1 2015-04-26  Jordan Harband  <ljharb@gmail.com>
2
3         Map#forEach does not pass "map" argument to callback.
4         https://bugs.webkit.org/show_bug.cgi?id=144187
5
6         Reviewed by Darin Adler.
7
8         Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-map.prototype.foreach
9         step 7.a.i., the callback should be called with three arguments.
10
11         * runtime/MapPrototype.cpp:
12         (JSC::mapProtoFuncForEach):
13
14 2015-04-26  Yusuke Suzuki  <utatane.tea@gmail.com>
15
16         [ES6] Implement ES6 template literals
17         https://bugs.webkit.org/show_bug.cgi?id=142691
18
19         Reviewed by Darin Adler.
20
21         This patch implements TemplateLiteral.
22         Since TaggedTemplate requires some global state and
23         primitive operations like GetTemplateObject,
24         we split it out of this patch. It will be implemented in a subsequent patch.
25
26         Template Literal Syntax is guarded by ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX compile time flag.
27         By disabling it, we can disable Template Literal support.
28
29         To implement template literals, in this patch
30         we introduce a new bytecode, op_to_string.
31         In template literals, we alternately evaluate the expression and
32         perform ToString onto the result of evaluation.
33         For example,
34
35         `${f1()} ${f2()}`
36
37         In this template literal, execution order is the following,
38         1. calling f1()
39         2. ToString(the result of f1())
40         3. calling f2()
41         4. ToString(the result of f2())
42
43         op_strcat also performs ToString. However, op_strcat batches the
44         ToString of all its operands, which does not match the template
45         literal spec. In the above example,
46         ToString(f1()) must be called before f2() is called.
47
48         * Configurations/FeatureDefines.xcconfig:
49         * bytecode/BytecodeList.json:
50         * bytecode/BytecodeUseDef.h:
51         (JSC::computeUsesForBytecodeOffset):
52         (JSC::computeDefsForBytecodeOffset):
53         * bytecode/CodeBlock.cpp:
54         (JSC::CodeBlock::dumpBytecode):
55         * bytecompiler/BytecodeGenerator.h:
56         (JSC::BytecodeGenerator::emitToString):
57         (JSC::BytecodeGenerator::emitToNumber): Deleted.
58         * bytecompiler/NodesCodegen.cpp:
59         (JSC::TemplateStringNode::emitBytecode):
60         (JSC::TemplateLiteralNode::emitBytecode):
61         * dfg/DFGByteCodeParser.cpp:
62         (JSC::DFG::ByteCodeParser::parseBlock):
63         * dfg/DFGCapabilities.cpp:
64         (JSC::DFG::capabilityLevel):
65         * jit/JIT.cpp:
66         (JSC::JIT::privateCompileMainPass):
67         (JSC::JIT::privateCompileSlowCases):
68         * jit/JIT.h:
69         * jit/JITOpcodes.cpp:
70         (JSC::JIT::emit_op_to_string):
71         (JSC::JIT::emitSlow_op_to_string):
72         * jit/JITOpcodes32_64.cpp:
73         (JSC::JIT::emit_op_to_string):
74         (JSC::JIT::emitSlow_op_to_string):
75         * llint/LowLevelInterpreter32_64.asm:
76         * llint/LowLevelInterpreter64.asm:
77         * parser/ASTBuilder.h:
78         (JSC::ASTBuilder::createTemplateString):
79         (JSC::ASTBuilder::createTemplateStringList):
80         (JSC::ASTBuilder::createTemplateExpressionList):
81         (JSC::ASTBuilder::createTemplateLiteral):
82         * parser/Lexer.cpp:
83         (JSC::Lexer<T>::Lexer):
84         (JSC::Lexer<T>::parseIdentifierSlowCase):
85         (JSC::Lexer<T>::parseString):
86         (JSC::LineNumberAdder::LineNumberAdder):
87         (JSC::LineNumberAdder::clear):
88         (JSC::LineNumberAdder::add):
89         (JSC::Lexer<T>::parseTemplateLiteral):
90         (JSC::Lexer<T>::lex):
91         (JSC::Lexer<T>::scanRegExp):
92         (JSC::Lexer<T>::scanTrailingTemplateString):
93         (JSC::Lexer<T>::parseStringSlowCase): Deleted.
94         * parser/Lexer.h:
95         * parser/NodeConstructors.h:
96         (JSC::TemplateExpressionListNode::TemplateExpressionListNode):
97         (JSC::TemplateStringNode::TemplateStringNode):
98         (JSC::TemplateStringListNode::TemplateStringListNode):
99         (JSC::TemplateLiteralNode::TemplateLiteralNode):
100         * parser/Nodes.h:
101         (JSC::TemplateExpressionListNode::value):
102         (JSC::TemplateExpressionListNode::next):
103         (JSC::TemplateStringNode::cooked):
104         (JSC::TemplateStringNode::raw):
105         (JSC::TemplateStringListNode::value):
106         (JSC::TemplateStringListNode::next):
107         * parser/Parser.cpp:
108         (JSC::Parser<LexerType>::parseTemplateString):
109         (JSC::Parser<LexerType>::parseTemplateLiteral):
110         (JSC::Parser<LexerType>::parsePrimaryExpression):
111         * parser/Parser.h:
112         * parser/ParserTokens.h:
113         * parser/SyntaxChecker.h:
114         (JSC::SyntaxChecker::createTemplateString):
115         (JSC::SyntaxChecker::createTemplateStringList):
116         (JSC::SyntaxChecker::createTemplateExpressionList):
117         (JSC::SyntaxChecker::createTemplateLiteral):
118         (JSC::SyntaxChecker::createSpreadExpression): Deleted.
119         * runtime/CommonSlowPaths.cpp:
120         (JSC::SLOW_PATH_DECL):
121         * runtime/CommonSlowPaths.h:
122         * tests/stress/template-literal-line-terminators.js: Added.
123         (test):
124         (testEval):
125         (testEvalLineNumber):
126         * tests/stress/template-literal-syntax.js: Added.
127         (testSyntax):
128         (testSyntaxError):
129         * tests/stress/template-literal.js: Added.
130         (test):
131         (testEval):
132         (testEmbedded):
133
134 2015-04-26  Jordan Harband  <ljharb@gmail.com>
135
136         Set#forEach does not pass "key" or "set" arguments to callback.
137         https://bugs.webkit.org/show_bug.cgi?id=144188
138
139         Reviewed by Darin Adler.
140
141         Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.foreach
142         Set#forEach should pass 3 arguments to the callback.
143
144         * runtime/SetPrototype.cpp:
145         (JSC::setProtoFuncForEach):
146
147 2015-04-26  Benjamin Poulain  <benjamin@webkit.org>
148
149         [JSC] Implement Math.clz32(), remove Number.clz()
150         https://bugs.webkit.org/show_bug.cgi?id=144205
151
152         Reviewed by Michael Saboff.
153
154         This patch adds the ES6 function Math.clz32() and removes the non-standard
155         Number.clz(). Number.clz() probably came from an older draft.
156
157         The new function has a corresponding intrinsic: Clz32Intrinsic,
158         and a corresponding DFG node: ArithClz32, optimized all the way down to LLVM.
159
160         * assembler/MacroAssemblerX86Common.h:
161         (JSC::MacroAssemblerX86Common::countLeadingZeros32):
162         * assembler/X86Assembler.h:
163         (JSC::X86Assembler::bsr_rr):
164         The x86 assembler did not have countLeadingZeros32() because there is
165         no native CLZ instruction on that architecture.
166
167         I have added the version with bsr + a branch for the zero case.
168         Another popular version uses cmov to handle the case of zero. I kept
169         it simple since the Assembler has no support for cmov.
170
171         It is unlikely to matter much. If the code is hot enough, LLVM picks
172         something good based on the surrounding code.
173
174         * dfg/DFGAbstractInterpreterInlines.h:
175         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
176         Constant handling + effect propagation. The node only produces integers in the range 0 to 32 inclusive.
177
178         * dfg/DFGBackwardsPropagationPhase.cpp:
179         (JSC::DFG::BackwardsPropagationPhase::propagate):
180         Thanks to the definition of toUint32(), we can ignore plenty of details
181         from doubles.
182
183         * dfg/DFGByteCodeParser.cpp:
184         (JSC::DFG::ByteCodeParser::handleIntrinsic):
185         * dfg/DFGClobberize.h:
186         (JSC::DFG::clobberize):
187         * dfg/DFGDoesGC.cpp:
188         (JSC::DFG::doesGC):
189         * dfg/DFGFixupPhase.cpp:
190         (JSC::DFG::FixupPhase::fixupNode):
191         * dfg/DFGNodeType.h:
192         * dfg/DFGPredictionPropagationPhase.cpp:
193         (JSC::DFG::PredictionPropagationPhase::propagate):
194         * dfg/DFGSafeToExecute.h:
195         (JSC::DFG::safeToExecute):
196         * dfg/DFGSpeculativeJIT.cpp:
197         (JSC::DFG::SpeculativeJIT::compileArithClz32):
198         * dfg/DFGSpeculativeJIT.h:
199         * dfg/DFGSpeculativeJIT32_64.cpp:
200         (JSC::DFG::SpeculativeJIT::compile):
201         * dfg/DFGSpeculativeJIT64.cpp:
202         (JSC::DFG::SpeculativeJIT::compile):
203         * ftl/FTLCapabilities.cpp:
204         (JSC::FTL::canCompile):
205         * ftl/FTLIntrinsicRepository.h:
206         * ftl/FTLLowerDFGToLLVM.cpp:
207         (JSC::FTL::LowerDFGToLLVM::compileNode):
208         (JSC::FTL::LowerDFGToLLVM::compileArithClz32):
209         * ftl/FTLOutput.h:
210         (JSC::FTL::Output::ctlz32):
211         * jit/ThunkGenerators.cpp:
212         (JSC::clz32ThunkGenerator):
213         * jit/ThunkGenerators.h:
214         * runtime/Intrinsic.h:
215         * runtime/MathCommon.h:
216         (JSC::clz32):
217         Fun fact: InstCombine does not recognize this pattern to eliminate
218         the branch which makes our FTL version better than the C version.
219
220         * runtime/MathObject.cpp:
221         (JSC::MathObject::finishCreation):
222         (JSC::mathProtoFuncClz32):
223         * runtime/NumberPrototype.cpp:
224         (JSC::clz): Deleted.
225         (JSC::numberProtoFuncClz): Deleted.
226         * runtime/VM.cpp:
227         (JSC::thunkGeneratorForIntrinsic):
228         * tests/stress/math-clz32-basics.js: Added.
229         (mathClz32OnInteger):
230         (testMathClz32OnIntegers):
231         (verifyMathClz32OnIntegerWithOtherTypes):
232         (mathClz32OnDouble):
233         (testMathClz32OnDoubles):
234         (verifyMathClz32OnDoublesWithOtherTypes):
235         (mathClz32NoArguments):
236         (mathClz32TooManyArguments):
237         (testMathClz32OnConstants):
238         (mathClz32StructTransition):
239         (Math.clz32):
240
241 2015-04-26  Yusuke Suzuki  <utatane.tea@gmail.com>
242
243         [ES6] Array.from need to accept iterables
244         https://bugs.webkit.org/show_bug.cgi?id=141055
245
246         Reviewed by Darin Adler.
247
248         ES6 spec requires that Array.from accepts iterable objects.
249         This patch introduces this functionality, Array.from accepting iterable objects.
250
251         Currently, `isConstructor` is not used. Instead, `typeof thisObj === "function"` is used.
252         However, this doesn't conform to the spec. While `isConstructor` queries whether the given object has `[[Construct]]`,
253         `typeof thisObj === "function"` queries whether the given object has `[[Call]]`.
254         This will be fixed in a subsequent patch[1].
255
256         [1]: https://bugs.webkit.org/show_bug.cgi?id=144093
257
258         * builtins/ArrayConstructor.js:
259         (from):
260         * parser/Parser.cpp:
261         (JSC::Parser<LexerType>::parseInner):
262         * runtime/CommonIdentifiers.h:
263         * runtime/JSGlobalObject.cpp:
264         (JSC::JSGlobalObject::init):
265         * tests/stress/array-from-with-iterable.js: Added.
266         (shouldBe):
267         (.set for):
268         (.set var):
269         (.get var):
270         (argumentsGenerators):
271         (.set shouldBe):
272         (.set new):
273         * tests/stress/array-from-with-iterator.js: Added.
274         (shouldBe):
275         (shouldThrow):
276         (createIterator.iterator.return):
277         (createIterator):
278         (.):
279
280 2015-04-25  Jordan Harband  <ljharb@gmail.com>
281
282         Set#keys !== Set#values
283         https://bugs.webkit.org/show_bug.cgi?id=144190
284
285         Reviewed by Darin Adler.
286
287         per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.keys
288         Set#keys should === Set#values
289
290         * runtime/SetPrototype.cpp:
291         (JSC::SetPrototype::finishCreation):
292         (JSC::setProtoFuncValues):
293         (JSC::setProtoFuncEntries):
294         (JSC::setProtoFuncKeys): Deleted.
295
296 2015-04-25  Joseph Pecoraro  <pecoraro@apple.com>
297
298         Allow for pausing a JSContext when opening a Web Inspector
299         <rdar://problem/20564788>
300
301         Reviewed by Timothy Hatcher.
302
303         * inspector/remote/RemoteInspector.mm:
304         (Inspector::RemoteInspector::receivedSetupMessage):
305         * inspector/remote/RemoteInspectorConstants.h:
306         * inspector/remote/RemoteInspectorDebuggable.h:
307         * inspector/remote/RemoteInspectorDebuggableConnection.h:
308         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
309         (Inspector::RemoteInspectorDebuggableConnection::setup):
310         On any incoming setup message, we may want to automatically
311         pause the debuggable. If requested, pause the debuggable
312         after we have setup the frontend connection.
313
314         * runtime/JSGlobalObjectDebuggable.h:
315         * runtime/JSGlobalObjectDebuggable.cpp:
316         (JSC::JSGlobalObjectDebuggable::pause):
317         Pass through to the inspector controller.
318
319         * inspector/JSGlobalObjectInspectorController.h:
320         * inspector/JSGlobalObjectInspectorController.cpp:
321         (Inspector::JSGlobalObjectInspectorController::pause):
322         Enable pause on next statement.
323
324 2015-04-23  Ryosuke Niwa  <rniwa@webkit.org>
325
326         class methods should be non-enumerable
327         https://bugs.webkit.org/show_bug.cgi?id=143181
328
329         Reviewed by Darin Adler.
330
331         Fixed the bug by using Object.defineProperty to define methods.
332
333         This patch adds the concept of link time constants and uses it to resolve Object.defineProperty
334         inside CodeBlock's constructor since bytecode can be linked against multiple global objects.
335
336         * bytecode/CodeBlock.cpp: 
337         (JSC::CodeBlock::CodeBlock): Resolve link time constants that are used. Ignore ones with register
338         index of zero.
339         * bytecode/SpecialPointer.h: Added a new enum for link time constants. It currently contains
340         exactly one entry for Object.defineProperty.
341         * bytecode/UnlinkedCodeBlock.h:
342         (JSC::UnlinkedCodeBlock::addConstant): Added. Like addConstant that takes JSValue, allocate a new
343         constant register for the link time constant we're adding.
344         (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Added.
345         * bytecompiler/BytecodeGenerator.cpp:
346         (JSC::BytecodeGenerator::emitMoveLinkTimeConstant): Added. Like addConstantValue, allocate a new
347         register for the specified link time constant and notify UnlinkedCodeBlock about it.
348         (JSC::BytecodeGenerator::emitCallDefineProperty): Added. Create a new property descriptor and call
349         Object.defineProperty with it.
350         * bytecompiler/BytecodeGenerator.h:
351         * bytecompiler/NodesCodegen.cpp:
352         (JSC::PropertyListNode::emitBytecode): Make static and non-static getters and setters for classes
353         non-enumerable by using emitCallDefineProperty to define them.
354         (JSC::PropertyListNode::emitPutConstantProperty): Ditto for a non-accessor properties.
355         (JSC::ClassExprNode::emitBytecode): Make prototype.constructor non-enumerable and make prototype
356         property on the class non-writable, non-configurable, and non-enumerable by using defineProperty.
357         * runtime/CommonIdentifiers.h:
358         * runtime/JSGlobalObject.cpp:
359         (JSC::JSGlobalObject::init): Set m_definePropertyFunction.
360         (JSC::JSGlobalObject::visitChildren): Visit m_definePropertyFunction.
361         * runtime/JSGlobalObject.h:
362         (JSC::JSGlobalObject::definePropertyFunction): Added.
363         (JSC::JSGlobalObject::actualPointerFor): Added a variant that takes LinkTimeConstant.
364         (JSC::JSGlobalObject::jsCellForLinkTimeConstant): Like actualPointerFor, takes LinkTimeConstant and
365         returns a JSCell; e.g. Object.defineProperty.
366         * runtime/ObjectConstructor.cpp:
367         (JSC::ObjectConstructor::addDefineProperty): Added. Returns Object.defineProperty.
368         * runtime/ObjectConstructor.h:
369
370 2015-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>
371
372         [ES6] Implement String.fromCodePoint
373         https://bugs.webkit.org/show_bug.cgi?id=144160
374
375         Reviewed by Darin Adler.
376
377         This patch implements String.fromCodePoint.
378         It accepts multiple code points and generates a string consisting of the given code points.
379         The range [0x0000, 0x10FFFF] is the valid range for code points.
380         If a given value is outside that range, a RangeError is thrown.
381
382         When a valid code point above 0xFFFF (outside the BMP) is given,
383         String.fromCodePoint generates a string that contains a surrogate pair for it.
384
385         * runtime/StringConstructor.cpp:
386         (JSC::stringFromCodePoint):
387         (JSC::constructWithStringConstructor):
388         * tests/stress/string-from-code-point.js: Added.
389         (shouldBe):
390         (shouldThrow):
391         (toCodePoints):
392         (passThrough):
393
394 2015-04-25  Martin Robinson  <mrobinson@igalia.com>
395
396         Rename ENABLE_3D_RENDERING to ENABLE_3D_TRANSFORMS
397         https://bugs.webkit.org/show_bug.cgi?id=144182
398
399         Reviewed by Simon Fraser.
400
401         * Configurations/FeatureDefines.xcconfig: Replace all instances of 3D_RENDERING with 3D_TRANSFORMS.
402
403 2015-04-25  Mark Lam  <mark.lam@apple.com>
404
405         mayExit() is wrong about Branch nodes with ObjectOrOtherUse: they can exit.
406         https://bugs.webkit.org/show_bug.cgi?id=144152
407
408         Reviewed by Filip Pizlo.
409
410         Changed the EdgeMayExit functor to recognize ObjectUse, ObjectOrOtherUse,
411         StringObjectUse, and StringOrStringObjectUse kinds as potentially triggering
412         OSR exits.  This was overlooked in the original code.
413
414         While only the ObjectOrOtherUse kind is relevant for manifesting this bug with
415         the Branch node, the other 3 may also trigger the same bug for other nodes.
416         To prevent this bug from manifesting with other nodes (and future ones that
417         are yet to be added to mayExits()'s "potential won't exit" set), we fix the
418         EdgeMayExit functor to handle all 4 use kinds (instead of just ObjectOrOtherUse).
419
420         Also added a test to exercise a code path that will trigger this bug with
421         the Branch node before the fix is applied.
422
423         * dfg/DFGMayExit.cpp:
424         * tests/stress/branch-may-exit-due-to-object-or-other-use-kind.js: Added.
425         (inlinedFunction):
426         (foo):
427
428 2015-04-24  Commit Queue  <commit-queue@webkit.org>
429
430         Unreviewed, rolling out r183288.
431         https://bugs.webkit.org/show_bug.cgi?id=144189
432
433         Made js/sort-with-side-effecting-comparisons.html time out in
434         debug builds (Requested by ap on #webkit).
435
436         Reverted changeset:
437
438         "It shouldn't take 1846 lines of code and 5 FIXMEs to sort an
439         array."
440         https://bugs.webkit.org/show_bug.cgi?id=144013
441         http://trac.webkit.org/changeset/183288
442
443 2015-04-24  Filip Pizlo  <fpizlo@apple.com>
444
445         CRASH in operationCreateDirectArgumentsDuringExit()
446         https://bugs.webkit.org/show_bug.cgi?id=143962
447
448         Reviewed by Geoffrey Garen.
449         
450         We shouldn't assume that constant-like OSR exit values are always recoverable. They are only
451         recoverable so long as they are live. Therefore, OSR exit should track liveness of
452         constants instead of assuming that they are always live.
453
454         * dfg/DFGGenerationInfo.h:
455         (JSC::DFG::GenerationInfo::noticeOSRBirth):
456         (JSC::DFG::GenerationInfo::appendBirth):
457         * dfg/DFGSpeculativeJIT.cpp:
458         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
459         * dfg/DFGVariableEvent.cpp:
460         (JSC::DFG::VariableEvent::dump):
461         * dfg/DFGVariableEvent.h:
462         (JSC::DFG::VariableEvent::birth):
463         (JSC::DFG::VariableEvent::id):
464         (JSC::DFG::VariableEvent::dataFormat):
465         * dfg/DFGVariableEventStream.cpp:
466         (JSC::DFG::VariableEventStream::reconstruct):
467         * tests/stress/phantom-direct-arguments-clobber-argument-count.js: Added.
468         (foo):
469         (bar):
470         * tests/stress/phantom-direct-arguments-clobber-callee.js: Added.
471         (foo):
472         (bar):
473
474 2015-04-24  Benjamin Poulain  <bpoulain@apple.com>
475
476         [JSC] When inserting a NaN into a Int32 array, we convert it to DoubleArray then to ContiguousArray
477         https://bugs.webkit.org/show_bug.cgi?id=144169
478
479         Reviewed by Geoffrey Garen.
480
481         * runtime/JSObject.cpp:
482         (JSC::JSObject::convertInt32ForValue):
483         DoubleArrays cannot store NaN; NaN is reserved to represent holes.
484         What happened was:
485         1) We failed to insert the NaN into the Int32 array because it is a double.
486         2) We converted the array to a DoubleArray.
487         3) We tried to insert the value again. That failed again because
488            a DoubleArray cannot store NaN.
489         4) We converted the DoubleArray to a Contiguous array, boxing all of
490            its values.
491
492         * tests/stress/int32array-transition-on-nan.js: Added.
493         The behavior is not really observable. This only tests that nothing crashes in those
494         cases.
495
496         (insertNaNWhileFilling):
497         (testInsertNaNWhileFilling):
498         (insertNaNAfterFilling):
499         (testInsertNaNAfterFilling):
500         (pushNaNWhileFilling):
501         (testPushNaNWhileFilling):
502
503 2015-04-21  Geoffrey Garen  <ggaren@apple.com>
504
505         It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array.
506         https://bugs.webkit.org/show_bug.cgi?id=144013
507
508         Reviewed by Mark Lam.
509
510         This patch implements Array.prototype.sort in JavaScript, removing the
511         C++ implementations. It is simpler and less error-prone to express our
512         operations in JavaScript, which provides memory safety, exception safety,
513         and recursion safety.
514
515         The performance result is mixed, but net positive in my opinion. It's
516         difficult to enumerate all the results, since we used to have so many
517         different sorting modes, and there are lots of different data patterns
518         across which you might want to measure sorting. Suffice it to say:
519
520             (*) The benchmarks we track are faster or unchanged.
521
522             (*) Sorting random input using a comparator -- which we think is
523             common -- is 3X faster.
524
525             (*) Sorting random input in a non-array object -- which jQuery does
526             -- is 4X faster.
527
528             (*) Sorting random input in a compact array of integers using a
529             trivial pattern-matchable comparator is 2X *slower*.
530
531         * builtins/Array.prototype.js:
532         (sort.min):
533         (sort.stringComparator):
534         (sort.compactSparse): Special case compaction for sparse arrays because
535         we don't want to hang when sorting new Array(BIG).
536
537         (sort.compact):
538         (sort.merge):
539         (sort.mergeSort): Use merge sort because it's a reasonably efficient
540         stable sort. We have evidence that some sites depend on stable sort,
541         even though the ES6 spec does not mandate it. (See
542         <http://trac.webkit.org/changeset/33967>.)
543
544         This is a textbook implementation of merge sort with three optimizations:
545
546             (1) Use iteration instead of recursion;
547
548             (2) Use array subscripting instead of array copying in order to
549             create logical sub-lists without creating physical sub-lists;
550
551             (3) Swap src and dst at each iteration instead of copying src into
552             dst, and only copy src into the subject array at the end if src is
553             not the subject array.
554
555         (sort.inflate):
556         (sort.comparatorSort):
557         (sort): Sort in JavaScript for the win.
558
559         * builtins/BuiltinExecutables.cpp:
560         (JSC::BuiltinExecutables::createExecutableInternal): Allow non-private
561         names so we can use helper functions.
562
563         * bytecode/CodeBlock.h:
564         (JSC::CodeBlock::isNumericCompareFunction): Deleted.
565         * bytecode/UnlinkedCodeBlock.cpp:
566         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
567         * bytecode/UnlinkedCodeBlock.h:
568         (JSC::UnlinkedCodeBlock::setIsNumericCompareFunction): Deleted.
569         (JSC::UnlinkedCodeBlock::isNumericCompareFunction): Deleted.
570         * bytecompiler/BytecodeGenerator.cpp:
571         (JSC::BytecodeGenerator::setIsNumericCompareFunction): Deleted.
572         * bytecompiler/BytecodeGenerator.h:
573         * bytecompiler/NodesCodegen.cpp:
574         (JSC::FunctionNode::emitBytecode): We don't do this special casing based
575         on pattern matching anymore. This was mainly an optimization to avoid 
576         the overhead of calling from C++ to JS, which we now avoid by
577         sorting in JS.
578
579         * heap/Heap.cpp:
580         (JSC::Heap::markRoots):
581         (JSC::Heap::pushTempSortVector): Deleted.
582         (JSC::Heap::popTempSortVector): Deleted.
583         (JSC::Heap::visitTempSortVectors): Deleted.
584         * heap/Heap.h: We don't have temp sort vectors anymore because we sort
585         in JavaScript using a normal JavaScript array for our temporary storage.
586
587         * parser/Parser.cpp:
588         (JSC::Parser<LexerType>::parseInner): Allow capturing so we can use
589         helper functions.
590
591         * runtime/ArrayPrototype.cpp:
592         (JSC::isNumericCompareFunction): Deleted.
593         (JSC::attemptFastSort): Deleted.
594         (JSC::performSlowSort): Deleted.
595         (JSC::arrayProtoFuncSort): Deleted.
596
597         * runtime/CommonIdentifiers.h: New strings used by sort.
598
599         * runtime/JSArray.cpp:
600         (JSC::compareNumbersForQSortWithInt32): Deleted.
601         (JSC::compareNumbersForQSortWithDouble): Deleted.
602         (JSC::compareNumbersForQSort): Deleted.
603         (JSC::compareByStringPairForQSort): Deleted.
604         (JSC::JSArray::sortNumericVector): Deleted.
605         (JSC::JSArray::sortNumeric): Deleted.
606         (JSC::ContiguousTypeAccessor::getAsValue): Deleted.
607         (JSC::ContiguousTypeAccessor::setWithValue): Deleted.
608         (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted.
609         (JSC::ContiguousTypeAccessor<ArrayWithDouble>::getAsValue): Deleted.
610         (JSC::ContiguousTypeAccessor<ArrayWithDouble>::setWithValue): Deleted.
611         (JSC::ContiguousTypeAccessor<ArrayWithDouble>::replaceDataReference): Deleted.
612         (JSC::JSArray::sortCompactedVector): Deleted.
613         (JSC::JSArray::sort): Deleted.
614         (JSC::AVLTreeAbstractorForArrayCompare::get_less): Deleted.
615         (JSC::AVLTreeAbstractorForArrayCompare::set_less): Deleted.
616         (JSC::AVLTreeAbstractorForArrayCompare::get_greater): Deleted.
617         (JSC::AVLTreeAbstractorForArrayCompare::set_greater): Deleted.
618         (JSC::AVLTreeAbstractorForArrayCompare::get_balance_factor): Deleted.
619         (JSC::AVLTreeAbstractorForArrayCompare::set_balance_factor): Deleted.
620         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): Deleted.
621         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_node): Deleted.
622         (JSC::AVLTreeAbstractorForArrayCompare::compare_node_node): Deleted.
623         (JSC::AVLTreeAbstractorForArrayCompare::null): Deleted.
624         (JSC::JSArray::sortVector): Deleted.
625         (JSC::JSArray::compactForSorting): Deleted.
626         * runtime/JSArray.h:
627
628         * runtime/JSGlobalObject.cpp:
629         (JSC::JSGlobalObject::init):
630         * runtime/ObjectConstructor.cpp:
631         (JSC::ObjectConstructor::finishCreation): Provide some builtins used
632         by sort.
633
634 2015-04-24  Matthew Mirman  <mmirman@apple.com>
635
636         Made Object.prototype.__proto__ native getter and setter check that this object not null or undefined
637         https://bugs.webkit.org/show_bug.cgi?id=141865
638         rdar://problem/19927273
639
640         Reviewed by Filip Pizlo.
641
642         * runtime/JSGlobalObjectFunctions.cpp:
643         (JSC::globalFuncProtoGetter):
644         (JSC::globalFuncProtoSetter):
645
646 2015-04-23  Benjamin Poulain  <bpoulain@apple.com>
647
648         Remove a useless branch on DFGGraph::addShouldSpeculateMachineInt()
649         https://bugs.webkit.org/show_bug.cgi?id=144118
650
651         Reviewed by Geoffrey Garen.
652
653         * dfg/DFGGraph.h:
654         (JSC::DFG::Graph::addShouldSpeculateMachineInt):
655         Both blocks do the same thing.
656
657 2015-04-23  Joseph Pecoraro  <pecoraro@apple.com>
658
659         Web Inspector: Speculative fix for non-main thread auto-attach failures
660         https://bugs.webkit.org/show_bug.cgi?id=144134
661
662         Reviewed by Timothy Hatcher.
663
664         * inspector/remote/RemoteInspector.mm:
665         (Inspector::RemoteInspector::singleton):
666
667 2015-04-23  Basile Clement  <basile_clement@apple.com>
668
669         Allow function allocation sinking
670         https://bugs.webkit.org/show_bug.cgi?id=144016
671
672         Reviewed by Filip Pizlo.
673
674         This adds the ability to sink function allocations in the
675         DFGObjectAllocationSinkingPhase.
676
677         In order to enable this, we add a new PhantomNewFunction node that is
678         used similarly to the PhantomNewObject node, i.e. as a placeholder to replace
679         a sunk NewFunction and to keep track of the allocations that have to be performed
680         in case of an OSR exit after the sunk allocation but before the real one.
681         The FunctionExecutable and JSLexicalEnvironment (activation) of the function
682         are stored onto the PhantomNewFunction through PutHints in order for them
683         to be recovered on OSR exit.
684
685         Contrary to sunk object allocations, sunk function allocations do not
686         support any kind of operation (e.g. storing into a field); any such operation
687         will mark the function allocation as escaping and trigger materialization. As
688         such, function allocations can only be sunk to places where it would have been
689         correct to syntactically move them, and we don't need a special
690         MaterializeNewFunction node to recover possible operations on the function. A
691         sunk NewFunction node will simply create new NewFunction nodes, then replace
692         itself with a PhantomNewFunction node.
693
694         In itself, this change is not expected to have a significant impact on
695         performance other than in degenerate cases (see e.g.
696         JSRegress/sink-function), but it is a step towards being able to sink recursive
697         closures once we support CreateActivation sinking as well as allocation cycle
698         sinking.
699
700         * dfg/DFGAbstractInterpreterInlines.h:
701         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
702         * dfg/DFGClobberize.h:
703         (JSC::DFG::clobberize):
704         * dfg/DFGDoesGC.cpp:
705         (JSC::DFG::doesGC):
706         * dfg/DFGFixupPhase.cpp:
707         (JSC::DFG::FixupPhase::fixupNode):
708         * dfg/DFGNode.h:
709         (JSC::DFG::Node::convertToPhantomNewFunction):
710         (JSC::DFG::Node::isPhantomAllocation):
711         * dfg/DFGNodeType.h:
712         * dfg/DFGObjectAllocationSinkingPhase.cpp:
713         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
714         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
715         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
716         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
717         * dfg/DFGPredictionPropagationPhase.cpp:
718         (JSC::DFG::PredictionPropagationPhase::propagate):
719         * dfg/DFGPromotedHeapLocation.cpp:
720         (WTF::printInternal):
721         * dfg/DFGPromotedHeapLocation.h:
722         * dfg/DFGSafeToExecute.h:
723         (JSC::DFG::safeToExecute):
724         * dfg/DFGSpeculativeJIT32_64.cpp:
725         (JSC::DFG::SpeculativeJIT::compile):
726         * dfg/DFGSpeculativeJIT64.cpp:
727         (JSC::DFG::SpeculativeJIT::compile):
728         * dfg/DFGValidate.cpp:
729         (JSC::DFG::Validate::validateCPS):
730         * ftl/FTLCapabilities.cpp:
731         (JSC::FTL::canCompile):
732         * ftl/FTLLowerDFGToLLVM.cpp:
733         (JSC::FTL::LowerDFGToLLVM::compileNode):
734         * ftl/FTLOperations.cpp:
735         (JSC::FTL::operationMaterializeObjectInOSR):
736         * tests/stress/function-sinking-no-double-allocate.js: Added.
737         (call):
738         (.f):
739         (sink):
740         * tests/stress/function-sinking-osrexit.js: Added.
741         (.g):
742         (sink):
743         * tests/stress/function-sinking-put.js: Added.
744         (.g):
745         (sink):
746
747 2015-04-23  Basile Clement  <basile_clement@apple.com>
748
749         Make FunctionRareData allocation thread-safe
750         https://bugs.webkit.org/show_bug.cgi?id=144001
751
752         Reviewed by Mark Lam.
753
754         The two things we want to prevent are:
755
756          1. A thread seeing a pointer to a not-yet-fully-created rare data from
757             a JSFunction
758          2. A thread seeing a pointer to a not-yet-fully-created Structure from
759             an ObjectAllocationProfile
760
761         For 1., only the JS thread can be creating the rare data (in
762         runtime/CommonSlowPaths.cpp or in dfg/DFGOperations.cpp), so we don't need to
763         worry about concurrent writes, and we don't need any fences when *reading* the
764         rare data from the JS thread. Thus we only need a storeStoreFence between the
765         rare data creation and assignment to m_rareData in
766         JSFunction::createAndInitializeRareData() to ensure that when the store to
767         m_rareData is issued, the rare data has been properly created.
768
769         For the DFG compilation threads, the only place they can access the
770         rare data is through JSFunction::rareData(), and so we only need a
771         loadLoadFence there to ensure that when we see a non-null pointer in
772         m_rareData, the pointed object will be seen as a fully created
773         FunctionRareData.
774
775
776         For 2., the structure is created in
777         ObjectAllocationProfile::initialize() (which appears to be called only by the
778         JS thread as well, in bytecode/CodeBlock.cpp and on rare data initialization,
779         which always happen in the JS thread), and read through
780         ObjectAllocationProfile::structure() and
781         ObjectAllocationProfile::inlineCapacity(), so following the same reasoning we
782         put a storeStoreFence in ObjectAllocationProfile::initialize() and a
783         loadLoadFence in ObjectAllocationProfile::structure() (and change
784         ObjectAllocationProfile::inlineCapacity() to go through
785         ObjectAllocationProfile::structure()).
786
787         We don't need a fence in ObjectAllocationProfile::clear() because
788         clearing the structure is already as atomic as it gets.
789
790         Finally, notice that we don't care about the ObjectAllocationProfile's
791         m_allocator as that is only used by ObjectAllocationProfile::initialize() and
792         ObjectAllocationProfile::clear() that are always run in the JS thread.
793         ObjectAllocationProfile::isNull() could cause some trouble, but it is
794         currently only used in the ObjectAllocationProfile::clear()'s ASSERT in the JS
795         thread.  Doing isNull()-style pre-checks would be wrong in any other concurrent
796         thread anyway.
797
798         * bytecode/ObjectAllocationProfile.h:
799         (JSC::ObjectAllocationProfile::initialize):
800         (JSC::ObjectAllocationProfile::structure):
801         (JSC::ObjectAllocationProfile::inlineCapacity):
802         * runtime/JSFunction.cpp:
803         (JSC::JSFunction::allocateAndInitializeRareData):
804         * runtime/JSFunction.h:
805         (JSC::JSFunction::rareData):
806         (JSC::JSFunction::allocationStructure): Deleted.
807         This is no longer used, as all the accesses to the ObjectAllocationProfile go through the rare data.
808
809 2015-04-22  Filip Pizlo  <fpizlo@apple.com>
810
811         DFG should insert Phantoms late using BytecodeKills and block-local OSR availability
812         https://bugs.webkit.org/show_bug.cgi?id=143735
813
814         Reviewed by Geoffrey Garen.
815         
816         We've always had bugs arising from the fact that we would MovHint something into a local,
817         and then fail to keep it alive. We would then try to keep things alive by putting Phantoms
818         on those Nodes that were MovHinted. But this became increasingly tricky. Given the
819         sophistication of the transformations we are doing today, this approach is just not sound
820         anymore.
821         
822         This comprehensively fixes these bugs by having the DFG backend automatically insert
823         Phantoms just before codegen based on bytecode liveness. To make this practical, this also
824         makes it much faster to query bytecode liveness.
825         
826         It's about as perf-neutral as it gets for a change that increases compiler work without
827         actually optimizing anything. Later changes will remove the old Phantom-preserving logic,
828         which should then speed us up. I can't really report concrete slow-down numbers because
829         they are low enough to basically be in the noise. For example, a 20-iteration run of
830         SunSpider yields "maybe 0.8% slower", whatever that means.
831
832         * CMakeLists.txt:
833         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
834         * JavaScriptCore.xcodeproj/project.pbxproj:
835         * bytecode/BytecodeLivenessAnalysis.cpp:
836         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
837         * bytecode/FullBytecodeLiveness.h:
838         (JSC::FullBytecodeLiveness::getLiveness):
839         * bytecode/VirtualRegister.h:
840         (JSC::VirtualRegister::operator+):
841         (JSC::VirtualRegister::operator-):
842         * dfg/DFGForAllKills.h:
843         (JSC::DFG::forAllLiveNodesAtTail):
844         (JSC::DFG::forAllKilledOperands):
845         (JSC::DFG::forAllKilledNodesAtNodeIndex):
846         * dfg/DFGGraph.cpp:
847         (JSC::DFG::Graph::isLiveInBytecode):
848         (JSC::DFG::Graph::localsLiveInBytecode):
849         * dfg/DFGGraph.h:
850         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
851         (JSC::DFG::Graph::forAllLiveInBytecode):
852         * dfg/DFGMayExit.cpp:
853         (JSC::DFG::mayExit):
854         * dfg/DFGMovHintRemovalPhase.cpp:
855         * dfg/DFGNodeType.h:
856         * dfg/DFGPhantomInsertionPhase.cpp: Added.
857         (JSC::DFG::performPhantomInsertion):
858         * dfg/DFGPhantomInsertionPhase.h: Added.
859         * dfg/DFGPlan.cpp:
860         (JSC::DFG::Plan::compileInThreadImpl):
861         * dfg/DFGScoreBoard.h:
862         (JSC::DFG::ScoreBoard::sortFree):
863         (JSC::DFG::ScoreBoard::assertClear):
864         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
865         (JSC::DFG::VirtualRegisterAllocationPhase::run):
866         * ftl/FTLLowerDFGToLLVM.cpp:
867         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
868         * tests/stress/phantom-inadequacy.js: Added.
869         (bar):
870         (baz):
871         (foo):
872
873 2015-04-23  Filip Pizlo  <fpizlo@apple.com>
874
875         Rename HardPhantom to MustGenerate.
876
877         Rubber stamped by Geoffrey Garen.
878         
879         We are steadily moving towards Phantom just being a backend hack in the DFG. HardPhantom
880         is more than that; it's a utility for forcing the execution of otherwise killable nodes.
881         NodeMustGenerate is the flag we use to indicate that something isn't killable. So this
882         node should just be called MustGenerate.
883
884         * dfg/DFGAbstractInterpreterInlines.h:
885         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
886         * dfg/DFGArgumentsEliminationPhase.cpp:
887         * dfg/DFGClobberize.h:
888         (JSC::DFG::clobberize):
889         * dfg/DFGDCEPhase.cpp:
890         (JSC::DFG::DCEPhase::run):
891         * dfg/DFGDoesGC.cpp:
892         (JSC::DFG::doesGC):
893         * dfg/DFGFixupPhase.cpp:
894         (JSC::DFG::FixupPhase::fixupNode):
895         (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
896         * dfg/DFGIntegerCheckCombiningPhase.cpp:
897         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
898         * dfg/DFGMayExit.cpp:
899         (JSC::DFG::mayExit):
900         * dfg/DFGNode.h:
901         (JSC::DFG::Node::willHaveCodeGenOrOSR):
902         * dfg/DFGNodeType.h:
903         * dfg/DFGObjectAllocationSinkingPhase.cpp:
904         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
905         * dfg/DFGPhantomCanonicalizationPhase.cpp:
906         (JSC::DFG::PhantomCanonicalizationPhase::run):
907         * dfg/DFGPhantomRemovalPhase.cpp:
908         (JSC::DFG::PhantomRemovalPhase::run):
909         * dfg/DFGPredictionPropagationPhase.cpp:
910         (JSC::DFG::PredictionPropagationPhase::propagate):
911         * dfg/DFGSafeToExecute.h:
912         (JSC::DFG::safeToExecute):
913         * dfg/DFGSpeculativeJIT32_64.cpp:
914         (JSC::DFG::SpeculativeJIT::compile):
915         * dfg/DFGSpeculativeJIT64.cpp:
916         (JSC::DFG::SpeculativeJIT::compile):
917         * dfg/DFGTypeCheckHoistingPhase.cpp:
918         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
919         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
920         * dfg/DFGVarargsForwardingPhase.cpp:
921         * ftl/FTLCapabilities.cpp:
922         (JSC::FTL::canCompile):
923         * ftl/FTLLowerDFGToLLVM.cpp:
924         (JSC::FTL::LowerDFGToLLVM::compileNode):
925
926 2015-04-23  Jordan Harband  <ljharb@gmail.com>
927
928         Implement `Object.assign`
929         https://bugs.webkit.org/show_bug.cgi?id=143980
930
931         Reviewed by Filip Pizlo.
932
933         per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.assign
934
935         * builtins/ObjectConstructor.js: Added.
936         (assign):
937         * runtime/CommonIdentifiers.h:
938         * runtime/JSGlobalObject.cpp:
939         (JSC::JSGlobalObject::init):
940         * runtime/ObjectConstructor.cpp:
941         * runtime/ObjectConstructor.h:
942
943 2015-04-22  Filip Pizlo  <fpizlo@apple.com>
944
945         Unreviewed, fix debug build.
946
947         * dfg/DFGGraph.h:
948         (JSC::DFG::Graph::performSubstitutionForEdge):
949
950 2015-04-22  Filip Pizlo  <fpizlo@apple.com>
951
952         Nodes should have an optional epoch field
953         https://bugs.webkit.org/show_bug.cgi?id=144084
954
955         Reviewed by Ryosuke Niwa and Mark Lam.
956         
957         This makes it easier to do epoch-based analyses on nodes. I plan to do just that in
958         https://bugs.webkit.org/show_bug.cgi?id=143735. Currently the epoch field is not yet
959         used.
960
961         * dfg/DFGCPSRethreadingPhase.cpp:
962         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
963         * dfg/DFGCSEPhase.cpp:
964         * dfg/DFGEpoch.h:
965         (JSC::DFG::Epoch::fromUnsigned):
966         (JSC::DFG::Epoch::toUnsigned):
967         * dfg/DFGGraph.cpp:
968         (JSC::DFG::Graph::clearReplacements):
969         (JSC::DFG::Graph::clearEpochs):
970         * dfg/DFGGraph.h:
971         (JSC::DFG::Graph::performSubstitutionForEdge):
972         * dfg/DFGNode.h:
973         (JSC::DFG::Node::Node):
974         (JSC::DFG::Node::replaceWith):
975         (JSC::DFG::Node::replacement):
976         (JSC::DFG::Node::setReplacement):
977         (JSC::DFG::Node::epoch):
978         (JSC::DFG::Node::setEpoch):
979         * dfg/DFGSSAConversionPhase.cpp:
980         (JSC::DFG::SSAConversionPhase::run):
981
982 2015-04-22  Mark Lam  <mark.lam@apple.com>
983
984         Fix assertion failure and race condition in Options::dumpSourceAtDFGTime().
985         https://bugs.webkit.org/show_bug.cgi?id=143898
986
987         Reviewed by Filip Pizlo.
988
989         CodeBlock::dumpSource() will access SourceCode strings in a way that requires
990         ref'ing of the underlying StringImpls. This is unsafe to do from arbitrary
991         compilation threads because StringImpls are not thread safe. As a result, we get
992         an assertion failure when we run with JSC_dumpSourceAtDFGTime=true on a debug
993         build.
994
995         This patch fixes the issue by only collecting the CodeBlock (and associated info)
996         into a DeferredSourceDump record while compiling, and stashing it away in a
997         deferredSourceDump list in the DeferredCompilationCallback object to be dumped
998         later.
999
1000         When compilation is done, the callback object will be notified that
1001         compilationDidComplete().  We will dump the SourceCode strings from there. 
1002         Since compilationDidComplete() is guaranteed to only be called on the thread
1003         doing JS execution, it is safe to access the SourceCode strings there and ref
1004         their underlying StringImpls as needed.        
1005
1006         * CMakeLists.txt:
1007         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1008         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1009         * JavaScriptCore.xcodeproj/project.pbxproj:
1010         * bytecode/DeferredCompilationCallback.cpp:
1011         (JSC::DeferredCompilationCallback::compilationDidComplete):
1012         (JSC::DeferredCompilationCallback::sourceDumpInfo):
1013         (JSC::DeferredCompilationCallback::dumpCompiledSources):
1014         * bytecode/DeferredCompilationCallback.h:
1015         * bytecode/DeferredSourceDump.cpp: Added.
1016         (JSC::DeferredSourceDump::DeferredSourceDump):
1017         (JSC::DeferredSourceDump::dump):
1018         * bytecode/DeferredSourceDump.h: Added.
1019         * dfg/DFGByteCodeParser.cpp:
1020         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1021         * dfg/DFGDriver.cpp:
1022         (JSC::DFG::compileImpl):
1023
1024 2015-04-22  Benjamin Poulain  <benjamin@webkit.org>
1025
1026         Implement String.codePointAt()
1027         https://bugs.webkit.org/show_bug.cgi?id=143934
1028
1029         Reviewed by Darin Adler.
1030
1031         This patch adds String.codePointAt() as defined by ES6.
1032         I opted for a C++ implementation for now.
1033
1034         * runtime/StringPrototype.cpp:
1035         (JSC::StringPrototype::finishCreation):
1036         (JSC::codePointAt):
1037         (JSC::stringProtoFuncCodePointAt):
1038
1039 2015-04-22  Mark Lam  <mark.lam@apple.com>
1040
1041         SparseArrayEntry's write barrier owner should be the SparseArrayValueMap.
1042         https://bugs.webkit.org/show_bug.cgi?id=144067
1043
1044         Reviewed by Michael Saboff.
1045
1046         Currently, there are a few places where the JSObject that owns the
1047         SparseArrayValueMap is designated as the owner of the SparseArrayEntry
1048         write barrier.  This is a bug and can result in the GC collecting the
1049         SparseArrayEntry even though it is being referenced by the
1050         SparseArrayValueMap.  This patch fixes the bug.
1051
1052         * runtime/JSObject.cpp:
1053         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
1054         (JSC::JSObject::putIndexedDescriptor):
1055         * tests/stress/sparse-array-entry-update-144067.js: Added.
1056         (useMemoryToTriggerGCs):
1057         (foo):
1058
1059 2015-04-22  Mark Lam  <mark.lam@apple.com>
1060
1061         Give the heap object iterators the ability to return early.
1062         https://bugs.webkit.org/show_bug.cgi?id=144011
1063
1064         Reviewed by Michael Saboff.
1065
1066         JSDollarVMPrototype::isValidCell() uses a heap object iterator to validate
1067         candidate cell pointers, and, when in use, is called a lot more often than
1068         the normal way those iterators are used.  As a result, I see my instrumented
1069         VM killed with a SIGXCPU (CPU time limit exceeded).  This patch gives the
1070         callback functor the ability to tell the iterators to return early when the
1071         functor no longer needs to continue iterating.  With this, my instrumented
1072         VM is useful again for debugging.
1073
1074         Since heap iteration is not something that we do in a typical fast path,
1075         I don't expect this to have any noticeable impact on performance.
1076
1077         I also renamed ObjectAddressCheckFunctor to CellAddressCheckFunctor since
1078         it checks JSCell addresses, not just JSObjects.
1079
1080         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1081         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1082         * JavaScriptCore.xcodeproj/project.pbxproj:
1083         * debugger/Debugger.cpp:
1084         * heap/GCLogging.cpp:
1085         (JSC::LoggingFunctor::operator()):
1086         * heap/Heap.cpp:
1087         (JSC::Zombify::visit):
1088         (JSC::Zombify::operator()):
1089         * heap/HeapStatistics.cpp:
1090         (JSC::StorageStatistics::visit):
1091         (JSC::StorageStatistics::operator()):
1092         * heap/HeapVerifier.cpp:
1093         (JSC::GatherLiveObjFunctor::visit):
1094         (JSC::GatherLiveObjFunctor::operator()):
1095         * heap/MarkedBlock.cpp:
1096         (JSC::SetNewlyAllocatedFunctor::operator()):
1097         * heap/MarkedBlock.h:
1098         (JSC::MarkedBlock::forEachCell):
1099         (JSC::MarkedBlock::forEachLiveCell):
1100         (JSC::MarkedBlock::forEachDeadCell):
1101         * heap/MarkedSpace.h:
1102         (JSC::MarkedSpace::forEachLiveCell):
1103         (JSC::MarkedSpace::forEachDeadCell):
1104         * inspector/agents/InspectorRuntimeAgent.cpp:
1105         (Inspector::TypeRecompiler::visit):
1106         (Inspector::TypeRecompiler::operator()):
1107         * runtime/IterationStatus.h: Added.
1108         * runtime/JSGlobalObject.cpp:
1109         * runtime/VM.cpp:
1110         (JSC::StackPreservingRecompiler::visit):
1111         (JSC::StackPreservingRecompiler::operator()):
1112         * tools/JSDollarVMPrototype.cpp:
1113         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
1114         (JSC::CellAddressCheckFunctor::operator()):
1115         (JSC::JSDollarVMPrototype::isValidCell):
1116         (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor): Deleted.
1117         (JSC::ObjectAddressCheckFunctor::operator()): Deleted.
1118
1119 2015-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1120
1121         [[Set]] should be properly executed in JS builtins
1122         https://bugs.webkit.org/show_bug.cgi?id=143996
1123
1124         Reviewed by Geoffrey Garen.
1125
1126         Currently, all assignments in builtins JS code are compiled into put_by_val_direct.
1127         However,
1128
1129         1. Some functions (like Array.from) need [[Set]] (but they are now compiled into put_by_val_direct, i.e. [[DefineOwnProperty]]).
1130         2. It's different from the default JS behavior.
1131
1132         In this patch, we implement the bytecode intrinsic emitting put_by_val_direct and use it explicitly.
1133         And we drop the current hack for builtins.
1134
1135         * builtins/Array.prototype.js:
1136         (filter):
1137         (map):
1138         (find):
1139         * bytecompiler/BytecodeGenerator.cpp:
1140         (JSC::BytecodeGenerator::emitPutByVal):
1141         * tests/stress/array-fill-put-by-val.js: Added.
1142         (shouldThrow):
1143         (.set get array):
1144         * tests/stress/array-filter-put-by-val-direct.js: Added.
1145         (shouldBe):
1146         (.set get var):
1147         * tests/stress/array-find-does-not-lookup-twice.js: Added.
1148         (shouldBe):
1149         (shouldThrow):
1150         (.get shouldBe):
1151         * tests/stress/array-from-put-by-val-direct.js: Added.
1152         (shouldBe):
1153         (.set get var):
1154         * tests/stress/array-from-set-length.js: Added.
1155         (shouldBe):
1156         (ArrayLike):
1157         (ArrayLike.prototype.set length):
1158         (ArrayLike.prototype.get length):
1159         * tests/stress/array-map-put-by-val-direct.js: Added.
1160         (shouldBe):
1161         (.set get var):
1162
1163 2015-04-22  Basile Clement  <basile_clement@apple.com>
1164  
1165         Don't de-allocate FunctionRareData
1166         https://bugs.webkit.org/show_bug.cgi?id=144000
1167
1168         Reviewed by Michael Saboff.
1169
1170         A function rare data (containing most notably its allocation profile) is currently
1171         freed and re-allocated each time the function's prototype is cleared.
1172         This is not optimal as it means we are invalidating the watchpoint and recompiling the
1173         scope each time the prototype is cleared.
1174
1175         This makes it so that a single rare data is reused, clearing the underlying
1176         ObjectAllocationProfile instead of throwing away the whole rare data on
1177         .prototype updates.
1178
1179         * runtime/FunctionRareData.cpp:
1180         (JSC::FunctionRareData::create):
1181         (JSC::FunctionRareData::finishCreation):
1182         * runtime/FunctionRareData.h:
1183         * runtime/JSFunction.cpp:
1184         (JSC::JSFunction::allocateAndInitializeRareData):
1185         (JSC::JSFunction::initializeRareData):
1186
1187 2015-04-21  Filip Pizlo  <fpizlo@apple.com>
1188
1189         Unreviewed, fix 32-bit. Forgot to make this simple change to 32_64 as well.
1190
1191         * dfg/DFGSpeculativeJIT32_64.cpp:
1192         (JSC::DFG::SpeculativeJIT::compile):
1193
1194 2015-04-21  Filip Pizlo  <fpizlo@apple.com>
1195
1196         DFG should allow Phantoms after terminals
1197         https://bugs.webkit.org/show_bug.cgi?id=126778
1198
1199         Reviewed by Mark Lam.
1200         
1201         It's important for us to be able to place liveness-marking nodes after nodes that do
1202         things. These liveness-marking nodes are nops. Previously, we disallowed such nodes after
1203         terminals. That made things awkward, especially for Switch and Branch, which may do
1204         things that necessitate liveness markers (for example they might want to use a converted
1205         version of a value rather than the value that was MovHinted). We previously made this
1206         work by disallowing certain optimizations on Switch and Branch, which was probably a bad
1207         thing.
1208         
1209         This changes our IR to allow for the terminal to not be the last node in a block. Asking
1210         for the terminal involves a search. DFG::validate() checks that the nodes after the
1211         terminal are liveness markers that have no effects or checks.
1212         
1213         This is perf-neutral but will allow more optimizations in the future. It will also make
1214         it cleaner to fix https://bugs.webkit.org/show_bug.cgi?id=143735.
1215
1216         * dfg/DFGBasicBlock.cpp:
1217         (JSC::DFG::BasicBlock::replaceTerminal):
1218         * dfg/DFGBasicBlock.h:
1219         (JSC::DFG::BasicBlock::findTerminal):
1220         (JSC::DFG::BasicBlock::terminal):
1221         (JSC::DFG::BasicBlock::insertBeforeTerminal):
1222         (JSC::DFG::BasicBlock::numSuccessors):
1223         (JSC::DFG::BasicBlock::successor):
1224         (JSC::DFG::BasicBlock::successorForCondition):
1225         (JSC::DFG::BasicBlock::successors):
1226         (JSC::DFG::BasicBlock::last): Deleted.
1227         (JSC::DFG::BasicBlock::takeLast): Deleted.
1228         (JSC::DFG::BasicBlock::insertBeforeLast): Deleted.
1229         (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable): Deleted.
1230         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator): Deleted.
1231         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*): Deleted.
1232         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++): Deleted.
1233         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==): Deleted.
1234         (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=): Deleted.
1235         (JSC::DFG::BasicBlock::SuccessorsIterable::begin): Deleted.
1236         (JSC::DFG::BasicBlock::SuccessorsIterable::end): Deleted.
1237         * dfg/DFGBasicBlockInlines.h:
1238         (JSC::DFG::BasicBlock::appendNonTerminal):
1239         (JSC::DFG::BasicBlock::replaceTerminal):
1240         * dfg/DFGByteCodeParser.cpp:
1241         (JSC::DFG::ByteCodeParser::addToGraph):
1242         (JSC::DFG::ByteCodeParser::inlineCall):
1243         (JSC::DFG::ByteCodeParser::handleInlining):
1244         (JSC::DFG::ByteCodeParser::parseBlock):
1245         (JSC::DFG::ByteCodeParser::linkBlock):
1246         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1247         * dfg/DFGCFGSimplificationPhase.cpp:
1248         (JSC::DFG::CFGSimplificationPhase::run):
1249         (JSC::DFG::CFGSimplificationPhase::convertToJump):
1250         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1251         * dfg/DFGCPSRethreadingPhase.cpp:
1252         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1253         * dfg/DFGCommon.h:
1254         (JSC::DFG::NodeAndIndex::NodeAndIndex):
1255         (JSC::DFG::NodeAndIndex::operator!):
1256         * dfg/DFGFixupPhase.cpp:
1257         (JSC::DFG::FixupPhase::fixupBlock):
1258         (JSC::DFG::FixupPhase::fixupNode):
1259         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
1260         (JSC::DFG::FixupPhase::clearPhantomsAtEnd): Deleted.
1261         * dfg/DFGForAllKills.h:
1262         (JSC::DFG::forAllLiveNodesAtTail):
1263         * dfg/DFGGraph.cpp:
1264         (JSC::DFG::Graph::terminalsAreValid):
1265         (JSC::DFG::Graph::dumpBlockHeader):
1266         * dfg/DFGGraph.h:
1267         * dfg/DFGInPlaceAbstractState.cpp:
1268         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
1269         * dfg/DFGLICMPhase.cpp:
1270         (JSC::DFG::LICMPhase::run):
1271         (JSC::DFG::LICMPhase::attemptHoist):
1272         * dfg/DFGMovHintRemovalPhase.cpp:
1273         * dfg/DFGNode.h:
1274         (JSC::DFG::Node::SuccessorsIterable::SuccessorsIterable):
1275         (JSC::DFG::Node::SuccessorsIterable::iterator::iterator):
1276         (JSC::DFG::Node::SuccessorsIterable::iterator::operator*):
1277         (JSC::DFG::Node::SuccessorsIterable::iterator::operator++):
1278         (JSC::DFG::Node::SuccessorsIterable::iterator::operator==):
1279         (JSC::DFG::Node::SuccessorsIterable::iterator::operator!=):
1280         (JSC::DFG::Node::SuccessorsIterable::begin):
1281         (JSC::DFG::Node::SuccessorsIterable::end):
1282         (JSC::DFG::Node::successors):
1283         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1284         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
1285         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
1286         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
1287         * dfg/DFGPhantomRemovalPhase.cpp:
1288         (JSC::DFG::PhantomRemovalPhase::run):
1289         * dfg/DFGPutStackSinkingPhase.cpp:
1290         * dfg/DFGSSAConversionPhase.cpp:
1291         (JSC::DFG::SSAConversionPhase::run):
1292         * dfg/DFGSpeculativeJIT.h:
1293         (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
1294         * dfg/DFGSpeculativeJIT32_64.cpp:
1295         (JSC::DFG::SpeculativeJIT::compile):
1296         * dfg/DFGSpeculativeJIT64.cpp:
1297         (JSC::DFG::SpeculativeJIT::compile):
1298         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
1299         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
1300         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1301         (JSC::DFG::TierUpCheckInjectionPhase::run):
1302         * dfg/DFGValidate.cpp:
1303         (JSC::DFG::Validate::validate):
1304         * ftl/FTLLowerDFGToLLVM.cpp:
1305         (JSC::FTL::LowerDFGToLLVM::compileNode):
1306         * tests/stress/closure-call-exit.js: Added.
1307         (foo):
1308
1309 2015-04-21  Basile Clement  <basile_clement@apple.com>
1310
1311         PhantomNewObject should be marked NodeMustGenerate
1312         https://bugs.webkit.org/show_bug.cgi?id=143974
1313
1314         Reviewed by Filip Pizlo.
1315
1316         * dfg/DFGNode.h:
1317         (JSC::DFG::Node::convertToPhantomNewObject):
1318         Was not properly marking NodeMustGenerate when converting.
1319
1320 2015-04-21  Filip Pizlo  <fpizlo@apple.com>
1321
1322         DFG Call/ConstructForwardVarargs fails to restore the stack pointer
1323         https://bugs.webkit.org/show_bug.cgi?id=144007
1324
1325         Reviewed by Mark Lam.
1326         
1327         We were conditioning the stack pointer restoration on isVarargs, but we also need to do it
1328         if isForwardVarargs.
1329
1330         * dfg/DFGSpeculativeJIT32_64.cpp:
1331         (JSC::DFG::SpeculativeJIT::emitCall):
1332         * dfg/DFGSpeculativeJIT64.cpp:
1333         (JSC::DFG::SpeculativeJIT::emitCall):
1334         * tests/stress/varargs-then-slow-call.js: Added.
1335         (foo):
1336         (bar):
1337         (fuzz):
1338         (baz):
1339
1340 2015-04-21  Basile Clement  <basile_clement@apple.com>
1341
1342         Remove AllocationProfileWatchpoint node
1343         https://bugs.webkit.org/show_bug.cgi?id=143999
1344
1345         Reviewed by Filip Pizlo.
1346
1347         * dfg/DFGAbstractInterpreterInlines.h:
1348         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1349         * dfg/DFGByteCodeParser.cpp:
1350         (JSC::DFG::ByteCodeParser::parseBlock):
1351         * dfg/DFGClobberize.h:
1352         (JSC::DFG::clobberize):
1353         * dfg/DFGDoesGC.cpp:
1354         (JSC::DFG::doesGC):
1355         * dfg/DFGFixupPhase.cpp:
1356         (JSC::DFG::FixupPhase::fixupNode):
1357         * dfg/DFGHeapLocation.cpp:
1358         (WTF::printInternal):
1359         * dfg/DFGHeapLocation.h:
1360         * dfg/DFGNode.h:
1361         (JSC::DFG::Node::hasCellOperand):
1362         * dfg/DFGNodeType.h:
1363         * dfg/DFGPredictionPropagationPhase.cpp:
1364         (JSC::DFG::PredictionPropagationPhase::propagate):
1365         * dfg/DFGSafeToExecute.h:
1366         (JSC::DFG::safeToExecute):
1367         * dfg/DFGSpeculativeJIT32_64.cpp:
1368         (JSC::DFG::SpeculativeJIT::compile):
1369         * dfg/DFGSpeculativeJIT64.cpp:
1370         (JSC::DFG::SpeculativeJIT::compile):
1371         * dfg/DFGWatchpointCollectionPhase.cpp:
1372         (JSC::DFG::WatchpointCollectionPhase::handle):
1373         * ftl/FTLCapabilities.cpp:
1374         (JSC::FTL::canCompile):
1375         * ftl/FTLLowerDFGToLLVM.cpp:
1376         (JSC::FTL::LowerDFGToLLVM::compileNode):
1377         * runtime/JSFunction.h:
1378         (JSC::JSFunction::rareData):
1379         (JSC::JSFunction::allocationProfileWatchpointSet): Deleted.
1380
1381 2015-04-19  Filip Pizlo  <fpizlo@apple.com>
1382
1383         MovHint should be a strong use
1384         https://bugs.webkit.org/show_bug.cgi?id=143734
1385
1386         Reviewed by Geoffrey Garen.
1387         
1388         This disables any DCE that assumes equivalence between DFG IR uses and bytecode uses. Doing
1389         so is a major step towards allowing more fancy DFG transformations and also probably fixing
1390         some bugs.
1391         
1392         Just making MovHint a strong use would also completely disable DCE. So we mitigate this by
1393         introducing a MovHint removal phase that runs in FTL.
1394         
1395         This is a slight slowdown on Octane/gbemu, but it's basically neutral on suite averages.
1396
1397         * CMakeLists.txt:
1398         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1399         * JavaScriptCore.xcodeproj/project.pbxproj:
1400         * bytecode/CodeOrigin.cpp:
1401         (JSC::InlineCallFrame::dumpInContext):
1402         * dfg/DFGDCEPhase.cpp:
1403         (JSC::DFG::DCEPhase::fixupBlock):
1404         * dfg/DFGDisassembler.cpp:
1405         (JSC::DFG::Disassembler::createDumpList):
1406         * dfg/DFGEpoch.cpp: Added.
1407         (JSC::DFG::Epoch::dump):
1408         * dfg/DFGEpoch.h: Added.
1409         (JSC::DFG::Epoch::Epoch):
1410         (JSC::DFG::Epoch::first):
1411         (JSC::DFG::Epoch::operator!):
1412         (JSC::DFG::Epoch::next):
1413         (JSC::DFG::Epoch::bump):
1414         (JSC::DFG::Epoch::operator==):
1415         (JSC::DFG::Epoch::operator!=):
1416         * dfg/DFGMayExit.cpp:
1417         (JSC::DFG::mayExit):
1418         * dfg/DFGMovHintRemovalPhase.cpp: Added.
1419         (JSC::DFG::performMovHintRemoval):
1420         * dfg/DFGMovHintRemovalPhase.h: Added.
1421         * dfg/DFGNodeType.h:
1422         * dfg/DFGPlan.cpp:
1423         (JSC::DFG::Plan::compileInThreadImpl):
1424         * dfg/DFGSpeculativeJIT.cpp:
1425         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1426         * dfg/DFGSpeculativeJIT64.cpp:
1427         (JSC::DFG::SpeculativeJIT::compile):
1428         * runtime/Options.h:
1429
1430 2015-04-21  Basile Clement  <basile_clement@apple.com>
1431
1432         REGRESSION (r182899): icloud.com crashes
1433         https://bugs.webkit.org/show_bug.cgi?id=143960
1434
1435         Reviewed by Filip Pizlo.
1436
1437         * runtime/JSFunction.h:
1438         (JSC::JSFunction::allocationStructure):
1439         * tests/stress/dfg-rare-data.js: Added.
1440         (F): Regression test
1441
1442 2015-04-21  Michael Saboff  <msaboff@apple.com>
1443
1444         Crash in JSC::Interpreter::execute
1445         https://bugs.webkit.org/show_bug.cgi?id=142625
1446
1447         Reviewed by Filip Pizlo.
1448
1449         We need to keep the FunctionExecutables in the code block for the eval flavor of 
1450         Interpreter::execute() in order to create the scope used to eval.
1451
1452         * bytecode/CodeBlock.cpp:
1453         (JSC::CodeBlock::jettisonFunctionDeclsAndExprs): Deleted.
1454         * bytecode/CodeBlock.h:
1455         * dfg/DFGGraph.cpp:
1456         (JSC::DFG::Graph::registerFrozenValues):
1457
1458 2015-04-21  Chris Dumez  <cdumez@apple.com>
1459
1460         Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&) constructor explicit
1461         https://bugs.webkit.org/show_bug.cgi?id=143970
1462
1463         Reviewed by Darin Adler.
1464
1465         Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&)
1466         constructor explicit as it copies the vector and it is easy to call it
1467         by mistake.
1468
1469         * bytecode/UnlinkedInstructionStream.cpp:
1470         (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream):
1471         * bytecode/UnlinkedInstructionStream.h:
1472         * ftl/FTLLowerDFGToLLVM.cpp:
1473         (JSC::FTL::LowerDFGToLLVM::lower):
1474
1475 2015-04-20  Basile Clement  <basile_clement@apple.com>
1476
1477         PhantomNewObject should be marked NodeMustGenerate
1478         https://bugs.webkit.org/show_bug.cgi?id=143974
1479
1480         Reviewed by Filip Pizlo.
1481
1482         * dfg/DFGNodeType.h: Mark PhantomNewObject as NodeMustGenerate
1483
1484 2015-04-20  Joseph Pecoraro  <pecoraro@apple.com>
1485
1486         Cleanup some StringBuilder use
1487         https://bugs.webkit.org/show_bug.cgi?id=143550
1488
1489         Reviewed by Darin Adler.
1490
1491         * runtime/Symbol.cpp:
1492         (JSC::Symbol::descriptiveString):
1493         * runtime/TypeProfiler.cpp:
1494         (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
1495         * runtime/TypeSet.cpp:
1496         (JSC::TypeSet::toJSONString):
1497         (JSC::StructureShape::propertyHash):
1498         (JSC::StructureShape::stringRepresentation):
1499         (JSC::StructureShape::toJSONString):
1500
1501 2015-04-20  Mark Lam  <mark.lam@apple.com>
1502
1503         Add debugging tools to test if a given pointer is a valid object and in the heap.
1504         https://bugs.webkit.org/show_bug.cgi?id=143910
1505
1506         Reviewed by Geoffrey Garen.
1507
1508         When doing debugging from lldb, sometimes, it is useful to be able to tell if a
1509         purported JSObject is really a valid object in the heap or not.  We can add the
1510         following utility functions to help:
1511             isValidCell(heap, candidate) - returns true if the candidate is a "live" cell in the heap.
1512             isInHeap(heap, candidate) - returns true if the candidate is in the heap's Object space or Storage space.
1513             isInObjectSpace(heap, candidate) - returns true if the candidate is in the heap's Object space.
1514             isInStorageSpace(heap, candidate) - returns true if the candidate is in the heap's Storage space.
1515
1516         Also moved lldb callable debug utility function prototypes from
1517         JSDollarVMPrototype.cpp to JSDollarVMPrototype.h as static members of the
1518         JSDollarVMPrototype class.  This is so that we can conveniently #include that
1519         file to get the prototypes when we need to call them programmatically from
1520         instrumentation that we add while debugging an issue.
1521
1522         * heap/Heap.h:
1523         (JSC::Heap::storageSpace):
1524         * tools/JSDollarVMPrototype.cpp:
1525         (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock):
1526         (JSC::ensureCurrentThreadOwnsJSLock):
1527         (JSC::JSDollarVMPrototype::gc):
1528         (JSC::functionGC):
1529         (JSC::JSDollarVMPrototype::edenGC):
1530         (JSC::functionEdenGC):
1531         (JSC::JSDollarVMPrototype::isInHeap):
1532         (JSC::JSDollarVMPrototype::isInObjectSpace):
1533         (JSC::JSDollarVMPrototype::isInStorageSpace):
1534         (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor):
1535         (JSC::ObjectAddressCheckFunctor::operator()):
1536         (JSC::JSDollarVMPrototype::isValidCell):
1537         (JSC::JSDollarVMPrototype::isValidCodeBlock):
1538         (JSC::JSDollarVMPrototype::codeBlockForFrame):
1539         (JSC::functionCodeBlockForFrame):
1540         (JSC::codeBlockFromArg):
1541         (JSC::JSDollarVMPrototype::printCallFrame):
1542         (JSC::JSDollarVMPrototype::printStack):
1543         (JSC::JSDollarVMPrototype::printValue):
1544         (JSC::currentThreadOwnsJSLock): Deleted.
1545         (JSC::gc): Deleted.
1546         (JSC::edenGC): Deleted.
1547         (JSC::isValidCodeBlock): Deleted.
1548         (JSC::codeBlockForFrame): Deleted.
1549         (JSC::printCallFrame): Deleted.
1550         (JSC::printStack): Deleted.
1551         (JSC::printValue): Deleted.
1552         * tools/JSDollarVMPrototype.h:
1553
1554 2015-04-20  Joseph Pecoraro  <pecoraro@apple.com>
1555
1556         Web Inspector: Improve Support for WeakSet in Console
1557         https://bugs.webkit.org/show_bug.cgi?id=143951
1558
1559         Reviewed by Darin Adler.
1560
1561         * inspector/InjectedScriptSource.js:
1562         * inspector/JSInjectedScriptHost.cpp:
1563         (Inspector::JSInjectedScriptHost::subtype):
1564         (Inspector::JSInjectedScriptHost::weakSetSize):
1565         (Inspector::JSInjectedScriptHost::weakSetEntries):
1566         * inspector/JSInjectedScriptHost.h:
1567         * inspector/JSInjectedScriptHostPrototype.cpp:
1568         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1569         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
1570         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
1571         Treat WeakSets like special sets.
1572
1573         * inspector/protocol/Runtime.json:
1574         Add a new object subtype, "weakset".
1575
1576 2015-04-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1577
1578         HashMap storing PropertyKey StringImpl* need to use IdentifierRepHash to handle Symbols
1579         https://bugs.webkit.org/show_bug.cgi?id=143947
1580
1581         Reviewed by Darin Adler.
1582
1583         Type profiler has a map between PropertyKey (StringImpl*) and offset.
1584         StringImpl* is also used for Symbol PropertyKeys.
1585         So hash-table equality must be determined by the interned StringImpl*'s pointer value.
1586         To do so, use IdentifierRepHash instead of StringHash.
1587
1588         * runtime/SymbolTable.h:
1589
1590 2015-04-20  Jordan Harband  <ljharb@gmail.com>
1591
1592         Implement `Object.is`
1593         https://bugs.webkit.org/show_bug.cgi?id=143865
1594
1595         Reviewed by Darin Adler.
1596
1597         Expose sameValue to JS, via Object.is
1598         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.is
1599
1600         * runtime/ObjectConstructor.cpp:
1601         (JSC::objectConstructorIs):
1602         * runtime/PropertyDescriptor.cpp:
1603         (JSC::sameValue):
1604
1605 2015-04-19  Darin Adler  <darin@apple.com>
1606
1607         Remove all the remaining uses of OwnPtr and PassOwnPtr in JavaScriptCore
1608         https://bugs.webkit.org/show_bug.cgi?id=143941
1609
1610         Reviewed by Gyuyoung Kim.
1611
1612         * API/JSCallbackObject.h: Use unique_ptr for m_callbackObjectData.
1613         * API/JSCallbackObjectFunctions.h: Ditto.
1614
1615         * API/ObjCCallbackFunction.h: Use unique_ptr for the arguments to the
1616         create function and the constructor and for m_impl.
1617         * API/ObjCCallbackFunction.mm:
1618         (CallbackArgumentOfClass::CallbackArgumentOfClass): Streamline this
1619         class by using RetainPtr<Class>.
1620         (ArgumentTypeDelegate::typeInteger): Use make_unique.
1621         (ArgumentTypeDelegate::typeDouble): Ditto.
1622         (ArgumentTypeDelegate::typeBool): Ditto.
1623         (ArgumentTypeDelegate::typeVoid): Ditto.
1624         (ArgumentTypeDelegate::typeId): Ditto.
1625         (ArgumentTypeDelegate::typeOfClass): Ditto.
1626         (ArgumentTypeDelegate::typeBlock): Ditto.
1627         (ArgumentTypeDelegate::typeStruct): Ditto.
1628         (ResultTypeDelegate::typeInteger): Ditto.
1629         (ResultTypeDelegate::typeDouble): Ditto.
1630         (ResultTypeDelegate::typeBool): Ditto.
1631         (ResultTypeDelegate::typeVoid): Ditto.
1632         (ResultTypeDelegate::typeId): Ditto.
1633         (ResultTypeDelegate::typeOfClass): Ditto.
1634         (ResultTypeDelegate::typeBlock): Ditto.
1635         (ResultTypeDelegate::typeStruct): Ditto.
1636         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): Use
1637         unique_ptr for the arguments to the constructor, m_arguments, and m_result.
1638         Use RetainPtr<Class> for m_instanceClass.
1639         (JSC::objCCallbackFunctionCallAsConstructor): Use nullptr instead of nil or 0
1640         for non-Objective-C object pointer null.
1641         (JSC::ObjCCallbackFunction::ObjCCallbackFunction): Use unique_ptr for
1642         the arguments to the constructor and for m_impl.
1643         (JSC::ObjCCallbackFunction::create): Use unique_ptr for arguments.
1644         (skipNumber): Mark this static since it's local to this source file.
1645         (objCCallbackFunctionForInvocation): Call parseObjCType without doing any
1646         explicit adoptPtr since the types in the traits are now unique_ptr. Also use
1647         nullptr instead of nil for JSObjectRef values.
1648         (objCCallbackFunctionForMethod): Tweaked comment.
1649         (objCCallbackFunctionForBlock): Use nullptr instead of 0 for JSObjectRef.
1650
1651         * bytecode/CallLinkInfo.h: Removed unneeded include of OwnPtr.h.
1652
1653         * heap/GCThread.cpp:
1654         (JSC::GCThread::GCThread): Use unique_ptr.
1655         * heap/GCThread.h: Use unique_ptr for arguments to the constructor and for
1656         m_slotVisitor and m_copyVisitor.
1657         * heap/GCThreadSharedData.cpp:
1658         (JSC::GCThreadSharedData::GCThreadSharedData): Ditto.
1659
1660         * parser/SourceProvider.h: Removed unneeded include of PassOwnPtr.h.
1661
1662 2015-04-19  Benjamin Poulain  <benjamin@webkit.org>
1663
1664         Improve the feature.json files
1665
1666         * features.json:
1667
1668 2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1669
1670         Introduce bytecode intrinsics
1671         https://bugs.webkit.org/show_bug.cgi?id=143926
1672
1673         Reviewed by Filip Pizlo.
1674
1675         This patch introduces bytecode level intrinsics into builtins/*.js JS code.
1676         When implementing functions in builtins/*.js,
1677         sometimes we require lower level functionality.
1678
1679         For example, in the current Array.from, we use `result[k] = value`.
1680         The spec requires `[[DefineOwnProperty]]` operation here.
1681         However, usual `result[k] = value` is evaluated as `[[Set]]`. (`PutValue` => `[[Set]]`)
1682         So if we implement `Array.prototype[k]` getter/setter, the difference is observable.
1683
1684         Ideally, reaching here, we would like to use put_by_val_direct bytecode.
1685         However, there's no syntax to generate it directly.
1686
1687         This patch introduces bytecode level intrinsics into JSC BytecodeCompiler.
1688         Like @call, @apply, we introduce a new node, Intrinsic.
1689         These are generated when calling appropriate private symbols in privileged code.
1690         AST parser detects them and generates Intrinsic nodes and
1691         BytecodeCompiler detects them and generate required bytecodes.
1692
1693         Currently, Array.from implementation works fine without this patch.
1694         This is because when the target code is builtin JS,
1695         BytecodeGenerator emits put_by_val_direct instead of put_by_val.
1696         This solves the above issue. However, instead of solving this issue,
1697         it raises another issue: there's no way to emit the `[[Set]]` operation.
1698         `[[Set]]` operation is actually used in the spec (Array.from's "length" is set by `[[Set]]`).
1699         So to implement it precisely, introducing bytecode level intrinsics is necessary.
1700
1701         In the subsequent fixes, we'll remove that special path emitting put_by_val_direct
1702         for `result[k] = value` under the builtin JS environment. Instead of that special handling,
1703         we will use bytecode intrinsics. This solves the problem and is more intuitive,
1704         because JS code written in builtins behaves the same as ordinary JS code.
1705
1706         * CMakeLists.txt:
1707         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1708         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1709         * JavaScriptCore.xcodeproj/project.pbxproj:
1710         * builtins/ArrayConstructor.js:
1711         (from):
1712         * bytecode/BytecodeIntrinsicRegistry.cpp: Added.
1713         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1714         (JSC::BytecodeIntrinsicRegistry::lookup):
1715         * bytecode/BytecodeIntrinsicRegistry.h: Added.
1716         * bytecompiler/NodesCodegen.cpp:
1717         (JSC::BytecodeIntrinsicNode::emitBytecode):
1718         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
1719         * parser/ASTBuilder.h:
1720         (JSC::ASTBuilder::makeFunctionCallNode):
1721         * parser/NodeConstructors.h:
1722         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
1723         * parser/Nodes.h:
1724         (JSC::BytecodeIntrinsicNode::identifier):
1725         * runtime/CommonIdentifiers.cpp:
1726         (JSC::CommonIdentifiers::CommonIdentifiers):
1727         * runtime/CommonIdentifiers.h:
1728         (JSC::CommonIdentifiers::bytecodeIntrinsicRegistry):
1729         * tests/stress/array-from-with-accessors.js: Added.
1730         (shouldBe):
1731
1732 2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1733
1734         Make Builtin functions non constructible
1735         https://bugs.webkit.org/show_bug.cgi?id=143923
1736
1737         Reviewed by Darin Adler.
1738
1739         Builtin functions defined by builtins/*.js accidentally have [[Construct]].
1740         According to the spec, these functions, except those explicitly defined as constructors, do not have [[Construct]].
1741         This patch fixes it. When the JS function used for construction is a builtin function, throw a "not a constructor" error.
1742
1743         Ideally, returning ConstructTypeNone in JSFunction::getConstructData is enough.
1744         However, to avoid calling getConstructData (it involves an indirect call through getConstructData's function pointer), some places do not check ConstructType.
1745         In these places, they only check whether the target function is a JSFunction, because previously a JSFunction always had [[Construct]].
1746         So in this patch, we check `isBuiltinFunction()` in those places.
1747
1748         * dfg/DFGByteCodeParser.cpp:
1749         (JSC::DFG::ByteCodeParser::inliningCost):
1750         * jit/JITOperations.cpp:
1751         * llint/LLIntSlowPaths.cpp:
1752         (JSC::LLInt::setUpCall):
1753         * runtime/JSFunction.cpp:
1754         (JSC::JSFunction::getConstructData):
1755         * tests/stress/builtin-function-is-construct-type-none.js: Added.
1756         (shouldThrow):
1757
1758 2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1759
1760         [ES6] Implement WeakSet
1761         https://bugs.webkit.org/show_bug.cgi?id=142408
1762
1763         Reviewed by Darin Adler.
1764
1765         This patch implements ES6 WeakSet.
1766         Current implementation simply leverages WeakMapData with undefined value.
1767         This WeakMapData should be optimized in the same manner as MapData/SetData in the subsequent patch[1].
1768
1769         And in this patch, we also fix WeakMap/WeakSet behavior to conform to the ES6 spec.
1770         Except for adders (WeakMap.prototype.set/WeakSet.prototype.add),
1771         methods return false (or undefined for WeakMap.prototype.get)
1772         when a key is not an Object, instead of throwing a type error.
1773
1774         [1]: https://bugs.webkit.org/show_bug.cgi?id=143919
1775
1776         * CMakeLists.txt:
1777         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1778         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1779         * JavaScriptCore.xcodeproj/project.pbxproj:
1780         * runtime/CommonIdentifiers.h:
1781         * runtime/JSGlobalObject.cpp:
1782         * runtime/JSGlobalObject.h:
1783         * runtime/JSWeakSet.cpp: Added.
1784         (JSC::JSWeakSet::finishCreation):
1785         (JSC::JSWeakSet::visitChildren):
1786         * runtime/JSWeakSet.h: Added.
1787         (JSC::JSWeakSet::createStructure):
1788         (JSC::JSWeakSet::create):
1789         (JSC::JSWeakSet::weakMapData):
1790         (JSC::JSWeakSet::JSWeakSet):
1791         * runtime/WeakMapPrototype.cpp:
1792         (JSC::getWeakMapData):
1793         (JSC::protoFuncWeakMapDelete):
1794         (JSC::protoFuncWeakMapGet):
1795         (JSC::protoFuncWeakMapHas):
1796         * runtime/WeakSetConstructor.cpp: Added.
1797         (JSC::WeakSetConstructor::finishCreation):
1798         (JSC::callWeakSet):
1799         (JSC::constructWeakSet):
1800         (JSC::WeakSetConstructor::getConstructData):
1801         (JSC::WeakSetConstructor::getCallData):
1802         * runtime/WeakSetConstructor.h: Added.
1803         (JSC::WeakSetConstructor::create):
1804         (JSC::WeakSetConstructor::createStructure):
1805         (JSC::WeakSetConstructor::WeakSetConstructor):
1806         * runtime/WeakSetPrototype.cpp: Added.
1807         (JSC::WeakSetPrototype::finishCreation):
1808         (JSC::getWeakMapData):
1809         (JSC::protoFuncWeakSetDelete):
1810         (JSC::protoFuncWeakSetHas):
1811         (JSC::protoFuncWeakSetAdd):
1812         * runtime/WeakSetPrototype.h: Added.
1813         (JSC::WeakSetPrototype::create):
1814         (JSC::WeakSetPrototype::createStructure):
1815         (JSC::WeakSetPrototype::WeakSetPrototype):
1816         * tests/stress/weak-set-constructor-adder.js: Added.
1817         (WeakSet.prototype.add):
1818         * tests/stress/weak-set-constructor.js: Added.
1819
1820 2015-04-17  Alexey Proskuryakov  <ap@apple.com>
1821
1822         Remove unused BoundsCheckedPointer
1823         https://bugs.webkit.org/show_bug.cgi?id=143896
1824
1825         Reviewed by Geoffrey Garen.
1826
1827         * bytecode/SpeculatedType.cpp: The header was included here.
1828
1829 2015-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1830
1831         [ES6] Fix name enumeration of static functions for Symbol constructor
1832         https://bugs.webkit.org/show_bug.cgi?id=143891
1833
1834         Reviewed by Geoffrey Garen.
1835
1836         Fix missing symbolPrototypeTable registration to the js class object.
1837         This patch fixes name enumeration of static functions (Symbol.key, Symbol.keyFor) for Symbol constructor.
1838
1839         * runtime/SymbolConstructor.cpp:
1840
1841 2015-04-17  Basile Clement  <basile_clement@apple.com>
1842
1843         Inline JSFunction allocation in DFG
1844         https://bugs.webkit.org/show_bug.cgi?id=143858
1845
1846         Reviewed by Filip Pizlo.
1847
1848         Followup to my previous patch which inlines JSFunction allocation when
1849         using FTL, now also enabled in DFG.
1850
1851         * dfg/DFGSpeculativeJIT.cpp:
1852         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1853
1854 2015-04-16  Jordan Harband  <ljharb@gmail.com>
1855
1856         Number.parseInt is not === global parseInt in nightly r182673
1857         https://bugs.webkit.org/show_bug.cgi?id=143799
1858
1859         Reviewed by Darin Adler.
1860
1861         Ensuring parseInt === Number.parseInt, per spec
1862         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
1863
1864         * runtime/CommonIdentifiers.h:
1865         * runtime/JSGlobalObject.cpp:
1866         (JSC::JSGlobalObject::init):
1867         * runtime/JSGlobalObject.h:
1868         (JSC::JSGlobalObject::parseIntFunction):
1869         * runtime/NumberConstructor.cpp:
1870         (JSC::NumberConstructor::finishCreation):
1871
1872 2015-04-16  Mark Lam  <mark.lam@apple.com>
1873
1874         Gardening: fix CLOOP build after r182927.
1875
1876         Not reviewed.
1877
1878         * interpreter/StackVisitor.cpp:
1879         (JSC::StackVisitor::Frame::print):
1880
1881 2015-04-16  Basile Clement  <basile_clement@apple.com>
1882
1883         Inline JSFunction allocation in FTL
1884         https://bugs.webkit.org/show_bug.cgi?id=143851
1885
1886         Reviewed by Filip Pizlo.
1887
1888         JSFunction allocation is a simple operation that should be inlined when possible.
1889
1890         * ftl/FTLAbstractHeapRepository.h:
1891         * ftl/FTLLowerDFGToLLVM.cpp:
1892         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
1893         * runtime/JSFunction.h:
1894         (JSC::JSFunction::allocationSize):
1895
1896 2015-04-16  Mark Lam  <mark.lam@apple.com>
1897
1898         Add $vm debugging tool.
1899         https://bugs.webkit.org/show_bug.cgi?id=143809
1900
1901         Reviewed by Geoffrey Garen.
1902
1903         For debugging VM bugs, it would be useful to be able to dump VM data structures
1904         from JS code that we instrument.  To this end, let's introduce a
1905         JS_enableDollarVM option that, if true, installs an $vm property into each JS
1906         global object at creation time.  The $vm property refers to an object that
1907         provides a collection of useful utility functions.  For this initial
1908         implementation, $vm will have the following:
1909
1910             crash() - trigger an intentional crash.
1911
1912             dfgTrue() - returns true if the current function is DFG compiled, else returns false.
1913             jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false.
1914             llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false.
1915
1916             gc() - runs a full GC.
1917             edenGC() - runs an eden GC.
1918
1919             codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc).
1920             printSourceFor(codeBlock) - prints the source code for the codeBlock.
1921             printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock.
1922
1923             print(str) - prints a string to dataLog output.
1924             printCallFrame() - prints the current CallFrame.
1925             printStack() - prints the JS stack.
1926             printInternal(value) - prints the JSC internal info for the specified value.
1927
1928         With JS_enableDollarVM=true, JS code can use the above functions like so:
1929
1930             $vm.print("Using $vm features\n");
1931
1932         * CMakeLists.txt:
1933         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1934         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1935         * JavaScriptCore.xcodeproj/project.pbxproj:
1936         * bytecode/CodeBlock.cpp:
1937         (JSC::CodeBlock::printCallOp):
1938         - FTL compiled functions don't like it when we try to compute the CallLinkStatus.
1939           Hence, we skip this step if we're dumping an FTL codeBlock.
1940
1941         * heap/Heap.cpp:
1942         (JSC::Heap::collectAndSweep):
1943         (JSC::Heap::collectAllGarbage): Deleted.
1944         * heap/Heap.h:
1945         (JSC::Heap::collectAllGarbage):
1946         - Add ability to do an Eden collection and sweep.
1947
1948         * interpreter/StackVisitor.cpp:
1949         (JSC::printIndents):
1950         (JSC::log):
1951         (JSC::logF):
1952         (JSC::StackVisitor::Frame::print):
1953         (JSC::jitTypeName): Deleted.
1954         (JSC::printif): Deleted.
1955         - Modernize the implementation of StackVisitor::Frame::print(), and remove some
1956           now redundant code.
1957         - Also fix it so that it downgrades gracefully when encountering inlined DFG
1958           and compiled FTL functions.
1959
1960         (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted.
1961         (DebugPrintFrameFunctor::operator()): Deleted.
1962         (debugPrintCallFrame): Deleted.
1963         (debugPrintStack): Deleted.
1964         - these have been moved into JSDollarVMPrototype.cpp. 
1965
1966         * interpreter/StackVisitor.h:
1967         - StackVisitor::Frame::print() is now enabled for release builds as well so that
1968           we can call it from $vm.
1969
1970         * runtime/JSGlobalObject.cpp:
1971         (JSC::JSGlobalObject::init):
1972         (JSC::JSGlobalObject::visitChildren):
1973         * runtime/JSGlobalObject.h:
1974         - Added the $vm instance to global objects conditional on the JSC_enableDollarVM
1975           option.
1976
1977         * runtime/Options.h:
1978         - Added the JSC_enableDollarVM option.
1979
1980         * tools/JSDollarVM.cpp: Added.
1981         * tools/JSDollarVM.h: Added.
1982         (JSC::JSDollarVM::createStructure):
1983         (JSC::JSDollarVM::create):
1984         (JSC::JSDollarVM::JSDollarVM):
1985
1986         * tools/JSDollarVMPrototype.cpp: Added.
1987         - This file contains 2 sets of functions:
1988
1989           a. a C++ implementation of debugging utility functions that are callable when
1990              doing debugging from lldb.  To the extent possible, these functions try to
1991              be cautious and not cause unintended crashes should the user call them with
1992              the wrong info.  Hence, they are designed to be robust rather than speedy.
1993
1994           b. the native implementations of JS functions in the $vm object.  Where there
1995              is overlapping functionality, these are built on top of the C++ functions
1996              above to do the work.
1997
1998           Note: it does not make sense for all of the $vm functions to have a C++
1999           counterpart for lldb debugging.  For example, the $vm.dfgTrue() function is
2000           only useful for JS code, and works via the DFG intrinsics mechanism.
2001           When doing debugging via lldb, the optimization level of the currently
2002           executing JS function can be gotten by dumping the current CallFrame instead.
2003
2004         (JSC::currentThreadOwnsJSLock):
2005         (JSC::ensureCurrentThreadOwnsJSLock):
2006         (JSC::JSDollarVMPrototype::addFunction):
2007         (JSC::functionCrash): - $vm.crash()
2008         (JSC::functionDFGTrue): - $vm.dfgTrue()
2009         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2010         (JSC::CallerFrameJITTypeFunctor::operator()):
2011         (JSC::CallerFrameJITTypeFunctor::jitType):
2012         (JSC::functionLLintTrue): - $vm.llintTrue()
2013         (JSC::functionJITTrue): - $vm.jitTrue()
2014         (JSC::gc):
2015         (JSC::functionGC): - $vm.gc()
2016         (JSC::edenGC):
2017         (JSC::functionEdenGC): - $vm.edenGC()
2018         (JSC::isValidCodeBlock):
2019         (JSC::codeBlockForFrame):
2020         (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber)
2021         (JSC::codeBlockFromArg):
2022         (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock)
2023         (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock)
2024         (JSC::functionPrint): - $vm.print(str)
2025         (JSC::PrintFrameFunctor::PrintFrameFunctor):
2026         (JSC::PrintFrameFunctor::operator()):
2027         (JSC::printCallFrame):
2028         (JSC::printStack):
2029         (JSC::functionPrintCallFrame): - $vm.printCallFrame()
2030         (JSC::functionPrintStack): - $vm.printStack()
2031         (JSC::printValue):
2032         (JSC::functionPrintValue): - $vm.printValue()
2033         (JSC::JSDollarVMPrototype::finishCreation):
2034         * tools/JSDollarVMPrototype.h: Added.
2035         (JSC::JSDollarVMPrototype::create):
2036         (JSC::JSDollarVMPrototype::createStructure):
2037         (JSC::JSDollarVMPrototype::JSDollarVMPrototype):
2038
2039 2015-04-16  Geoffrey Garen  <ggaren@apple.com>
2040
2041         Speculative fix after r182915
2042         https://bugs.webkit.org/show_bug.cgi?id=143404
2043
2044         Reviewed by Alexey Proskuryakov.
2045
2046         * runtime/SymbolConstructor.h:
2047
2048 2015-04-16  Mark Lam  <mark.lam@apple.com>
2049
2050         Fixed some typos in a comment.
2051
2052         Not reviewed.
2053
2054         * dfg/DFGGenerationInfo.h:
2055
2056 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2057
2058         [ES6] Implement Symbol.for and Symbol.keyFor
2059         https://bugs.webkit.org/show_bug.cgi?id=143404
2060
2061         Reviewed by Geoffrey Garen.
2062
2063         This patch implements Symbol.for and Symbol.keyFor.
2064         SymbolRegistry maintains registered StringImpl* symbols.
2065         And to make this mapping available across realms,
2066         the VM owns it (not JSGlobalObject).
2067
2068         While there's a default AtomicStringTable per thread,
2069         SymbolRegistry should not be shared across VMs.
2070         So every time a VM is created, a SymbolRegistry is also created.
2071
2072         In SymbolRegistry implementation, we don't leverage WeakGCMap (or a weak reference design).
2073         There are several reasons.
2074         1. StringImpl*, which represents the identity of a Symbol, is not a GC-managed object.
2075            So we cannot use WeakGCMap directly.
2076            While Symbol* is a GC-managed object, holding a weak reference to a Symbol* doesn't track the liveness of JS symbols (the primitive values exposed to users),
2077            because distinct Symbol* can exist.
2078            A distinct Symbol* is a Symbol* object whose pointer value differs from the weakly referenced Symbol* but whose held StringImpl* is the same.
2079
2080         2. We don't use WTF::WeakPtr. If we added a WeakPtrFactory as a StringImpl member, we could track StringImpl*'s liveness with WeakPtr.
2081            However, there's a problem with when we prune stale entries in SymbolRegistry.
2082            The memory allocated for a Symbol is typically the content of the symbolized StringImpl*,
2083            and it is not in the GC heap.
2084            While heavily registering Symbols and storing StringImpl* into SymbolRegistry, Heap's EdenSpace is not so occupied.
2085            So the GC typically attempts an EdenCollection, which doesn't call WeakGCMap's pruneStaleEntries callback.
2086            As a result, fast-malloc'd memory fills up system memory before the stale entries in SymbolRegistry are pruned.
2087
2088         So instead of using weak references, we take a relatively simple design.
2089         When we register a symbolized StringImpl* in SymbolRegistry, the StringImpl* is made aware of that.
2090         And when it is destructed, it removes its reference from SymbolRegistry, just as an atomic StringImpl does with AtomicStringTable.
2091
2092         * CMakeLists.txt:
2093         * DerivedSources.make:
2094         * runtime/SymbolConstructor.cpp:
2095         (JSC::SymbolConstructor::getOwnPropertySlot):
2096         (JSC::symbolConstructorFor):
2097         (JSC::symbolConstructorKeyFor):
2098         * runtime/SymbolConstructor.h:
2099         * runtime/VM.cpp:
2100         * runtime/VM.h:
2101         (JSC::VM::symbolRegistry):
2102         * tests/stress/symbol-registry.js: Added.
2103         (test):
2104
2105 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2106
2107         [ES6] Use specific functions for @@iterator functions
2108         https://bugs.webkit.org/show_bug.cgi?id=143838
2109
2110         Reviewed by Geoffrey Garen.
2111
2112         In ES6, some methods are defined under different names.
2113
2114         For example,
2115
2116         Map.prototype[Symbol.iterator] === Map.prototype.entries
2117         Set.prototype[Symbol.iterator] === Set.prototype.values
2118         Array.prototype[Symbol.iterator] === Array.prototype.values
2119         %Arguments%[Symbol.iterator] === Array.prototype.values
2120
2121         However, the current implementation creates a different function object per name.
2122         This patch fixes it by setting the object that is used for the other method to @@iterator.
2123         e.g. Setting Array.prototype.values function object to Array.prototype[Symbol.iterator].
2124
2125         And we drop Arguments' iterator implementation and replace the Arguments[@@iterator] implementation
2126         with Array.prototype.values to conform to the spec.
2127
2128         * CMakeLists.txt:
2129         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2130         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2131         * JavaScriptCore.xcodeproj/project.pbxproj:
2132         * inspector/JSInjectedScriptHost.cpp:
2133         (Inspector::JSInjectedScriptHost::subtype):
2134         (Inspector::JSInjectedScriptHost::getInternalProperties):
2135         (Inspector::JSInjectedScriptHost::iteratorEntries):
2136         * runtime/ArgumentsIteratorConstructor.cpp: Removed.
2137         * runtime/ArgumentsIteratorConstructor.h: Removed.
2138         * runtime/ArgumentsIteratorPrototype.cpp: Removed.
2139         * runtime/ArgumentsIteratorPrototype.h: Removed.
2140         * runtime/ArrayPrototype.cpp:
2141         (JSC::ArrayPrototype::finishCreation):
2142         * runtime/ArrayPrototype.h:
2143         * runtime/ClonedArguments.cpp:
2144         (JSC::ClonedArguments::getOwnPropertySlot):
2145         (JSC::ClonedArguments::put):
2146         (JSC::ClonedArguments::deleteProperty):
2147         (JSC::ClonedArguments::defineOwnProperty):
2148         (JSC::ClonedArguments::materializeSpecials):
2149         * runtime/ClonedArguments.h:
2150         * runtime/CommonIdentifiers.h:
2151         * runtime/DirectArguments.cpp:
2152         (JSC::DirectArguments::overrideThings):
2153         * runtime/GenericArgumentsInlines.h:
2154         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2155         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2156         (JSC::GenericArguments<Type>::put):
2157         (JSC::GenericArguments<Type>::deleteProperty):
2158         (JSC::GenericArguments<Type>::defineOwnProperty):
2159         * runtime/JSArgumentsIterator.cpp: Removed.
2160         * runtime/JSArgumentsIterator.h: Removed.
2161         * runtime/JSGlobalObject.cpp:
2162         (JSC::JSGlobalObject::init):
2163         (JSC::JSGlobalObject::visitChildren):
2164         * runtime/JSGlobalObject.h:
2165         (JSC::JSGlobalObject::arrayProtoValuesFunction):
2166         * runtime/MapPrototype.cpp:
2167         (JSC::MapPrototype::finishCreation):
2168         * runtime/ScopedArguments.cpp:
2169         (JSC::ScopedArguments::overrideThings):
2170         * runtime/SetPrototype.cpp:
2171         (JSC::SetPrototype::finishCreation):
2172         * tests/stress/arguments-iterator.js: Added.
2173         (test):
2174         (testArguments):
2175         * tests/stress/iterator-functions.js: Added.
2176         (test):
2177         (argumentsTests):
2178
2179 2015-04-14  Mark Lam  <mark.lam@apple.com>
2180
2181         Add JSC_functionOverrides=<overrides file> debugging tool.
2182         https://bugs.webkit.org/show_bug.cgi?id=143717
2183
2184         Reviewed by Geoffrey Garen.
2185
2186         This tool allows us to do runtime replacement of function bodies with alternatives
2187         for debugging purposes.  For example, this is useful when we need to debug VM bugs
2188         which manifest in scripts executing in webpages downloaded from remote servers
2189         that we don't control.  The tool allows us to augment those scripts with logging
2190         or test code to help isolate the bugs.
2191
2192         This tool works by substituting the SourceCode at FunctionExecutable creation
2193         time.  It identifies which SourceCode to substitute by comparing the source
2194         string against keys in a set of key value pairs.
2195
2196         The keys are function body strings defined by 'override' clauses in the overrides
2197         file specified in the JSC_functionOverrides option.  The values are function
2198         body strings defined by 'with' clauses in the overrides file.
2199         See comment blob at top of FunctionOverrides.cpp on the formatting
2200         of the overrides file.
2201
2202         At FunctionExecutable creation time, if the SourceCode string matches one of the
2203         'override' keys from the overrides file, the tool will replace the SourceCode with
2204         a new one based on the corresponding 'with' value string.  The FunctionExecutable
2205         will then be created with the new SourceCode instead.
2206
2207         Some design decisions:
2208         1. We opted to require that the 'with' clause appear on a separate line from the
2209            'override' clause because this makes it easier to read and write when the
2210            'override' clause's function body is single lined and long.
2211
2212         2. The user can use any sequence of characters for the delimiter (except for '{',
2213            '}' and white space characters) because this ensures that there can always be
2214            some delimiter pattern that does not appear in the function body in the clause
2215            e.g. in the body of strings in the JS code.
2216
2217            '{' and '}' are disallowed because they are used to mark the boundaries of the
2218            function body string.  White space characters are disallowed because they can
2219            be error prone (the user may not be able to tell between spaces and tabs).
2220
2221         3. The start and end delimiter must be an identical sequence of characters.
2222
2223            I had considered allowing the use of complementary characters like <>, [], and
2224            () for making delimiter pairs like:
2225                [[[[ ... ]]]]
2226                <[([( ... )])]>
2227
2228            But in the end, decided against it because:
2229            a. These sequences of complementary characters can exist in JS code.
2230               In contrast, a repeating delimiter like %%%% is unlikely to appear in JS
2231               code.
2232            b. It can be error prone for the user to have to type the exact complement
2233               character for the end delimiter in reverse order.
2234               In contrast, a repeating delimiter like %%%% is much easier to type and
2235               less error prone.  Even a sequence like @#$%^ is less error prone than
2236               a complementary sequence because it can be copy-pasted, and need not be
2237               typed in reverse order.
2238            c. It is easier to parse for the same delimiter string for both start and end.
2239
2240         4. The tool does a lot of checks for syntax errors in the overrides file because
2241            we don't want any overrides to fail silently.  If a syntax error is detected,
2242            the tool will print an error message and call exit().  This avoids the user
2243            wasting time doing debugging only to be surprised later that their specified
2244            overrides did not take effect because of some unnoticed typo.
2245
2246         * CMakeLists.txt:
2247         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2248         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2249         * JavaScriptCore.xcodeproj/project.pbxproj:
2250         * bytecode/UnlinkedCodeBlock.cpp:
2251         (JSC::UnlinkedFunctionExecutable::link):
2252         * runtime/Executable.h:
2253         * runtime/Options.h:
2254         * tools/FunctionOverrides.cpp: Added.
2255         (JSC::FunctionOverrides::overrides):
2256         (JSC::FunctionOverrides::FunctionOverrides):
2257         (JSC::initializeOverrideInfo):
2258         (JSC::FunctionOverrides::initializeOverrideFor):
2259         (JSC::hasDisallowedCharacters):
2260         (JSC::parseClause):
2261         (JSC::FunctionOverrides::parseOverridesInFile):
2262         * tools/FunctionOverrides.h: Added.
2263
2264 2015-04-16  Basile Clement  <basile_clement@apple.com>
2265  
2266         Extract the allocation profile from JSFunction into a rare object
2267         https://bugs.webkit.org/show_bug.cgi?id=143807
2268  
2269         Reviewed by Filip Pizlo.
2270  
2271         The allocation profile is only needed for those functions that are used
2272         to create objects with [new].
2273         Extracting it into its own JSCell removes the need for JSFunction and
2274         JSCallee to be JSDestructibleObjects, which should improve performance in most
2275         cases at the cost of an extra pointer dereference when the allocation profile
2276         is actually needed.
2277  
2278         * CMakeLists.txt:
2279         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2280         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2281         * JavaScriptCore.xcodeproj/project.pbxproj:
2282         * dfg/DFGOperations.cpp:
2283         * dfg/DFGSpeculativeJIT32_64.cpp:
2284         (JSC::DFG::SpeculativeJIT::compile):
2285         * dfg/DFGSpeculativeJIT64.cpp:
2286         (JSC::DFG::SpeculativeJIT::compile):
2287         * jit/JITOpcodes.cpp:
2288         (JSC::JIT::emit_op_create_this):
2289         * jit/JITOpcodes32_64.cpp:
2290         (JSC::JIT::emit_op_create_this):
2291         * llint/LowLevelInterpreter32_64.asm:
2292         * llint/LowLevelInterpreter64.asm:
2293         * runtime/CommonSlowPaths.cpp:
2294         (JSC::SLOW_PATH_DECL):
2295         * runtime/FunctionRareData.cpp: Added.
2296         (JSC::FunctionRareData::create):
2297         (JSC::FunctionRareData::destroy):
2298         (JSC::FunctionRareData::createStructure):
2299         (JSC::FunctionRareData::visitChildren):
2300         (JSC::FunctionRareData::FunctionRareData):
2301         (JSC::FunctionRareData::~FunctionRareData):
2302         (JSC::FunctionRareData::finishCreation):
2303         * runtime/FunctionRareData.h: Added.
2304         (JSC::FunctionRareData::offsetOfAllocationProfile):
2305         (JSC::FunctionRareData::allocationProfile):
2306         (JSC::FunctionRareData::allocationStructure):
2307         (JSC::FunctionRareData::allocationProfileWatchpointSet):
2308         * runtime/JSBoundFunction.cpp:
2309         (JSC::JSBoundFunction::destroy): Deleted.
2310         * runtime/JSBoundFunction.h:
2311         * runtime/JSCallee.cpp:
2312         (JSC::JSCallee::destroy): Deleted.
2313         * runtime/JSCallee.h:
2314         * runtime/JSFunction.cpp:
2315         (JSC::JSFunction::JSFunction):
2316         (JSC::JSFunction::createRareData):
2317         (JSC::JSFunction::visitChildren):
2318         (JSC::JSFunction::put):
2319         (JSC::JSFunction::defineOwnProperty):
2320         (JSC::JSFunction::destroy): Deleted.
2321         (JSC::JSFunction::createAllocationProfile): Deleted.
2322         * runtime/JSFunction.h:
2323         (JSC::JSFunction::offsetOfRareData):
2324         (JSC::JSFunction::rareData):
2325         (JSC::JSFunction::allocationStructure):
2326         (JSC::JSFunction::allocationProfileWatchpointSet):
2327         (JSC::JSFunction::offsetOfAllocationProfile): Deleted.
2328         (JSC::JSFunction::allocationProfile): Deleted.
2329         * runtime/JSFunctionInlines.h:
2330         (JSC::JSFunction::JSFunction):
2331         * runtime/VM.cpp:
2332         (JSC::VM::VM):
2333         * runtime/VM.h:
2334  
2335 2015-04-16  Csaba Osztrogonác  <ossy@webkit.org>
2336
2337         Remove the unnecessary WTF_CHANGES define
2338         https://bugs.webkit.org/show_bug.cgi?id=143825
2339
2340         Reviewed by Andreas Kling.
2341
2342         * config.h:
2343
2344 2015-04-15  Andreas Kling  <akling@apple.com>
2345
2346         Make MarkedBlock and WeakBlock 4x smaller.
2347         <https://webkit.org/b/143802>
2348
2349         Reviewed by Mark Hahnenberg.
2350
2351         To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock
2352         and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB.
2353
2354         In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size.
2355         Some examples:
2356
2357                    apple.com:  6.3MB ->  5.5MB (14.5% smaller)
2358                   reddit.com:  4.5MB ->  4.1MB ( 9.7% smaller)
2359                  twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller)
2360             cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller)
2361
2362         Benchmarks look mostly neutral.
2363         Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider.
2364
2365         * heap/MarkedBlock.h:
2366         * heap/WeakBlock.h:
2367         * llint/LLIntData.cpp:
2368         (JSC::LLInt::Data::performAssertions):
2369         * llint/LowLevelInterpreter.asm:
2370
2371 2015-04-15  Jordan Harband  <ljharb@gmail.com>
2372
2373         String.prototype.startsWith/endsWith/includes have wrong length in r182673
2374         https://bugs.webkit.org/show_bug.cgi?id=143659
2375
2376         Reviewed by Benjamin Poulain.
2377
2378         Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec
2379         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
2380         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
2381         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith
2382
2383         * runtime/StringPrototype.cpp:
2384         (JSC::StringPrototype::finishCreation):
2385
2386 2015-04-15  Mark Lam  <mark.lam@apple.com>
2387
2388         Remove obsolete VMInspector debugging tool.
2389         https://bugs.webkit.org/show_bug.cgi?id=143798
2390
2391         Reviewed by Michael Saboff.
2392
2393         I added the VMInspector tool 3 years ago to aid in VM hacking work.  Some of it
2394         has bit rotted, and now the VM also has better ways to achieve its functionality.
2395         Hence this code is now obsolete and should be removed.
2396
2397         * CMakeLists.txt:
2398         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2399         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2400         * JavaScriptCore.xcodeproj/project.pbxproj:
2401         * interpreter/CallFrame.h:
2402         * interpreter/VMInspector.cpp: Removed.
2403         * interpreter/VMInspector.h: Removed.
2404         * llint/LowLevelInterpreter.cpp:
2405
2406 2015-04-15  Jordan Harband  <ljharb@gmail.com>
2407
2408         Math.imul has wrong length in Safari 8.0.4
2409         https://bugs.webkit.org/show_bug.cgi?id=143658
2410
2411         Reviewed by Benjamin Poulain.
2412
2413         Correcting function length from 1 to 2 to match the spec
2414         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul
2415
2416         * runtime/MathObject.cpp:
2417         (JSC::MathObject::finishCreation):
2418
2419 2015-04-15  Jordan Harband  <ljharb@gmail.com>
2420
2421         Number.parseInt in nightly r182673 has wrong length
2422         https://bugs.webkit.org/show_bug.cgi?id=143657
2423
2424         Reviewed by Benjamin Poulain.
2425
2426         Correcting function length from 1 to 2 to match the spec
2427         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
2428
2429         * runtime/NumberConstructor.cpp:
2430         (JSC::NumberConstructor::finishCreation):
2431
2432 2015-04-15  Filip Pizlo  <fpizlo@apple.com>
2433
2434         Harden DFGForAllKills
2435         https://bugs.webkit.org/show_bug.cgi?id=143792
2436
2437         Reviewed by Geoffrey Garen.
2438         
2439         Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent
2440         bugs in https://bugs.webkit.org/show_bug.cgi?id=143734.
2441         
2442         Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because
2443         that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong:
2444         
2445         - It looks for kill sites at forExit origin boundaries. But, something might have been killed
2446           by an operation that was logically in between the forExit origins at the boundary, but was
2447           removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction
2448           gaps.
2449         
2450         - It overlooked the fact that a MovHint that addresses a local that is always live kills that
2451           local. For example, storing to an argument means that the prior value of the argument is
2452           killed.
2453         
2454         This fixes the analysis by making it handle MovHints directly, and making it define kills in
2455         the most conservative way possible: it asks if you were live before but dead after. If we
2456         have the compile time budget to afford this more direct approach, then it's definitely a good
2457         idea since it's so fool-proof.
2458
2459         * dfg/DFGArgumentsEliminationPhase.cpp:
2460         * dfg/DFGForAllKills.h:
2461         (JSC::DFG::forAllKilledOperands):
2462         (JSC::DFG::forAllKilledNodesAtNodeIndex):
2463         (JSC::DFG::forAllDirectlyKilledOperands): Deleted.
2464
2465 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
2466
2467         Provide SPI to allow changing whether JSContexts are remote debuggable by default
2468         https://bugs.webkit.org/show_bug.cgi?id=143681
2469
2470         Reviewed by Darin Adler.
2471
2472         * API/JSRemoteInspector.h:
2473         * API/JSRemoteInspector.cpp:
2474         (JSRemoteInspectorGetInspectionEnabledByDefault):
2475         (JSRemoteInspectorSetInspectionEnabledByDefault):
2476         Provide SPI to toggle the default enabled inspection state of debuggables.
2477
2478         * API/JSContextRef.cpp:
2479         (JSGlobalContextCreateInGroup):
2480         Respect the default setting.
2481
2482 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
2483
2484         JavaScriptCore: Use kCFAllocatorDefault where possible
2485         https://bugs.webkit.org/show_bug.cgi?id=143747
2486
2487         Reviewed by Darin Adler.
2488
2489         * heap/HeapTimer.cpp:
2490         (JSC::HeapTimer::HeapTimer):
2491         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2492         (Inspector::RemoteInspectorInitializeGlobalQueue):
2493         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
2494         For consistency and readability use the constant instead of
2495         different representations of null.
2496
2497 2015-04-14  Michael Saboff  <msaboff@apple.com>
2498
2499         Remove JavaScriptCoreUseJIT default from JavaScriptCore
2500         https://bugs.webkit.org/show_bug.cgi?id=143746
2501
2502         Reviewed by Mark Lam.
2503
2504         * runtime/VM.cpp:
2505         (JSC::enableAssembler):
2506
2507 2015-04-14  Chris Dumez  <cdumez@apple.com>
2508
2509         Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
2510         https://bugs.webkit.org/show_bug.cgi?id=143745
2511         <rdar://problem/20243916>
2512
2513         Reviewed by Joseph Pecoraro.
2514
2515         Add assertion in ContentSearchUtilities::findMagicComment() to make
2516         sure the content String is not null or we would crash in
2517         JSC::Yarr::interpret() later.
2518
2519         * inspector/ContentSearchUtilities.cpp:
2520         (Inspector::ContentSearchUtilities::findMagicComment):
2521
2522 2015-04-14  Michael Saboff  <msaboff@apple.com>
2523
2524         DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
2525         https://bugs.webkit.org/show_bug.cgi?id=143727
2526
2527         Reviewed by Geoffrey Garen.
2528
2529         Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible
2530         with the requested fill format.  If filter() reports a contradiction, then we force an OSR exit.
2531         Removed individual checks made redundant by the new check.
2532
2533         * dfg/DFGSpeculativeJIT32_64.cpp:
2534         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2535         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2536         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2537         * dfg/DFGSpeculativeJIT64.cpp:
2538         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2539         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2540         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2541         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2542
2543 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
2544
2545         Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI
2546         https://bugs.webkit.org/show_bug.cgi?id=143691
2547
2548         Reviewed by Geoffrey Garen.
2549
2550         * API/JSRemoteInspector.h:
2551         * API/JSRemoteInspector.cpp:
2552         (JSRemoteInspectorSetLogToSystemConsole):
2553         Add SPI to enable/disable logging to the system console.
2554         This only affects JSContext `console` logs and warnings.
2555
2556         * inspector/JSGlobalObjectConsoleClient.h:
2557         * inspector/JSGlobalObjectConsoleClient.cpp:
2558         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
2559         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
2560         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
2561         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted.
2562         Simplify access to the setting now that it doesn't need to
2563         initialize its value from preferences.
2564
2565 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
2566
2567         Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch
2568         https://bugs.webkit.org/show_bug.cgi?id=143682
2569
2570         Reviewed by Timothy Hatcher.
2571
2572         * inspector/remote/RemoteInspector.mm:
2573         (Inspector::RemoteInspector::singleton):
2574         If we are on the main thread, run the initialization immediately.
2575         Otherwise dispatch to the main thread. This way if the first JSContext
2576         was created on the main thread it can get auto-attached if applicable.
2577
2578 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
2579
2580         Unreviewed build fix for Mavericks.
2581
2582         Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR
2583         so the Inspector namespace is not available when compiling this file.
2584
2585         * API/JSRemoteInspector.cpp:
2586
2587 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
2588
2589         Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit
2590         https://bugs.webkit.org/show_bug.cgi?id=143729
2591
2592         Reviewed by Timothy Hatcher.
2593
2594         * API/JSRemoteInspector.h: Added.
2595         * API/JSRemoteInspector.cpp: Added.
2596         (JSRemoteInspectorDisableAutoStart):
2597         (JSRemoteInspectorStart):
2598         (JSRemoteInspectorSetParentProcessInformation):
2599         Add the new SPIs for basic remote inspection behavior.
2600
2601         * JavaScriptCore.xcodeproj/project.pbxproj:
2602         Add the new files to Mac only, since remote inspection is only
2603         enabled there anyways.
2604
2605 2015-04-14  Mark Lam  <mark.lam@apple.com>
2606
2607         Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist.
2608         https://bugs.webkit.org/show_bug.cgi?id=143722
2609
2610         Reviewed by Michael Saboff.
2611
2612         Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is
2613         shorter, and easier to remember (without having to look it up) and to
2614         type.  JSC options now support descriptions, and one can always look up
2615         the description if the option's purpose is not already obvious.
2616
2617         * dfg/DFGFunctionWhitelist.cpp:
2618         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
2619         (JSC::DFG::FunctionWhitelist::contains):
2620         * runtime/Options.h:
2621
2622 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
2623
2624         Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED.
2625
2626         * runtime/InferredValue.h:
2627
2628 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
2629
2630         Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.
2631
2632         * runtime/InferredValue.h:
2633
2634 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
2635
2636         JSC should detect singleton functions
2637         https://bugs.webkit.org/show_bug.cgi?id=143232
2638
2639         Reviewed by Geoffrey Garen.
2640         
2641         This started out as an attempt to make constructors faster by detecting when a constructor is a
2642         singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
2643         along with an inferred value - that detects if only one JSFunction has been allocated for that
2644         executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
2645         if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
2646         we can constant-fold GetCallee.
2647         
2648         Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
2649         process I realized a bunch of things:
2650         
2651         - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
2652           had even in code where our singleton-closure detection worked. That's because singleton-closure
2653           inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
2654           the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
2655           disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
2656           values.
2657           
2658         - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
2659           created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
2660           FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.
2661         
2662         - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
2663           detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
2664           about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
2665           SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
2666           First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
2667           scope. This saves compile times and it allows prediction propagation to benefit from the
2668           constant folding. Second, it means that we will detect a singleton scope even if it is
2669           referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
2670           allows us to eliminate the function reentry watchpoint.
2671         
2672         - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
2673           constant values in scopes. Previously when the DFG inferred that a closure variable was
2674           constant, it wouldn't know which closure that variable was in and so it couldn't just load that
2675           value. But now we are first inferring that the function is a singleton, which means that we
2676           know exactly what scope it points to, and we can load the value from the scope. Using a
2677           WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
2678           code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
2679           I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
2680           FunctionExecutable wants.
2681         
2682         This also has the effect of simplifying the implementation of block scoping. Prior to this
2683         change, block scoping would have needed to have some story for the function reentry watchpoint on
2684         any nested symbol table. That's totally weird to think about; it's not really a function reentry
2685         but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
2686         will "just work": if we prove that we know the constant value of the scope then the machinery
2687         kicks in, otherwise it doesn't.
2688         
2689         This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.
2690
2691         * CMakeLists.txt:
2692         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2693         * JavaScriptCore.xcodeproj/project.pbxproj:
2694         * bytecode/BytecodeList.json:
2695         * bytecode/BytecodeUseDef.h:
2696         (JSC::computeUsesForBytecodeOffset):
2697         (JSC::computeDefsForBytecodeOffset):
2698         * bytecode/CodeBlock.cpp:
2699         (JSC::CodeBlock::dumpBytecode):
2700         (JSC::CodeBlock::CodeBlock):
2701         (JSC::CodeBlock::finalizeUnconditionally):
2702         (JSC::CodeBlock::valueProfileForBytecodeOffset):
2703         * bytecode/CodeBlock.h:
2704         (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
2705         * bytecode/CodeOrigin.cpp:
2706         (JSC::InlineCallFrame::calleeConstant):
2707         (JSC::InlineCallFrame::visitAggregate):
2708         * bytecode/CodeOrigin.h:
2709         (JSC::InlineCallFrame::calleeConstant): Deleted.
2710         (JSC::InlineCallFrame::visitAggregate): Deleted.
2711         * bytecode/Instruction.h:
2712         * bytecode/VariableWatchpointSet.cpp: Removed.
2713         * bytecode/VariableWatchpointSet.h: Removed.
2714         * bytecode/VariableWatchpointSetInlines.h: Removed.
2715         * bytecode/VariableWriteFireDetail.cpp: Added.
2716         (JSC::VariableWriteFireDetail::dump):
2717         (JSC::VariableWriteFireDetail::touch):
2718         * bytecode/VariableWriteFireDetail.h: Added.
2719         (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
2720         * bytecode/Watchpoint.h:
2721         (JSC::WatchpointSet::stateOnJSThread):
2722         (JSC::WatchpointSet::startWatching):
2723         (JSC::WatchpointSet::fireAll):
2724         (JSC::WatchpointSet::touch):
2725         (JSC::WatchpointSet::invalidate):
2726         (JSC::InlineWatchpointSet::stateOnJSThread):
2727         (JSC::InlineWatchpointSet::state):
2728         (JSC::InlineWatchpointSet::hasBeenInvalidated):
2729         (JSC::InlineWatchpointSet::invalidate):
2730         (JSC::InlineWatchpointSet::touch):
2731         * bytecompiler/BytecodeGenerator.cpp:
2732         (JSC::BytecodeGenerator::BytecodeGenerator):
2733         * dfg/DFGAbstractInterpreterInlines.h:
2734         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2735         * dfg/DFGByteCodeParser.cpp:
2736         (JSC::DFG::ByteCodeParser::get):
2737         (JSC::DFG::ByteCodeParser::parseBlock):
2738         (JSC::DFG::ByteCodeParser::getScope): Deleted.
2739         * dfg/DFGCapabilities.cpp:
2740         (JSC::DFG::capabilityLevel):
2741         * dfg/DFGClobberize.h:
2742         (JSC::DFG::clobberize):
2743         * dfg/DFGDesiredWatchpoints.cpp:
2744         (JSC::DFG::InferredValueAdaptor::add):
2745         (JSC::DFG::DesiredWatchpoints::addLazily):
2746         (JSC::DFG::DesiredWatchpoints::reallyAdd):
2747         (JSC::DFG::DesiredWatchpoints::areStillValid):
2748         * dfg/DFGDesiredWatchpoints.h:
2749         (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
2750         (JSC::DFG::DesiredWatchpoints::isWatched):
2751         * dfg/DFGGraph.cpp:
2752         (JSC::DFG::Graph::dump):
2753         (JSC::DFG::Graph::tryGetConstantClosureVar):
2754         * dfg/DFGNode.h:
2755         (JSC::DFG::Node::hasWatchpointSet):
2756         (JSC::DFG::Node::watchpointSet):
2757         (JSC::DFG::Node::hasVariableWatchpointSet): Deleted.
2758         (JSC::DFG::Node::variableWatchpointSet): Deleted.
2759         * dfg/DFGOperations.cpp:
2760         * dfg/DFGOperations.h:
2761         * dfg/DFGSpeculativeJIT.cpp:
2762         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2763         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
2764         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
2765         * dfg/DFGSpeculativeJIT.h:
2766         (JSC::DFG::SpeculativeJIT::callOperation):
2767         * dfg/DFGSpeculativeJIT32_64.cpp:
2768         (JSC::DFG::SpeculativeJIT::compile):
2769         * dfg/DFGSpeculativeJIT64.cpp:
2770         (JSC::DFG::SpeculativeJIT::compile):
2771         * dfg/DFGVarargsForwardingPhase.cpp:
2772         * ftl/FTLIntrinsicRepository.h:
2773         * ftl/FTLLowerDFGToLLVM.cpp:
2774         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
2775         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
2776         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
2777         * interpreter/Interpreter.cpp:
2778         (JSC::StackFrame::friendlySourceURL):
2779         (JSC::StackFrame::friendlyFunctionName):
2780         * interpreter/Interpreter.h:
2781         (JSC::StackFrame::friendlySourceURL): Deleted.
2782         (JSC::StackFrame::friendlyFunctionName): Deleted.
2783         * jit/JIT.cpp:
2784         (JSC::JIT::emitNotifyWrite):
2785         (JSC::JIT::privateCompileMainPass):
2786         * jit/JIT.h:
2787         * jit/JITOpcodes.cpp:
2788         (JSC::JIT::emit_op_touch_entry): Deleted.
2789         * jit/JITOperations.cpp:
2790         * jit/JITOperations.h:
2791         * jit/JITPropertyAccess.cpp:
2792         (JSC::JIT::emitPutGlobalVar):
2793         (JSC::JIT::emitPutClosureVar):
2794         (JSC::JIT::emitNotifyWrite): Deleted.
2795         * jit/JITPropertyAccess32_64.cpp:
2796         (JSC::JIT::emitPutGlobalVar):
2797         (JSC::JIT::emitPutClosureVar):
2798         (JSC::JIT::emitNotifyWrite): Deleted.
2799         * llint/LLIntSlowPaths.cpp:
2800         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2801         * llint/LowLevelInterpreter.asm:
2802         * llint/LowLevelInterpreter32_64.asm:
2803         * llint/LowLevelInterpreter64.asm:
2804         * runtime/CommonSlowPaths.cpp:
2805         (JSC::SLOW_PATH_DECL): Deleted.
2806         * runtime/CommonSlowPaths.h:
2807         * runtime/Executable.cpp:
2808         (JSC::FunctionExecutable::finishCreation):
2809         (JSC::FunctionExecutable::visitChildren):
2810         * runtime/Executable.h:
2811         (JSC::FunctionExecutable::singletonFunction):
2812         * runtime/InferredValue.cpp: Added.
2813         (JSC::InferredValue::create):
2814         (JSC::InferredValue::destroy):
2815         (JSC::InferredValue::createStructure):
2816         (JSC::InferredValue::visitChildren):
2817         (JSC::InferredValue::InferredValue):
2818         (JSC::InferredValue::~InferredValue):
2819         (JSC::InferredValue::notifyWriteSlow):
2820         (JSC::InferredValue::ValueCleanup::ValueCleanup):
2821         (JSC::InferredValue::ValueCleanup::~ValueCleanup):
2822         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
2823         * runtime/InferredValue.h: Added.
2824         (JSC::InferredValue::inferredValue):
2825         (JSC::InferredValue::state):
2826         (JSC::InferredValue::isStillValid):
2827         (JSC::InferredValue::hasBeenInvalidated):
2828         (JSC::InferredValue::add):
2829         (JSC::InferredValue::notifyWrite):
2830         (JSC::InferredValue::invalidate):
2831         * runtime/JSEnvironmentRecord.cpp:
2832         (JSC::JSEnvironmentRecord::visitChildren):
2833         * runtime/JSEnvironmentRecord.h:
2834         (JSC::JSEnvironmentRecord::isValid):
2835         (JSC::JSEnvironmentRecord::finishCreation):
2836         * runtime/JSFunction.cpp:
2837         (JSC::JSFunction::create):
2838         * runtime/JSFunction.h:
2839         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2840         (JSC::JSFunction::createImpl):
2841         (JSC::JSFunction::create): Deleted.
2842         * runtime/JSGlobalObject.cpp:
2843         (JSC::JSGlobalObject::addGlobalVar):
2844         (JSC::JSGlobalObject::addFunction):
2845         * runtime/JSGlobalObject.h:
2846         * runtime/JSLexicalEnvironment.cpp:
2847         (JSC::JSLexicalEnvironment::symbolTablePut):
2848         * runtime/JSScope.h:
2849         (JSC::ResolveOp::ResolveOp):
2850         * runtime/JSSegmentedVariableObject.h:
2851         (JSC::JSSegmentedVariableObject::finishCreation):
2852         * runtime/JSSymbolTableObject.h:
2853         (JSC::JSSymbolTableObject::JSSymbolTableObject):
2854         (JSC::JSSymbolTableObject::setSymbolTable):
2855         (JSC::symbolTablePut):
2856         (JSC::symbolTablePutWithAttributes):
2857         * runtime/PutPropertySlot.h:
2858         * runtime/SymbolTable.cpp:
2859         (JSC::SymbolTableEntry::prepareToWatch):
2860         (JSC::SymbolTable::SymbolTable):
2861         (JSC::SymbolTable::finishCreation):
2862         (JSC::SymbolTable::visitChildren):
2863         (JSC::SymbolTableEntry::inferredValue): Deleted.
2864         (JSC::SymbolTableEntry::notifyWriteSlow): Deleted.
2865         (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted.
2866         (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted.
2867         (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted.
2868         * runtime/SymbolTable.h:
2869         (JSC::SymbolTableEntry::disableWatching):
2870         (JSC::SymbolTableEntry::watchpointSet):
2871         (JSC::SymbolTable::singletonScope):
2872         (JSC::SymbolTableEntry::notifyWrite): Deleted.
2873         * runtime/TypeProfiler.cpp:
2874         * runtime/VM.cpp:
2875         (JSC::VM::VM):
2876         * runtime/VM.h:
2877         * tests/stress/infer-uninitialized-closure-var.js: Added.
2878         (foo.f):
2879         (foo):
2880         * tests/stress/singleton-scope-then-overwrite.js: Added.
2881         (foo.f):
2882         (foo):
2883         * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added.
2884         (foo):
2885         * tests/stress/singleton-scope-then-realloc.js: Added.
2886         (foo):
2887
2888 2015-04-13  Andreas Kling  <akling@apple.com>
2889
2890         Don't segregate heap objects based on Structure immortality.
2891         <https://webkit.org/b/143638>
2892
2893         Reviewed by Darin Adler.
2894
2895         Put all objects that need a destructor call into the same MarkedBlock.
2896         This reduces memory consumption in many situations, while improving locality,
2897         since much more of the MarkedBlock space can be shared.
2898
2899         Instead of branching on the MarkedBlock type, we now check a bit in the
2900         JSCell's inline type flags (StructureIsImmortal) to see whether it's safe
2901         to access the cell's Structure during destruction or not.
2902
2903         Performance benchmarks look mostly neutral. Maybe a small regression on
2904         SunSpider's date objects.
2905
2906         On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along
2907         with a bunch of WeakBlocks that were hanging off of them. That's on the higher
2908         end of savings we can get from this, but still a very real improvement.
2909
2910         Most of this patch is removing the "hasImmortalStructure" constant from JSCell
2911         derived classes and passing that responsibility to the StructureIsImmortal flag.
2912         StructureFlags is made public so that it's accessible from non-member functions.
2913         I made sure to declare it everywhere and make classes final to try to make it
2914         explicit what each class is doing to its inherited flags.
2915
2916         * API/JSCallbackConstructor.h:
2917         * API/JSCallbackObject.h:
2918         * bytecode/UnlinkedCodeBlock.h:
2919         * debugger/DebuggerScope.h:
2920         * dfg/DFGSpeculativeJIT.cpp:
2921         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2922         * ftl/FTLLowerDFGToLLVM.cpp:
2923         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
2924         * heap/Heap.h:
2925         (JSC::Heap::subspaceForObjectDestructor):
2926         (JSC::Heap::allocatorForObjectWithDestructor):
2927         (JSC::Heap::subspaceForObjectNormalDestructor): Deleted.
2928         (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted.
2929         (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted.
2930         (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted.
2931         * heap/HeapInlines.h:
2932         (JSC::Heap::allocateWithDestructor):
2933         (JSC::Heap::allocateObjectOfType):
2934         (JSC::Heap::subspaceForObjectOfType):
2935         (JSC::Heap::allocatorForObjectOfType):
2936         (JSC::Heap::allocateWithNormalDestructor): Deleted.
2937         (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted.
2938         * heap/MarkedAllocator.cpp:
2939         (JSC::MarkedAllocator::allocateBlock):
2940         * heap/MarkedAllocator.h:
2941         (JSC::MarkedAllocator::needsDestruction):
2942         (JSC::MarkedAllocator::MarkedAllocator):
2943         (JSC::MarkedAllocator::init):
2944         (JSC::MarkedAllocator::destructorType): Deleted.
2945         * heap/MarkedBlock.cpp:
2946         (JSC::MarkedBlock::create):
2947         (JSC::MarkedBlock::MarkedBlock):
2948         (JSC::MarkedBlock::callDestructor):
2949         (JSC::MarkedBlock::specializedSweep):
2950         (JSC::MarkedBlock::sweep):
2951         (JSC::MarkedBlock::sweepHelper):
2952         * heap/MarkedBlock.h:
2953         (JSC::MarkedBlock::needsDestruction):
2954         (JSC::MarkedBlock::destructorType): Deleted.
2955         * heap/MarkedSpace.cpp:
2956         (JSC::MarkedSpace::MarkedSpace):
2957         (JSC::MarkedSpace::resetAllocators):
2958         (JSC::MarkedSpace::forEachAllocator):
2959         (JSC::MarkedSpace::isPagedOut):
2960         (JSC::MarkedSpace::clearNewlyAllocated):
2961         * heap/MarkedSpace.h:
2962         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
2963         (JSC::MarkedSpace::destructorAllocatorFor):
2964         (JSC::MarkedSpace::allocateWithDestructor):
2965         (JSC::MarkedSpace::forEachBlock):
2966         (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted.
2967         (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted.
2968         (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted.
2969         (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted.
2970         (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted.
2971         (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted.
2972         * inspector/JSInjectedScriptHost.h:
2973         * inspector/JSInjectedScriptHostPrototype.h:
2974         * inspector/JSJavaScriptCallFrame.h:
2975         * inspector/JSJavaScriptCallFramePrototype.h:
2976         * jsc.cpp:
2977         * runtime/ArrayBufferNeuteringWatchpoint.h:
2978         * runtime/ArrayConstructor.h:
2979         * runtime/ArrayIteratorPrototype.h:
2980         * runtime/BooleanPrototype.h:
2981         * runtime/ClonedArguments.h:
2982         * runtime/CustomGetterSetter.h:
2983         * runtime/DateConstructor.h:
2984         * runtime/DatePrototype.h:
2985         * runtime/ErrorPrototype.h:
2986         * runtime/ExceptionHelpers.h:
2987         * runtime/Executable.h:
2988         * runtime/GenericArguments.h:
2989         * runtime/GetterSetter.h:
2990         * runtime/InternalFunction.h:
2991         * runtime/JSAPIValueWrapper.h:
2992         * runtime/JSArgumentsIterator.h:
2993         * runtime/JSArray.h:
2994         * runtime/JSArrayBuffer.h:
2995         * runtime/JSArrayBufferView.h:
2996         * runtime/JSBoundFunction.h:
2997         * runtime/JSCallee.h:
2998         * runtime/JSCell.h:
2999         * runtime/JSCellInlines.h:
3000         (JSC::JSCell::classInfo):
3001         * runtime/JSDataViewPrototype.h:
3002         * runtime/JSEnvironmentRecord.h:
3003         * runtime/JSFunction.h:
3004         * runtime/JSGenericTypedArrayView.h:
3005         * runtime/JSGlobalObject.h:
3006         * runtime/JSLexicalEnvironment.h:
3007         * runtime/JSNameScope.h:
3008         * runtime/JSNotAnObject.h:
3009         * runtime/JSONObject.h:
3010         * runtime/JSObject.h:
3011         (JSC::JSFinalObject::JSFinalObject):
3012         * runtime/JSPromiseConstructor.h:
3013         * runtime/JSPromiseDeferred.h:
3014         * runtime/JSPromisePrototype.h:
3015         * runtime/JSPromiseReaction.h:
3016         * runtime/JSPropertyNameEnumerator.h:
3017         * runtime/JSProxy.h:
3018         * runtime/JSScope.h:
3019         * runtime/JSString.h:
3020         * runtime/JSSymbolTableObject.h:
3021         * runtime/JSTypeInfo.h:
3022         (JSC::TypeInfo::structureIsImmortal):
3023         * runtime/MathObject.h:
3024         * runtime/NumberConstructor.h:
3025         * runtime/NumberPrototype.h:
3026         * runtime/ObjectConstructor.h:
3027         * runtime/PropertyMapHashTable.h:
3028         * runtime/RegExp.h:
3029         * runtime/RegExpConstructor.h:
3030         * runtime/RegExpObject.h:
3031         * runtime/RegExpPrototype.h:
3032         * runtime/ScopedArgumentsTable.h:
3033         * runtime/SparseArrayValueMap.h:
3034         * runtime/StrictEvalActivation.h:
3035         * runtime/StringConstructor.h:
3036         * runtime/StringIteratorPrototype.h:
3037         * runtime/StringObject.h:
3038         * runtime/StringPrototype.h:
3039         * runtime/Structure.cpp:
3040         (JSC::Structure::Structure):
3041         * runtime/Structure.h:
3042         * runtime/StructureChain.h:
3043         * runtime/StructureRareData.h:
3044         * runtime/Symbol.h:
3045         * runtime/SymbolPrototype.h:
3046         * runtime/SymbolTable.h:
3047         * runtime/WeakMapData.h:
3048
3049 2015-04-13  Mark Lam  <mark.lam@apple.com>
3050
3051         DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit.
3052         https://bugs.webkit.org/show_bug.cgi?id=143407
3053
3054         Reviewed by Filip Pizlo.
3055
3056         DFG inlining of a varargs call / construct needs to keep the local
3057         containing the callee alive with a Phantom node because the LoadVarargs
3058         node may OSR exit.  After the OSR exit, the baseline JIT executes the
3059         op_call_varargs with that callee in the local.
3060
3061         Previously, because that callee local was not explicitly kept alive,
3062         the op_call_varargs case can OSR exit a DFG function and leave an
3063         undefined value in that local.  As a result, the baseline observes the
3064         side effect of an op_call_varargs on an undefined value instead of the
3065         function it expected.
3066
3067         Note: this issue does not manifest with op_construct_varargs because
3068         the inlined constructor will have an op_create_this which operates on
3069         the incoming callee value, thereby keeping it alive.
3070
3071         * dfg/DFGByteCodeParser.cpp:
3072         (JSC::DFG::ByteCodeParser::handleInlining):
3073         * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added.
3074         (foo):
3075         (Foo):
3076         (doTest):
3077
3078 2015-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3079
3080         [ES6] Implement Array.prototype.values
3081         https://bugs.webkit.org/show_bug.cgi?id=143633
3082
3083         Reviewed by Darin Adler.
3084
3085         Symbol.unscopables is implemented, so we can implement Array.prototype.values
3086         without largely breaking the web. The following script passes.
3087
3088         var array = [];
3089         var values = 42;
3090         with (array) {
3091             assert(values, 42);
3092         }
3093
3094         * runtime/ArrayPrototype.cpp:
3095         * tests/stress/array-iterators-next.js:
3096         * tests/stress/map-iterators-next.js:
3097         * tests/stress/set-iterators-next.js:
3098         * tests/stress/values-unscopables.js: Added.
3099         (test):
3100
3101 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3102
3103         Run flaky conservative GC related test first before polluting stack and registers
3104         https://bugs.webkit.org/show_bug.cgi?id=143634
3105
3106         Reviewed by Ryosuke Niwa.
3107
3108         After r182653, JSC API tests fail. However, it's not related to the change.
3109         After investigating the cause of this failure, I've found that the failed test is flaky
3110         because JSC's GC is conservative. If previously allocated JSGlobalObject is accidentally alive
3111         due to conservative roots in C stack and registers, this test fails.
3112
3113         Since GC marks C stack and registers as roots conservatively,
3114         objects not referenced logically can be accidentally marked and kept alive.
3115         To avoid this situation as much as we can,
3116         1. run this test first before stack is polluted,
3117         2. extract this test as a function to suppress stack height.
3118
3119         * API/tests/testapi.mm:
3120         (testWeakValue):
3121         (testObjectiveCAPIMain):
3122         (testObjectiveCAPI):
3123
3124 2015-04-11  Matt Baker  <mattbaker@apple.com>
3125
3126         Web Inspector: create content view and details sidebar for Frames timeline
3127         https://bugs.webkit.org/show_bug.cgi?id=143533
3128
3129         Reviewed by Timothy Hatcher.
3130
3131         Refactoring: RunLoop prefix changed to RenderingFrame.
3132
3133         * inspector/protocol/Timeline.json:
3134
3135 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3136
3137         [ES6] Enable Symbol in web pages
3138         https://bugs.webkit.org/show_bug.cgi?id=143375
3139
3140         Reviewed by Ryosuke Niwa.
3141
3142         Expose Symbol to web pages.
3143         Symbol was exposed, but it was hidden since it breaks Facebook comments.
3144         This is because, at that time, Symbol was implemented,
3145         but the methods for Symbol.iterator and Object.getOwnPropertySymbols were not implemented yet,
3146         which broke React.js and immutable.js.
3147
3148         Now the methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented,
3149         and we have made sure that the Facebook comment input functionality is not broken with Symbol exposed.
3150
3151         So this patch replaces the runtime flag SymbolEnabled with SymbolDisabled
3152         and enables symbols by default.
3153
3154         * runtime/ArrayPrototype.cpp:
3155         (JSC::ArrayPrototype::finishCreation):
3156         * runtime/CommonIdentifiers.h:
3157         * runtime/JSGlobalObject.cpp:
3158         (JSC::JSGlobalObject::init):
3159         * runtime/ObjectConstructor.cpp:
3160         (JSC::ObjectConstructor::finishCreation):
3161         * runtime/RuntimeFlags.h:
3162
3163 2015-04-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3164
3165         ES6: Iterator toString names should be consistent
3166         https://bugs.webkit.org/show_bug.cgi?id=142424
3167
3168         Reviewed by Geoffrey Garen.
3169
3170         Iterator Object Names in the spec right now have spaces.
3171         In our implementation some do and some don't.
3172         This patch aligns JSC to the spec.
3173
3174         * runtime/JSArrayIterator.cpp:
3175         * runtime/JSStringIterator.cpp:
3176         * tests/stress/iterator-names.js: Added.
3177         (test):
3178         (iter):
3179         (check):
3180
3181 2015-04-10  Michael Saboff  <msaboff@apple.com>
3182
3183         REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
3184         https://bugs.webkit.org/show_bug.cgi?id=143582
3185
3186         Reviewed by Mark Lam.
3187
3188         For 32 bit builds, we favor spilling unboxed values.  The ASSERT at the root of this bug doesn't
3189         fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
3190         For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
3191         The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
3192         if the spillFormat is DataFormatCell.  Had we spilled in DataFormatJS and the value was a JSCell*,
3193         we would still OSR exit after the speculation check.
3194
3195         * dfg/DFGFixupPhase.cpp:
3196         (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
3197         * dfg/DFGSpeculativeJIT32_64.cpp:
3198         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3199
3200 2015-04-10  Milan Crha  <mcrha@redhat.com>
3201
3202         Disable Linux-specific code in a Windows build
3203         https://bugs.webkit.org/show_bug.cgi?id=137973
3204
3205         Reviewed by Joseph Pecoraro.
3206
3207         * inspector/JSGlobalObjectInspectorController.cpp:
3208         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3209
3210 2015-04-10  Csaba Osztrogonác  <ossy@webkit.org>
3211
3212         [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516
3213         https://bugs.webkit.org/show_bug.cgi?id=143368
3214
3215         Reviewed by Michael Saboff.
3216
3217         * jit/RegisterSet.cpp:
3218         (JSC::RegisterSet::calleeSaveRegisters):
3219
3220 2015-04-08  Joseph Pecoraro  <pecoraro@apple.com>
3221
3222         Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters
3223         https://bugs.webkit.org/show_bug.cgi?id=143430
3224
3225         Reviewed by Darin Adler.
3226
3227         * runtime/ExceptionHelpers.cpp:
3228         (JSC::errorDescriptionForValue):
3229         * runtime/NumberPrototype.cpp:
3230         (JSC::numberProtoFuncToExponential):
3231         (JSC::numberProtoFuncToPrecision):
3232         (JSC::numberProtoFuncToString):
3233         * runtime/SymbolPrototype.cpp:
3234         (JSC::symbolProtoFuncToString):
3235
3236 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
3237
3238         JSArray::sortNumeric should handle ArrayWithUndecided
3239         https://bugs.webkit.org/show_bug.cgi?id=143535
3240
3241         Reviewed by Geoffrey Garen.
3242         
3243         ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.
3244
3245         * runtime/JSArray.cpp:
3246         (JSC::JSArray::sortNumeric):
3247         * tests/stress/sort-array-with-undecided.js: Added.
3248
3249 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
3250
3251         DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
3252         https://bugs.webkit.org/show_bug.cgi?id=143532
3253
3254         Reviewed by Gavin Barraclough.
3255         
3256         Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
3257         But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
3258         would think that there never was wrap-around.
3259         
3260         This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.
3261
3262         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3263         (JSC::DFG::IntegerCheckCombiningPhase::isValid):
3264
3265 2015-04-07  Michael Saboff  <msaboff@apple.com>
3266
3267         Lazily initialize LogToSystemConsole flag to reduce memory usage
3268         https://bugs.webkit.org/show_bug.cgi?id=143506
3269
3270         Reviewed by Mark Lam.
3271
3272         Only call into CF preferences code when we need to in order to reduce memory usage.
3273
3274         * inspector/JSGlobalObjectConsoleClient.cpp:
3275         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
3276         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
3277         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
3278         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
3279
3280 2015-04-07  Benjamin Poulain  <benjamin@webkit.org>
3281
3282         Get the features.json files ready for open contributions
3283         https://bugs.webkit.org/show_bug.cgi?id=143436
3284
3285         Reviewed by Darin Adler.
3286
3287         * features.json:
3288
3289 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
3290
3291         Constant folding of typed array properties should be handled by AI rather than strength reduction
3292         https://bugs.webkit.org/show_bug.cgi?id=143496
3293
3294         Reviewed by Geoffrey Garen.
3295         
3296         Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
3297         phase and whatever other phase did the folding in order to find all constants.
3298         
3299         This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
3300         directly.
3301         
3302         This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
3303         found because all of the tests for it involved the property getting constant folded. I found that
3304         the codegen was bad because an earlier version of the patch broke that constant folding. This
3305         adds a new test for that node type, which makes constant folding impossible by allocating a new
3306         typed array every time. The lesson here is: if you write a test for something, run the test with
3307         full IR dumps to make sure it's actually testing the thing you want it to test.
3308
3309         * dfg/DFGAbstractInterpreterInlines.h:
3310         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3311         * dfg/DFGClobberize.h:
3312         (JSC::DFG::clobberize):
3313         * dfg/DFGConstantFoldingPhase.cpp:
3314         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3315         * dfg/DFGDoesGC.cpp:
3316         (JSC::DFG::doesGC):
3317         * dfg/DFGFixupPhase.cpp:
3318         (JSC::DFG::FixupPhase::fixupNode):
3319         * dfg/DFGGraph.cpp:
3320         (JSC::DFG::Graph::dump):
3321         (JSC::DFG::Graph::tryGetFoldableView):
3322         (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
3323         * dfg/DFGGraph.h:
3324         * dfg/DFGNode.h:
3325         (JSC::DFG::Node::hasTypedArray): Deleted.
3326         (JSC::DFG::Node::typedArray): Deleted.
3327         * dfg/DFGNodeType.h:
3328         * dfg/DFGPredictionPropagationPhase.cpp:
3329         (JSC::DFG::PredictionPropagationPhase::propagate):
3330         * dfg/DFGSafeToExecute.h:
3331         (JSC::DFG::safeToExecute):
3332         * dfg/DFGSpeculativeJIT.cpp:
3333         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
3334         * dfg/DFGSpeculativeJIT32_64.cpp:
3335         (JSC::DFG::SpeculativeJIT::compile):
3336         * dfg/DFGSpeculativeJIT64.cpp:
3337         (JSC::DFG::SpeculativeJIT::compile):
3338         * dfg/DFGStrengthReductionPhase.cpp:
3339         (JSC::DFG::StrengthReductionPhase::handleNode):
3340         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
3341         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
3342         * dfg/DFGWatchpointCollectionPhase.cpp:
3343         (JSC::DFG::WatchpointCollectionPhase::handle):
3344         (JSC::DFG::WatchpointCollectionPhase::addLazily):
3345         * ftl/FTLCapabilities.cpp:
3346         (JSC::FTL::canCompile):
3347         * ftl/FTLLowerDFGToLLVM.cpp:
3348         (JSC::FTL::LowerDFGToLLVM::compileNode):
3349         (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
3350         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):