8365bcaaded756636fc724720745e6197376b88c
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [ES6] Implement Reflect.apply
4         https://bugs.webkit.org/show_bug.cgi?id=147306
5
6         Reviewed by Sam Weinig.
7
8         Implement Reflect.apply.
9         The large part of this can be implemented by the @apply builtin annotation.
10         The only thing which is different from the Funciton.prototype.apply is the third parameter,
11         "argumentsList" is needed to be an object.
12
13         * builtins/ReflectObject.js:
14         (apply):
15         (deleteProperty):
16         * runtime/ReflectObject.cpp:
17         * tests/stress/reflect-apply.js: Added.
18         (shouldBe):
19         (shouldThrow):
20         (get shouldThrow):
21         (.get shouldThrow):
22         (get var.array.get length):
23         (get var.array.get 0):
24         (.get var):
25         * tests/stress/reflect-delete-property.js:
26
27 2015-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
28
29         [ES6] Add Reflect namespace and add Reflect.deleteProperty
30         https://bugs.webkit.org/show_bug.cgi?id=147287
31
32         Reviewed by Sam Weinig.
33
34         This patch just creates the namespace for ES6 Reflect APIs.
35         And add template files to implement the actual code.
36
37         Not to keep the JS generated properties C array empty,
38         we added one small method, Reflect.deleteProperty in this patch.
39
40         * CMakeLists.txt:
41         * DerivedSources.make:
42         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
43         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
44         * JavaScriptCore.xcodeproj/project.pbxproj:
45         * builtins/ReflectObject.js: Added.
46         (deleteProperty):
47         * runtime/CommonIdentifiers.h:
48         * runtime/JSGlobalObject.cpp:
49         (JSC::JSGlobalObject::init):
50         * runtime/ReflectObject.cpp: Added.
51         (JSC::ReflectObject::ReflectObject):
52         (JSC::ReflectObject::finishCreation):
53         (JSC::ReflectObject::getOwnPropertySlot):
54         * runtime/ReflectObject.h: Added.
55         (JSC::ReflectObject::create):
56         (JSC::ReflectObject::createStructure):
57         * tests/stress/reflect-delete-property.js: Added.
58         (shouldBe):
59         (shouldThrow):
60
61 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
62
63         Avoid 2 times name iteration in Object.assign
64         https://bugs.webkit.org/show_bug.cgi?id=147268
65
66         Reviewed by Geoffrey Garen.
67
68         Object.assign calls Object.getOwnPropertyNames & Object.getOwnPropertySymbols to collect all the names.
69         But exposing the private API that collects both at the same time makes the API efficient when the given Object has so many non-indexed properties.
70         Since Object.assign is so generic API (some form of utility API), the form of the given Object is not expected.
71         So the taken object may have so many non-indexed properties.
72
73         In this patch, we introduce `ownEnumerablePropertyKeys` private function.
74         It is minor changed version of `[[OwnPropertyKeys]]` in the ES6 spec;
75         It only includes enumerable properties.
76
77         By filtering out the non-enumerable properties in the exposed private function,
78         we avoid calling @objectGetOwnPropertyDescriptor for each property at the same time.
79
80         * builtins/ObjectConstructor.js:
81         (assign):
82         * runtime/CommonIdentifiers.h:
83         * runtime/EnumerationMode.h:
84         * runtime/JSGlobalObject.cpp:
85         (JSC::JSGlobalObject::init):
86         * runtime/ObjectConstructor.cpp:
87         (JSC::ownEnumerablePropertyKeys):
88         * runtime/ObjectConstructor.h:
89         * tests/stress/object-assign-enumerable.js: Added.
90         (shouldBe):
91         * tests/stress/object-assign-order.js: Added.
92         (shouldBe):
93
94 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
95
96         Remove runtime flags for symbols
97         https://bugs.webkit.org/show_bug.cgi?id=147246
98
99         Reviewed by Alex Christensen.
100
101         * runtime/ArrayPrototype.cpp:
102         (JSC::ArrayPrototype::finishCreation):
103         * runtime/JSGlobalObject.cpp:
104         (JSC::JSGlobalObject::init): Deleted.
105         * runtime/JSGlobalObject.h:
106         * runtime/ObjectConstructor.cpp:
107         (JSC::ObjectConstructor::finishCreation):
108         * runtime/RuntimeFlags.h:
109
110 2015-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
111
112         Object.getOwnPropertySymbols on large list takes very long
113         https://bugs.webkit.org/show_bug.cgi?id=146137
114
115         Reviewed by Mark Lam.
116
117         Before this patch, Object.getOwnPropertySymbols collects all the names including strings.
118         And after it's done, filter the names to only retrieve the symbols.
119         But it's so time consuming if the given object is a large non-holed array since it has
120         many indexed properties and all the indexes have to be converted to uniqued_strings and
121         added to the collection of property names (though they may not be of the requested type
122         and will be filtered out later)
123
124         This patch introduces PropertyNameMode.
125         We leverage this mode in 2 places.
126
127         1. PropertyNameArray side
128         It is set in PropertyNameArray and it filters the incoming added identifiers based on the mode.
129         It ensures that PropertyNameArray doesn't become so large in the pathological case.
130         And it ensures that non-expected typed keys by the filter (Symbols or Strings) are never added
131         to the property name array collections.
132         However it does not solve the whole problem because the huge array still incurs the many
133         "indexed property to uniqued string" conversion and the large iteration before adding the keys
134         to the property name array.
135
136         2. getOwnPropertyNames side
137         So we can use the PropertyNameMode in the caller side (getOwnPropertyNames) as a **hint**.
138         When the large iteration may occur, the caller side can use the PropertyNameMode as a hint to
139         avoid the iteration.
140         But we cannot exclusively rely on these caller side checks because it would require that we
141         exhaustively add the checks to all custom implementations of getOwnPropertyNames as well.
142         This process requires manual inspection of many pieces of code, and is error prone. Instead,
143         we only apply the caller side check in a few strategic places where it is known to yield
144         performance benefits; and we rely on the filter in PropertyNameArray::add() to reject the wrong
145         types of properties for all other calls to PropertyNameArray::add().
146
147         In this patch, there's a concept in use that is not clear just from reading the code, and hence
148         should be documented here. When selecting the PropertyNameMode for the PropertyNameArray to be
149         instantiated, we apply the following logic:
150
151         1. Only JavaScriptCore code is aware of ES6 Symbols.
152         We can assume that pre-existing external code that interfaces JSC are only looking for string named properties. This includes:
153             a. WebCore bindings
154             b. Serializer bindings
155             c. NPAPI bindings
156             d. Objective C bindings
157         2. In JSC, code that compute object storage space needs to iterate both Symbol and String named properties. Hence, use PropertyNameMode::Both.
158         3. In JSC, ES6 APIs that work with Symbols should use PropertyNameMode::Symbols.
159         4. In JSC, ES6 APIs that work with String named properties should use PropertyNameMode::Strings.
160
161         * API/JSObjectRef.cpp:
162         (JSObjectCopyPropertyNames):
163         * bindings/ScriptValue.cpp:
164         (Deprecated::jsToInspectorValue):
165         * bytecode/ObjectAllocationProfile.h:
166         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
167         * runtime/EnumerationMode.h:
168         (JSC::EnumerationMode::EnumerationMode):
169         (JSC::EnumerationMode::includeSymbolProperties): Deleted.
170         * runtime/GenericArgumentsInlines.h:
171         (JSC::GenericArguments<Type>::getOwnPropertyNames):
172         * runtime/JSGenericTypedArrayViewInlines.h:
173         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
174         * runtime/JSLexicalEnvironment.cpp:
175         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
176         * runtime/JSONObject.cpp:
177         (JSC::Stringifier::Stringifier):
178         (JSC::Stringifier::Holder::appendNextProperty):
179         (JSC::Walker::walk):
180         * runtime/JSObject.cpp:
181         (JSC::JSObject::getOwnPropertyNames):
182         * runtime/JSPropertyNameEnumerator.cpp:
183         (JSC::JSPropertyNameEnumerator::create):
184         * runtime/JSPropertyNameEnumerator.h:
185         (JSC::propertyNameEnumerator):
186         * runtime/JSSymbolTableObject.cpp:
187         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
188         * runtime/ObjectConstructor.cpp:
189         (JSC::objectConstructorGetOwnPropertyNames):
190         (JSC::objectConstructorGetOwnPropertySymbols):
191         (JSC::objectConstructorKeys):
192         (JSC::defineProperties):
193         (JSC::objectConstructorSeal):
194         (JSC::objectConstructorFreeze):
195         (JSC::objectConstructorIsSealed):
196         (JSC::objectConstructorIsFrozen):
197         * runtime/PropertyNameArray.h:
198         (JSC::PropertyNameArray::PropertyNameArray):
199         (JSC::PropertyNameArray::mode):
200         (JSC::PropertyNameArray::addKnownUnique):
201         (JSC::PropertyNameArray::add):
202         (JSC::PropertyNameArray::isUidMatchedToTypeMode):
203         (JSC::PropertyNameArray::includeSymbolProperties):
204         (JSC::PropertyNameArray::includeStringProperties):
205         * runtime/StringObject.cpp:
206         (JSC::StringObject::getOwnPropertyNames):
207         * runtime/Structure.cpp:
208         (JSC::Structure::getPropertyNamesFromStructure):
209
210 2015-07-24  Saam barati  <saambarati1@gmail.com>
211
212         [ES6] Add support for default parameters
213         https://bugs.webkit.org/show_bug.cgi?id=38409
214
215         Reviewed by Filip Pizlo.
216
217         This patch implements ES6 default parameters according to the ES6
218         specification. This patch builds off the components introduced with 
219         "let" scoping and parsing function parameters in the same parser
220         arena as the function itself. "let" scoping allows functions with default 
221         parameter values to place their parameters under the TDZ. Parsing function
222         parameters in the same parser arena allows the FunctionParameters AST node
223         refer to ExpressionNodes.
224
225         The most subtle part of this patch is how we allocate lexical environments
226         when functions have default parameter values. If a function has default
227         parameter values then there must be a separate lexical environment for
228         its parameters. Then, the function's "var" lexical environment must have
229         the parameter lexical environment as its parent. The BytecodeGenerator
230         takes great care to not allocate the "var" lexical environment before its
231         really needed.
232
233         The "arguments" object for a function with default parameters will never be 
234         a mapped arugments object. It will always be a cloned arugments object.
235
236         * bytecompiler/BytecodeGenerator.cpp:
237         (JSC::BytecodeGenerator::generate):
238         (JSC::BytecodeGenerator::BytecodeGenerator):
239         (JSC::BytecodeGenerator::~BytecodeGenerator):
240         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
241         (JSC::BytecodeGenerator::initializeNextParameter):
242         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
243         (JSC::BytecodeGenerator::visibleNameForParameter):
244         (JSC::BytecodeGenerator::emitLoadGlobalObject):
245         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
246         (JSC::BytecodeGenerator::pushLexicalScope):
247         (JSC::BytecodeGenerator::popLexicalScope):
248         * bytecompiler/BytecodeGenerator.h:
249         (JSC::BytecodeGenerator::lastOpcodeID):
250         * bytecompiler/NodesCodegen.cpp:
251         (JSC::FunctionNode::emitBytecode):
252         * jit/JITOperations.cpp:
253         * parser/ASTBuilder.h:
254         (JSC::ASTBuilder::createElementList):
255         (JSC::ASTBuilder::createFormalParameterList):
256         (JSC::ASTBuilder::appendParameter):
257         (JSC::ASTBuilder::createClause):
258         (JSC::ASTBuilder::createClauseList):
259         * parser/Nodes.h:
260         (JSC::FunctionParameters::size):
261         (JSC::FunctionParameters::at):
262         (JSC::FunctionParameters::hasDefaultParameterValues):
263         (JSC::FunctionParameters::append):
264         * parser/Parser.cpp:
265         (JSC::Parser<LexerType>::parseVariableDeclarationList):
266         (JSC::Parser<LexerType>::createBindingPattern):
267         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
268         (JSC::Parser<LexerType>::parseDestructuringPattern):
269         (JSC::Parser<LexerType>::parseFormalParameters):
270         (JSC::Parser<LexerType>::parseFunctionParameters):
271         * parser/Parser.h:
272         (JSC::Scope::declareParameter):
273         * parser/SyntaxChecker.h:
274         (JSC::SyntaxChecker::createElementList):
275         (JSC::SyntaxChecker::createFormalParameterList):
276         (JSC::SyntaxChecker::appendParameter):
277         (JSC::SyntaxChecker::createClause):
278         (JSC::SyntaxChecker::createClauseList):
279         * tests/stress/es6-default-parameters.js: Added.
280         (assert):
281         (shouldThrow):
282         (shouldThrowSyntaxError):
283         (shouldThrowTDZ):
284         (basic):
285         (basicFunctionCaptureInDefault.basicFunctionCaptureInDefault.basicCaptured):
286         (basicCaptured.basicCaptured.tricky):
287         (strict):
288         (playground):
289         (scoping):
290         (augmentsArguments1):
291         (augmentsArguments2):
292         (augmentsArguments3):
293         (augmentsArguments4):
294         (augmentsArguments5):
295
296 2015-07-24  Xabier Rodriguez Calvar  <calvaris@igalia.com>
297
298         Remove JS Promise constructor unused piece of code
299         https://bugs.webkit.org/show_bug.cgi?id=147262
300
301         Reviewed by Geoffrey Garen.
302
303         * runtime/JSPromiseConstructor.cpp:
304         (JSC::constructPromise): Deleted.
305         * runtime/JSPromiseConstructor.h: Removed JSC::constructPromise.
306
307 2015-07-24  Mark Lam  <mark.lam@apple.com>
308
309         Add WASM files to vcxproj files.
310         https://bugs.webkit.org/show_bug.cgi?id=147264
311
312         Reviewed by Geoffrey Garen.
313
314         This is a follow up to http://trac.webkit.org/changeset/187254 where WASM files
315         were introduced but were not able to be added to the vcxproj files yet.
316
317         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
318         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
319
320 2015-07-23  Filip Pizlo  <fpizlo@apple.com>
321
322         DFG::safeToExecute() is wrong for MultiGetByOffset, doesn't consider the structures of the prototypes that get loaded from
323         https://bugs.webkit.org/show_bug.cgi?id=147250
324
325         Reviewed by Geoffrey Garen.
326         
327         This fixes a nasty - but currently benign - bug in DFG::safeToExecute(). That function
328         will tell you if hoisting a node to some point is safe in the sense that the node will
329         not crash the VM if it executes at that point. A node may be unsafe to execute if we
330         cannot prove that at that point, the memory it is loading is not garbage. This is a
331         necessarily loose notion - for example it's OK to hoist a load if we haven't proved
332         that the load makes semantic sense at that point, since anyway the place where the node
333         did get used will still be guarded by any such semantic checks. But because we may also
334         hoist uses of the load, we need to make sure that it doesn't produce a garbage value.
335         Also, we need to ensure that the load won't trap. Hence safeToExecute() returns true
336         anytime we can be sure that a node will not produce a garbage result (i.e. a malformed
337         JSValue or object pointer) and will not trap when executed at the point in question.
338         
339         The bug is that this verification isn't performed for the loads from prototypes inside
340         MultiGetByOffset. DFG::ByteCodeParser will guard MultiGetByOffset with CheckStructure's
341         on the prototypes. So, hypothetically, you might end up hoisting a MultiGetByOffset
342         above those structure checks, which would mean that we might load a value from a memory
343         location without knowing that the location is valid. It might then return the value
344         loaded.
345         
346         This never happens in practice. Those structure checks are more hoistable that the
347         MultiGetByOffset, since they read a strict subset of the MultiGetByOffset's abstract
348         heap reads. Also, we hoist in program order. So, those CheckStructure's will always be
349         hoisted before the MultiGetByOffset gets hoisted.
350         
351         But we should fix this anyway. DFG::safeToExecute() has a clear definition of what a
352         "true" return means for IR transformations, and it fails in satisfying that definition
353         for MultiGetByOffset.
354         
355         There are various approaches we can use for making this safe. I considered two:
356         
357         1) Have MultiGetByOffset refer to the prototypes it is loading from in IR, so that we
358            can check if it's safe to load from them.
359         
360         2) Turn off MultiGetByOffset hoisting when it will emit loads from prototypes, and the
361            prototype structure isn't being watched.
362         
363         I ended up using (2), because it will be the most natural solution once I finish
364         https://bugs.webkit.org/show_bug.cgi?id=146929. Already now, it's somewhat more natural
365         than (1) since that requires more extensive IR changes. Also, (2) will give us what we
366         want in *most* cases: we will usually watch the prototype structure, and we will
367         usually constant-fold loads from prototypes. Both of these usually-true things would
368         have to become false for MultiGetByOffset hoisting to be disabled by this change.
369         
370         This change also adds my attempt at a test, though it's not really a test of this bug.
371         This bug is currently benign. But, the test does at least trigger the logic to run,
372         which is better than nothing.
373
374         * dfg/DFGSafeToExecute.h:
375         (JSC::DFG::safeToExecute):
376         * tests/stress/multi-get-by-offset-hoist-around-structure-check.js: Added.
377         (foo):
378
379 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
380
381         Implement WebAssembly modules
382         https://bugs.webkit.org/show_bug.cgi?id=147222
383
384         Reviewed by Filip Pizlo.
385
386         Make JSWASMModule inherit from JSDestructibleObject so that the destructor is called.
387
388         * wasm/JSWASMModule.h:
389
390 2015-07-23  Alex Christensen  <achristensen@webkit.org>
391
392         Remove compile and runtime flags for promises.
393         https://bugs.webkit.org/show_bug.cgi?id=147244
394
395         Reviewed by Yusuke Suzuki.
396
397         * API/JSCallbackObjectFunctions.h:
398         (JSC::JSCallbackObject<Parent>::JSCallbackObject):
399         * API/JSContextRef.cpp:
400         (JSGlobalContextCreateInGroup):
401         * Configurations/FeatureDefines.xcconfig:
402         * inspector/JSInjectedScriptHost.cpp:
403         (Inspector::JSInjectedScriptHost::getInternalProperties):
404         * runtime/JSGlobalObject.cpp:
405         (JSC::JSGlobalObject::init):
406         (JSC::JSGlobalObject::visitChildren):
407         * runtime/JSGlobalObject.h:
408         (JSC::JSGlobalObject::create):
409         (JSC::JSGlobalObject::syntaxErrorConstructor):
410         (JSC::JSGlobalObject::typeErrorConstructor):
411         (JSC::JSGlobalObject::URIErrorConstructor):
412         (JSC::JSGlobalObject::promiseConstructor):
413         (JSC::JSGlobalObject::nullGetterFunction):
414         (JSC::JSGlobalObject::nullSetterFunction):
415         (JSC::JSGlobalObject::applyFunction):
416         (JSC::JSGlobalObject::definePropertyFunction):
417         (JSC::JSGlobalObject::arrayProtoValuesFunction):
418         (JSC::JSGlobalObject::initializePromiseFunction):
419         (JSC::JSGlobalObject::newPromiseDeferredFunction):
420         (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
421         (JSC::JSGlobalObject::regExpPrototype):
422         (JSC::JSGlobalObject::errorPrototype):
423         (JSC::JSGlobalObject::iteratorPrototype):
424         (JSC::JSGlobalObject::promisePrototype):
425         (JSC::JSGlobalObject::debuggerScopeStructure):
426         (JSC::JSGlobalObject::withScopeStructure):
427         (JSC::JSGlobalObject::iteratorResultStructure):
428         (JSC::JSGlobalObject::iteratorResultStructureOffset):
429         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
430         (JSC::JSGlobalObject::promiseStructure):
431         * runtime/JSPromise.cpp:
432         (JSC::JSPromise::result):
433         * runtime/JSPromise.h:
434         * runtime/JSPromiseConstructor.cpp:
435         (JSC::constructPromise):
436         * runtime/JSPromiseConstructor.h:
437         * runtime/JSPromiseDeferred.cpp:
438         (JSC::JSPromiseDeferred::visitChildren):
439         * runtime/JSPromiseDeferred.h:
440         * runtime/JSPromisePrototype.cpp:
441         (JSC::JSPromisePrototype::getOwnPropertySlot):
442         * runtime/JSPromisePrototype.h:
443         * runtime/RuntimeFlags.h:
444         * runtime/VM.cpp:
445         (JSC::VM::VM):
446         * runtime/VM.h:
447
448 2015-07-23  Sukolsak Sakshuwong  <sukolsak@gmail.com>
449
450         Implement WebAssembly modules
451         https://bugs.webkit.org/show_bug.cgi?id=147222
452
453         Reviewed by Mark Lam.
454
455         Introducing the boilerplate data structure for the WebAssembly module.
456         WebAssembly functionality will be added in a subsequent patch.
457
458         * CMakeLists.txt:
459         * JavaScriptCore.xcodeproj/project.pbxproj:
460         * wasm/JSWASMModule.cpp: Added.
461         (JSC::JSWASMModule::visitChildren):
462         * wasm/JSWASMModule.h: Added.
463         (JSC::JSWASMModule::create):
464         (JSC::JSWASMModule::createStructure):
465         (JSC::JSWASMModule::JSWASMModule):
466
467 2015-07-23  Devin Rousso  <drousso@apple.com>
468
469         Web Inspector: Add a function to CSSCompletions to get a list of supported system fonts
470         https://bugs.webkit.org/show_bug.cgi?id=147009
471
472         Reviewed by Joseph Pecoraro.
473
474         * inspector/protocol/CSS.json: Added getSupportedSystemFontFamilyNames function.
475
476 2015-07-22  Sukolsak Sakshuwong  <sukolsak@gmail.com>
477
478         Add ENABLE_WEBASSEMBLY feature flag for WebAssembly
479         https://bugs.webkit.org/show_bug.cgi?id=147212
480
481         Reviewed by Filip Pizlo.
482
483         * Configurations/FeatureDefines.xcconfig:
484
485 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
486
487         Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time
488         https://bugs.webkit.org/show_bug.cgi?id=147218
489
490         Reviewed by Sam Weinig.
491         
492         I want to be able to take a UniquedStringImpl* and turn it into an identifierNumber at
493         various points in my work on https://bugs.webkit.org/show_bug.cgi?id=146929. Currently,
494         most Nodes that deal with identifiers use identifierNumbers and you can only create an
495         identifierNumber in BytecodeGenerator. DFG::ByteCodeParser does sort of have the
496         ability to create new identifierNumbers when inlining - it takes the inlined code's
497         identifiers and either gives them new numbers or reuses numbers from the enclosing
498         code.
499         
500         This patch takes that basic functionality and puts it in
501         DFG::DesiredIdentifiers::ensure(). Anyone can call this at any time to turn a
502         UniquedStringImpl* into an identifierNumber. This data structure is already used by
503         Plan to properly install any newly created identifier table entries into the CodeBlock.
504
505         * dfg/DFGByteCodeParser.cpp:
506         (JSC::DFG::ByteCodeParser::ByteCodeParser):
507         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
508         (JSC::DFG::ByteCodeParser::linkBlocks):
509         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
510         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): Deleted.
511         * dfg/DFGDesiredIdentifiers.cpp:
512         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
513         (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
514         (JSC::DFG::DesiredIdentifiers::ensure):
515         (JSC::DFG::DesiredIdentifiers::at):
516         (JSC::DFG::DesiredIdentifiers::addLazily): Deleted.
517         * dfg/DFGDesiredIdentifiers.h:
518
519 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
520
521         Simplify things like CompareEq(@x,@x)
522         https://bugs.webkit.org/show_bug.cgi?id=145850
523
524         Reviewed by Sam Weinig.
525         
526         This simplifies x==x to true, except in cases where x might be a double (in which case this
527         might still be false if x is NaN).
528
529         * dfg/DFGAbstractInterpreterInlines.h:
530         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
531         * tests/stress/nan-equal-untyped.js: Added.
532         (foo):
533         (test):
534         * tests/stress/nan-equal.js: Added.
535         (foo):
536
537 2015-07-22  Joseph Pecoraro  <pecoraro@apple.com>
538
539         Web Inspector: Timeline should immediately start moving play head when starting a new recording
540         https://bugs.webkit.org/show_bug.cgi?id=147210
541
542         Reviewed by Timothy Hatcher.
543
544         * inspector/protocol/Timeline.json:
545         Add timestamps to recordingStarted and recordingStopped events.
546
547 2015-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
548
549         Introducing construct ability into JS executables
550         https://bugs.webkit.org/show_bug.cgi?id=147183
551
552         Reviewed by Geoffrey Garen.
553
554         Decouple the construct ability from the builtin functions.
555         Currently, all builtin functions are not constructors after r182995.
556         In that patch, when the given function is builtin JS function, we recognize it as the non-constructor function.
557
558         But, we need to relax it to implement some constructors in builtins JS.
559         By decoupling the construct ability from whether the function is builtin or not, we can provide
560
561         1. constructors written in builtin JS
562         2. non-constructors in normal JS functions
563
564         (1) is needed for Promise constructor.
565         And (2) is needed for method functions and arrow functions.
566
567         This patch introduces ConstructAbility into the unlinked function executables.
568         It holds whether the given JS function has the construct ability or not.
569         By leveraging this, this patch disables the construct ability of the method definitions, setters, getters and arrow functions.
570
571         And at the same time, this patch introduces the annotation for constructor in builtin JS.
572         We can define the function as follows,
573
574             constructor Promise(executor)
575             {
576                 ...
577             }
578
579         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
580         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
581         * JavaScriptCore.xcodeproj/project.pbxproj:
582         * builtins/BuiltinExecutables.cpp:
583         (JSC::BuiltinExecutables::createDefaultConstructor):
584         (JSC::BuiltinExecutables::createExecutableInternal):
585         * builtins/BuiltinExecutables.h:
586         * builtins/Iterator.prototype.js:
587         (symbolIterator):
588         (SymbolIterator): Deleted.
589         * bytecode/UnlinkedCodeBlock.cpp:
590         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
591         * bytecode/UnlinkedCodeBlock.h:
592         * bytecompiler/BytecodeGenerator.h:
593         (JSC::BytecodeGenerator::makeFunction):
594         * generate-js-builtins:
595         (getCopyright):
596         (Function):
597         (Function.__init__):
598         (Function.mangleName):
599         (getFunctions):
600         (mangleName): Deleted.
601         * jit/JITOperations.cpp:
602         * llint/LLIntSlowPaths.cpp:
603         (JSC::LLInt::setUpCall):
604         * parser/Parser.cpp:
605         (JSC::Parser<LexerType>::parseClass):
606         * runtime/CodeCache.cpp:
607         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
608         * runtime/CommonIdentifiers.h:
609         * runtime/ConstructAbility.h: Copied from Source/JavaScriptCore/builtins/Iterator.prototype.js.
610         * runtime/Executable.h:
611         * runtime/JSFunction.cpp:
612         (JSC::JSFunction::getConstructData):
613         * runtime/JSGlobalObject.cpp:
614         (JSC::JSGlobalObject::init):
615         * tests/stress/non-constructors.js: Added.
616         (shouldThrow):
617         (.prototype.method):
618         (.prototype.get getter):
619         (.prototype.set setter):
620         (.method):
621         (.get shouldThrow):
622         (.set shouldThrow):
623         (set var.test.get getter):
624         (set var.test.set setter):
625         (set var.test.normal):
626         (.set var):
627         (.set new):
628
629 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
630
631         [JSC] Enable exception fuzzing for GCC too
632         https://bugs.webkit.org/show_bug.cgi?id=146831
633
634         Reviewed by Darin Adler.
635
636         * jit/JITOperations.cpp:
637
638 2015-07-22  Filip Pizlo  <fpizlo@apple.com>
639
640         Fixed pool allocation should always be aligned
641         https://bugs.webkit.org/show_bug.cgi?id=147201
642
643         Reviewed by Simon Fraser.
644         
645         Passing an unaligned size to the allocator can cause asserts or even worse things. The
646         Options reservation value isn't going to be aligned.
647
648         * jit/ExecutableAllocatorFixedVMPool.cpp:
649         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
650
651 2015-07-22  Csaba Osztrogonác  <ossy@webkit.org>
652
653         Enable STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE for GCC
654         https://bugs.webkit.org/show_bug.cgi?id=146829
655
656         Reviewed by Brent Fulgham.
657
658         * heap/GCAssertions.h:
659
660 2015-07-22  Alex Christensen  <achristensen@webkit.org>
661
662         Fix quirks in CMake build on Mac and Windows
663         https://bugs.webkit.org/show_bug.cgi?id=147174
664
665         Reviewed by Gyuyoung Kim.
666
667         * PlatformMac.cmake:
668         Add JSRemoteInspector.cpp and remove semicolon from command to make it actually run.
669
670 2015-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
671
672         Add newTarget accessor to JS constructor written in C++
673         https://bugs.webkit.org/show_bug.cgi?id=147160
674
675         Reviewed by Geoffrey Garen.
676
677         This patch adds `ExecState#newTarget()` which returns `new.target` defined in ECMA262 6th.
678         It enables some C++ constructors (like Intl.XXX constructors) to leverage this to complete
679         its implementation.
680
681         When the constructor is called, |this| in the arguments is used for storing new.target instead.
682         So by adding the accessor for |this|, JS constructor written in C++ can access new.target.
683
684         And at the same time, this patch extends the existing `construct` to accept new.target value.
685         It is corresponding to the spec's Construct abstract operation.
686
687         * interpreter/CallFrame.h:
688         (JSC::ExecState::newTarget):
689         * interpreter/Interpreter.cpp:
690         (JSC::Interpreter::executeConstruct):
691         * interpreter/Interpreter.h:
692         * runtime/ConstructData.cpp:
693         (JSC::construct):
694         * runtime/ConstructData.h:
695         (JSC::construct):
696
697 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
698
699         Unreviewed, fix a lot of tests. Need to initialize WTF threading sooner.
700
701         * jsc.cpp:
702         (main):
703
704 2015-07-21  Filip Pizlo  <fpizlo@apple.com>
705
706         Fixed VM pool allocation should have a reserve for allocations that cannot fail
707         https://bugs.webkit.org/show_bug.cgi?id=147154
708         rdar://problem/21847618
709
710         Reviewed by Geoffrey Garen.
711         
712         This adds the notion of a JIT pool reserve fraction. Some fraction, currently 1/4, of
713         the JIT pool is reserved for allocations that cannot fail. It makes sense to make this
714         a fraction rather than a constant because each allocation that can fail may cause some
715         number of allocations that cannot fail (for example, the OSR exit thunks that we
716         compile when we exit from some CodeBlock cannot fail).
717         
718         I've tested this by adding a test mode where we artificially limit the JIT pool size.
719         Prior to the fix, we had >20 failures. Now we have none.
720
721         * heap/GCLogging.cpp:
722         (WTF::printInternal): I needed a dump method on Options members when debugging this.
723         * heap/GCLogging.h:
724         * jit/ExecutableAllocator.h: Raise the ARM64 limit to 32MB because 16MB is cutting it too close.
725         * jit/ExecutableAllocatorFixedVMPool.cpp:
726         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Add the ability to artificially limit JIT pool size for testing.
727         (JSC::ExecutableAllocator::memoryPressureMultiplier): Implement the reserve when computing memory pressure for JIT tier-up heuristics.
728         (JSC::ExecutableAllocator::allocate): Implement the reserve when allocating can-fail things.
729         * jsc.cpp: Rewire some options parsing so that CommandLine happens before we create the JIT pool.
730         (main):
731         (CommandLine::parseArguments):
732         (jscmain):
733         * runtime/Options.cpp: 
734         (JSC::OptionRange::dump): I needed a dump method on Options members when debugging this.
735         (JSC::Options::initialize): This can now be called more than once.
736         * runtime/Options.h:
737
738 2015-07-21  Saam barati  <saambarati1@gmail.com>
739
740         ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier"
741         https://bugs.webkit.org/show_bug.cgi?id=147156
742
743         Reviewed by Andreas Kling.
744
745         * parser/Nodes.h:
746
747 2015-07-21  Basile Clement  <basile_clement@apple.com>
748
749         Object allocation sinking phase is performing needless HashMap copies
750         https://bugs.webkit.org/show_bug.cgi?id=147159
751
752         Reviewed by Geoffrey Garen.
753
754         The points-to analyzer in the object allocation sinking phase is
755         currently performing copies of its allocation and pointers tables in
756         several places. While this is not a huge problem since those tables are
757         usually small and we are in the FTL path anyway, we still shouldn't be
758         doing such useless copying.
759
760         This patch also removes the DFGInsertOSRHintsForUpdate files that are
761         no longer needed with the new object sinking phase and should have been
762         removed in r186795.
763
764         * CMakeLists.txt:
765         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
766         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
767         * JavaScriptCore.xcodeproj/project.pbxproj:
768         * dfg/DFGInsertOSRHintsForUpdate.cpp: Removed.
769         (JSC::DFG::insertOSRHintsForUpdate): Deleted.
770         * dfg/DFGInsertOSRHintsForUpdate.h: Removed.
771         * dfg/DFGObjectAllocationSinkingPhase.cpp:
772
773 2015-07-21  Saam barati  <saambarati1@gmail.com>
774
775         DestructuringPatternNode and DestructuringAssignmentNode should be ParserArenaFreeable
776         https://bugs.webkit.org/show_bug.cgi?id=147140
777
778         Reviewed by Geoffrey Garen.
779
780         The descendants of DestructuringPatternNode that need destruction also
781         inherit from ParserArenaDeletable.
782
783         * parser/Nodes.h:
784         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
785         (JSC::ObjectPatternNode::appendEntry):
786         (JSC::DestructuringAssignmentNode::bindings):
787
788 2015-07-21  Keith Miller  <keith_miller@apple.com>
789
790         Add support for the new.target syntax.
791         https://bugs.webkit.org/show_bug.cgi?id=147051
792
793         Reviewed by Yusuke Suzuki.
794
795         Add support for new.target. Essentially the implementation is, before constructor calls,
796         the target of a "new" is placed where "this" noramlly goes in the calling convention.
797         Then in the constructor before object is initialized we move the target of the "new"
798         into a local variable.
799
800         * bytecompiler/BytecodeGenerator.cpp:
801         (JSC::BytecodeGenerator::BytecodeGenerator):
802         * bytecompiler/NodesCodegen.cpp:
803         (JSC::NewTargetNode::emitBytecode):
804         * parser/ASTBuilder.h:
805         (JSC::ASTBuilder::newTargetExpr):
806         * parser/NodeConstructors.h:
807         (JSC::NewTargetNode::NewTargetNode):
808         * parser/Nodes.h:
809         * parser/Parser.cpp:
810         (JSC::Parser<LexerType>::parseMemberExpression):
811         * parser/SyntaxChecker.h:
812         (JSC::SyntaxChecker::newTargetExpr):
813         * runtime/CommonIdentifiers.h:
814         * tests/stress/new-target.js: Added.
815         (test):
816         (call):
817         (Constructor.subCall):
818         (Constructor.SubConstructor):
819         (Constructor):
820         (noAssign):
821         (doWeirdThings):
822         (SuperClass):
823         (SubClass):
824
825 2015-07-20  Saam barati  <saambarati1@gmail.com>
826
827         "let" scoping introduced incoherent story about symbol table cloning
828         https://bugs.webkit.org/show_bug.cgi?id=147046
829
830         Reviewed by Filip Pizlo.
831
832         This patch now establishes a clear set of rules for how SymbolTables
833         are owned by CodeBlock. Every SymbolTable that is used by a bytecode
834         instruction must live in CodeBlock's constant register pool. When CodeBlock
835         is being linked, it ensures that every SymbolTable in the constant pool is cloned. 
836         This leaves no room for an un-cloned symbol table to be used by a bytecode instruction. 
837         Some instructions may refer to SymbolTable's indirectly through a JSLexicalEnvironment. 
838         This is fine, all JSLexicalEnvironment's are allocated with references to cloned symbol tables.
839
840         Another goal of this patch is to remove the notion that a SymbolTable is 1 to 1 
841         with a CodeBlock. With lexical scoping, this view of the world is no longer
842         correct. This patch begins to remove this assumption by making CodeBlock's
843         symbolTable() getter method private. There is still one place where we need
844         to purge our codebase of this assumption and that is the type profiler. It 
845         has not been updated for lexical scoping. After it is updated in 
846         https://bugs.webkit.org/show_bug.cgi?id=145438
847         we will be able to remove CodeBlock's symbolTable() getter entirely.
848
849         * bytecode/CodeBlock.cpp:
850         (JSC::CodeBlock::CodeBlock):
851         (JSC::CodeBlock::nameForRegister):
852         * bytecode/CodeBlock.h:
853         (JSC::CodeBlock::addStringSwitchJumpTable):
854         (JSC::CodeBlock::stringSwitchJumpTable):
855         (JSC::CodeBlock::evalCodeCache):
856         (JSC::CodeBlock::symbolTable):
857         * bytecode/UnlinkedCodeBlock.cpp:
858         (JSC::UnlinkedFunctionExecutable::visitChildren):
859         (JSC::UnlinkedFunctionExecutable::link):
860         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
861         * bytecode/UnlinkedCodeBlock.h:
862         (JSC::UnlinkedCodeBlock::addExceptionHandler):
863         (JSC::UnlinkedCodeBlock::exceptionHandler):
864         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
865         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
866         (JSC::UnlinkedCodeBlock::symbolTable): Deleted.
867         (JSC::UnlinkedCodeBlock::setSymbolTable): Deleted.
868         * bytecompiler/BytecodeGenerator.cpp:
869         (JSC::BytecodeGenerator::generate):
870         (JSC::BytecodeGenerator::BytecodeGenerator):
871         (JSC::BytecodeGenerator::pushLexicalScope):
872         (JSC::BytecodeGenerator::variableForLocalEntry):
873         (JSC::BytecodeGenerator::createVariable):
874         (JSC::BytecodeGenerator::resolveType):
875         (JSC::BytecodeGenerator::emitResolveScope):
876         * bytecompiler/BytecodeGenerator.h:
877         (JSC::BytecodeGenerator::thisRegister):
878         (JSC::BytecodeGenerator::instructions):
879         (JSC::BytecodeGenerator::symbolTable): Deleted.
880         * dfg/DFGGraph.h:
881         (JSC::DFG::Graph::baselineCodeBlockFor):
882         (JSC::DFG::Graph::isStrictModeFor):
883         (JSC::DFG::Graph::symbolTableFor): Deleted.
884         * jit/AssemblyHelpers.h:
885         (JSC::AssemblyHelpers::baselineCodeBlock):
886         (JSC::AssemblyHelpers::argumentsStart):
887         (JSC::AssemblyHelpers::symbolTableFor): Deleted.
888         * runtime/CommonSlowPaths.cpp:
889         (JSC::SLOW_PATH_DECL):
890         * runtime/Executable.cpp:
891         (JSC::FunctionExecutable::visitChildren):
892         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
893         (JSC::FunctionExecutable::symbolTable): Deleted.
894         * runtime/Executable.h:
895
896 2015-07-18  Filip Pizlo  <fpizlo@apple.com>
897
898         REGRESSION(186691): OSR entry is broken on loop headers that have no live variables
899         https://bugs.webkit.org/show_bug.cgi?id=147074
900         rdar://problem/21869970
901
902         Reviewed by Michael Saboff.
903         
904         The OSR entry must-handle block/value widening introduced in r186691 would cause the
905         CFA to reexecute if it caused any live local variables to change value. But this fails
906         if the must-handle block has no live local variables, and the entry block otherwise
907         appears to be unreachable.
908         
909         This fixes the bug by having the change detection include whether the block hadn't been
910         visited in addition to whether any local variable values got widened.
911         
912         This is a ~4% speed-up on SunSpider in browser.
913
914         * dfg/DFGCFAPhase.cpp:
915         (JSC::DFG::CFAPhase::run):
916
917 2015-07-20  Mark Lam  <mark.lam@apple.com>
918
919         Rollout r187020 and r187021: breaks JSC API tests on debug builds.
920         https://bugs.webkit.org/show_bug.cgi?id=147110
921
922         * heap/MachineStackMarker.cpp:
923         (JSC::MachineThreads::addCurrentThread):
924         * runtime/JSLock.cpp:
925         (JSC::JSLockHolder::~JSLockHolder):
926         (JSC::JSLock::JSLock):
927         (JSC::JSLock::willDestroyVM):
928         (JSC::JSLock::setExclusiveThread):
929         (JSC::JSLock::lock):
930         (JSC::JSLock::unlock):
931         (JSC::JSLock::currentThreadIsHoldingLock):
932         (JSC::JSLock::dropAllLocks):
933         * runtime/JSLock.h:
934         (JSC::JSLock::vm):
935         (JSC::JSLock::hasExclusiveThread):
936         (JSC::JSLock::exclusiveThread):
937         * runtime/VM.h:
938         (JSC::VM::hasExclusiveThread):
939         (JSC::VM::exclusiveThread):
940         (JSC::VM::setExclusiveThread):
941
942 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
943
944         Unreviewed debug build fix after r187020.
945
946         * heap/MachineStackMarker.cpp:
947         (JSC::MachineThreads::addCurrentThread):
948         VM::exclusiveThread() has changed return type to ThreadIdentifier.
949
950 2015-07-20  Per Arne Vollan  <peavo@outlook.com>
951
952         JavaScriptCore performance is very bad on Windows
953         https://bugs.webkit.org/show_bug.cgi?id=146448
954
955         Reviewed by Mark Lam.
956
957         Profiling shows that std::this_thread::get_id() is slow on Windows.
958         Use WTF::currentThread() instead, which calls GetCurrentThreadId().
959         This is faster on Windows. The issue has been reported to Microsoft,
960         https://connect.microsoft.com/VisualStudio/feedback/details/1558211.
961
962         * runtime/JSLock.cpp:
963         (JSC::JSLockHolder::~JSLockHolder):
964         (JSC::JSLock::JSLock):
965         (JSC::JSLock::willDestroyVM):
966         (JSC::JSLock::setExclusiveThread):
967         (JSC::JSLock::lock):
968         (JSC::JSLock::unlock):
969         (JSC::JSLock::currentThreadIsHoldingLock):
970         * runtime/JSLock.h:
971         (JSC::JSLock::vm):
972         (JSC::JSLock::hasExclusiveThread):
973         (JSC::JSLock::exclusiveThread):
974         * runtime/VM.h:
975         (JSC::VM::hasExclusiveThread):
976         (JSC::VM::exclusiveThread):
977         (JSC::VM::setExclusiveThread):
978
979 2015-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
980
981         In strict mode, `Object.keys(arguments)` includes "length"
982         https://bugs.webkit.org/show_bug.cgi?id=147071
983
984         Reviewed by Darin Adler.
985
986         ClonedAguments didn't set the "length" with DontEnum.
987
988         * runtime/ClonedArguments.cpp:
989         (JSC::ClonedArguments::createWithInlineFrame):
990         (JSC::ClonedArguments::createByCopyingFrom):
991         * tests/stress/arguments-length-always-dont-enum.js: Added.
992         (shouldBe):
993         (argsSloppy):
994         (argsStrict):
995
996 2015-07-19  Jordan Harband  <ljharb@gmail.com>
997
998         new Date(NaN).toJSON() must return null instead of throwing a TypeError
999         https://bugs.webkit.org/show_bug.cgi?id=141115
1000
1001         Reviewed by Yusuke Suzuki.
1002
1003         * runtime/DatePrototype.cpp:
1004         (JSC::dateProtoFuncToJSON):
1005
1006 2015-07-19  Saam barati  <saambarati1@gmail.com>
1007
1008         Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions
1009         https://bugs.webkit.org/show_bug.cgi?id=147090
1010
1011         Reviewed by Yusuke Suzuki.
1012
1013         ArrowFunction's have there ParserFunctionInfo "name" field to 
1014         be a non-null pointer. This is obviously allowed and valid except we 
1015         had a RELEASE_ASSERT that claimed otherwise. This is a mistake. 
1016
1017         Note: ArrowFunction's will never actually have a function name;
1018         there ParserFunctionInfo "name" field will be the empty string. 
1019         This is not be mistaken with the name field being a null pointer.
1020
1021         * parser/Parser.cpp:
1022         (JSC::Parser<LexerType>::parseFunctionInfo):
1023
1024 2015-07-18  Saam barati  <saambarati1@gmail.com>
1025
1026         [ES6] Add support for block scope const
1027         https://bugs.webkit.org/show_bug.cgi?id=31813
1028
1029         Reviewed by Filip Pizlo.
1030
1031         'const' is now implemented in an ES6 spec compliant manner.
1032         'const' variables are always block scoped and always live
1033         either on the stack or in a JSLexicalEnvironment. 'const'
1034         variables never live on the global object.
1035
1036         Inside the BytecodeGenerator, when assigning to a stack
1037         'const' variable or a LocalClosureVar 'const' variable,
1038         we will emit code that just throws a type error.
1039         When assigning to a ClosureVar const variable, CodeBlock linking
1040         will ensure that we perform a dynamic lookup of that variable so
1041         that put_to_scope's slow path throws a type error.
1042
1043         The old 'const' implementation has been removed in this patch.
1044
1045         * bytecode/BytecodeList.json:
1046         * bytecode/BytecodeUseDef.h:
1047         (JSC::computeUsesForBytecodeOffset):
1048         (JSC::computeDefsForBytecodeOffset):
1049         * bytecode/CodeBlock.cpp:
1050         (JSC::CodeBlock::dumpBytecode):
1051         (JSC::CodeBlock::CodeBlock):
1052         * bytecompiler/BytecodeGenerator.cpp:
1053         (JSC::BytecodeGenerator::BytecodeGenerator):
1054         (JSC::BytecodeGenerator::pushLexicalScope):
1055         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1056         (JSC::BytecodeGenerator::variable):
1057         (JSC::BytecodeGenerator::variableForLocalEntry):
1058         (JSC::BytecodeGenerator::createVariable):
1059         (JSC::BytecodeGenerator::emitResolveScope):
1060         (JSC::BytecodeGenerator::emitInstanceOf):
1061         (JSC::BytecodeGenerator::emitGetById):
1062         (JSC::BytecodeGenerator::isArgumentNumber):
1063         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1064         (JSC::BytecodeGenerator::emitEnumeration):
1065         (JSC::BytecodeGenerator::variablePerSymbolTable): Deleted.
1066         (JSC::BytecodeGenerator::emitInitGlobalConst): Deleted.
1067         * bytecompiler/BytecodeGenerator.h:
1068         (JSC::Variable::Variable):
1069         (JSC::Variable::isReadOnly):
1070         (JSC::Variable::isSpecial):
1071         (JSC::Variable::isConst):
1072         (JSC::BytecodeGenerator::thisRegister):
1073         (JSC::BytecodeGenerator::emitTypeOf):
1074         (JSC::BytecodeGenerator::emitIn):
1075         * bytecompiler/NodesCodegen.cpp:
1076         (JSC::PostfixNode::emitResolve):
1077         (JSC::PrefixNode::emitResolve):
1078         (JSC::ReadModifyResolveNode::emitBytecode):
1079         (JSC::AssignResolveNode::emitBytecode):
1080         (JSC::CommaNode::emitBytecode):
1081         (JSC::BindingNode::bindValue):
1082         (JSC::ConstDeclNode::emitCodeSingle): Deleted.
1083         (JSC::ConstDeclNode::emitBytecode): Deleted.
1084         (JSC::ConstStatementNode::emitBytecode): Deleted.
1085         * dfg/DFGByteCodeParser.cpp:
1086         (JSC::DFG::ByteCodeParser::parseBlock):
1087         * dfg/DFGCapabilities.cpp:
1088         (JSC::DFG::capabilityLevel):
1089         * jit/JIT.cpp:
1090         (JSC::JIT::privateCompileMainPass):
1091         * jit/JIT.h:
1092         * jit/JITPropertyAccess.cpp:
1093         (JSC::JIT::emit_op_put_to_arguments):
1094         (JSC::JIT::emit_op_init_global_const): Deleted.
1095         * jit/JITPropertyAccess32_64.cpp:
1096         (JSC::JIT::emit_op_put_to_arguments):
1097         (JSC::JIT::emit_op_init_global_const): Deleted.
1098         * llint/LowLevelInterpreter.asm:
1099         * llint/LowLevelInterpreter32_64.asm:
1100         * llint/LowLevelInterpreter64.asm:
1101         * parser/ASTBuilder.h:
1102         (JSC::ASTBuilder::createDeclarationStatement):
1103         (JSC::ASTBuilder::createEmptyVarExpression):
1104         (JSC::ASTBuilder::createDebugger):
1105         (JSC::ASTBuilder::appendStatement):
1106         (JSC::ASTBuilder::createVarStatement): Deleted.
1107         (JSC::ASTBuilder::createLetStatement): Deleted.
1108         (JSC::ASTBuilder::createConstStatement): Deleted.
1109         (JSC::ASTBuilder::appendConstDecl): Deleted.
1110         * parser/NodeConstructors.h:
1111         (JSC::CommaNode::CommaNode):
1112         (JSC::SourceElements::SourceElements):
1113         (JSC::SwitchNode::SwitchNode):
1114         (JSC::BlockNode::BlockNode):
1115         (JSC::ConstStatementNode::ConstStatementNode): Deleted.
1116         (JSC::ConstDeclNode::ConstDeclNode): Deleted.
1117         * parser/Nodes.h:
1118         (JSC::ConstDeclNode::hasInitializer): Deleted.
1119         (JSC::ConstDeclNode::ident): Deleted.
1120         * parser/Parser.cpp:
1121         (JSC::Parser<LexerType>::parseStatementListItem):
1122         (JSC::Parser<LexerType>::parseVariableDeclaration):
1123         (JSC::Parser<LexerType>::parseWhileStatement):
1124         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1125         (JSC::Parser<LexerType>::createBindingPattern):
1126         (JSC::Parser<LexerType>::parseDestructuringPattern):
1127         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
1128         (JSC::Parser<LexerType>::parseForStatement):
1129         (JSC::Parser<LexerType>::parseTryStatement):
1130         (JSC::Parser<LexerType>::parseFunctionInfo):
1131         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1132         (JSC::Parser<LexerType>::parseClass):
1133         (JSC::Parser<LexerType>::parseConstDeclaration): Deleted.
1134         (JSC::Parser<LexerType>::parseConstDeclarationList): Deleted.
1135         * parser/Parser.h:
1136         (JSC::isEvalNode):
1137         (JSC::isEvalNode<EvalNode>):
1138         (JSC::isArguments):
1139         (JSC::isEval):
1140         (JSC::isEvalOrArgumentsIdentifier):
1141         (JSC::Scope::Scope):
1142         (JSC::Scope::declareCallee):
1143         (JSC::Scope::declareVariable):
1144         (JSC::Scope::declareLexicalVariable):
1145         (JSC::Scope::hasDeclaredVariable):
1146         (JSC::Scope::allowsVarDeclarations):
1147         (JSC::Scope::allowsLexicalDeclarations):
1148         (JSC::Scope::declareParameter):
1149         (JSC::Scope::declareBoundParameter):
1150         (JSC::Parser::destructuringKindFromDeclarationType):
1151         (JSC::Parser::assignmentContextFromDeclarationType):
1152         (JSC::Parser::isEvalOrArguments):
1153         (JSC::Parser::currentScope):
1154         (JSC::Parser::popScope):
1155         (JSC::Parser::declareVariable):
1156         (JSC::Parser::hasDeclaredVariable):
1157         (JSC::Parser::setStrictMode):
1158         (JSC::Parser::strictMode):
1159         (JSC::Parser::isValidStrictMode):
1160         (JSC::Parser::declareParameter):
1161         (JSC::Parser::declareBoundParameter):
1162         (JSC::Parser::breakIsValid):
1163         * parser/SyntaxChecker.h:
1164         (JSC::SyntaxChecker::createForInLoop):
1165         (JSC::SyntaxChecker::createForOfLoop):
1166         (JSC::SyntaxChecker::createEmptyStatement):
1167         (JSC::SyntaxChecker::createDeclarationStatement):
1168         (JSC::SyntaxChecker::createReturnStatement):
1169         (JSC::SyntaxChecker::createBreakStatement):
1170         (JSC::SyntaxChecker::createVarStatement): Deleted.
1171         (JSC::SyntaxChecker::createLetStatement): Deleted.
1172         * parser/VariableEnvironment.h:
1173         (JSC::VariableEnvironmentEntry::isCaptured):
1174         (JSC::VariableEnvironmentEntry::isConst):
1175         (JSC::VariableEnvironmentEntry::isVar):
1176         (JSC::VariableEnvironmentEntry::isLet):
1177         (JSC::VariableEnvironmentEntry::setIsCaptured):
1178         (JSC::VariableEnvironmentEntry::setIsConst):
1179         (JSC::VariableEnvironmentEntry::setIsVar):
1180         (JSC::VariableEnvironmentEntry::setIsLet):
1181         (JSC::VariableEnvironmentEntry::isConstant): Deleted.
1182         (JSC::VariableEnvironmentEntry::setIsConstant): Deleted.
1183         * runtime/Executable.cpp:
1184         (JSC::ProgramExecutable::initializeGlobalProperties):
1185         * runtime/JSGlobalObject.cpp:
1186         (JSC::JSGlobalObject::defineOwnProperty):
1187         (JSC::JSGlobalObject::addGlobalVar):
1188         (JSC::JSGlobalObject::addFunction):
1189         (JSC::lastInPrototypeChain):
1190         * runtime/JSGlobalObject.h:
1191         (JSC::JSGlobalObject::finishCreation):
1192         (JSC::JSGlobalObject::addVar):
1193         (JSC::JSGlobalObject::addConst): Deleted.
1194         * runtime/JSLexicalEnvironment.cpp:
1195         (JSC::JSLexicalEnvironment::symbolTablePut):
1196         * tests/stress/const-and-with-statement.js: Added.
1197         (truth):
1198         (assert):
1199         (shouldThrowInvalidConstAssignment):
1200         (.):
1201         * tests/stress/const-exception-handling.js: Added.
1202         (truth):
1203         (assert):
1204         (.):
1205         * tests/stress/const-loop-semantics.js: Added.
1206         (truth):
1207         (assert):
1208         (shouldThrowInvalidConstAssignment):
1209         (.):
1210         * tests/stress/const-not-strict-mode.js: Added.
1211         (truth):
1212         (assert):
1213         (shouldThrowTDZ):
1214         (.):
1215         * tests/stress/const-semantics.js: Added.
1216         (truth):
1217         (assert):
1218         (shouldThrowInvalidConstAssignment):
1219         (.):
1220         * tests/stress/const-tdz.js: Added.
1221         (truth):
1222         (assert):
1223         (shouldThrowTDZ):
1224         (.):
1225
1226 2015-07-18  Saam barati  <saambarati1@gmail.com>
1227
1228         lexical scoping is broken with respect to "break" and "continue"
1229         https://bugs.webkit.org/show_bug.cgi?id=147063
1230
1231         Reviewed by Filip Pizlo.
1232
1233         Bug #142944 which introduced "let" and lexical scoping
1234         didn't properly hook into the bytecode generator's machinery
1235         for calculating scope depth deltas for "break" and "continue". This
1236         resulted in the bytecode generator popping an incorrect number
1237         of scopes when lexical scopes were involved.
1238
1239         This patch fixes this problem and generalizes this machinery a bit.
1240         This patch also renames old functions in a sensible way that is more
1241         coherent in a world with lexical scoping.
1242
1243         * bytecompiler/BytecodeGenerator.cpp:
1244         (JSC::BytecodeGenerator::BytecodeGenerator):
1245         (JSC::BytecodeGenerator::newLabelScope):
1246         (JSC::BytecodeGenerator::emitProfileType):
1247         (JSC::BytecodeGenerator::pushLexicalScope):
1248         (JSC::BytecodeGenerator::popLexicalScope):
1249         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1250         (JSC::BytecodeGenerator::resolveType):
1251         (JSC::BytecodeGenerator::emitResolveScope):
1252         (JSC::BytecodeGenerator::emitGetFromScope):
1253         (JSC::BytecodeGenerator::emitPutToScope):
1254         (JSC::BytecodeGenerator::emitPushWithScope):
1255         (JSC::BytecodeGenerator::emitGetParentScope):
1256         (JSC::BytecodeGenerator::emitPopScope):
1257         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
1258         (JSC::BytecodeGenerator::emitPopScopes):
1259         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
1260         (JSC::BytecodeGenerator::localScopeDepth):
1261         (JSC::BytecodeGenerator::labelScopeDepth):
1262         (JSC::BytecodeGenerator::emitThrowReferenceError):
1263         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1264         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
1265         (JSC::BytecodeGenerator::popScopedControlFlowContext):
1266         (JSC::BytecodeGenerator::emitPushCatchScope):
1267         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
1268         * bytecompiler/BytecodeGenerator.h:
1269         (JSC::BytecodeGenerator::hasFinaliser):
1270         (JSC::BytecodeGenerator::scopeDepth): Deleted.
1271         * bytecompiler/NodesCodegen.cpp:
1272         (JSC::ContinueNode::trivialTarget):
1273         (JSC::BreakNode::trivialTarget):
1274         (JSC::ReturnNode::emitBytecode):
1275         (JSC::WithNode::emitBytecode):
1276         (JSC::TryNode::emitBytecode):
1277         * tests/stress/lexical-scoping-break-continue.js: Added.
1278         (assert):
1279         (.):
1280
1281 2015-07-18  Commit Queue  <commit-queue@webkit.org>
1282
1283         Unreviewed, rolling out r186996.
1284         https://bugs.webkit.org/show_bug.cgi?id=147070
1285
1286         Broke JSC tests (Requested by smfr on #webkit).
1287
1288         Reverted changeset:
1289
1290         "lexical scoping is broken with respect to "break" and
1291         "continue""
1292         https://bugs.webkit.org/show_bug.cgi?id=147063
1293         http://trac.webkit.org/changeset/186996
1294
1295 2015-07-18  Saam barati  <saambarati1@gmail.com>
1296
1297         lexical scoping is broken with respect to "break" and "continue"
1298         https://bugs.webkit.org/show_bug.cgi?id=147063
1299
1300         Reviewed by Filip Pizlo.
1301
1302         Bug #142944 which introduced "let" and lexical scoping
1303         didn't properly hook into the bytecode generator's machinery
1304         for calculating scope depth deltas for "break" and "continue". This
1305         resulted in the bytecode generator popping an incorrect number
1306         of scopes when lexical scopes were involved.
1307
1308         This patch fixes this problem and generalizes this machinery a bit.
1309         This patch also renames old functions in a sensible way that is more
1310         coherent in a world with lexical scoping.
1311
1312         * bytecompiler/BytecodeGenerator.cpp:
1313         (JSC::BytecodeGenerator::BytecodeGenerator):
1314         (JSC::BytecodeGenerator::newLabelScope):
1315         (JSC::BytecodeGenerator::emitProfileType):
1316         (JSC::BytecodeGenerator::pushLexicalScope):
1317         (JSC::BytecodeGenerator::popLexicalScope):
1318         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1319         (JSC::BytecodeGenerator::resolveType):
1320         (JSC::BytecodeGenerator::emitResolveScope):
1321         (JSC::BytecodeGenerator::emitGetFromScope):
1322         (JSC::BytecodeGenerator::emitPutToScope):
1323         (JSC::BytecodeGenerator::emitPushWithScope):
1324         (JSC::BytecodeGenerator::emitGetParentScope):
1325         (JSC::BytecodeGenerator::emitPopScope):
1326         (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
1327         (JSC::BytecodeGenerator::emitPopScopes):
1328         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
1329         (JSC::BytecodeGenerator::localScopeDepth):
1330         (JSC::BytecodeGenerator::labelScopeDepth):
1331         (JSC::BytecodeGenerator::emitThrowReferenceError):
1332         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1333         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
1334         (JSC::BytecodeGenerator::popScopedControlFlowContext):
1335         (JSC::BytecodeGenerator::emitPushCatchScope):
1336         (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
1337         * bytecompiler/BytecodeGenerator.h:
1338         (JSC::BytecodeGenerator::hasFinaliser):
1339         (JSC::BytecodeGenerator::scopeDepth): Deleted.
1340         * bytecompiler/NodesCodegen.cpp:
1341         (JSC::ContinueNode::trivialTarget):
1342         (JSC::BreakNode::trivialTarget):
1343         (JSC::ReturnNode::emitBytecode):
1344         (JSC::WithNode::emitBytecode):
1345         (JSC::TryNode::emitBytecode):
1346         * tests/stress/lexical-scoping-break-continue.js: Added.
1347         (assert):
1348         (.):
1349
1350 2015-07-17  Filip Pizlo  <fpizlo@apple.com>
1351
1352         DFG should have some obvious mitigations against watching structures that are unprofitable to watch
1353         https://bugs.webkit.org/show_bug.cgi?id=147034
1354
1355         Reviewed by Mark Lam and Michael Saboff.
1356         
1357         This implements two guards against the DFG watching structures that are likely to fire
1358         their watchpoints:
1359         
1360         - Don't watch dictionaries or any structure that had a dictionary in its past. Dictionaries
1361           can be flattened, and then they can transform back to dictionaries.
1362         
1363         - Don't watch structures whose past structures were transitioned-away from while their
1364           transition watchpoints were being watched. This property gives us monotonicity: if we
1365           recompile because we watched structure S1 of object O, then we won't make the same mistake
1366           again when object O has structure S2, S3, and so on.
1367         
1368         This is a 1.5% speed-up on Kraken. It does penalize some Octane tests, but it also seems to
1369         help some of them, so on Octane it's basically neutral.
1370
1371         * bytecode/Watchpoint.h:
1372         (JSC::WatchpointSet::invalidate):
1373         (JSC::WatchpointSet::isBeingWatched):
1374         (JSC::WatchpointSet::addressOfState):
1375         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
1376         (JSC::InlineWatchpointSet::touch):
1377         (JSC::InlineWatchpointSet::isBeingWatched):
1378         * runtime/JSGlobalObject.h:
1379         (JSC::JSGlobalObject::createStructure):
1380         (JSC::JSGlobalObject::registerWeakMap):
1381         * runtime/Structure.cpp:
1382         (JSC::Structure::Structure):
1383         (JSC::Structure::toDictionaryTransition):
1384         (JSC::Structure::didTransitionFromThisStructure):
1385         * runtime/Structure.h:
1386
1387 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
1388
1389         Remove DFG::DesiredWriteBarriers because it's just a very difficult way of saying "please barrier the machine code block owner"
1390         https://bugs.webkit.org/show_bug.cgi?id=147030
1391
1392         Reviewed by Andreas Kling.
1393         
1394         All of the users of DesiredWriteBarriers were just using it to request that Plan
1395         finalization executes a barrier on codeBlock->ownerExecutable. Indeed, that's the only
1396         owning cell in the heap that compilation affects. So, we might as well just have Plan
1397         unconditionally execute that barrier and then we don't need DesiredWriteBarriers at
1398         all.
1399
1400         * CMakeLists.txt:
1401         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1402         * JavaScriptCore.xcodeproj/project.pbxproj:
1403         * dfg/DFGByteCodeParser.cpp:
1404         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1405         * dfg/DFGDesiredWriteBarriers.cpp: Removed.
1406         * dfg/DFGDesiredWriteBarriers.h: Removed.
1407         * dfg/DFGGraph.cpp:
1408         (JSC::DFG::Graph::registerFrozenValues):
1409         * dfg/DFGPlan.cpp:
1410         (JSC::DFG::Plan::reallyAdd):
1411         (JSC::DFG::Plan::notifyCompiling):
1412         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1413         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1414         (JSC::DFG::Plan::cancel):
1415         * dfg/DFGPlan.h:
1416
1417 2015-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1418
1419         Integrate automatic microtask draining into JSC framework and re-enable Promise
1420         https://bugs.webkit.org/show_bug.cgi?id=146828
1421
1422         Reviewed by Sam Weinig.
1423
1424         Add automatic microtask draining system into JSC framework.
1425         When the depth of VM lock becomes 0, before this, we drain the queued microtasks.
1426         Enqueuing behavior can be injected by the JSGlobalObject's method table.
1427         It is utilized in WebCore to post the microtask to WebCore's event loop.
1428
1429         In the case of JSC interactive shell, VM depth is always greater than 0.
1430         So we manually drains the queued microtasks after evaluating the written line.
1431
1432         Since now JSC framework has the microtask queue, we can drain the queued microtasks.
1433         So re-enable the Promise in the JSC framework context.
1434
1435         * API/JSContextRef.cpp:
1436         (javaScriptRuntimeFlags): Deleted.
1437         * API/tests/testapi.c:
1438         (main):
1439         * API/tests/testapi.mm:
1440         (testObjectiveCAPIMain):
1441         * jsc.cpp:
1442         (runInteractive):
1443         * runtime/JSGlobalObject.cpp:
1444         (JSC::JSGlobalObject::queueMicrotask):
1445         * runtime/JSLock.cpp:
1446         (JSC::JSLock::willReleaseLock):
1447         * runtime/VM.cpp:
1448         (JSC::VM::queueMicrotask):
1449         (JSC::VM::drainMicrotasks):
1450         (JSC::QueuedTask::run):
1451         * runtime/VM.h:
1452         (JSC::QueuedTask::QueuedTask):
1453
1454 2015-07-17  Saam barati  <saambarati1@gmail.com>
1455
1456         Function parameters should be parsed in the same parser arena as the function body
1457         https://bugs.webkit.org/show_bug.cgi?id=145995
1458
1459         Reviewed by Yusuke Suzuki.
1460
1461         This patch changes how functions are parsed in JSC. A function's
1462         parameters are now parsed in the same arena as the function itself.
1463         This allows us to arena allocate all destructuring AST nodes and
1464         the FunctionParameters node. This will help make implementing ES6
1465         default parameter values sane.
1466
1467         A source code that represents a function now includes the text of the function's 
1468         parameters. The starting offset is at the opening parenthesis of the parameter
1469         list or at the starting character of the identifier for arrow functions that
1470         have single arguments and don't start with parenthesis.
1471
1472         For example:
1473
1474         "function (param1, param2) { ... }"
1475                                    ^
1476                                    | This offset used to be the starting offset of a function's SourceCode
1477                   ^
1478                   | This is the new starting offset for a function's SourceCode.
1479
1480         This requires us to change how some offsets are calculated
1481         and also requires us to report some different line numbers for internal
1482         metrics that use a SourceCode's starting line and column numbers.
1483
1484         This patch also does a bit of cleanup with regards to how
1485         functions are parsed in general (especially arrow functions).
1486         It removes some unnecessary #ifdefs and the likes for arrow
1487         to make things clearer and more deliberate.
1488
1489         * API/JSScriptRef.cpp:
1490         (parseScript):
1491         * builtins/BuiltinExecutables.cpp:
1492         (JSC::BuiltinExecutables::createExecutableInternal):
1493         * bytecode/UnlinkedCodeBlock.cpp:
1494         (JSC::generateFunctionCodeBlock):
1495         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1496         (JSC::UnlinkedFunctionExecutable::visitChildren):
1497         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
1498         * bytecode/UnlinkedCodeBlock.h:
1499         * bytecompiler/NodesCodegen.cpp:
1500         (JSC::DestructuringAssignmentNode::emitBytecode):
1501         (JSC::assignDefaultValueIfUndefined):
1502         (JSC::ArrayPatternNode::collectBoundIdentifiers):
1503         (JSC::DestructuringPatternNode::~DestructuringPatternNode): Deleted.
1504         * parser/ASTBuilder.h:
1505         (JSC::ASTBuilder::createClassExpr):
1506         (JSC::ASTBuilder::createFunctionExpr):
1507         (JSC::ASTBuilder::createFunctionBody):
1508         (JSC::ASTBuilder::createArrowFunctionExpr):
1509         (JSC::ASTBuilder::createGetterOrSetterProperty):
1510         (JSC::ASTBuilder::createElementList):
1511         (JSC::ASTBuilder::createFormalParameterList):
1512         (JSC::ASTBuilder::appendParameter):
1513         (JSC::ASTBuilder::createClause):
1514         (JSC::ASTBuilder::createClauseList):
1515         (JSC::ASTBuilder::createFuncDeclStatement):
1516         (JSC::ASTBuilder::createForInLoop):
1517         (JSC::ASTBuilder::createForOfLoop):
1518         (JSC::ASTBuilder::isResolve):
1519         (JSC::ASTBuilder::createDestructuringAssignment):
1520         (JSC::ASTBuilder::createArrayPattern):
1521         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
1522         (JSC::ASTBuilder::appendArrayPatternEntry):
1523         (JSC::ASTBuilder::appendArrayPatternRestEntry):
1524         (JSC::ASTBuilder::finishArrayPattern):
1525         (JSC::ASTBuilder::createObjectPattern):
1526         (JSC::ASTBuilder::appendObjectPatternEntry):
1527         (JSC::ASTBuilder::createBindingLocation):
1528         (JSC::ASTBuilder::setEndOffset):
1529         * parser/Lexer.cpp:
1530         (JSC::Lexer<T>::Lexer):
1531         (JSC::Lexer<T>::nextTokenIsColon):
1532         (JSC::Lexer<T>::setTokenPosition):
1533         (JSC::Lexer<T>::lex):
1534         (JSC::Lexer<T>::clear):
1535         * parser/Lexer.h:
1536         (JSC::Lexer::setIsReparsingFunction):
1537         (JSC::Lexer::isReparsingFunction):
1538         (JSC::Lexer::lineNumber):
1539         (JSC::Lexer::setIsReparsing): Deleted.
1540         (JSC::Lexer::isReparsing): Deleted.
1541         * parser/NodeConstructors.h:
1542         (JSC::TryNode::TryNode):
1543         (JSC::FunctionParameters::FunctionParameters):
1544         (JSC::FuncExprNode::FuncExprNode):
1545         (JSC::FuncDeclNode::FuncDeclNode):
1546         (JSC::ArrayPatternNode::ArrayPatternNode):
1547         (JSC::ObjectPatternNode::ObjectPatternNode):
1548         (JSC::BindingNode::BindingNode):
1549         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
1550         (JSC::ParameterNode::ParameterNode): Deleted.
1551         (JSC::ArrayPatternNode::create): Deleted.
1552         (JSC::ObjectPatternNode::create): Deleted.
1553         (JSC::BindingNode::create): Deleted.
1554         * parser/Nodes.cpp:
1555         (JSC::ProgramNode::ProgramNode):
1556         (JSC::EvalNode::EvalNode):
1557         (JSC::FunctionBodyNode::FunctionBodyNode):
1558         (JSC::FunctionBodyNode::finishParsing):
1559         (JSC::FunctionNode::FunctionNode):
1560         (JSC::FunctionNode::finishParsing):
1561         (JSC::FunctionParameters::create): Deleted.
1562         (JSC::FunctionParameters::FunctionParameters): Deleted.
1563         (JSC::FunctionParameters::~FunctionParameters): Deleted.
1564         * parser/Nodes.h:
1565         (JSC::ProgramNode::startColumn):
1566         (JSC::ProgramNode::endColumn):
1567         (JSC::EvalNode::startColumn):
1568         (JSC::EvalNode::endColumn):
1569         (JSC::FunctionParameters::size):
1570         (JSC::FunctionParameters::at):
1571         (JSC::FunctionParameters::append):
1572         (JSC::FuncExprNode::body):
1573         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
1574         (JSC::DestructuringPatternNode::isBindingNode):
1575         (JSC::DestructuringPatternNode::emitDirectBinding):
1576         (JSC::ArrayPatternNode::appendIndex):
1577         (JSC::ObjectPatternNode::appendEntry):
1578         (JSC::BindingNode::boundProperty):
1579         (JSC::BindingNode::divotStart):
1580         (JSC::BindingNode::divotEnd):
1581         (JSC::DestructuringAssignmentNode::bindings):
1582         (JSC::FuncDeclNode::body):
1583         (JSC::ParameterNode::pattern): Deleted.
1584         (JSC::ParameterNode::nextParam): Deleted.
1585         (JSC::FunctionParameters::patterns): Deleted.
1586         * parser/Parser.cpp:
1587         (JSC::Parser<LexerType>::Parser):
1588         (JSC::Parser<LexerType>::~Parser):
1589         (JSC::Parser<LexerType>::parseInner):
1590         (JSC::Parser<LexerType>::allowAutomaticSemicolon):
1591         (JSC::Parser<LexerType>::parseSourceElements):
1592         (JSC::Parser<LexerType>::createBindingPattern):
1593         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
1594         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
1595         (JSC::Parser<LexerType>::parseSwitchClauses):
1596         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
1597         (JSC::Parser<LexerType>::parseBlockStatement):
1598         (JSC::Parser<LexerType>::parseStatement):
1599         (JSC::Parser<LexerType>::parseFormalParameters):
1600         (JSC::Parser<LexerType>::parseFunctionBody):
1601         (JSC::stringForFunctionMode):
1602         (JSC::Parser<LexerType>::parseFunctionParameters):
1603         (JSC::Parser<LexerType>::parseFunctionInfo):
1604         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1605         (JSC::Parser<LexerType>::parseClass):
1606         (JSC::Parser<LexerType>::parsePrimaryExpression):
1607         (JSC::Parser<LexerType>::parseMemberExpression):
1608         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1609         (JSC::operatorString):
1610         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody): Deleted.
1611         * parser/Parser.h:
1612         (JSC::Parser::positionBeforeLastNewline):
1613         (JSC::Parser::locationBeforeLastToken):
1614         (JSC::Parser::findCachedFunctionInfo):
1615         (JSC::Parser::isofToken):
1616         (JSC::Parser::isEndOfArrowFunction):
1617         (JSC::Parser::isArrowFunctionParamters):
1618         (JSC::Parser::tokenStart):
1619         (JSC::Parser::isLETMaskedAsIDENT):
1620         (JSC::Parser::autoSemiColon):
1621         (JSC::Parser::setEndOfStatement):
1622         (JSC::Parser::canRecurse):
1623         (JSC::Parser<LexerType>::parse):
1624         (JSC::parse):
1625         * parser/ParserFunctionInfo.h:
1626         * parser/ParserModes.h:
1627         (JSC::functionNameIsInScope):
1628         * parser/SourceCode.h:
1629         (JSC::makeSource):
1630         (JSC::SourceCode::subExpression):
1631         (JSC::SourceCode::subArrowExpression): Deleted.
1632         * parser/SourceProviderCache.h:
1633         (JSC::SourceProviderCache::get):
1634         * parser/SourceProviderCacheItem.h:
1635         (JSC::SourceProviderCacheItem::endFunctionToken):
1636         (JSC::SourceProviderCacheItem::usedVariables):
1637         (JSC::SourceProviderCacheItem::writtenVariables):
1638         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1639         * parser/SyntaxChecker.h:
1640         (JSC::SyntaxChecker::SyntaxChecker):
1641         (JSC::SyntaxChecker::createClassExpr):
1642         (JSC::SyntaxChecker::createFunctionExpr):
1643         (JSC::SyntaxChecker::createFunctionBody):
1644         (JSC::SyntaxChecker::createArrowFunctionExpr):
1645         (JSC::SyntaxChecker::setFunctionNameStart):
1646         (JSC::SyntaxChecker::createArguments):
1647         (JSC::SyntaxChecker::createPropertyList):
1648         (JSC::SyntaxChecker::createElementList):
1649         (JSC::SyntaxChecker::createFormalParameterList):
1650         (JSC::SyntaxChecker::appendParameter):
1651         (JSC::SyntaxChecker::createClause):
1652         (JSC::SyntaxChecker::createClauseList):
1653         * runtime/CodeCache.cpp:
1654         (JSC::CodeCache::getGlobalCodeBlock):
1655         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1656         * runtime/Completion.cpp:
1657         (JSC::checkSyntax):
1658         * runtime/Executable.cpp:
1659         (JSC::ProgramExecutable::checkSyntax):
1660         * tests/controlFlowProfiler/conditional-expression.js:
1661         (testConditionalFunctionCall):
1662
1663 2015-07-16  Filip Pizlo  <fpizlo@apple.com>
1664
1665         Unreviewed, fix build for newer LLVMs.
1666
1667         * llvm/LLVMHeaders.h:
1668         * llvm/library/LLVMExports.cpp:
1669
1670 2015-07-16  Mark Lam  <mark.lam@apple.com>
1671
1672         RegExp::match() should set m_state to ByteCode if compilation fails.
1673         https://bugs.webkit.org/show_bug.cgi?id=147023
1674
1675         Reviewed by Michael Saboff.
1676
1677         A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
1678         If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
1679         Subsequently, if RegExp tries to compile another one of these but fails, m_state
1680         will be left untouched i.e. it still says JITCode.  As a result, when
1681         RegExp::match() later tries to execute the non-existant compiled code, it will
1682         crash.
1683
1684         The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
1685         This failure should be rare.  We'll do the minimal work here to fix the issue and
1686         keep an eye on the perf bots.  If perf regresses, we can do some optimization work then.
1687
1688         This issue is difficult to test for since it either requires a low memory condition
1689         to trigger a failed RegExp compilation at the right moment, or for the RegExp to
1690         succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
1691         Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
1692         10 compilation attempts.
1693
1694         * runtime/RegExp.cpp:
1695         (JSC::RegExp::compile):
1696         (JSC::RegExp::compileMatchOnly):
1697
1698 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
1699
1700         [Win] Fix armv7 build.
1701
1702         * jit/CCallHelpers.h:
1703         (JSC::CCallHelpers::setupArgumentsWithExecState): The 64-bit argument
1704         version of poke is not available on armv7 builds.
1705
1706 2015-07-15  Brent Fulgham  <bfulgham@apple.com>
1707
1708         [Win] 64-bit Build Failure
1709         https://bugs.webkit.org/show_bug.cgi?id=146989
1710
1711         Reviewed by Mark Lam.
1712
1713         * jit/CCallHelpers.h:
1714         (JSC::CCallHelpers::setupArgumentsWithExecState): Add missing
1715         declaration for 64-bit type on 4-argument register machines (like
1716         Windows).
1717
1718 2015-07-15  Saam barati  <saambarati1@gmail.com>
1719
1720         [ES6] implement block scoping to enable 'let'
1721         https://bugs.webkit.org/show_bug.cgi?id=142944
1722
1723         Reviewed by Filip Pizlo.
1724
1725         * CMakeLists.txt:
1726         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1727         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1728         * JavaScriptCore.xcodeproj/project.pbxproj:
1729         * builtins/BuiltinExecutables.cpp:
1730         (JSC::BuiltinExecutables::createExecutableInternal):
1731         * bytecode/BytecodeList.json:
1732         This patch adds a new opcode and removes op_pop_scope:
1733         1) op_get_parent_scope returns the parent scope but doesn't 
1734         implicitly write that scope into the scope register. op_pop_scope
1735         is now reduced to op_get_parent_scope followed by op_mov.
1736
1737         * bytecode/BytecodeUseDef.h:
1738         (JSC::computeUsesForBytecodeOffset):
1739         (JSC::computeDefsForBytecodeOffset):
1740         * bytecode/CodeBlock.cpp:
1741         (JSC::CodeBlock::dumpBytecode):
1742         (JSC::CodeBlock::CodeBlock):
1743         (JSC::CodeBlock::stronglyVisitStrongReferences):
1744         * bytecode/CodeBlock.h:
1745         (JSC::CodeBlock::addStringSwitchJumpTable):
1746         (JSC::CodeBlock::stringSwitchJumpTable):
1747         (JSC::CodeBlock::symbolTable):
1748         (JSC::CodeBlock::evalCodeCache):
1749         (JSC::CodeBlock::setConstantRegisters):
1750         (JSC::CodeBlock::replaceConstant):
1751         op_put_to_scope for LocalClosureVar now takes as an argument
1752         the constant index for the Symbol Table it will be putting into.
1753         This argument is only used to communicate from the BytecodeGenerator
1754         to CodeBlock linking time and it is not present in the linked bytecode.
1755
1756         op_put_to_scope for non LocalClosureVar takes, at the same index, an
1757         argument that represents the local scope depth which it uses for
1758         JSScope::abstractResolve to know how many scopes it needs to skip.
1759         Again, this is not in the linked code.
1760         op_get_from_scope and op_resolve_scope also take as an argument
1761         the local scope depth to use in JSScope::abstractResolve. Again,
1762         this is not used in the linked code.
1763
1764         * bytecode/EvalCodeCache.h:
1765         (JSC::EvalCodeCache::tryGet):
1766         (JSC::EvalCodeCache::getSlow):
1767         (JSC::EvalCodeCache::clear):
1768         (JSC::EvalCodeCache::isCacheable):
1769         When direct eval is called and passed a scope that 
1770         corresponds to a lexical scope, we can't safely cache 
1771         that code because we won't be able to guarantee
1772         that the cached code is always executed in the same scope.
1773         Consider this example:
1774         function foo() {
1775             let x = 20;
1776             eval("x;");
1777             if (b) {
1778                 let x = 30;
1779                 if (b) {
1780                     let y = 40;
1781                     eval("x;")
1782                 }
1783             }
1784         }
1785
1786         We can't reuse resolution depth when linking get_from_scope in evals.
1787
1788         * bytecode/UnlinkedCodeBlock.cpp:
1789         (JSC::generateFunctionCodeBlock):
1790         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1791         (JSC::UnlinkedFunctionExecutable::parameterCount):
1792         * bytecode/UnlinkedCodeBlock.h:
1793         Unlinked functions now know the variables that were under TDZ in their parent
1794         scope.
1795
1796         (JSC::UnlinkedCodeBlock::symbolTable):
1797         (JSC::UnlinkedCodeBlock::setSymbolTable):
1798         (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
1799         (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
1800         (JSC::UnlinkedCodeBlock::vm):
1801         * bytecompiler/BytecodeGenerator.cpp:
1802         (JSC::BytecodeGenerator::generate):
1803         (JSC::BytecodeGenerator::BytecodeGenerator):
1804         (JSC::BytecodeGenerator::~BytecodeGenerator):
1805         (JSC::BytecodeGenerator::newRegister):
1806         (JSC::BytecodeGenerator::reclaimFreeRegisters):
1807         (JSC::BytecodeGenerator::newBlockScopeVariable):
1808         (JSC::BytecodeGenerator::newTemporary):
1809         (JSC::BytecodeGenerator::emitProfileType):
1810         (JSC::BytecodeGenerator::emitLoadGlobalObject):
1811         (JSC::BytecodeGenerator::pushLexicalScope):
1812         (JSC::BytecodeGenerator::popLexicalScope):
1813         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1814         (JSC::BytecodeGenerator::variable):
1815         (JSC::BytecodeGenerator::variablePerSymbolTable):
1816         (JSC::BytecodeGenerator::variableForLocalEntry):
1817         (JSC::BytecodeGenerator::createVariable):
1818         (JSC::BytecodeGenerator::emitResolveScope):
1819         (JSC::BytecodeGenerator::emitGetFromScope):
1820         (JSC::BytecodeGenerator::emitPutToScope):
1821         (JSC::BytecodeGenerator::initializeVariable):
1822         (JSC::BytecodeGenerator::emitTDZCheck):
1823         (JSC::BytecodeGenerator::needsTDZCheck):
1824         (JSC::BytecodeGenerator::emitTDZCheckIfNecessary):
1825         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
1826         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1827         (JSC::BytecodeGenerator::emitNewObject):
1828         (JSC::BytecodeGenerator::emitPushWithScope):
1829         (JSC::BytecodeGenerator::emitGetParentScope):
1830         (JSC::BytecodeGenerator::emitPopScope):
1831         (JSC::BytecodeGenerator::emitDebugHook):
1832         (JSC::BytecodeGenerator::pushFinallyContext):
1833         (JSC::BytecodeGenerator::pushIteratorCloseContext):
1834         (JSC::BytecodeGenerator::emitComplexPopScopes):
1835         (JSC::BytecodeGenerator::emitPopScopes):
1836         (JSC::BytecodeGenerator::popTryAndEmitCatch):
1837         (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
1838         (JSC::BytecodeGenerator::currentScopeDepth):
1839         (JSC::BytecodeGenerator::emitThrowReferenceError):
1840         (JSC::BytecodeGenerator::emitPushCatchScope):
1841         (JSC::BytecodeGenerator::beginSwitch):
1842         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1843         (JSC::BytecodeGenerator::emitEnumeration):
1844         * bytecompiler/BytecodeGenerator.h:
1845         (JSC::Variable::Variable):
1846         (JSC::Variable::isResolved):
1847         (JSC::Variable::symbolTableConstantIndex):
1848         (JSC::Variable::ident):
1849         (JSC::BytecodeGenerator::ignoredResult):
1850         (JSC::BytecodeGenerator::tempDestination):
1851         (JSC::BytecodeGenerator::lastOpcodeID):
1852         (JSC::BytecodeGenerator::makeFunction):
1853         (JSC::BytecodeGenerator::symbolTable):
1854         (JSC::BytecodeGenerator::shouldOptimizeLocals): Deleted.
1855         (JSC::BytecodeGenerator::canOptimizeNonLocals): Deleted.
1856         The heart of the changes in this patch are in the bytecode generator.
1857         The bytecode generator now keeps a stack of tuples of 
1858         {symbol table, scope register, flag indicating catch or with scope, symbol table index in constant pool}
1859         that models the runtime scope stack. This symbol table stack is used
1860         in resolving local variables.
1861
1862         Also, the bytecode generator handles pushing and popping of lexical scopes. 
1863         This is relatively straight forward:
1864         Captured 'let' variables end up in the JSLexicalEnvironment scope and non-captured
1865         variables end up on the stack. Some trickiness is involved in generating
1866         code for 'for' loops that have captured variables (I'm talking about variables in the loop
1867         header, not the loop body). Each iteration of the for loop ends up with 
1868         its own JSLexicalEnvironment. Static code must be generated in such a way 
1869         to create this runtime behavior. This is done by emitting instructions to 
1870         push and pop a lexical scope at the end of each loop and copying values
1871         from the previous loop's scope into the new scope. This code must also
1872         ensure that each loop iteration's scope refers to the same underlying 
1873         SymbolTable so that no scope is accidentally mistaken as being a singleton scope.
1874
1875         When the debugger is enabled, all lexically defined variables will end up in the
1876         JSLexicalEnvironment.
1877
1878         * bytecompiler/NodesCodegen.cpp:
1879         (JSC::ResolveNode::emitBytecode):
1880         (JSC::FunctionCallResolveNode::emitBytecode):
1881         (JSC::PostfixNode::emitResolve):
1882         (JSC::DeleteResolveNode::emitBytecode):
1883         (JSC::TypeOfResolveNode::emitBytecode):
1884         (JSC::PrefixNode::emitResolve):
1885         (JSC::ReadModifyResolveNode::emitBytecode):
1886         (JSC::AssignResolveNode::emitBytecode):
1887         (JSC::BlockNode::emitBytecode):
1888         (JSC::ExprStatementNode::emitBytecode):
1889         (JSC::DeclarationStatement::emitBytecode):
1890         (JSC::EmptyVarExpression::emitBytecode):
1891         (JSC::EmptyLetExpression::emitBytecode):
1892         (JSC::ForNode::emitBytecode):
1893         (JSC::ForInNode::emitMultiLoopBytecode):
1894         (JSC::ForOfNode::emitBytecode):
1895         (JSC::SwitchNode::emitBytecode):
1896         (JSC::BindingNode::bindValue):
1897         (JSC::VarStatementNode::emitBytecode): Deleted.
1898         * debugger/DebuggerCallFrame.cpp:
1899         (JSC::DebuggerCallFrame::evaluate):
1900         * debugger/DebuggerScope.cpp:
1901         (JSC::DebuggerScope::getOwnPropertySlot):
1902         (JSC::DebuggerScope::put):
1903         * dfg/DFGByteCodeParser.cpp:
1904         (JSC::DFG::ByteCodeParser::parseBlock):
1905         * dfg/DFGCapabilities.cpp:
1906         (JSC::DFG::capabilityLevel):
1907         * dfg/DFGNode.h:
1908         (JSC::DFG::Node::castConstant):
1909         (JSC::DFG::Node::initializationValueForActivation):
1910         (JSC::DFG::Node::containsMovHint):
1911         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1912         CreateActivation nodes now have a second OpInfo that tracks the 
1913         initial value that needs to be placed in the activation. This initial value 
1914         is also used in allocation sinking to create proper bottom values for all 
1915         scope variables.
1916
1917         * dfg/DFGOperations.cpp:
1918         * dfg/DFGOperations.h:
1919         * dfg/DFGSpeculativeJIT.cpp:
1920         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1921         * dfg/DFGSpeculativeJIT.h:
1922         (JSC::DFG::SpeculativeJIT::callOperation):
1923         * ftl/FTLIntrinsicRepository.h:
1924         * ftl/FTLLowerDFGToLLVM.cpp:
1925         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
1926         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
1927         * ftl/FTLOperations.cpp:
1928         (JSC::FTL::operationMaterializeObjectInOSR):
1929         * interpreter/Interpreter.cpp:
1930         (JSC::Interpreter::execute):
1931         * jit/CCallHelpers.h:
1932         (JSC::CCallHelpers::setupArgumentsWithExecState):
1933         * jit/JIT.cpp:
1934         (JSC::JIT::privateCompileMainPass):
1935         * jit/JIT.h:
1936         * jit/JITInlines.h:
1937         (JSC::JIT::callOperation):
1938         * jit/JITOpcodes.cpp:
1939         (JSC::JIT::emit_op_push_with_scope):
1940         (JSC::JIT::compileOpStrictEq):
1941         (JSC::JIT::emit_op_catch):
1942         (JSC::JIT::emit_op_create_lexical_environment):
1943         (JSC::JIT::emit_op_get_parent_scope):
1944         (JSC::JIT::emit_op_switch_imm):
1945         (JSC::JIT::emit_op_enter):
1946         (JSC::JIT::emit_op_get_scope):
1947         (JSC::JIT::emit_op_pop_scope): Deleted.
1948         * jit/JITOpcodes32_64.cpp:
1949         (JSC::JIT::emit_op_push_with_scope):
1950         (JSC::JIT::emit_op_to_number):
1951         (JSC::JIT::emit_op_catch):
1952         (JSC::JIT::emit_op_create_lexical_environment):
1953         (JSC::JIT::emit_op_get_parent_scope):
1954         (JSC::JIT::emit_op_switch_imm):
1955         (JSC::JIT::emit_op_enter):
1956         (JSC::JIT::emit_op_get_scope):
1957         (JSC::JIT::emit_op_pop_scope): Deleted.
1958         * jit/JITOperations.cpp:
1959         (JSC::canAccessArgumentIndexQuickly):
1960         * jit/JITOperations.h:
1961         * llint/LLIntSlowPaths.cpp:
1962         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1963         * llint/LLIntSlowPaths.h:
1964         * llint/LowLevelInterpreter.asm:
1965         * llint/LowLevelInterpreter32_64.asm:
1966         * llint/LowLevelInterpreter64.asm:
1967         * parser/ASTBuilder.h:
1968         (JSC::ASTBuilder::createSourceElements):
1969         (JSC::ASTBuilder::funcDeclarations):
1970         (JSC::ASTBuilder::features):
1971         (JSC::ASTBuilder::numConstants):
1972         (JSC::ASTBuilder::createConditionalExpr):
1973         (JSC::ASTBuilder::createAssignResolve):
1974         (JSC::ASTBuilder::createClassDeclStatement):
1975         (JSC::ASTBuilder::createBlockStatement):
1976         (JSC::ASTBuilder::createIfStatement):
1977         (JSC::ASTBuilder::createForLoop):
1978         (JSC::ASTBuilder::createForInLoop):
1979         (JSC::ASTBuilder::createForOfLoop):
1980         (JSC::ASTBuilder::isBindingNode):
1981         (JSC::ASTBuilder::createEmptyStatement):
1982         (JSC::ASTBuilder::createDeclarationStatement):
1983         (JSC::ASTBuilder::createVarStatement):
1984         (JSC::ASTBuilder::createLetStatement):
1985         (JSC::ASTBuilder::createEmptyVarExpression):
1986         (JSC::ASTBuilder::createEmptyLetExpression):
1987         (JSC::ASTBuilder::createReturnStatement):
1988         (JSC::ASTBuilder::createTryStatement):
1989         (JSC::ASTBuilder::createSwitchStatement):
1990         (JSC::ASTBuilder::appendStatement):
1991         (JSC::ASTBuilder::createCommaExpr):
1992         (JSC::ASTBuilder::appendObjectPatternEntry):
1993         (JSC::ASTBuilder::createBindingLocation):
1994         (JSC::ASTBuilder::setEndOffset):
1995         (JSC::ASTBuilder::Scope::Scope):
1996         (JSC::ASTBuilder::makeAssignNode):
1997         (JSC::ASTBuilder::varDeclarations): Deleted.
1998         (JSC::ASTBuilder::addVar): Deleted.
1999         * parser/Keywords.table:
2000         * parser/NodeConstructors.h:
2001         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
2002         (JSC::AssignResolveNode::AssignResolveNode):
2003         (JSC::ExprStatementNode::ExprStatementNode):
2004         (JSC::DeclarationStatement::DeclarationStatement):
2005         (JSC::EmptyVarExpression::EmptyVarExpression):
2006         (JSC::EmptyLetExpression::EmptyLetExpression):
2007         (JSC::IfElseNode::IfElseNode):
2008         (JSC::WhileNode::WhileNode):
2009         (JSC::ForNode::ForNode):
2010         (JSC::CaseBlockNode::CaseBlockNode):
2011         (JSC::SwitchNode::SwitchNode):
2012         (JSC::ConstDeclNode::ConstDeclNode):
2013         (JSC::BlockNode::BlockNode):
2014         (JSC::EnumerationNode::EnumerationNode):
2015         (JSC::ForInNode::ForInNode):
2016         (JSC::ForOfNode::ForOfNode):
2017         (JSC::ObjectPatternNode::create):
2018         (JSC::BindingNode::create):
2019         (JSC::BindingNode::BindingNode):
2020         (JSC::VarStatementNode::VarStatementNode): Deleted.
2021         * parser/Nodes.cpp:
2022         (JSC::ScopeNode::ScopeNode):
2023         (JSC::ScopeNode::singleStatement):
2024         (JSC::ProgramNode::ProgramNode):
2025         (JSC::EvalNode::EvalNode):
2026         (JSC::FunctionNode::FunctionNode):
2027         (JSC::FunctionNode::finishParsing):
2028         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
2029         * parser/Nodes.h:
2030         (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
2031         (JSC::VariableEnvironmentNode::lexicalVariables):
2032         (JSC::ScopeNode::usesThis):
2033         (JSC::ScopeNode::needsActivationForMoreThanVariables):
2034         (JSC::ScopeNode::needsActivation):
2035         (JSC::ScopeNode::hasCapturedVariables):
2036         (JSC::ScopeNode::captures):
2037         (JSC::ScopeNode::varDeclarations):
2038         (JSC::ScopeNode::functionStack):
2039         (JSC::ScopeNode::neededConstants):
2040         (JSC::ProgramNode::startColumn):
2041         (JSC::ProgramNode::endColumn):
2042         (JSC::EvalNode::startColumn):
2043         (JSC::EvalNode::endColumn):
2044         (JSC::BindingNode::boundProperty):
2045         (JSC::BindingNode::divotStart):
2046         (JSC::BindingNode::divotEnd):
2047         (JSC::ScopeNode::capturedVariableCount): Deleted.
2048         (JSC::ScopeNode::capturedVariables): Deleted.
2049         (JSC::ScopeNode::varStack): Deleted.
2050         There is a new class called 'VariableEnvironmentNode' that has the
2051         necessary fields to model a lexical scope. Multiple AST nodes now 
2052         also inherit from VariableEnvironmentNode.
2053
2054         * parser/Parser.cpp:
2055         (JSC::Parser<LexerType>::parseInner):
2056         (JSC::Parser<LexerType>::didFinishParsing):
2057         (JSC::Parser<LexerType>::parseStatementListItem):
2058         (JSC::Parser<LexerType>::parseVariableDeclaration):
2059         (JSC::Parser<LexerType>::parseWhileStatement):
2060         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2061         (JSC::Parser<LexerType>::createBindingPattern):
2062         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
2063         (JSC::Parser<LexerType>::parseDestructuringPattern):
2064         (JSC::Parser<LexerType>::parseConstDeclarationList):
2065         (JSC::Parser<LexerType>::parseForStatement):
2066         (JSC::Parser<LexerType>::parseBreakStatement):
2067         (JSC::Parser<LexerType>::parseContinueStatement):
2068         (JSC::Parser<LexerType>::parseSwitchStatement):
2069         (JSC::Parser<LexerType>::parseTryStatement):
2070         (JSC::Parser<LexerType>::parseBlockStatement):
2071         (JSC::Parser<LexerType>::parseStatement):
2072         (JSC::Parser<LexerType>::parseFunctionInfo):
2073         (JSC::Parser<LexerType>::parseClassDeclaration):
2074         (JSC::Parser<LexerType>::parseClass):
2075         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
2076         (JSC::Parser<LexerType>::parseAssignmentExpression):
2077         (JSC::Parser<LexerType>::parseGetterSetter):
2078         (JSC::Parser<LexerType>::parsePrimaryExpression):
2079         (JSC::Parser<LexerType>::parseVarDeclaration): Deleted.
2080         (JSC::Parser<LexerType>::parseVarDeclarationList): Deleted.
2081         * parser/Parser.h:
2082         (JSC::Scope::Scope):
2083         (JSC::Scope::setIsFunction):
2084         (JSC::Scope::isFunction):
2085         (JSC::Scope::isFunctionBoundary):
2086         (JSC::Scope::setIsLexicalScope):
2087         (JSC::Scope::isLexicalScope):
2088         (JSC::Scope::declaredVariables):
2089         (JSC::Scope::finalizeLexicalEnvironment):
2090         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
2091         (JSC::Scope::declareCallee):
2092         (JSC::Scope::declareVariable):
2093         (JSC::Scope::declareLexicalVariable):
2094         (JSC::Scope::hasDeclaredVariable):
2095         (JSC::Scope::hasLexicallyDeclaredVariable):
2096         (JSC::Scope::hasDeclaredParameter):
2097         (JSC::Scope::declareWrite):
2098         (JSC::Scope::preventAllVariableDeclarations):
2099         (JSC::Scope::preventVarDeclarations):
2100         (JSC::Scope::allowsVarDeclarations):
2101         (JSC::Scope::allowsLexicalDeclarations):
2102         (JSC::Scope::declareParameter):
2103         (JSC::Scope::declareBoundParameter):
2104         (JSC::Scope::useVariable):
2105         (JSC::Scope::setNeedsFullActivation):
2106         (JSC::Scope::needsFullActivation):
2107         (JSC::Scope::hasDirectSuper):
2108         (JSC::Scope::setNeedsSuperBinding):
2109         (JSC::Scope::collectFreeVariables):
2110         (JSC::Scope::getCapturedVars):
2111         (JSC::Scope::copyCapturedVariablesToVector):
2112         (JSC::Parser::AutoCleanupLexicalScope::AutoCleanupLexicalScope):
2113         (JSC::Parser::AutoCleanupLexicalScope::~AutoCleanupLexicalScope):
2114         (JSC::Parser::AutoCleanupLexicalScope::setIsValid):
2115         (JSC::Parser::AutoCleanupLexicalScope::isValid):
2116         (JSC::Parser::AutoCleanupLexicalScope::setPopped):
2117         (JSC::Parser::AutoCleanupLexicalScope::scope):
2118         (JSC::Parser::currentScope):
2119         (JSC::Parser::pushScope):
2120         (JSC::Parser::popScopeInternal):
2121         (JSC::Parser::popScope):
2122         (JSC::Parser::declareVariable):
2123         (JSC::Parser::hasDeclaredVariable):
2124         (JSC::Parser::hasDeclaredParameter):
2125         (JSC::Parser::declareWrite):
2126         (JSC::Parser::findCachedFunctionInfo):
2127         (JSC::Parser::isFunctionBodyNode):
2128         (JSC::Parser::continueIsValid):
2129         (JSC::Parser::pushLabel):
2130         (JSC::Parser::popLabel):
2131         (JSC::Parser::getLabel):
2132         (JSC::Parser::isLETMaskedAsIDENT):
2133         (JSC::Parser<LexerType>::parse):
2134         (JSC::Scope::preventNewDecls): Deleted.
2135         (JSC::Scope::allowsNewDecls): Deleted.
2136         (JSC::Scope::getCapturedVariables): Deleted.
2137         There are basic parser changes that now allow for the 'let'
2138         keyword. The trickiest change is how we will still treat 'let' 
2139         as an identifier for sloppy-mode code sometimes. For example,
2140         "var let = ..." is allowed but "let let" or "const let" is not.
2141
2142         The most significant change to the parser made for this patch
2143         is appropriating the Scope struct to also also model a lexical 
2144         scope. Changes were made in how we track captured variables to 
2145         account for this. In general, I think some of this code could 
2146         benefit from a slight refactoring to make things cleaner.
2147
2148         * parser/ParserTokens.h:
2149         * parser/SyntaxChecker.h:
2150         (JSC::SyntaxChecker::createNewExpr):
2151         (JSC::SyntaxChecker::createConditionalExpr):
2152         (JSC::SyntaxChecker::createAssignResolve):
2153         (JSC::SyntaxChecker::createEmptyVarExpression):
2154         (JSC::SyntaxChecker::createEmptyLetExpression):
2155         (JSC::SyntaxChecker::createClassExpr):
2156         (JSC::SyntaxChecker::createClassDeclStatement):
2157         (JSC::SyntaxChecker::createBlockStatement):
2158         (JSC::SyntaxChecker::createExprStatement):
2159         (JSC::SyntaxChecker::createIfStatement):
2160         (JSC::SyntaxChecker::createForLoop):
2161         (JSC::SyntaxChecker::createForInLoop):
2162         (JSC::SyntaxChecker::createForOfLoop):
2163         (JSC::SyntaxChecker::createEmptyStatement):
2164         (JSC::SyntaxChecker::createVarStatement):
2165         (JSC::SyntaxChecker::createLetStatement):
2166         (JSC::SyntaxChecker::createReturnStatement):
2167         (JSC::SyntaxChecker::createBreakStatement):
2168         (JSC::SyntaxChecker::createContinueStatement):
2169         (JSC::SyntaxChecker::createTryStatement):
2170         (JSC::SyntaxChecker::createSwitchStatement):
2171         (JSC::SyntaxChecker::createWhileStatement):
2172         (JSC::SyntaxChecker::createWithStatement):
2173         (JSC::SyntaxChecker::createDoWhileStatement):
2174         (JSC::SyntaxChecker::createGetterOrSetterProperty):
2175         (JSC::SyntaxChecker::appendStatement):
2176         (JSC::SyntaxChecker::combineCommaNodes):
2177         (JSC::SyntaxChecker::evalCount):
2178         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
2179         (JSC::SyntaxChecker::operatorStackPop):
2180         (JSC::SyntaxChecker::addVar): Deleted.
2181         * parser/VariableEnvironment.cpp: Added.
2182         (JSC::VariableEnvironment::markVariableAsCapturedIfDefined):
2183         (JSC::VariableEnvironment::markVariableAsCaptured):
2184         (JSC::VariableEnvironment::markAllVariablesAsCaptured):
2185         (JSC::VariableEnvironment::hasCapturedVariables):
2186         (JSC::VariableEnvironment::captures):
2187         (JSC::VariableEnvironment::swap):
2188         * parser/VariableEnvironment.h: Added.
2189         (JSC::VariableEnvironmentEntry::isCaptured):
2190         (JSC::VariableEnvironmentEntry::isConstant):
2191         (JSC::VariableEnvironmentEntry::isVar):
2192         (JSC::VariableEnvironmentEntry::isLet):
2193         (JSC::VariableEnvironmentEntry::setIsCaptured):
2194         (JSC::VariableEnvironmentEntry::setIsConstant):
2195         (JSC::VariableEnvironmentEntry::setIsVar):
2196         (JSC::VariableEnvironmentEntry::setIsLet):
2197         (JSC::VariableEnvironmentEntry::clearIsVar):
2198         (JSC::VariableEnvironment::begin):
2199         (JSC::VariableEnvironment::end):
2200         (JSC::VariableEnvironment::add):
2201         (JSC::VariableEnvironment::size):
2202         (JSC::VariableEnvironment::contains):
2203         (JSC::VariableEnvironment::remove):
2204         VariableEnvironment is a new class that keeps track
2205         of the static environment in the parser and the bytecode generator.
2206         VariableEnvironment behaves like SymbolTable but for the bytecode generator.
2207         It keeps track of variable types, i.e, if a variable is a "var", "let", "const" 
2208         and whether or not its captured.
2209
2210         * runtime/CodeCache.cpp:
2211         (JSC::CodeCache::getGlobalCodeBlock):
2212         (JSC::CodeCache::getProgramCodeBlock):
2213         (JSC::CodeCache::getEvalCodeBlock):
2214         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2215         * runtime/CodeCache.h:
2216         (JSC::CodeCache::clear):
2217         * runtime/CommonSlowPaths.cpp:
2218         (JSC::SLOW_PATH_DECL):
2219         * runtime/CommonSlowPaths.h:
2220         * runtime/ExceptionHelpers.cpp:
2221         (JSC::createErrorForInvalidGlobalAssignment):
2222         (JSC::createTDZError):
2223         (JSC::throwOutOfMemoryError):
2224         * runtime/ExceptionHelpers.h:
2225         * runtime/Executable.cpp:
2226         (JSC::EvalExecutable::create):
2227         (JSC::ProgramExecutable::initializeGlobalProperties):
2228         * runtime/Executable.h:
2229         * runtime/JSCJSValue.h:
2230         (JSC::jsUndefined):
2231         (JSC::jsTDZValue):
2232         (JSC::jsBoolean):
2233         * runtime/JSEnvironmentRecord.h:
2234         (JSC::JSEnvironmentRecord::finishCreationUninitialized):
2235         (JSC::JSEnvironmentRecord::finishCreation):
2236         * runtime/JSGlobalObject.cpp:
2237         (JSC::JSGlobalObject::createProgramCodeBlock):
2238         (JSC::JSGlobalObject::createEvalCodeBlock):
2239         * runtime/JSGlobalObject.h:
2240         (JSC::JSGlobalObject::weakRandomInteger):
2241         * runtime/JSGlobalObjectFunctions.cpp:
2242         (JSC::globalFuncEval):
2243         * runtime/JSLexicalEnvironment.cpp:
2244         (JSC::JSLexicalEnvironment::symbolTableGet):
2245         * runtime/JSLexicalEnvironment.h:
2246         (JSC::JSLexicalEnvironment::create):
2247         * runtime/JSScope.cpp:
2248         (JSC::JSScope::resolve):
2249         (JSC::JSScope::abstractResolve):
2250         (JSC::JSScope::collectVariablesUnderTDZ):
2251         (JSC::JSScope::isLexicalScope):
2252         (JSC::resolveModeName):
2253         * runtime/JSScope.h:
2254         * runtime/PropertySlot.h:
2255         (JSC::PropertySlot::setValue):
2256         * runtime/SymbolTable.cpp:
2257         (JSC::SymbolTable::SymbolTable):
2258         (JSC::SymbolTable::cloneScopePart):
2259         * runtime/SymbolTable.h:
2260         SymbolTable now uses an extra bit to know if it corresponds
2261         to a "let"-like environment or not.
2262
2263         * runtime/WriteBarrier.h:
2264         (JSC::WriteBarrierBase<Unknown>::get):
2265         (JSC::WriteBarrierBase<Unknown>::clear):
2266         (JSC::WriteBarrierBase<Unknown>::setUndefined):
2267         (JSC::WriteBarrierBase<Unknown>::setStartingValue):
2268         (JSC::WriteBarrierBase<Unknown>::isNumber):
2269         (JSC::WriteBarrierBase<Unknown>::isObject):
2270         (JSC::WriteBarrierBase<Unknown>::isNull):
2271         * tests/stress/activation-sink-default-value-tdz-error.js: Added.
2272         (shouldThrowTDZ):
2273         (bar):
2274         (foo.cap):
2275         * tests/stress/activation-sink-osrexit-default-value-tdz-error.js: Added.
2276         (shouldThrowTDZ):
2277         (bar):
2278         * tests/stress/lexical-let-and-with-statement.js: Added.
2279         (truth):
2280         (assert):
2281         (.):
2282         * tests/stress/lexical-let-exception-handling.js: Added.
2283         (truth):
2284         (assert):
2285         (.):
2286         * tests/stress/lexical-let-global-not-captured-variables.js: Added.
2287         (truth):
2288         (assert):
2289         (foo):
2290         (.let.capY):
2291         * tests/stress/lexical-let-loop-semantics.js: Added.
2292         (truth):
2293         (assert):
2294         (shouldThrowTDZ):
2295         (.):
2296         * tests/stress/lexical-let-not-strict-mode.js: Added.
2297         (truth):
2298         (assert):
2299         (shouldThrowTDZ):
2300         (.):
2301         * tests/stress/lexical-let-semantics.js: Added.
2302         (truth):
2303         (assert):
2304         (let.globalFunction):
2305         (let.retGlobalNumberCaptured):
2306         (let.setGlobalNumberCaptured):
2307         (.):
2308         * tests/stress/lexical-let-tdz.js: Added.
2309         (truth):
2310         (assert):
2311         (shouldThrowTDZ):
2312         (.):
2313
2314 2015-07-15  Anders Carlsson  <andersca@apple.com>
2315
2316         Make JavaScriptCore SPI headers used by WebCore SPI headers self-contained
2317         https://bugs.webkit.org/show_bug.cgi?id=146978
2318
2319         Reviewed by Dan Bernstein.
2320
2321         * debugger/DebuggerPrimitives.h:
2322         * disassembler/Disassembler.h:
2323         * heap/Weak.h:
2324         * inspector/InspectorValues.h:
2325         * runtime/JSCJSValue.h:
2326
2327 2015-07-14  Anders Carlsson  <andersca@apple.com>
2328
2329         Assertions.h should include ExportMacros.h
2330         https://bugs.webkit.org/show_bug.cgi?id=146948
2331
2332         Reviewed by Tim Horton.
2333
2334         Remove now unneeded WTF_EXPORT_PRIVATE define.
2335
2336         * API/JSBase.h:
2337
2338 2015-07-14  Matthew Mirman  <mmirman@apple.com>
2339
2340         Repatch. Makes compileArithSub in the DFG ensure that the constant is an int32.
2341         https://bugs.webkit.org/show_bug.cgi?id=146910
2342         rdar://problem/21729083
2343
2344         Reviewed by Filip Pizlo.
2345         
2346         Also fixes the debug build problem where all edges are assumed to 
2347         have UntypedUse before the fixup phase.
2348
2349         * dfg/DFGSpeculativeJIT.cpp:
2350         (JSC::DFG::SpeculativeJIT::compileArithSub):
2351         * dfg/DFGValidate.cpp:
2352         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
2353         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
2354         (arithAdd42WrittenAsInteger):
2355         (testArithAdd42WrittenAsInteger):
2356         (arithSub42WrittenAsDouble):
2357         (testArithSub42WrittenAsDouble):
2358         (doubleConstant):
2359         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
2360         (arithAdd42WrittenAsDouble): Deleted.
2361         (testArithAdd42WrittenAsDouble): Deleted.
2362
2363 2015-07-14  Matthew Mirman  <mmirman@apple.com>
2364
2365         Unreviewed, rolling out r186805.
2366
2367         Made raytracer on octane 80% slower
2368
2369         Reverted changeset:
2370
2371         "Makes compileArithSub in the DFG ensure that the constant is
2372         an int32."
2373         https://bugs.webkit.org/show_bug.cgi?id=146910
2374         http://trac.webkit.org/changeset/186805
2375
2376 2015-07-13  Matthew Mirman  <mmirman@apple.com>
2377
2378         Makes compileArithSub in the DFG ensure that the constant is an int32.
2379         https://bugs.webkit.org/show_bug.cgi?id=146910
2380         rdar://problem/21729083
2381
2382         Reviewed by Filip Pizlo.
2383         
2384         Also fixes the debug build problem where all edges are assumed to 
2385         have UntypedUse before the fixup phase.
2386
2387         * dfg/DFGSpeculativeJIT.cpp:
2388         (JSC::DFG::SpeculativeJIT::compileArithSub):
2389         * dfg/DFGValidate.cpp:
2390         (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
2391         * tests/stress/arith-add-with-constants.js: Added some tests for this case.
2392         (arithAdd42WrittenAsInteger):
2393         (testArithAdd42WrittenAsInteger):
2394         (arithSub42WrittenAsDouble):
2395         (testArithSub42WrittenAsDouble):
2396         (doubleConstant):
2397         (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
2398         (arithAdd42WrittenAsDouble): Deleted.
2399         (testArithAdd42WrittenAsDouble): Deleted.
2400
2401 2015-07-13  Basile Clement  <basile_clement@apple.com>
2402
2403         Object cycles should not prevent allocation elimination/sinking
2404         https://bugs.webkit.org/show_bug.cgi?id=143073
2405
2406         Reviewed by Filip Pizlo.
2407
2408         This patch introduces a new allocation sinking phase that is able to
2409         sink cycles, in DFGAllocationCycleSinkingPhase.cpp. This phase
2410         supersedes the old allocation sinking phase in
2411         DFGObjectAllocationSinkingPhase.cpp, as that previous phase was never
2412         able to sink allocation cycles while the new phase sometimes can; see
2413         DFGAllocationCycleSinkingPhase.cpp for details.
2414
2415         For now, the new sinking phase is kept behind a
2416         JSC_enableAllocationCycleSinking flag that reverts to the old sinking
2417         phase when false (i.e., by default). This also removes the old
2418         JSC_enableObjectAllocationSinking flag. run-javascriptcore-tests
2419         defaults to using the new sinking phase.
2420
2421         * dfg/DFGGraph.h:
2422         (JSC::DFG::Graph::addStructureSet): Allow empty structure sets
2423         * dfg/DFGLazyNode.cpp:
2424         (JSC::DFG::LazyNode::dump): Prettier dump
2425         * dfg/DFGNode.h:
2426         (JSC::DFG::Node::cellOperand): Move to opInfo for MaterializeCreateActivation
2427         (JSC::DFG::Node::hasStructureSet): Add MaterializeNewObject
2428         (JSC::DFG::Node::objectMaterializationData): Move to opInfo2
2429         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Remove unused header
2430         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2431         (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase): Deleted.
2432         (JSC::DFG::ObjectAllocationSinkingPhase::run): Deleted.
2433         (JSC::DFG::ObjectAllocationSinkingPhase::performSinking): Deleted.
2434         (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): Deleted.
2435         (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): Deleted.
2436         (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): Deleted.
2437         (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): Deleted.
2438         (JSC::DFG::ObjectAllocationSinkingPhase::resolve): Deleted.
2439         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): Deleted.
2440         (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): Deleted.
2441         (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): Deleted.
2442         * dfg/DFGObjectAllocationSinkingPhase.h:
2443         * dfg/DFGPromotedHeapLocation.h: Add a hash and a helper function to PromotedLocationDescriptor
2444         (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
2445         (JSC::DFG::PromotedLocationDescriptor::operator bool):
2446         (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization):
2447         (JSC::DFG::PromotedLocationDescriptorHash::hash):
2448         (JSC::DFG::PromotedLocationDescriptorHash::equal):
2449         * dfg/DFGValidate.cpp:
2450         (JSC::DFG::Validate::validateSSA): Assert that most nodes never see a phantom allocation
2451         * ftl/FTLLowerDFGToLLVM.cpp:
2452         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeNewObject): Use the new structureSet() operand
2453         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation): Node has a new child
2454         * ftl/FTLOSRExitCompiler.cpp: Handle materialization cycles
2455         (JSC::FTL::compileStub):
2456         * ftl/FTLOperations.cpp: Handle materialization cycles
2457         (JSC::FTL::operationPopulateObjectInOSR):
2458         (JSC::FTL::operationMaterializeObjectInOSR):
2459         * ftl/FTLOperations.h: Handle materialization cycles
2460         * tests/stress/correctly-sink-object-even-though-it-dies.js: Added.
2461         (clobber):
2462         (foo):
2463         * tests/stress/eliminate-object-read-over-call.js: Added.
2464         (clobber):
2465         (foo):
2466         * tests/stress/materialize-object-on-edge.js: Added.
2467         (call):
2468         (foo):
2469         * tests/stress/object-sinking-stress.js: Added.
2470         (foo):
2471         * tests/stress/sink-object-cycle.js: Added.
2472         (clobber):
2473         (foo):
2474         * tests/stress/sink-object-past-put.js: Added.
2475         (clobber):
2476         (foo):
2477         * tests/stress/sinkable-new-object-in-loop.js: Added.
2478         (foo):
2479
2480 2015-07-13  Daniel Bates  <dabates@apple.com>
2481
2482         Cleanup: Avoid extraneous increment and decrement of reference count of ScriptArguments in ConsoleClient
2483         https://bugs.webkit.org/show_bug.cgi?id=146920
2484
2485         Reviewed by Brian Burg.
2486
2487         Remove local variable RefPtr<ScriptArguments> and copy constructor call with an argument that
2488         was initialized with an rvalue reference. The argument itself is an lvalue reference.
2489
2490         * runtime/ConsoleClient.cpp:
2491         (JSC::ConsoleClient::printConsoleMessageWithArguments):
2492         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
2493
2494 2015-07-13  Anders Carlsson  <andersca@apple.com>
2495
2496         Apps linked with a deployment target of iOS 7.x or earlier crash when using modern WebKit API
2497         https://bugs.webkit.org/show_bug.cgi?id=146913
2498         rdar://problem/21789252
2499
2500         Reviewed by Dan Bernstein.
2501
2502         Make a top-level symlink from /System/Library/PrivateFrameworks/JavaScriptCore.framework to
2503         /System/Library/Frameworks/JavaScriptCore.framework.
2504     
2505         * JavaScriptCore.xcodeproj/project.pbxproj:
2506
2507 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
2508
2509         If Watchpoint::fire() looks at the state of the world, it should definitely see its set invalidated, and maybe it should see the object of interest in the transitioned-to state
2510         https://bugs.webkit.org/show_bug.cgi?id=146897
2511
2512         Reviewed by Mark Lam.
2513         
2514         The idea is to eventually support adaptive watchpoints. An adaptive watchpoint will be
2515         able to watch for a condition that is more fine-grained than any one watchpoint set. For
2516         example, we might watch a singleton object to see if it ever acquires a property called
2517         "foo". So long as it doesn't have such a property, we don't want to invalidate any code.
2518         But if it gets that property, then we should deoptimize. Current watchpoints will
2519         invalidate code as soon as any property is added (or deleted), because they will use the
2520         transition watchpoint set of the singleton object's structure, and that fires anytime
2521         there is any transition.
2522         
2523         An adaptive watchpoint would remember the singleton object, and when it got fired, it
2524         would check if the object's new structure has the property "foo". If not, it would check
2525         if the object's new structure is watchable (i.e. has a valid transition watchpoint set).
2526         If the property is missing and the structure is watchable, it would add itself to the
2527         watchpoint set of the new structure. Otherwise, it would deoptimize.
2528         
2529         There are two problems with this idea, and this patch fixes these problems. First, we
2530         usually fire the transition watchpoint before we do the structure transition. This means
2531         that if the fire() method looked at the singleton object's structure, it would see the old
2532         structure, not the new one. It would have no way of knowing what the new structure is.
2533         Second, inside the fire() method, the watchpoint set being invalidated still appears
2534         valid, since we change the state after we fire all watchpoints.
2535         
2536         This patch addresses both issues. Now, in the most important case (addPropertyTransition),
2537         we fire the watchpoint set after we have modified the object. This is accomplished using
2538         a deferral scope called DeferredStructureTransitionWatchpointFire. In cases where there is
2539         no deferral, the adaptive watchpoint will conservatively resort to deoptimization because
2540         it would find that the singleton object's structure is no longer watchable. This is
2541         because in the absence of deferral, the singleton object would still have the original
2542         structure, but that structure's watchpoint set would now report itself as having been
2543         invalidated.
2544
2545         * bytecode/Watchpoint.cpp:
2546         (JSC::WatchpointSet::fireAllSlow): Change the state of the set before firing all watchpoints.
2547         (JSC::WatchpointSet::fireAllWatchpoints):
2548         * runtime/JSObject.h:
2549         (JSC::JSObject::putDirectInternal): Use the deferral scope.
2550         * runtime/Structure.cpp:
2551         (JSC::Structure::Structure): Pass the deferral scope to didTransitionFromThisStructure.
2552         (JSC::Structure::addPropertyTransition): Pass the deferral scope to create().
2553         (JSC::StructureFireDetail::dump): This is no longer anonymous.
2554         (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire): Start with a null structure.
2555         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire): Fire the watchpoint if there is a structure.
2556         (JSC::DeferredStructureTransitionWatchpointFire::add): Add a structure. Logically this is a list of deferred things, but we assert that there only will be one (happens to be true now).
2557         (JSC::Structure::didTransitionFromThisStructure): Defer the watchpoint firing if there is a deferral scope.
2558         * runtime/Structure.h:
2559         (JSC::StructureFireDetail::StructureFireDetail): Move this to the header.
2560         * runtime/StructureInlines.h:
2561         (JSC::Structure::create): Pass the deferral scope to the constructor.
2562
2563 2015-07-12  Filip Pizlo  <fpizlo@apple.com>
2564
2565         Watchpoints should be removed from their owning WatchpointSet before they are fired
2566         https://bugs.webkit.org/show_bug.cgi?id=146895
2567
2568         Reviewed by Sam Weinig.
2569         
2570         This simplifies the WatchpointSet API by making it so that when Watchpoint::fire() is
2571         called, the Watchpoint is no longer in the set. This means that you don't have to remember
2572         to remove it from the set's list (currently we do that implicitly as part of whatever
2573         any particular Watchpoint::fireInternal() does), and you can now write adaptive
2574         watchpoints that re-add themselves to a different set if they determine that the thing
2575         they are actually watching is still intact but now needs to be watched in a different way
2576         (like watching for whether some singleton object has a property of some name).
2577
2578         * bytecode/Watchpoint.cpp:
2579         (JSC::Watchpoint::~Watchpoint): Add a comment about why this is necessary.
2580         (JSC::Watchpoint::fire): Make this out-of-line, private, and make it assert that we're no longer on the list.
2581         (JSC::WatchpointSet::fireAllWatchpoints): Make this remove the watchpoint from the list before firing it.
2582         * bytecode/Watchpoint.h:
2583         (JSC::Watchpoint::fire): Deleted. I moved this to Watchpoint.cpp.
2584
2585 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2586
2587         DFG::DesiredWatchpoints should accept WatchpointSetType's that aren't necessarily pointers
2588         https://bugs.webkit.org/show_bug.cgi?id=146875
2589
2590         Reviewed by Dan Bernstein.
2591         
2592         In the future we'll want to add a desired watchpoint set that's something like "please
2593         watch property 'Foo' for 'deletion' on structure 'S1'", so that the "set type" is struct
2594         like "struct MySet { StringImpl* property; Mode mode; Structure* structure };".
2595         
2596         This is a very mechanical change for now - all of the current users happen to use sets
2597         that are pointer typed, so it's just a matter of moving some "*"'s around.
2598
2599         * dfg/DFGDesiredWatchpoints.h:
2600         (JSC::DFG::GenericSetAdaptor::add):
2601         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
2602         (JSC::DFG::GenericDesiredWatchpoints::GenericDesiredWatchpoints):
2603         (JSC::DFG::GenericDesiredWatchpoints::addLazily):
2604         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
2605         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
2606         (JSC::DFG::GenericDesiredWatchpoints::isWatched):
2607         (JSC::DFG::DesiredWatchpoints::isWatched):
2608
2609 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2610
2611         Watchpoints should be allocated with FastMalloc
2612         https://bugs.webkit.org/show_bug.cgi?id=146874
2613
2614         Reviewed by Dan Bernstein.
2615         
2616         This is in preparation for adding new subclasses of Watchpoint. While starting to do this
2617         I realized that the way Watchpoints allocated themselves was unusual.
2618
2619         * bytecode/CodeBlockJettisoningWatchpoint.h:
2620         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): No need for the default constructor.
2621         * bytecode/Watchpoint.h:
2622         (JSC::Watchpoint::Watchpoint): This should be noncopyable and fast-allocated.
2623         * dfg/DFGCommonData.h: Use a Bag<> instead of SegmentedVector<>. Bag means "malloc things but allow me to free them all at once", which is what we are doing here.
2624         * dfg/DFGDesiredWatchpoints.h:
2625         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd): Use the Bag<> API rather than the very awkward SegmentedVector<> API.
2626
2627 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2628
2629         AI folding of IsObjectOrNull is broken for non-object types that may be null
2630         https://bugs.webkit.org/show_bug.cgi?id=146867
2631
2632         Reviewed by Ryosuke Niwa.
2633
2634         * dfg/DFGAbstractInterpreterInlines.h:
2635         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Fix the bug and add some text describing what is going on.
2636         * tests/stress/misc-is-object-or-null.js: Added. Test for the bug.
2637         (foo):
2638         * tests/stress/other-is-object-or-null.js: Added. Test for a bug I almost introduced.
2639         (foo):
2640
2641 2015-07-10  Filip Pizlo  <fpizlo@apple.com>
2642
2643         It should be easy to measure total compile times.
2644         https://bugs.webkit.org/show_bug.cgi?id=146857
2645
2646         Reviewed by Sam Weinig.
2647         
2648         This gives DFG::Plan the ability to track total compile times, and return them in a map
2649         of stats that jsc.cpp can display.
2650         
2651         I want to do some work to bring down DFG compile times. This will help me measure whether
2652         I'm making a difference or not.
2653
2654         * dfg/DFGPlan.cpp:
2655         (JSC::DFG::Plan::Plan):
2656         (JSC::DFG::Plan::~Plan):
2657         (JSC::DFG::Plan::computeCompileTimes):
2658         (JSC::DFG::Plan::reportCompileTimes):
2659         (JSC::DFG::Plan::compileInThread):
2660         (JSC::DFG::Plan::compileInThreadImpl):
2661         (JSC::DFG::Plan::cancel):
2662         (JSC::DFG::Plan::compileTimeStats):
2663         (JSC::DFG::dumpAndVerifyGraph): Deleted.
2664         (JSC::DFG::profilerCompilationKindForMode): Deleted.
2665         * dfg/DFGPlan.h:
2666         (JSC::DFG::Plan::compileTimeStats):
2667         * jsc.cpp:
2668         (jscmain):
2669         * runtime/Options.h:
2670
2671 2015-07-04  Filip Pizlo  <fpizlo@apple.com>
2672
2673         DFG fragile frozen values are fundamentally broken
2674         https://bugs.webkit.org/show_bug.cgi?id=146602
2675
2676         Reviewed by Mark Lam.
2677         
2678         This change gets rid of the FragileValue value strength, because it was fundamentally
2679         broken.
2680         
2681         FragileValue was a value known to the compiler but not tracked by the GC in any way -
2682         it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
2683         must-handle values. The philosophy was that if the compiler did use the value for
2684         optimization, it would have been strengthened to a weak value (or maybe even a strong
2685         value, though we probably won't do that). But this was too much of a pipe dream. I've
2686         found at least one case where the compiler did use the value, but never strengthened
2687         it: it would happen if the value ended up in an OSR entry data expected value. Then if
2688         we GCed, we might have killed the value, but OSR entry would still try to use it for
2689         validation. That might have sort of just worked, but it's clearly shady.
2690
2691         The reason why we made must-handle values fragile and not weak is that most of the time
2692         the values disappear from the abstract state: they are LUBed to a non-constant. If we
2693         kept them around as weak, we'd have too many cases of the GC killing the code because
2694         it thought that the value was somehow meaningful to the code when it was only used as a
2695         temporary artifact of optimization.
2696
2697         So, it's true that it's very important for must-handle values not to automatically be
2698         weak or strong. It's also true that the values are necessary for AI bootstrap because
2699         we need to know what values OSR entry will require. But we shouldn't accomplish these
2700         goals by having the compiler hold onto what are essentially dangling pointers.
2701         
2702         This implements a better solution: instead of having InPlaceAbstractState bootstrap the
2703         AI with must-handle values at the beginning, we now widen the valuesAtHead of the
2704         must-handle block after AI converges. This widening is done in CFAPhase. This allows us
2705         to see if the must-handle values are necessary at all. In most cases, the widening
2706         takes a non-constant abstract value and simply amends something to its type based on
2707         the type of the must-handle value, and so the must-handle value never actually shows up
2708         in either the IR or any abstract value. In the unlikely event that the value at head is
2709         bottom, we freeze the must-handle value. This change removes FragileValue, and this
2710         freezing uses WeakValue as the strength. That makes sense: since the abstract value was
2711         bottom, the must-handle value becomes integral to the IR and so it makes no sense for
2712         the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
2713         sometimes happen for example if you have a very long-running loop whose pre-header
2714         allocates some object, but that pre-header appears to always exit to the optimizing JIT
2715         because it was only profiled once in the LLInt and that profiling appears insufficient
2716         to the DFG. In that case, we'll effectively constant-fold the references to the object
2717         inside the loop, which is both efficient (yay constant folding!) and necessary
2718         (otherwise we wouldn't know what the type of the variable should have been).
2719         
2720         Testing and debugging this is complicated. So, this adds some new capabilities:
2721         
2722         - DFG IR dumps also dump all of the FrozenValues that point to the heap along with
2723           their strengths, so that it's easy to see what GC objects the DFG feels are necessary
2724           for the compilation.
2725         
2726         - DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
2727           to see what GC pointers (and other things) are used for OSR entry validation. The
2728           printouts are quite detailed, and should also help other kinds of OSR entry
2729           debugging.
2730         
2731         - DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
2732           data structures are also properly registered as either weak or strong pointers in the
2733           CodeBlock. This validation check previously failed due to fragile values ending up in
2734           the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
2735           and in some pre-existing tests (like earley-boyer and 3d-raytrace).
2736
2737         * CMakeLists.txt:
2738         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2739         * JavaScriptCore.xcodeproj/project.pbxproj:
2740         * bytecode/CodeBlock.cpp:
2741         (JSC::CodeBlock::stronglyVisitStrongReferences):
2742         * bytecode/CodeOrigin.cpp:
2743         (JSC::InlineCallFrame::visitAggregate):
2744         * bytecode/Operands.h:
2745         (JSC::Operands::operand):
2746         (JSC::Operands::hasOperand):
2747         * bytecode/StructureSet.cpp:
2748         (JSC::StructureSet::dump):
2749         (JSC::StructureSet::validateReferences):
2750         * bytecode/StructureSet.h:
2751         * bytecode/TrackedReferences.cpp: Added.
2752         (JSC::TrackedReferences::TrackedReferences):
2753         (JSC::TrackedReferences::~TrackedReferences):
2754         (JSC::TrackedReferences::add):
2755         (JSC::TrackedReferences::check):
2756         (JSC::TrackedReferences::dump):
2757         * bytecode/TrackedReferences.h: Added.
2758         * dfg/DFGAbstractValue.cpp:
2759         (JSC::DFG::AbstractValue::observeTransitions):
2760         (JSC::DFG::AbstractValue::set):
2761         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2762         (JSC::DFG::AbstractValue::mergeOSREntryValue):
2763         (JSC::DFG::AbstractValue::filter):
2764         (JSC::DFG::AbstractValue::dumpInContext):
2765         (JSC::DFG::AbstractValue::validateReferences):
2766         (JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
2767         * dfg/DFGAbstractValue.h:
2768         (JSC::DFG::AbstractValue::fullTop):
2769         (JSC::DFG::AbstractValue::merge):
2770         * dfg/DFGByteCodeParser.cpp:
2771         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2772         * dfg/DFGCFAPhase.cpp:
2773         (JSC::DFG::CFAPhase::run):
2774         * dfg/DFGCommonData.cpp:
2775         (JSC::DFG::CommonData::invalidate):
2776         (JSC::DFG::CommonData::validateReferences):
2777         * dfg/DFGCommonData.h:
2778         (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
2779         * dfg/DFGFrozenValue.h:
2780         (JSC::DFG::FrozenValue::FrozenValue):
2781         (JSC::DFG::FrozenValue::strengthenTo):
2782         (JSC::DFG::FrozenValue::pointsToHeap):
2783         (JSC::DFG::FrozenValue::strength):
2784         (JSC::DFG::FrozenValue::freeze):
2785         * dfg/DFGGraph.cpp:
2786         (JSC::DFG::Graph::Graph):
2787         (JSC::DFG::Graph::dump):
2788         (JSC::DFG::Graph::registerFrozenValues):
2789         (JSC::DFG::Graph::visitChildren):
2790         (JSC::DFG::Graph::freeze):
2791         (JSC::DFG::Graph::freezeStrong):
2792         (JSC::DFG::Graph::freezeFragile): Deleted.
2793         * dfg/DFGGraph.h:
2794         * dfg/DFGInPlaceAbstractState.cpp:
2795         (JSC::DFG::InPlaceAbstractState::initialize):
2796         * dfg/DFGJITCode.cpp:
2797         (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
2798         (JSC::DFG::JITCode::validateReferences):
2799         * dfg/DFGJITCode.h:
2800         * dfg/DFGJITCompiler.cpp:
2801         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
2802         (JSC::DFG::JITCompiler::noticeOSREntry):
2803         * dfg/DFGJITCompiler.h:
2804         (JSC::DFG::JITCompiler::branchStructurePtr):
2805         (JSC::DFG::JITCompiler::jitCode):
2806         (JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
2807         * dfg/DFGMinifiedGraph.cpp: Added.
2808         (JSC::DFG::MinifiedGraph::prepareAndShrink):
2809         (JSC::DFG::MinifiedGraph::validateReferences):
2810         * dfg/DFGMinifiedGraph.h:
2811         (JSC::DFG::MinifiedGraph::append):
2812         (JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
2813         * dfg/DFGOSREntry.cpp:
2814         (JSC::DFG::OSREntryData::dumpInContext):
2815         (JSC::DFG::OSREntryData::dump):
2816         (JSC::DFG::prepareOSREntry):
2817         * dfg/DFGOSREntry.h:
2818         (JSC::DFG::getOSREntryDataBytecodeIndex):
2819         * dfg/DFGPlan.cpp:
2820         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2821         * dfg/DFGSpeculativeJIT.cpp:
2822         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2823         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2824         * dfg/DFGStructureAbstractValue.cpp:
2825         (JSC::DFG::StructureAbstractValue::dump):
2826         (JSC::DFG::StructureAbstractValue::validateReferences):
2827         * dfg/DFGStructureAbstractValue.h:
2828         * dfg/DFGValidate.cpp:
2829         (JSC::DFG::Validate::validate):
2830         * dfg/DFGValueStrength.cpp:
2831         (WTF::printInternal):
2832         * dfg/DFGValueStrength.h:
2833         (JSC::DFG::merge):
2834         * ftl/FTLExitPropertyValue.cpp:
2835         (JSC::FTL::ExitPropertyValue::dump):
2836         (JSC::FTL::ExitPropertyValue::validateReferences):
2837         * ftl/FTLExitPropertyValue.h:
2838         * ftl/FTLExitTimeObjectMaterialization.cpp:
2839         (JSC::FTL::ExitTimeObjectMaterialization::dump):
2840         (JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
2841         * ftl/FTLExitTimeObjectMaterialization.h:
2842         * ftl/FTLExitValue.cpp:
2843         (JSC::FTL::ExitValue::dump):
2844         (JSC::FTL::ExitValue::validateReferences):
2845         * ftl/FTLExitValue.h:
2846         * ftl/FTLJITCode.cpp:
2847         (JSC::FTL::JITCode::dfgCommon):
2848         (JSC::FTL::JITCode::validateReferences):
2849         * ftl/FTLJITCode.h:
2850         (JSC::FTL::JITCode::handles):
2851         (JSC::FTL::JITCode::dataSections):
2852         * ftl/FTLOSRExit.cpp:
2853         (JSC::FTL::OSRExit::codeLocationForRepatch):
2854         (JSC::FTL::OSRExit::validateReferences):
2855         * ftl/FTLOSRExit.h:
2856         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2857         * jit/JITCode.cpp:
2858         (JSC::JITCode::typeName):
2859         (JSC::JITCode::validateReferences):
2860         (JSC::JITCode::execute):
2861         * jit/JITCode.h:
2862         (JSC::JITCode::start):
2863         * tests/stress/dead-osr-entry-value.js: Added.
2864         (foo):
2865
2866 2015-07-09  Filip Pizlo  <fpizlo@apple.com>
2867
2868         It should be possible to run the OSR exit fuzzer
2869         https://bugs.webkit.org/show_bug.cgi?id=146814
2870
2871         Reviewed by Mark Lam.
2872         
2873         Fix a silly bug: the option matching was accidentally allowing a prefix match, which
2874         always did the wrong thing for --fireOSRExitFuzzAt and --fireOSRExitFuzzAtStatic. Make
2875         this an exact match instead.
2876
2877         * runtime/Options.cpp:
2878         (JSC::Options::setOption):
2879
2880 2015-07-09  Mark Lam  <mark.lam@apple.com>
2881
2882         SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.
2883         https://bugs.webkit.org/show_bug.cgi?id=146807
2884
2885         Reviewed by Filip Pizlo.
2886
2887         When we capture an argument by name and we use "arguments", we put all of the
2888         arguments into the scope.  But destructured arguments are put into the scope
2889         anonymously i.e. the SymbolTable knows that the scope offset is in use via
2890         SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in
2891         SymbolTable::m_map.
2892
2893         The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will
2894         have a size which is based on the largest ScopeOffset in the m_map.  If we have a
2895         scenario where the anonymous argument is at a higher ScopeOffset than all the
2896         named arguments, then the m_localsToEntry vector will not have an entry for it
2897         i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of
2898         the anonymous argument.
2899
2900         Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is
2901         within the bounds of the m_localToEntry vector before indexing into it.
2902
2903         * runtime/SymbolTable.cpp:
2904         (JSC::SymbolTable::entryFor):
2905
2906 2015-07-09  Michael Saboff  <msaboff@apple.com>
2907
2908         REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
2909         https://bugs.webkit.org/show_bug.cgi?id=146767
2910
2911         Reviewed by Geoffrey Garen.
2912
2913         If the stack check fails at the top most frame, we must use that frame to
2914         generate the exception.  Reverted the code to always use the current frame to
2915         throw an out of stack exception.
2916
2917         * llint/LLIntSlowPaths.cpp:
2918         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2919
2920 2015-07-03  Filip Pizlo  <fpizlo@apple.com>
2921
2922         OSR exit fuzzing should allow us to select a static exit site
2923         https://bugs.webkit.org/show_bug.cgi?id=146601
2924
2925         Reviewed by Geoffrey Garen.
2926         
2927         The original implementation of the fuzzer allows us to trigger an exit based on its index
2928         in the dynamic sequence of exit sites encountered. But there are usually millions of
2929         dynamically encountered exit sites, even if the program only has thousands of static exit
2930         sites. That means that we would at best be able to do a random sampling of exits, and
2931         those would be biased to the hottest exit sites.
2932         
2933         This change allows us to also select exit sites based on their index in the static
2934         sequence of exit sites that the compiler compiled. Then, once that static exit site is
2935         selected, we can select which dynamic exit at that exit site we should trigger. Since the
2936         number of static exit sites is usually smallish (it's bounded by program size), we can do
2937         an exhaustive search over all exit sites in most programs.
2938
2939         * dfg/DFGOSRExitFuzz.cpp:
2940         (JSC::numberOfStaticOSRExitFuzzChecks):
2941         (JSC::numberOfOSRExitFuzzChecks):
2942         * dfg/DFGOSRExitFuzz.h:
2943         (JSC::DFG::doOSRExitFuzzing):
2944         * dfg/DFGSpeculativeJIT.cpp:
2945         (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
2946         * ftl/FTLLowerDFGToLLVM.cpp:
2947         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2948         * jsc.cpp:
2949         (jscmain):
2950         * runtime/Options.h:
2951         * runtime/TestRunnerUtils.h:
2952
2953 2015-07-08  Joseph Pecoraro  <pecoraro@apple.com>
2954
2955         Fix grammar issue in TypeError attempting to change an unconfigurable property
2956         https://bugs.webkit.org/show_bug.cgi?id=146774
2957
2958         Reviewed by Brent Fulgham.
2959
2960         * runtime/JSFunction.cpp:
2961         (JSC::JSFunction::defineOwnProperty):
2962         * runtime/JSObject.cpp:
2963         (JSC::JSObject::defineOwnNonIndexProperty):
2964         * runtime/StringObject.cpp:
2965         (JSC::StringObject::defineOwnProperty):
2966
2967 2015-07-06  Csaba Osztrogonác  <ossy@webkit.org>
2968
2969         Remove the unused HeapBlock.h
2970         https://bugs.webkit.org/show_bug.cgi?id=146580
2971
2972         Reviewed by Andreas Kling.
2973
2974         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2975         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2976         * JavaScriptCore.xcodeproj/project.pbxproj:
2977         * heap/CopiedBlock.h:
2978         * heap/CopiedSpace.h:
2979         * heap/CopiedSpaceInlines.h:
2980         * heap/HandleBlock.h:
2981         * heap/HeapBlock.h: Removed.
2982         * heap/MarkedBlock.h:
2983
2984 2015-07-06  Saam barati  <saambarati1@gmail.com>
2985
2986         JSC's parser should follow the ES6 spec with respect to parsing Declarations
2987         https://bugs.webkit.org/show_bug.cgi?id=146621
2988
2989         Reviewed by Mark Lam.
2990
2991         There were a few locations where JSC would allow declaration statements
2992         in incorrect ways. JSC didn't distinguish between 'Statement' and
2993         'StatementListItem' grammar productions. The relevant grammar is here:
2994         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements
2995
2996         From the ECMA Script 6.0 spec:
2997         1. Section 13.6 The if Statement (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-if-statement) 
2998          says that IfStatements only takes Statements for the "then-else" clauses, not StatementListItems.
2999          (Same with 'while/for/do-while' loop bodies).
3000         2. Section 13 ECMAScript Language: Statements and Declarations 
3001          (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-ecmascript-language-statements-and-declarations)
3002          defines the syntax of Statements, and they do not include ClassDeclarations and LexicalDeclarations 
3003          (const, let, see 13.3.1 Let and Const Declarations).
3004          Declarations can only be in the “then-else” clauses when embedded in a StatementListItem in a BlockStatement (see 13.2).
3005
3006         Hence, the following style of declarations are no longer allowed:
3007             'if/for/while (condition) const x = 40;'
3008             'if/for/while (condition) class C { }'
3009
3010         Instead, we mandate such declaration constructs are within a StatementList 
3011        (which is the production that JSC's Parser::parseSourceElements function parses):
3012            'if/for/while (condition) { const x = 40; }'
3013            'if/for/while (condition) { class C { } }'
3014
3015         * parser/Parser.cpp:
3016         (JSC::Parser<LexerType>::parseSourceElements):
3017         (JSC::Parser<LexerType>::parseStatementListItem):
3018         (JSC::Parser<LexerType>::parseVarDeclaration):
3019         (JSC::Parser<LexerType>::parseStatement):
3020         (JSC::Parser<LexerType>::parseExpressionStatement):
3021         * parser/Parser.h:
3022         (JSC::Parser::getLabel):
3023
3024 2015-07-06  Alex Christensen  <achristensen@webkit.org>
3025
3026         Unreviewed debug build fix after r186358.
3027
3028         * runtime/JSArray.cpp:
3029         (JSC::JSArray::fastConcatWith):
3030         Pass vm parameter to fastConcatType.
3031
3032 2015-07-06  Ryosuke Niwa  <rniwa@webkit.org>
3033
3034         Array.concat should be fast for integer or double arrays
3035         https://bugs.webkit.org/show_bug.cgi?id=146260
3036
3037         Reviewed by Darin Adler.
3038
3039         Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous
3040         arrays, simply memcopy the arrays into a new uninitialized buffer.
3041
3042         This improves huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro.
3043
3044         * runtime/ArrayPrototype.cpp:
3045         (JSC::arrayProtoFuncConcat):
3046         * runtime/JSArray.cpp:
3047         (JSC::JSArray::fastConcatWith): Added.
3048         * runtime/JSArray.h:
3049         (JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use
3050         the fact path. Returns NonArray otherwise.
3051
3052 2015-07-06  Youenn Fablet  <youenn.fablet@crf.canon.fr>
3053
3054         [Streams API] Remove ReadableStream custom constructor
3055         https://bugs.webkit.org/show_bug.cgi?id=146547
3056
3057         Reviewed by Darin Adler.
3058
3059         Adding helper function to throw range errors.
3060
3061         * runtime/Error.h:
3062         (JSC::throwRangeError):
3063         (JSC::throwVMRangeError):
3064
3065 2015-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3066
3067         [ES6] Implement the latest Promise spec in JS
3068         https://bugs.webkit.org/show_bug.cgi?id=146229
3069
3070         Reviewed by Sam Weinig.
3071
3072         Updated the Promise implementation to meet to the ES6 spec.
3073         This patch
3074         1. Implement ES6 Promise and related abstract operations in builtins JS
3075         2. Expose @enqueueJob private function to JS world to post the microtask
3076
3077         Updated implementation has one-on-one correspondence to the ES6 spec description.
3078         And keep the JSPromiseDeferred because it is the interface used from the WebCore.
3079
3080         * CMakeLists.txt:
3081         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3082         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3083         * JavaScriptCore.xcodeproj/project.pbxproj:
3084         * builtins/Array.prototype.js:
3085         (reduce):
3086         (reduceRight):
3087         (every):
3088         (forEach):
3089         (filter):
3090         (map):
3091         (some):
3092         (fill):
3093         (find):
3094         (findIndex):
3095         (includes):
3096         (copyWithin):
3097         ToInteger / ToLength are renamed to toInteger and toLength.
3098         * builtins/ArrayConstructor.js:
3099         (from):
3100         ToInteger / ToLength are renamed to toInteger and toLength.
3101         * builtins/GlobalObject.js:
3102         (toInteger):
3103         (toLength):
3104         (isObject):
3105         (ToInteger): Deleted.
3106         (ToLength): Deleted.
3107         ToInteger / ToLength are renamed to toInteger and toLength.
3108         Add new abstract operation, isObject.
3109         * builtins/Operations.Promise.js: Added.
3110         (isPromise):
3111         (newPromiseReaction):
3112         (newPromiseDeferred):
3113         (newPromiseCapability.executor):
3114         (newPromiseCapability):
3115         (triggerPromiseReactions):
3116         (rejectPromise):
3117         (fulfillPromise):
3118         (createResolvingFunctions.resolve):
3119         (createResolvingFunctions.reject):
3120         (createResolvingFunctions):
3121         (promiseReactionJob):
3122         (promiseResolveThenableJob):
3123         (initializePromise):
3124         Added Promise related abstract operations.
3125         * builtins/Promise.prototype.js:
3126         (catch):
3127         (.onFulfilled):
3128         (.onRejected):
3129         (then):
3130         Promise#then implementation in JS.
3131         * builtins/PromiseConstructor.js: Added.
3132         (all.newResolveElement):
3133         (all):
3134         (race):
3135         (reject):
3136         (resolve):
3137         Promise static functions implementations in JS.
3138         * builtins/StringConstructor.js:
3139         (raw):
3140         ToInteger / ToLength are renamed to toInteger and toLength.
3141         * inspector/JSInjectedScriptHost.cpp:
3142         (Inspector::JSInjectedScriptHost::getInternalProperties):
3143         * runtime/CommonIdentifiers.h:
3144         * runtime/JSGlobalObject.cpp:
3145         (JSC::enqueueJob):
3146         (JSC::JSGlobalObject::init):
3147         (JSC::JSGlobalObject::visitChildren):
3148         * runtime/JSGlobalObject.h:
3149         (JSC::JSGlobalObject::initializePromiseFunction):
3150         (JSC::JSGlobalObject::newPromiseDeferredFunction):
3151         * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h.
3152         (JSC::createJSJob):
3153         (JSC::JSJobMicrotask::run):
3154         * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h.
3155         * runtime/JSPromise.cpp:
3156         (JSC::JSPromise::create):
3157         (JSC::JSPromise::JSPromise):
3158         (JSC::JSPromise::finishCreation):
3159         (JSC::JSPromise::result):
3160         (JSC::JSPromise::destroy): Deleted.
3161         (JSC::JSPromise::visitChildren): Deleted.
3162         (JSC::JSPromise::reject): Deleted.
3163         (JSC::JSPromise::resolve): Deleted.
3164         (JSC::JSPromise::appendResolveReaction): Deleted.
3165         (JSC::JSPromise::appendRejectReaction): Deleted.
3166         (JSC::triggerPromiseReactions): Deleted.
3167         * runtime/JSPromise.h:
3168         (JSC::JSPromise::status): Deleted.
3169         (JSC::JSPromise::result): Deleted.
3170         (JSC::JSPromise::constructor): Deleted.
3171         * runtime/JSPromiseConstructor.cpp:
3172         (JSC::constructPromise):
3173         (JSC::JSPromiseConstructorFuncResolve): Deleted.
3174         (JSC::JSPromiseConstructorFuncReject): Deleted.
3175         (JSC::performPromiseRaceLoop): Deleted.
3176         (JSC::JSPromiseConstructorFuncRace): Deleted.
3177         (JSC::performPromiseAll): Deleted.
3178         (JSC::JSPromiseConstructorFuncAll): Deleted.
3179         * runtime/JSPromiseDeferred.cpp:
3180         (JSC::JSPromiseDeferred::create):
3181         (JSC::createJSPromiseDeferredFromConstructor): Deleted.
3182         (JSC::updateDeferredFromPotentialThenable): Deleted.
3183         (JSC::performDeferredResolve): Deleted.
3184         (JSC::performDeferredReject): Deleted.
3185         (JSC::abruptRejection): Deleted.
3186         * runtime/JSPromiseDeferred.h:
3187         * runtime/JSPromiseFunctions.cpp: Removed.
3188         (JSC::deferredConstructionFunction): Deleted.
3189         (JSC::createDeferredConstructionFunction): Deleted.
3190         (JSC::identifyFunction): Deleted.
3191         (JSC::createIdentifyFunction): Deleted.
3192         (JSC::promiseAllCountdownFunction): Deleted.
3193         (JSC::createPromiseAllCountdownFunction): Deleted.
3194         (JSC::promiseResolutionHandlerFunction): Deleted.
3195         (JSC::createPromiseResolutionHandlerFunction): Deleted.
3196         (JSC::rejectPromiseFunction): Deleted.
3197         (JSC::createRejectPromiseFunction): Deleted.
3198         (JSC::resolvePromiseFunction): Deleted.
3199         (JSC::createResolvePromiseFunction): Deleted.
3200         (JSC::throwerFunction): Deleted.
3201         (JSC::createThrowerFunction): Deleted.
3202         * runtime/JSPromisePrototype.cpp:
3203         (JSC::JSPromisePrototypeFuncThen): Deleted.
3204         * runtime/JSPromiseReaction.cpp: Removed.
3205         (JSC::createExecutePromiseReactionMicrotask): Deleted.
3206         (JSC::ExecutePromiseReactionMicrotask::run): Deleted.
3207         (JSC::JSPromiseReaction::create): Deleted.
3208         (JSC::JSPromiseReaction::JSPromiseReaction): Deleted.
3209         (JSC::JSPromiseReaction::finishCreation): Deleted.
3210         (JSC::JSPromiseReaction::visitChildren): Deleted.
3211         * runtime/VM.cpp:
3212         (JSC::VM::VM): Deleted.
3213         * runtime/VM.h:
3214
3215 2015-07-04  Chris Dumez  <cdumez@apple.com>
3216
3217         Drop RefPtr::clear() method
3218         https://bugs.webkit.org/show_bug.cgi?id=146556
3219
3220         Reviewed by Brady Eidson.
3221
3222         Drop RefPtr::clear() method in favor of "= nullptr;" pattern.
3223
3224 2015-07-03  Dan Bernstein  <mitz@apple.com>
3225
3226         Just give up on -Wunreachable-code in JavaScriptCore.
3227
3228         * Configurations/Base.xcconfig:
3229         * llint/LowLevelInterpreter.cpp:
3230         (JSC::CLoop::execute):
3231
3232 2015-07-03  Dan Bernstein  <mitz@apple.com>
3233
3234         Fixed the LLINT CLoop build.
3235
3236         * llint/LowLevelInterpreter.cpp:
3237         (JSC::CLoop::execute):
3238
3239 2015-07-03  Dan Bernstein  <mitz@apple.com>
3240
3241         [Xcode] Update some build settings as recommended by Xcode 7
3242         https://bugs.webkit.org/show_bug.cgi?id=146597
3243
3244         Reviewed by Sam Weinig.
3245
3246         * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
3247         GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.
3248
3249         * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.
3250
3251         * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings.
3252
3253 2015-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3254
3255         Relax builtin JS restriction about try-catch
3256         https://bugs.webkit.org/show_bug.cgi?id=146555
3257
3258         Reviewed by Sam Weinig.
3259
3260         When retrieving the captured variables from the full activated scope,
3261         it swapped the given vector with the stored declared variables vector.
3262         This is because retrieving the captured variables are executed in the
3263         last sequence of the parser, so declared variables are no longer used.
3264         However, in builtins functions case, after retrieving the captured
3265         variables, we check the variables by using declared variables vector.
3266         So at that time, the declared variables vector becomes empty and it
3267         raises assertion failures when the builtins function contains the full
3268         activated scope. try-catch's catch scope requires the upper scope full
3269         activated, so JS code in the builtins cannot use the try-catch.
3270
3271         This patch relaxes this restriction. When retrieving the captured
3272         variables from the scope, just copy to the given vector.
3273
3274         * parser/Parser.h:
3275         (JSC::Scope::getCapturedVariables):
3276
3277 2015-07-02  Filip Pizlo  <fpizlo@apple.com>
3278
3279         DFG and FTL should have an OSR exit fuzzer
3280         https://bugs.webkit.org/show_bug.cgi?id=146562
3281
3282         Reviewed by Benjamin Poulain.
3283         
3284         Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I
3285         spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how
3286         to harness this after I land it.
3287         
3288         Since it's turned off by default, it should have no effect on behavior.
3289
3290         * CMakeLists.txt:
3291         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3292         * JavaScriptCore.xcodeproj/project.pbxproj:
3293         * dfg/DFGOSRExitFuzz.cpp: Added.
3294         (JSC::numberOfOSRExitFuzzChecks):
3295         * dfg/DFGOSRExitFuzz.h: Added.
3296         * dfg/DFGSpeculativeJIT.cpp:
3297         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
3298         (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
3299         (JSC::DFG::SpeculativeJIT::speculationCheck):
3300         * dfg/DFGSpeculativeJIT.h:
3301         * ftl/FTLLowerDFGToLLVM.cpp:
3302         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
3303         * jsc.cpp:
3304         (jscmain):
3305         * runtime/Options.h:
3306         * runtime/TestRunnerUtils.h:
3307
3308 2015-07-02  Saam barati  <saambarati1@gmail.com>
3309
3310         Rename "Deconstruction" to "Destructuring" throughout JSC
3311         https://bugs.webkit.org/show_bug.cgi?id=146100
3312
3313         Reviewed by Mark Lam.
3314
3315         It is good to use the same naming conventions as the ES6 
3316         spec because it is the de facto way of speaking about these 
3317         language features. This also has the benefit of improving JSC's
3318         hackability because it improves code readability for newcomers 
3319         to JSC or newcomers to this part of the code base.
3320
3321         * bytecompiler/BytecodeGenerator.cpp:
3322         (JSC::BytecodeGenerator::generate):
3323         (JSC::BytecodeGenerator::BytecodeGenerator):
3324         (JSC::BytecodeGenerator::initializeNextParameter):
3325         (JSC::BytecodeGenerator::visibleNameForParameter):
3326         * bytecompiler/BytecodeGenerator.h:
3327         (JSC::BytecodeGenerator::registerFor):
3328         * bytecompiler/NodesCodegen.cpp:
3329         (JSC::ForInNode::tryGetBoundLocal):
3330         (JSC::ForInNode::emitLoopHeader):
3331         (JSC::ForOfNode::emitBytecode):
3332         (JSC::ClassExprNode::emitBytecode):
3333         (JSC::DestructuringAssignmentNode::emitBytecode):
3334         (JSC::DestructuringPatternNode::~DestructuringPatternNode):
3335         (JSC::ArrayPatternNode::collectBoundIdentifiers):
3336         (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted.
3337         (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted.
3338         * parser/ASTBuilder.h:
3339         (JSC::ASTBuilder::createElementList):
3340         (JSC::ASTBuilder::createFormalParameterList):
3341         (JSC::ASTBuilder::createClause):
3342         (JSC::ASTBuilder::createClauseList):
3343         (JSC::ASTBuilder::createForInLoop):
3344         (JSC::ASTBuilder::createForOfLoop):
3345         (JSC::ASTBuilder::isBindingNode):
3346         (JSC::ASTBuilder::isResolve):
3347         (JSC::ASTBuilder::createDestructuringAssignment):
3348         (JSC::ASTBuilder::createArrayPattern):
3349         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
3350         (JSC::ASTBuilder::appendArrayPatternEntry):
3351         (JSC::ASTBuilder::appendArrayPatternRestEntry):
3352         (JSC::ASTBuilder::createObjectPattern):
3353         (JSC::ASTBuilder::appendObjectPatternEntry):
3354         (JSC::ASTBuilder::createDeconstructingAssignment): Deleted.
3355         * parser/NodeConstructors.h:
3356         (JSC::TryNode::TryNode):
3357         (JSC::ParameterNode::ParameterNode):
3358         (JSC::ForOfNode::ForOfNode):
3359         (JSC::DestructuringPatternNode::DestructuringPatternNode):
3360         (JSC::ArrayPatternNode::ArrayPatternNode):
3361         (JSC::ArrayPatternNode::create):
3362         (JSC::ObjectPatternNode::ObjectPatternNode):
3363         (JSC::BindingNode::create):
3364         (JSC::BindingNode::BindingNode):
3365         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
3366         (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted.
3367         (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted.
3368         * parser/Nodes.cpp:
3369         (JSC::FunctionParameters::create):
3370         * parser/Nodes.h:
3371         (JSC::ExpressionNode::isResolveNode):
3372         (JSC::ExpressionNode::isBracketAccessorNode):
3373         (JSC::ExpressionNode::isDotAccessorNode):
3374         (JSC::ExpressionNode::isDestructuringNode):
3375         (JSC::ExpressionNode::isFuncExprNode):
3376         (JSC::ExpressionNode::isCommaNode):
3377         (JSC::ExpressionNode::isSimpleArray):
3378         (JSC::ParameterNode::pattern):
3379         (JSC::ParameterNode::nextParam):
3380         (JSC::FunctionParameters::size):
3381         (JSC::FunctionParameters::at):
3382         (JSC::FunctionParameters::patterns):
3383         (JSC::DestructuringPatternNode::isBindingNode):
3384         (JSC::DestructuringPatternNode::emitDirectBinding):
3385         (JSC::ArrayPatternNode::appendIndex):
3386         (JSC::ObjectPatternNode::appendEntry):
3387         (JSC::BindingNode::boundProperty):
3388         (JSC::DestructuringAssignmentNode::bindings):
3389         (JSC::ExpressionNode::isDeconstructionNode): Deleted.
3390         (JSC::DeconstructionPatternNode::isBindingNode): Deleted.
3391         (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted.
3392         (JSC::DeconstructingAssignmentNode::bindings): Deleted.
3393         * parser/Parser.cpp:
3394         (JSC::Parser<LexerType>::parseVarDeclaration):
3395         (JSC::Parser<LexerType>::parseWhileStatement):
3396         (JSC::Parser<LexerType>::parseVarDeclarationList):
3397         (JSC::Parser<LexerType>::createBindingPattern):
3398         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
3399         (JSC::Parser<LexerType>::parseDestructuringPattern):
3400         (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
3401         (JSC::Parser<LexerType>::parseForStatement):
3402         (JSC::Parser<LexerType>::parseFormalParameters):
3403         (JSC::Parser<LexerType>::parseFunctionParameters):
3404         (JSC::Parser<LexerType>::parseAssignmentExpression):
3405         (JSC::Parser<LexerType>::tryParseDeconstructionPatternExpression): Deleted.
3406         (JSC::Parser<LexerType>::parseDeconstructionPattern): Deleted.
3407         (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern): Deleted.
3408         * parser/Parser.h:
3409         (JSC::isEvalNode):
3410         * parser/SyntaxChecker.h:
3411         (JSC::SyntaxChecker::createPropertyList):
3412         (JSC::SyntaxChecker::createElementList):
3413         (JSC::SyntaxChecker::createFormalParameterList):
3414         (JSC::SyntaxChecker::createClause):
3415         (JSC::SyntaxChecker::createClauseList):
3416         (JSC::SyntaxChecker::operatorStackPop):
3417         * tests/stress/reserved-word-with-escape.js:
3418         * tests/stress/rest-elements.js:
3419
3420 2015-07-02  Mark Lam  <mark.lam@apple.com>
3421
3422         Build fix for Win EWS bot.
3423         https://bugs.webkit.org/show_bug.cgi?id=146551
3424
3425         Not reviewed.
3426
3427         * tools/JSDollarVMPrototype.cpp:
3428         (JSC::functionCrash):
3429
3430 2015-07-02  Dan Bernstein  <mitz@apple.com>
3431
3432         <rdar://problem/21429613> [iOS] Stop making symlinks from PrivateFrameworks to Frameworks
3433         https://bugs.webkit.org/show_bug.cgi?id=146542
3434
3435         Reviewed by Sam Weinig.
3436
3437         * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink.
3438
3439 2015-07-01  Joseph Pecoraro  <pecoraro@apple.com>
3440
3441         Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes
3442         https://bugs.webkit.org/show_bug.cgi?id=146536
3443
3444         Reviewed by Timothy Hatcher.
3445
3446         * inspector/protocol/Timeline.json:
3447         Change a CPUProfile from sending a required "calls" param to sending a required
3448         "callInfo" param which includes aggregated information about the calls.
3449
3450 2015-06-30  Filip Pizlo  <fpizlo@apple.com>
3451
3452         DFG::freezeFragile should register the frozen value's structure
3453         https://bugs.webkit.org/show_bug.cgi?id=136055
3454         rdar://problem/21042120
3455
3456         Reviewed by Mark Lam and Geoffrey Garen.
3457         
3458         This fixes weird concurrency bugs where the constant folding phase tries to convert
3459         something to a constant but then crashes because the constant's structure wasn't
3460         registered. The AI was registering the structure of any value it saw, but constant folding
3461         wasn't - and that's fine so long as there ain't no concurrency.
3462         
3463         The best fix is to just make it impossible to introduce a constant into the IR without
3464         registering its structure. That's what this change does. This is not only a great
3465         concurrency fix - it also makes the compiler somewhat easier to hack on because it's one
3466         less case of structure registering that you have to remember about.
3467         
3468         * dfg/DFGAbstractValue.cpp:
3469         (JSC::DFG::AbstractValue::setOSREntryValue): No need to register.
3470         (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state.
3471         * dfg/DFGGraph.cpp:
3472         (JSC::DFG::Graph::freezeFragile): Register the structure.
3473         * dfg/DFGStructureRegistrationPhase.cpp:
3474         (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered.
3475
3476 2015-07-01  Matthew Mirman  <mmirman@apple.com>
3477
3478         Unreviewed, rolling out r185889
3479         https://bugs.webkit.org/show_bug.cgi?id=146528
3480         rdar://problem/21573959
3481
3482         Patch breaks chromeexperiments.com
3483         
3484         Reverted changeset:
3485         
3486         * CMakeLists.txt:
3487         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3488         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3489         * JavaScriptCore.xcodeproj/project.pbxproj:
3490         * inspector/InjectedScriptSource.js:
3491         (.):
3492         * runtime/JSBoundSlotBaseFunction.cpp: Removed.
3493         * runtime/JSBoundSlotBaseFunction.h: Removed.
3494         * runtime/JSGlobalObject.cpp:
3495         (JSC::JSGlobalObject::init): Deleted.
3496         (JSC::JSGlobalObject::visitChildren): Deleted.
3497         * runtime/JSGlobalObject.h:
3498         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
3499         * runtime/JSObject.cpp:
3500         (JSC::JSObject::getOwnPropertyDescriptor):
3501         (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
3502         * runtime/VM.cpp:
3503         (JSC::VM::VM): Deleted.
3504         * runtime/VM.h:
3505
3506 2015-07-01  Dean Jackson  <dino@apple.com>
3507
3508         Disable the experimental WebGL2 implementation
3509         https://bugs.webkit.org/show_bug.cgi?id=146526
3510         <rdar://problem/21641235>
3511
3512         Reviewed by Myles Maxfield.
3513
3514         Add (and disable) an ENABLE_WEBGL2 flag.
3515
3516         * Configurations/FeatureDefines.xcconfig:
3517
3518 2015-07-01  Matthew Daiter  <mdaiter@apple.com>
3519
3520         Enable MEDIA_STREAM flag
3521         https://bugs.webkit.org/show_bug.cgi?id=145947
3522         <rdar://problem/21365829>
3523
3524         Reviewed by Eric Carlson.
3525
3526         * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag
3527
3528 2015-06-30  Andy VanWagoner  <thetalecrafter@gmail.com>
3529
3530         Implement ECMAScript Internationalization API
3531         https://bugs.webkit.org/show_bug.cgi?id=90906
3532
3533         Reviewed by Benjamin Poulain.
3534
3535         * CMakeLists.txt: add IntlObject.cpp
3536         * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag
3537         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject
3538         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject
3539         * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject
3540         * runtime/CommonIdentifiers.h: add "Intl" name
3541         * runtime/IntlObject.cpp: Added.
3542         (JSC::IntlObject::IntlObject):
3543         (JSC::IntlObject::create):
3544         (JSC::IntlObject::finishCreation):
3545         (JSC::IntlObject::createStructure):
3546         * runtime/IntlObject.h: Added.
3547         * runtime/JSGlobalObject.cpp: Add global Intl
3548         (JSC::JSGlobalObject::init):
3549
3550 2015-06-30  Basile Clement  <basile_clement@apple.com>
3551
3552         Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes
3553         https://bugs.webkit.org/show_bug.cgi?id=146431
3554
3555         Reviewed by Filip Pizlo.
3556
3557         * dfg/DFGNode.h:
3558         (JSC::DFG::Node::isFunctionAllocation):
3559         (JSC::DFG::Node::isPhantomFunctionAllocation):
3560         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3561         (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
3562         * dfg/DFGPromoteHeapAccess.h:
3563         (JSC::DFG::promoteHeapAccess):
3564
3565 2015-06-30  Matt Baker  <mattbaker@apple.com>
3566
3567         Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing
3568         https://bugs.webkit.org/show_bug.cgi?id=146168
3569
3570         Reviewed by Brian Burg.
3571
3572         * inspector/protocol/Timeline.json:
3573         New timeline record type for compositing events.
3574
3575 2015-06-29  Dean Jackson  <dino@apple.com>
3576
3577         Temporarily disable PICTURE_SIZES
3578         https://bugs.webkit.org/show_bug.cgi?id=146435
3579         <rdar://problem/21087013>
3580
3581         Reviewed by Tim Horton.
3582
3583         Temporarily disable PICTURE_SIZES because it causes problems with out
3584         of date <picture> polyfills.
3585
3586         * Configurations/FeatureDefines.xcconfig:
3587
3588 2015-06-29  Youenn Fablet  <youenn.fablet@crf.canon.fr>
3589
3590         Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue
3591         https://bugs.webkit.org/show_bug.cgi?id=146403
3592
3593         Reviewed by Darin Adler.
3594
3595         * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue.
3596
3597 2015-06-28 Aleksandr Skachkov   <gskachkov@gmail.com>
3598
3599         [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and =>
3600         https://bugs.webkit.org/show_bug.cgi?id=146394
3601
3602         Reviewed by Yusuke Suzuki.
3603
3604         * parser/Parser.cpp:
3605         (JSC::Parser<LexerType>::parseFunctionInfo):
3606
3607 2015-06-27  Darin Adler  <darin@apple.com>
3608
3609         Make converting JSString to StringView idiomatically safe
3610         https://bugs.webkit.org/show_bug.cgi?id=146387
3611
3612         Reviewed by Anders Carlsson.
3613
3614         * jsc.cpp:
3615         (functionPrint): Add explicit call to SafeView::get, needed since there
3616         is no StringView temporary.
3617         (functionDebug): Ditto.
3618
3619         * runtime/ArrayPrototype.cpp:
3620         (JSC::holesMustForwardToPrototype): Refactored into helper function.
3621         (JSC::join): Refactored so that StringView is a function argument, making
3622         the lifetime simpler.
3623         (JSC::arrayProtoFuncJoin): Ditto.
3624         (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper.
3625
3626         * runtime/JSGlobalObjectFunctions.cpp:
3627         (JSC::encode): Add explicit call to SafeView::get.
3628
3629         * runtime/JSString.h: Moved declarations of functions to the top of the
3630         file instead of mixing them in with the function definitions. Changed
3631         return type of the view function to return a JSString::SafeView so that
3632         the JSString's lifetime will last as long as the StringView does in
3633         typical coding idioms.
3634         (JSC::JSString::getIndex): Use unsafeView so we can index into the
3635         view; could also have used view.get but here in this class this seems fine.
3636         (JSC::JSRopeString::unsafeView): Renamed existing view function to this.
3637         (JSC::JSString::unsafeView): Ditto.
3638         (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState
3639         and a JSString. The ExecState is needed to create the StringView, and the
3640         JSString needs to be kept alive as long as the StringView is.
3641         (JSC::JSString::SafeView::operator StringView): Call unsafeView.
3642         (JSC::JSString::SafeView::get): Convenience for when we want to call
3643         StringView member functions.
3644         (JSC::JSString::view): Added. Returns a SafeView.
3645
3646         * runtime/StringPrototype.cpp:
3647         (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get.
3648
3649 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
3650
3651         Remove ARMv7Assembler.cpp
3652         https://bugs.webkit.org/show_bug.cgi?id=146340
3653
3654         Reviewed by Filip Pizlo.
3655
3656         * CMakeLists.txt:
3657         * JavaScriptCore.xcodeproj/project.pbxproj:
3658         * assembler/ARMv7Assembler.cpp: Removed.
3659
3660 2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>
3661
3662         Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989
3663         https://bugs.webkit.org/show_bug.cgi?id=146344
3664
3665         Reviewed by Yusuke Suzuki.
3666
3667         * parser/Parser.cpp:
3668         (JSC::Parser<LexerType>::parseSourceElements):
3669
3670 2015-06-26 Aleksandr Skachkov  <gskachkov@gmail.com>
3671
3672          [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function. 
3673          https://bugs.webkit.org/show_bug.cgi?id=144955
3674
3675          Reviewed by Yusuke Suzuki.
3676
3677          Added support of ES6 arrow function. Changes were made according to following spec http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. Patch does not include any arrow function specific behavior e.g. lexical bind this, arguments and etc.     
3678         This patch implements the simplest cases of arrow function declaration:
3679            parameters             () => 10 + 20
3680            parameter               x => x + 20
3681            parameters         (x, y) => x + y
3682            function with block     x => { return x*10; }
3683
3684         Not implemented:
3685            bind of the this, arguments, super and etc.
3686            exception in case of trying to use 'new' with arrow function
3687
3688         * parser/ASTBuilder.h:
3689         (JSC::ASTBuilder::createFunctionExpr):
3690         (JSC::ASTBuilder::createArrowFunctionExpr):
3691         (JSC::ASTBuilder::createGetterOrSetterProperty):
3692         (JSC::ASTBuilder::createFuncDeclStatement):
3693         * parser/Lexer.cpp:
3694         (JSC::Lexer<T>::setTokenPosition):
3695         (JSC::Lexer<T>::lex):
3696         * parser/Lexer.h:
3697         (JSC::Lexer::lastTokenLocation):
3698         (JSC::Lexer::setTerminator):
3699         * parser/Parser.cpp:
3700         (JSC::Parser<LexerType>::parseInner):
3701         (JSC::Parser<LexerType>::parseSourceElements):
3702         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody):
3703         (JSC::Parser<LexerType>::parseSwitchClauses):
3704         (JSC::Parser<LexerType>::parseSwitchDefaultClause):
3705         (JSC::Parser<LexerType>::parseBlockStatement):
3706         (JSC::Parser<LexerType>::parseFunctionBody):
3707         (JSC::stringForFunctionMode):
3708         (JSC::Parser<LexerType>::parseFunctionParameters):
3709         (JSC::Parser<LexerType>::parseFunctionInfo):
3710         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3711         (JSC::Parser<LexerType>::parseClass):
3712         (JSC::Parser<LexerType>::parseAssignmentExpression):
3713         (JSC::Parser<LexerType>::parsePropertyMethod):
3714         (JSC::Parser<LexerType>::parseGetterSetter):
3715         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
3716         * parser/Parser.h:
3717         (JSC::Parser::locationBeforeLastToken):
3718         (JSC::Parser::isEndOfArrowFunction):
3719         (JSC::Parser::isArrowFunctionParamters):
3720         (JSC::Parser::setEndOfStatement):
3721         * parser/ParserFunctionInfo.h:
3722         * parser/ParserTokens.h:
3723         * parser/SourceCode.h:
3724         (JSC::SourceCode::subArrowExpression):
3725         * parser/SourceProviderCacheItem.h:
3726         (JSC::SourceProviderCacheItem::endFunctionToken):
3727         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
3728         * parser/SyntaxChecker.h:
3729         (JSC::SyntaxChecker::createArrowFunctionExpr):
3730         (JSC::SyntaxChecker::setFunctionNameStart):
3731
3732 2015-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3733
3734         [ES6] Support rest element in destructuring assignments
3735         https://bugs.webkit.org/show_bug.cgi?id=146206
3736
3737         Reviewed by Oliver Hunt.
3738
3739         This patch enables rest element (...rest) in array binding patterns.
3740         It generates array from the iterables.
3741         In variable declarations and parameters, `[...identifier]` form is only allowed,
3742         while expressions can take `[...[...rest]]` pattern.
3743
3744         * bytecompiler/BytecodeGenerator.cpp:
3745         (JSC::BytecodeGenerator::emitEnumeration):
3746         (JSC::BytecodeGenerator::emitIteratorNext):
3747         * bytecompiler/BytecodeGenerator.h:
3748         * bytecompiler/NodesCodegen.cpp:
3749         (JSC::ArrayPatternNode::bindValue):
3750         (JSC::ArrayPatternNode::toString):
3751         * parser/ASTBuilder.h:
3752         (JSC::ASTBuilder::appendArrayPatternSkipEntry):
3753         (JSC::ASTBuilder::appendArrayPatternEntry):
3754         (JSC::ASTBuilder::appendArrayPatternRestEntry):
3755         * parser/Nodes.h:
3756         (JSC::ArrayPatternNode::appendIndex):
3757         * parser/Parser.cpp:
3758         (JSC::Parser<LexerType>::parseDeconstructionPattern):
3759         * parser/SyntaxChecker.h:
3760         (JSC::SyntaxChecker::operatorStackPop):
3761         * tests/stress/rest-elements.js: Added.
3762         (shouldBe):
3763         (shouldThrow):
3764
3765 2015-06-25  Commit Queue  <commit-queue@webkit.org>
3766
3767         Unreviewed, rolling out r185956.
3768         https://bugs.webkit.org/show_bug.cgi?id=146321
3769
3770         Causes massive crashes on test bots (Requested by bfulgham on
3771         #webkit).
3772
3773         Reverted changeset:
3774
3775         "Enabling MEDIA_STREAM"
3776         https://bugs.webkit.org/show_bug.cgi?id=145947
3777         http://trac.webkit.org/changeset/185956
3778
3779 2015-06-25  Michael Saboff  <msaboff@apple.com>
3780
3781         Minor fix to idx bounds check after 185954
3782
3783         Rubber Stamped by Ryosuke Niwa.
3784
3785         Changed "idx > 1" to "idx > 0" in two places.
3786
3787         * runtime/ExceptionHelpers.cpp:
3788         (JSC::functionCallBase):
3789
3790 2015-06-25  Keith Miller  <keith_miller@apple.com>
3791
3792         Address Sanitizer does not play well with memcpy in JSC::MachineThreads::tryCopyOtherThreadStack.
3793         https://bugs.webkit.org/show_bug.cgi?id=146297
3794
3795         Reviewed by Filip Pizlo.
3796
3797         Since we cannot blacklist the system memcpy we must use our own naive implementation,
3798         copyMemory. This is not a significant performance loss as tryCopyOtherThreadStack is
3799         only called as part of an O(heapsize) operation. As the heap is generally much larger
3800         than the stack the performance hit is minimal.
3801
3802         * heap/MachineStackMarker.cpp:
3803         (JSC::copyMemory):
3804         (JSC::MachineThreads::tryCopyOtherThreadStack):
3805         (JSC::asanUnsafeMemcpy): Deleted.
3806
3807 2015-06-25  Matthew Daiter  <mdaiter@apple.com>
3808
3809         Enabling MEDIA_STREAM
3810         https://bugs.webkit.org/show_bug.cgi?id=145947
3811         <rdar://problem/21365829>
3812
3813         Reviewed by Brent Fulgham.
3814
3815         * Configurations/FeatureDefines.xcconfig:
3816
3817 2015-06-25  Michael Saboff  <msaboff@apple.com>
3818
3819         REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689)
3820         https://bugs.webkit.org/show_bug.cgi?id=146298
3821
3822         Reviewed by Mark Lam.
3823
3824         We were underflowing in ExceptionHelpers.cpp::functionCallBase() with a right to left
3825         string index.  Added checks that idx stays within the string.  Also added a termination
3826         condition when idx is 0.
3827
3828         * runtime/ExceptionHelpers.cpp:
3829         (JSC::functionCallBase):
3830
3831 2015-06-24  Chris Dumez  <cdumez@apple.com>
3832
3833         Unreviewed, speculative build fix after r185942.
3834
3835         Add missing include for StrongInlines.h.
3836
3837         * runtime/ArrayPrototype.cpp:
3838
3839 2015-06-24  Darin Adler  <darin@apple.com>
3840
3841         Optimize Array.join and Array.reverse for high speed array types
3842         https://bugs.webkit.org/show_bug.cgi?id=146275
3843
3844         Reviewed by Mark Lam.
3845
3846         This seems to yield another 17% speed improvement in the array
3847         test from the Peacekeeper benchmark.
3848
3849         * runtime/ArrayPrototype.cpp:
3850         (JSC::isHole): Added. Helper to check for holes.
3851         (JSC::containsHole): Ditto.
3852         (JSC::arrayProtoFuncJoin): Added special cases for the various types
3853         of arrays that could be in a butterfly.
3854         (JSC::arrayProtoFuncReverse): Ditto.
3855
3856         * runtime/JSStringJoiner.h: Made appendEmptyString public so we can
3857         call it from the new parts of Array.join.
3858
3859 2015-06-24  Filip Pizlo  <fpizlo@apple.com>
3860
3861         DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear
3862         https://bugs.webkit.org/show_bug.cgi?id=146291
3863         rdar://problem/21435366
3864
3865         Reviewed by Michael Saboff.
3866         
3867         The filter() method returns Contradiction only when a value *becomes* clear. This is
3868         necessary for supporting the convention that non-JSValue nodes have a bottom proved
3869         type. (We should fix that convention eventually, but for now let's just be consistent
3870         about it.)
3871         
3872         * dfg/DFGFiltrationResult.h: Document the issue.
3873         * dfg/DFGSpeculativeJIT32_64.cpp: Work around the issue.
3874         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3875         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3876         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3877         * dfg/DFGSpeculativeJIT64.cpp: Work around the issue.
3878         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3879         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3880         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3881         (JSC::DFG::SpeculativeJIT::fillSpeculateBoole