Remove the unused *Executable::unlinkCalls() and CodeBlock::unlinkCalls()
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-08-26  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Remove the unused *Executable::unlinkCalls() and CodeBlock::unlinkCalls()
        https://bugs.webkit.org/show_bug.cgi?id=148469

        Reviewed by Geoffrey Garen.

        We use CodeBlock::unlinkIncomingCalls() to unlink calls.
        (...)Executable::unlinkCalls() and CodeBlock::unlinkCalls() are no longer used.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls): Deleted.
        * bytecode/CodeBlock.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::unlinkCalls): Deleted.
        (JSC::ProgramExecutable::unlinkCalls): Deleted.
        (JSC::FunctionExecutable::unlinkCalls): Deleted.
        * runtime/Executable.h:
        (JSC::ScriptExecutable::unlinkCalls): Deleted.

2015-08-25  Brian Burg  <bburg@apple.com>

        Web Inspector: no need to allocate protocolErrors array for every dispatched backend command
        https://bugs.webkit.org/show_bug.cgi?id=146466

        Reviewed by Joseph Pecoraro.

        Clean up some of the backend dispatcher code, with a focus on eliminating useless allocations
        of objects in the common case when no protocol errors happen. This is done by saving the
        current id of each request as it is being processed by the backend dispatcher, and tagging any
        subsequent errors with that id. This also means we don't have to thread the requestId except
        in the async command code path.

        This patch also lifts some common code shared between all generated backend command
        implementations into the per-domain dispatch method instead. This reduces generated code size.

        To be consistent, this patch standardizes on calling the id of a backend message its 'requestId'.
        Requests can be handled synchronously or asynchronously (triggered via the 'async' property).

        No new tests, covered by existing protocol tests.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::CallbackBase): Split the two code paths for reporting
        success and failure.

        (Inspector::BackendDispatcher::CallbackBase::sendFailure):
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess): Renamed from sendIfActive.
        (Inspector::BackendDispatcher::dispatch): Reset counters and current requestId before dispatching.
        No need to manually thread the requestId to all reportProtocolError calls.

        (Inspector::BackendDispatcher::hasProtocolErrors): Added.
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors): Send any saved protocol errors to the frontend.
        Always send a 'data' member with all of the errors, even if there's just one. We might want to add
        more information about errors later.

        (Inspector::BackendDispatcher::reportProtocolError): Enqueue a protocol error to be sent later.
        (Inspector::BackendDispatcher::getPropertyValue): Remove useless type parameters and nuke most of
        the type conversion methods. Use std::function types instead of function pointer types.

        (Inspector::castToInteger): Added.
        (Inspector::castToNumber): Added.
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        (Inspector::getPropertyValue): Deleted.
        (Inspector::AsMethodBridges::asInteger): Deleted.
        (Inspector::AsMethodBridges::asDouble): Deleted.
        (Inspector::AsMethodBridges::asString): Deleted.
        (Inspector::AsMethodBridges::asBoolean): Deleted.
        (Inspector::AsMethodBridges::asObject): Deleted.
        (Inspector::AsMethodBridges::asArray): Deleted.
        (Inspector::AsMethodBridges::asValue): Deleted.
        * inspector/InspectorBackendDispatcher.h:
        * inspector/scripts/codegen/cpp_generator_templates.py: Extract 'params' object in domain dispatch method.
        Omit requestIds where possible. Convert dispatch tables to use NeverDestroyed. Check the protocol error count
        to decide whether to abort the dispatch or not, rather than allocating our own errors array.

        * inspector/scripts/codegen/cpp_generator_templates.py:
        (void):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: Revert to passing RefPtr<InspectorObject>
        since parameters are now being passed rather than the message object. Some commands do not require parameters.
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator._generate_handler_implementation_for_command):
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/objc_generator_templates.py:

        Rebaseline some protocol generator tests.
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2015-08-25  Saam barati  <sbarati@apple.com>

        Let's rename codeOriginIndex to callSiteIndex and get rid of CallFrame::Location.
        https://bugs.webkit.org/show_bug.cgi?id=148213

        Reviewed by Filip Pizlo.

        This patch introduces a struct called CallSiteIndex which is
        used as a wrapper for a 32-bit int to place things in the tag for ArgumentCount
        in the call frame. On 32-bit we place Instruction* into this slot for LLInt and Baseline.
        For 32-bit DFG we place an index into the code origin table in this slot.
        On 64-bit we place a bytecode offset into this slot for LLInt and Baseline.
        On 64-bit we place the index into the code origin table in this slot in the
        DFG/FTL.

        This patch also gets rid of the encoding scheme that describes if something is a
        bytecode index or a code origin table index. This information can always
        be determined based on the CodeBlock's JITType.

        StructureStubInfo now also has a CallSiteIndex which it stores to
        the call frame when making a call.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasCodeOrigins):
        (JSC::CodeBlock::canGetCodeOrigin):
        (JSC::CodeBlock::codeOrigin):
        (JSC::CodeBlock::addFrequentExitSite):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::StructureStubInfo):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        (JSC::DFG::CommonData::addCodeOrigin):
        (JSC::DFG::CommonData::shrinkToFit):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::setEndOfCode):
        (JSC::DFG::JITCompiler::addCallSite):
        (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLInlineCacheDescriptor.h:
        (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
        (JSC::FTL::InlineCacheDescriptor::stackmapID):
        (JSC::FTL::InlineCacheDescriptor::callSiteIndex):
        (JSC::FTL::InlineCacheDescriptor::uid):
        (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
        (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
        (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
        (JSC::FTL::InlineCacheDescriptor::codeOrigin): Deleted.
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
        (JSC::FTL::DFG::LowerDFGToLLVM::getById):
        (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::storeCodeOrigin):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::currentVPC):
        (JSC::CallFrame::setCurrentVPC):
        (JSC::CallFrame::callSiteBitsAsBytecodeOffset):
        (JSC::CallFrame::bytecodeOffset):
        (JSC::CallFrame::codeOrigin):
        (JSC::CallFrame::topOfFrameInternal):
        (JSC::CallFrame::locationAsBytecodeOffset): Deleted.
        (JSC::CallFrame::setLocationAsBytecodeOffset): Deleted.
        (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex): Deleted.
        * interpreter/CallFrame.h:
        (JSC::CallSiteIndex::CallSiteIndex):
        (JSC::CallSiteIndex::bits):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::abstractReturnPC):
        (JSC::ExecState::topOfFrame):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setScope):
        (JSC::ExecState::currentVPC): Deleted.
        (JSC::ExecState::setCurrentVPC): Deleted.
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::callSiteBitsAreBytecodeOffset):
        (JSC::CallFrame::callSiteBitsAreCodeOriginIndex):
        (JSC::CallFrame::callSiteAsRawBits):
        (JSC::CallFrame::callSiteIndex):
        (JSC::CallFrame::hasActivation):
        (JSC::CallFrame::Location::encode): Deleted.
        (JSC::CallFrame::Location::decode): Deleted.
        (JSC::CallFrame::Location::encodeAsBytecodeOffset): Deleted.
        (JSC::CallFrame::Location::encodeAsBytecodeInstruction): Deleted.
        (JSC::CallFrame::Location::encodeAsCodeOriginIndex): Deleted.
        (JSC::CallFrame::Location::isBytecodeLocation): Deleted.
        (JSC::CallFrame::Location::isCodeOriginIndex): Deleted.
        (JSC::CallFrame::hasLocationAsBytecodeOffset): Deleted.
        (JSC::CallFrame::hasLocationAsCodeOriginIndex): Deleted.
        (JSC::CallFrame::locationAsRawBits): Deleted.
        (JSC::CallFrame::setLocationAsRawBits): Deleted.
        (JSC::CallFrame::locationAsBytecodeOffset): Deleted.
        (JSC::CallFrame::setLocationAsBytecodeOffset): Deleted.
        (JSC::CallFrame::locationAsCodeOriginIndex): Deleted.
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::Frame::print):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::garbageStubInfo):
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::generateFastPathChecks):
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        (JSC::JITGetByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::stubInfo):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlines.h:
        (JSC::JIT::updateTopCallFrame):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        (JSC::tryGetByValOptimize):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetByValWithCachedId):
        (JSC::JIT::emitPutByValWithCachedId):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):

2015-08-25  Aleksandr Skachkov  <gskachkov@gmail.com>

        Function.prototype.toString is incorrect for ArrowFunction
        https://bugs.webkit.org/show_bug.cgi?id=148148

        Reviewed by Saam Barati.

        Added correct support of toString() method for arrow function.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        (JSC::ASTBuilder::createArrowFunctionExpr):
        * parser/Nodes.cpp:
        (JSC::FunctionMetadataNode::FunctionMetadataNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionBody):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionMetadata):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * tests/stress/arrowfunction-tostring.js: Added.

2015-08-25  Saam barati  <sbarati@apple.com>

        Callee can be incorrectly overridden when it's captured
        https://bugs.webkit.org/show_bug.cgi?id=148400

        Reviewed by Filip Pizlo.

        We now resort to always creating the function name scope
        when the function name is in scope. Because the bytecode
        generator now has a notion of local lexical scoping,
        this incurs no runtime penalty for function expression names
        that aren't heap allocated. If they are heap allocated,
        this means we may now have one more scope on the runtime
        scope stack than before. This modification simplifies the
        callee initialization code and uses the lexical scoping constructs
        to implement this. This implementation also ensures
        that everything Just Works for functions with default
        parameter values. Before this patch, IIFE functions
        with default parameter values and a captured function
        name would crash JSC.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::resolveType):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Variable::isReadOnly):
        (JSC::Variable::isSpecial):
        (JSC::Variable::isConst):
        (JSC::Variable::setIsReadOnly):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        * tests/stress/IIFE-es6-default-parameters.js: Added.
        (assert):
        (.):
        * tests/stress/IIFE-function-name-captured.js: Added.
        (assert):
        (.):

2015-08-24  Brian Burg  <bburg@apple.com>

        Web Inspector: add protocol test for existing error handling performed by the backend
        https://bugs.webkit.org/show_bug.cgi?id=147097

        Reviewed by Joseph Pecoraro.

        A new test revealed that the protocol "method" parameter was being parsed in a naive way.
        Rewrite it to use String::split and improve error checking to avoid failing later.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):

2015-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Return JSInternalPromise as result of evaluateModule
        https://bugs.webkit.org/show_bug.cgi?id=148173

        Reviewed by Saam Barati.

        Now evaluateModule returns JSInternalPromise* as its result value.
        When an error occurs while loading or executing the modules,
        this promise is rejected by that error. By leveraging this, we implemented
        asynchronous error reporting when executing the modules in JSC shell.

        And this patch also changes the evaluateModule signature to accept the entry
        point by the moduleName. By using it, JSC shell can start executing the modules
        with the entry point module name.

        * builtins/ModuleLoaderObject.js:
        (loadModule):
        * jsc.cpp:
        (dumpException):
        (runWithScripts):
        * runtime/Completion.cpp:
        (JSC::evaluateModule):
        * runtime/Completion.h:
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSInternalPromise.h:
        * runtime/ModuleLoaderObject.cpp:
        (JSC::ModuleLoaderObject::requestInstantiateAll):
        (JSC::ModuleLoaderObject::loadModule):
        (JSC::ModuleLoaderObject::resolve):
        (JSC::ModuleLoaderObject::fetch):
        (JSC::ModuleLoaderObject::translate):
        (JSC::ModuleLoaderObject::instantiate):
        (JSC::moduleLoaderObjectParseModule):
        * runtime/ModuleLoaderObject.h:

2015-08-24  Basile Clement  <basile_clement@apple.com>

        REPTACH is not a word
        https://bugs.webkit.org/show_bug.cgi?id=148401

        Reviewed by Saam Barati.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
        (JSC::MacroAssemblerX86_64::call):
        (JSC::MacroAssemblerX86_64::tailRecursiveCall):
        (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
        (JSC::MacroAssemblerX86_64::readCallTarget):
        (JSC::MacroAssemblerX86_64::linkCall):
        (JSC::MacroAssemblerX86_64::repatchCall):

2015-08-24  Mark Lam  <mark.lam@apple.com>

        Add support for setting JSC options from a file.
        https://bugs.webkit.org/show_bug.cgi?id=148394

        Reviewed by Saam Barati.

        This is needed for environments where the JSC executable does not have access to
        environmental variables.  This is only needed for debugging, and is currently
        guarded under a #define USE_OPTIONS_FILE in Options.cpp, and is disabled by
        default.

        Also fixed Options::setOptions() to allow for whitespace that is not a single
        ' '.  This makes setOptions() much more flexible and friendlier to use for loading
        options in general.

        For example, this current use case of loading options from a file may have '\n's
        in the character stream, and this feature is easier to implement if setOptions()
        just supports more than one whitespace char between options, and recognizes whitespace
        characters other than ' '.

        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::initialize):
        (JSC::Options::setOptions):

2015-08-24  Filip Pizlo  <fpizlo@apple.com>

        DFG::FixupPhase should use the lambda form of m_graph.doToChildren() rather than the old macro
        https://bugs.webkit.org/show_bug.cgi?id=148397

        Reviewed by Geoffrey Garen.

        We used to iterate the edges of a node by using the DFG_NODE_DO_TO_CHILDREN macro. We
        don't need to do that anymore since we have the lambda-based m_graph.doToChildren(). This
        allows us to get rid of a bunch of helper methods in DFG::FixupPhase.

        I also took the opportunity to give the injectTypeConversionsInBlock() method a more
        generic name, since after https://bugs.webkit.org/show_bug.cgi?id=145204 it will be used
        for fix-up of checks more broadly.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): Deleted.
        (JSC::DFG::FixupPhase::tryToRelaxRepresentation): Deleted.
        (JSC::DFG::FixupPhase::fixEdgeRepresentation): Deleted.
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Deleted.

2015-08-24  Geoffrey Garen  <ggaren@apple.com>

        Some renaming to clarify CodeBlock and UnlinkedCodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=148391

        Reviewed by Saam Barati.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        (JSC::generateFunctionCodeBlock): Deleted.
        (JSC::UnlinkedFunctionExecutable::codeBlockFor): Deleted.
        * bytecode/UnlinkedFunctionExecutable.h: Call our CodeBlocks "unlinked"
        in the name for clarity, since we are unlinked.

        * heap/Heap.cpp:
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::deleteAllCodeBlocks):
        (JSC::Heap::deleteAllUnlinkedCodeBlocks):
        (JSC::Heap::clearUnmarkedExecutables):
        (JSC::Heap::deleteOldCode):
        (JSC::Heap::FinalizerOwner::finalize):
        (JSC::Heap::addExecutable):
        (JSC::Heap::collectAllGarbageIfNotDoneRecently):
        (JSC::Heap::deleteAllCompiledCode): Deleted.
        (JSC::Heap::deleteAllUnlinkedFunctionCode): Deleted.
        (JSC::Heap::addCompiledCode): Deleted.
        * heap/Heap.h:
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::isSafeToCollect):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        (JSC::Heap::compiledCode): Deleted.

            deleteAllCompiledCode => deleteAllCodeBlocks because "compiled"
            is a broad phrase these days.

            m_compiledCode => m_executables for the same reason.

            addCompiledCode => addExecutable for the same reason.

            deleteAllUnlinkedFunctionCode => deleteAllUnlinkedCodeBlocks
            for consistency.

        * jsc.cpp:
        (functionDeleteAllCompiledCode):

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor): codeBlockFor => unlinkedCodeBlockFor

        (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation): Deleted.
        It was strange to put this function on executable, since its name implied
        that it only changed the executable, but it actually changed all cached
        code. Now, a client that wants to change cached code must do so explicitly.

        * runtime/Executable.h:
        (JSC::ScriptExecutable::finishCreation):
        * runtime/VM.cpp:
        (JSC::VM::deleteAllCode):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope): Updated for renames above.

2015-08-22  Filip Pizlo  <fpizlo@apple.com>

        DFG::InsertionSet should be tolerant of occasional out-of-order insertions
        https://bugs.webkit.org/show_bug.cgi?id=148367

        Reviewed by Geoffrey Garen and Saam Barati.

        Since forever, the DFG::InsertionSet has been the way we insert nodes into DFG IR, and it
        requires that you walk a block in order and perform insertions in order: you can't insert
        something at index J, then at index I where I < J, except if you do a second pass.

        This restriction makes sense, because it enables a very fast algorithm. And it's very
        rare that a phase would need to insert things out of order.

        But sometimes - rarely - we need to insert things slightly out-of-order. For example, we
        may want to insert a node at index J, but to insert a check associated with that node, we
        may need to use index I where I < J. This will come up from the work on
        https://bugs.webkit.org/show_bug.cgi?id=145204. And it has already come up in the past.
        It seems like it would be best to just lift this restriction.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGInsertionSet.cpp: Added.
        (JSC::DFG::InsertionSet::insertSlow):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::InsertionSet):
        (JSC::DFG::InsertionSet::graph):
        (JSC::DFG::InsertionSet::insert):
        (JSC::DFG::InsertionSet::execute):
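
        The insertion-set mechanism described in the entry above, as an added example that is not JavaScriptCore's own code: an in-order fast path, an insertSlow() path for the occasional insertion at a smaller index, and an execute() that still applies everything in one backward pass. Node, Block and describe() are simplified stand-ins assumed here, not the real DFG types.

```cpp
// Added example, not JavaScriptCore's own code: a minimal insertion set in the
// spirit of DFG::InsertionSet. Node, Block and describe() are stand-ins.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Stand-in for a DFG node: just a label so results are easy to inspect.
struct Node {
    std::string label;
};

// Stand-in for a DFG basic block: a linear sequence of nodes.
using Block = std::vector<Node>;

class InsertionSet {
public:
    // Record that `node` goes in front of the element currently at `index`.
    // A phase normally walks the block front to back, so `index` is usually
    // non-decreasing; that is the fast path and costs one append.
    void insert(size_t index, Node node) {
        if (m_insertions.empty() || m_insertions.back().first <= index) {
            m_insertions.emplace_back(index, std::move(node));
            return;
        }
        insertSlow(index, std::move(node)); // rare: index smaller than the last one
    }

    size_t pendingCount() const { return m_insertions.size(); }

    // Apply every recorded insertion in a single backward pass, so each original
    // element is moved exactly once. The insertion list is sorted by index, which
    // the fast path preserves and insertSlow() restores.
    void execute(Block& block) {
        if (m_insertions.empty())
            return;
        size_t originalSize = block.size();
        block.resize(originalSize + m_insertions.size());
        size_t writeIndex = block.size();  // next free slot, counting down
        size_t readIndex = originalSize;   // next original element, counting down
        for (size_t i = m_insertions.size(); i-- > 0;) {
            size_t targetIndex = m_insertions[i].first;
            // Shift down the original elements that belong after this insertion.
            while (readIndex > targetIndex)
                block[--writeIndex] = std::move(block[--readIndex]);
            block[--writeIndex] = std::move(m_insertions[i].second);
        }
        m_insertions.clear();
    }

private:
    // Slow path: place the new insertion before the first recorded one with a
    // larger index. upper_bound keeps earlier insertions at the same index ahead
    // of it, so the order of nodes inserted at one position stays stable.
    void insertSlow(size_t index, Node node) {
        auto position = std::upper_bound(
            m_insertions.begin(), m_insertions.end(), index,
            [](size_t value, const std::pair<size_t, Node>& entry) {
                return value < entry.first;
            });
        m_insertions.insert(position, std::make_pair(index, std::move(node)));
    }

    std::vector<std::pair<size_t, Node>> m_insertions;
};

// Renders a block as "A B C" for assertions and printing.
std::string describe(const Block& block) {
    std::string out;
    for (const Node& node : block) {
        if (!out.empty())
            out += ' ';
        out += node.label;
    }
    return out;
}

// The case from the ChangeLog: a node is inserted at index J, and afterwards a
// check belonging to it has to go at index I < J, without a second pass.
std::string runScenario() {
    Block block = {{"A"}, {"B"}, {"C"}, {"D"}};
    InsertionSet set;
    set.insert(1, {"x"});     // in order: before B
    set.insert(3, {"y"});     // in order: before D (index J)
    set.insert(2, {"check"}); // out of order: before C (index I < J), slow path
    set.insert(3, {"z"});     // same index as y: stays after y
    set.execute(block);
    return describe(block);   // "A x B check C y z D"
}

int main() {
    std::cout << runScenario() << '\n';
    return 0;
}
```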

2015-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        Create ById IC for ByVal operation only when the specific Id comes more than once
        https://bugs.webkit.org/show_bug.cgi?id=148288

        Reviewed by Geoffrey Garen.

        After introducing byId ICs into byVal ops, byVal ops create many more ICs than before.
        The failure fixed in r188767 figures out that these ICs are created even if this op is executed only once.

        The situation is the following:
        In the current code, when byVal op is executed with the Id, we immediately set up the byId IC for that byVal op.
        But setting up JITGetByIdGenerator generates the fast path IC code and consumes executable memory.
        As a result, if we call eval("contains byVal ops") with the different strings repeatedly under no-llint environment, each eval call creates byId IC for byVal and consumes executable memory.

        To solve it, we will add a "seen" flag to ByValInfo.
        And we will create the IC on the second byVal op call with the same Id.

        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * jit/JITOperations.cpp:
        (JSC::tryGetByValOptimize):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByValWithCachedId): Deleted.
        (JSC::JIT::privateCompilePutByValWithCachedId): Deleted.

2015-08-23  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Get rid of NodePointerTraits
        https://bugs.webkit.org/show_bug.cgi?id=148340

        Reviewed by Anders Carlsson.

        NodePointerTraits does exactly the same thing as the default trait.

        * dfg/DFGBasicBlock.h:
        * dfg/DFGCommon.h:
        (JSC::DFG::NodePointerTraits::defaultValue): Deleted.
        (JSC::DFG::NodePointerTraits::isEmptyForDump): Deleted.

2015-08-23  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Reduce the memory usage of BytecodeLivenessAnalysis
        https://bugs.webkit.org/show_bug.cgi?id=148353

        Reviewed by Darin Adler.

        BytecodeLivenessAnalysis easily takes kilobytes of memory for
        non-trivial blocks, and that memory sticks around because
        it is stored on CodeBlock.

        This patch reduces that memory use a bit.

        Most of the memory is in the array of BytecodeBasicBlock.
        BytecodeBasicBlock is shrunk by:
        -Making it not ref-counted.
        -Removing m_predecessors, it was only used for debugging and
         is usually big.
        -Added a shrinkToFit() phase to shrink the vectors once we are
         done building the BytecodeBasicBlock.

        There are more things we should do in the future:
        -Store all the BytecodeBasicBlock directly in the array.
         We know the size ahead of time, this would be a pure win.
         The only tricky part is changing m_successors to have the
         index of the successor instead of a pointer.
        -Stop putting duplicates in m_successors.

        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::computeBytecodeBasicBlocks):
        (JSC::BytecodeBasicBlock::shrinkToFit): Deleted.
        (JSC::linkBlocks): Deleted.
        * bytecode/BytecodeBasicBlock.h:
        (JSC::BytecodeBasicBlock::addSuccessor):
        (JSC::BytecodeBasicBlock::addPredecessor): Deleted.
        (JSC::BytecodeBasicBlock::predecessors): Deleted.
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::getLeaderOffsetForBasicBlock):
        (JSC::findBasicBlockWithLeaderOffset):
        (JSC::findBasicBlockForBytecodeOffset):
        (JSC::stepOverInstruction):
        (JSC::computeLocalLivenessForBytecodeOffset):
        (JSC::computeLocalLivenessForBlock):
        (JSC::BytecodeLivenessAnalysis::dumpResults): Deleted.
        * bytecode/BytecodeLivenessAnalysis.h:

2015-08-23  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling back in r188792.
        https://bugs.webkit.org/show_bug.cgi?id=148347

        Previously reverted changesets:

        "Unify code paths for manually deleting all code"
        https://bugs.webkit.org/show_bug.cgi?id=148280
        http://trac.webkit.org/changeset/188792

        The previous patch caused some inspector tests to hang because it
        introduced extra calls to sourceParsed, and sourceParsed is
        pathologically slow in WK1 debug builds. This patch restores pre-existing
        code to limit calls to sourceParsed, excluding code not being debugged
        (i.e., inspector code).

2015-08-23  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling back in r188803.

        Previously reverted changesets:

        "Debugger's VM should never be null"
        https://bugs.webkit.org/show_bug.cgi?id=148341
        http://trac.webkit.org/changeset/188803

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::attach):
        (JSC::Debugger::detach):
        (JSC::Debugger::isAttached):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::registerCodeBlock):
        (JSC::Debugger::toggleBreakpoint):
        (JSC::Debugger::recompileAllJSFunctions):
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::clearDebuggerRequests):
        (JSC::Debugger::setBreakpointsActivated):
        (JSC::Debugger::breakProgram):
        (JSC::Debugger::stepOutOfFunction):
        (JSC::Debugger::returnEvent):
        (JSC::Debugger::didExecuteProgram):
675         * debugger/Debugger.h:
676         * inspector/JSGlobalObjectScriptDebugServer.cpp:
677         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
678         (Inspector::JSGlobalObjectScriptDebugServer::removeListener):
679         (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
680         (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions): Deleted.
681         * inspector/JSGlobalObjectScriptDebugServer.h:
682         * inspector/ScriptDebugServer.cpp:
683         (Inspector::ScriptDebugServer::ScriptDebugServer):
684         * inspector/ScriptDebugServer.h:
685
686 2015-08-22  Filip Pizlo  <fpizlo@apple.com>
687
688         DFG string concatenation shouldn't be playing fast and loose with effects and OSR exit
689         https://bugs.webkit.org/show_bug.cgi?id=148338
690
691         Reviewed by Michael Saboff and Saam Barati.
692
693         Prior to this change, DFG string concatenation appeared to have various different ways of
694         creating an OSR exit right after a side effect. That's bad, because the exit will cause
695         us to reexecute the side effect. The code appears to have some hacks for avoiding this,
696         but some cases are basically unavoidable, like the OOM case of string concatenation: in
697         trunk that could cause two executions of the toString operation.
698
699         This changes the string concatenation code to either be speculative or effectful but
700         never both. It's already the case that when this code needs to be effectful, it also
701         needs to be slow (it does int->string conversions, calls JS functions, etc). So, this is
702         a small price to pay for sanity.
703
704         The biggest part of this change is the introduction of StrCat, which is like MakeRope but
705         does toString conversions on its own instead of relying on separate nodes. StrCat can
706         take either 2 or 3 children. It's the effectful but not speculative version of MakeRope.
707
708         * dfg/DFGAbstractInterpreterInlines.h:
709         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
710         * dfg/DFGBackwardsPropagationPhase.cpp:
711         (JSC::DFG::BackwardsPropagationPhase::propagate):
712         * dfg/DFGByteCodeParser.cpp:
713         (JSC::DFG::ByteCodeParser::parseBlock):
714         * dfg/DFGClobberize.h:
715         (JSC::DFG::clobberize):
716         * dfg/DFGDoesGC.cpp:
717         (JSC::DFG::doesGC):
718         * dfg/DFGFixupPhase.cpp:
719         (JSC::DFG::FixupPhase::fixupNode):
720         (JSC::DFG::FixupPhase::convertStringAddUse):
721         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
722         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
723         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
724         * dfg/DFGNodeType.h:
725         * dfg/DFGOperations.cpp:
726         * dfg/DFGOperations.h:
727         * dfg/DFGPredictionPropagationPhase.cpp:
728         (JSC::DFG::PredictionPropagationPhase::propagate):
729         * dfg/DFGSafeToExecute.h:
730         (JSC::DFG::safeToExecute):
731         * dfg/DFGSpeculativeJIT.h:
732         (JSC::DFG::SpeculativeJIT::callOperation):
733         (JSC::DFG::JSValueOperand::JSValueOperand):
734         (JSC::DFG::JSValueOperand::~JSValueOperand):
735         * dfg/DFGSpeculativeJIT32_64.cpp:
736         (JSC::DFG::SpeculativeJIT::compile):
737         * dfg/DFGSpeculativeJIT64.cpp:
738         (JSC::DFG::SpeculativeJIT::compile):
739         * dfg/DFGValidate.cpp:
740         (JSC::DFG::Validate::validate):
741         * ftl/FTLCapabilities.cpp:
742         (JSC::FTL::canCompile):
743         * ftl/FTLIntrinsicRepository.h:
744         * ftl/FTLLowerDFGToLLVM.cpp:
745         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
746         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
747         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
748         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
749         * jit/JITOperations.h:
750         * tests/stress/exception-effect-strcat.js: Added. This test previously failed.
751         * tests/stress/exception-in-strcat-string-overflow.js: Added. An earlier version of this patch made this fail.
752         * tests/stress/exception-in-strcat.js: Added.
753
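The invariant this entry describes (a side effect such as a user toString() must run exactly once per evaluation, never again after an OSR exit or an OOM/exception in the concatenation) is the kind of thing the added tests/stress/exception-*-strcat.js files check. The block below is an added illustration of that test shape, written for this page rather than taken from the WebKit tree; the operand names, iteration counts and the counting helpers are constructed for the example, and it runs on any JavaScript engine, not only jsc.

```javascript
// Added example, not WebKit code: observe how many times each operand's
// toString() runs during `a + b + c`, including when the last one throws.

// Operand whose toString() records its name in a shared log (constructed).
function makeCountingOperand(name, log) {
  return {
    toString() {
      log.push(name);
      return name;
    },
  };
}

// Concatenate three operands; a tiered JIT would compile this after enough
// iterations, so the per-tier string-concatenation code is what gets exercised.
function concatThree(a, b, c) {
  return a + b + c;
}

// One evaluation. When throwOnThird is set, the third toString() throws after
// the first two side effects have already happened, mirroring the OOM /
// exception path described in the entry.
function runOnce(throwOnThird) {
  const log = [];
  const a = makeCountingOperand("a", log);
  const b = makeCountingOperand("b", log);
  const c = {
    toString() {
      log.push("c");
      if (throwOnThird) throw new Error("constructed failure inside toString");
      return "c";
    },
  };
  let threw = false;
  let result = null;
  try {
    result = concatThree(a, b, c);
  } catch (e) {
    threw = true;
  }
  return { log, threw, result };
}

// Stress loop: returns the number of iterations that violated the invariant
// (an operand observed more or fewer than once, out of order, or an unexpected
// throw/no-throw). A correct engine returns 0 for both modes.
function stress(iterations, throwOnThird) {
  const expected = ["a", "b", "c"];
  let violations = 0;
  for (let i = 0; i < iterations; i++) {
    const { log, threw } = runOnce(throwOnThird);
    const sameSequence =
      log.length === expected.length && log.every((v, idx) => v === expected[idx]);
    if (!sameSequence) violations++;
    if (threw !== throwOnThird) violations++;
  }
  return violations;
}

// Usage: both modes must report zero violations.
console.log("no-throw violations:", stress(1000, false));
console.log("throw violations:", stress(1000, true));
```

The iteration count is there so that, on an engine with tiered compilation, the same check is applied to interpreted, baseline and optimized code; a double-executed toString() in any tier shows up as a non-zero violation count rather than a silently wrong string.
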
754 2015-08-22  Andreas Kling  <akling@apple.com>
755
756         [JSC] Static hash tables should be 100% compile-time constant.
757         <https://webkit.org/b/148359>
758
759         Reviewed by Michael Saboff.
760
761         We were dirtying the memory pages containing static hash tables the
762         first time they were used, when a dynamically allocated index-to-key
763         table was built and cached in the HashTable struct.
764
765         It turns out that this "optimization" was completely useless, since
766         we've long since decoupled static hash tables from the JSC::VM and
767         we can get the key for an index via HashTable::values[index].m_key!
768
769         We also get rid of VM::keywords which was a little wrapper around
770         a VM-specific copy of JSC::mainTable. There was nothing VM-specific
771         about it at all, so clients now use JSC::mainTable directly.
772
773         After this change all fooHashTable structs end up in __DATA __const
774         and no runtime initialization/allocation takes place.
775
776         * create_hash_table:
777         * jsc.cpp:
778         * parser/Lexer.cpp:
779         (JSC::isLexerKeyword):
780         (JSC::Lexer<LChar>::parseIdentifier):
781         (JSC::Lexer<UChar>::parseIdentifier):
782         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
783         (JSC::Keywords::Keywords): Deleted.
784         * parser/Lexer.h:
785         (JSC::Keywords::isKeyword): Deleted.
786         (JSC::Keywords::getKeyword): Deleted.
787         (JSC::Keywords::~Keywords): Deleted.
788         * runtime/LiteralParser.cpp:
789         (JSC::LiteralParser<CharType>::tryJSONPParse):
790         * runtime/Lookup.cpp:
791         (JSC::HashTable::createTable): Deleted.
792         (JSC::HashTable::deleteTable): Deleted.
793         * runtime/Lookup.h:
794         (JSC::HashTable::entry):
795         (JSC::HashTable::ConstIterator::key):
796         (JSC::HashTable::ConstIterator::skipInvalidKeys):
797         (JSC::HashTable::copy): Deleted.
798         (JSC::HashTable::initializeIfNeeded): Deleted.
799         (JSC::HashTable::begin): Deleted.
800         (JSC::HashTable::end): Deleted.
801         * runtime/VM.cpp:
802         (JSC::VM::VM): Deleted.
803         * runtime/VM.h:
804         * testRegExp.cpp:
805
806 2015-08-21  Commit Queue  <commit-queue@webkit.org>
807
808         Unreviewed, rolling out r188792 and r188803.
809         https://bugs.webkit.org/show_bug.cgi?id=148347
810
811         broke lots of tests, ggaren is going to investigate and reland
812         (Requested by thorton on #webkit).
813
814         Reverted changesets:
815
816         "Unify code paths for manually deleting all code"
817         https://bugs.webkit.org/show_bug.cgi?id=148280
818         http://trac.webkit.org/changeset/188792
819
820         "Debugger's VM should never be null"
821         https://bugs.webkit.org/show_bug.cgi?id=148341
822         http://trac.webkit.org/changeset/188803
823
824 2015-08-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
825
826         Parse control flow statements in WebAssembly
827         https://bugs.webkit.org/show_bug.cgi?id=148333
828
829         Reviewed by Geoffrey Garen.
830
831         Parse control flow statements in WebAssembly files generated by pack-asmjs
832         <https://github.com/WebAssembly/polyfill-prototype-1>.
833
834         * wasm/WASMConstants.h:
835         * wasm/WASMFunctionParser.cpp:
836         (JSC::WASMFunctionParser::parseStatement):
837         (JSC::WASMFunctionParser::parseIfStatement):
838         (JSC::WASMFunctionParser::parseIfElseStatement):
839         (JSC::WASMFunctionParser::parseWhileStatement):
840         (JSC::WASMFunctionParser::parseDoStatement):
841         (JSC::WASMFunctionParser::parseLabelStatement):
842         (JSC::WASMFunctionParser::parseBreakStatement):
843         (JSC::WASMFunctionParser::parseBreakLabelStatement):
844         (JSC::WASMFunctionParser::parseContinueStatement):
845         (JSC::WASMFunctionParser::parseContinueLabelStatement):
846         (JSC::WASMFunctionParser::parseSwitchStatement):
847         * wasm/WASMFunctionParser.h:
848         (JSC::WASMFunctionParser::WASMFunctionParser):
849         * wasm/WASMReader.cpp:
850         (JSC::WASMReader::readCompactInt32):
851         (JSC::WASMReader::readSwitchCase):
852         * wasm/WASMReader.h:
853
854 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
855
856         Debugger's VM should never be null
857         https://bugs.webkit.org/show_bug.cgi?id=148341
858
859         Reviewed by Joseph Pecoraro.
860
861         It doesn't make sense for a Debugger's VM to be null, and code related
862         to maintaining that illusion just caused the Web Inspector to crash on
863         launch (https://bugs.webkit.org/show_bug.cgi?id=148312). So, let's stop
864         doing that.
865
866         Now, Debugger requires its subclass to provide a never-null VM&.
867
868         Also took the opportunity, based on review feedback, to remove some
869         confusion in the virtual recompileAllJSFunctions hierarchy, by eliminating
870         the pure virtual in ScriptDebugServer and the unnecessary override in
871         JSGlobalObjectScriptDebugServer.
872
873         * debugger/Debugger.cpp:
874         (JSC::Debugger::Debugger):
875         (JSC::Debugger::attach):
876         (JSC::Debugger::detach):
877         (JSC::Debugger::isAttached):
878         (JSC::Debugger::setSteppingMode):
879         (JSC::Debugger::registerCodeBlock):
880         (JSC::Debugger::toggleBreakpoint):
881         (JSC::Debugger::recompileAllJSFunctions):
882         (JSC::Debugger::setBreakpoint):
883         (JSC::Debugger::clearBreakpoints):
884         (JSC::Debugger::clearDebuggerRequests):
885         (JSC::Debugger::setBreakpointsActivated):
886         (JSC::Debugger::breakProgram):
887         (JSC::Debugger::stepOutOfFunction):
888         (JSC::Debugger::returnEvent):
889         (JSC::Debugger::didExecuteProgram):
890         * debugger/Debugger.h:
891         * inspector/JSGlobalObjectScriptDebugServer.cpp:
892         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
893         (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions):
894         (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
895         * inspector/ScriptDebugServer.cpp:
896         (Inspector::ScriptDebugServer::ScriptDebugServer):
897         * inspector/ScriptDebugServer.h:
898
899 2015-08-21  Basile Clement  <basile_clement@apple.com>
900
901         Remove unused code relative to allocation sinking
902         https://bugs.webkit.org/show_bug.cgi?id=148342
903
904         Reviewed by Mark Lam.
905
906         This removes two things:
907
908          - The DFGPromoteHeapAccess.h file which is a relic of the old sinking
909            phase and is no longer used (it has been subsumed by
910            ObjectAllocationSinking::promoteLocalHeap)
911
912          - Code in the allocation sinking phase for sinking
913            MaterializeCreateActivation and MaterializeNewObject. Handling those
914            is no longer necessary since the phase no longer runs in a fixpoint
915            and thus will never see those nodes, since no other phase creates
916            them.
917
918         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
919         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
920         * JavaScriptCore.xcodeproj/project.pbxproj:
921         * dfg/DFGObjectAllocationSinkingPhase.cpp:
922         * dfg/DFGPromoteHeapAccess.h: Removed.
923
924 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
925
926         Unify code paths for manually deleting all code
927         https://bugs.webkit.org/show_bug.cgi?id=148280
928
929         Reviewed by Saam Barati.
930
931         We used to have three paths for manually deleting all code. Now we have
932         one shared path.
933
934         * debugger/Debugger.cpp:
935         (JSC::Debugger::attach): Notify the debugger of all previous code when
936         it attaches. We used to do this when recompiling, which was only correct
937         by accident.
938
939         (JSC::Debugger::recompileAllJSFunctions): Switch to the shared path.
940
941         * heap/Heap.h:
942         (JSC::Heap::compiledCode):
943
944         * inspector/agents/InspectorRuntimeAgent.cpp:
945         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
946         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
947         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
948         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
949         (Inspector::TypeRecompiler::visit): Deleted.
950         (Inspector::TypeRecompiler::operator()): Deleted.
951         (Inspector::recompileAllJSFunctionsForTypeProfiling): Deleted. Switch
952         to the shared path.
953
954         * runtime/VM.cpp:
955         (JSC::VM::afterVMExit): Added a helper for scheduling an activity after
956         VM exit. We can't delete code while it's on the stack, and we can't
957         delete auxiliary profiling data while profiling code is on the stack,
958         so in those cases, we schedule the deletion for the next time we exit.
959
960         (JSC::VM::deleteAllCode): Use afterVMExit because we might have code
961         on the stack when debugger, profiler, or watchdog state changes.
962
963         * runtime/VM.h:
964
965         * runtime/VMEntryScope.cpp:
966         (JSC::VMEntryScope::VMEntryScope):
967         (JSC::VMEntryScope::addDidPopListener):
968         (JSC::VMEntryScope::~VMEntryScope):
969         (JSC::VMEntryScope::setEntryScopeDidPopListener): Deleted.
970         * runtime/VMEntryScope.h:
971         (JSC::VMEntryScope::globalObject): Removed the uniquing feature from
972         the scope pop listener list because we don't have a client that wants
973         it, and it's not convenient to use correctly since you can't take
974         the address of a member function, a lambda, or an std::function. We can
975         add this feature back if we discover that we want it.
976
977 2015-08-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
978
979         Implement WebAssembly function parser
980         https://bugs.webkit.org/show_bug.cgi?id=147738
981
982         Reviewed by Filip Pizlo.
983
984         Implement WebAssembly function parser for WebAssembly files produced by pack-asmjs
985         <https://github.com/WebAssembly/polyfill-prototype-1>. This patch parses only
986         some instructions on statements and int32 expressions. Parsing of the rest
987         will be implemented in subsequent patches. The instruction lists in WASMConstants.h
988         are slightly modified from
989         <https://github.com/WebAssembly/polyfill-prototype-1/blob/master/src/shared.h>.
990
991         * CMakeLists.txt:
992         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
993         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
994         * JavaScriptCore.xcodeproj/project.pbxproj:
995         * wasm/WASMConstants.h: Added.
996         * wasm/WASMFormat.h:
997         * wasm/WASMFunctionParser.cpp: Added.
998         (JSC::WASMFunctionParser::checkSyntax):
999         (JSC::WASMFunctionParser::parseFunction):
1000         (JSC::WASMFunctionParser::parseLocalVariables):
1001         (JSC::WASMFunctionParser::parseStatement):
1002         (JSC::WASMFunctionParser::parseSetLocalStatement):
1003         (JSC::WASMFunctionParser::parseReturnStatement):
1004         (JSC::WASMFunctionParser::parseBlockStatement):
1005         (JSC::WASMFunctionParser::parseExpression):
1006         (JSC::WASMFunctionParser::parseExpressionI32):
1007         (JSC::WASMFunctionParser::parseImmediateExpressionI32):
1008         * wasm/WASMFunctionParser.h: Added.
1009         (JSC::WASMFunctionParser::WASMFunctionParser):
1010         * wasm/WASMFunctionSyntaxChecker.h: Renamed from Source/JavaScriptCore/wasm/WASMMagicNumber.h.
1011         * wasm/WASMModuleParser.cpp:
1012         (JSC::WASMModuleParser::WASMModuleParser):
1013         (JSC::WASMModuleParser::parseFunctionDefinitionSection):
1014         (JSC::WASMModuleParser::parseFunctionDefinition):
1015         * wasm/WASMModuleParser.h:
1016         * wasm/WASMReader.cpp:
1017         (JSC::WASMReader::readType):
1018         (JSC::WASMReader::readExpressionType):
1019         (JSC::WASMReader::readExportFormat):
1020         (JSC::WASMReader::readOpStatement):
1021         (JSC::WASMReader::readOpExpressionI32):
1022         (JSC::WASMReader::readVariableTypes):
1023         (JSC::WASMReader::readOp):
1024         * wasm/WASMReader.h:
1025         (JSC::WASMReader::offset):
1026         (JSC::WASMReader::setOffset):
1027
1028 2015-08-21  Filip Pizlo  <fpizlo@apple.com>
1029
1030         DFG::PutStackSinkingPhase doesn't need to emit KillStack nodes
1031         https://bugs.webkit.org/show_bug.cgi?id=148331
1032
1033         Reviewed by Geoffrey Garen.
1034
1035         PutStackSinkingPhase previously emitted a KillStack node when it sank a PutStack. This
1036         isn't necessary because KillStack is only interesting for OSR exit, and PutStack nodes
1037         that are relevant to OSR will already be preceded by a KillStack/MovHint pair.
1038
1039         * dfg/DFGPutStackSinkingPhase.cpp:
1040
1041 2015-08-21  Filip Pizlo  <fpizlo@apple.com>
1042
1043         DFG::NodeOrigin should have a flag determining if exiting is OK right now
1044         https://bugs.webkit.org/show_bug.cgi?id=148323
1045
1046         Reviewed by Saam Barati.
1047
1048         * dfg/DFGByteCodeParser.cpp:
1049         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
1050         (JSC::DFG::ByteCodeParser::branchData):
1051         * dfg/DFGInsertionSet.h:
1052         (JSC::DFG::InsertionSet::insertConstant):
1053         (JSC::DFG::InsertionSet::insertConstantForUse):
1054         (JSC::DFG::InsertionSet::insertBottomConstantForUse):
1055         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1056         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1057         * dfg/DFGLICMPhase.cpp:
1058         (JSC::DFG::LICMPhase::attemptHoist):
1059         * dfg/DFGNodeOrigin.h:
1060         (JSC::DFG::NodeOrigin::NodeOrigin):
1061         (JSC::DFG::NodeOrigin::isSet):
1062         (JSC::DFG::NodeOrigin::withSemantic):
1063         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1064
1065 2015-08-21  Saam barati  <sbarati@apple.com>
1066
1067         DFG callOperations should not implicitly emit an exception check. At callOperation call sites, we should explicitly emit exception checks
1068         https://bugs.webkit.org/show_bug.cgi?id=147988
1069
1070         Reviewed by Geoffrey Garen.
1071
1072         This is in preparation for the DFG being able to handle exceptions. 
1073         To do this, we need more control over when we emit exception checks.
1074         Specifically, we want to be able to silentFill before emitting an exception check.
1075         This patch does that. This patch also allows us to easily see which
1076         operations do and do not emit exception checks. Finding this information
1077         out before was a pain.
1078
1079         * assembler/AbortReason.h:
1080         * dfg/DFGArrayifySlowPathGenerator.h:
1081         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1082         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1083         * dfg/DFGJITCompiler.h:
1084         (JSC::DFG::JITCompiler::appendCall):
1085         (JSC::DFG::JITCompiler::exceptionCheck):
1086         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1087         * dfg/DFGSlowPathGenerator.h:
1088         (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator):
1089         (JSC::DFG::CallSlowPathGenerator::tearDown):
1090         (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::CallResultAndNoArgumentsSlowPathGenerator):
1091         (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::CallResultAndOneArgumentSlowPathGenerator):
1092         (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::CallResultAndTwoArgumentsSlowPathGenerator):
1093         (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::CallResultAndThreeArgumentsSlowPathGenerator):
1094         (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::CallResultAndFourArgumentsSlowPathGenerator):
1095         (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::CallResultAndFiveArgumentsSlowPathGenerator):
1096         (JSC::DFG::slowPathCall):
1097         * dfg/DFGSpeculativeJIT.cpp:
1098         (JSC::DFG::SpeculativeJIT::compileIn):
1099         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1100         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1101         (JSC::DFG::SpeculativeJIT::compileArithRound):
1102         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1103         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1104         (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
1105         (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
1106         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
1107         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
1108         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1109         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1110         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
1111         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1112         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1113         * dfg/DFGSpeculativeJIT.h:
1114         (JSC::DFG::SpeculativeJIT::callOperation):
1115         (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
1116         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
1117         (JSC::DFG::SpeculativeJIT::appendCall):
1118         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1119         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1120         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1121         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck): Deleted.
1122         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult): Deleted.
1123         * dfg/DFGSpeculativeJIT32_64.cpp:
1124         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1125         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
1126         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1127         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1128         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1129         (JSC::DFG::SpeculativeJIT::emitCall):
1130         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1131         (JSC::DFG::SpeculativeJIT::compile):
1132         * dfg/DFGSpeculativeJIT64.cpp:
1133         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1134         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
1135         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1136         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1137         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1138         (JSC::DFG::SpeculativeJIT::emitCall):
1139         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1140         (JSC::DFG::SpeculativeJIT::compile):
1141         * ftl/FTLIntrinsicRepository.h:
1142         * ftl/FTLLowerDFGToLLVM.cpp:
1143         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1144         * jit/AssemblyHelpers.cpp:
1145         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1146         (JSC::AssemblyHelpers::jitAssertNoException):
1147         (JSC::AssemblyHelpers::callExceptionFuzz):
1148         (JSC::AssemblyHelpers::emitExceptionCheck):
1149         * jit/AssemblyHelpers.h:
1150         (JSC::AssemblyHelpers::jitAssertIsInt32):
1151         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
1152         (JSC::AssemblyHelpers::jitAssertIsNull):
1153         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
1154         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1155         (JSC::AssemblyHelpers::jitAssertNoException):
1156         * jit/JITOperations.cpp:
1157         * jit/JITOperations.h:
1158         * runtime/VM.h:
1159         (JSC::VM::scratchBufferForSize):
1160         (JSC::VM::exceptionFuzzingBuffer):
1161
1162 2015-08-21  Geoffrey Garen  <ggaren@apple.com>
1163
1164         REGRESSION (r188714): RELEASE_ASSERT in JSC::Heap::incrementDeferralDepth() opening Web Inspector on daringfireball.net
1165         https://bugs.webkit.org/show_bug.cgi?id=148312
1166
1167         Reviewed by Mark Lam.
1168
1169         * debugger/Debugger.cpp:
1170         (JSC::Debugger::recompileAllJSFunctions): Use our vm argument instead of
1171         m_vm because sometimes they are different and m_vm is null. (This behavior
1172         is very strange, and we should probably eliminate it -- but we need a 
1173         fix for this serious regression right now.)
1174
1175 2015-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1176
1177         [ES6] prototyping module loader in JSC shell
1178         https://bugs.webkit.org/show_bug.cgi?id=147876
1179
1180         Reviewed by Saam Barati.
1181
1182         This patch implements ES6 Module Loader part. The implementation is based on
1183         the latest draft[1, 2]. The naive implementation poses several problems.
1184         This patch attempts to solve the spec issues and proposes the fix[3, 4, 5].
1185
1186         We construct the JSC internal module loader based on the ES6 Promises.
1187         The chain of the promises represents the dependency graph of the modules and
1188         it automatically enables asynchronous module fetching.
1189         To leverage the Promises internally, we use the InternalPromise landed in r188681.
1190
1191         The loader has several platform-dependent hooks. The platform can implement
1192         these hooks to provide the functionality missing in the module loaders, like
1193         "how to fetch the resources". The method table of the JSGlobalObject is extended
1194         to accept these hooks from the platform.
1195
1196         This patch focuses on the loading part. So we don't create the module environment
1197         and don't link the modules yet.
1198
1199         To test the current module progress easily, we add the `-m` option to the JSC shell.
1200         When this option is specified, we load the given script as the module. And to use
1201         the module loading inside the JSC shell, we added the simple loader hook for fetching.
1202         It fetches the module content from the file system.
1203
1204         And to use the ES6 Map in the Loader implementation, we added @get and @set methods to the Map.
1205         But it conflicts with the existing `getPrivateName` method. Rename it to `lookUpPrivateName`.
1206
1207         [1]: https://whatwg.github.io/loader/
1208         [2]: https://github.com/whatwg/loader/commit/214c7a6625b445bdf411c39984f36f01139a24be
1209         [3]: https://github.com/whatwg/loader/pull/66
1210         [4]: https://github.com/whatwg/loader/pull/67
1211         [5]: https://github.com/whatwg/loader/issues/68
1212         [6]: https://bugs.webkit.org/show_bug.cgi?id=148136
1213
1214         * CMakeLists.txt:
1215         * DerivedSources.make:
1216         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1217         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1218         * JavaScriptCore.xcodeproj/project.pbxproj:
1219         * builtins/BuiltinNames.h:
1220         (JSC::BuiltinNames::lookUpPrivateName):
1221         (JSC::BuiltinNames::lookUpPublicName):
1222         (JSC::BuiltinNames::getPrivateName): Deleted.
1223         (JSC::BuiltinNames::getPublicName): Deleted.
1224         * builtins/ModuleLoaderObject.js: Added.
1225         (setStateToMax):
1226         (newRegistryEntry):
1227         (forceFulfillPromise):
1228         (fulfillFetch):
1229         (fulfillTranslate):
1230         (fulfillInstantiate):
1231         (instantiation):
1232         (requestFetch):
1233         (requestTranslate):
1234         (requestInstantiate):
1235         (requestResolveDependencies.resolveDependenciesPromise.this.requestInstantiate.then.):
1236         (requestResolveDependencies.resolveDependenciesPromise.this.requestInstantiate.then):
1237         (requestResolveDependencies):
1238         (requestInstantiateAll):
1239         (provide):
1240         * jsc.cpp:
1241         (stringFromUTF):
1242         (jscSource):
1243         (GlobalObject::moduleLoaderFetch):
1244         (functionCheckModuleSyntax):
1245         (dumpException):
1246         (runWithScripts):
1247         (printUsageStatement):
1248         (CommandLine::parseArguments):
1249         (jscmain):
1250         (CommandLine::CommandLine): Deleted.
1251         * parser/Lexer.cpp:
1252         (JSC::Lexer<LChar>::parseIdentifier):
1253         (JSC::Lexer<UChar>::parseIdentifier):
1254         * parser/ModuleAnalyzer.cpp:
1255         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1256         (JSC::ModuleAnalyzer::exportVariable):
1257         (JSC::ModuleAnalyzer::analyze):
1258         * parser/ModuleAnalyzer.h:
1259         (JSC::ModuleAnalyzer::moduleRecord):
1260         * parser/ModuleRecord.cpp:
1261         (JSC::printableName): Deleted.
1262         (JSC::ModuleRecord::dump): Deleted.
1263         * parser/ModuleRecord.h:
1264         (JSC::ModuleRecord::ImportEntry::isNamespace): Deleted.
1265         (JSC::ModuleRecord::create): Deleted.
1266         (JSC::ModuleRecord::appendRequestedModule): Deleted.
1267         (JSC::ModuleRecord::addImportEntry): Deleted.
1268         (JSC::ModuleRecord::addExportEntry): Deleted.
1269         (JSC::ModuleRecord::addStarExportEntry): Deleted.
1270         * parser/Nodes.h:
1271         * parser/NodesAnalyzeModule.cpp:
1272         (JSC::ImportDeclarationNode::analyzeModule):
1273         (JSC::ExportAllDeclarationNode::analyzeModule):
1274         (JSC::ExportNamedDeclarationNode::analyzeModule):
1275         * runtime/CommonIdentifiers.cpp:
1276         (JSC::CommonIdentifiers::lookUpPrivateName):
1277         (JSC::CommonIdentifiers::lookUpPublicName):
1278         (JSC::CommonIdentifiers::getPrivateName): Deleted.
1279         (JSC::CommonIdentifiers::getPublicName): Deleted.
1280         * runtime/CommonIdentifiers.h:
1281         * runtime/Completion.cpp:
1282         (JSC::checkModuleSyntax):
1283         (JSC::evaluateModule):
1284         * runtime/Completion.h:
1285         * runtime/ExceptionHelpers.cpp:
1286         (JSC::createUndefinedVariableError):
1287         * runtime/Identifier.h:
1288         * runtime/JSGlobalObject.cpp:
1289         (JSC::JSGlobalObject::init):
1290         (JSC::JSGlobalObject::visitChildren):
1291         * runtime/JSGlobalObject.h:
1292         (JSC::JSGlobalObject::moduleLoader):
1293         (JSC::JSGlobalObject::moduleRecordStructure):
1294         * runtime/JSModuleRecord.cpp: Renamed from Source/JavaScriptCore/parser/ModuleRecord.cpp.
1295         (JSC::JSModuleRecord::destroy):
1296         (JSC::JSModuleRecord::finishCreation):
1297         (JSC::printableName):
1298         (JSC::JSModuleRecord::dump):
1299         * runtime/JSModuleRecord.h: Renamed from Source/JavaScriptCore/parser/ModuleRecord.h.
1300         (JSC::JSModuleRecord::ImportEntry::isNamespace):
1301         (JSC::JSModuleRecord::createStructure):
1302         (JSC::JSModuleRecord::create):
1303         (JSC::JSModuleRecord::requestedModules):
1304         (JSC::JSModuleRecord::JSModuleRecord):
1305         (JSC::JSModuleRecord::appendRequestedModule):
1306         (JSC::JSModuleRecord::addImportEntry):
1307         (JSC::JSModuleRecord::addExportEntry):
1308         (JSC::JSModuleRecord::addStarExportEntry):
1309         * runtime/MapPrototype.cpp:
1310         (JSC::MapPrototype::finishCreation):
1311         * runtime/ModuleLoaderObject.cpp: Added.
1312         (JSC::ModuleLoaderObject::ModuleLoaderObject):
1313         (JSC::ModuleLoaderObject::finishCreation):
1314         (JSC::ModuleLoaderObject::getOwnPropertySlot):
1315         (JSC::printableModuleKey):
1316         (JSC::ModuleLoaderObject::provide):
1317         (JSC::ModuleLoaderObject::requestInstantiateAll):
1318         (JSC::ModuleLoaderObject::resolve):
1319         (JSC::ModuleLoaderObject::fetch):
1320         (JSC::ModuleLoaderObject::translate):
1321         (JSC::ModuleLoaderObject::instantiate):
1322         (JSC::moduleLoaderObjectParseModule):
1323         (JSC::moduleLoaderObjectRequestedModules):
1324         (JSC::moduleLoaderObjectResolve):
1325         (JSC::moduleLoaderObjectFetch):
1326         (JSC::moduleLoaderObjectTranslate):
1327         (JSC::moduleLoaderObjectInstantiate):
1328         * runtime/ModuleLoaderObject.h: Added.
1329         (JSC::ModuleLoaderObject::create):
1330         (JSC::ModuleLoaderObject::createStructure):
1331         * runtime/Options.h:
1332
1333 2015-08-20  Filip Pizlo  <fpizlo@apple.com>
1334
1335         DFG should have a KnownBooleanUse for cases where we are required to know that the child is a boolean and it's not OK to speculate
1336         https://bugs.webkit.org/show_bug.cgi?id=148286
1337
1338         Reviewed by Benjamin Poulain.
1339
1340         This enables us to ensure that the Branch or LogicalNot after an effectful CompareXYZ can
1341         be marked as !mayExit(). I need that for https://bugs.webkit.org/show_bug.cgi?id=145204.
1342
1343         * dfg/DFGFixupPhase.cpp:
1344         (JSC::DFG::FixupPhase::fixupNode):
1345         (JSC::DFG::FixupPhase::observeUseKindOnNode):
1346         * dfg/DFGSafeToExecute.h:
1347         (JSC::DFG::SafeToExecuteEdge::operator()):
1348         * dfg/DFGSpeculativeJIT.cpp:
1349         (JSC::DFG::SpeculativeJIT::speculate):
1350         * dfg/DFGSpeculativeJIT.h:
1351         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
1352         * dfg/DFGSpeculativeJIT32_64.cpp:
1353         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1354         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1355         (JSC::DFG::SpeculativeJIT::emitBranch):
1356         * dfg/DFGSpeculativeJIT64.cpp:
1357         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1358         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1359         (JSC::DFG::SpeculativeJIT::emitBranch):
1360         * dfg/DFGUseKind.cpp:
1361         (WTF::printInternal):
1362         * dfg/DFGUseKind.h:
1363         (JSC::DFG::typeFilterFor):
1364         (JSC::DFG::shouldNotHaveTypeCheck):
1365         * ftl/FTLCapabilities.cpp:
1366         (JSC::FTL::canCompile):
1367         * ftl/FTLLowerDFGToLLVM.cpp:
1368         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
1369         (JSC::FTL::DFG::LowerDFGToLLVM::lowBoolean):
1370
1371 2015-08-20  Filip Pizlo  <fpizlo@apple.com>
1372
1373         Overflow check elimination fails for a simple test case
1374         https://bugs.webkit.org/show_bug.cgi?id=147387
1375
1376         Reviewed by Benjamin Poulain.
1377
1378         Overflow check elimination was having issues when things got constant-folded, because whereas an
1379         Add or LessThan operation teaches us about relationships between the things being added or
1380         compared, we don't do that when we see a JSConstant. We don't create a relationship between every
1381         JSConstant and every other JSConstant. So, if we constant-fold an Add, we forget the relationships
1382         that it would have had with its inputs.
1383
1384         One solution would be to have every JSConstant create a relationship with every other JSConstant.
1385         This is dangerous, since it would create an O(n^2) explosion of relationships.
1386
1387         Instead, this patch teaches filtration and merging how to behave "as if" there were inter-constant
1388         relationships. Normally those operations only work on two relationships involving the same node
1389         pair. But now, if we have @x op @c and @x op @d, where @c and @d are different nodes but both are
1390         constants, we will do merging or filtering by grokking the constant values.
1391
1392         This speeds up lots of tests in JSRegress, because it enables overflow check elimination on things
1393         like:
1394
1395         for (var i = 0; i < 100; ++i)
1396
1397         Previously, the fact that this was all constants would throw off the analysis because the analysis
1398         wouldn't "know" that 0 < 100.
1399
1400         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1401
1402 2015-08-20  Geoffrey Garen  <ggaren@apple.com>
1403
1404         forEachCodeBlock should wait for all CodeBlocks automatically
1405         https://bugs.webkit.org/show_bug.cgi?id=148255
1406
1407         Add back a line of code I deleted by accident in my last patch due to
1408         an incorrect merge.
1409
1410         Unreviewed.
1411
1412         * runtime/VM.cpp:
1413         (JSC::VM::deleteAllCode):
1414
1415 2015-08-20  Geoffrey Garen  <ggaren@apple.com>
1416
1417         forEachCodeBlock should wait for all CodeBlocks automatically
1418         https://bugs.webkit.org/show_bug.cgi?id=148255
1419
1420         Reviewed by Saam Barati.
1421
1422         Previously, all clients needed to wait manually before calling
1423         forEachCodeBlock. That's easy to get wrong, and at least one place
1424         got it wrong. Let's do this automatically instead.
1425
1426         * debugger/Debugger.cpp:
1427         (JSC::Debugger::Debugger):
1428         (JSC::Debugger::setSteppingMode):
1429         (JSC::Debugger::toggleBreakpoint): No need to wait manually;
1430         forEachCodeBlock will do it automatically now.
1431
1432         (JSC::Debugger::recompileAllJSFunctions): We still need to wait manually
1433         here because this is an iteration of the heap, which does not wait
1434         automatically. Use the new helper function for waiting.
1435
1436         (JSC::Debugger::clearBreakpoints):
1437         (JSC::Debugger::clearDebuggerRequests):
1438         (JSC::Debugger::setBreakpointsActivated):
1439         (JSC::Debugger::forEachCodeBlock): Deleted. No need to wait manually.
1440
1441         * debugger/Debugger.h:
1442
1443         * dfg/DFGWorklist.cpp:
1444         (JSC::DFG::completeAllPlansForVM):
1445         * dfg/DFGWorklist.h:
1446         (JSC::DFG::completeAllPlansForVM): Added a helper function that replaces
1447         vm.prepareToDeleteCode. This new function is clearer because we need
1448         to call it sometimes even if we are not going to delete code.
1449
1450         * heap/HeapInlines.h:
1451         (JSC::Heap::forEachCodeBlock): Moved.
1452
1453         * inspector/agents/InspectorRuntimeAgent.cpp:
1454         (Inspector::recompileAllJSFunctionsForTypeProfiling): Use the new helper
1455         function.
1456
1457         * runtime/JSCInlines.h:
1458         (JSC::Heap::forEachCodeBlock): Do the waiting automatically.
1459
1460         * runtime/VM.cpp:
1461         (JSC::VM::stopSampling):
1462         (JSC::VM::deleteAllCode):
1463         (JSC::VM::setEnabledProfiler):
1464         (JSC::VM::prepareToDeleteCode): Deleted.
1465         * runtime/VM.h: No need to wait manually.
1466
1467 2015-08-20  Commit Queue  <commit-queue@webkit.org>
1468
1469         Unreviewed, rolling out r188675.
1470         https://bugs.webkit.org/show_bug.cgi?id=148244
1471
1472         "caused a 17% Mac PLT regression" (Requested by ggaren on
1473         #webkit).
1474
1475         Reverted changeset:
1476
1477         "clearCode() should clear code"
1478         https://bugs.webkit.org/show_bug.cgi?id=148203
1479         http://trac.webkit.org/changeset/188675
1480
1481 2015-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1482
1483         Introduce put_by_id like IC into put_by_val when the given name is String or Symbol
1484         https://bugs.webkit.org/show_bug.cgi?id=147760
1485
1486         Reviewed by Filip Pizlo.
1487
1488         This patch adds a put_by_id IC to put_by_val by caching the one candidate id;
1489         it is the same as the get_by_val IC extension.
1490         It will encourage the use of ES6 Symbols and ES6 computed properties in the object literals.
1491
1492         In this patch, we leverage the existing CheckIdent and PutById / PutByVal in DFG,
1493         so this patch does not change FTL because the above operations are already supported in FTL.
1494
1495         And this patch also includes refactoring to leverage byValInfo->slowPathCount in the cached Id path.
1496
1497         Performance results report there's no regression in the existing tests. And in the synthetic
1498         benchmarks created by modifying put-by-id to put-by-val, we can see significant performance
1499         improvements up to 13.9x.
1500
1501         * bytecode/PutByIdStatus.cpp:
1502         (JSC::PutByIdStatus::computeForStubInfo):
1503         * bytecode/PutByIdStatus.h:
1504         * dfg/DFGByteCodeParser.cpp:
1505         (JSC::DFG::ByteCodeParser::parseBlock):
1506         * jit/JIT.h:
1507         (JSC::JIT::compilePutByValWithCachedId):
1508         * jit/JITOperations.cpp:
1509         (JSC::getByVal):
1510         (JSC::tryGetByValOptimize):
1511         * jit/JITOperations.h:
1512         * jit/JITPropertyAccess.cpp:
1513         (JSC::JIT::emitGetByValWithCachedId):
1514         (JSC::JIT::emit_op_put_by_val):
1515         (JSC::JIT::emitPutByValWithCachedId):
1516         (JSC::JIT::emitSlow_op_put_by_val):
1517         (JSC::JIT::emitIdentifierCheck):
1518         (JSC::JIT::privateCompilePutByValWithCachedId):
1519         * jit/JITPropertyAccess32_64.cpp:
1520         (JSC::JIT::emitGetByValWithCachedId):
1521         (JSC::JIT::emit_op_put_by_val):
1522         (JSC::JIT::emitPutByValWithCachedId):
1523         (JSC::JIT::emitSlow_op_put_by_val):
1524         * tests/stress/put-by-val-with-string-break.js: Added.
1525         (shouldBe):
1526         (assign):
1527         * tests/stress/put-by-val-with-string-generated.js: Added.
1528         (shouldBe):
1529         (gen1):
1530         (gen2):
1531         (assign):
1532         * tests/stress/put-by-val-with-string-generic.js: Added.
1533         (shouldBe):
1534         (assign):
1535         * tests/stress/put-by-val-with-symbol-break.js: Added.
1536         (shouldBe):
1537         (assign):
1538         * tests/stress/put-by-val-with-symbol-generic.js: Added.
1539         (shouldBe):
1540         (assign):
1541
1542 2015-08-20  Alex Christensen  <achristensen@webkit.org>
1543
1544         Clean up CMake build after r188673
1545         https://bugs.webkit.org/show_bug.cgi?id=148234
1546
1547         Reviewed by Tim Horton.
1548
1549         * shell/PlatformWin.cmake:
1550         Define WIN_CAIRO so the WinCairo jsc.exe can find the correct dlls.
1551
1552 2015-08-20  Mark Lam  <mark.lam@apple.com>
1553
1554         A watchdog test is failing on Windows.
1555         https://bugs.webkit.org/show_bug.cgi?id=148228
1556
1557         Reviewed by Brent Fulgham.
1558
1559         The test just needed a little more time because Windows' timer resolution is low.
1560         After increasing the test deadlines, the test started passing.
1561
1562         * API/tests/ExecutionTimeLimitTest.cpp:
1563         (testExecutionTimeLimit):
1564
1565 2015-08-20  Mark Lam  <mark.lam@apple.com>
1566
1567         Fixed some warnings on Windows.
1568         https://bugs.webkit.org/show_bug.cgi?id=148224
1569
1570         Reviewed by Brent Fulgham.
1571
1572         The Windows build was complaining that function params were hiding a global variable.
1573         Since the function params were unused, I resolved this by removing the param names.
1574
1575         * API/tests/ExecutionTimeLimitTest.cpp:
1576         (currentCPUTimeAsJSFunctionCallback):
1577         (shouldTerminateCallback):
1578         (cancelTerminateCallback):
1579         (extendTerminateCallback):
1580
1581 2015-08-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1582
1583         Add InternalPromise to use Promises safely in the internals
1584         https://bugs.webkit.org/show_bug.cgi?id=148136
1585
1586         Reviewed by Saam Barati.
1587
1588         This patch implements InternalPromise.
1589         It is a completely different instance set (constructor, prototype, instance)
1590         but it has the same features as the Promise.
1591
1592         In the Promise operations, when resolving the promise with the returned promise
1593         from the fulfill handler, we need to look up "then" method.
1594
1595         e.g.
1596             var p3 = p1.then(function handler(...) {
1597                 return p2;
1598             });
1599
1600         When handler is executed, we retrieve the returned `p2` promise. And to resolve
1601         the returned promise by the "then" method (that is `p3`), we construct the chain by executing
1602         `p2.then(resolving function for p3)`. So if the user modifies Promise.prototype.then,
1603         we can observe the internal operations.
1604
1605         By using InternalPromise, we completely hide InternalPromise.prototype from the users.
1606         It allows JSC to use Promises internally; even if the user modifies / overrides
1607         the Promise.prototype.then function, it does not affect InternalPromise.
1608
1609         One limitation is that the implementation needs to take care not to leak the InternalPromise instance
1610         to the user space.
1611
1612         * CMakeLists.txt:
1613         * DerivedSources.make:
1614         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1615         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1616         * JavaScriptCore.xcodeproj/project.pbxproj:
1617         * builtins/InternalPromiseConstructor.js: Added.
1618         (internalAll.newResolveElement):
1619         (internalAll):
1620         * builtins/Operations.Promise.js:
1621         (newPromiseDeferred): Deleted.
1622         * builtins/PromiseConstructor.js:
1623         (privateAll.newResolveElement): Deleted.
1624         (privateAll): Deleted.
1625         * runtime/CommonIdentifiers.h:
1626         * runtime/JSGlobalObject.cpp:
1627         (JSC::JSGlobalObject::init):
1628         (JSC::JSGlobalObject::visitChildren):
1629         * runtime/JSGlobalObject.h:
1630         (JSC::JSGlobalObject::promiseConstructor):
1631         (JSC::JSGlobalObject::internalPromiseConstructor):
1632         (JSC::JSGlobalObject::newPromiseCapabilityFunction):
1633         (JSC::JSGlobalObject::newPromiseDeferredFunction): Deleted.
1634         * runtime/JSInternalPromise.cpp: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.h.
1635         (JSC::JSInternalPromise::create):
1636         (JSC::JSInternalPromise::createStructure):
1637         (JSC::JSInternalPromise::JSInternalPromise):
1638         * runtime/JSInternalPromise.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
1639         * runtime/JSInternalPromiseConstructor.cpp: Added.
1640         (JSC::JSInternalPromiseConstructor::create):
1641         (JSC::JSInternalPromiseConstructor::createStructure):
1642         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
1643         (JSC::constructPromise):
1644         (JSC::JSInternalPromiseConstructor::getConstructData):
1645         (JSC::JSInternalPromiseConstructor::getCallData):
1646         (JSC::JSInternalPromiseConstructor::getOwnPropertySlot):
1647         * runtime/JSInternalPromiseConstructor.h: Copied from Source/JavaScriptCore/runtime/JSPromiseConstructor.h.
1648         * runtime/JSInternalPromiseDeferred.cpp: Added.
1649         (JSC::JSInternalPromiseDeferred::create):
1650         (JSC::JSInternalPromiseDeferred::JSInternalPromiseDeferred):
1651         (JSC::JSInternalPromiseDeferred::promise):
1652         * runtime/JSInternalPromiseDeferred.h: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.h.
1653         * runtime/JSInternalPromisePrototype.cpp: Copied from Source/JavaScriptCore/runtime/JSPromisePrototype.cpp.
1654         (JSC::JSInternalPromisePrototype::create):
1655         (JSC::JSInternalPromisePrototype::createStructure):
1656         (JSC::JSInternalPromisePrototype::JSInternalPromisePrototype):
1657         * runtime/JSInternalPromisePrototype.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
1658         * runtime/JSPromise.cpp:
1659         (JSC::JSPromise::create):
1660         (JSC::JSPromise::JSPromise):
1661         (JSC::JSPromise::initialize):
1662         * runtime/JSPromise.h:
1663         * runtime/JSPromiseConstructor.cpp:
1664         (JSC::JSPromiseConstructor::JSPromiseConstructor):
1665         (JSC::constructPromise):
1666         (JSC::JSPromiseConstructor::getOwnPropertySlot):
1667         (JSC::JSPromiseConstructor::finishCreation): Deleted.
1668         * runtime/JSPromiseConstructor.h:
1669         * runtime/JSPromiseDeferred.cpp:
1670         (JSC::newPromiseCapability):
1671         (JSC::JSPromiseDeferred::create):
1672         (JSC::JSPromiseDeferred::JSPromiseDeferred):
1673         * runtime/JSPromiseDeferred.h:
1674         * runtime/JSPromisePrototype.cpp:
1675         (JSC::JSPromisePrototype::getOwnPropertySlot):
1676         * runtime/JSPromisePrototype.h:
1677         * runtime/VM.cpp:
1678         (JSC::VM::VM):
1679         * runtime/VM.h:
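The observability problem this entry describes, as an added example that is not part of the ChangeLog and not JSC code: plain ECMAScript in which a user-installed `Promise.prototype.then` records every call it receives. When the handler passed to `p1.then` returns `p2`, resolving `p3` makes the engine look up and call `p2.then` with its internal resolve and reject functions, and the hook sees that call. The names `installThenHook`, `runChain` and `thenCalls` are this example's own.

```javascript
// Added example (not from the WebKit ChangeLog or JSC). Shows that a patched
// Promise.prototype.then observes the engine resolving p3 with the promise
// returned by a fulfil handler, which is the reason an engine needs an
// internal promise whose prototype user code cannot reach.

const thenCalls = []; // one record per invocation of the patched then

function installThenHook() {
  const originalThen = Promise.prototype.then;
  Promise.prototype.then = function hookedThen(onFulfilled, onRejected) {
    thenCalls.push({
      receiver: this,
      fulfilledIsFunction: typeof onFulfilled === 'function',
      rejectedIsFunction: typeof onRejected === 'function',
    });
    return originalThen.call(this, onFulfilled, onRejected);
  };
  return {
    originalThen,
    restore() { Promise.prototype.then = originalThen; },
  };
}

// Builds the chain from the entry: p3 = p1.then(handler), handler returns p2.
// Returns a promise for a summary of what the hook observed.
function runChain() {
  thenCalls.length = 0;
  const { originalThen, restore } = installThenHook();

  const p1 = Promise.resolve(1);
  const p2 = Promise.resolve(2);
  const p3 = p1.then(function handler() { return p2; });

  // Synchronously, the only then call so far is the explicit one above.
  const explicitCalls = thenCalls.length;

  // Wait for p3 through the unpatched then so the wait itself is not recorded.
  return originalThen.call(p3, function (value) {
    restore();
    // Calls whose receiver is p2 were never made by this script: they are the
    // engine resolving p3 with p2 (the spec's NewPromiseResolveThenableJob),
    // and they pass the internal resolve and reject functions as arguments.
    const internal = thenCalls.filter((c) => c.receiver === p2);
    return {
      value,                          // 2: p3 settles with p2's value
      explicitCalls,                  // 1
      internalCalls: internal.length, // 1: the engine's own p2.then(...)
      internalGotResolvingFunctions: internal.every(
        (c) => c.fulfilledIsFunction && c.rejectedIsFunction),
    };
  });
}
```

Call `runChain().then(console.log)` to see the summary. The hook is installed for the duration of one chain and removed once `p3` settles; running two chains concurrently would stack hooks and double-count, so drive it one chain at a time.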
1680
1681 2015-08-19  Filip Pizlo  <fpizlo@apple.com>
1682
1683         Remove WTF::SpinLock
1684         https://bugs.webkit.org/show_bug.cgi?id=148208
1685
1686         Reviewed by Geoffrey Garen.
1687
1688         Remove the one remaining use of SpinLock.
1689
1690         * API/JSValue.mm:
1691         (handerForStructTag):
1692
1693 2015-08-19  Geoffrey Garen  <ggaren@apple.com>
1694
1695         clearCode() should clear code
1696         https://bugs.webkit.org/show_bug.cgi?id=148203
1697
1698         Reviewed by Saam Barati.
1699
1700         Clearing code used to require two steps: clearCode() and
1701         clearUnlinkedCodeForRecompilation(). Unsurprisingly, clients sometimes
1702         did one or the other or both without much rhyme or reason.
1703
1704         This patch simplifies things by merging both functions into clearCode().
1705
1706         * bytecode/UnlinkedFunctionExecutable.h:
1707         * debugger/Debugger.cpp:
1708         * heap/Heap.cpp:
1709         (JSC::Heap::deleteAllCompiledCode):
1710         (JSC::Heap::clearUnmarkedExecutables):
1711         (JSC::Heap::deleteAllUnlinkedFunctionCode): Deleted. No need for this
1712         function anymore since it was only used by clients who already called
1713         clearCode() (and it would be terribly wrong to use it without doing both).
1714
1715         * heap/Heap.h:
1716         (JSC::Heap::sizeAfterLastFullCollection):
1717         * inspector/agents/InspectorRuntimeAgent.cpp:
1718         (Inspector::TypeRecompiler::visit):
1719         (Inspector::TypeRecompiler::operator()):
1720         * runtime/Executable.cpp:
1721         (JSC::FunctionExecutable::visitChildren):
1722         (JSC::FunctionExecutable::clearCode):
1723         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation): Deleted.
1724         * runtime/Executable.h:
1725         * runtime/VM.cpp:
1726         (JSC::VM::deleteAllCode):
1727
1728 2015-08-19  Alex Christensen  <achristensen@webkit.org>
1729
1730         CMake Windows build should not include files directly from other Source directories
1731         https://bugs.webkit.org/show_bug.cgi?id=148198
1732
1733         Reviewed by Brent Fulgham.
1734
1735         * CMakeLists.txt:
1736         JavaScriptCore_FORWARDING_HEADERS_FILES is no longer necessary because all the headers
1737         that used to be in it are now in JavaScriptCore_FORWARDING_HEADERS_DIRECTORIES.
1738         * PlatformEfl.cmake:
1739         * PlatformGTK.cmake:
1740         * PlatformMac.cmake:
1741         * PlatformWin.cmake:
1742
1743 2015-08-19  Eric Carlson  <eric.carlson@apple.com>
1744
1745         Remove ENABLE_WEBVTT_REGIONS
1746         https://bugs.webkit.org/show_bug.cgi?id=148184
1747
1748         Reviewed by Jer Noble.
1749
1750         * Configurations/FeatureDefines.xcconfig: Remove ENABLE_WEBVTT_REGIONS.
1751
1752 2015-08-19  Joseph Pecoraro  <pecoraro@apple.com>
1753
1754         Web Inspector: Unexpected node preview format for an element with newlines in className attribute
1755         https://bugs.webkit.org/show_bug.cgi?id=148192
1756
1757         Reviewed by Brian Burg.
1758
1759         * inspector/InjectedScriptSource.js:
1760         (InjectedScript.prototype._nodePreview):
1761         Replace whitespace blocks with single spaces to produce a simpler class string for previews.
1762
1763 2015-08-19  Mark Lam  <mark.lam@apple.com>
1764
1765         Add support for CheckWatchdogTimer as slow path in DFG and FTL.
1766         https://bugs.webkit.org/show_bug.cgi?id=147968
1767
1768         Reviewed by Michael Saboff.
1769
1770         Re-implement the DFG's CheckWatchdogTimer as a slow path instead of a speculation
1771         check.  Since the watchdog timer can fire spuriously, this allows the code to
1772         stay optimized if all we have are spurious fires.
1773
1774         Implement the equivalent slow path for CheckWatchdogTimer in the FTL.
1775
1776         The watchdog tests in ExecutionTimeLimitTest.cpp have already been updated in
1777         https://bugs.webkit.org/show_bug.cgi?id=148125 to test for the FTL's watchdog
1778         implementation.
1779
1780         * dfg/DFGSpeculativeJIT32_64.cpp:
1781         (JSC::DFG::SpeculativeJIT::compile):
1782         * dfg/DFGSpeculativeJIT64.cpp:
1783         (JSC::DFG::SpeculativeJIT::compile):
1784         * ftl/FTLCapabilities.cpp:
1785         (JSC::FTL::canCompile):
1786         * ftl/FTLLowerDFGToLLVM.cpp:
1787         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1788         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
1789         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckWatchdogTimer):
1790         (JSC::FTL::DFG::LowerDFGToLLVM::isInlinableSize):
1791
1792         * jit/JIT.h:
1793         * jit/JITInlines.h:
1794         (JSC::JIT::callOperation):
1795         * jit/JITOperations.cpp:
1796         * jit/JITOperations.h:
1797         - Changed operationHandleWatchdogTimer() to return an unused nullptr.  This
1798           allows me to reuse the existing DFG slow path generator mechanism.  I didn't
1799           think that operationHandleWatchdogTimer() was worth introducing a whole new set
1800           of machinery just so we can have a slow path that returns void.
1801
1802 2015-08-19  Mark Lam  <mark.lam@apple.com>
1803
1804         Add ability to save and restore JSC options.
1805         https://bugs.webkit.org/show_bug.cgi?id=148125
1806
1807         Reviewed by Saam Barati.
1808
1809         * API/tests/ExecutionTimeLimitTest.cpp:
1810         (testExecutionTimeLimit):
1811         - Employ the new options getter/setter to run watchdog tests for each of the
1812           execution engine tiers.
1813         - Also altered the test scripts to be in a function instead of global code.
1814           This is one of 2 changes needed to give them an opportunity to be FTL compiled.
1815           The other is to add support for compiling CheckWatchdogTimer in the FTL (which
1816           will be addressed in a separate patch).
1817
1818         * jsc.cpp:
1819         (CommandLine::parseArguments):
1820         * runtime/Options.cpp:
1821         (JSC::parse):
1822         - Add the ability to clear a string option with a nullptr value.
1823           This is needed to restore a default string option value which may be null.
1824
1825         (JSC::OptionRange::init):
1826         - Add the ability to clear a range option with a null value.
1827           This is needed to restore a default range option value which may be null.
1828
1829         (JSC::Options::initialize):
1830         (JSC::Options::dumpOptionsIfNeeded):
1831         - Factor code to dump options out to dumpOptionsIfNeeded() since we will need
1832           that logic elsewhere.
1833
1834         (JSC::Options::setOptions):
1835         - Parse an options string and set each of the specified options.
1836
1837         (JSC::Options::dumpAllOptions):
1838         (JSC::Options::dumpAllOptionsInALine):
1839         (JSC::Options::dumpOption):
1840         (JSC::Option::dump):
1841         - Refactored so that the underlying dumper dumps to a StringBuilder instead of
1842           stderr.  This lets us reuse this code to serialize all the options into a
1843           single string for dumpAllOptionsInALine().
1844
1845         * runtime/Options.h:
1846         (JSC::OptionRange::rangeString):
1847
1848 2015-08-18  Filip Pizlo  <fpizlo@apple.com>
1849
1850         Replace all uses of std::mutex/std::condition_variable with WTF::Lock/WTF::Condition
1851         https://bugs.webkit.org/show_bug.cgi?id=148140
1852
1853         Reviewed by Geoffrey Garen.
1854
1855         * inspector/remote/RemoteInspector.h:
1856         * inspector/remote/RemoteInspector.mm:
1857         (Inspector::RemoteInspector::registerDebuggable):
1858         (Inspector::RemoteInspector::unregisterDebuggable):
1859         (Inspector::RemoteInspector::updateDebuggable):
1860         (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1861         (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
1862         (Inspector::RemoteInspector::setupFailed):
1863         (Inspector::RemoteInspector::setupCompleted):
1864         (Inspector::RemoteInspector::start):
1865         (Inspector::RemoteInspector::stop):
1866         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1867         (Inspector::RemoteInspector::setParentProcessInformation):
1868         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1869         (Inspector::RemoteInspector::xpcConnectionFailed):
1870         (Inspector::RemoteInspector::pushListingSoon):
1871         (Inspector::RemoteInspector::receivedIndicateMessage):
1872         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
1873         * inspector/remote/RemoteInspectorXPCConnection.h:
1874         * inspector/remote/RemoteInspectorXPCConnection.mm:
1875         (Inspector::RemoteInspectorXPCConnection::close):
1876         (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
1877         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
1878         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1879
1880 2015-08-18  Joseph Pecoraro  <pecoraro@apple.com>
1881
1882         Web Inspector: Links for rules in <style> are incorrect, do not account for <style> offset in the document
1883         https://bugs.webkit.org/show_bug.cgi?id=148141
1884
1885         Reviewed by Brian Burg.
1886
1887         * inspector/protocol/CSS.json:
1888         Extend StyleSheetHeader to include start offset information and a bit
1889         for whether or not this was an inline style tag created by the parser.
1890         These match additions to Blink's protocol.
1891
1892 2015-08-18  Benjamin Poulain  <bpoulain@apple.com>
1893
1894         [JSC] Optimize more cases of something-compared-to-null/undefined
1895         https://bugs.webkit.org/show_bug.cgi?id=148157
1896
1897         Reviewed by Geoffrey Garen and Filip Pizlo.
1898
1899         CompareEq is fairly trivial if you assert one of the operands is either
1900         null or undefined. Under those conditions, the only way to have "true"
1901         is to have the other operand be null/undefined or have an object
1902         that masquerades as undefined.
1903
1904         JSC already had a fast path in CompareEqConstant.
1905         With this patch, I generalize this fast path to more cases and try
1906         to eliminate the checks whenever possible.
1907
1908         CompareEq now does the job of CompareEqConstant. If any operand can
1909         be proved to be undefined/other, its edge is set to OtherUse. Whenever
1910         any edge is OtherUse, we generate the fast code we had for CompareEqConstant.
1911
1912         The AbstractInterpreter has additional checks to reduce the node to a constant
1913         whenever possible.
1914
1915         There are two additional changes in this patch:
1916         -The Fixup Phase tries to set edges to OtherUse early. This is done correctly
1917          in ConstantFoldingPhase but setting it up early helps the phases relying
1918          on Clobberize.
1919         -The codegen for CompareEqConstant was improved. The reason is the comparison
1920          for ObjectOrOther could be faster just because the codegen was better.
1921
1922         * dfg/DFGAbstractInterpreterInlines.h:
1923         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1924         * dfg/DFGByteCodeParser.cpp:
1925         (JSC::DFG::ByteCodeParser::parseBlock):
1926         * dfg/DFGClobberize.h:
1927         (JSC::DFG::clobberize): Deleted.
1928         * dfg/DFGConstantFoldingPhase.cpp:
1929         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1930         * dfg/DFGDoesGC.cpp:
1931         (JSC::DFG::doesGC): Deleted.
1932         * dfg/DFGFixupPhase.cpp:
1933         (JSC::DFG::FixupPhase::fixupNode):
1934         * dfg/DFGNode.h:
1935         (JSC::DFG::Node::isUndefinedOrNullConstant):
1936         * dfg/DFGNodeType.h:
1937         * dfg/DFGPredictionPropagationPhase.cpp:
1938         (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
1939         * dfg/DFGSafeToExecute.h:
1940         (JSC::DFG::safeToExecute): Deleted.
1941         * dfg/DFGSpeculativeJIT.cpp:
1942         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1943         (JSC::DFG::SpeculativeJIT::compare):
1944         * dfg/DFGSpeculativeJIT.h:
1945         (JSC::DFG::SpeculativeJIT::isKnownNotOther):
1946         * dfg/DFGSpeculativeJIT32_64.cpp:
1947         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1948         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1949         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): Deleted.
1950         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): Deleted.
1951         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): Deleted.
1952         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1953         * dfg/DFGSpeculativeJIT64.cpp:
1954         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
1955         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1956         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): Deleted.
1957         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): Deleted.
1958         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): Deleted.
1959         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1960         * dfg/DFGValidate.cpp:
1961         (JSC::DFG::Validate::validate): Deleted.
1962         * dfg/DFGWatchpointCollectionPhase.cpp:
1963         (JSC::DFG::WatchpointCollectionPhase::handle):
1964         * ftl/FTLCapabilities.cpp:
1965         (JSC::FTL::canCompile):
1966         * ftl/FTLLowerDFGToLLVM.cpp:
1967         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
1968         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
1969         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEqConstant): Deleted.
1970         * tests/stress/compare-eq-on-null-and-undefined-non-peephole.js: Added.
1971         (string_appeared_here.useForMath):
1972         (testUseForMath):
1973         * tests/stress/compare-eq-on-null-and-undefined-optimized-in-constant-folding.js: Added.
1974         (string_appeared_here.unreachableCodeTest):
1975         (inlinedCompareToNull):
1976         (inlinedComparedToUndefined):
1977         (warmupInlineFunctions):
1978         (testInlineFunctions):
1979         * tests/stress/compare-eq-on-null-and-undefined.js: Added.
1980         (string_appeared_here.compareConstants):
1981         (opaqueNull):
1982         (opaqueUndefined):
1983         (compareConstantsAndDynamicValues):
1984         (compareDynamicValues):
1985         (compareDynamicValueToItself):
1986         (arrayTesting):
1987         (opaqueCompare1):
1988         (testNullComparatorUpdate):
1989         (opaqueCompare2):
1990         (testUndefinedComparatorUpdate):
1991         (opaqueCompare3):
1992         (testNullAndUndefinedComparatorUpdate):
1993
1994 2015-08-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1995
1996         Introduce non-user-observable Promise functions to use Promises internally
1997         https://bugs.webkit.org/show_bug.cgi?id=148118
1998
1999         Reviewed by Saam Barati.
2000
2001         To leverage Promises internally (like ES6 Module Loaders), we add
2002         several non-user-observable private methods, like @then and @all, and
2003         refactor the existing Promises implementation to make it easy to use
2004         internally.
2005
2006         But the trappable part still remains. When resolving the promise with
2007         the returned value, we look up the "then" function. So users can trap
2008         it by replacing the "then" function of the Promise's prototype.
2009         To avoid this situation, we'll introduce completely different promise
2010         instances called InternalPromise in the subsequent patch[1].
2011
2012         No behavior change.
2013
2014         [1]: https://bugs.webkit.org/show_bug.cgi?id=148136
2015
2016         * builtins/PromiseConstructor.js:
2017         (privateAll.newResolveElement):
2018         (privateAll):
2019         * runtime/JSGlobalObject.cpp:
2020         (JSC::JSGlobalObject::init):
2021         (JSC::JSGlobalObject::visitChildren): Deleted.
2022         * runtime/JSGlobalObject.h:
2023         (JSC::JSGlobalObject::promiseConstructor): Deleted.
2024         (JSC::JSGlobalObject::promisePrototype): Deleted.
2025         (JSC::JSGlobalObject::promiseStructure): Deleted.
2026         * runtime/JSPromiseConstructor.cpp:
2027         (JSC::JSPromiseConstructor::finishCreation):
2028         * runtime/JSPromiseDeferred.cpp:
2029         (JSC::callFunction):
2030         (JSC::JSPromiseDeferred::resolve):
2031         (JSC::JSPromiseDeferred::reject):
2032         * runtime/JSPromiseDeferred.h:
2033         * runtime/JSPromisePrototype.cpp:
2034         (JSC::JSPromisePrototype::create):
2035         (JSC::JSPromisePrototype::JSPromisePrototype):
2036         * runtime/JSPromisePrototype.h:
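
        The trap described in this entry, as an added example that is not JavaScriptCore code: a counting accessor on Promise.prototype.then shows that resolving a promise with another promise performs a user-observable "then" lookup, and a hypothetical InternalPromise class with its own then method sketches why separate promise instances sidestep a patched prototype. The names countThenLookups, InternalPromise, resolveWithPromise and demoThenTrap are assumptions made for this example; it relies on the ECMAScript promise resolve functions reading "then" synchronously, before any job is queued.

```javascript
// Added example, not JavaScriptCore code. Models the "then" trap described
// in the ChangeLog entry: resolving a promise with a thenable reads its
// "then" property, so code that replaces Promise.prototype.then gets to
// observe (and interfere with) internal promise plumbing.

const nativeThen = Promise.prototype.then; // captured before any tampering

// Install a counting accessor for Promise.prototype.then, run `work`,
// restore the original method and report how many lookups user code saw.
// The count is taken synchronously: per the ECMAScript promise resolve
// functions, Get(resolution, "then") happens before any job is queued.
function countThenLookups(work) {
  let lookups = 0;
  Object.defineProperty(Promise.prototype, 'then', {
    get() { lookups++; return nativeThen; },
    configurable: true,
  });
  try {
    work();
  } finally {
    Object.defineProperty(Promise.prototype, 'then', {
      value: nativeThen, writable: true, configurable: true, enumerable: false,
    });
  }
  return lookups;
}

// Hypothetical sketch of the "InternalPromise" idea: a promise class whose
// own `then` shadows the shared Promise.prototype.then, so a patched
// prototype method is never reached when one InternalPromise resolves
// with another.
class InternalPromise extends Promise {
  then(onFulfilled, onRejected) {
    return Reflect.apply(nativeThen, this, [onFulfilled, onRejected]);
  }
}

// Resolve a new promise of class `Ctor` with another promise of that class.
// This is the internal pattern that looks up "then" on the inner promise.
function resolveWithPromise(Ctor) {
  const inner = new Ctor(resolve => resolve(1));
  return new Ctor(resolve => resolve(inner));
}

function demoThenTrap() {
  return {
    // resolving with a primitive never reads "then"
    primitive: countThenLookups(() => new Promise(resolve => resolve(1))),
    // resolving with a plain Promise reaches the user-replaceable prototype
    userObservable: countThenLookups(() => resolveWithPromise(Promise)),
    // the shadowing `then` keeps the lookup away from Promise.prototype
    internal: countThenLookups(() => resolveWithPromise(InternalPromise)),
  };
}

console.log(demoThenTrap()); // { primitive: 0, userObservable: 1, internal: 0 }
```

        The same lookup is what makes prototype pollution of Promise.prototype.then a concern for any library that chains promises internally; capturing the native method once, as nativeThen does above, is the cheap half of the mitigation, and a separate promise class is the rest.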
2037
2038 2015-08-18  Geoffrey Garen  <ggaren@apple.com>
2039
2040         Try to fix the CLOOP build.
2041
2042         Unreviewed.
2043
2044         * bytecode/CodeBlock.cpp:
2045
2046 2015-08-18  Geoffrey Garen  <ggaren@apple.com>
2047
2048         Split InlineCallFrame into its own file
2049         https://bugs.webkit.org/show_bug.cgi?id=148131
2050
2051         Reviewed by Saam Barati.
2052
2053         * CMakeLists.txt:
2054         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2055         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2056         * JavaScriptCore.xcodeproj/project.pbxproj:
2057         * bytecode/CallLinkStatus.cpp:
2058         * bytecode/CodeBlock.h:
2059         (JSC::ExecState::r):
2060         (JSC::baselineCodeBlockForInlineCallFrame): Deleted.
2061         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock): Deleted.
2062         * bytecode/CodeOrigin.cpp:
2063         (JSC::CodeOrigin::inlineStack):
2064         (JSC::CodeOrigin::codeOriginOwner):
2065         (JSC::CodeOrigin::stackOffset):
2066         (JSC::CodeOrigin::dump):
2067         (JSC::CodeOrigin::dumpInContext):
2068         (JSC::InlineCallFrame::calleeConstant): Deleted.
2069         (JSC::InlineCallFrame::visitAggregate): Deleted.
2070         (JSC::InlineCallFrame::calleeForCallFrame): Deleted.
2071         (JSC::InlineCallFrame::hash): Deleted.
2072         (JSC::InlineCallFrame::hashAsStringIfPossible): Deleted.
2073         (JSC::InlineCallFrame::inferredName): Deleted.
2074         (JSC::InlineCallFrame::baselineCodeBlock): Deleted.
2075         (JSC::InlineCallFrame::dumpBriefFunctionInformation): Deleted.
2076         (JSC::InlineCallFrame::dumpInContext): Deleted.
2077         (JSC::InlineCallFrame::dump): Deleted.
2078         (WTF::printInternal): Deleted.
2079         * bytecode/CodeOrigin.h:
2080         (JSC::CodeOrigin::deletedMarker):
2081         (JSC::CodeOrigin::hash):
2082         (JSC::CodeOrigin::operator==):
2083         (JSC::CodeOriginHash::hash):
2084         (JSC::CodeOriginHash::equal):
2085         (JSC::InlineCallFrame::kindFor): Deleted.
2086         (JSC::InlineCallFrame::varargsKindFor): Deleted.
2087         (JSC::InlineCallFrame::specializationKindFor): Deleted.
2088         (JSC::InlineCallFrame::isVarargs): Deleted.
2089         (JSC::InlineCallFrame::InlineCallFrame): Deleted.
2090         (JSC::InlineCallFrame::specializationKind): Deleted.
2091         (JSC::InlineCallFrame::setStackOffset): Deleted.
2092         (JSC::InlineCallFrame::callerFrameOffset): Deleted.
2093         (JSC::InlineCallFrame::returnPCOffset): Deleted.
2094         (JSC::CodeOrigin::stackOffset): Deleted.
2095         (JSC::CodeOrigin::codeOriginOwner): Deleted.
2096         * bytecode/InlineCallFrame.cpp: Copied from Source/JavaScriptCore/bytecode/CodeOrigin.cpp.
2097         (JSC::InlineCallFrame::calleeConstant):
2098         (JSC::CodeOrigin::inlineDepthForCallFrame): Deleted.
2099         (JSC::CodeOrigin::inlineDepth): Deleted.
2100         (JSC::CodeOrigin::isApproximatelyEqualTo): Deleted.
2101         (JSC::CodeOrigin::approximateHash): Deleted.
2102         (JSC::CodeOrigin::inlineStack): Deleted.
2103         (JSC::CodeOrigin::dump): Deleted.
2104         (JSC::CodeOrigin::dumpInContext): Deleted.
2105         * bytecode/InlineCallFrame.h: Copied from Source/JavaScriptCore/bytecode/CodeOrigin.h.
2106         (JSC::InlineCallFrame::isVarargs):
2107         (JSC::InlineCallFrame::InlineCallFrame):
2108         (JSC::InlineCallFrame::specializationKind):
2109         (JSC::baselineCodeBlockForInlineCallFrame):
2110         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
2111         (JSC::CodeOrigin::CodeOrigin): Deleted.
2112         (JSC::CodeOrigin::isSet): Deleted.
2113         (JSC::CodeOrigin::operator!): Deleted.
2114         (JSC::CodeOrigin::isHashTableDeletedValue): Deleted.
2115         (JSC::CodeOrigin::operator!=): Deleted.
2116         (JSC::CodeOrigin::deletedMarker): Deleted.
2117         (JSC::CodeOrigin::stackOffset): Deleted.
2118         (JSC::CodeOrigin::hash): Deleted.
2119         (JSC::CodeOrigin::operator==): Deleted.
2120         (JSC::CodeOrigin::codeOriginOwner): Deleted.
2121         (JSC::CodeOriginHash::hash): Deleted.
2122         (JSC::CodeOriginHash::equal): Deleted.
2123         (JSC::CodeOriginApproximateHash::hash): Deleted.
2124         (JSC::CodeOriginApproximateHash::equal): Deleted.
2125         * bytecode/InlineCallFrameSet.cpp:
2126         * dfg/DFGCommonData.cpp:
2127         * dfg/DFGOSRExitBase.cpp:
2128         * dfg/DFGVariableEventStream.cpp:
2129         * ftl/FTLOperations.cpp:
2130         * interpreter/CallFrame.cpp:
2131         * interpreter/StackVisitor.cpp:
2132         * jit/AssemblyHelpers.h:
2133         * profiler/ProfilerOriginStack.cpp:
2134         * runtime/ClonedArguments.cpp:
2135
2136 2015-08-18  Mark Lam  <mark.lam@apple.com>
2137
2138         Removed an unused param in Interpreter::initialize().
2139         https://bugs.webkit.org/show_bug.cgi?id=148129
2140
2141         Reviewed by Michael Saboff.
2142
2143         * interpreter/Interpreter.cpp:
2144         (JSC::Interpreter::~Interpreter):
2145         (JSC::Interpreter::initialize):
2146         * interpreter/Interpreter.h:
2147         (JSC::Interpreter::stack):
2148         * runtime/VM.cpp:
2149         (JSC::VM::VM):
2150
2151 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2152
2153         Add const to content extension parser
2154         https://bugs.webkit.org/show_bug.cgi?id=148044
2155
2156         Reviewed by Benjamin Poulain.
2157
2158         * runtime/JSObject.h:
2159         (JSC::JSObject::getIndexQuickly):
2160         (JSC::JSObject::tryGetIndexQuickly):
2161         (JSC::JSObject::getDirectIndex):
2162         (JSC::JSObject::getIndex):
2163         Added a few const keywords.
2164
2165 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2166
2167         Build Debug Suffix on Windows with CMake
2168         https://bugs.webkit.org/show_bug.cgi?id=148083
2169
2170         Reviewed by Brent Fulgham.
2171
2172         * CMakeLists.txt:
2173         * PlatformWin.cmake:
2174         * shell/CMakeLists.txt:
2175         * shell/PlatformWin.cmake:
2176         Add DEBUG_SUFFIX
2177
2178 2015-08-17  Saam Barati  <sbarati@apple.com>
2179
2180         Web Inspector: Type profiler return types aren't showing up
2181         https://bugs.webkit.org/show_bug.cgi?id=147348
2182
2183         Reviewed by Brian Burg.
2184
2185         Bug #145995 changed the starting offset of a function to 
2186         be the open parenthesis of the function's parameter list.
2187         This broke JSC's type profiler protocol of communicating 
2188         return types of a function to the web inspector. This
2189         is now fixed. The text offset used in the protocol is now
2190         the first letter of the function/get/set/method name.
2191         So "f" in "function a() {}", "s" in "set foo(){}", etc.
2192
2193         * bytecode/CodeBlock.cpp:
2194         (JSC::CodeBlock::CodeBlock):
2195         * jsc.cpp:
2196         (functionReturnTypeFor):
2197
2198 2015-08-17  Aleksandr Skachkov  <gskachkov@gmail.com>
2199
2200         [ES6] Implement ES6 arrow function syntax. Arrow function specific features. Lexical bind of this
2201         https://bugs.webkit.org/show_bug.cgi?id=144956
2202
2203         Reviewed by Saam Barati.
2204
2205         Added support for ES6 arrow function specific features: lexical binding of this and no constructor. http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax
2206         The following cases were implemented in this patch:
2207            this - the variable |this| points to the |this| of the function where the arrow function is declared (lexical binding of |this|)
2208            constructor - using the |new| operator on an arrow function leads to a runtime error
2209            call(), apply(), bind() - these methods can only pass in arguments, but have no effect on |this|
2210
2211
2212         * CMakeLists.txt:
2213         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2214         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2215         * JavaScriptCore.xcodeproj/project.pbxproj:
2216         * bytecode/BytecodeList.json:
2217         * bytecode/BytecodeUseDef.h:
2218         (JSC::computeUsesForBytecodeOffset):
2219         (JSC::computeDefsForBytecodeOffset):
2220         * bytecode/CodeBlock.cpp:
2221         (JSC::CodeBlock::dumpBytecode):
2222         * bytecode/ExecutableInfo.h:
2223         (JSC::ExecutableInfo::ExecutableInfo):
2224         (JSC::ExecutableInfo::isArrowFunction):
2225         * bytecode/UnlinkedCodeBlock.cpp:
2226         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2227         * bytecode/UnlinkedCodeBlock.h:
2228         (JSC::UnlinkedCodeBlock::isArrowFunction):
2229         * bytecode/UnlinkedFunctionExecutable.cpp:
2230         (JSC::generateFunctionCodeBlock):
2231         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2232         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2233         * bytecode/UnlinkedFunctionExecutable.h:
2234         * bytecompiler/BytecodeGenerator.cpp:
2235         (JSC::BytecodeGenerator::BytecodeGenerator):
2236         (JSC::BytecodeGenerator::emitNewFunctionCommon):
2237         (JSC::BytecodeGenerator::emitNewFunctionExpression):
2238         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
2239         (JSC::BytecodeGenerator::emitLoadArrowFunctionThis):
2240         * bytecompiler/BytecodeGenerator.h:
2241         * bytecompiler/NodesCodegen.cpp:
2242         (JSC::ArrowFuncExprNode::emitBytecode):
2243         * dfg/DFGAbstractInterpreterInlines.h:
2244         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2245         * dfg/DFGByteCodeParser.cpp:
2246         (JSC::DFG::ByteCodeParser::parseBlock):
2247         * dfg/DFGCapabilities.cpp:
2248         (JSC::DFG::capabilityLevel):
2249         * dfg/DFGClobberize.h:
2250         (JSC::DFG::clobberize):
2251         * dfg/DFGDoesGC.cpp:
2252         (JSC::DFG::doesGC):
2253         * dfg/DFGFixupPhase.cpp:
2254         (JSC::DFG::FixupPhase::fixupNode):
2255         * dfg/DFGNode.h:
2256         (JSC::DFG::Node::convertToPhantomNewFunction):
2257         (JSC::DFG::Node::hasCellOperand):
2258         (JSC::DFG::Node::isFunctionAllocation):
2259         * dfg/DFGNodeType.h:
2260         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2261         * dfg/DFGPredictionPropagationPhase.cpp:
2262         (JSC::DFG::PredictionPropagationPhase::propagate):
2263         * dfg/DFGPromotedHeapLocation.cpp:
2264         (WTF::printInternal):
2265         * dfg/DFGPromotedHeapLocation.h:
2266         * dfg/DFGSafeToExecute.h:
2267         (JSC::DFG::safeToExecute):
2268         * dfg/DFGSpeculativeJIT.cpp:
2269         (JSC::DFG::SpeculativeJIT::compileLoadArrowFunctionThis):
2270         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2271         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2272         * dfg/DFGSpeculativeJIT.h:
2273         (JSC::DFG::SpeculativeJIT::callOperation):
2274         * dfg/DFGSpeculativeJIT32_64.cpp:
2275         (JSC::DFG::SpeculativeJIT::compile):
2276         * dfg/DFGSpeculativeJIT64.cpp:
2277         (JSC::DFG::SpeculativeJIT::compile):
2278         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2279         * dfg/DFGStructureRegistrationPhase.cpp:
2280         (JSC::DFG::StructureRegistrationPhase::run):
2281         * ftl/FTLAbstractHeapRepository.cpp:
2282         * ftl/FTLAbstractHeapRepository.h:
2283         * ftl/FTLCapabilities.cpp:
2284         (JSC::FTL::canCompile):
2285         * ftl/FTLIntrinsicRepository.h:
2286         * ftl/FTLLowerDFGToLLVM.cpp:
2287         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2288         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2289         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadArrowFunctionThis):
2290         * ftl/FTLOperations.cpp:
2291         (JSC::FTL::operationMaterializeObjectInOSR):
2292         * interpreter/Interpreter.cpp:
2293         * interpreter/Interpreter.h:
2294         * jit/CCallHelpers.h:
2295         (JSC::CCallHelpers::setupArgumentsWithExecState): Added 3 arguments version for windows build.
2296         * jit/JIT.cpp:
2297         (JSC::JIT::privateCompileMainPass):
2298         * jit/JIT.h:
2299         * jit/JITInlines.h:
2300         (JSC::JIT::callOperation):
2301         * jit/JITOpcodes.cpp:
2302         (JSC::JIT::emit_op_load_arrowfunction_this):
2303         (JSC::JIT::emit_op_new_func_exp):
2304         (JSC::JIT::emitNewFuncExprCommon):
2305         (JSC::JIT::emit_op_new_arrow_func_exp):
2306         * jit/JITOpcodes32_64.cpp:
2307         (JSC::JIT::emit_op_load_arrowfunction_this):
2308         * jit/JITOperations.cpp:
2309         * jit/JITOperations.h:
2310         * llint/LLIntOffsetsExtractor.cpp:
2311         * llint/LLIntSlowPaths.cpp:
2312         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2313         (JSC::LLInt::setUpCall):
2314         * llint/LLIntSlowPaths.h:
2315         * llint/LowLevelInterpreter.asm:
2316         * llint/LowLevelInterpreter32_64.asm:
2317         * llint/LowLevelInterpreter64.asm:
2318         * parser/ASTBuilder.h:
2319         (JSC::ASTBuilder::createFunctionMetadata):
2320         (JSC::ASTBuilder::createArrowFunctionExpr):
2321         * parser/NodeConstructors.h:
2322         (JSC::BaseFuncExprNode::BaseFuncExprNode):
2323         (JSC::FuncExprNode::FuncExprNode):
2324         (JSC::ArrowFuncExprNode::ArrowFuncExprNode):
2325         * parser/Nodes.cpp:
2326         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2327         * parser/Nodes.h:
2328         (JSC::ExpressionNode::isArrowFuncExprNode):
2329         * parser/Parser.cpp:
2330         (JSC::Parser<LexerType>::parseFunctionBody):
2331         (JSC::Parser<LexerType>::parseFunctionInfo):
2332         * parser/SyntaxChecker.h:
2333         (JSC::SyntaxChecker::createFunctionMetadata):
2334         * runtime/Executable.cpp:
2335         (JSC::ScriptExecutable::newCodeBlockFor):
2336         * runtime/Executable.h:
2337         * runtime/JSArrowFunction.cpp: Added.
2338         (JSC::JSArrowFunction::destroy):
2339         (JSC::JSArrowFunction::create):
2340         (JSC::JSArrowFunction::JSArrowFunction):
2341         (JSC::JSArrowFunction::createWithInvalidatedReallocationWatchpoint):
2342         (JSC::JSArrowFunction::visitChildren):
2343         (JSC::JSArrowFunction::getConstructData):
2344         * runtime/JSArrowFunction.h: Added.
2345         (JSC::JSArrowFunction::allocationSize):
2346         (JSC::JSArrowFunction::createImpl):
2347         (JSC::JSArrowFunction::boundThis):
2348         (JSC::JSArrowFunction::createStructure):
2349         (JSC::JSArrowFunction::offsetOfThisValue):
2350         * runtime/JSFunction.h:
2351         * runtime/JSFunctionInlines.h:
2352         (JSC::JSFunction::JSFunction):
2353         * runtime/JSGlobalObject.cpp:
2354         (JSC::JSGlobalObject::init):
2355         (JSC::JSGlobalObject::visitChildren):
2356         * runtime/JSGlobalObject.h:
2357         (JSC::JSGlobalObject::arrowFunctionStructure):
2358         * tests/stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js: Added.
2359         * tests/stress/arrowfunction-activation-sink-osrexit-default-value.js: Added.
2360         * tests/stress/arrowfunction-activation-sink-osrexit.js: Added.
2361         * tests/stress/arrowfunction-activation-sink.js: Added.
2362         * tests/stress/arrowfunction-bound.js: Added.
2363         * tests/stress/arrowfunction-call.js: Added.
2364         * tests/stress/arrowfunction-constructor.js: Added.
2365         * tests/stress/arrowfunction-lexical-bind-this-1.js: Added.
2366         * tests/stress/arrowfunction-lexical-bind-this-2.js: Added.
2367         * tests/stress/arrowfunction-lexical-bind-this-3.js: Added.
2368         * tests/stress/arrowfunction-lexical-bind-this-4.js: Added.
2369         * tests/stress/arrowfunction-lexical-bind-this-5.js: Added.
2370         * tests/stress/arrowfunction-lexical-bind-this-6.js: Added.
2371         * tests/stress/arrowfunction-lexical-this-activation-sink-osrexit.js: Added.
2372         * tests/stress/arrowfunction-lexical-this-activation-sink.js: Added.
2373         * tests/stress/arrowfunction-lexical-this-sinking-no-double-allocate.js: Added.
2374         * tests/stress/arrowfunction-lexical-this-sinking-osrexit.js: Added.
2375         * tests/stress/arrowfunction-lexical-this-sinking-put.js: Added.
2376         * tests/stress/arrowfunction-others.js: Added.
2377         * tests/stress/arrowfunction-run-10-1.js: Added.
2378         * tests/stress/arrowfunction-run-10-2.js: Added.
2379         * tests/stress/arrowfunction-run-10000-1.js: Added.
2380         * tests/stress/arrowfunction-run-10000-2.js: Added.
2381         * tests/stress/arrowfunction-sinking-no-double-allocate.js: Added.
2382         * tests/stress/arrowfunction-sinking-osrexit.js: Added.
2383         * tests/stress/arrowfunction-sinking-put.js: Added.
2384         * tests/stress/arrowfunction-tdz.js: Added.
2385         * tests/stress/arrowfunction-typeof.js: Added.
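
        The three behaviours listed in this entry, as an added example that is not one of the stress tests named above: lexical |this| inside a method, call()/apply()/bind() failing to rebind it, and |new| throwing. makeScaler and describeArrowFunction are names made up for this example.

```javascript
// Added example, not JavaScriptCore's stress tests: exercises the three
// arrow-function behaviours listed in the ChangeLog entry above.

// Lexical |this|: the arrow inside scaleAll sees the method's |this|.
// The classic function expression in scaleAllClassic gets its own |this|
// (undefined under strict mode), so `this.factor` is not reachable there.
function makeScaler(factor) {
  return {
    factor,
    scaleAll(values) {
      return values.map(v => v * this.factor);
    },
    scaleAllClassic(values) {
      'use strict';
      return values.map(function (v) {
        return this === undefined ? NaN : v * this.factor;
      });
    },
  };
}

function describeArrowFunction() {
  const holder = {
    factor: 3,
    make() { return () => this.factor; }, // captures make()'s |this|
  };
  const arrow = holder.make();
  const other = { factor: 99 };

  // call(), apply() and bind() still pass arguments, but cannot rebind |this|.
  const viaCall = arrow.call(other);
  const viaApply = arrow.apply(other, []);
  const viaBind = arrow.bind(other)();

  // |new| on an arrow function is a TypeError: it has no [[Construct]].
  let constructError = null;
  try {
    new arrow();
  } catch (e) {
    constructError = e;
  }

  return {
    lexical: arrow(),                                        // 3
    viaCall, viaApply, viaBind,                              // 3, 3, 3
    newThrowsTypeError: constructError instanceof TypeError, // true
    hasPrototype: 'prototype' in arrow,                      // false
  };
}

console.log(makeScaler(2).scaleAll([1, 2, 3]), describeArrowFunction());
```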
2386
2387 2015-07-28  Sam Weinig  <sam@webkit.org>
2388
2389         Cleanup the builtin JavaScript files
2390         https://bugs.webkit.org/show_bug.cgi?id=147382
2391
2392         Reviewed by Geoffrey Garen.
2393
2394         * builtins/Array.prototype.js:
2395         * builtins/ArrayConstructor.js:
2396         * builtins/ArrayIterator.prototype.js:
2397         * builtins/Function.prototype.js:
2398         * builtins/Iterator.prototype.js:
2399         * builtins/ObjectConstructor.js:
2400         * builtins/StringConstructor.js:
2401         * builtins/StringIterator.prototype.js:
2402         Unify the style of the builtin JavaScript files.
2403
2404 2015-08-17  Alex Christensen  <achristensen@webkit.org>
2405
2406         Move some commands from ./CMakeLists.txt to Source/cmake
2407         https://bugs.webkit.org/show_bug.cgi?id=148003
2408
2409         Reviewed by Brent Fulgham.
2410
2411         * CMakeLists.txt:
2412         Added commands needed to build JSC by itself.
2413
2414 2015-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2415
2416         [ES6] Implement Reflect.get
2417         https://bugs.webkit.org/show_bug.cgi?id=147925
2418
2419         Reviewed by Geoffrey Garen.
2420
2421         This patch implements Reflect.get API.
2422         It can take the receiver object as the third argument.
2423         When the receiver is specified and there's a getter for the given property name,
2424         we call the getter with the receiver as the |this| value.
2425
2426         * runtime/ReflectObject.cpp:
2427         (JSC::reflectObjectGet):
2428         * runtime/SparseArrayValueMap.cpp:
2429         (JSC::SparseArrayEntry::get): Deleted.
2430         * runtime/SparseArrayValueMap.h:
2431         * tests/stress/reflect-get.js: Added.
2432         (shouldBe):
2433         (shouldThrow):
2434         (.get shouldThrow):
2435         (.get var):
2436         (get var.object.get hello):
2437         (.get shouldBe):
2438         (get var.object.set hello):
2439
2440 2015-08-17  Simon Fraser  <simon.fraser@apple.com>
2441
2442         will-change should sometimes trigger compositing
2443         https://bugs.webkit.org/show_bug.cgi?id=148072
2444
2445         Reviewed by Tim Horton.
2446         
2447         Include will-change as a reason for compositing.
2448
2449         * inspector/protocol/LayerTree.json:
2450
2451 2015-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2452
2453         [ES6] Implement Reflect.getOwnPropertyDescriptor
2454         https://bugs.webkit.org/show_bug.cgi?id=147929
2455
2456         Reviewed by Geoffrey Garen.
2457
2458         Implement Reflect.getOwnPropertyDescriptor.
2459         The difference from Object.getOwnPropertyDescriptor is that
2460         Reflect.getOwnPropertyDescriptor does not perform ToObject on
2461         the first argument. If the first argument is not an Object, it
2462         immediately raises a TypeError.
2463
2464         * runtime/ObjectConstructor.cpp:
2465         (JSC::objectConstructorGetOwnPropertyDescriptor):
2466         * runtime/ObjectConstructor.h:
2467         * runtime/ReflectObject.cpp:
2468         (JSC::reflectObjectGetOwnPropertyDescriptor):
2469         * tests/stress/reflect-get-own-property.js: Added.
2470         (shouldBe):
2471         (shouldThrow):
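
        The receiver argument of Reflect.get (the earlier Reflect.get entry) and the no-ToObject rule of Reflect.getOwnPropertyDescriptor (this entry), as one added example that is not JavaScriptCore's test code. source, getWithReceiver, forwardingProxy, tryDescriptor and demoReflect are names made up for this example.

```javascript
// Added example, not JavaScriptCore's test code: shows the receiver
// argument of Reflect.get and the no-ToObject rule of
// Reflect.getOwnPropertyDescriptor described in the two entries.

const source = {
  base: 10,
  get value() { return this.base; }, // |this| is whatever receiver was used
};

// Reflect.get(target, key, receiver) runs the getter with `receiver` as
// |this|; with no receiver the target itself is used, as for `target.key`.
function getWithReceiver(receiver) {
  return Reflect.get(source, 'value', receiver);
}

// The main reason the receiver exists: a Proxy get trap that forwards to
// Reflect.get keeps getters working for objects that inherit from the proxy.
function forwardingProxy(target) {
  return new Proxy(target, {
    get(t, key, receiver) { return Reflect.get(t, key, receiver); },
  });
}

// Returns { threw, descriptor }: whether `fn(target, key)` raised a
// TypeError, and the descriptor it produced otherwise.
function tryDescriptor(fn, target, key) {
  try {
    return { threw: false, descriptor: fn(target, key) };
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
    return { threw: true, descriptor: undefined };
  }
}

function demoReflect() {
  // child inherits through the proxy and carries its own `base`
  const child = Object.create(forwardingProxy(source));
  child.base = 99;
  return {
    viaTarget: Reflect.get(source, 'value'),            // 10
    viaReceiver: getWithReceiver({ base: 99 }),         // 99: getter ran on the receiver
    viaProxyChild: child.value,                         // 99: trap forwarded child as receiver
    // Reflect refuses a primitive outright ...
    reflectOnPrimitive: tryDescriptor(Reflect.getOwnPropertyDescriptor, 'abc', 'length').threw, // true
    // ... while Object.getOwnPropertyDescriptor wraps it via ToObject first
    objectOnPrimitive: tryDescriptor(Object.getOwnPropertyDescriptor, 'abc', 'length').descriptor.value, // 3
  };
}

console.log(demoReflect());
```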
2472
2473 2015-08-16  Benjamin Poulain  <bpoulain@apple.com>
2474
2475         [JSC] Use (x + x) instead of (x * 2) when possible
2476         https://bugs.webkit.org/show_bug.cgi?id=148051
2477
2478         Reviewed by Michael Saboff.
2479
2480         When multiplying a number by 2, JSC was loading a constant "2"
2481         in register and multiplying it with the first number:
2482
2483             mov $0x4000000000000000, %rcx
2484             movd %rcx, %xmm0
2485             mulsd %xmm0, %xmm1
2486
2487         This is a problem for a few reasons.
2488         1) "movd %rcx, %xmm0" only sets half of XMM0. This instruction
2489            has to wait for any preceding instruction on XMM0 to finish
2490            before executing.
2491         2) The load and transform itself is large and unnecessary.
2492
2493         To fix that, I added a StrengthReductionPhase to transform
2494         multiplications by 2 into an addition.
2495
2496         Unfortunately, that turned the code into:
2497             movsd %xmm0 %xmm1
2498             mulsd %xmm1 %xmm0
2499
2500         The reason is GenerationInfo::canReuse() was not accounting
2501         for nodes using other nodes multiple times.
2502
2503         After fixing that too, we now have the multiplications by 2
2504         done as:
2505             addsd %xmm0 %xmm0
2506
2507         * dfg/DFGGenerationInfo.h:
2508         (JSC::DFG::GenerationInfo::useCount):
2509         (JSC::DFG::GenerationInfo::canReuse): Deleted.
2510         * dfg/DFGSpeculativeJIT.cpp:
2511         (JSC::DFG::FPRTemporary::FPRTemporary):
2512         * dfg/DFGSpeculativeJIT.h:
2513         (JSC::DFG::SpeculativeJIT::canReuse):
2514         (JSC::DFG::GPRTemporary::GPRTemporary):
2515         * dfg/DFGStrengthReductionPhase.cpp:
2516         (JSC::DFG::StrengthReductionPhase::handleNode):
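
        A toy model of the two changes in this entry, added here and not JavaScriptCore code: a strength-reduction rewrite of x * 2 into x + x on a three-node graph, a register-reuse check in its buggy and fixed forms, and an IEEE check that the rewrite agrees with multiplication on every edge-case double. The node shape, strengthReduce, canReuseNaive, canReuse, findStrengthReductionCounterexample and demoStrengthReduction are hypothetical simplifications; only the idea (x * 2 becomes x + x, and reuse must count every edge a node has to the same child) comes from the entry.

```javascript
// Added example, not JavaScriptCore code: a toy model of the two changes
// in this ChangeLog entry. Names are hypothetical simplifications of the
// DFG concepts they are named after.

// Build a tiny graph for `x * 2`. useCount = number of edges into a node.
function makeGraph() {
  const x = { op: 'GetLocal', children: [], useCount: 0 };
  const two = { op: 'JSConstant', value: 2, children: [], useCount: 0 };
  const mul = { op: 'ArithMul', children: [x, two], useCount: 0 };
  for (const c of mul.children) c.useCount++;
  return { x, two, mul };
}

function isConstant(node, value) {
  return node.op === 'JSConstant' && node.value === value;
}

// Rewrite ArithMul(a, 2) or ArithMul(2, a) into ArithAdd(a, a), keeping use
// counts consistent: the constant loses its use, `a` gains a second one.
function strengthReduce(node) {
  if (node.op !== 'ArithMul') return false;
  const [left, right] = node.children;
  let a, k;
  if (isConstant(right, 2)) [a, k] = [left, right];
  else if (isConstant(left, 2)) [a, k] = [right, left];
  else return false;
  node.op = 'ArithAdd';
  node.children = [a, a];
  k.useCount -= 1;
  a.useCount += 1;
  return true;
}

// Register reuse, buggy form: only the child's very last use may take over
// its register. ArithAdd(a, a) holds two uses, so this says "no" and forces
// a copy (the extra movsd the entry describes).
function canReuseNaive(node, child) {
  return child.useCount === 1;
}

// Fixed form: reuse is fine when this node owns every remaining use.
function canReuse(node, child) {
  const usesHere = node.children.filter(c => c === child).length;
  return usesHere > 0 && child.useCount === usesHere;
}

// The rewrite is only legal if x * 2 and x + x agree on every double,
// including -0, NaN, infinities and subnormals. Returns the first
// counterexample or null.
function findStrengthReductionCounterexample(values) {
  for (const v of values) {
    if (!Object.is(v * 2, v + v)) return v;
  }
  return null;
}

const edgeCases = [0, -0, 1, -1.5, 3.14, NaN, Infinity, -Infinity,
  Number.MIN_VALUE, Number.MAX_VALUE, Number.EPSILON, 2 ** 1023, 1e308];

function demoStrengthReduction() {
  const g = makeGraph();
  strengthReduce(g.mul);
  return {
    op: g.mul.op,                                                    // 'ArithAdd'
    xUses: g.x.useCount,                                             // 2
    twoUses: g.two.useCount,                                         // 0
    reuseBeforeFix: canReuseNaive(g.mul, g.x),                       // false: wrong
    reuseAfterFix: canReuse(g.mul, g.x),                             // true
    counterexample: findStrengthReductionCounterexample(edgeCases),  // null
  };
}

console.log(demoStrengthReduction());
```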
2517
2518 2015-08-14  Basile Clement  <basile_clement@apple.com>
2519
2520         Occasional failure in v8-v6/v8-raytrace.js.ftl-eager
2521         https://bugs.webkit.org/show_bug.cgi?id=147165
2522
2523         Reviewed by Saam Barati.
2524
2525         The object allocation sinking phase was not properly checking that a
2526         MultiGetByOffset was safe to lower before lowering it.
2527         This makes it so that we only lower MultiGetByOffset if it only loads
2528         from direct properties of the object, and considers it as an escape in
2529         any other case (e.g. a load from the prototype).
2530
2531         It also ensures proper conversion of MultiGetByOffset into
2532         CheckStructureImmediate when needed.
2533
2534         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2535         * ftl/FTLLowerDFGToLLVM.cpp:
2536         (JSC::FTL::DFG::LowerDFGToLLVM::checkStructure):
2537             We were not properly compiling CheckStructure and
2538             CheckStructureImmediate nodes with an empty StructureSet.
2539         * tests/stress/sink-multigetbyoffset.js: Regression test.
2540
2541 2015-08-14  Filip Pizlo  <fpizlo@apple.com>
2542
2543         Use WTF::Lock and WTF::Condition instead of WTF::Mutex, WTF::ThreadCondition, std::mutex, and std::condition_variable
2544         https://bugs.webkit.org/show_bug.cgi?id=147999
2545
2546         Reviewed by Geoffrey Garen.
2547
2548         * API/JSVirtualMachine.mm:
2549         (initWrapperCache):
2550         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
2551         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
2552         (wrapperCacheMutex): Deleted.
2553         * bytecode/SamplingTool.cpp:
2554         (JSC::SamplingTool::doRun):
2555         (JSC::SamplingTool::notifyOfScope):
2556         * bytecode/SamplingTool.h:
2557         * dfg/DFGThreadData.h:
2558         * dfg/DFGWorklist.cpp:
2559         (JSC::DFG::Worklist::~Worklist):
2560         (JSC::DFG::Worklist::isActiveForVM):
2561         (JSC::DFG::Worklist::enqueue):
2562         (JSC::DFG::Worklist::compilationState):
2563         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2564         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2565         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
2566         (JSC::DFG::Worklist::visitWeakReferences):
2567         (JSC::DFG::Worklist::removeDeadPlans):
2568         (JSC::DFG::Worklist::queueLength):
2569         (JSC::DFG::Worklist::dump):
2570         (JSC::DFG::Worklist::runThread):
2571         * dfg/DFGWorklist.h:
2572         * disassembler/Disassembler.cpp:
2573         * heap/CopiedSpace.cpp:
2574         (JSC::CopiedSpace::doneFillingBlock):
2575         (JSC::CopiedSpace::doneCopying):
2576         * heap/CopiedSpace.h:
2577         * heap/CopiedSpaceInlines.h:
2578         (JSC::CopiedSpace::recycleBorrowedBlock):
2579         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
2580         * heap/GCThread.cpp:
2581         (JSC::GCThread::waitForNextPhase):
2582         (JSC::GCThread::gcThreadMain):
2583         * heap/GCThreadSharedData.cpp:
2584         (JSC::GCThreadSharedData::GCThreadSharedData):
2585         (JSC::GCThreadSharedData::~GCThreadSharedData):
2586         (JSC::GCThreadSharedData::startNextPhase):
2587         (JSC::GCThreadSharedData::endCurrentPhase):
2588         (JSC::GCThreadSharedData::didStartMarking):
2589         (JSC::GCThreadSharedData::didFinishMarking):
2590         * heap/GCThreadSharedData.h:
2591         * heap/HeapTimer.h:
2592         * heap/MachineStackMarker.cpp:
2593         (JSC::ActiveMachineThreadsManager::Locker::Locker):
2594         (JSC::ActiveMachineThreadsManager::add):
2595         (JSC::ActiveMachineThreadsManager::remove):
2596         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
2597         (JSC::MachineThreads::~MachineThreads):
2598         (JSC::MachineThreads::addCurrentThread):
2599         (JSC::MachineThreads::removeThreadIfFound):
2600         (JSC::MachineThreads::tryCopyOtherThreadStack):
2601         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2602         (JSC::MachineThreads::gatherConservativeRoots):
2603         * heap/MachineStackMarker.h:
2604         * heap/SlotVisitor.cpp:
2605         (JSC::SlotVisitor::donateKnownParallel):
2606         (JSC::SlotVisitor::drain):
2607         (JSC::SlotVisitor::drainFromShared):
2608         (JSC::SlotVisitor::mergeOpaqueRoots):
2609         * heap/SlotVisitorInlines.h:
2610         (JSC::SlotVisitor::containsOpaqueRootTriState):
2611         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2612         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2613         (Inspector::RemoteInspectorHandleRunSourceGlobal):
2614         (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
2615         (Inspector::RemoteInspectorInitializeGlobalQueue):
2616         (Inspector::RemoteInspectorHandleRunSourceWithInfo):
2617         (Inspector::RemoteInspectorDebuggableConnection::setup):
2618         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
2619         (Inspector::RemoteInspectorDebuggableConnection::close):
2620         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
2621         (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
2622         * interpreter/JSStack.cpp:
2623         (JSC::JSStack::JSStack):
2624         (JSC::JSStack::releaseExcessCapacity):
2625         (JSC::JSStack::addToCommittedByteCount):
2626         (JSC::JSStack::committedByteCount):
2627         (JSC::stackStatisticsMutex): Deleted.
2628         (JSC::JSStack::initializeThreading): Deleted.
2629         * interpreter/JSStack.h:
2630         (JSC::JSStack::gatherConservativeRoots):
2631         (JSC::JSStack::sanitizeStack):
2632         (JSC::JSStack::size):
2633         (JSC::JSStack::initializeThreading): Deleted.
2634         * jit/ExecutableAllocator.cpp:
2635         (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
2636         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
2637         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
2638         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
2639         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
2640         (JSC::DemandExecutableAllocator::allocators):
2641         (JSC::DemandExecutableAllocator::allocatorsMutex):
2642         * jit/JITThunks.cpp:
2643         (JSC::JITThunks::ctiStub):
2644         * jit/JITThunks.h:
2645         * profiler/ProfilerDatabase.cpp:
2646         (JSC::Profiler::Database::ensureBytecodesFor):
2647         (JSC::Profiler::Database::notifyDestruction):
2648         * profiler/ProfilerDatabase.h:
2649         * runtime/InitializeThreading.cpp:
2650         (JSC::initializeThreading):
2651         * runtime/JSLock.cpp:
2652         (JSC::GlobalJSLock::GlobalJSLock):
2653         (JSC::GlobalJSLock::~GlobalJSLock):
2654         (JSC::JSLockHolder::JSLockHolder):
2655         (JSC::GlobalJSLock::initialize): Deleted.
2656         * runtime/JSLock.h:
2657
2658 2015-08-14  Ryosuke Niwa  <rniwa@webkit.org>
2659
2660         ES6 class syntax should allow computed name method
2661         https://bugs.webkit.org/show_bug.cgi?id=142690
2662
2663         Reviewed by Saam Barati.
2664
2665         Added a new "attributes" attribute to op_put_getter_by_id, op_put_setter_by_id, op_put_getter_setter to specify
2666         the property descriptor options so that we can use op_put_setter_by_id and op_put_getter_setter to define
2667         getters and setters for classes. Without this, getters and setters could erroneously override methods.
2668
2669         * bytecode/BytecodeList.json:
2670         * bytecode/BytecodeUseDef.h:
2671         (JSC::computeUsesForBytecodeOffset):
2672         * bytecode/CodeBlock.cpp:
2673         (JSC::CodeBlock::dumpBytecode):
2674         * bytecompiler/BytecodeGenerator.cpp:
2675         (JSC::BytecodeGenerator::emitDirectPutById):
2676         (JSC::BytecodeGenerator::emitPutGetterById):
2677         (JSC::BytecodeGenerator::emitPutSetterById):
2678         (JSC::BytecodeGenerator::emitPutGetterSetter):
2679         * bytecompiler/BytecodeGenerator.h:
2680         * bytecompiler/NodesCodegen.cpp:
2681         (JSC::PropertyListNode::emitBytecode): Always use emitPutGetterSetter to emit getters and setters for classes
2682         as done for object literals.
2683         (JSC::PropertyListNode::emitPutConstantProperty):
2684         (JSC::ClassExprNode::emitBytecode):
2685         * jit/CCallHelpers.h:
2686         (JSC::CCallHelpers::setupArgumentsWithExecState):
2687         * jit/JIT.h:
2688         * jit/JITInlines.h:
2689         (JSC::JIT::callOperation):
2690         * jit/JITOperations.cpp:
2691         * jit/JITOperations.h:
2692         * jit/JITPropertyAccess.cpp:
2693         (JSC::JIT::emit_op_put_getter_by_id):
2694         (JSC::JIT::emit_op_put_setter_by_id):
2695         (JSC::JIT::emit_op_put_getter_setter):
2696         (JSC::JIT::emit_op_del_by_id):
2697         * jit/JITPropertyAccess32_64.cpp:
2698         (JSC::JIT::emit_op_put_getter_by_id):
2699         (JSC::JIT::emit_op_put_setter_by_id):
2700         (JSC::JIT::emit_op_put_getter_setter):
2701         (JSC::JIT::emit_op_del_by_id):
2702         * llint/LLIntSlowPaths.cpp:
2703         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2704         * llint/LowLevelInterpreter.asm:
2705         * parser/ASTBuilder.h:
2706         (JSC::ASTBuilder::createProperty):
2707         (JSC::ASTBuilder::createPropertyList):
2708         * parser/NodeConstructors.h:
2709         (JSC::PropertyNode::PropertyNode):
2710         * parser/Nodes.h:
2711         (JSC::PropertyNode::expressionName):
2712         (JSC::PropertyNode::name):
2713         * parser/Parser.cpp:
2714         (JSC::Parser<LexerType>::parseClass): Added the support for computed property name. We don't support computed names
2715         for getters and setters.
2716         * parser/SyntaxChecker.h:
2717         (JSC::SyntaxChecker::createProperty):
2718         * runtime/JSObject.cpp:
2719         (JSC::JSObject::allowsAccessFrom):
2720         (JSC::JSObject::putGetter):
2721         (JSC::JSObject::putSetter):
2722         * runtime/JSObject.h:
2723         * runtime/PropertyDescriptor.h:
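
The attribute distinction this entry introduces is observable from script: ES6 makes every class member (methods, accessors, computed-name members) non-enumerable, the same members written in an object literal are enumerable, and a getter and a setter of one name must merge into a single accessor property rather than the later definition overriding the earlier one. The following is an added example, not WebKit code or one of its tests; `describeMembers`, `buildClassPrototype`, `buildLiteral` and `enumerableKeys` are illustrative names.

```javascript
// Added example, not from WebKit: inspect the property attributes that class
// members and object-literal members end up with under ES6.

function describeMembers(obj) {
  // Map each own key of obj to its kind and its enumerable/configurable flags.
  const out = {};
  for (const key of Reflect.ownKeys(obj)) {
    const d = Object.getOwnPropertyDescriptor(obj, key);
    let kind;
    if ('value' in d) kind = typeof d.value === 'function' ? 'method' : 'data';
    else if (d.get && d.set) kind = 'accessor';
    else kind = d.get ? 'getter' : 'setter';
    out[String(key)] = { kind, enumerable: d.enumerable, configurable: d.configurable };
  }
  return out;
}

function buildClassPrototype(methodName) {
  // A class with a computed method name and a getter/setter pair of one name.
  class Point {
    [methodName]() { return 'computed'; }
    get x() { return this._x; }
    set x(v) { this._x = v; }
    plain() { return 'plain'; }
  }
  return Point.prototype;
}

function buildLiteral(methodName) {
  // The same members written as an object literal.
  return {
    [methodName]() { return 'computed'; },
    get x() { return this._x; },
    set x(v) { this._x = v; },
    plain() { return 'plain'; },
  };
}

function enumerableKeys(obj) {
  // What for-in / Object.keys based code (serializers, property copiers) sees.
  return Object.keys(obj);
}
```

The practical consequence: code that copies or serializes objects by enumerating keys silently skips class members (including accessors) but picks up the identical members of an object literal, so the two forms are not interchangeable for that kind of consumer.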
2724
2725 2015-08-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2726
2727         Add InspectorInstrumentation builtin object to instrument the code in JS builtins like Promises
2728         https://bugs.webkit.org/show_bug.cgi?id=147942
2729
2730         Reviewed by Geoffrey Garen.
2731
2732         This patch adds a new private global object, @InspectorInstrumentation.
2733         It is intended to be used as the namespace object (like Reflect/Math) for Inspector's
2734         instrumentation system and it is used to instrument the builtin JS code, like Promises.
2735
2736         * CMakeLists.txt:
2737         * DerivedSources.make:
2738         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2739         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2740         * JavaScriptCore.xcodeproj/project.pbxproj:
2741         * builtins/InspectorInstrumentationObject.js: Added.
2742         (debug):
2743         (promiseFulfilled):
2744         (promiseRejected):
2745         * builtins/Operations.Promise.js:
2746         (rejectPromise):
2747         (fulfillPromise):
2748         * runtime/CommonIdentifiers.h:
2749         * runtime/InspectorInstrumentationObject.cpp: Added.
2750         (JSC::InspectorInstrumentationObject::InspectorInstrumentationObject):
2751         (JSC::InspectorInstrumentationObject::finishCreation):
2752         (JSC::InspectorInstrumentationObject::getOwnPropertySlot):
2753         (JSC::InspectorInstrumentationObject::isEnabled):
2754         (JSC::InspectorInstrumentationObject::enable):
2755         (JSC::InspectorInstrumentationObject::disable):
2756         (JSC::inspectorInstrumentationObjectDataLogImpl):
2757         * runtime/InspectorInstrumentationObject.h: Added.
2758         (JSC::InspectorInstrumentationObject::create):
2759         (JSC::InspectorInstrumentationObject::createStructure):
2760         * runtime/JSGlobalObject.cpp:
2761         (JSC::JSGlobalObject::init):
2762
2763 2015-08-14  Commit Queue  <commit-queue@webkit.org>
2764
2765         Unreviewed, rolling out r188444.
2766         https://bugs.webkit.org/show_bug.cgi?id=148029
2767
2768         Broke GTK and EFL (see bug #148027) (Requested by philn on
2769         #webkit).
2770
2771         Reverted changeset:
2772
2773         "Use WTF::Lock and WTF::Condition instead of WTF::Mutex,
2774         WTF::ThreadCondition, std::mutex, and std::condition_variable"
2775         https://bugs.webkit.org/show_bug.cgi?id=147999
2776         http://trac.webkit.org/changeset/188444
2777
2778 2015-08-13  Filip Pizlo  <fpizlo@apple.com>
2779
2780         Use WTF::Lock and WTF::Condition instead of WTF::Mutex, WTF::ThreadCondition, std::mutex, and std::condition_variable
2781         https://bugs.webkit.org/show_bug.cgi?id=147999
2782
2783         Reviewed by Geoffrey Garen.
2784
2785         * API/JSVirtualMachine.mm:
2786         (initWrapperCache):
2787         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
2788         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
2789         (wrapperCacheMutex): Deleted.
2790         * bytecode/SamplingTool.cpp:
2791         (JSC::SamplingTool::doRun):
2792         (JSC::SamplingTool::notifyOfScope):
2793         * bytecode/SamplingTool.h:
2794         * dfg/DFGThreadData.h:
2795         * dfg/DFGWorklist.cpp:
2796         (JSC::DFG::Worklist::~Worklist):
2797         (JSC::DFG::Worklist::isActiveForVM):
2798         (JSC::DFG::Worklist::enqueue):
2799         (JSC::DFG::Worklist::compilationState):
2800         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2801         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2802         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
2803         (JSC::DFG::Worklist::visitWeakReferences):
2804         (JSC::DFG::Worklist::removeDeadPlans):
2805         (JSC::DFG::Worklist::queueLength):
2806         (JSC::DFG::Worklist::dump):
2807         (JSC::DFG::Worklist::runThread):
2808         * dfg/DFGWorklist.h:
2809         * disassembler/Disassembler.cpp:
2810         * heap/CopiedSpace.cpp:
2811         (JSC::CopiedSpace::doneFillingBlock):
2812         (JSC::CopiedSpace::doneCopying):
2813         * heap/CopiedSpace.h:
2814         * heap/CopiedSpaceInlines.h:
2815         (JSC::CopiedSpace::recycleBorrowedBlock):
2816         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
2817         * heap/GCThread.cpp:
2818         (JSC::GCThread::waitForNextPhase):
2819         (JSC::GCThread::gcThreadMain):
2820         * heap/GCThreadSharedData.cpp:
2821         (JSC::GCThreadSharedData::GCThreadSharedData):
2822         (JSC::GCThreadSharedData::~GCThreadSharedData):
2823         (JSC::GCThreadSharedData::startNextPhase):
2824         (JSC::GCThreadSharedData::endCurrentPhase):
2825         (JSC::GCThreadSharedData::didStartMarking):
2826         (JSC::GCThreadSharedData::didFinishMarking):
2827         * heap/GCThreadSharedData.h:
2828         * heap/HeapTimer.h:
2829         * heap/MachineStackMarker.cpp:
2830         (JSC::ActiveMachineThreadsManager::Locker::Locker):
2831         (JSC::ActiveMachineThreadsManager::add):
2832         (JSC::ActiveMachineThreadsManager::remove):
2833         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
2834         (JSC::MachineThreads::~MachineThreads):
2835         (JSC::MachineThreads::addCurrentThread):
2836         (JSC::MachineThreads::removeThreadIfFound):
2837         (JSC::MachineThreads::tryCopyOtherThreadStack):
2838         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2839         (JSC::MachineThreads::gatherConservativeRoots):
2840         * heap/MachineStackMarker.h:
2841         * heap/SlotVisitor.cpp:
2842         (JSC::SlotVisitor::donateKnownParallel):
2843         (JSC::SlotVisitor::drain):
2844         (JSC::SlotVisitor::drainFromShared):
2845         (JSC::SlotVisitor::mergeOpaqueRoots):
2846         * heap/SlotVisitorInlines.h:
2847         (JSC::SlotVisitor::containsOpaqueRootTriState):
2848         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2849         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2850         (Inspector::RemoteInspectorHandleRunSourceGlobal):
2851         (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
2852         (Inspector::RemoteInspectorInitializeGlobalQueue):
2853         (Inspector::RemoteInspectorHandleRunSourceWithInfo):
2854         (Inspector::RemoteInspectorDebuggableConnection::setup):
2855         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
2856         (Inspector::RemoteInspectorDebuggableConnection::close):
2857         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
2858         (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
2859         * interpreter/JSStack.cpp:
2860         (JSC::JSStack::JSStack):
2861         (JSC::JSStack::releaseExcessCapacity):
2862         (JSC::JSStack::addToCommittedByteCount):
2863         (JSC::JSStack::committedByteCount):
2864         (JSC::stackStatisticsMutex): Deleted.
2865         (JSC::JSStack::initializeThreading): Deleted.
2866         * interpreter/JSStack.h:
2867         (JSC::JSStack::gatherConservativeRoots):
2868         (JSC::JSStack::sanitizeStack):
2869         (JSC::JSStack::size):
2870         (JSC::JSStack::initializeThreading): Deleted.
2871         * jit/ExecutableAllocator.cpp:
2872         (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
2873         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
2874         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
2875         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
2876         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
2877         (JSC::DemandExecutableAllocator::allocators):
2878         (JSC::DemandExecutableAllocator::allocatorsMutex):
2879         * jit/JITThunks.cpp:
2880         (JSC::JITThunks::ctiStub):
2881         * jit/JITThunks.h:
2882         * profiler/ProfilerDatabase.cpp:
2883         (JSC::Profiler::Database::ensureBytecodesFor):
2884         (JSC::Profiler::Database::notifyDestruction):
2885         * profiler/ProfilerDatabase.h:
2886         * runtime/InitializeThreading.cpp:
2887         (JSC::initializeThreading):
2888         * runtime/JSLock.cpp:
2889         (JSC::GlobalJSLock::GlobalJSLock):
2890         (JSC::GlobalJSLock::~GlobalJSLock):
2891         (JSC::JSLockHolder::JSLockHolder):
2892         (JSC::GlobalJSLock::initialize): Deleted.
2893         * runtime/JSLock.h:
2894
2895 2015-08-13  Commit Queue  <commit-queue@webkit.org>
2896
2897         Unreviewed, rolling out r188428.
2898         https://bugs.webkit.org/show_bug.cgi?id=148015
2899
2900         broke cmake build (Requested by alexchristensen on #webkit).
2901
2902         Reverted changeset:
2903
2904         "Move some commands from ./CMakeLists.txt to Source/cmake"
2905         https://bugs.webkit.org/show_bug.cgi?id=148003
2906         http://trac.webkit.org/changeset/188428
2907
2908 2015-08-13  Commit Queue  <commit-queue@webkit.org>
2909
2910         Unreviewed, rolling out r188431.
2911         https://bugs.webkit.org/show_bug.cgi?id=148013
2912
2913         JSC headers are too hard to understand (Requested by smfr on
2914         #webkit).
2915
2916         Reverted changeset:
2917
2918         "Remove a few includes from JSGlobalObject.h"
2919         https://bugs.webkit.org/show_bug.cgi?id=148004
2920         http://trac.webkit.org/changeset/188431
2921
2922 2015-08-13  Benjamin Poulain  <bpoulain@apple.com>
2923
2924         [JSC] Add support for GetByVal on arrays of Undecided shape
2925         https://bugs.webkit.org/show_bug.cgi?id=147814
2926
2927         Reviewed by Filip Pizlo.
2928
2929         Previously, GetByVal on Array::Undecided would just take
2930         the generic path. The problem is the generic path is so
2931         slow that it could take a significant amount of time
2932         even for infrequent accesses.
2933
2934         With this patch, if the following conditions are met,
2935         the GetByVal just returns a "undefined" constant:
2936         -The object is an OriginalArray.
2937         -The prototype chain is sane.
2938         -The index is an integer.
2939         -The integer is positive (runtime check).
2940
2941         Ideally, the 4th condition should be removed;
2942         deducing a compile-time constant gives us much better
2943         opportunities at getting rid of this code.
2944
2945         There are two cases where this patch removes the runtime
2946         check:
2947         -If the index is constant (uncommon but easy)
2948         -If the index is within a range known to be positive.
2949          (common case and made possible with DFGIntegerRangeOptimizationPhase).
2950
2951         When we get into those cases, DFG just nukes everything
2952         and all we have left is a structure check :)
2953
2954         This patch is a 14% improvement on audio-beat-detection,
2955         a few percent faster here and there and no regression.
2956
2957         * dfg/DFGAbstractInterpreterInlines.h:
2958         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2959         If the index is a positive constant, we can get rid of the GetByVal
2960         entirely. :)
2961
2962         * dfg/DFGArrayMode.cpp:
2963         (JSC::DFG::ArrayMode::fromObserved):
2964         The returned type is now Array::Undecided + profiling information.
2965         The useful type is set in ArrayMode::refine().
2966
2967         (JSC::DFG::ArrayMode::refine):
2968         If we meet the particular set conditions, we speculate an Undecided
2969         array type with sane chain. Anything else comes back to Generic.
2970
2971         (JSC::DFG::ArrayMode::originalArrayStructure):
2972         To enable the structure check for Undecided array.
2973
2974         (JSC::DFG::ArrayMode::alreadyChecked):
2975         * dfg/DFGArrayMode.h:
2976         (JSC::DFG::ArrayMode::withProfile):
2977         (JSC::DFG::ArrayMode::canCSEStorage):
2978         (JSC::DFG::ArrayMode::benefitsFromOriginalArray):
2979         (JSC::DFG::ArrayMode::lengthNeedsStorage): Deleted.
2980         (JSC::DFG::ArrayMode::isSpecific): Deleted.
2981
2982         * dfg/DFGByteCodeParser.cpp:
2983         (JSC::DFG::ByteCodeParser::handleIntrinsic): Deleted.
2984         This is somewhat unrelated.
2985
2986         Having Array::Undecided on ArrayPush was impossible before
2987         since ArrayMode::fromObserved() used to return Array::Generic.
2988
2989         Now that Array::Undecided is possible, we must make sure not
2990         to provide it to ArrayPush since there is no code to handle it
2991         properly.
2992
2993         * dfg/DFGClobberize.h:
2994         (JSC::DFG::clobberize):
2995         The operation only depends on the index, it is pure.
2996
2997         * dfg/DFGFixupPhase.cpp:
2998         (JSC::DFG::FixupPhase::fixupNode): Deleted.
2999         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
3000         * dfg/DFGSpeculativeJIT.cpp:
3001         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
3002         (JSC::DFG::SpeculativeJIT::checkArray):
3003         * dfg/DFGSpeculativeJIT32_64.cpp:
3004         (JSC::DFG::SpeculativeJIT::compile):
3005         * dfg/DFGSpeculativeJIT64.cpp:
3006         (JSC::DFG::SpeculativeJIT::compile):
3007         * ftl/FTLCapabilities.cpp:
3008         (JSC::FTL::canCompile):
3009         * ftl/FTLLowerDFGToLLVM.cpp:
3010         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
3011         * tests/stress/get-by-val-on-undecided-array-type.js: Added.
3012         * tests/stress/get-by-val-on-undecided-sane-chain-1.js: Added.
3013         * tests/stress/get-by-val-on-undecided-sane-chain-2.js: Added.
3014         * tests/stress/get-by-val-on-undecided-sane-chain-3.js: Added.
3015         * tests/stress/get-by-val-on-undecided-sane-chain-4.js: Added.
3016         * tests/stress/get-by-val-on-undecided-sane-chain-5.js: Added.
3017         * tests/stress/get-by-val-on-undecided-sane-chain-6.js: Added.
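
The "prototype chain is sane" condition above exists because a read of a missing array index is not intrinsically undefined: the lookup continues into Array.prototype and Object.prototype, so an indexed property planted there (by a bug, or by attacker-controlled script in the same realm) is what the hole read returns, and a JIT that folded the read to a constant without that check would disagree with the interpreter. The added example below is not one of the WebKit stress tests listed above; `readHole`, `withPollutedArrayPrototype`, `isolatedArray` and `chainIsSane` are illustrative names.

```javascript
// Added example, not from WebKit: a hole read on an array is only `undefined`
// while no object on the prototype chain owns an array-index key.

function readHole(arr, index) {
  // Plain indexed read. For a missing index the lookup walks the prototype chain.
  return arr[index];
}

function holeReadsAreUndefined(arr, indices) {
  return indices.every((i) => readHole(arr, i) === undefined);
}

function withPollutedArrayPrototype(index, value, fn) {
  // Install an indexed property on Array.prototype for the duration of fn(),
  // then restore the previous state so the rest of the realm is unaffected.
  const had = Object.prototype.hasOwnProperty.call(Array.prototype, index);
  const saved = Array.prototype[index];
  Array.prototype[index] = value;
  try {
    return fn();
  } finally {
    if (had) Array.prototype[index] = saved;
    else delete Array.prototype[index];
  }
}

function isolatedArray(length) {
  // An array detached from the shared prototypes: nothing planted on
  // Array.prototype or Object.prototype can show through its holes.
  const a = new Array(length);
  Object.setPrototypeOf(a, null);
  return a;
}

function isArrayIndex(key) {
  // Canonical array index: a string whose ToUint32 round-trips and is < 2^32 - 1.
  return typeof key === 'string' && String(Number(key) >>> 0) === key && Number(key) !== 4294967295;
}

function chainIsSane(arr) {
  // The check a defensive consumer can make before trusting hole reads.
  for (let p = Object.getPrototypeOf(arr); p !== null; p = Object.getPrototypeOf(p)) {
    if (Reflect.ownKeys(p).some(isArrayIndex)) return false;
  }
  return true;
}
```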
3018
3019 2015-08-13  Simon Fraser  <simon.fraser@apple.com>
3020
3021         Remove a few includes from JSGlobalObject.h
3022         https://bugs.webkit.org/show_bug.cgi?id=148004
3023
3024         Reviewed by Tim Horton.
3025         
3026         Remove 4 #includes from JSGlobalObject.h, and fix the fallout.
3027
3028         * parser/VariableEnvironment.cpp:
3029         * parser/VariableEnvironment.h:
3030         * runtime/JSGlobalObject.h:
3031         * runtime/Structure.h:
3032         * runtime/StructureInlines.h:
3033
3034 2015-08-13  Alex Christensen  <achristensen@webkit.org>
3035
3036         Move some commands from ./CMakeLists.txt to Source/cmake
3037         https://bugs.webkit.org/show_bug.cgi?id=148003
3038
3039         Reviewed by Brent Fulgham.
3040
3041         * CMakeLists.txt:
3042         Added commands needed to build JSC by itself.
3043
3044 2015-08-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3045
3046         Unify JSParserCodeType, FunctionParseMode and ModuleParseMode into SourceParseMode
3047         https://bugs.webkit.org/show_bug.cgi?id=147353
3048
3049         Reviewed by Saam Barati.
3050
3051         This is the follow-up patch after r188355.
3052         It includes the following changes.
3053
3054         - Unify JSParserCodeType, FunctionParseMode and ModuleParseMode into SourceParseMode
3055         - Make SourceParseMode a C++ strongly-typed enum.
3056         - Fix the comments.
3057         - Rename ModuleSpecifier to ModuleName.
3058         - Add the type name `ImportEntry` before the C++11 uniform initialization.
3059         - Fix the thrown message for duplicate 'default' names.
3060         - Assert that all statements in the top-level source elements are module declarations under the module analyzer phase.
3061
3062         * API/JSScriptRef.cpp:
3063         (parseScript):
3064         * builtins/BuiltinExecutables.cpp:
3065         (JSC::BuiltinExecutables::createExecutableInternal):
3066         * bytecode/UnlinkedFunctionExecutable.cpp:
3067         (JSC::generateFunctionCodeBlock):
3068         * bytecode/UnlinkedFunctionExecutable.h:
3069         * bytecompiler/BytecodeGenerator.h:
3070         (JSC::BytecodeGenerator::makeFunction):
3071         * parser/ASTBuilder.h:
3072         (JSC::ASTBuilder::createFunctionMetadata):
3073         (JSC::ASTBuilder::createModuleName):
3074         (JSC::ASTBuilder::createImportDeclaration):
3075         (JSC::ASTBuilder::createExportAllDeclaration):
3076         (JSC::ASTBuilder::createExportNamedDeclaration):
3077         (JSC::ASTBuilder::createModuleSpecifier): Deleted.
3078         * parser/ModuleAnalyzer.cpp:
3079         (JSC::ModuleAnalyzer::analyze):
3080         * parser/NodeConstructors.h:
3081         (JSC::ModuleNameNode::ModuleNameNode):
3082         (JSC::ImportDeclarationNode::ImportDeclarationNode):
3083         (JSC::ExportAllDeclarationNode::ExportAllDeclarationNode):
3084         (JSC::ExportNamedDeclarationNode::ExportNamedDeclarationNode):
3085         (JSC::ModuleSpecifierNode::ModuleSpecifierNode): Deleted.
3086         * parser/Nodes.cpp:
3087         (JSC::FunctionMetadataNode::FunctionMetadataNode):
3088         * parser/Nodes.h:
3089         (JSC::StatementNode::isModuleDeclarationNode):
3090         (JSC::ModuleDeclarationNode::isModuleDeclarationNode):
3091         (JSC::ImportDeclarationNode::moduleName):
3092         (JSC::ExportAllDeclarationNode::moduleName):
3093         (JSC::ExportNamedDeclarationNode::moduleName):
3094         (JSC::ImportDeclarationNode::moduleSpecifier): Deleted.
3095         (JSC::ExportAllDeclarationNode::moduleSpecifier): Deleted.
3096         (JSC::ExportNamedDeclarationNode::moduleSpecifier): Deleted.
3097         * parser/NodesAnalyzeModule.cpp:
3098         (JSC::SourceElements::analyzeModule):
3099         (JSC::ImportDeclarationNode::analyzeModule):
3100         (JSC::ExportAllDeclarationNode::analyzeModule):
3101         (JSC::ExportNamedDeclarationNode::analyzeModule):
3102         * parser/Parser.cpp:
3103         (JSC::Parser<LexerType>::Parser):
3104         (JSC::Parser<LexerType>::parseInner):
3105         (JSC::Parser<LexerType>::parseModuleSourceElements):
3106         (JSC::Parser<LexerType>::parseFunctionBody):
3107         (JSC::stringForFunctionMode):
3108         (JSC::Parser<LexerType>::parseFunctionParameters):
3109         (JSC::Parser<LexerType>::parseFunctionInfo):
3110         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3111         (JSC::Parser<LexerType>::parseClass):
3112         (JSC::Parser<LexerType>::parseModuleName):
3113         (JSC::Parser<LexerType>::parseImportDeclaration):
3114         (JSC::Parser<LexerType>::parseExportDeclaration):
3115         (JSC::Parser<LexerType>::parsePropertyMethod):
3116         (JSC::Parser<LexerType>::parseGetterSetter):
3117         (JSC::Parser<LexerType>::parsePrimaryExpression):
3118         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
3119         (JSC::Parser<LexerType>::parseModuleSpecifier): Deleted.
3120         * parser/Parser.h:
3121         (JSC::Parser<LexerType>::parse):
3122         (JSC::parse):
3123         * parser/ParserModes.h:
3124         (JSC::isFunctionParseMode):
3125         (JSC::isModuleParseMode):
3126         (JSC::isProgramParseMode):
3127         * parser/SyntaxChecker.h:
3128         (JSC::SyntaxChecker::createFunctionMetadata):
3129         (JSC::SyntaxChecker::createModuleName):
3130         (JSC::SyntaxChecker::createImportDeclaration):
3131         (JSC::SyntaxChecker::createExportAllDeclaration):
3132         (JSC::SyntaxChecker::createExportNamedDeclaration):
3133         (JSC::SyntaxChecker::createModuleSpecifier): Deleted.
3134         * runtime/CodeCache.cpp:
3135         (JSC::CodeCache::getGlobalCodeBlock):
3136         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3137         * runtime/Completion.cpp:
3138         (JSC::checkSyntax):
3139         (JSC::checkModuleSyntax):
3140         * runtime/Executable.cpp:
3141         (JSC::ProgramExecutable::checkSyntax):
3142         * tests/stress/modules-syntax-error-with-names.js:
3143
3144 2015-08-13  Joseph Pecoraro  <pecoraro@apple.com>
3145
3146         Web Inspector: A {Map, WeakMap, Set, WeakSet} object contains itself will hang the console
3147         https://bugs.webkit.org/show_bug.cgi?id=147966
3148
3149         Reviewed by Timothy Hatcher.
3150
3151         * inspector/InjectedScriptSource.js:
3152         (InjectedScript.prototype._initialPreview):
3153         Renamed to initial preview. This is not a complete preview for
3154         this object, and it needs some processing in order to be a
3155         complete accurate preview.
3156
3157         (InjectedScript.RemoteObject.prototype._emptyPreview):
3158         This attempts to be an accurate empty preview for the given object.
3159         For types with entries, it adds an empty entries list and updates
3160         the overflow and lossless properties.
3161
3162         (InjectedScript.RemoteObject.prototype._createObjectPreviewForValue):
3163         Take a generatePreview parameter to generate a full preview or empty preview.
3164
3165         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
3166         (InjectedScript.RemoteObject.prototype._appendEntryPreviews):
3167         (InjectedScript.RemoteObject.prototype._isPreviewableObject):
3168         Take care to avoid cycles.
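
The hang described here is the generic failure mode of a previewer that recurses into entries without remembering what it is already inside of. The added example below is not the Inspector's InjectedScriptSource code; it shows the shape of a bounded, cycle-safe preview that tracks the path of objects currently being visited, with `preview` as an illustrative name. WeakMap and WeakSet are not iterable from script, so for them a previewer can only emit the type name.

```javascript
// Added example, not from WebKit: bounded, cycle-safe preview of values that
// may contain themselves (Map, Set, Array, plain objects).

function preview(value, maxDepth = 3, path = new Set()) {
  if (value === null || typeof value !== 'object') return String(value);
  if (path.has(value)) return '[Circular]';   // already inside this object
  if (maxDepth === 0) return '{...}';         // bound the work even without cycles
  if (value instanceof WeakMap || value instanceof WeakSet) return value.constructor.name;

  path.add(value);
  try {
    const inner = (v) => preview(v, maxDepth - 1, path);
    if (value instanceof Map) {
      const entries = [];
      for (const [k, v] of value) entries.push(`${inner(k)} => ${inner(v)}`);
      return `Map(${value.size}) {${entries.join(', ')}}`;
    }
    if (value instanceof Set) {
      const items = [];
      for (const v of value) items.push(inner(v));
      return `Set(${value.size}) {${items.join(', ')}}`;
    }
    if (Array.isArray(value)) return `[${value.map((v) => inner(v)).join(', ')}]`;
    const props = Object.keys(value).map((k) => `${k}: ${inner(value[k])}`);
    return `{${props.join(', ')}}`;
  } finally {
    // Track the current path rather than everything ever seen, so the same
    // object may legitimately appear in two sibling branches.
    path.delete(value);
  }
}
```

Both guards are needed: the path set stops self-reference from recursing forever, and the depth bound keeps a deep but acyclic structure from producing an unbounded amount of preview text.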
3169
3170 2015-08-13  Geoffrey Garen  <ggaren@apple.com>
3171
3172         Periodic code deletion should delete RegExp code
3173         https://bugs.webkit.org/show_bug.cgi?id=147990
3174
3175         Reviewed by Filip Pizlo.
3176
3177         The RegExp code cache was created for the sake of simple loops that
3178         re-created the same RegExps. It's reasonable to delete it periodically.
3179
3180         * heap/Heap.cpp:
3181         (JSC::Heap::deleteOldCode):
3182
3183 2015-08-13  Geoffrey Garen  <ggaren@apple.com>
3184
3185         RegExpCache::finalize should not delete code
3186         https://bugs.webkit.org/show_bug.cgi?id=147987
3187
3188         Reviewed by Mark Lam.
3189
3190         The RegExp object already knows how to delete its own code in its
3191         destructor. Our job is just to clear our stale pointer.
3192
3193         * runtime/RegExpCache.cpp:
3194         (JSC::RegExpCache::finalize):
3195         (JSC::RegExpCache::addToStrongCache):
3196
3197 2015-08-13  Geoffrey Garen  <ggaren@apple.com>
3198
3199         Standardize on the phrase "delete code"
3200         https://bugs.webkit.org/show_bug.cgi?id=147984
3201
3202         Reviewed by Mark Lam.
3203
3204         Use "delete" when we talk about throwing away code, as opposed to
3205         "invalidate" or "discard".
3206
3207         * debugger/Debugger.cpp:
3208         (JSC::Debugger::forEachCodeBlock):
3209         (JSC::Debugger::setSteppingMode):
3210         (JSC::Debugger::recompileAllJSFunctions):
3211         * heap/Heap.cpp:
3212         (JSC::Heap::deleteAllCompiledCode):
3213         * inspector/agents/InspectorRuntimeAgent.cpp:
3214         (Inspector::recompileAllJSFunctionsForTypeProfiling):
3215         * runtime/RegExp.cpp:
3216         (JSC::RegExp::match):
3217         (JSC::RegExp::deleteCode):
3218         (JSC::RegExp::invalidateCode): Deleted.
3219         * runtime/RegExp.h:
3220         * runtime/RegExpCache.cpp:
3221         (JSC::RegExpCache::finalize):
3222         (JSC::RegExpCache::addToStrongCache):
3223         (JSC::RegExpCache::deleteAllCode):
3224         (JSC::RegExpCache::invalidateCode): Deleted.
3225         * runtime/RegExpCache.h:
3226         * runtime/VM.cpp:
3227         (JSC::VM::stopSampling):
3228         (JSC::VM::prepareToDeleteCode):
3229         (JSC::VM::deleteAllCode):
3230         (JSC::VM::setEnabledProfiler):
3231         (JSC::VM::prepareToDiscardCode): Deleted.
3232         (JSC::VM::discardAllCode): Deleted.
3233         * runtime/VM.h:
3234         (JSC::VM::apiLock):
3235         (JSC::VM::codeCache):
3236         * runtime/Watchdog.cpp:
3237         (JSC::Watchdog::setTimeLimit):
3238
3239 2015-08-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3240
3241         X.[[SetPrototypeOf]](Y) should succeed if X.[[Prototype]] is already Y even if X is not extensible
3242         https://bugs.webkit.org/show_bug.cgi?id=147930
3243
3244         Reviewed by Saam Barati.
3245
3246         When the passed prototype object to be set is the same as the existing
3247         prototype object, [[SetPrototypeOf]] just finishes its operation even
3248         if the extensibility of the target object is `false`.
3249
3250         * runtime/JSGlobalObjectFunctions.cpp:
3251         (JSC::globalFuncProtoSetter):
3252         * runtime/ObjectConstructor.cpp:
3253         (JSC::objectConstructorSetPrototypeOf):
3254         * runtime/ReflectObject.cpp:
3255         (JSC::reflectObjectSetPrototypeOf):
3256         * tests/stress/set-same-prototype.js: Added.
3257         (shouldBe):
3258         (shouldThrow):
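
The spec step this entry implements (OrdinarySetPrototypeOf returns true when the requested prototype is already the current one, before the extensibility check is reached) is observable from all three script-visible entry points. The added example below is not the tests/stress/set-same-prototype.js listed above; `trySetPrototype` and `frozenChild` are illustrative names. For hardening code the relevant point is that Object.freeze still pins the prototype against any other value, and only Reflect.setPrototypeOf reports the outcome without throwing.

```javascript
// Added example, not from WebKit: [[SetPrototypeOf]] on a non-extensible object
// succeeds only when the requested prototype is the one it already has.

function trySetPrototype(target, proto) {
  // Exercise the three entry points and record how each one reports the result.
  const result = { reflect: Reflect.setPrototypeOf(target, proto), object: null, dunder: null };
  try {
    Object.setPrototypeOf(target, proto);
    result.object = 'ok';
  } catch (e) {
    result.object = e.constructor.name;
  }
  try {
    target.__proto__ = proto;   // inherited accessor; its setter throws on failure
    result.dunder = 'ok';
  } catch (e) {
    result.dunder = e.constructor.name;
  }
  result.finalProto = Object.getPrototypeOf(target);
  return result;
}

function frozenChild(base) {
  // A frozen (hence non-extensible) object whose prototype is `base`.
  return Object.freeze(Object.create(base));
}
```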
3259
3260 2015-08-12  Geoffrey Garen  <ggaren@apple.com>
3261
3262         Removed clearEvalCodeCache()
3263         https://bugs.webkit.org/show_bug.cgi?id=147957
3264
3265         Reviewed by Filip Pizlo.
3266
3267         It was unused.
3268
3269         * bytecode/CodeBlock.cpp:
3270         (JSC::CodeBlock::linkIncomingCall):
3271         (JSC::CodeBlock::install):
3272         (JSC::CodeBlock::clearEvalCache): Deleted.
3273         * bytecode/CodeBlock.h:
3274         (JSC::CodeBlock::numberOfJumpTargets):
3275         (JSC::CodeBlock::jumpTarget):
3276         (JSC::CodeBlock::numberOfArgumentValueProfiles):
3277
3278 2015-08-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3279
3280         [ES6] Implement Reflect.defineProperty
3281         https://bugs.webkit.org/show_bug.cgi?id=147943
3282
3283         Reviewed by Saam Barati.
3284
3285         This patch implements Reflect.defineProperty.
3286         The differences from Object.defineProperty are:
3287
3288         1. Reflect.defineProperty does not perform the ToObject operation on the first argument.
3289         2. Reflect.defineProperty does not throw a TypeError when the [[DefineOwnProperty]] operation fails.
3290         3. Reflect.defineProperty returns the boolean value that represents whether [[DefineOwnProperty]] succeeded.
3291
3292         This patch also adds the links to the ES6 spec as comments.
3293
3294         * builtins/ReflectObject.js:
3295         * runtime/ObjectConstructor.cpp:
3296         (JSC::toPropertyDescriptor):
3297         * runtime/ObjectConstructor.h:
3298         * runtime/ReflectObject.cpp:
3299         (JSC::reflectObjectDefineProperty):
3300         * tests/stress/reflect-define-property.js: Added.
3301         (shouldBe):
3302         (shouldThrow):
3303         (.set getter):
3304         (setter):
3305         (.get testDescriptor):
3306         (.set get var):
3307         (.set testDescriptor):
3308         (.set get testDescriptor):
3309         (.set get shouldThrow):
3310         (.get var):
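
The Reflect.defineProperty behaviour listed above, as an added example that is not part of the ChangeLog or of JavaScriptCore's own code. It compares the two APIs on definitions that [[DefineOwnProperty]] rejects (redefining a non-configurable property, adding to a non-extensible object) and shows that Reflect.defineProperty refuses a primitive target instead of coercing it; the helper names and sample objects are this example's own.

```javascript
// Added example (not JSC code): Reflect.defineProperty returns the
// [[DefineOwnProperty]] result as a boolean, where Object.defineProperty turns
// a false result into a TypeError.

function defineOutcomes(target, key, descriptor) {
  // Reflect.defineProperty never throws for a rejected definition on an object.
  const reflect = Reflect.defineProperty(target, key, descriptor);

  // Object.defineProperty throws a TypeError for the same rejected definition.
  let object;
  try {
    Object.defineProperty(target, key, descriptor);
    object = 'ok';
  } catch (e) {
    object = e instanceof TypeError ? 'TypeError' : 'other';
  }
  return { reflect, object };
}

function definePropertyDemo() {
  // Case 1: changing the value of a non-configurable, non-writable property.
  const locked = {};
  Object.defineProperty(locked, 'x', { value: 1, writable: false, configurable: false });
  const redefine = defineOutcomes(locked, 'x', { value: 2 });

  // Case 2: adding a property to a non-extensible object.
  const sealed = Object.preventExtensions({});
  const addToSealed = defineOutcomes(sealed, 'y', { value: 1 });

  // Case 3: a permitted definition succeeds through both APIs.
  const open = {};
  const allowed = defineOutcomes(open, 'z', { value: 3, writable: true, configurable: true });

  // Case 4: a primitive target is not coerced by Reflect.defineProperty; it throws.
  let primitiveTarget;
  try {
    Reflect.defineProperty(1, 'w', { value: 1 });
    primitiveTarget = 'ok';
  } catch (e) {
    primitiveTarget = e instanceof TypeError ? 'TypeError' : 'other';
  }

  return { redefine, addToSealed, allowed, primitiveTarget, lockedValue: locked.x };
}
```

Code that needs to probe whether a property can be defined (for example when hardening an object and checking that an attacker-controlled key did not already land as non-configurable) can use the boolean from Reflect.defineProperty as a guard instead of wrapping Object.defineProperty in try/catch.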
3311
3312 2015-08-12  Filip Pizlo  <fpizlo@apple.com>
3313
3314         DFG::ByteCodeParser should attempt constant folding on loads from structures that are DFG-watchable
3315         https://bugs.webkit.org/show_bug.cgi?id=147950
3316
3317         Reviewed by Michael Saboff.
3318
3319         Previously we reduced the constant folding power of ByteCodeParser::load() because that code was
3320         responsible for memory corruption, since it would sometimes install watchpoints on structures that
3321         weren't being traced.  It seemed like the safest fix was to remove the constant folding rule
3322         entirely since later phases also do constant folding, and they do it without introducing the bug.
3323         Well, that change (http://trac.webkit.org/changeset/188292) caused a big regression, because we
3324         still have some constant folding rules that only exist in ByteCodeParser, and so ByteCodeParser must
3325         be maximally aggressive in constant-folding whenever possible.
3326
3327         So, this change now brings back that constant folding rule - for loads from object constants that
3328         have DFG-watchable structures - and implements it properly, by ensuring that we only call into
3329         tryGetConstantProperty() if we have registered the structure set.
3330
3331         * dfg/DFGByteCodeParser.cpp:
3332         (JSC::DFG::ByteCodeParser::load):
3333
3334 2015-08-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3335
3336         [ES6] Add ES6 Modules preparsing phase to collect the dependencies
3337         https://bugs.webkit.org/show_bug.cgi?id=147353
3338
3339         Reviewed by Geoffrey Garen.
3340
3341         This patch implements ModuleRecord and ModuleAnalyzer.
3342         ModuleAnalyzer analyzes the AST produced by the parser.
3343         By collaborating with the parser, ModuleAnalyzer collects the information
3344         that is necessary to request the loading of the dependent modules and to
3345         construct the module's environment and namespace object before executing the actual
3346         module body.
3347
3348         In the parser, we annotate which variables are imported bindings and which variables
3349         are exported from the current module. This information is leveraged in the ModuleAnalyzer
3350         to categorize the export entries.
3351
3352         To preparse the modules in the parser, we just add the new flag `ModuleParseMode`
3353         instead of introducing a new TreeContext type. This is because only two users call
3354         parseModuleSourceElements: the preparser and the actual compiler. Adding the flag is simple
3355         enough to switch the context to the SyntaxChecker when parsing the non-module-related
3356         statements in the preparsing phase.
3357
3358         To demonstrate the module analyzer, we added the new dumpModuleRecord option
3359         to the JSC shell. By specifying it, the result of the analysis is dumped when the module
3360         is parsed and analyzed.