData::flushFormat):
3240         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
3241         * dfg/DFGVariableAccessData.h:
3242         (JSC::DFG::VariableAccessData::shouldNeverUnbox):
3243         (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
3244         (JSC::DFG::VariableAccessData::isCaptured): Deleted.
3245         (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
3246         (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
3247         * dfg/DFGVariableAccessDataDump.cpp:
3248         (JSC::DFG::VariableAccessDataDump::dump):
3249         * dfg/DFGVariableAccessDataDump.h:
3250         * dfg/DFGVariableEventStream.cpp:
3251         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
3252         * dfg/DFGVariableEventStream.h:
3253         * ftl/FTLAbstractHeap.cpp:
3254         (JSC::FTL::AbstractHeap::dump):
3255         (JSC::FTL::AbstractField::dump):
3256         (JSC::FTL::IndexedAbstractHeap::dump):
3257         (JSC::FTL::NumberedAbstractHeap::dump):
3258         (JSC::FTL::AbsoluteAbstractHeap::dump):
3259         * ftl/FTLAbstractHeap.h:
3260         * ftl/FTLAbstractHeapRepository.cpp:
3261         * ftl/FTLAbstractHeapRepository.h:
3262         * ftl/FTLCapabilities.cpp:
3263         (JSC::FTL::canCompile):
3264         * ftl/FTLCompile.cpp:
3265         (JSC::FTL::mmAllocateDataSection):
3266         * ftl/FTLExitArgument.cpp:
3267         (JSC::FTL::ExitArgument::dump):
3268         * ftl/FTLExitPropertyValue.cpp:
3269         (JSC::FTL::ExitPropertyValue::withLocalsOffset):
3270         * ftl/FTLExitPropertyValue.h:
3271         * ftl/FTLExitTimeObjectMaterialization.cpp:
3272         (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
3273         (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
3274         * ftl/FTLExitTimeObjectMaterialization.h:
3275         (JSC::FTL::ExitTimeObjectMaterialization::origin):
3276         * ftl/FTLExitValue.cpp:
3277         (JSC::FTL::ExitValue::withLocalsOffset):
3278         (JSC::FTL::ExitValue::valueFormat):
3279         (JSC::FTL::ExitValue::dumpInContext):
3280         * ftl/FTLExitValue.h:
3281         (JSC::FTL::ExitValue::isArgument):
3282         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
3283         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
3284         (JSC::FTL::ExitValue::valueFormat): Deleted.
3285         * ftl/FTLInlineCacheSize.cpp:
3286         (JSC::FTL::sizeOfCallForwardVarargs):
3287         (JSC::FTL::sizeOfConstructForwardVarargs):
3288         (JSC::FTL::sizeOfICFor):
3289         * ftl/FTLInlineCacheSize.h:
3290         * ftl/FTLIntrinsicRepository.h:
3291         * ftl/FTLJSCallVarargs.cpp:
3292         (JSC::FTL::JSCallVarargs::JSCallVarargs):
3293         (JSC::FTL::JSCallVarargs::emit):
3294         * ftl/FTLJSCallVarargs.h:
3295         * ftl/FTLLowerDFGToLLVM.cpp:
3296         (JSC::FTL::LowerDFGToLLVM::lower):
3297         (JSC::FTL::LowerDFGToLLVM::compileNode):
3298         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
3299         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
3300         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
3301         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
3302         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3303         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
3304         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
3305         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
3306         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
3307         (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
3308         (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
3309         (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
3310         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
3311         (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
3312         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
3313         (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
3314         (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
3315         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
3316         (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
3317         (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
3318         (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
3319         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
3320         (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
3321         (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
3322         (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
3323         (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
3324         (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
3325         (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
3326         (JSC::FTL::LowerDFGToLLVM::baseIndex):
3327         (JSC::FTL::LowerDFGToLLVM::allocateObject):
3328         (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
3329         (JSC::FTL::LowerDFGToLLVM::isArrayType):
3330         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
3331         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
3332         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
3333         (JSC::FTL::LowerDFGToLLVM: